RU2580014C2 - System and method for changing mask of encrypted region during breakdown in computer system - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: system comprises indicators determining whether a data unit is encrypted or decrypted. The system includes a security log necessary for storing encrypted data units. Conversion means are used to store data units in the security log, store a mask of an encrypted region from random access memory onto a disk and change the encryption indicator in the mask of the encrypted region for each stored encrypted data unit. The system includes mask changing means designed to read from the disk the stored mask of the encrypted region into random access memory, determine data units for which the encryption indicator indicates that the data units are encrypted, and the mask changing means is also designed to change the value of the encryption indicator to an opposite value.

EFFECT: protecting the mask of the encrypted region during breakdown in the system during full-disk encryption by recovering the mask of the encrypted region using the security log.

10 cl, 7 dwg

Description

Technical field

The invention relates to computer systems and more particularly to systems and methods for protecting computer devices and end-user data from unauthorized access.

State of the art

In modern society, the requirements for the preservation of confidential data are constantly increasing. The number of cases of theft and data loss is constantly increasing. However, even in such cases, data encryption prevents the reading of confidential information. One of the most secure types of encryption is full disk encryption, in which the entire contents of the disk is encrypted as a whole. In this case, access to individual files of the encrypted disk is performed by decrypting the data on the fly — individual sectors of the disk containing the requested file are decrypted, while the rest of the disk remains encrypted. When you finish working with a file, it is also encrypted “on the fly” - the file is divided into parts equal to the volume of the disk sector, which is encrypted and stored on the disk.

The primary encryption process of the entire disk requires significant processor computing resources, causes increased disk wear and can take a long time (from several hours to several days or even weeks). Disk data is divided into blocks of a given size, after which each block is atomically encrypted and stored on the disk. To maintain up-to-date information about encrypted data blocks, an encrypted area bitmap is usually used. Each bit of the card is equal to one for encrypted blocks and zero for decrypted ones. To reduce disk wear, a bitmap can be saved to the disk periodically. At the same time, in the event of a system failure, the card of the encrypted area must correspond to the state of the encrypted data blocks on the disk. Thus, there is a need to protect the mask of the encrypted area in the event of a system failure during full disk encryption.

In patent application US 20120173882 A1 describes the possibility of resuming the encryption / decryption operation upon reboot or accidental system failure. The authors indicate that the user can obtain information about the current encryption status: the number of encrypted data blocks, information bits, the percentage of encrypted information. However, the application does not specify how this information is used when resuming encryption after a system failure.

An analysis of the prior art allows us to conclude about the inefficiency and, in some cases, the impossibility of using previous technologies, the disadvantages of which are solved by the present invention, namely, a system and method for changing the mask of an encrypted area in the event of a malfunction in a computer system.

Disclosure of invention

The present invention relates to systems and methods for protecting computer devices and end-user data from unauthorized access.

The technical result of the present invention is to provide protection for the mask of the encrypted area in the event of a system failure during full disk encryption by restoring the mask of the encrypted area using the security log.

According to an embodiment, a system is used to change the mask of the encrypted area, containing information about each data block, whether it is encrypted when a failure occurs in the computer system, containing: at least one protection log contained on the disk and necessary for storing data blocks; conversion tool associated with the protection log and intended for: storing during the process of full-disk encryption of encrypted data blocks in the protection log; save the mask of the encrypted area to disk when the specified conditions are met; changing the encryption metric in the mask of the encrypted area for each stored data block, while the modified encryption metric indicates that the stored block is encrypted; mask changing means associated with the conversion means, the protection log and intended for: reading from the disk the saved mask of the encrypted area when a system malfunction occurs during encryption; determining the data blocks contained in the protection log for which the encryption indicator in the mask of the encrypted area on the disk indicates that the data blocks are decrypted; changing the value of the encryption indicator to the opposite value for certain data blocks.

According to one particular embodiment, the mask conversion tool is designed to save the encrypted area mask to the disk when at least one of the following specified conditions is fulfilled since the last time the said encrypted area mask was last saved to disk: a certain number of encrypted data blocks were saved to the protection log; after a specified period of time.

