DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 04/16/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-3, 7-15, and 19 are rejected under 35 U.S.C. 102(a)(1) and/or 102(a)(2) as being anticipated by Ferguson et al. (US Patent Application Publication No. 2015/0319160 A1) listed in IDS dated 04/16/2025 hereinafter Ferguson.
Regarding claims 1, 14, and 19, Ferguson discloses a method/node/medium comprising: a processor (para 0283, a computer system including one or more processors); and
a memory coupled to the processor, wherein the memory comprises a cluster deployment unit (para 0283, a computer system including one or more processors and computer readable media such as computer memory. In particular, the computer memory may store computer executable instructions that when executed by one or more processors cause various functions to be performed, such as the acts recited in the embodiments):
retrieving, from a blueprint, resource information required to deploy a cluster comprising a first host computing system/plurality of cluster nodes and a virtual cluster manager node to manage the first host computing system/plurality of cluster nodes, wherein the resource information comprises host information and disk information required to deploy the virtual cluster manager node, and encryption information associated with a key provider (para 0049, the VMs 208, 209 and 210 are deployed onto one of the hosts 230 in the fabric. In the embodiments illustrated herein, a “host” is a virtualization platform. The host, in some examples illustrated, includes the hypervisor 215 deployed on hardware (illustrated as server 251) plus a host VM 231 which is deployed on the hypervisor 215, para 0052, a virtual storage device may include or be associated with metadata that is meant for use by a hypervisor 215, para 0094, the tenant creating shield VMs based on Templates, para 0095, offers a gallery of templates … Such a template is a complete or partial definition of a VM, para 0097, the template may contain secrets such as software, data or credentials for connecting to external services, and it is useful to protect the template through encryption, whereby the hypervisor is a virtualization manager i.e. a virtual cluster manager node, to manage a cluster of hosts, i.e. cluster manager nodes, as defined in para 0013 of the description of the present application as filed, and shielded VMs are generated based on templates);
based on the host information and the disk information, creating a clustered datastore on the first host computing system (para 0049, the deployment action may be undertaken by the tenant using a self-service management portal presented by a VMM 253, para 0096, create shielded VMs from such a template);
deploying the virtual cluster manager node on the clustered datastore (para 0101, The tenant may want to deploy and retrieve the shielded VM for execution in a private cloud or at another service provider. If the tenant has a datacenter with a similar hosting fabric for protecting VMs with secure hosting services, an inter-datacenter transfer as described above can be used);
based on the encryption information associated with the key provider, encrypting the virtual cluster manager node and associated disks (para 0053, an entire virtual storage device including the metadata meant for use by the hypervisor may be encrypted, para 0097, since this encryption is done with a key that belongs to the author of the template, the virtual storage device is re-keyed (e.g., decrypted and re-encrypted with a different key) with a key that is specific to the VM and, consequently, to the tenant, para 0098, in the process of … creating a shielded VM … re-encrypting the template VHD to create a VM VHD); and
upon encrypting the virtual cluster manager node, creating the cluster and adding the host computing system to the cluster (para 0101, the tenant’s public key can be included within the VM metadata that is encrypted and protected by the vTPM, and hence accessible to the KDS or an approved host, para 0103, provisioning, configuration, and attestation of the hosts, para 0105, When the host 230 receives a shielded VM 208 and makes a request 256 to the KDS 235 to retrieve the vTPM key, it includes an attestation certificate 257 to demonstrate that it complies with certain policies. For example, the attestation certificate may indicate that the host 230 is a known member of the fabric, i.e. allowing respectively attested hosts to access the shielded VMs, created from the templates, thus ‘adding’ said hosts to the cluster).
Regarding claims 2 and 15, Ferguson discloses the method of claim 1, wherein creating the cluster comprises: creating a data center; and creating the cluster in the data center (para 0046-0047 and 0089-0093).
Regarding claim 3, Ferguson discloses the method of claim 1, wherein the key provider is deployed on the host computing system or deployed external to the host computing system and accessible via a network (para 0095-0097 and 0137).
Regarding claim 7, Ferguson discloses the method of claim 1, wherein retrieving, from the blueprint, the resource information required to deploy the cluster comprises: retrieving the disk information including Universally Unique Identifiers (UUIDs), canonical names, or both associated with disks to check hardware compatibility of the first host computing system to deploy the virtual cluster manager node (para 0049 and 0120).
Regarding claim 8, Ferguson discloses the method of claim 1, wherein retrieving, from the blueprint, the resource information required to deploy the cluster comprises: retrieving the host information including a network identifier associated with the host computing system on which the virtual cluster manager node is to be deployed (para 0101 and 0138-0139).
Regarding claim 9, Ferguson discloses the method of claim 1, wherein the virtual cluster manager node comprises a virtual machine executing a management application to manage the first host computing system (para 0049, 0070-0074, and 0093-0094).
Regarding claim 10, Ferguson discloses the method of claim 1, further comprising: enabling a user to modify parameters of the blueprint used to deploy the cluster to include the encryption information associated with the key provider (para 0047-0048 and 0095-0097).
