Abstract: Systems and methods for purpose-based access control are provided. In one embodiment, a method for determining access to an asset comprises receiving, from a user, an access request for the asset, the access request specifying a purpose for accessing the asset, and authorizing access to the asset if the purpose is approvingly linked to the asset. In this way, unrestricted collaboration across an organization may be allowed without risking inappropriate disclosure.

Abstract: The exemplary embodiments provide an improved approach to preventing exfiltration through email messages. The exemplary embodiments process outbound email messages to determine whether an outbound email message contains sensitive subject matter based on contextual information. The determination may be made based at least in part on the context reflected in the contextual information. In the exemplary embodiments, the determination of whether an outbound email message contains sensitive subject matter that should not be exfiltrated may be based at least in part on analysis performed by a trained neural network model.

Abstract: A deduplication system (100) includes encryption apparatuses (400), a conversion key generation apparatus (500), a tag conversion apparatus (600), and a match determination apparatus (700). The encryption apparatuses (400) each generate encryption tag (ETag) using an encryption key (ek) and plaintext (M). The conversion key generation apparatus (500) generates a conversion key (ck) using the encryption key (ek) and a conversion key generation key (tk). The tag conversion apparatus (600) converts an encryption tag (ETag) for which the same plaintext (M) has been used into an encryption tag (T) that takes the same value regardless of a value of the encryption key (ek) used for the encryption tag (ETag) by applying the conversion key (ck) to the encryption tag (ETag). The match determination apparatus (700) determines whether the values of two encryption tags (T) match.

Abstract: A mechanism for providing secure feature and key management in integrated circuits is described. An example integrated circuit includes a secure memory to store a secret key, and a security manager core, coupled to the secure memory, to receive a digitally signed command, verify a signature associated with the command using the secret key, and configure operation of the integrated circuit using the command.

Abstract: A word mining method and apparatus, an electronic device and a readable storage medium are disclosed. The method includes: acquiring search data; taking first identification information, a search sentence and second identification information in the search data as nodes, and taking a relationship between the first identification information and the search sentence, a relationship between the first identification information and the second identification information and a relationship between the search sentence and the second identification information as sides to construct a behavior graph; obtaining a label vector of each search sentence in the behavior graph according to a search sentence with a preset label in the behavior graph; determining a target search sentence in the behavior graph according to the label vector; and extracting a target word from the target search sentence, and taking the target word as a word mining result of the search data.

Abstract: A mobile device includes a processing circuit to perform operations including transmitting a device token and a customer token to a computing system, the device token identifying the mobile device and a first session of a client application, the customer token identifying a user. The operations can include enabling access to the client application during the first session based on the device token and the customer token and receiving a second device token, the second device token identifying the mobile device and a second session. The operations can include receiving, during the first session, an identification number associated with an account of the user for a transaction, the identification number generated in response to a fund request from the mobile device. The operations can include providing a user interface displayed on the mobile device during the first session and receiving during the first session, an approval for the transaction.

Abstract: A method including determining, by a manager device configured to manage network services provided by an infrastructure device, a manager request including a signature header signed by utilizing a manager private key associated with the manager device and a timestamp header identifying a point in time when the signature header was signed; transmitting, by the manager device to the infrastructure device, the manager request to request performance of an action associated with managing the network services; and receiving, by the manager device from the infrastructure device based at least in part on transmitting the manager request, an authorization message indicating successful authorization of the manager request, the successful authorization being based at least in part on a verification that a time difference between the point in time when the signature header was signed and a current time satisfies a predetermined duration of time is disclosed. Various other aspects are contemplated.

Abstract: System and methods are provided to facilitate the exchange of user data between two parties, but limit the exchange of user data to users that are known to both parties. According to an embodiment, encrypted first user data is transmitted from a first device to a second device. The second device then transmits intersection data to the first device, where the intersection data is based on the encrypted first user data and second user data. The intersection data may be decrypted by the first device and the first device may determine, based on the decrypted intersection data, that one or more users are common to the both the first device and the second device. The first and second devices may then exchange data pertaining to the common users.

