Prosecution Insights
Last updated: April 19, 2026
Application No. 18/942,213

Information Technology (IT) System and Method with Automated Encryption Management

Non-Final OA §102
Filed: Nov 08, 2024
Examiner: MEHEDI, MORSHED
Art Unit: 2408
Tech Center: 2400 — Computer Networks
Assignee: Net-Thunder LLC
OA Round: 1 (Non-Final)
Grant Probability: 86% (Favorable)
OA Rounds: 1-2
To Grant: 2y 9m
With Interview: 85%

Examiner Intelligence

Grants 86% — above average
Career Allow Rate: 86% (724 granted / 844 resolved, +27.8% vs TC avg)
Interview Lift: +-0.4% (Minimal -0% lift; resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 9m (16 currently pending)
Career history
Total Applications: 860, across all art units

Statute-Specific Performance

§101: 17.6% (-22.4% vs TC avg)
§103: 45.2% (+5.2% vs TC avg)
§102: 11.7% (-28.3% vs TC avg)
§112: 12.7% (-27.3% vs TC avg)
Based on career data from 844 resolved cases

Office Action

§102
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION

Claims 1-18 are presented for examination.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 01/17/2025 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.

Drawings

The drawings filed on 11/08/2024 are accepted by the examiner.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

1. Claims 1-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Basmov et al. (US Publication No. 2015/0033039, hereinafter “Basmov”).

Regarding claim 1, Basmov does disclose, an automated information technology (IT) computer system comprising: a controller; a system state; and a plurality of system rules (Basmov, (para.
[0023]), policy module 106 can obtain one or more policies to implement in various manners, such as being pre-configured with one or more policies, receiving a user input (e.g., from an administrative user) of one or more policies, receiving one or more policies from a remote server or service, and so forth); wherein the controller is configured to access and use the system rules and the system state to provide automated management of the IT computer system; wherein the controller is further configured to add a compute resource and a storage resource to the IT computer system using the system rules and the system state (Basmov, (para. [0021]), module 102 can be authorized to allow data to be encrypted and/or decrypted only after detecting that computing device 100 is in a particular state (e.g., conforms to a particular policy). By way of yet another example, module 102 can be authorized to allow data to be encrypted and/or decrypted only after obtaining particular encryption and/or decryption keys stored in or by computing device 100); wherein the automated management comprises automated encryption management, wherein the automated encryption management includes control over encryption of a volume of storage of the storage resource (Basmov, (para. [0056]), in response to activating a policy on computing device 100 indicating that data stored on storage volume 110 after activation of the policy be encrypted, policy module 106 begins the process of encrypting the unencrypted data in sectors of storage volume 110. Which sectors have unencrypted data can be readily identified (e.g., based on sector map 108, based on a bitmap corresponding to storage volume 110 as discussed above, etc.). This can be performed, for example, by requesting that the unencrypted data from a sector be read and then written back to the sector. As the request to write the data back to the sector is received after the policy is activated, the data written back is encrypted. 
When no unencrypted data remains on storage volume 110, use of sector map 108 can cease--sector map 108 can be deleted and/or ignored because the data that was written to storage volume 110 before sector map 108 was locked has been re-written as encrypted data); wherein the system rules comprise encryption rules; and wherein the controller is further configured run commands using the encryption rules that provide encryption, decryption, [and/or enablement of plaintext viewing of the storage volume of the storage resource] (Basmov, (para. [0068]), after the policy (indicating that data stored on storage volume 110 after activation of the policy be encrypted) is activated, when data is requested to be written to a sector of storage volume 110, encrypted chunks map 402 is checked (e.g., by read/write control module 104 or policy module 106) to determine whether the chunk including the sector being written to is unencrypted (e.g., the bit corresponding to the chunk including the sector is not set). If the chunk is not unencrypted (the sectors in the chunk have already been encrypted or are not in use), then read/write control module 104 invokes encryption/decryption control module 102 to encrypt the content of the sector, and writes the encrypted content of the sector to storage volume 110).

Regarding claim 2, Basmov further discloses the system of claim 1 wherein the controller is further configured to set up the storage resource to store encrypted data (Basmov, (para. [0045]), encrypting data stored on storage volume 110 after activation of the policy); wherein the control over encryption includes the control over encryption of the volume of storage at set up of the storage volume; wherein the encryption of the volume of storage comprises operations that encrypt the volume of storage and update the system state with encryption information of the volume of storage (Basmov, (para.
[0064]), in response to activation of a policy on computing device 400 indicating that data stored on storage volume 110 after activation of the policy be encrypted, read/write control module 104 invokes encryption/decryption control module 102 to have data written to storage volume 110 encrypted).

