US 11,928,216 B2
Protecting an entire system disk by encrypting data stored in a portion of the system disk
Samyuktha Subramanian, Mountain View, CA (US); Jesse Pool, Ottawa (CA); Petr Vandrovec, Palo Alto, CA (US); and Viswesh Narayanan, Palo Alto, CA (US)
Assigned to VMware, Inc., Palo Alto, CA (US)
Filed by VMware LLC, Palo Alto, CA (US)
Filed on Dec. 18, 2020, as Appl. No. 17/127,696.
Prior Publication US 2022/0198021 A1, Jun. 23, 2022
Int. Cl. G06F 21/57 (2013.01); G06F 11/14 (2006.01); G06F 21/78 (2013.01); H04L 9/08 (2006.01); G06F 9/4401 (2018.01); G06F 21/72 (2013.01); H04L 9/32 (2006.01)
CPC G06F 21/575 (2013.01) [G06F 11/1435 (2013.01); G06F 11/1464 (2013.01); G06F 21/572 (2013.01); G06F 21/78 (2013.01); H04L 9/0897 (2013.01); G06F 9/4401 (2013.01); G06F 2201/84 (2013.01); G06F 2221/033 (2013.01)]
20 Claims
16. A computer system, comprising:
a memory; and
a processor coupled to the memory, the processor being configured to:
identify a portion of an OS disk of a host computing device, the portion of the OS disk including one or more files that store configuration data associated with OS binaries executed on the host computing device;
encrypt, using an encryption key, only the portion of the OS disk;
seal the encryption key to a trusted platform module (TPM) of the host computing device; and
boot the host computing device comprising:
attempting to unseal the encryption key by authenticating one or more of the OS binaries with the TPM;
when authenticating the one or more of the OS binaries is successful, completing boot of the host computing device by decrypting the portion of the OS disk using the encryption key to obtain the configuration data; and
when authenticating the one or more of the OS binaries is not successful, aborting boot of the host computing device.
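The seal, unseal and boot-abort flow recited in claim 16, as an added software model that is not code from the patent or from VMware. It assumes the OS binaries are authenticated by hashing them into a PCR-style measurement register; ModelTPM, measure, provision, boot and the sample binaries are hypothetical names, and no real TPM interface is used.

```python
import hashlib
import hmac
import os

class ModelTPM:
    """Software model of seal/unseal for illustration; not a real TPM interface."""
    def __init__(self):
        self._seed = os.urandom(32)  # secret that never leaves the model TPM
        self.pcr = bytes(32)         # single measurement register, zero at reset

    def extend(self, data):
        # PCR_new = SHA-256(PCR_old || SHA-256(data)); order-sensitive by design
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(data).digest()).digest()

    def _mac(self, label, data):
        return hmac.new(self._seed, label + data, hashlib.sha256).digest()

    def seal(self, key, expected_pcr):
        # Wrap the 32-byte key under a pad bound to the expected PCR value
        ct = bytes(a ^ b for a, b in zip(key, self._mac(b"wrap", expected_pcr)))
        return ct + self._mac(b"tag", expected_pcr + ct)

    def unseal(self, blob):
        ct, tag = blob[:32], blob[32:]
        if not hmac.compare_digest(tag, self._mac(b"tag", self.pcr + ct)):
            raise PermissionError("measured state does not match sealing policy")
        return bytes(a ^ b for a, b in zip(ct, self._mac(b"wrap", self.pcr)))

def measure(tpm, binaries):
    tpm.pcr = bytes(32)              # platform reset
    for image in binaries:
        tpm.extend(image)
    return tpm.pcr

def provision(tpm, binaries):
    key = os.urandom(32)             # key that encrypts the configuration portion
    return key, tpm.seal(key, measure(tpm, binaries))

def boot(tpm, binaries, blob):
    measure(tpm, binaries)
    try:
        return tpm.unseal(blob)      # success: caller decrypts the configuration
    except PermissionError:
        return None                  # failure: boot is aborted, key never released

# Constructed stand-ins for OS binaries
GOOD = [b"bootloader-v1", b"kernel-v1"]
TAMPERED = [b"bootloader-v1", b"kernel-v1-modified"]
```

Because the key is bound to the measured state, any change to a measured binary, or to the order in which binaries are measured, leaves the encrypted configuration unreadable.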