Abstract: Methods, systems, and computer program products for application-specific, real-time modification of application programming interface behavior. Meaning is derived from analysis of human-readable intelligence found in a collaboration object of a content management system. The meaning is used to inform the behavior of an application programming interface that is exposed to applications that interface with the content management system. The content management system invokes a range of analysis modules that examine the human-intelligible contents of a requested collaboration object to determine meaning from the human-intelligible contents. Content-derived tags are emitted based on the analysis. When the application invokes an entry point of the API, a set of content-derived tags are associated with the application, and the occurrence and/or values of the content-derived tags are then used in rules. The results of evaluation of the rules determine how the API will respond to the application.

Abstract: Provided is a system and method for confidential repository searching. The method executed on a first computing device and includes: receiving an encrypted query term from the second computing device; searching the encrypted data repository by determining one or more matches of the encrypted query term to data in the encrypted data repository; communicating the one or more matches to the second computing device; receiving associative data from the second computing device, the associative data associated with data in the encrypted data repository that is to be retrieved and associated with one of the one or more matches; retrieving the encrypted data in the encrypted data repository associated with the received associative data; and communicating the retrieved encrypted data to the second computing device.

Abstract: A digital license plate has a secure communication system able to initialize the digital license plate, support external communications, and have various antitheft features. In some embodiments, a communication module can transmit both vehicle identification number and digital license plate identifier to a central server. The central server is able to act in the event of a security mismatch to modify operation of the digital license plate.

Abstract: A technological approach to management of data lifecycle includes protecting data. Datasets from distinct computing environments of an organization can be scanned to identify data elements subject to protection, such as sensitive data. Data lineage associated with the identified data elements can be determined including relationships amongst other data and linkages between computing environments or systems. The identified elements can be automatically protected based at least in part on the lineage such as by masking, encryption, or tokenization. Further, the datasets can be monitored to create audit trails for interactions with the datasets.

Abstract: The description relates to systems and methods for extending applications. For example, a voice assistant application can be the application to be extended. In an example, a mobile banking application can be the application that provides the extension. For example, a voice assistant might not have capability to conduct fingerprint (or biometric) authentication and bill payment function. An extension point within the voice assistant application that would enable this kind of capability might not exist. The mobile banking application can have a biometric tool for fingerprint authentication capability and a payment tool for a bill payment or money transfer function. Embodiments described herein can involve a deep link from the voice assistant application to the mobile banking application (which does offer fingerprint authentication and bill payment capability). The navigation to the mobile banking application can generate a visual impression at the UI similar or consistent with the voice assistant application.

Abstract: Embodiments of the present disclosure provide methods and apparatuses for blockchain-based multi-party computation, a device and a medium, relate to blockchain technology in the field of computer technology. An embodiment of the method can include: encrypting business data, to obtain a ciphertext of the business data; hashing the ciphertext of the business data, to obtain a hash result of the business data; sending the hash result of the business data to a blockchain node, so that the blockchain node writes the hash result of the business data into a blockchain; and sending the ciphertext of the business data to a target trusted computing module in a target server, for instructing the target trusted computing module to perform multi-party computation based on the ciphertext of the business data and the hash result of the business data in the blockchain.

Abstract: A computer-implemented method includes receiving deduplication information at a storage system. The deduplication information is accessible to the storage system for performing operations thereon. The deduplication information includes signatures associated with portions of client data. The method also includes receiving the client data encrypted with a client secret key. The client secret key is unavailable to the storage system. The method includes deduplicating data chunks stored in the storage system against chunks of the client data, wherein the client data chunks are selected from the client data for deduplication using the deduplication information.

Abstract: A model parameters security protection method is implemented in a computing device in communication connection with at least one security protection device. The method includes training a data model based on an artificial neural network using a number of images and obtaining parameter information of the data model, encrypting the parameter information and generating a configuration file comprising the encrypted parameter information, and sending the configuration file to the at least one security protection device. The parameter information includes at least one of a weight of neuron and an offset value of the neuron of the artificial neural network.