Regarding claim 3, Basmov further discloses the system of claim 1 wherein the control over encryption of the volume of storage includes operations that control enablement of viewing of plaintext of the volume of storage (Basmov, (para. [0075]), …by requesting that the unencrypted data from sectors in a chunk be read…; (para. [0022]), where this reading and writing includes reading and writing of encrypted data (also referred to as ciphertext) as well as unencrypted data (also referred to as plaintext)).

Regarding claim 4, Basmov further discloses the system of claim 3 wherein the operations that control enablement of viewing of the plaintext of the volume of storage comprise the controller configured to (1) use the system rules to automatically provide commands that couple the compute resource to the storage resource (Basmov, (para. [0016]), an encrypted chunks map for a storage volume used by a computing device can be generated, the encrypted chunks map identifying chunks of sectors of the storage volume. For each chunk of sectors of the storage volume, the encrypted chunks map indicates whether the sectors in the chunk are encrypted (or not in use) or are unencrypted. After activation of a policy for the computing device indicating that content written by the computing device to the storage volume after activation of the policy is encrypted, data written to the storage volume is encrypted. If data is written to a chunk that is unencrypted (as determined by the encrypted chunks map), then the sectors in the chunk are encrypted, the data is encrypted and written to the sector, and the encrypted chunks map is updated to indicate that the chunk is encrypted.
Whether data read from the storage volume is decrypted is determined based on whether the sector from which the data is read is unencrypted (as determined by the encrypted chunks map) and (2) using the encryption rules to enable viewing by the compute resource of the plaintext of the volume of storage (Basmov, (para. [0091]), if the signature of the content of the sector does not match the signature for that sector as identified in the sector map in act 608, or if the sector is not identified in the sector map in act 606, then the content of the sector is decrypted (act 612), and the decrypted content is returned (act 614). The content is returned to a requester from which the request to read the content was received).

Regarding claim 5, Basmov further discloses the system of claim 4 wherein the controller is configured to automatically provide decryption keys and/or decryption instructions to the compute resource (Basmov, (para. [0021]), … … module 102 can be authorized to allow data to be encrypted and/or decrypted only after detecting that computing device 100 is in a particular state (e.g., conforms to a particular policy). By way of yet another example, module 102 can be authorized to allow data to be encrypted and/or decrypted only after obtaining particular encryption and/or decryption keys stored in or by computing device 100).

Regarding claim 6, Basmov further discloses the system of claim 4 wherein the controller is further configured to update the system state with an enabled status of the volume of data (Basmov, (para. [0033]), sector map 200 includes identifiers and corresponding signatures of sectors that were written to prior to sector map 200 being locked.
…, sector map 200 can include identifiers of multiple sectors that were not written to prior to sector map 200 being locked, and also include one or more indications of which identified sectors were written to prior to sector map 200 being locked (e.g., flag values, include signatures for only those sectors that were written to prior to sector map 200 being locked, etc.).

Regarding claim 7, Basmov further discloses the system of claim 1 wherein the control over encryption of the volume of storage comprises operations that control decryption of the volume of storage (Basmov, (para. [0038]), sector map 108 includes identifiers and corresponding signatures of sectors that were written to prior to sector map 108 being locked. After sector map 108 is locked, data written to storage volume 110 is encrypted by encryption/decryption control module 102. Such data can include data written to sectors of storage volume 110 not previously written to, as well as data written to sectors of storage volume 110).

Regarding claim 8, Basmov further discloses the system of claim 7 wherein the operations that control decryption of the volume of storage comprise the controller configured to (1) use the system rules to automatically provide commands that couple the compute resource to the storage resource and (2) use the encryption rules to provide the compute resource with access to the decrypted volume of storage (Basmov, (para. [0016]), an encrypted chunks map for a storage volume used by a computing device can be generated, the encrypted chunks map identifying chunks of sectors of the storage volume. For each chunk of sectors of the storage volume, the encrypted chunks map indicates whether the sectors in the chunk are encrypted (or not in use) or are unencrypted.
After activation of a policy for the computing device indicating that content written by the computing device to the storage volume after activation of the policy is encrypted, data written to the storage volume is encrypted. If data is written to a chunk that is unencrypted (as determined by the encrypted chunks map), then the sectors in the chunk are encrypted, the data is encrypted and written to the sector, and the encrypted chunks map is updated to indicate that the chunk is encrypted. Whether data read from the storage volume is decrypted is determined based on whether the sector from which the data is read is unencrypted (as determined by the encrypted chunks map).