According to another particular embodiment, the mask changing means is additionally intended for determining data blocks for which the serial number of the data block is greater than the serial number of the mask, wherein: said serial number of the block is equal to an iteratively increasing number for each encrypted data block written to the disk; said sequential mask change number is equal to the maximum value among sequential change numbers of data blocks for which in the last mask of the encrypted area on the disk the encryption indicator determines that said data block is encrypted.

According to another particular embodiment, the conversion means is further provided for storing the sequence number of the block change in the protection log.

According to one particular embodiment, the conversion tool is further intended to store a sequential mask change number to disk.

According to another particular embodiment, the mask of the encrypted area is: a bitmap; binary search tree; interval graph.

According to an embodiment, a method is used to change the mask of the encrypted area containing information about each data block, whether it is encrypted when a malfunction occurs in a computer system, in which: using the conversion tool, the encrypted data blocks are stored in the protection log during the full-disk encryption process; using the conversion means, the encryption indicator in the mask of the encrypted area is changed for each stored data block, while the changed encryption indicator indicates that the stored block is encrypted; using the conversion tool, they save the mask of the encrypted area on the disk when the specified conditions are met; using the mask changing tool, the saved mask of the encrypted area is read from the disk when a system malfunction occurs during encryption; using the mask change tool, the data blocks contained in the protection log are determined for which the encryption indicator in the mask of the encrypted area on the disk indicates that the data blocks are decrypted; using the change tool, the masks change the value of the encryption metric to the opposite value for the data blocks defined in the previous step.

According to one particular embodiment, using the conversion tool, the mask of the encrypted area is saved to disk when at least one of the following specified conditions is fulfilled since the last time the said mask of the encrypted area was saved to disk: a certain number of encrypted data blocks were saved to the protection log; after a specified period of time.

According to another particular embodiment, data blocks are determined using the mask change tool, in which the serial data block change number is greater than the mask change serial number, wherein: said block change serial number is equal to an iteratively increasing number for each encrypted data block written to the disk; said sequential mask change number is equal to the maximum value among sequential change numbers of data blocks for which the encryption indicator determines that said data block is encrypted in the mask of the encrypted area on the disk.

According to another particular embodiment, by means of the conversion means, a sequential block change number is additionally stored in the security log.

According to one particular embodiment, by means of a means of conversion to a disk, a sequential mask change number is additionally stored.

According to another particular embodiment, the mask of the encrypted area is: a bitmap; binary search tree; interval graph.

Brief Description of the Drawings

Additional objectives, features and advantages of the present invention will be apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

In FIG. 1 shows a general scheme of an encryption system.

In FIG. 2 shows a possible example of an encrypted area mask.

In FIG. 3 shows an embodiment of a method for determining a mask of an encrypted area.

In FIG. 4 shows a general diagram of the process of initiating full disk encryption of a disk.

In FIG. 5 shows an embodiment of a method for determining the mask of an encrypted area during full-disk encryption.

In FIG. 6 shows a method for changing the mask of an encrypted area.

FIG. 7 is an example of a general purpose computer system.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than the specific details provided to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined in the scope of the attached claims.

In general, the computer encryption system 100 may have the form shown in FIG. 1. The computer system 100 includes a storage device 101 (for clarity, the term “disk” will be used hereinafter) for storing data. The disk 101 may be any random access medium with the ability to repeatedly overwrite the contents of the medium, such as a magnetic disk, solid state drive, magneto-optical disk. Disk 101 is characterized by disk parameters, which may include: disk size, type (for example, magnetic disk, solid state drive, magneto-optical disk), the number of tracks and sectors of the disk, the number of damaged sectors of the disk, etc. Disk 101 can contain several logical partitions, one of which can be installed operating system (OS), such as: Microsoft Windows, Unix, Mac OS, etc.

During full-disk encryption, to increase the encryption speed and implement the fault tolerance of the encryption system, the disk is divided into data blocks of equal size. At the same time, when decrypting a fully encrypted disk, it will already be divided into data blocks. It is worth noting that the system and methods used in both encryption and decryption are largely the same. Therefore, hereinafter, for brevity, when describing the implementation options, methods applicable for full disk encryption will be described. At the same time, it is implied that for decryption similar system modules and method steps are used. If the specific steps of the method or modules of the system will differ from the method of decryption of the disk, this will be mentioned in the description of the implementation options.