Abstract: A method including determining, by a manager device configured to manage network services provided by an infrastructure device, a manager request including a signature header signed by utilizing a manager private key associated with the manager device and a timestamp header identifying a point in time when the signature header was signed; transmitting, by the manager device to the infrastructure device, the manager request to request performance of an action associated with managing the network services; authorizing, by the infrastructure device, the manager request based at least in part on determining that a difference between the point in time when the signature header was signed and a current time satisfies a predetermined duration of time; and enabling, by the infrastructure device, performance of the action associated with managing the network services based at least in part on authorizing the manager request. Various other aspects are contemplated.

Abstract: A method and apparatus for processing a transaction between a merchant system and a customer system, the customer system associated with a customer of the merchant are described. The method may include receiving, at a commerce platform, a transaction request from the merchant system, wherein the transaction request is generated by the merchant system and comprises a card identifier and encrypted payment card data, wherein the card identifier is determined from card data for a payment card used in the transaction and the encrypted payment card data comprises at least an encryption of a payment account number. The method may also include decrypting, by the commerce platform, the encrypted payment card data using an encryption key selected based on the card identifier, the encryption key associated with the commerce platform. Furthermore, the method may include authorizing, by the commerce platform in communication with one or more authorization systems, the transaction using the decrypted payment card data.

Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.

Abstract: A packet is received by a hypervisor from a first virtualized execution environment, the packet to be provided to a second virtualized execution environment. It is then determined whether the packet was successfully delivered to the second virtualized execution environment. In response to determining that the packet was not successfully delivered to the second virtualized execution environment, a network policy is identified that indicates whether to subsequently provide the packet to the virtualized execution environment. In response to the network policy indicating that the packet is to be subsequently provided, the packet is provided to the virtualized execution environment again.

Abstract: This disclosure describes techniques that include identifying sensitive information from any appropriate set of data, such as data produced by operations of a business or organization. In one example, this disclosure describes a method that includes receiving text data containing sensitive information, including structured sensitive information and unstructured sensitive information; applying a rule-based model to identify the structured sensitive information in the text data; applying a machine learning model to identify the unstructured sensitive information in the text data, wherein the machine learning model has been trained to identify unstructured sensitive information in text; and generating output text data from the text data by modifying the structured sensitive information identified by the rule-based model and the unstructured sensitive information identified by the machine learning model.

Abstract: Managing network interactions by engaging a networked information broadcast service, receiving information from the networked information broadcast service, filtering the information according to a profile, and sending information according to the filtered information using another network communications connection.

Abstract: A system and method for secure cloud computing. The cloud based processing system comprises a user interface, allowing a user to enter and edit data, a proxy server, and a cloud based processing server. The user interface sends data entered by a user to the proxy server, which sends the encrypted data to the cloud based processing server. The proxy server receives editing commands from the user interface, and sends those commands to the cloud based processing server along with the encrypted data. The cloud based processing server receives the encrypted data and editing commands, applies the editing commands to the encrypted data, and sends the edited encrypted data back to the proxy server.

Abstract: A user using a client computer registers with a server computer over a computer network by submitting a biometric scan of a body part of the user. The user commands the client computer to encrypt an electronic file. The client computer generates a private key, encrypts the electronic file and transmits the key to the server computer. The client computer saves the encrypted file. The encrypted file and the key are saved at different physical locations. The owner of the file is able to grant permission to other registered users to unlock the encrypted file.

Abstract: Embodiments disclosed herein relate to methods, systems, and computer programs for verifying that data incorporated into a computer program is current. The methods, systems, and computer programs compare a source identifier status code associated with the data to a current source identifier status code at the location where the data was obtained. The methods, systems, and computer programs include at least one validation function which determines the validity of the data according to selected parameters. If the source identifier status code and current source identifier status code match and the at least one validation function determines the data is valid, an executable computer program incorporating the data and one or more functions is produced as output.

Abstract: A method of controlling the operating mode of a remote device based upon a local user preference setting includes determining a user privacy setting by a user at a local device and storing the user privacy setting. The user privacy setting is conveyed to the remote device and the operational mode of the remote device is modified based upon the transmitted user privacy preference setting. The operational mode of the remote device is returned to the normal operational mode upon meeting a predetermined condition.