Regarding claim 9, Basmov further discloses the system of claim 7 wherein the controller is further configured to update the system state with a decrypted status of the volume of storage (Basmov, (para. [0033]), sector map 200 includes identifiers and corresponding signatures of sectors that were written to prior to sector map 200 being locked. …, sector map 200 can include identifiers of multiple sectors that were not written to prior to sector map 200 being locked, and also include one or more indications of which identified sectors were written to prior to sector map 200 being locked (e.g., flag values, include signatures for only those sectors that were written to prior to sector map 200 being locked, etc.).

Regarding claim 10, Basmov further discloses the system of claim 7 wherein the controller is further configured to automatically provide decryption keys and/or decryption instructions to the compute resource so that plaintext does not leave the compute resource (Basmov, (para. [0021]), … … module 102 can be authorized to allow data to be encrypted and/or decrypted only after detecting that computing device 100 is in a particular state (e.g., conforms to a particular policy).
By way of yet another example, module 102 can be authorized to allow data to be encrypted and/or decrypted only after obtaining particular encryption and/or decryption keys stored in or by computing device 100).

Regarding claim 11, Basmov further discloses the system of claim 1 wherein the compute resource is configured to power an application or service that uses the storage volume of data (Basmov, (para. [0054]), when the computing device again starts operation (e.g., is powered on, reset, etc.), each group of sector map 302 that is marked as clean is copied from storage volume 300 into memory 310 as a group of sector map 312).

Regarding claim 12, Basmov further discloses the system of claim 11 wherein the controller is further configured to receive user input that causes the credential to receive a request to power on the application or service, and wherein the controller is further configured to (1) access the system state database to determine if the requested application or service is locked (Basmov, (para. [0056]), as the request to write the data back to the sector is received after the policy is activated, the data written back is encrypted. When no unencrypted data remains on storage volume 110, use of sector map 108 can cease--sector map 108 can be deleted and/or ignored because the data that was written to storage volume 110 before sector map 108 was locked has been re-written as encrypted data) and (2) generate a request for a credential for unlocking the requested application or service if the requested application or service is locked (Basmov, (para. [0057]), after unencrypted data from a sector is read and written back to the storage volume as encrypted data, the sector identifier and corresponding sector signature for that sector can be removed from sector map 108 (effectively unlocking sector map 108 for removal of the sector identifier and corresponding sector signature)).

Regarding claim 13, Basmov further discloses the system of claim 1 wherein the controller is further configured to receive user input that causes the controller to receive a credential, and wherein the controller automatically controls encryption of the volume of storage based on the credential (Basmov, (para. [0021]), module 102 can be authorized to allow data to be encrypted and/or decrypted only after a user of computing device 100 has proven that he or she possesses valid credentials to access the data. Various different credentials can be used, such as knowledge of a secret phrase (e.g., a password), a private key corresponding to a certificate, a temporal secret (e.g., a one-time password), and so forth).

Regarding claim 14, Basmov further discloses the system of claim 13 further comprising a plurality of compute resources, and wherein the controller is further configured to automatically power on the application or service by: automatically determining a selected compute resource from among the compute resources to run the application or service; automatically determining required data to run the application or service; accessing the system state to determine a location of the required data to run the application or service (Basmov, (para. [0029]), in response to activation of a policy on computing device 100 indicating data is to be encrypted, data written to storage volume 110 subsequent to activation of the policy is encrypted regardless of the application or other program writing the data to storage); enabling access to the required data by decrypting the required data or enabling viewing of plaintext of the required data (Basmov, (para. [0075]), …by requesting that the unencrypted data from sectors in a chunk be read…; (para.
[0022]), where this reading and writing includes reading and writing of encrypted data (also referred to as ciphertext) as well as unencrypted data (also referred to as plaintext)); and instructing the selected compute resource to access the decrypted required data or to view the plaintext of the required data to power on the application or service (Basmov, (para. [0028]), sector map 108 is typically stored on a storage device (e.g., storage volume 110) and copied into a memory (e.g., RAM) of computing device 100 when computing device 100 starts operation (e.g., is powered on, reset, etc.)).