The mask definition module 102 is responsible for determining the size of the data block, which is also used to determine disk parameters. For example, on Windows, the disk size can be determined using the IOCTL_DISK_GET_LENGTH_INFO control code of the DeviceloControl function from the Windows API (application programming interface). In order to ensure data safety and the possibility of resuming the encryption process after a system failure, an encrypted area mask is created at the beginning of the encryption process, containing information about each data block, whether it is encrypted. An example of a system failure can be, for example, a power outage, errors in the system (for example, a failure when initializing the I / O system), etc. For mask creation of the encrypted area, the mask detection module 102 is also used. Below, in the description of FIG. 2 shows a particular example of an encrypted area mask.

In one example implementation, the encryption system 100 comprises a security log 103 necessary to store user data during the encryption process. User data may include, for example, files and directory contents of a user account. User data may also include all data stored on disk. In a preferred embodiment, the security log 103 may have a ring buffer structure. It is worth noting that the security log 103 may have any other data structure known in the art, for example a linked list.

In a particular example implementation, the system contains a mask storage log 104 necessary to store several versions of the mask of the encrypted area during disk encryption. Each of the masks of the encrypted area contains information about the encrypted data blocks at different points in time. In an example implementation, the system 100 includes a conversion tool 105 associated with the mask definition module and designed to load data blocks from disk into RAM, then encrypt them and write encrypted data blocks to protection log 103. In yet another example implementation, mask storage log 104 may contained on the disk in several copies in order to provide additional protection for the mask of the encrypted area and the possibility of resuming the encryption process in the event of a system failure. In an example implementation, several mask storage logs may reside in different areas of the disk. Thus, if a large number of bad sectors occur in one area of the disk, the likelihood of a similar situation simultaneously occurring in another area of the disk will be extremely small. In another example implementation, masks of the encrypted area of different versions may be contained directly on disk 101.

In an example implementation, the system 100 comprises an encryption module 106 associated with the conversion means 105 and designed to encrypt and decrypt user data written to or read from the encrypted area of the disk and create a security log file 103 on the disk.

In a particular implementation example, the conversion tool 105 is additionally designed to write encrypted data blocks to a disk 101 and to the protection log 103. In another example implementation, the conversion tool 105 is further designed to create an encrypted area mask file on a disk and place an encrypted area mask in it defined by the module definitions of the mask 102. In another example implementation, the conversion tool 105 is additionally designed to update the mask of the encrypted area when writing encrypted blocks to disk OF DATA. In a particular embodiment, the conversion tool 105 is further intended to store the mask of the encrypted area in the mask storage log 104.

In another example implementation, the conversion tool 105 is further designed to save the mask of the encrypted area to disk when certain conditions are met. For example, a mask may be saved from random access memory to disk periodically, as well as during partial or full updating of protection log 103.

In one embodiment, the system 100 comprises a mask changing means 107 for reading the last stored mask of the encrypted area from the mask storage log 104. Mask changing means 107 is also designed to change the value of the indicator in the mask of the encrypted area indicating that the data blocks are encrypted opposite meaning. Further, for brevity, indicators determining whether a data block is encrypted will be referred to as encryption indicators. In addition, the mask changing means 107 serves to determine the data blocks contained in the security log 103 for which the encryption rate in the mask of the encrypted area is different from the state of the data blocks on the disk. In a particular embodiment, the disk may contain a metadata file 108, which in turn contains pointers to the protection log 103 and to the mask storage log 104, as well as an indicator determining whether the disk is encrypted or is in the process of encryption.