Abstract: A storage system and method for command execution ordering by security key are provided. In one example, the storage system has a non-volatile memory, a volatile memory storing a plurality of keys, and a controller with a cache storing a subset of the plurality of keys. The storage system gives priority to a command whose key is stored in the cache in the controller over commands whose keys are stored only in the volatile memory. This avoids transferring a key from the volatile memory to the cache in the controller, thereby improving efficiency of the storage system.

Abstract: Systems, methods, and computer program products for a contactless automated teller machine (ATM) experience receive, from a telephone number, a first short message service (SMS) message including a unique identifier associated with an ATM terminal; in response to receiving the first SMS message, communicate, to the ATM terminal, a first password associated with the telephone number and the unique identifier; receive, from the telephone number, a second SMS message including the first password; verify the first password; in response to verifying the first password, transmit, to the telephone number, a third SMS message including an option to withdraw cash from the ATM terminal; receive, from the telephone number, a fourth SMS message including a selection of the option to withdraw the cash from the ATM terminal; and communicate, to the ATM terminal, a cash dispense command that causes the ATM terminal to dispense the cash.

Abstract: A method and a system for preventing an activity of a malware application in a computer system are provided. The method comprising: receiving at least one artefact of a sandbox environment to be installed in the computer system for simulating the sandbox environment in the computer system; receiving an indication of at least one interaction of a given application with the at least one artefact; analyzing an activity of the given application to detect at least one of a first type event and a second type event triggered thereby after executing the at least one interaction; in response to the analyzing rendering a positive result: identifying the given application as being the malware application; and using data indicative of a digital footprint of the given application in the computer system for further updating the at least one artefact for further preventing the activity of the malware application.

Abstract: A method for initiating a cardless automated teller machine (ATM) transaction via a mobile computing device includes: storing, in a memory of a mobile computing device, at least transaction account data and authentication data; receiving, by an input device of the mobile computing device, at least desired transaction data and authentication information; receiving, by the input device of the mobile computing device, a unique identifier associated with an automated teller machine (ATM); authenticating, by an authentication module of the mobile computing device, the received authentication information based on the stored authentication data; and electronically transmitting, by a transmitting device of the mobile computing device, at least the received desired data and unique identifier and a result of the authentication to an external computing system.

Abstract: A method performed by a device for identifying a network node within a network to which data will be replicated is disclosed. The method comprises encrypting a session key according to an attribute-based encryption scheme; broadcasting the encrypted session key within the network; receiving at least one message encrypted using the session key from at least one network node within the network; and selecting a network node from the at least one network node to which data will be replicated. A further method, a device and a non-transitory machine-readable medium are also disclosed.

Abstract: The present invention concerns a method for secure data classification by a computer platform. A client sends to the platform data to be classified in encrypted form using a first symmetric key. Similarly, a supplier sends to the platform parameters of a classification model in encrypted form using a second symmetric key. The invention uses a homomorphic cryptosystem defined by a public key and a private key. The platform performs a first transcryption step by deciphering the data to be classified in the homomorphic domain and a second transcryption step by deciphering the model parameters in the homomorphic domain. The classification function is then evaluated in the homomorphic domain for providing a classification result encrypted by said public key.

Abstract: In one embodiment, a file system of a computing device may receive from a first application a write request to write a file to a storage device of the computing device. The request may include a privacy preference for the file. In response to the write request, the file system may generate privacy metadata corresponding to the privacy preference, associate the privacy metadata to the file, and write the file and the associated privacy metadata to the storage device. The file system may receive from a second application a read request to read the file from the storage device. In response to receiving the read request, the file system may provide the second application access to the file and the associated privacy metadata. The privacy metadata can be configured to be used by the second application to select a distribution policy for the file.

