Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
Applicant’s amendment filed 2/3/2022 has been entered.  Claims 20-23, 25-27, 29-33, 35-40 were amended.   The claim amendments have overcome the claim objections and 112b rejection in the Non-Final Office Action mailed 11/3/2021.  The 101 rejection of claims 39 and 40 is maintained.  Claims 20-40 are presented for examination.


Response to Arguments
Applicant's arguments filed 2/3/2022 have been fully considered but they are not persuasive. 
On page 8, Applicant argues that Suarez (2017/0180346) and Iyer (WO 2008/094839) do not teach the claim 20 limitation “an encryption key (25) of the container image (22) is usable in the random access memory of the client machine (3), inaccessible in a mass storage of the client machine (3), and inaccessible on the server machine (4).”  Examiner respectfully disagrees.
Suarez is cited to teach storage of container images with encryption.  Iyer is cited to teach the encryption/decryption key handling to satisfy the encryption key location requirements of the claim.  
The Applicant argues that “the encryption key of this container image is only used in the random access memory of the client machine.”  The claim does not recite “only used in.”  The amended claim recites “wherein a encryption key (25) of the container image (22) is usable in the random access memory of the client machine (3), inaccessible in a mass storage of the client machine (3), and inaccessible on the server machine (4).”  The claim restricts the encryption key to be “usable in random 1 key is a memory device which stores the encryption key.  As a memory device, the instructions that use the encryption key are not executed by a processor in the hardware key, and therefore must be executed on the client (host) processor.  The host processor has to read the hardware key device in order to use the key.  During execution, the operations and the data that use the key will be in random access memory.  Thus, Applicant’s argument that Iyer’s encryption key resides in the hardware key and never leaves it to enter the system is not persuasive.  Applicant argues that Iyer’s encryption module on the hardware key differs from the claim, but the claims place no limitation on where the encryption key is “permanently and safely” stored, only that the key is in RAM, which can be volatile.
On page 9, Applicant argues the claim 22 (under heading Claim 20) limitation “the encoded encryption key and the decoding password are found together only in the random access memory of the client machine in order to encrypt the container image”.  Iyer teaches prompting for the password, so the input is read by the host processor, making it available in random access memory.  Again, Applicant’s arguments are directed to a different one of Iyer’s embodiments, in which an encryption module exists.  Applicant’s reference to Iyer [0064] is off point, since Iyer [0064] is an example embodiment with an encryption module.
Thus, the § 103 rejection over Suarez and Iyer is maintained.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 39 and 40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because, as an apparatus claim, the network of nodes does not recite structure and could be software per se.  A node could be a virtual machine or merely a port on a computer.  The amended limitation “comprising a plurality of client machines, the network of nodes” does not ameliorate the missing structure (apparatus/machine) in the claim.  Client machines can be virtual machines.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 20-24, 37 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez (2017/0180346) in view of Iyer (WO 2008/094839).

Regarding claim 20, Suarez teaches
method for the secure storage, in a network (1), of a container image (22) in a container registry (20), comprising: (Suarez, [0032] As illustrated in FIG. 2, the environment 200 may include a container registry 202 comprising a container registry front-end service 214, a registry metadata service 222, and a storage service. [0038] Each of the service interfaces may also provide secured and/or protected access to each other via encryption keys and/or other such secured and/or protected access methods, thereby enabling secure and/or protected access between them.)
sending (11) a container image (22), the container image (22) corresponding to an initial state of a client machine environment which can subsequently be used to execute the container, (Suarez, [0026] In some examples, a "container image" may refer to metadata and one or more computer files corresponding to contents and/or structure of one or more software applications configured to execute in a software container.) from a client machine (3) of the network (1) to a container registry (20) of a server machine (4) of the network (1) that is remote from the client machine (3);  (Suarez, [0069] For example, the customer may encrypt a container image and upload the container image through the container registry front-end service,)
encrypting (23) the container image (20), carried out in a random access memory of the client machine (3) before the sending step (11) to the server machine (4), so that the container image (22) is already encrypted when received by the container registry (20) for storage therein, (Suarez, [0069] For example, the customer may encrypt a container image and upload the container image through the container registry front-end service,)
wherein a encryption key (25) of the container image (22) (Suarez, [0069] In some embodiments, a key management service, such as the key management service 220 of FIG. 2 can issue a key (such as a public key of a public-private key pair) to the customer so that the customer can perform client-side encryption of container images, [0069] For example, the 
Suarez teaches an embodiment where the server does not have the key (Suarez, [0064] However, if the customer has directed that the container images be encrypted in the repository and the scanning mechanism 554 does not have access to a key to decrypt the container images.)
Suarez does not teach the encryption key (25) … is …  inaccessible in a mass storage of the client machine (3), and inaccessible on the server machine (4).
However Iyer teaches the encryption key (25) … is usable in the random access memory of the client machine (3), inaccessible in a mass storage of the client machine (3), and inaccessible on the server machine (4) (Iyer, [0045] Therefore, the encryption key residing on the hardware key is not stored on the system itself.  In one embodiment, the encryption key on the hardware key is accessible when the predetermined password is supplied and the hardware key having stored on it the encryption key is coupled to the host system and the storage device to be read.)  (EN: an encryption/decryption algorithm when executing will use RAM)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Iyer’s hardware key with Suarez’s key management because doing so improves data security by separating the key from the data (Iyer, [0004] Additionally, the location where the encryption key that encrypts data on the storage device is stored affects the security of encrypted storage device. If the encryption key is stored on a storage device in the host system, the security of the encryption key may be compromised when the host system is lost or stolen.)

Regarding claim 21, Suarez and Iyer teach
method for secure storage according to claim 20, wherein:
the sending step (11) is carried out on an input node of the client machine (3) of the network (1), (Suarez, [0026] The customer 166 may upload the container image 152 to a container registry 102 through a container registry front-end service 114.  … The customer 166 may be a customer of a computing resource service provider that is hosting container instances for the customer 166.)
the encryption step (23) is carried out on the input node, (Suarez, [0069] For example, the customer may encrypt a container image and upload the container image through the container registry front-end service,)
the execution of the container is carried out on a compute node (5, 6) of the client machine (3) of the network (1), and (Suarez, [0039] In some embodiments, the container engine 208 and/or the instance service interface 212 are executed on a local computer system by the customer, rather than within the container instance 204.)
the compute node (5, 6) is distinct from the input node (Suarez, [0026] As another example, the customer 166 may be a software vendor and wish to upload the container image to a publicly-accessible repository in order to make it accessible to other users for download and/or purchase.)

Regarding claim 22, Suarez and Iyer teach
method for secure storage according to claim 20, wherein:
the encryption key (25) is introduced in encoded form on the client machine (3), (Iyer, [0045] Therefore, the encryption key residing on the hardware key is not stored on the system itself.  In one embodiment, the encryption key on the hardware key is accessible when the predetermined password is supplied and the hardware key having stored on it the encryption key is coupled to the host system and the storage device to be read.)
the encryption key (25) is accompanied by a decoding password (21) enabling it to be decoded, and (Iyer, [0039] The initial setup process enables the user to set up one or more passwords to access (e.g., encrypt, decipher, delete, backup, etc.) data on the storage device.)
the encoded encryption key (25) and the decoding password (21) are found together only in the random access memory of the client machine (3) (Iyer, [0045] Therefore, the encryption key residing on the hardware key is not stored on the system itself.  In one embodiment, the encryption key on the hardware key is accessible when the predetermined password is supplied and the hardware key having stored on it the encryption key is coupled to the host system and the storage device to be read.) in order to encrypt the container image (22) (Suarez, [0069] For example, the customer may encrypt a container image and upload the container image through the container registry front-end service,)
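To make the claim 20 and claim 22 limitations discussed above concrete (the image key usable only in the client’s RAM, never on its mass storage or on the server; the encoded key and the decoding password meeting only in RAM), the following is an added example written for this page; it is not code from the application, from Suarez, Iyer, or the Office. It assumes PBKDF2-HMAC-SHA256 for the password-derived key-encryption key and AES-GCM for both the key wrapping and the image encryption; the function names, salt, password and image bytes are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// kdfIterations is an assumed PBKDF2 work factor; tune it for the client machine.
const kdfIterations = 100000

// pbkdf2SHA256 derives a key-encryption key (KEK) from the decoding password (21).
// PBKDF2-HMAC-SHA256 is written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T_block = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// zero overwrites key material in place so it does not outlive its single use in RAM.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; output is nonce || ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the blob was tampered with.
func open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, io.ErrUnexpectedEOF
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// EncodeKey produces the encoded form of the image key (25): the raw key wrapped
// under a KEK derived from the password. Only this wrapped form may be kept on disk.
func EncodeKey(imageKey, password, salt []byte) ([]byte, error) {
	kek := pbkdf2SHA256(password, salt, kdfIterations, 32)
	defer zero(kek)
	return seal(kek, imageKey)
}

// EncryptImageForUpload is the client-side encryption step (23): the encoded key and
// the decoding password meet only here, in RAM; the decoded key is used once and wiped
// before the ciphertext goes to the sending step (11). The registry never sees the key.
func EncryptImageForUpload(encodedKey, password, salt, image []byte) ([]byte, error) {
	kek := pbkdf2SHA256(password, salt, kdfIterations, 32)
	defer zero(kek)
	imageKey, err := open(kek, encodedKey)
	if err != nil {
		return nil, err
	}
	defer zero(imageKey)
	return seal(imageKey, image)
}
```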

Regarding claim 23, Suarez and Iyer teach
method for secure storage according to claim 20, wherein the encryption step (23) is first preceded by a step of creating a container image (22) on the client machine (3) (Suarez, [0036] A container image may be stored as a container image layer. Each time the container image is updated, a new container image layer may be created. [0069] For example, the customer may encrypt a container image and upload the container image through the container registry front-end service,)

Regarding claim 24, Suarez and Iyer teach
method for secure storage according to claim 20, wherein the encryption key (25) is a symmetric key (Iyer, [0040] Through supplying the predetermined password, the encryption key used to encrypt data on the secured storage device can be accessed to decipher the encrypted data.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Iyer’s symmetric key with the encryption/decryption method because symmetric keys are processed faster.

Regarding claim 37, Suarez and Iyer teach
method for secure storage according to claim 20, wherein:
the container registry (20) comprises at least: 
a function for adding a container image (22) to the registry (20), 
a function for deleting a container image (22) from the registry (20), (Suarez, [0119] In 1502, the system performing the process 1500 may receive a request from a client (e.g., a client device) to access (e.g., download from, upload to, delete from, list images stored in, search the contents of, etc.) a repository assigned to a customer of a computing resource service provider.) (EN: upload is adding)
a function for sharing a container image (22) stored in the registry (20), between several client machines (3) of the network (1) that are distinct from one another; and (Suarez, [0026] As another example, the customer 166 may be a software vendor and wish to upload the container image to a publicly-accessible repository in order to make it accessible to other users for download and/or purchase. [0092] FIG. 10 illustrates an example 1000 of an embodiment of the present disclosure. In embodiments of the present disclosure, container registries can be physically located on servers in different geographic regions in order to provide faster uploading and downloading of container images. [0094] For example, if the customer 1066B has 1,000 container instances running a first version of the container image 1052 on servers in the second geographical region 1082B,)
a function for downloading (12) a container image (22) stored in the registry (20), to a client machine (3) of the network (1) (Suarez, [0119] download from).

Regarding claim 39, Suarez and Iyer teach
network of nodes comprising a plurality of client machines, the network of nodes comprising a container registry (20), using a secure storage method according to claim 20 (Suarez, [0029] The container registry 102 may be a comprised of one or more repositories configured to store files and/or directories corresponding to container images, such as the container image 152, and metadata for the files and/or directories. Individual repositories 188 may be assigned to customers of the computing resource service provider. Customers may have one or more repositories 188 as needed. For example, a customer may have a private repository to which the customer uploads container images under development, but not yet ready for release, and a public repository to upload container images that may be purchased and/or downloaded for installation by various users or other customers of the computing resource service provider. The repositories may be individual databases or may be stored in one or more data stores of a data storage service of the computing resource service provider. Each repository may have various associated roles and policies specifying access types and restricting access to the repository to entities authorized by the customer to access the repository.  [0064] However, if the customer has directed that the container images be encrypted in the repository and the scanning mechanism 554 does not have access to a key to decrypt the container images, [0092] FIG. 10 illustrates an example 1000 of an embodiment of the present disclosure. In embodiments of the present disclosure, container registries can be physically located on servers in different geographic regions)

Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Suarez (2017/0180346) in view of Iyer (WO 2008/094839) in view of Allen (2014/0115328).

Regarding claim 25, Suarez and Iyer teach
method for secure storage according to claim 20, wherein the step of encrypting (23) the container image (22) (Suarez, [0064] However, if the customer has directed that the container images be encrypted in the repository and the scanning mechanism 554 does not have access to a key to decrypt the container images.)
Suarez does not teach by the user (2) of the client machine (3).
However Allen teaches the step of encrypting (23) … is carried out just before the step of sending (11) the … image (22), between the request to send the … image (22) made by a user (2) of the client machine (3) and the actual sending (11) of the encrypted … image (22) to the server machine (4) (Allen, [0018] For example, when a software agent (or a user interacting with an encryption tool) encrypts a target file, an encryption engine may encrypt the application file using a variety of algorithms. [0029] As shown, client system 105, 115 and hosted storage service 110 are each connected to a network 120 (e.g., the internet). In this example, assume the user uploads the format-friendly encrypted document 125.sub.1 to the hosted storage service 110 (e.g., the Dropbox.RTM. file sharing service or other public or enterprise-private hosting service). [0040] In such a case, the encryption agent could encrypt all documents that exit an enterprise boundary before being uploaded to a public hosting service (e.g., the Dropbox.RTM. service).)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Allen’s user friendly format with Suarez-Iyer’s container registry service because doing so improves file protection with encryption/decryption when it is available for more than one user (Allen, [0006] In such a case, when a user shares an application file 

Claims 30-34, 38 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez (2017/0180346) in view of Iyer (WO 2008/094839) in view of Allen (2014/0115328).

Regarding the secure retrieval claims 30-36, 38 and 40, Suarez teaches the same techniques whether the container image is uploaded or downloaded (Suarez [0091] Note that a similar process would follow if the software developer 966 took action to download a container image from the container registry 990 as well or instead.)  Iyer [0040] teaches encryption and decryption with a symmetric key (the same key).  A person having ordinary skill in the art would understand from Suarez’s disclosure that when the inverse process occurs, that is, when a secure container image is downloaded, client-side decryption will occur to make the container image usable.

Regarding claim 30, Suarez teaches
method for the secure retrieval, in a network (1), of a container image (22) stored in a container registry (20), comprising:
downloading (12) a container image (22) to a client machine (3) of the network (1),  (Suarez, [0035] Upon a request to retrieve/download a container image, the container registry front-end service 214 may query the registry metadata service 222 to obtain a list of storage locations for the container image,) the container image (22) corresponding to an initial state of a client machine environment which can subsequently be used to execute the container, (Suarez, [0026] In some examples, a "container image" may refer to metadata and one or more computer files corresponding to contents and/or structure of one or more software applications configured to execute in a software container.) the image being stored in encrypted form (Suarez, [0059] the actual container image itself may be encrypted in the repository) in a container registry (20) of a server machine (4) of the network (1) that is remote from the client machine (3), (Suarez, [0026] As another example, the customer 166 may be a software vendor and wish to upload the container image to a publicly-accessible repository in order to make it accessible to other users for download and/or purchase)
decrypting the container image (22), (Suarez, [0077] For example, the container image 752 may be downloaded and installed to the one or more container instances 718 of the customer 770 without charge by the software vendor 766. [0091] Note that a similar process would follow if the software developer 966 took action to download a container image from the container registry 990 as well or instead.)
Suarez does not explicitly teach the client side decryption however Allen teaches decrypting the … (file) carried out in a random access memory of the client machine (3), after the step of downloading (12) from the server machine (4), so that the (file) is still encrypted when received by the client machine (3), (Allen [0030] When the user downloads format-friendly encrypted document 125.sub.2 from hosted storage service 110, a copy (format-friendly encrypted document 125.sub.3) is stored on client system 115. …. For example, the instructions could provide links to the software needed to decrypt format-friendly encrypted document 125.sub.3, i.e., encryption agent 136, as well as 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Allen’s user friendly format with Suarez-Iyer’s container registry service because doing so improves file protection with encryption/decryption when it is available for more than one user (Allen, [0006] In such a case, when a user shares an application file with a cloud-storage provider, a user accessing that document may end up accessing an encrypted file within no means to decrypt it and attempting to view the file using an application that does not understand the encrypted content. More generally, using encryption tools often creates friction in business processes within an enterprise, as once a user (or proxy acting on behalf of a user) encrypts data, it is no longer usable by the software that created and/or maintains that data. This produces unfriendly results for users who try to access the file later, either forgetting to decrypt it first or not having the software on hand to decrypt it.)
wherein
Suarez does not teach a decryption key (25) … is …  inaccessible in a mass storage of the client machine (3), and inaccessible on the server machine (4).
However Iyer teaches a decryption key (25) of the container image (22) is usable in the random access memory of the client machine (3), inaccessible in a mass storage of the client machine (3), and inaccessible on the server machine (4) (Iyer, [0043] Additionally, the hardware key 110 can be any type of storage and/or memory device able to carry out encryption and decryption processes and store the required software code. [0045] Therefore, the encryption key residing on the hardware key is not stored on the system itself.  In one embodiment, the encryption key on the hardware key is accessible when the predetermined password is supplied and the hardware key having stored on it the encryption key is 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Iyer’s hardware key with Suarez’s key management because doing so improves data security by separating the key from the data (Iyer, [0004] Additionally, the location where the encryption key that encrypts data on the storage device is stored affects the security of encrypted storage device. If the encryption key is stored on a storage device in the host system, the security of the encryption key may be compromised when the host system is lost or stolen.)

Regarding claim 31, Suarez, Iyer and Allen teach
method for secure retrieval according to claim 30, wherein: 
the downloading step (12) is carried out on a compute node (5, 6) of the client machine (3) of the network (1), (Suarez, [0077] For example, the container image 752 may be downloaded [0026] As another example, the customer 166 may be a software vendor and wish to upload the container image to a publicly-accessible repository in order to make it accessible to other users for download and/or purchase.)
the decryption step is carried out on the compute node (5, 6),
the execution of the container by using the decrypted container image (22) is carried out on the compute node (5, 6), (Suarez, [0068] In the third scenario, a container image 552C is stored in the repository in encrypted form. However, if the container image 552C is decrypted (such as by an entity authorized by the customer to extract and launch the container image)
the decryption key (25) is sent from an input node of the client machine (3) of the network (1) to the compute node (5, 6), 
the compute node (5, 6) is distinct from the input node, and (Allen, [0030] For example, the instructions could provide links to the software needed to decrypt format-friendly 
the decryption key (25) is usable one time only in the random access memory of the compute node (5, 6) in order to carry out the decryption of the container image (22) to be decrypted in order to subsequently launch the execution of the container, but remains inaccessible via the mass storage of the compute node (5, 6) (Iyer, [0043] Additionally, the hardware key 110 can be any type of storage and/or memory device able to carry out encryption and decryption processes and store the required software code.) (EN: an encryption/decryption algorithm when executing will use RAM. RAM is not used for permanent storage, it is volatile)

Regarding claim 32, Suarez, Allen and Iyer teach
method for secure retrieval according to claim 30, wherein:
the decryption key (25) is introduced in encoded form on the client machine (3), (Iyer, [0046] In one embodiment, the hardware key further comprises a unit to use the encryption key to decipher the encrypted data from the storage device)
the decryption key (25) is accompanied by a decoding password (21) enabling it to be decoded, and (Iyer, [0039] The initial setup process enables the user to set up one or more passwords to access (e.g., encrypt, decipher, delete, backup, etc.) data on the storage device.)
the encoded decryption key (25) and the decoding password (21) are found together only in the random access memory of the client machine (3) in order to decrypt the encrypted container image (22) (Iyer, [0043] Additionally, the hardware key 110 can be any type of storage and/or memory device able to carry out encryption and decryption processes and store the required software code.)

Regarding claim 33, Suarez, Allen and Iyer teach
method for secure retrieval according to claim 32, wherein: 
the decryption key (25) is introduced in encoded form on the input node, 
the decryption key (25) is accompanied by a decoding password (21) enabling it to be decoded, and (Iyer, [0039] The initial setup process enables the user to set up one or more passwords to access (e.g., encrypt, decipher, delete, backup, etc.) data on the storage device.)
the encoded decryption key (25) and the decoding password (21) are sent separately from the input node to the compute node (5, 6) and are found together only in the random access memory of the compute node (5, 6) in order to decrypt the encrypted container image (22) (Iyer, [0045] Therefore, the encryption key residing on the hardware key is not stored on the system itself.  In one embodiment, the encryption key on the hardware key is accessible when the predetermined password is supplied and the hardware key having stored on it the encryption key is coupled to the host system and the storage device to be read.)

Regarding claim 34, Suarez, Allen and Iyer teach
method for secure retrieval according to claim 30, wherein the decryption key (25) is a symmetric key (Iyer, [0040] Through supplying the predetermined password, the encryption key used to encrypt data on the secured storage device can be accessed to decipher the encrypted data.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Iyer’s symmetric key with the encryption/decryption method because symmetric keys are processed faster.

Regarding claim 38, Suarez, Allen and Iyer teach
method for secure retrieval according to claim 30, wherein: 
the container registry (20) comprises at least: 
a function for adding a container image (22) to the registry (20), 
a function for deleting a container image (22) from the registry (20), (Suarez, [0119] In 1502, the system performing the process 1500 may receive a request from a client (e.g., a client device) to access (e.g., download from, upload to, delete from, list images stored in, search the contents of, etc.) a repository assigned to a customer of a computing resource service provider.) (EN: upload is adding)
a function for sharing a container image (22) stored in the registry (20), between several client machines (3) of the network (1) that are distinct from one another; and (Suarez, [0026] As another example, the customer 166 may be a software vendor and wish to upload the container image to a publicly-accessible repository in order to make it accessible to other users for download and/or purchase. [0092] FIG. 10 illustrates an example 1000 of an embodiment of the present disclosure. In embodiments of the present disclosure, container registries can be physically located on servers in different geographic regions in order to provide faster uploading and downloading of container images. [0094] For example, if the customer 1066B has 1,000 container instances running a first version of the container image 1052 on servers in the second geographical region 1082B,)
a function for downloading (12) a container image (22) stored in the registry (20), to a client machine (3) of the network (1) (Suarez, [0119] download from).

Regarding claim 40, Suarez, Allen and Iyer teach
network of nodes comprising a plurality of client machines, the network of nodes comprising a container registry (20), using a secure retrieval method according to claim 30 (Suarez, [0073] Finally, in the second example, upon receiving a request to launch the container image, the container image of the second container engine type 652B may be retrieved from the repository 690, whereupon it will pass through the container registry proxy 662, which will then ensure that the correct container engine is used when the container image is launched in an instance. [0029] The container registry 102 may be a comprised of one or more repositories configured to store files and/or directories corresponding to container images, such as the container image 152, and metadata for the files and/or directories. Individual repositories 188 may be assigned to customers of the computing resource service provider. Customers may have one or more repositories 188 as needed)


Claims 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez (2017/0180346) in view of Iyer (WO 2008/094839) in view of Sobel (2017/0099144).

Regarding claim 26, Suarez and Iyer teach
method for secure storage according to claim 20, wherein the step of encrypting (23) the container image (22) is integrated into a command (Iyer, [0035] If the hardware key receives a command to read data from the storage device, a password prompt may be generated.)
Iyer teaches prompts but does not explicitly teach command line.  
However Sobel teaches the step of encrypting (23) the container image (22) is integrated into a command line for the sending of the container image (22), from the client machine (3) to the server machine (4), in the form of an additional encryption layer (Sobel [0090] These steps comprise creating and executing command line invocations of encryption engine programs and other system programs. These command lines may be written to a scripting file which is executed or they may be executed directly by making the appropriate call to the system that is running all these programs.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Sobel’s command line with Suarez-Iyer’s key password command because doing so improves script control of systems (Sobel, [0014] A scriptable controller invokes the unique functionality of special purpose hardware and software to run programs which will securely control the system, produce and send, or receive and utilize data. A platform can uniquely enable an engineer to dynamically script or program the calculation of the encryption parameters)

Regarding claim 27, Suarez, Iyer and Sobel teach
method for secure storage according to claim 26, wherein the encryption key (25) is passed as an argument of the command line for sending (Sobel, [0058] In the present description, "switch" refers to an option and parameter on a command line of code in a script. The particular command is denoted by -(letter), where (letter) is a particular alphabetical character specifying a corresponding value. Switches include: … [0066] -x command line switch to specify Password;)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Sobel’s command line with Iyer’s key password command because doing so improves script control of systems (Sobel, [0014] A scriptable controller invokes the unique functionality of special purpose hardware and software to run programs which will securely control the system, produce and send, or receive and utilize data. A platform can uniquely enable an engineer to dynamically script or program the calculation of the encryption parameters)


Claims 28-29 and 35-36 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez (2017/0180346) in view of Iyer (WO 2008/094839) in view of Sobel (2017/0099144) in view of Allen (2014/0115328).

Regarding claim 28, Suarez, Iyer and Sobel teach
method for secure storage according to claim 26, wherein the encryption step (23) is carried out automatically before any container image (22) is sent from the client machine (3) to the server machine (4)
Suarez does not teach the encryption step (23) is carried out automatically.
However Allen teaches the encryption step (23) is carried out automatically (Allen, [0040] In such a case, the encryption agent could encrypt all documents that exit an enterprise boundary before being uploaded to a public hosting service (e.g., the Dropbox.RTM. service).)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Allen’s user friendly format with Suarez-Iyer’s container registry service because doing so improves file protection with encryption/decryption when it is available for more than one user (Allen, [0006] In such a case, when a user shares an application file with a cloud-storage provider, a user accessing that document may end up accessing an encrypted file within no means to decrypt it and attempting to view the file using an application that does not understand the encrypted content. More generally, using encryption tools often creates friction in business processes within an enterprise, as once a user (or proxy acting on behalf of a user) encrypts data, it is no longer usable by the software that created and/or maintains that data. This produces unfriendly results for users who try to access the file later, either forgetting to decrypt it first or not having the software on hand to decrypt it.)

Regarding claim 29, Suarez, Iyer, Sobel and Allen teach
method for secure storage according to claim 26, wherein the encryption step (23) is carried out after automatically querying the user (2) of the client machine (3) followed by a user (2) of the client machine (3) accepting such encryption (Allen, [0032] For example, a user (or enterprise system administrator) may configure some (or all) documents created by a particular user, saved to a particular location, having certain content, or having other identifiable characteristics to be encrypted when stored by a client application or when published to a particular storage location (e.g., when published to the hosted application service 110).)
The same reason to combine Allen with Suarez-Iyer-Sobel as in claim 28 applies.

Regarding claim 35, Suarez, Allen, Iyer and Sobel teach
method for secure retrieval according to claim 30, (Suarez, [0026] As another example, the customer 166 may be a software vendor and wish to upload the container image to a publicly-accessible repository in order to make it accessible to other users for download and/or purchase.) wherein the step of decrypting the container image (22) is integrated into a command line for the downloading of the container image (22) from the client machine (3) to the server machine (4), in the form of an additional decryption layer  (Iyer, [0035] If the hardware key receives a command to read data from the storage device, a password prompt may be generated.)
Iyer teaches prompts but does not explicitly teach command line.  
However Sobel teaches the step of decrypting (23) the container image (22) is integrated into a command line for the sending of the container image (22), from the client machine (3) to the server machine (4), in the form of an additional encryption layer (Sobel [0090] These steps comprise creating and executing command line invocations of encryption engine programs and other system programs.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Sobel’s command line with Suarez-Iyer’s key password command because doing so improves script control of systems (Sobel, [0014] A scriptable controller invokes the unique functionality of special purpose hardware and software to run programs which will securely control the system, produce and send, or receive and utilize data. A platform can uniquely enable an engineer to dynamically script or program the calculation of the encryption parameters)

Regarding claim 36, Suarez, Allen, Iyer and Sobel teach
method for secure retrieval according to claim 35, wherein the decryption key (25) is passed as an argument of the command line for downloading (Sobel, [0058] In the present description, "switch" refers to an option and parameter on a command line of code in a script. The particular command is denoted by -(letter), where (letter) is a particular alphabetical character specifying a corresponding value. Switches include: … [0066] -x command line switch to specify Password;)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Sobel’s command line with Iyer’s key password command because doing so improves script control of systems (Sobel, [0014] A scriptable controller invokes the unique functionality of special purpose hardware and software to run programs which will securely control the system, produce and send, or receive and utilize data. A platform can uniquely enable an engineer to dynamically script or program the calculation of the encryption parameters)

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional 





/BRUCE S ASHLEY/Examiner, Art Unit 2494
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494, 2-22-2022
Footnotes
1 Iyer [0042] The hardware key 110 can be a device that plugs in to a port (e.g., a parallel, a serial, a USB, or a Fire Wire port) on the system. In one embodiment the hardware key 110 is a memory device that can be plugged and un-plugged
2 MPEP 2106.03 I.
3 See Specification page 4 lines 20-25 “an input node of the client machine” and “the compute node is distinct from the input node”
4 Note: Claims 35 and 36 are not rejected in this section, but are listed because they are secure retrieval claims.