In a particular implementation example, to determine the order in which the encrypted data blocks are saved to disk, the sequential block change number is used, which is equal to the number iteratively increasing for each encrypted data block written to the disk. In the example implementation, the sequential change number of the block is additionally stored with each data block in the security log 103 using the conversion tool 105. In a particular implementation example, additional information can be stored using the conversion tool 105 in the security log 103, for example: a pointer to the beginning of the encrypted data block on disk, the checksum from this data block along with the additional information specified above. In the example implementation, when a new encrypted data block is saved to disk, the mask of the encrypted area is updated, thus creating a new mask of the encrypted area. To display the correspondence between the mask of the encrypted area and the last encrypted and written to the disk data block, a sequential mask change number can be used. In a particular embodiment, the value of the sequence number of the mask change is equal to the maximum value of the sequence number of the change among the data blocks for which the encrypted area mask contains the changed encryption index.

In a particular embodiment, the conversion tool 105 is further provided for storing the mask change sequence number in the mask storage log 104. In the example embodiment, the mask change tool 107 is further provided for reading the block change sequence number in the protection log 103, for reading the mask change sequence number in the storage log mask 104, as well as to change the value of the encryption indicator to the opposite value.

In an example implementation, a mask change number is additionally stored along with each mask of the encrypted area in the mask storage log 104. In a particular implementation example, additional information may be stored in the mask storage log 104, for example: a pointer to the beginning of the last saved data block on the disk, a checksum from the mask of the encrypted area along with the additional information indicated above.

In a particular example of implementation, disk 101 contains a custom MBR image (master boot record - the main boot record for BIOS systems), which differs from the main MBR in that, together with the code that activates the preboot authentication environment, or in the absence of one, it can additionally contain pointers to the metadata file 108, the preload agent contained on the disk (not shown in FIG. 1), a protection log, and a pointer to a mask storage log 104. A custom MBR image may also contain a metric that determines and the encrypted disk, or the disk is in the process of encryption.

In FIG. 2 shows a possible example of a mask of an encrypted area 201. In this example, a mask of an encrypted area 201 is represented as a bitmap. Each data block of the disk 100 corresponds to a bit in the mask of the encrypted area 201. In this case, the bit value in the mask of the encrypted area 201 determines whether the corresponding data block is encrypted (for example, the bit can take the value 1 when the data block is encrypted, and 0 when the data block is in decrypted state). In this example, data blocks 1, 3, 6, 7 are encrypted, while blocks 2, 4, 5 are decrypted. For such a disk, the mask of the encrypted area will take the value 1010011.

For clarity, shown in FIG. 2, the mask structure of the encrypted area will be used to describe embodiments of the invention. It should be noted that in FIG. 2 shows only a preferred example of a mask of an encrypted area 201, and in general, a mask of an encrypted area may have a different representation. In a particular implementation example, the mask of the encrypted area can be represented as a binary search tree, an interval graph, as a multi-level bitmap, etc.

In FIG. 3 shows an embodiment of a method for determining a mask of an encrypted area. At the first step 301, the disk parameters are determined using the mask definition module 102, which may include: disk size, type, number of damaged disk sectors, etc. Next, at step 302, the data block size is determined using the mask determination module 102, which depends on disk options. At the last step 303, depending on the size of the data block, the mask of the encrypted area containing the encryption index for each data block and initially corresponding to the unencrypted state for the entire disk is determined using the mask definition module 102 (all bits of the mask of the encrypted area can be zero). The size of the mask of the encrypted area is set based on the size of the data block (for example, the size of the disk divided by the size of the data block).

When encrypting a data block on disk 101, it will be overwritten as a single unit. Thus, to ensure the best performance when encrypting a disk, the size of the data block will be a multiple of the size of the physical sector or the size of the erase block (for a solid state drive).

In a particular implementation example, the data block size may be equal to the square root of the disk capacity in bytes. For example, for a 1 terabyte disk, the data block size will be 1 megabyte. In this case, the size of the mask of the encrypted area will be equal to the ratio of the volume of the disk to the size of the data block and can be 128 kilobytes for presentation as a linear binary bitmap.

In another example implementation, the mask of the encrypted area may have the structure of a multi-level bitmap. For example, for a bitmap in the form of a matrix, the data block size may be comparable to the cubic root of the disk capacity in octets. Thus, for a 1 terabyte disk, the data block size can be 16 kilobits.