Abstract: In some examples, a system and method for pairing a payment object reader with a point-of-sale (POS) terminal is described herein. The payment object reader includes one or more light indicators configured to display information in an optical pattern of one or more colors, brightness, lightness, and intensities, wherein the light indicators display a first optical pattern representative of an operational status of the payment object reader in a first mode, and a second optical pattern representative of a pairing code in a second mode. A display control component, executed by a processor, is configured to control the light indicators in accordance with the pairing code to generate the second optical pattern, the second optical pattern when shared with the POS terminal enables pairing between the payment object reader and the POS terminal. When paired, the payment object reader allows the POS terminal to accept payments from a customer.

Abstract: A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.

Abstract: There is provided a computer implemented method encrypting and/or decrypting data, comprising: accessing data for encryption and/or decryption, wherein the data is of a user account of a plurality of user accounts, obtaining an account key in an encrypted state, the account key is obtained from an account key dataset storing at least one encrypted account key for each of the user accounts, providing over the network, the encrypted account key to a key management system(s) (KMS) hosted by a server, receiving over the network, a decrypted account key from the server hosting the KMS(s), wherein the KMS(s) decrypts the encrypted account key using an organization key stored and managed by the KMS(s), storing the decrypted account key in a data storage device set to provide temporary storage for decrypted account keys, and encrypting and/or decrypting the data associated with the user account using the decrypted account key.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for referenced access control lists. In one aspect, a method includes accessing an object hierarchy for a plurality of objects, each object being representative of one of a storage location or a file. The object hierarchy includes for each object, a respective node, for each object that is a parent object having a child object, a directed edge connecting the node representing the parent object. In addition, for each object, including metadata that includes an access control list identifier that identifies an access control list for the object and that is owned by an access control list root object. The method including receiving updates to an access control list for particular objects, generating a new access control list, and storing the new access control list identifier in metadata for each object that descends from the particular object.

Abstract: A system and methods for facilitating secure computing device control and operation. The invention discloses a framework to supply security and policy-based control to computing applications as a software service. Clients running the framework make requests for services whereby they identify the service needed and its required parameters, encrypt and sign them, and send them to the service handler. The service handler decrypts, checks for policy allowance, and then, if allowed, executes the functions. The handler then encrypts and returns the response to the client. The framework allows for an aggregator that collects service requests for any number of clients and manages the distribution to service handlers and communications back to the clients.

Abstract: Various examples are directed to systems and methods for executing a web application with client-side encryption. A web browser can receive a document comprising a plurality of data elements including a secure element that comprises an encrypted value. An extension component may generate a secure container element to replace the secure element. The extension component can also insert a subdocument into the secure container element. The web browser may be configured to prevent web applications from accessing the subdocument. The extension component may also decrypt the encrypted value to generate a clear value and write the clear value to the subdocument. The web browser may render the document using the clear value.

Abstract: A method and system for performing authentication for a backup service provided by a server is provided. The method receives a request for authentication from a client device, the request for authentication including a signature generated using a private key. The method sends a request to obtain a public key corresponding to the private key to the server and receives the public key from the server, the public key being retrieved by the server from a backup of a virtual machine. The method verifies the signature using the public key and generates a token encrypted using the public key, the token enabling the client device to access the server for the backup service. The method sends the token to the client device, the token to be decrypted using the private key by the client device.

Abstract: The description relates to systems and methods for extending applications. For example, a voice assistant application can be the application to be extended. In an example, a mobile banking application can be the application that provides the extension. For example, a voice assistant might not have capability to conduct fingerprint (or biometric) authentication and bill payment function. An extension point within the voice assistant application that would enable this kind of capability might not exist. The mobile banking application can have a biometric tool for fingerprint authentication capability and a payment tool for a bill payment or money transfer function. Embodiments described herein can involve a deep link from the voice assistant application to the mobile banking application (which does offer fingerprint authentication and bill payment capability). The navigation to the mobile banking application can generate a visual impression at the UI similar or consistent with the voice assistant application.

Abstract: Embodiments are directed to providing remote healthcare services including remote diagnostics, and facilitating third-party healthcare payments. In one embodiment, a computer system receives an input including authentication credentials from a healthcare entity, and also requests assistance from another healthcare entity. The computer system authenticates the first healthcare entity using the authentication credentials, receives an input including authentication credentials from the other healthcare entity, and authenticates the other healthcare entity using these authentication credentials. The computer system further receives real-time information related to a health condition of a patient, where the real-time health condition information is provided to the second healthcare entity.