Regarding claim 15, Basmov further discloses the system of claim 1 wherein the controller is further configured to update the system state with (i) a location of the storage resource within the computer system (Basmov, (para. [0052]), when data is subsequently written to a sector of the storage volume, sector map 312 is updated with the signature of the newly written content of that sector), (ii) a transport type of the storage resource (Basmov, (para. [0026]), storage volume 110 is a removable volume, such as being part of a storage device designed to be easily coupled to and decoupled from computing device 100 and transported to other computing devices), and (iii) encryption information associated with the storage resource (Basmov, (para. [0071]), read/write control module 104 invokes encryption/decryption control module 102 to encrypt the content of the sector, and writes the encrypted content of the sector to storage volume 110).

Regarding claim 16, Basmov further discloses the system of claim 15 wherein the compute resource comprises a physical computer resource, wherein the controller or the physical compute resource is configured to query the system state for the location of a storage resource, the transport type, and the encryption information of the storage resource; and wherein the controller is further configured to (1) couple the storage resource to the physical compute resource (Basmov, (para. [0038]), sector map 108 includes identifiers and corresponding signatures of sectors that were written to prior to sector map 108 being locked. After sector map 108 is locked, data written to storage volume 110 is encrypted by encryption/decryption control module 102) and (2) provide instructions on how to decrypt or enable plaintext viewing of the volume of storage based on a response to the query (Basmov, (para. [0028]), sector map 108 is typically stored on a storage device (e.g., storage volume 110) and copied into a memory (e.g., RAM) of computing device 100 when computing device 100 starts operation (e.g., is powered on, reset, etc.)).

Regarding claim 17, Basmov further discloses the system of claim 1 wherein the automated encryption management provides data-at-rest encryption capabilities (Basmov, (para. [0080]), when computing device 400 boots (e.g., due to being restarted, reset, etc.) read/write control module 104 retrieves the most recent valid version of encrypted chunks map 402 persisted on storage volume 110. Whether a particular version of encrypted chunks map 402 is valid can be determined in different manners (e.g., based on a checksum or other value stored with the encrypted chunks map 4020 on storage volume 110)).

Regarding claim 18, the substance of the claimed invention is similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US Publication No. 2019/0340136, “a storage controller coupled to a storage array comprising one or more storage devices can receive a request to write encrypted data to a volume resident on a storage array, where the encrypted data comprises data encrypted by a first encryption key that is associated with at least one property of the data. In some implementations, a property of the data may include a volume on the storage array where the data is stored, a volume range resident on the storage array, a group of blocks associated with the volume resident on the storage array, a unique identifier associated with the client (or owner of the data), a client application identifier, or any other similar information associated with the data. The storage controller determines a decryption key to decrypt the encrypted data, decrypts the encrypted data using the decryption key, and performs at least one data reduction operation (e.g., data compression, deduplication, etc.) on the decrypted data. The storage controller then encrypts the reduced data using a second encryption key to generate a second encrypted data and stores the second encrypted data on the storage array”.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MORSHED MEHEDI whose telephone number is (571) 270-7640. The examiner can normally be reached on M - F, 8:00 am to 4:00 pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from their Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (In USA or Canada) or 571-272-1000.

/MORSHED MEHEDI/
Primary Examiner, Art Unit 2408

Prosecution Timeline

Nov 08, 2024
Application Filed
Apr 03, 2026
Non-Final Rejection — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596842
DATA ANONYMIZATION FOR SERVICE SUBSCRIBER'S PRIVACY
2y 5m to grant Granted Apr 07, 2026
Patent 12587357
METHODS AND SYSTEMS FOR P-ADIC ENCODING AND DECODING OF RATIONAL DATA FOR FHE SYSTEMS
2y 5m to grant Granted Mar 24, 2026
Patent 12580896
METHOD AND SYSTEM FOR PRIVATE IDENTITY VERIFICATION
2y 5m to grant Granted Mar 17, 2026
Patent 12574238
ELECTRONIC DEVICE AND CONTROLLING METHOD FOR INCREASING AN OPERATION SPEED OF HOMOMORPHIC ENCRYPTED DATA
2y 5m to grant Granted Mar 10, 2026
Patent 12574206
BLIND ROTATION FOR USE IN FULLY HOMOMORPHIC ENCRYPTION
2y 5m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 86%
With Interview: 85% (-0.4%)
Median Time to Grant: 2y 9m
PTA Risk: Low
Based on 844 resolved cases by this examiner. Grant probability derived from career allow rate.