In FIG. 4 shows a general diagram of the process of initiating full disk encryption. Initially, at step 401, the encryption process is initiated - the encryption module 106 creates empty files of the protection log 103 and the mask storage log 104. In a particular implementation example, the encryption process can also be initiated by the conversion tool 105. It is worth noting that the log files at this point may already be placed on disk 101. In this case, their contents will be cleared. Next, at step 402, on the computer system using the encryption module 106, a conversion tool 105 and a set of system software components are needed to perform full-disk encryption and to ensure authentication at the pre-boot authentication stage (PBA). After that, a computer system may be rebooted to verify the correct operation of the drivers. For example, if a system error occurs after a reboot, the system can be restored from the last system restore point during subsequent boot, however, in this case, full disk encryption can be canceled.

At step 403, the encryption module 106 transmits to the means of conversion 105 a command about the need for encryption. In a particular embodiment, before the start of encryption, a metadata file 108 can be created on the disk, which, in turn, can contain pointers to the protection log and to the mask storage log 104, as well as an indicator determining whether the disk is encrypted, is in the process of encryption, or disk encryption has not yet begun - the disk is decrypted. In another embodiment, multiple copies of the metadata file 108 may be stored on disk to provide additional security when resuming encryption in the event of a system failure.

Next, in step 404, an encrypted area mask is created using the conversion tool. In a particular implementation example, when performing the full-disk encryption process, all bits of the created mask of the encrypted area can be equal to zero. In another example implementation, when decrypting an encrypted disk, all bits of the created mask of the encrypted area can be equal to one. Further, the mask of the encrypted area can be stored in the storage log of the mask 104.

In step 405, a custom MBR image is created using the encryption module. After creation, the custom MBR image is saved in place of the original MBR, which is usually located in the zero sector of the disk. When the computer system boots up, the BIOS transfers control to the user MBR, which ensures the loading of the preload agent and the transfer of execution to it. A copy of the main MBR can be stored in the metadata file 108. The preload agent provides user authentication, loading the main MBR from the metadata file 108, which ultimately transfers control to the operating system.

As a result, at step 406, the conversion tool proceeds to encrypt the disk. The encryption process is described in more detail below.

In FIG. 5 shows an embodiment of a method for determining the mask of an encrypted area during full-disk encryption. At the beginning of encryption, the mask of the encrypted area can be completely filled with zeros - all data blocks of the disk are not encrypted. If the disk decrypts, all mask bits of the encrypted area will be single — all data blocks on the disk are encrypted.

Thus, at the beginning of disk encryption, the conversion tool using the mask of the encrypted area reads unencrypted data blocks from the disk (in the mask of the encrypted area, such data blocks correspond to a zero bit). Further, the conversion means 105 encrypts the read data block, after which, at step 501, the data blocks are written to the protection log 103. In a particular embodiment, the sequential block change number and additional information (for example, a pointer to the beginning of the encrypted one) can also be written to the protection log 103. data block on disk, checksum).

In a particular embodiment, the data block may be encrypted using symmetric encryption, for example, a block cipher. Encryption keys can be created, for example, by encryption tool 105, encrypted using the user password of the computer system as the encryption key, and saved to disk. Next, at step 502, encryption metrics for the encrypted data blocks are added to the mask of the encrypted area. For example, when using a bitmap, the corresponding bit to the encrypted data block is changed by one. In a particular embodiment, the updated mask can be saved to disk in the next step 503. In another embodiment, the mask of the encrypted area can be saved to disk each time data blocks are written to the protection log.

However, frequent overwriting of the contents of the mask storage log 104 may increase disk wear. Therefore, in a preferred embodiment, the mask of the encrypted area is saved to disk in the mask storage log 104 under certain conditions, which are checked in step 504. In one example, the mask of the encrypted area is saved to disk if a certain number of encrypted data blocks have been stored in the protection log the moment the mask of the encrypted area was last saved to the mask storage log 104 (for example, when the protection log 103 is rewritten by half).

In another example implementation, the mask of the encrypted area can be saved to disk after a certain period of time (for example, every 10 seconds). In another example implementation, the mask of the encrypted area is saved to the disk when requesting write-through of data to the disk.

