CN109684860B - Data encryption method and device based on business relation - Google Patents


Publication number
CN109684860B
Authority
CN
China
Application number
CN201811641322.9A
Inventor
胡劲松
Original Assignee
Macrosan Technologies Co Ltd

Abstract

The application provides a data encryption method and device based on business relationship, and the method comprises the following steps: receiving a service enabling instruction aiming at a first LUN, and enabling a first service based on the service enabling instruction; synchronizing a first key parameter of the first LUN to a preset second key node through a preset first key node, so that the second key node replaces the second key parameter of the second key node with the first key parameter and obtains a first storage key according to the first key parameter; the first key node is a key node of the first LUN, and the second key node is a key node of the second LUN. Because different LUNs establishing the service relationship can share the storage key, in the process of executing the service in the storage system, data interaction between different LUNs does not need redundant encryption and decryption processing, the time consumption for processing the service and the occupation of processing resources are reduced, and the overall processing efficiency of the storage system is effectively improved.

Description

Data encryption method and device based on business relation
Technical Field
The present application relates to the field of storage, and in particular, to a data encryption method and apparatus based on a business relationship.
Background
Data is the foundation of an information system. To store and transmit data securely, a storage system encrypts the data written to disk, so that the data is stored on the disk as ciphertext. In this case, even if the data is stolen, it cannot be interpreted.
In the related art, a physical encryption module can be added at the disk interface or inside the disk; in practice the physical encryption module is an encryption chip, and data written to the disk after being encrypted by the physical encryption module is ciphertext. Each disk is provided with a unique storage key. The physical encryption module interacts with the storage key management server to acquire the storage key of the disk corresponding to that module, after which data written to the disk can be encrypted with the storage key and data read from the disk can be decrypted.
Disclosure of Invention
In view of this, the present application provides a data encryption method and apparatus based on a business relationship, so as to improve storage security and flexibly encrypt data under the condition of low encryption cost.
Specifically, the method is realized through the following technical scheme:
a data encryption method based on business relationship is applied to a first storage device in a storage system, each LUN of the storage system corresponds to a different key node, the key node of any LUN is used for managing the storage key of that LUN, and the method comprises the following steps:
receiving a service enabling instruction aiming at a first LUN, and enabling a first service based on the service enabling instruction; the main LUN of the first service is the first LUN, and the slave LUN of the first service is the second LUN;
synchronizing a first key parameter of the first LUN to a preset second key node through a preset first key node, so that the second key node replaces a second key parameter of the second key node with the first key parameter and obtains a first storage key according to the first key parameter; the first key node is a key node of the first LUN, and the second key node is a key node of the second LUN.
In the data encryption method based on the business relationship, the second LUN is located on a second storage device of the storage system;
the synchronizing the first key parameter of the first LUN to a preset second key node through a preset first key node includes:
sending a key parameter synchronization request to the second storage device, so that the second storage device replaces the second key parameter in the second key node with the first key parameter; the key parameter synchronization request carries the service identifier of the first service, the LUN identifier of the master LUN, the LUN identifier of the slave LUN, and the first key parameter.
In the data encryption method based on the business relationship, the storage system comprises a key management server, and the key management server distributes key parameters for LUNs in the storage system;
before receiving a service enablement instruction for the first LUN, the method further comprises:
creating the first LUN, and creating the first key node for the first LUN;
creating the second LUN, and creating the second key node for the second LUN;
authenticating the key management server through the first key node, and acquiring the first key parameter from the key management server;
and authenticating the key management server through the second key node, and acquiring the second key parameter from the key management server.
In the data encryption method based on the business relationship, a key parameter is used for indicating a storage key; the obtaining a first storage key according to the first key parameter includes:
and sending a key acquisition request to the key management server through the second key node, so that the key management server returns the first storage key according to the first key parameter in the key acquisition request.
In the data encryption method based on the business relationship, the key parameter comprises a storage key; the obtaining a first storage key according to the first key parameter includes:
and analyzing the first key parameter through the second key node to obtain the first storage key.
In the data encryption method based on business relationship, the method further comprises:
after the first service is enabled, respectively recording the service relationship of the first service in the first key node and the second key node; the service relationship comprises a service identifier of the first service, a LUN identifier of the master LUN of the first service, and a LUN identifier of the slave LUN.
In the data encryption method based on business relationship, the method further comprises:
receiving a write request aiming at the first LUN, and analyzing target data in the write request;
acquiring the first storage key from the first key node, encrypting the target data based on the first storage key, and writing the encrypted first ciphertext data into the first LUN;
checking the business relationship recorded in the first key node in which the first LUN is the master LUN, and determining that the slave LUN in that business relationship is the second LUN;
and acquiring the first ciphertext data from the first LUN, and writing the first ciphertext data into the second LUN.
In the data encryption method based on business relationship, the method further comprises:
receiving a service release instruction, and releasing the service relationship of the first service between the first LUN and the second LUN;
checking a preset service log, and determining whether the first ciphertext data was written into the second LUN while the first service was executed;
if so, keeping the first storage key of the second LUN unchanged;
if not, changing the first storage key of the second LUN back to the second storage key.
In the data encryption method based on business relationship, the method further comprises:
receiving a service enabling instruction aiming at the first LUN, and enabling a second service based on the service enabling instruction; the main LUN of the second service is a third LUN, and the slave LUN of the second service is the first LUN;
synchronizing a third key parameter of the third LUN to the first key node through a preset third key node, so that the first key node replaces the first key parameter of the first key node with the third key parameter and obtains a third storage key according to the third key parameter; wherein the third key node is a key node of the third LUN;
and synchronizing the third key parameter to the second key node through the first key node, so that the second key node replaces the first key parameter of the second key node with the third key parameter and obtains the third storage key according to the third key parameter.
A data encryption device based on business relationship is applied to a first storage device in a storage system, each LUN of the storage system corresponds to different key nodes respectively, and the key node of any LUN is used for managing the storage key of the LUN, and the data encryption device comprises:
the starting unit is used for receiving a service starting instruction aiming at the first LUN and starting the first service based on the service starting instruction; the main LUN of the first service is the first LUN, and the slave LUN of the first service is the second LUN;
a synchronization unit, configured to synchronize a first key parameter of the first LUN to a preset second key node through a preset first key node, so that the second key node replaces a second key parameter of the second key node with the first key parameter, and obtains a first storage key according to the first key parameter; the first key node is a key node of the first LUN, and the second key node is a key node of the second LUN.
In the technical scheme of the application, after the storage device starts the first service, a service relationship between the first LUN and the second LUN is established, and a first key parameter of the first LUN can be synchronized to a second key node of the second LUN through a first key node of the first LUN, so that the second key node can replace a second key parameter of the second key node with the first key parameter, and obtain a first storage key according to the first key parameter;
because different LUNs establishing the service relationship can share the storage key, in the process of executing the service in the storage system, data interaction between different LUNs does not need redundant encryption and decryption processing, the time consumption for processing the service and the occupation of processing resources are reduced, and the overall processing efficiency of the storage system is effectively improved.
Drawings
FIG. 1 is a schematic diagram of an architecture of a storage system shown in the present application;
FIG. 2 is a flow chart of a data encryption method based on business relations shown in the present application;
FIG. 3 is a schematic diagram of an architecture of another storage system shown in the present application;
FIG. 4 is a business relationship diagram of the present application;
FIG. 5 is a schematic diagram of an architecture of yet another storage system shown herein;
FIG. 6 is a schematic diagram of another business relationship shown in the present application;
FIG. 7 is a block diagram of an embodiment of a data encryption apparatus based on business relationships according to the present application;
FIG. 8 is a hardware configuration diagram of a data encryption device based on a business relationship according to the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Referring to fig. 1, which is a schematic structural diagram of a storage system shown in the present application, as shown in fig. 1, each hard disk of a storage device in the storage system has a corresponding physical encryption module ("encrypt" in fig. 1), and the physical encryption module may be located at a disk interface or inside a disk. Each disk is provided with a unique storage key, and when the storage device writes data into any disk, the data needs to be encrypted through a physical encryption module and the storage key of the disk, and then the ciphertext data is written into the disk.
When the storage system performs business processing on data written into a disk, the data must be decrypted once and encrypted once. The services may include copying, mirroring, cloning, snapshot, and the like.
As shown in fig. 1, if the storage device mirrors data in the disk 1 to the disk 2, first, ciphertext data read from the disk 1 needs to be decrypted, and then plaintext data obtained by decryption is transmitted to the disk 2. Then, the plaintext data is encrypted according to the storage key of the disk 2 to obtain new ciphertext data, and the new ciphertext data is written into the disk 2.
The decryption and encryption processing inside the storage system increases the time consumption of processing service, occupies the processing resources of the storage system, and reduces the overall processing efficiency of the storage system.
In order to solve the above problems, the present application provides a data encryption method based on a business relationship, which is used to associate a data encryption operation with the business relationship, thereby reducing encryption cost and improving the overall processing efficiency of a storage system.
Referring to fig. 2, a flowchart of a data encryption method based on business relationship, which is applied to a first storage device of a storage system, is shown in the present application, and includes the following steps:
step 201: receiving a service enabling instruction aiming at a first LUN, and enabling a first service based on the service enabling instruction; the master LUN of the first service is the first LUN, and the slave LUN of the first service is the second LUN.
The first storage device may be any storage device in the storage system, and is only named for convenience of describing the scheme, and the present application is not limited thereto.
Each LUN of the storage system corresponds to a different key node, and the key node of any LUN manages the storage key of the LUN.
Referring to fig. 3, for another network architecture diagram shown in the present application, as shown in fig. 3, a physical encryption module ("encrypt" of fig. 3) of a storage device is installed at an entrance of the device, so that the storage device can immediately perform encryption processing on received target data. It should be noted that, when the storage device encrypts data written to any LUN through the physical encryption module, first, a storage key needs to be obtained from a key node of the LUN, and then, the data is encrypted based on the storage key.
It should be noted that the storage system may include a key management server, and the key management server allocates storage keys to LUNs in the storage system.
First, in this embodiment of the present application, before receiving a service enabling instruction for the first LUN, the first storage device may first create the first LUN and create a first key node for the first LUN, and the first storage device may create the second LUN and create a second key node for the second LUN.
Further, the first storage device may authenticate with the key management server through the first key node, and obtain the first key parameter from the key management server.
Similarly, the first storage device may authenticate with the key management server through the second key node, and acquire the second key parameter from the key management server.
As an embodiment, the key parameter is used to indicate a storage key; in other words, the key parameter corresponds to a key identifier. In this embodiment, the first storage device further needs to obtain a first storage key for the first key node through the first key parameter. The first storage key is a storage key allocated to the first LUN by the key management server.
Similarly, the first storage device further needs to obtain a second storage key for the second key node through the second key parameter. The second storage key is a storage key allocated by the key management server for the second LUN.
As another embodiment, the key parameter includes a storage key, and the first storage device needs to analyze the first key parameter through the first key node, so as to obtain the first storage key. The first storage key is a storage key allocated to the first LUN by the key management server.
Similarly, the first storage device needs to analyze the second key parameter through the second key node, so as to obtain the second storage key. The second storage key is a storage key allocated by the key management server for the second LUN.
In addition, the authentication is to obtain the access right of the key management server, and the specific authentication process may refer to the prior art and is not described herein again.
Through the measures, different key parameters can be configured for each LUN respectively. When an IO (Input/Output) request is processed, the storage device generally reads and writes data in LUN units. A plurality of LUNs can be created on one disk, so that, taking LUNs as the basic unit for encryption, compared with the prior art that disks are used as the basic unit for encryption, the encryption granularity is refined, and the data security is improved.
The first storage device may enable storage-related services after creating each LUN and the key node corresponding to the LUN. The services may include copying, mirroring, cloning, snapshot, and the like.
At this time, as an embodiment, the administrator may issue a service enabling instruction to the storage system based on the service requirement.
The first storage device receives a service enabling instruction for the first LUN, where the service enabling instruction carries a service identifier, a LUN identifier of a master LUN and a LUN identifier of a slave LUN in a service relationship.
The service identifier may be a service name, and the service identifier indicates a first service, which is a general service and may be any one of the aforementioned services such as copy and mirror; the LUN identifier of the main LUN is the LUN identifier of the first LUN; the LUN identifier of the slave LUN is the LUN identifier of the second LUN.
The first storage device may enable the first service based on the service enabling instruction.
Referring to fig. 4, a schematic view of a business relationship shown in the present application: as shown in part a of fig. 4, neither LUN1 nor LUN2 has enabled any business in the initial state, so LUN1 and LUN2 are ordinary LUNs (general) at this point. When a business is enabled between LUN1 and LUN2, LUN1 is designated as the master LUN and LUN2 as the slave LUN in the business relationship.
Step 202: synchronizing a first key parameter of the first LUN to a preset second key node through a preset first key node, so that the second key node replaces a second key parameter of the second key node with the first key parameter and obtains a first storage key according to the first key parameter; the first key node is a key node of the first LUN, and the second key node is a key node of the second LUN.
After the first service is enabled, the first storage device may synchronize the first key parameter to the second key node through the first key node.
Further, the first storage device may replace the second key parameter of the second key node with the first key parameter through the second key node, and then obtain the first storage key according to the first key parameter.
In an embodiment, if the second LUN is located on a second storage device of the storage system, the first storage device may send a key parameter synchronization request to the second storage device. The key parameter synchronization request may carry the service identifier of the first service, the LUN identifier of the master LUN, the LUN identifier of the slave LUN, and the first key parameter.
After receiving the key parameter synchronization request, the second storage device may replace the second key parameter in the second key node with the first key parameter. Further, a first storage key may be obtained according to the first key parameter.
Referring to fig. 5, for another network architecture diagram shown in the present application, as shown in fig. 5, a storage system includes a storage device 1, a storage device 2, a storage device 3, and a storage device 4. Thus, when the LUNs involved in any of the enabled services are located on different storage devices, there is a necessary interaction between the various storage devices. Reference may be made to the prior art, which is not repeated herein.
As an embodiment, if the key parameter is used to indicate a storage key, the first storage device may send a key obtaining request to the key management server through the second key node in a process of obtaining a first storage key according to the first key parameter. Wherein, the key obtaining request carries the first key parameter.
After receiving the first key parameter, the key management server returns the first storage key to the second key node of the first storage device.
Since the first storage device completes authentication with the key management server through the second key node, in this embodiment, even if the key parameter on the first storage device is stolen by an attacker, the attacker cannot acquire the storage key from the key management server. The embodiment can greatly improve the safety of the stored data.
As another embodiment, if the key parameter includes a storage key, the first storage device may parse the first key parameter through the second key node in a process of obtaining the first storage key according to the first key parameter, so as to obtain the first storage key.
An advantage of such an embodiment is that the second key node can obtain the first storage key more quickly.
Of course, if the second LUN is located in a second storage device of the storage system, the second storage device may also obtain the first storage key for the second key node based on the manners in the two embodiments.
In this embodiment, after the first service is enabled, the first storage device may record the service relationship of the first service in the first key node and in the second key node, respectively. The service relationship may include the service identifier of the first service, the LUN identifier of the master LUN of the first service, and the LUN identifier of the slave LUN.
Of course, if the second LUN is located in a second storage device of the storage system, the second storage device may also record the service relationship of the first service in a local second key node.
By this measure, subsequent execution of services can be facilitated.
In this embodiment of the present application, after the first storage device enables the first service, the first service may be executed in a process of processing a write request.
Specifically, the first storage device receives a write request for the first LUN, and may parse target data in the write request.
Then, the first storage device may obtain the first storage key from the first key node, encrypt the target data based on the first storage key, and write the encrypted first ciphertext data into the first LUN.
Further, the first storage device checks the business relationship recorded by the first key node and using the first LUN as the master LUN, and determines that the slave LUN in the business relationship is the second LUN.
Therefore, the first storage device may obtain the first ciphertext data from the first LUN, and then write the first ciphertext data to the second LUN.
Because the first LUN and the second LUN have a service relationship, the first LUN and the second LUN share a storage key, and the first storage device only needs to be encrypted once in the process of executing the first service.
In this embodiment of the present application, the same LUN may be in multiple service relationships, and in this case, to ensure that the LUN and other LUNs in each service relationship can share the storage key, the LUN needs to share the same storage key with other LUNs in all service relationships.
The following describes a sharing process of the storage key by taking the first LUN as an example.
The first storage device receives a service enabling instruction for the first LUN, where the service enabling instruction carries a service identifier, a LUN identifier of a master LUN in a service relationship, and a LUN identifier of a slave LUN.
The LUN identifier of the master LUN is the LUN identifier of the third LUN; the LUN identifier of the slave LUN is the LUN identifier of the first LUN.
The first storage device may enable the second service based on the service enabling instruction.
Then, the first storage device may synchronize a third key parameter of the third LUN to the first key node through a preset third key node. And the third key node is the key node of the third LUN.
Further, the first storage device may replace the first key parameter of the first key node with the third key parameter through the first key node, and then obtain a third storage key according to the third key parameter.
The first storage device further needs to synchronize the third key parameter to the second key node through the first key node, then replace the first key parameter of the second key node with the third key parameter through the second key node, and obtain the third storage key according to the third key parameter.
Referring to fig. 6, another business relationship diagram shown in the present application is shown. As shown in fig. 6, LUN1 and LUN2 first establish a business relationship in which LUN1 is the master LUN and LUN2 is the slave LUN, and thus LUN1 synchronizes its key parameters to LUN2, so that LUN2 can share the key parameters with LUN1, and further share the storage key. Next, LUN3 and LUN1 establish a business relationship in which LUN3 is the master LUN and LUN1 is the slave LUN. In this case, LUN3 synchronizes its key parameter to LUN1, and LUN1 synchronizes the key parameter to LUN2, so that three LUNs can share the key parameter and thus share the storage key.
It can be seen that, when multiple service relationships exist among multiple LUNs, the storage key ultimately shared by the LUNs is actually the storage key of the main LUN in the last established service relationship.
In this embodiment, the first storage device may release an enabled service when necessary; as one embodiment, the administrator issues a service release instruction to the storage system.
The first storage device receives the service release instruction; the instruction carries a service identifier, the LUN identifier of the master LUN in the service relationship, and the LUN identifier of the slave LUN. The service identifier is that of the first service, the LUN identifier of the master LUN is that of the first LUN, and the LUN identifier of the slave LUN is that of the second LUN.
In response to the service release instruction, the first storage device may release the service relationship of the first service between the first LUN and the second LUN.
Further, the first storage device may check a preset service log to determine whether the first ciphertext data was written to the second LUN while the first service was executed.
In one case, the service log records that the first ciphertext data has been written to the second LUN; the first storage device then keeps the first storage key of the second LUN unchanged, so that the ciphertext already stored on the second LUN remains readable.
In the other case, the service log records that the first ciphertext data was not written to the second LUN; the first storage device then changes the first storage key of the second LUN back to the second storage key.
Referring to view B of FIG. 4, after the service relationship between LUN1 and LUN2 is released, LUN1 is no longer the master LUN and LUN2 is no longer the slave LUN, and each uses an independent storage key from this point on.
With this measure, LUNs whose service relationship has been released use different storage keys again, which benefits storage security.
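The chained synchronization of fig. 6 and the release check above, modelled as an added Python example that is not part of the patent: the key nodes, the service log, the LUN identifiers and the toy SHA-256 keystream cipher standing in for the real storage cipher are all constructed here, and `storage_key()` deriving the key by hashing the parameter is an assumption in place of the "parse the parameter / ask the key management server" step.

```python
import hashlib
import os
from dataclasses import dataclass, field


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream cipher: a stand-in for the real storage cipher, not for production."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class KeyNode:
    """Key node of one LUN: the parameter assigned to it and the one currently in effect."""
    lun_id: str
    own_param: bytes                  # parameter originally obtained for this LUN
    param: bytes                      # parameter in effect (a master's after synchronization)
    relations: list = field(default_factory=list)   # recorded (service_id, master, slave)

    def storage_key(self) -> bytes:
        # Assumption: the storage key is derived by hashing the key parameter; the
        # patent leaves the "parse the parameter / ask the key server" step abstract.
        return hashlib.sha256(b"storage-key|" + self.param).digest()


class StorageSystem:
    def __init__(self) -> None:
        self.nodes: dict = {}            # lun_id -> KeyNode
        self.data: dict = {}             # lun_id -> ciphertext stored on that LUN
        self.service_log: set = set()    # (service_id, slave) pairs that received ciphertext

    def create_lun(self, lun_id: str) -> None:
        param = os.urandom(16)           # stands in for the key-server-assigned parameter
        self.nodes[lun_id] = KeyNode(lun_id, param, param)

    def _sync(self, lun_id: str, param: bytes) -> None:
        """Install param in lun_id's key node and forward it down the chain (fig. 6)."""
        node = self.nodes[lun_id]
        node.param = param
        for _, master, slave in node.relations:
            if master == lun_id:
                self._sync(slave, param)

    def enable_service(self, service_id: str, master: str, slave: str) -> None:
        rel = (service_id, master, slave)
        self.nodes[master].relations.append(rel)   # recorded in both key nodes
        self.nodes[slave].relations.append(rel)
        self._sync(slave, self.nodes[master].param)

    def write(self, service_id: str, master: str, plaintext: bytes) -> None:
        """Encrypt once on the master, then copy the ciphertext unchanged to the slave."""
        node = self.nodes[master]
        ciphertext = keystream_xor(node.storage_key(), plaintext)
        self.data[master] = ciphertext
        for sid, m, slave in node.relations:
            if sid == service_id and m == master:
                self.data[slave] = ciphertext
                self.service_log.add((sid, slave))

    def read(self, lun_id: str) -> bytes:
        return keystream_xor(self.nodes[lun_id].storage_key(), self.data[lun_id])

    def release_service(self, service_id: str, master: str, slave: str) -> str:
        """Drop the relationship; revert the slave's key only if no ciphertext reached it."""
        rel = (service_id, master, slave)
        self.nodes[master].relations.remove(rel)
        self.nodes[slave].relations.remove(rel)
        if (service_id, slave) in self.service_log:
            return "kept"                # shared-key ciphertext on the slave stays readable
        self.nodes[slave].param = self.nodes[slave].own_param
        return "reverted"
```

The slave reads the copied ciphertext with its own key node, so no decrypt-and-re-encrypt step occurs on the copy path; the service log decides at release time whether the slave may safely return to its original key.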
In summary, in the technical solution of the present application, after the storage device enables the first service, a service relationship between the first LUN and the second LUN is established, and the first key parameter of the first LUN is synchronized to the second key node of the second LUN by the first key node of the first LUN, so that the second key node replaces its second key parameter with the first key parameter and obtains the first storage key according to the first key parameter.
Because different LUNs in a service relationship share one storage key, data exchanged between them while a service is executed needs no redundant decryption and re-encryption; this reduces the processing time and processing resources a service consumes and effectively improves the overall processing efficiency of the storage system.
Corresponding to the embodiment of the data encryption method based on the business relationship, the application also provides an embodiment of a data encryption device based on the business relationship.
Referring to fig. 7, a data encryption apparatus 70 based on service relationship according to the present application is shown.
As shown in fig. 7, the data encryption apparatus 70 based on service relationship includes:
an enabling unit 710, configured to receive a service enabling instruction for the first LUN and enable the first service based on the service enabling instruction; the master LUN of the first service is the first LUN, and the slave LUN of the first service is the second LUN;
a synchronizing unit 720, configured to synchronize, through a preset first key node, a first key parameter of the first LUN to a preset second key node, so that the second key node replaces its second key parameter with the first key parameter and obtains a first storage key according to the first key parameter; the first key node is the key node of the first LUN, and the second key node is the key node of the second LUN.
In this example, the second LUN is located on a second storage device of the storage system;
the synchronization unit 720 is further configured to:
sending a key parameter synchronization request to the second storage device, so that the second storage device replaces the second key parameter in the second key node with the first key parameter; the key parameter synchronization request carries the service identifier of the first service, the LUN identifier of the master LUN, the LUN identifier of the slave LUN, and the first key parameter.
In this example, the storage system includes a key management server that assigns key parameters to LUNs in the storage system; the device further comprises:
a creating unit 730 (not shown in the figure) configured to create the first LUN and create the first key node for the first LUN; creating the second LUN, and creating the second key node for the second LUN;
an obtaining unit 740 (not shown in the figure) configured to authenticate with the key management server through the first key node and obtain the first key parameter from the key management server, and to authenticate with the key management server through the second key node and obtain the second key parameter from the key management server.
In this example, the key parameter is used to indicate the storage key; the device further comprises:
the obtaining unit 740 (not shown in the figure) is further configured to initiate a key obtaining request to the key management server through the second key node, so that the key management server returns the first storage key according to the first key parameter in the key obtaining request.
In this example, the key parameter comprises a storage key; the device further comprises:
the obtaining unit 740 (not shown in the figure) is further configured to parse the first key parameter through the second key node to obtain the first storage key.
In this example, the apparatus further comprises:
a recording unit 750 (not shown in the figure) configured to record, in the first key node and the second key node, a service relationship of the first service after the first service is enabled; the service relationship comprises a service identifier of the first service, an LUN identifier of a master LUN of the first service, and an LUN identifier of a slave LUN.
In this example, the apparatus further comprises:
a receiving unit 760 (not shown in the figure) configured to receive a write request for the first LUN, and parse target data in the write request;
an encrypting unit 770 (not shown in the figure) configured to obtain the first storage key from the first key node, encrypt the target data based on the first storage key, and write the encrypted first ciphertext data into the first LUN;
a checking unit 780 (not shown in the figure), configured to check the service relationship recorded in the first key node in which the first LUN is the master LUN, and determine that the slave LUN in that relationship is the second LUN;
and a processing unit 790 (not shown in the figure) configured to obtain the first ciphertext data from the first LUN, and write the first ciphertext data to the second LUN.
In this example, the apparatus further comprises:
a receiving unit 760 (not shown in the figure) configured to receive a service release instruction to release the service relationship of the first service between the first LUN and the second LUN;
a checking unit 780 (not shown in the figure) configured to check a preset service log and determine whether the first ciphertext data was written to the second LUN when the first service was executed;
a processing unit 790 (not shown in the figure) configured to keep the first storage key of the second LUN unchanged if it was, and to change the first storage key of the second LUN back to the second storage key if it was not.
In this example, the apparatus further comprises:
the enabling unit 710 is further configured to receive a service enabling instruction for the first LUN and enable a second service based on the service enabling instruction; the master LUN of the second service is a third LUN, and the slave LUN of the second service is the first LUN;
the synchronizing unit 720 is further configured to synchronize a third key parameter of the third LUN to the first key node through a preset third key node, so that the first key node replaces the first key parameter of the first key node with the third key parameter, and obtains a third storage key according to the third key parameter; wherein the third key node is a key node of the third LUN; and synchronizing the third key parameter to the second key node through the first key node, so that the second key node replaces the first key parameter of the second key node with the third key parameter and obtains the third storage key according to the third key parameter.
The above embodiment of the data encryption apparatus based on service relationship can be applied to a storage device. The apparatus embodiment may be implemented by software, by hardware, or by a combination of the two. Taking a software implementation as an example, the apparatus, as a logical device, is formed by the processor of the storage device on which it resides reading the corresponding computer program instructions from nonvolatile memory into memory and executing them. In terms of hardware, fig. 8 shows the hardware structure of the storage device on which the data encryption apparatus based on service relationship of the present application resides; besides the processor, memory, network interface and nonvolatile memory shown in fig. 8, the storage device in this embodiment may also include other hardware according to the actual function of the apparatus, which is not described again here.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (9)

1. A data encryption method based on service relationship, applied to a first storage device in a storage system, wherein each LUN of the storage system corresponds to a different key node and the key node of any LUN is used to manage the storage key of that LUN, the method being characterized by comprising the following steps:
receiving a service enabling instruction for a first LUN, and enabling a first service based on the service enabling instruction; the master LUN of the first service is the first LUN, the slave LUN of the first service is a second LUN, and the second LUN is located on a second storage device of the storage system;
sending a key parameter synchronization request to the second storage device through a preset first key node, so that the second storage device replaces a second key parameter in the second key node with the first key parameter; the key parameter synchronization request carries a service identifier of the first service, an LUN identifier of a master LUN, an LUN identifier of a slave LUN, and the first key parameter, so that the second key node replaces a second key parameter of itself with the first key parameter and obtains a first storage key according to the first key parameter; the first key node is a key node of the first LUN, and the second key node is a key node of the second LUN.
2. The method according to claim 1, wherein the storage system comprises a key management server, and the key management server assigns key parameters to LUNs in the storage system;
before receiving a service enablement instruction for the first LUN, the method further comprises:
creating the first LUN, and creating the first key node for the first LUN;
creating the second LUN, and creating the second key node for the second LUN;
authenticating with the key management server through the first key node, and acquiring the first key parameter from the key management server;
and authenticating with the key management server through the second key node, and acquiring the second key parameter from the key management server.
3. The method of claim 2, wherein obtaining the first storage key according to the first key parameter comprises:
and sending a key acquisition request to the key management server through the second key node, so that the key management server returns the first storage key according to the first key parameter in the key acquisition request.
4. The method of claim 1, wherein obtaining the first storage key according to the first key parameter comprises:
and parsing the first key parameter through the second key node to obtain the first storage key.
5. The method of claim 1, further comprising:
after the first service is enabled, respectively recording the service relationship of the first service in the first key node and the second key node; the service relationship comprises a service identifier of the first service, an LUN identifier of a master LUN of the first service, and an LUN identifier of a slave LUN.
6. The method of claim 1, further comprising:
receiving a write request for the first LUN, and parsing target data from the write request;
acquiring the first storage key from the first key node, encrypting the target data based on the first storage key, and writing the encrypted first ciphertext data into the first LUN;
checking the service relationship recorded in the first key node in which the first LUN is the master LUN, and determining that the slave LUN in that service relationship is the second LUN;
and acquiring the first ciphertext data from the first LUN, and writing the first ciphertext data into the second LUN.
7. The method of claim 6, further comprising:
receiving a service release instruction, and releasing the service relationship of the first service between the first LUN and the second LUN;
checking a preset service log, and determining whether the first ciphertext data was written to the second LUN when the first service was executed;
if so, keeping the first storage key of the second LUN unchanged;
if not, the first storage key of the second LUN is changed into a second storage key.
8. The method of claim 1, further comprising:
receiving a service enabling instruction for the first LUN, and enabling a second service based on the service enabling instruction; the master LUN of the second service is a third LUN, and the slave LUN of the second service is the first LUN;
synchronizing a third key parameter of the third LUN to the first key node through a preset third key node, so that the first key node replaces the first key parameter of the first key node with the third key parameter and obtains a third storage key according to the third key parameter; wherein the third key node is a key node of the third LUN;
and synchronizing the third key parameter to the second key node through the first key node, so that the second key node replaces the first key parameter of the second key node with the third key parameter and obtains the third storage key according to the third key parameter.
9. A data encryption apparatus based on service relationship, applied to a first storage device in a storage system, wherein each LUN of the storage system corresponds to a different key node and the key node of any LUN is used to manage the storage key of that LUN, the apparatus being characterized by comprising:
an enabling unit, configured to receive a service enabling instruction for the first LUN and enable the first service based on the service enabling instruction; the master LUN of the first service is the first LUN, the slave LUN of the first service is a second LUN, and the second LUN is located on a second storage device of the storage system;
a synchronization unit, configured to send a key parameter synchronization request to the second storage device through a preset first key node, so that the second storage device replaces a second key parameter in the second key node with the first key parameter; the key parameter synchronization request carries a service identifier of the first service, an LUN identifier of a master LUN, an LUN identifier of a slave LUN, and the first key parameter, so that the second key node replaces a second key parameter of itself with the first key parameter and obtains a first storage key according to the first key parameter; the first key node is a key node of the first LUN, and the second key node is a key node of the second LUN.
CN201811641322.9A 2018-12-29 2018-12-29 Data encryption method and device based on business relation Active CN109684860B (en)


Publications (2)

Publication Number Publication Date
CN109684860A CN109684860A (en) 2019-04-26
CN109684860B true CN109684860B (en) 2020-08-14





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant