The use of processing devices is pervasive throughout modern society. Many business, and other, enterprises rely upon their availability and operability to perform many tasks essential to the operation of the enterprise.
Many times, groups of computer stations are interconnected into Local Area Networks (LANs), and groups of the LANs are sometimes interconnected to form Wide Area Networks (WANs). And, sometimes, computing stations are configured to permit their remote connection to another network-connected device, for instance by way of a public network such as the Internet. The ability to interconnect a computer station with a remote device, such as a computer server or other computer station of a network, permits the exchange of information therebetween. For instance, data, typically configured into a data file, is sometimes exchanged between the disparately positioned devices.
The ease with which data can be exchanged between devices, while providing many advantages to enterprise, and other, operations, also gives rise to security-related issues. If a data file includes proprietary information, the ease with which the file can be accessed, copied, or otherwise used by an unauthorized party might well compromise the proprietary nature of the data. Significant efforts, therefore, are made to control access to the data and to take steps to prevent its unauthorized access.
Problems associated with unauthorized access to, and use of, data files are compounded by the portability of many devices capable of storing such data files. Portable computer stations, such as laptop computers, personal digital assistants, portable storage disks and drives, etc., are all exemplary of devices capable of storing data files.
In typical operation, a data file is operated upon and stored locally to facilitate query and manipulation thereof. As portable computer stations and portable storage elements are susceptible to loss or theft, efforts are made to maintain the security of stored data and data files even in the event of physical compromise, e.g., loss or theft, of any of such portable devices. More generally, irrespective of the technical form in which a data file is realized, the data requires protection, and efforts are made to prevent its compromise.
Accordingly, significant attention has been directed to controlling access to data files, wheresoever positioned. Existing solutions are generally based upon two approaches. First, end-user-managed encryption of single files is sometimes performed. And, secondly, encrypted file systems are sometimes utilized.
Various available operating systems, e.g., UNIX, MAC OS, and the Windows™ OS, as well as third-party utilities, provide encryption and decryption functionality to encrypt and decrypt single files. Certain of these operating systems and utilities also include password management utilities.
In a typical scenario, a user writes a clear text, i.e., an unencrypted, file to storage. Then, the user operates a file encrypt function, supplying an encryption key, that yields a new ciphertext, i.e., encrypted, file. The user then destroys the clear text file and stores the key that was used in the encryption procedure. Subsequently, when the user retrieves the file, the user supplies the ciphertext file and key to a decrypt function, and a clear text file is formed. Thereafter, if the file is to be written to storage again, such as subsequent to modification thereof by the user, the procedure must be repeated. This procedure, which requires manual selection by a user, is sometimes tedious. And, a user might elect not to encrypt the file. Additionally, sometimes the clear text working copy is not securely destroyed, and the copy becomes accessible to an unauthorized party; ordinary deletion typically removes only the directory entry, leaving the clear text data on the storage medium until it is overwritten. Additionally, key management of the encryption keys that are used pursuant to the encryption and decryption is sometimes problematical. If a single key is shared amongst many files, compromise of that key exposes the entire group of files, so the security of the group is reduced to that of the one key. And, exchange of encrypted files is sometimes difficult, as the encryption key must be transmitted by way of a secure channel to prevent its compromise.
When an encrypted file system is used, an accessed file appears to a user as a normal clear text file. However, the data of read and write operations is decrypted and encrypted as the data is retrieved from, and stored to, the actual underlying physical media. The manual operations of encrypting and decrypting required in the aforementioned end-user-managed scheme are obviated in an encrypted file system. However, conventional encrypted file systems do not permit encrypted file exchange. To send a data file to another user, or to copy data to another medium without exposing the clear text, a user still must resort to the end-user-managed, single-file-encryption scheme. An additional drawback to a conventional encrypted file system is that operating system utility software is generally unable to interpret or manipulate ciphertext files. For instance, an unattended backup routine is unable to back up individual files. And, disk space reporting utilities are unable to locate large files. Additionally, disk optimizer and repair utilities generally are unable to operate on encrypted file systems. An encrypted file system generally is not as robust as a native file system. That is to say, even a single disk error, which normally results in damage to a single file, might well result in the loss of all data in an encrypted file system. A disk error might result in the loss of all data on the device, resulting in the device being unbootable.
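To make the two schemes above concrete, the following is an added example written for this edit; it is not code from the original disclosure. It implements the end-user-managed single-file procedure of the first scheme, but with a fresh random key per file, so that compromise of one file's key does not expose the others, and with that per-file key stored in the file wrapped under a long-lived master key. It also adds a re-wrap step that prepares a file for exchange with another key holder by replacing only the wrapped key, never producing a clear text working copy, which is the exchange capability the second (encrypted file system) scheme lacks. The file layout, the function names, the use of the file name as associated data, and the master and recipient keys are assumptions of the example; the cryptography is Go's standard-library AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const (
	keyLen     = 32                         // AES-256 file keys and wrapping keys
	nonceLen   = 12                         // standard GCM nonce
	tagLen     = 16                         // GCM authentication tag
	wrappedLen = nonceLen + keyLen + tagLen // wrapped file key at the start of every file
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes draws keys and nonces from the OS CSPRNG; refusing to run beats a weak key.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce || AES-GCM(key, nonce, msg, aad) under a fresh random nonce.
func seal(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(nonceLen)
	return gcm.Seal(nonce, nonce, msg, aad), nil
}

// open reverses seal; callers guarantee len(blob) >= nonceLen+tagLen.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], aad)
}

// EncryptFile seals plaintext under a fresh per-file key and stores that key wrapped under
// masterKey. The file name is associated data, so a renamed or spliced file fails to open.
// Assumed layout: wrapped file key (60 bytes) || data nonce || ciphertext || tag.
func EncryptFile(masterKey, plaintext []byte, name string) ([]byte, error) {
	fileKey := randomBytes(keyLen)
	wrapped, err := seal(masterKey, fileKey, []byte(name))
	if err != nil {
		return nil, err
	}
	data, err := seal(fileKey, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	return append(wrapped, data...), nil
}

// unwrapFileKey recovers the per-file key; the master key never touches file data.
func unwrapFileKey(masterKey, blob []byte, name string) ([]byte, error) {
	if len(blob) < wrappedLen+nonceLen+tagLen {
		return nil, errors.New("encrypted file truncated")
	}
	return open(masterKey, blob[:wrappedLen], []byte(name))
}

// DecryptFile reverses EncryptFile; any tampering surfaces as an error, not as garbage.
func DecryptFile(masterKey, blob []byte, name string) ([]byte, error) {
	fileKey, err := unwrapFileKey(masterKey, blob, name)
	if err != nil {
		return nil, err
	}
	return open(fileKey, blob[wrappedLen:], []byte(name))
}

// RewrapForRecipient replaces only the wrapped key, copying the data ciphertext unchanged,
// so a file can be handed to another key holder without a clear text working copy.
func RewrapForRecipient(masterKey, recipientKey, blob []byte, name string) ([]byte, error) {
	fileKey, err := unwrapFileKey(masterKey, blob, name)
	if err != nil {
		return nil, err
	}
	rewrapped, err := seal(recipientKey, fileKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return append(rewrapped, blob[wrappedLen:]...), nil
}
```

Two points the example does not solve, matching the drawbacks noted above: the keys still have to be stored and the recipient's wrapping key still has to be established over a secure channel, and the caller remains responsible for destroying any clear text working copy it writes out, which on most file systems requires more than an ordinary delete.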
An improved manner by which to maintain data in secure form is therefore needed.
It is in light of this background information related to the maintenance of data in secure form that the significant improvements of the present invention have evolved.