One way or another, the condition for storing the mask of the encrypted area on the disk will be such that when a system failure occurs at any time, the encrypted data blocks stored in the protection log 103, as well as the last saved mask of the encrypted area, will be enough to restore (change) the mask of the encrypted area for all encrypted data blocks that were saved to disk or to the protection log 103 by the time the system crashed. In more detail, a variant of the method for changing the mask of the encrypted area will be described below, when describing FIG. 6.

As a result, under the conditions defined in step 504, the mask of the encrypted area is stored on the disk in step 503, the encryption process continues. Otherwise, the encryption process continues without saving the encrypted area mask to the disk. Because If the mask of the encrypted area is generally stored on the disk less often than the encrypted data blocks, then when a system failure occurs, the mask of the encrypted area contained on the disk may not fully correspond to the state of the encrypted data blocks on the disk. In this case, after rebooting the system 100, it will be necessary to update the mask of the encrypted area to a new version so that the new mask of the encrypted area fully characterizes the state of the encrypted data blocks on the disk 101. The method for changing the mask of the encrypted area after a system failure and rebooting the system is described below in the description of FIG. 6.

After a successful write to the protection log 103, the data block is written directly to disk 101, in place of the original data block.

The encryption process will be completed when all data blocks are encrypted and stored on disk 101, and all bits of the mask of the encrypted area will be single.

In a particular implementation example, after the encryption process is completed, the mask of the encrypted area will be deleted from the memory, as well as from the disk. In another example implementation, after the encryption process is completed, the protection log can also be cleared, which will free up additional disk space.

It is worth noting that in a preferred embodiment, step 503 is performed without interrupting the process of encrypting data blocks.

In FIG. 6 shows a method for changing the mask of an encrypted area. During the encryption process, a system failure may occur, as a result of which the computer system will restart. The mask of the encrypted area is saved to the disk less often than the encrypted data blocks are saved to the disk. Thus, in the mask of the encrypted area on the disk for some encrypted data blocks, there may be no encryption metrics. To resume the encryption process, the encryption indicators contained in the mask of the encrypted area must correspond to the encrypted data blocks on the disk.

To do this, at step 601, using the mask change tool, the last mask of the encrypted area stored on the disk is read. Next, at step 602, using the mask change tool, data blocks are determined for which the encryption index in the mask of the encrypted area does not match the state of the data block in the protection log (for example, the disk is encrypted, the data block in the protection log is present, but it is in the mask of the encrypted area corresponds to the zero bit). It is worth noting that in a particular embodiment, the conversion tool may not access the protection log, but directly to the disk to determine whether the data block on the disk is encrypted and whether this information matches the encryption value in the mask of the encrypted area.

As a result, at step 603, using the mask change tool in the mask of the encrypted area, the values of the encryption indicators for certain data blocks are reversed. Thus, the mask of the encrypted area will correspond to the protection log and, therefore, the state of the data blocks on the disk. A new mask of the encrypted area can be saved to disk and loaded into memory to continue the interrupted encryption process.

In a particular embodiment, to change the mask of the encrypted area, the sequential block change number is used, which is contained with each encrypted data block in the user protection log 103, as well as the sequence number of the mask change, which is contained with the mask of the encrypted area on disk 101. So, on step 601 additionally for each data block in the security log 103 using the means of changing the mask 107 read the sequence number of the block change. At step 602, the mask change log 104 corresponding to the last stored mask of the encrypted area is additionally read in mask storage log 104 using mask change means 107. As a result, at step 603, using the mask change tool 107 in the mask of the encrypted area for data blocks in which the serial number of the data block is greater than the serial number of the mask change, the encryption value is further changed to the opposite value.

FIG. 7 is an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any prior art bus structure comprising, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26, contains basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating ROM systems 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 7. Other devices, such as routers, network stations, peer-to-peer devices or other network nodes, may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In accordance with the description, components, execution steps, data structure described above can be performed using various types of operating systems, computer platforms, programs.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims.