Regarding claim 11, Ferguson discloses the method of claim 1, further comprising: prior to encrypting the virtual cluster manager node and associated disks, validating the encryption information associated with the key provider retrieved from the blueprint (para 0098-0100).
Regarding claim 12, Ferguson discloses the method of claim 1, wherein retrieving the resource information comprises: retrieving, from the blueprint, resource information required to deploy a second host computing system (para 0049-0050 and 0095-0099).
Regarding claim 13, Ferguson discloses the method of claim 12, further comprising: adding the second host computing system to the cluster based on the resource information associated with the second host computing system (para 0049-0050 and 0095-0099).
Claims 1-4, 6-16, and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Xie et al. (US Patent Application Publication No. 2022/0407685 A1) listed in IDS dated 04/16/2025 hereinafter Xie.
Regarding claims 1, 14, and 19, Xie discloses a method/node/medium comprising: a processor (claim 19, a system comprising one or more processors); and
a memory coupled to the processor, wherein the memory comprises a cluster deployment unit (claim 19, a non-transitory computer readable medium comprising instructions that, when executed by the one or more processors, cause the system to perform a method for encryption in a distributed datastore):
retrieving, from a blueprint, resource information required to deploy a cluster comprising a first host computing system/plurality of cluster nodes and a virtual cluster manager node to manage the first host computing system/plurality of cluster nodes, wherein the resource information comprises host information and disk information required to deploy the virtual cluster manager node, and encryption information associated with a key provider (para 0027, A virtual disk object may itself be a hierarchical, “composite” object that is further composed of “component” objects (again separately backed by object store 116) that reflect the storage requirements (e.g., capacity, availability, IOPs, etc.) of a corresponding storage profile or policy generated by the administrator when initially creating the virtual disk, para 0030, A composite object may store metadata describing a storage organization or configuration for the virtual disk (sometimes referred to herein as a virtual disk “blueprint”), wherein the composite object is a blueprint as defined, para 0025, each host 111 includes a virtualization layer or hypervisor 113, a VSAN module 114, and hardware 119 (which includes the SSDs and MDs of a host 111). Through hypervisor 113, a host 111 is able to launch and run multiple VMs 112. Hypervisor 113, in part, manages hardware 119 to properly allocate computing resources (e.g., processing power, random access memory (RAM), etc.) for each VM 112. Furthermore, as described below, each hypervisor 113, through its corresponding VSAN module 114, may provide access to storage resources located in hardware 119 (e.g., SSDs and magnetic disks) for use as storage for storage objects, such as virtual disks (or portions thereof) and other related files that may be accessed by any VM 112 residing in any of hosts 111 in host cluster 110, i.e. deploying the virtualization layer or hypervisor – the virtual cluster manager node, to manage a cluster of hosts, i.e. cluster nodes);
based on the host information and the disk information, creating a clustered datastore on the first host computing system (para 0025, A virtualization management platform 105 is associated with host cluster 110 of hosts 111. Virtualization management platform 105 enables an administrator to manage the configuration and spawning of VMs 112 on hosts 111. As depicted in the embodiment of FIG. 1, each host 111 includes a virtualization layer or hypervisor 113, a VSAN module 114, and hardware 119 (which includes the SSDs and MDs of a host 111), i.e. creating the clustered datastore on a respective host);
deploying the virtual cluster manager node on the clustered datastore (para 0025, spawning of VMs 112 on hosts 111…. each host 111 includes a virtualization layer or hypervisor 113, a VSAN module 114, and hardware 119 (which includes the SSDs and MDs of a host 111). Through hypervisor 113, a host 111 is able to launch and run multiple VMs 112. Hypervisor 113, in part, manages hardware 119 to properly allocate computing resources (e.g., processing power, random access memory (RAM), etc.) for each VM 112. Furthermore, as described below, each hypervisor 113, through its corresponding VSAN module 114, may provide access to storage resources located in hardware 119 (e.g., SSDs and magnetic disks) for use as storage for storage objects, such as virtual disks (or portions thereof) and other related files that may be accessed by any VM 112 residing in any of hosts 111 in host cluster 110, i.e. deploying the virtualization layer or hypervisor – the virtual cluster manager node);
based on the encryption information associated with the key provider, encrypting the virtual cluster manager node and associated disks (para 0033, encryption is enabled in VSAN 115 thereby providing native hyper-converged infrastructure encryption. More specifically, encryption capability may be built into hypervisors 113 and enabled at the host cluster level such that all objects residing in object store 116 of VSAN 115 are encrypted, para 0034, for VSAN encryption, virtualization management platform 105 requests KMS 135 to generate a KEK, and para 0035, the VSAN encryption is a two-level encryption using the KEK generated by KMS 135 to encrypt a KEK. The DEK is a randomly generated key used to encrypt data on each disk); and
upon encrypting the virtual cluster manager node, creating the cluster and adding the host computing system to the cluster (para 0028, VSAN module 114 may also include a cluster module 140, such as a cluster monitoring, membership, and directory services (CMMDS) module, that maintains the previously discussed in-memory metadata database to provide information on the state of host cluster 110 to other modules of VSAN module 114 and also tracks the general “health” of cluster host 110 by monitoring the status, accessibility, and visibility of each host 111 in host cluster 110, i.e. managing the hosts in the cluster, including adding and removing hosts).