Abstract: The systems, devices, and methods discussed herein are directed to a portable communication device, or a user equipment (UE), for obtaining cellular network services with an unassociated cellular network with assistance from a wireless local area network (WLAN). The UE registers with the WLAN, discovers the unassociated cellular network, sends request to a WLAN service provider of the WLAN to obtain cellular network services with the unassociated cellular network, and obtains cellular network services with the unassociated cellular network.

Abstract: A cloud-based platform encrypts data imported from an organization using respective data encryption keys (DEK). The platform prevents decrypted data of the organization, and the DEK(s) used to encrypt such data, from being persistently retained within the platform. Access to the DEK may be controlled by the organization. Accordingly, the organization may retain control over access to its data, after the data has been exported to the platform. The platform may provide a purge control by which the organization can configure the platform the purge any cached DEK and/or unencrypted data pertaining to the organization.

Abstract: A method for combining different partial data includes providing a secure connection between a connection unit in a first network and an analysis unit a second network, separating original data into at least two items of partial data comprised of analysis data and personal data as first and second partial data that can be assigned to each other by way of assigning information, pseudonymizing the second partial data, transmitting the first partial data and pseudonymized second partial data and the assigning information to the analysis unit, storing the second partial data on the connection unit, providing third partial data on the analysis unit in the form of analyzed first partial data, transmitting the third partial data and the pseudonymized second partial data with the assigning information to the connection unit via the secure connection, and combining the third partial data and the second partial data using the assigning information.

Abstract: Authentication is a key procedure in information systems. Conventional biometric authentication system is based on a trusted third-party server which is not secure. The present disclosure provides a privacy preserving multifactor biometric authentication for authenticating a client without the third-party authentication server. The server receives a plurality of encrypted biometric features from the client, encrypted using Fully Homomorphic Encryption. Further, the server evaluates the plurality of encrypted biometric features to obtain a client identifier value and a plurality of encrypted resultant values. The server encrypts each of the plurality of resultant values based on a time based nonce and the client identifier value. The encrypted authentication tags and the corresponding resultant values are aggregated by the server and transmitted to the client. The client decrypts the resultant value and the authentication tag and transmits to the server.

Abstract: An object blocking method, a terminal, a server, and a storage medium are provided. The method includes: sending, when whether to block a target object cannot be determined according to a first blocking strategy library, feature information of the target object to a server. The feature information instructs the server to generate a target blocking strategy according to the feature information and feed back the target blocking strategy. The method also includes: receiving the target blocking strategy fed back by the server; adding the target blocking strategy to the first blocking strategy library; and performing subsequent object blocking according to the first blocking strategy library added with the target blocking strategy, including: determining whether to block the target object according to the target blocking strategy in the first blocking strategy library.

Abstract: A method and a computing apparatus for tracking device utilization are provided. The method includes: obtaining first data that relates to a physical location of a device; obtaining second data that relates to network switch information of the device; obtaining third data that relates to a network activity performed by using the device; using each of the first data, second data, and third data to determine a utilization of the device; and outputting a result of the determination. The first data may include a building identification, a floor number, and/or a seat identification. The second data may include a switch host name, card information, and/or port information. The third data may include a management system into which the device is logged in.

Abstract: Systems and methods utilized to protect data. One method includes maintaining, by one or more processing circuits in a production environment, encrypted data associated with a cryptographic function. The method further includes decrypting, by the one or more processing circuits in the production environment, the encrypted data to generate cleartext data. The method further includes encrypting, by the one or more processing circuits, the cleartext data using a homomorphic encryption function to generate ciphertext data. The method further includes masking, by the one or more processing circuits, the ciphertext data using a masking function to generate alternate ciphertext data. The method further includes decrypting, by the one or more processing circuits, the alternate ciphertext data to generate masked cleartext data and storing, by the one or more processing circuits in a lower environment, the masked cleartext data.

Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.