Claims (10)

1. The system for changing the mask of the encrypted area in the RAM containing indicators defining for each data block of the disk is encrypted or decrypted, if a failure occurs in the computer system, containing
a) at least one protection log contained on the disk and necessary for storing encrypted data blocks in the process of full disk encryption;
b) a conversion tool associated with the protection log and intended for:
- saving during the process of full-disk encryption of encrypted data blocks in the protection log and on the disk in place of the original data block;
- save the mask of the encrypted area from the RAM to the disk in at least one instance when at least one of the following specified conditions is fulfilled since the last save of the mask of the encrypted area to the disk:
- a certain number of encrypted data blocks were saved in the protection log;
- after a specified period of time;
- changes in the encryption indicator in the mask of the encrypted area in the RAM for each stored encrypted data block by an indicator indicating that the stored data block is encrypted;
c) means of changing the mask associated with the means of conversion, with the protection log and intended for:
- reading from the disk of the saved mask of the encrypted area into RAM in the event of a system malfunction in the process of full disk encryption;
- definitions of data blocks contained in the protection log for which, in the read mask of the encrypted area on the disk, the encryption indicator indicates that the data blocks are decrypted;
- changing the value of the encryption indicator to the opposite value for certain data blocks contained in the protection log, for which in the read mask of the encrypted area the encryption indicator indicates that the data blocks are decrypted. 2. The system of claim 1, wherein the mask changing means is further adapted to determine data blocks for which the sequential change number of the data block is greater than the sequential mask change number, wherein:
- said sequential change number of the data block is equal to a number iteratively increasing for each encrypted data block written to the disk;
- said sequential mask change number is equal to the maximum value among sequential change numbers of data blocks for which in the last mask of the encrypted area on the disk the encryption indicator determines that said data block is encrypted. 3. The system of claim 2, wherein the conversion means is further provided for storing a serial number of a change in a data block in a security log. 4. The system of claim 3, wherein the conversion means is further provided for storing a sequential mask change number to disk. 5. The system of claim 1, wherein the mask of the encrypted area is
- bitmap;
- binary search tree;
- interval graph. 6. The way to change the mask of the encrypted area in the RAM, which contains indicators that determine for each block of disk data, is it encrypted or decrypted, if a failure occurs in a computer system in which
a) using the conversion tool, during the process of full-disk encryption, the encrypted data blocks are stored in at least one protection log and on a disk in place of the original data block, while the said protection log is stored on the disk and is necessary for storing the encrypted data blocks during the full-disk encryption ;
b) using the conversion tool, the encryption indicator in the mask of the encrypted area in the RAM for each stored encrypted data block is changed to an indicator indicating that the stored data block is encrypted;
c) using the conversion tool, save the mask of the encrypted area from the RAM to the disk in at least one instance when at least one of the following specified conditions is fulfilled since the last time the said mask of the encrypted area was saved to the disk:
- a certain number of encrypted data blocks were saved in the protection log;
- after a specified period of time;
d) using the mask change tool, the saved mask of the encrypted area is read into the RAM from the disk when a system malfunction occurs during the full-disk encryption process;
e) using the mask change tool, determine the data blocks contained in the protection log, for which the encryption indicator in the read mask of the encrypted area on the disk indicates that the data blocks are decrypted;
f) using the mask change tool, change the value of the encryption indicator to the opposite value for the data blocks defined in the previous step. 7. The method according to claim 6, in which, in step d), data blocks are determined for which the serial number of the data block is greater than the serial number of the mask change, wherein
- said sequential change number of the data block is equal to a number iteratively increasing for each encrypted data block written to the disk;
- said sequential mask change number is equal to the maximum value among sequential change numbers of data blocks for which the encryption indicator determines that said data block is encrypted in the mask of the encrypted area on the disk. 8. The method according to p. 7, in which at step a) using the means of conversion to the protection log additionally save the sequential change number of the data block. 9. The method according to claim 7, in which, in step c), the conversion number of the mask is additionally stored using the means of conversion to the disk. 10. The method of claim 6, wherein the mask of the encrypted area is
- bitmap;
- binary search tree; interval graph.

Images