US 11,055,414 B2
Method for a secured start-up of a computer system, and configuration comprising a computer system and an external storage medium connected to the computer system
Heinz-Josef Claes, Munich (DE)
Assigned to Fujitsu Technology Solutions Intellectual Property GmbH, Munich (DE)
Appl. No. 16/95,911
Filed by Fujitsu Technology Solutions Intellectual Property GmbH, Munich (DE)
PCT Filed Dec. 1, 2017, PCT No. PCT/EP2017/081232
§ 371(c)(1), (2) Date Oct. 23, 2018,
PCT Pub. No. WO2018/114292, PCT Pub. Date Jun. 28, 2018.
Claims priority of application No. 10 2016 125 416.9 (DE), filed on Dec. 22, 2016; and application No. 10 2017 106 042.1 (DE), filed on Mar. 21, 2017.
Prior Publication US 2021/0034750 A1, Feb. 4, 2021
Int. Cl. G06F 21/57 (2013.01); G06F 21/60 (2013.01); G06F 21/74 (2013.01); G06F 21/72 (2013.01)
CPC G06F 21/575 (2013.01) [G06F 21/602 (2013.01); G06F 21/725 (2013.01); G06F 21/74 (2013.01); G06F 2221/2107 (2013.01)]
11 Claims

1. A method for a secured start-up of a computer system including an encrypted file system stored in a first storage area of a storage in the computer system, wherein the method comprises steps automatically executed during start of the computer system:
triggering a start-up process of the computer system by accessing a second storage area of the storage in which the program data required for the start-up process are stored,
loading and executing the program data required for the start-up process from the second storage area,
mounting an external storage medium that is connected to the computer system, wherein a file system key that decrypts the file system data of the encrypted file system is stored on the external storage medium, wherein the file system key is encrypted on the external storage medium,
loading the encrypted file system key from the external storage medium into the computer system,
decrypting the encrypted file system key by a key stored in the second storage area,
setting the decrypted file system key in a cryptographic module established by the start-up process, and
decrypting and loading file system data of the encrypted file system by the cryptographic modules by the set file system key, whereby the computer system is started up completely,
wherein the file system key is stored on the external storage medium in a key file that includes an identifier of the external storage medium in addition to the file system key, the key file is loaded from the external storage medium into the computer system, and a verification is performed whether the identifier of the external storage medium included in the key file matches an actual identifier that was determined by mounting the external storage medium,
wherein, after a complete start-up of the computer system, further steps are performed:
loading a copy of the key file stored in the file system,
verifying whether the key file loaded from the external storage medium matches the loaded copy of the key file,
extracting an identifier of the external storage medium from the loaded copy of the key file, and
verifying whether the identifier that was extracted from the loaded copy of the key file matches the actual identifier, which has been determined by mounting the external storage medium, which is connected to the computer system, in the started-up file system.
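
The two verification stages of claim 1, as an added example that is not part of the patent text. The JSON key-file layout, the field names medium_id and wrapped_key, and the sample values are assumptions; the claim names no cipher, so unwrapping the file system key with the key from the second storage area is left out.

```python
import hmac
import json

# Constructed sample data: a medium identifier and a key file bound to it.
SAMPLE_ID = "MEDIUM-SERIAL-0001"
SAMPLE_KEY_FILE = json.dumps(
    {"medium_id": SAMPLE_ID, "wrapped_key": "00112233445566778899aabbccddeeff"}
).encode()

def parse_key_file(raw: bytes) -> dict:
    """Parse the assumed key-file layout: identifier plus encrypted key."""
    doc = json.loads(raw.decode("utf-8"))
    if not isinstance(doc, dict):
        raise ValueError("key file is not an object")
    medium_id, wrapped = doc["medium_id"], doc["wrapped_key"]
    if not isinstance(medium_id, str) or not isinstance(wrapped, str):
        raise ValueError("malformed key file")
    return {"medium_id": medium_id, "wrapped_key": bytes.fromhex(wrapped)}

def check_at_boot(key_file: bytes, actual_id: str) -> bytes:
    """Release the still-encrypted key only if the identifier in the key file
    matches the identifier determined by mounting the medium."""
    kf = parse_key_file(key_file)
    if not hmac.compare_digest(kf["medium_id"].encode(), actual_id.encode()):
        raise PermissionError("key file is bound to a different medium")
    return kf["wrapped_key"]

def check_after_boot(key_file: bytes, stored_copy: bytes, actual_id: str) -> bool:
    """Post-start-up check against the copy kept inside the decrypted file system."""
    # Step 1: the key file loaded from the medium must equal the stored copy.
    if not hmac.compare_digest(key_file, stored_copy):
        return False
    # Step 2: the identifier extracted from the copy must equal the identifier
    # the started-up system sees for the mounted medium.
    try:
        copy_id = parse_key_file(stored_copy)["medium_id"]
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(copy_id.encode(), actual_id.encode())

if __name__ == "__main__":
    print(check_at_boot(SAMPLE_KEY_FILE, SAMPLE_ID).hex())
    # Same key file copied to another medium: the identifiers no longer match.
    print(check_after_boot(SAMPLE_KEY_FILE, SAMPLE_KEY_FILE, "MEDIUM-SERIAL-9999"))
```

The second stage matters because the stored copy sits inside the encrypted file system, so a key file altered on the medium after provisioning fails the comparison even when its embedded identifier still matches.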