US 11,689,365 B2
Centralized volume encryption key management for edge devices with trusted platform modules
Alexey Makhalov, Bellevue, WA (US); Maria Potapova, Bellevue, WA (US); Ravishankar Chamarajnagar, Atlanta, GA (US); Bo Gan, Bellevue, WA (US); Raghunath Krishnamurthy, Atlanta, GA (US); Sharath George, Bellevue, WA (US); and Sriram Nambakam, Bellevue, WA (US)
Assigned to VMWARE, INC., Palo Alto, CA (US)
Filed by VMware, Inc., Palo Alto, CA (US)
Filed on Oct. 23, 2019, as Appl. No. 16/661,198.
Claims priority of provisional application 62/875,248, filed on Jul. 17, 2019.
Prior Publication US 2021/0021418 A1, Jan. 21, 2021
Int. Cl. H04L 9/14 (2006.01); H04L 9/08 (2006.01); H04L 9/32 (2006.01); G06F 3/06 (2006.01)
CPC H04L 9/14 (2013.01) [G06F 3/067 (2013.01); G06F 3/0622 (2013.01); G06F 3/0653 (2013.01); H04L 9/0822 (2013.01); H04L 9/0877 (2013.01); H04L 9/3234 (2013.01)] 20 Claims
OG exemplary drawing
 
8. A method performed by instructions executed by at least one computing device, the method comprising:
generating, by a management service, a volume encryption key for a gateway device that is associated with a gateway-specific account with the management service;
storing, in the gateway-specific account, a predetermined platform configuration register (PCR) mask that is identified based on a particular gateway model of the gateway device, the predetermined PCR mask specifying at least one PCR that measures extractor code of the gateway device that unseals volume encryption keys;
generating, by the management service, a sealing authorization policy based on the predetermined PCR mask and expected PCR values, wherein the management service identifies the predetermined PCR mask based on the gateway-specific account; and
transmitting, from the management service to the gateway device, a command to seal the volume encryption key in a non-volatile memory of a trusted platform module (TPM) of the gateway device based on the predetermined PCR mask and the expected PCR values.