Regarding claims 2 and 15, Xie discloses the method of claim 1, wherein creating the cluster comprises: creating a data center; and creating the cluster in the data center (para 0019 and 0021).
Regarding claim 3, Xie discloses the method of claim 1, wherein the key provider is deployed on the host computing system or deployed external to the host computing system and accessible via a network (para 0034-0035).
Regarding claims 4, 16, and 20, Xie discloses the method of claim 1 wherein encrypting the virtual cluster manager node and associated disks comprises: encrypting the virtual cluster manager node and associated disks using a data encryption key (DEK) generated at the host computing system; and based on the encryption information provided in the blueprint, encrypting the DEK using a key encryption key (KEK) provided by the key provider (para 0006 and 0017).
Regarding claims 6 and 18, Xie discloses the method of claim 1 wherein encrypting the virtual cluster manager node and associated disks comprises: encrypting the virtual cluster manager node and associated disks using a data encryption key (DEK) generated at the host computing system; based on the encryption information provided in the blueprint, configuring or utilizing the key provider on the host computing system; and based on the key provider, encrypting the DEK using a key encryption key (KEK) provided by the key provider (para 0006, 0017, 0019-0020 and 0039-0041).
Regarding claim 7, Xie discloses the method of claim 1, wherein retrieving, from the blueprint, the resource information required to deploy the cluster comprises: retrieving the disk information including Universally Unique Identifiers (UUIDs), canonical names, or both associated with disks to check hardware compatibility of the first host computing system to deploy the virtual cluster manager node (para 0039).
Regarding claim 8, Ferguson discloses the method of claim 1, wherein retrieving, from the blueprint, the resource information required to deploy the cluster comprises: retrieving the host information including a network identifier associated with the host computing system on which the virtual cluster manager node is to be deployed (para 0039).
Regarding claim 9, Xie discloses the method of claim 1, wherein the virtual cluster manager node comprises a virtual machine executing a management application to manage the first host computing system (para 0021).
Regarding claim 10, Xie discloses the method of claim 1, further comprising: enabling a user to modify parameters of the blueprint used to deploy the cluster to include the encryption information associated with the key provider (para 0066).
Regarding claim 11, Xie discloses the method of claim 1, further comprising: prior to encrypting the virtual cluster manager node and associated disks, validating the encryption information associated with the key provider retrieved from the blueprint (para 0030).
Regarding claim 12, Xie discloses the method of claim 1, wherein retrieving the resource information comprises: retrieving, from the blueprint, resource information required to deploy a second host computing system (para 0030, 0037 and 0066).
Regarding claim 13, Ferguson discloses the method of claim 12, further comprising: adding the second host computing system to the cluster based on the resource information associated with the second host computing system (para 0030, 0037 and 0066).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 4, 6, 16, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson as applied to claims 1, 14, and 19 above, and further in view of Xie et al. (US Patent Application Publication No. 2022/0407685 A1) listed in IDS dated 04/16/2025 hereinafter Xie.
Regarding claims 4, 16, and 20, Ferguson discloses the method of claim 1 above, but does not explicitly disclose, however, Xie discloses wherein encrypting the virtual cluster manager node and associated disks comprises: encrypting the virtual cluster manager node and associated disks using a data encryption key (DEK) generated at the host computing system; and based on the encryption information provided in the blueprint, encrypting the DEK using a key encryption key (KEK) provided by the key provider (para 0006 and 0017). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Ferguson to include encrypting the virtual cluster manager node and associated disks using a data encryption key (DEK) generated at the host computing system; and based on the encryption information provided in the blueprint, encrypting the DEK using a key encryption key (KEK) provided by the key provider as taught by Xie in order to meet compliance requirements for security (Xie, para 0006).
Regarding claims 6 and 18, Ferguson discloses the method of claim 1 above, but does not explicitly disclose, however, Xie discloses wherein encrypting the virtual cluster manager node and associated disks comprises: encrypting the virtual cluster manager node and associated disks using a data encryption key (DEK) generated at the host computing system; based on the encryption information provided in the blueprint, configuring or utilizing the key provider on the host computing system; and based on the key provider, encrypting the DEK using a key encryption key (KEK) provided by the key provider (para 0006, 0017, 0019-0020 and 0039-0041). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Ferguson to include, in encrypting the virtual cluster manager node and associated disks: encrypting the virtual cluster manager node and associated disks using a data encryption key (DEK) generated at the host computing system; based on the encryption information provided in the blueprint, configuring or utilizing the key provider on the host computing system; and based on the key provider, encrypting the DEK using a key encryption key (KEK) provided by the key provider as taught by Xie in order to meet compliance requirements for security (Xie, para 0006).
Allowable Subject Matter
Claims 5 and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-892).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BAOTRAN N TO whose telephone number is (571)272-8156. The examiner can normally be reached M-F: 7-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached at 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BAOTRAN N TO/Primary Examiner, Art Unit 2435