Secure boot of virtualized computing instances

Assignee

• Bracket Computing, Inc. · US

Inventors

• Jason A. Lango · Mountain View, US
• Adam Cain · Madison, US
• Nitin Bahadur · San Francisco, US
• John K. Edwards · Sunnyvale, US
• Kevin George · Hartland, US
• William McGovern · San Jose, US
• Andrew G. Tucker · Menlo Park, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2009/45587
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

In an approach, a secure boot process includes two phases. In the first phase an on premises device generates a data encryption key (DEK) with which to encrypt an operating system image and a key encryption key (KEK) with which to wrap the DEK. The on-premises device then utilizes a key management service to wrap the KEK with an account root key and writes the wrapped DEK and wrapped KEK onto a label of the encrypted operating system image. The encrypted operating system image is then uploaded to a virtual data center and merged with an intermediary guest manager image. When the encrypted machine image is used to generate a virtual machine instance, the intermediary guest manager utilizes the key management service to unwrap the KEK. The unwrapped KEK is then used to unwrap the wrapped DEK which is then used to launch the encrypted guest operating system.