Abstract: Systems and methods for managing multiple keys for file encryption and decryption may provide an encrypted list of previously used keys. The list itself may be encrypted using a current key. To decrypt files that are encrypted in one or more of the previous keys, the list can be decrypted, and the appropriate previous key can be retrieved. To re-key files, an automated process can decrypt any files using previous keys and encrypt them using the current key. If a new current key is introduced, the prior current key can be used to decrypt the list of keys, the prior current key can be added to the list, and the list can be re-encrypted using the new current key.

Abstract: The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.

Abstract: Systems and methods for managing multiple keys for file encryption and decryption may provide an encrypted list of previously used keys. The list itself may be encrypted using a current key. To decrypt files that are encrypted in one or more of the previous keys, the list can be decrypted, and the appropriate previous key can be retrieved. To re-key files, an automated process can decrypt any files using previous keys and encrypt them using the current key. If a new current key is introduced, the prior current key can be used to decrypt the list of keys, the prior current key can be added to the list, and the list can be re-encrypted using the new current key.

Abstract: The secure application of content protection policies to content. The secure application of content protection polices is accomplished by having an enforcement mechanism monitor policy application points to detect the transfer of content. The enforcement mechanism accesses the content and a determination is made to protect the content. A usage policy is then identified by the enforcement mechanism to apply to the content and the usage policy is then applied to the content, resulting in a usage policy for the content.

Abstract: Systems and methods for managing multiple keys for file encryption and decryption may provide an encrypted list of previously used keys. The list itself may be encrypted using a current key. To decrypt files that are encrypted in one or more of the previous keys, the list can be decrypted, and the appropriate previous key can be retrieved. To re-key files, an automated process can decrypt any files using previous keys and encrypt them using the current key. If a new current key is introduced, the prior current key can be used to decrypt the list of keys, the prior current key can be added to the list, and the list can be re-encrypted using the new current key.

Abstract: In a storage system, multiple information units are individually associated with an access control policy (ACP) of multiple ACPs. Each respective information unit corresponds to a respective information unit encryption key (IUEK). The multiple information units are grouped into encryption zones based on their associated ACPs. In a described implementation, each ACP is associated with a zone root key (ZRK). In another described implementation, each IUEK corresponding to a given information unit is encrypted by an IUEK corresponding to an information unit at a most-proximate linked node of the storage system.

Abstract: The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.

Abstract: The secure application of content protection policies to content. The secure application of content protection polices is accomplished by having an enforcement mechanism monitor policy application points to detect the transfer of content. The enforcement mechanism accesses the content and a determination is made to protect the content. A usage policy is then identified by the enforcement mechanism to apply to the content and the usage policy is then applied to the content, resulting in a usage policy for the content.

Abstract: The offline consumption and publication of protected information in a networked environment. The offline consumption of protected information is accomplished by having the consuming user maintain a store of asymmetric encryption keys. The protected information is encrypted by the publishing user using a symmetric key and the symmetric key is then encrypted using a public asymmetric key associated with the consuming user. The consuming user received the protected information and a usage policy containing the encrypted symmetric key. The consuming user verifies that it can decrypt the symmetric key using a private asymmetric key maintained by the consumer. The user then decrypts the symmetric key and accesses the content of the protected information.

Abstract: An operating system copies data from memory pages into a paging file on disk, in order to free up space in the memory. A mechanism is disclosed that causes the data to be encrypted as it is copied into the paging file, thereby protecting the paged data from unauthorized (or otherwise undesired) observation. The data that is stored in the paging file is encrypted with a session key, that is generated shortly after the machine on which the paging file exists is started. The session key, which is used both for encryption and decryption of the paging file data, is stored in volatile memory, so that the key is not persisted across boots of the machine. Since the key is not persisted across boots, old paging file data that was stored prior to the most recent boot cannot be recovered in clear text, thereby protecting the data from observation.

Abstract: In a storage system, multiple information units are individually associated with an access control policy (ACP) of multiple ACPs. Each respective information unit corresponds to a respective information unit encryption key (IUEK). The multiple information units are grouped into encryption zones based on their associated ACPs. In a described implementation, each ACP is associated with a zone root key (ZRK). In another described implementation, each IUEK corresponding to a given information unit is encrypted by an IUEK corresponding to an information unit at a most-proximate linked node of the storage system.