CN110806919B - Method and system for protecting virtual machine image in cloud environment - Google Patents
- Publication number: CN110806919B (application number CN201910912822.XA)
- Authority: CN (China)
- Prior art keywords
- dek
- virtual machine
- password
- machine image
- plaintext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F9/00—Arrangements for program control, e.g. control units > G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44—Arrangements for executing specific programs > G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533—Hypervisors; Virtual machine monitors > G06F9/45558—Hypervisor-specific management and integration aspects
    - G06F2009/4557—Distribution of virtual machine instances; Migration and load balancing
    - G06F2009/45587—Isolation or security of virtual machine instances
    - G06F2009/45595—Network integration; Enabling network access in virtual machine instances
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    - G06F21/60—Protecting data > G06F21/602—Providing cryptographic facilities or services
Abstract
The application discloses a method and a system for protecting a virtual machine image in a cloud environment, wherein the method comprises the following steps: adding a first password when creating a virtual machine image file; creating a DEK plaintext and a DEK ciphertext according to the first password; encrypting the virtual machine image file by using the DEK plaintext; simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool; when the encrypted virtual machine image file is read, a second password and a DEK ciphertext are obtained; judging whether the second password is the same as the first password or not; if so, the trusted platform module acquires the DEK plaintext according to the DEK ciphertext; and decrypting the virtual machine image file by using the DEK plaintext. The system comprises a key management module and a virtual machine mirror module. Through the method and the device, the data security level of the virtual data center can be improved, and the data security is effectively improved.
Description
Technical Field
The application relates to the technical field of computer security, in particular to a method and a system for protecting a virtual machine image in a cloud environment.
Background
With the development of cloud computing and big data, more and more enterprises and scientific research institutions adopt the cloud computing technology to deploy virtual data centers, and the virtual data centers deployed by the cloud computing technology are flexible in deployment and can save cost. However, how to improve the security of data compared to the conventional data center is an important issue of the virtual data center. Particularly, for virtual machine images in a cloud environment, operations such as backup provided by virtualization management software can easily spread sensitive data, certificates, information and the like, thereby causing a data security problem.
Currently, cloud computing vendors generally store virtual machine images under a single shared encryption scheme: in a cloud environment, all virtual machine disk images are encrypted and decrypted with one key, that is, tenant A and tenant B use the same encryption key.
However, in this shared-key storage mode, because one encryption and decryption key is shared by all tenants, the confidentiality of a tenant's virtual machine image cannot be guaranteed against an insider threat such as the cloud computing vendor or a cloud administrator; that is, the security of the data center is not high enough.
Disclosure of Invention
The application provides a method and a system for protecting a virtual machine image in a cloud environment, aiming to solve the problem in the prior art that the data security of the data center is not high enough.
In order to solve the technical problem, the embodiment of the application discloses the following technical scheme:
a method for protecting a virtual machine image in a cloud environment, the method comprising:
adding a first password when creating a virtual machine image file, wherein the first password is a password set by a tenant;
according to the first password, a DEK (Data Encryption Key) plaintext and a DEK ciphertext are created based on a trusted platform module;
encrypting the virtual machine image file by using the DEK plaintext to obtain an encrypted virtual machine image file;
storing the DEK ciphertext and the encrypted virtual machine image file to a storage pool at the same time;
when the encrypted virtual machine image file is read, a second password and a DEK ciphertext are obtained, wherein the second password is a password input by a current tenant;
judging whether the second password is the same as the first password or not;
if so, the trusted platform module acquires the DEK plaintext according to the DEK ciphertext;
and decrypting the virtual machine image file by using the DEK plaintext.
Optionally, the method for creating the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password includes:
according to the first password, a DEK plaintext and an RSA public and private key pair are created based on a trusted platform module;
and the DEK plaintext is encrypted by using the RSA public and private key pair to obtain a DEK ciphertext.
Optionally, the trusted platform module is a TPM (Trusted Platform Module) chip.
Optionally, the method for encrypting the virtual machine image file is AES encryption, and the method for decrypting the virtual machine image file is AES decryption.
Optionally, after the DEK ciphertext and the encrypted virtual machine image file are stored in a storage pool at the same time, and after the virtual machine image file is decrypted by using the DEK plaintext, the method further includes:
the DEK plaintext is deleted.
A system for protecting virtual machine images in a cloud environment, the system comprising:
the key management module is used for adding a first password when a virtual machine image file is created, creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and sending the DEK plaintext and the DEK ciphertext to the virtual machine image module, wherein the first password is a password set by a tenant;
the virtual machine image module is used for encrypting the virtual machine image file by utilizing the DEK plaintext to obtain an encrypted virtual machine image file, and simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the virtual machine image module is further configured to, when reading the encrypted virtual machine image file, obtain a second password and a DEK ciphertext and simultaneously send the second password and the DEK ciphertext to the key management module, wherein the second password is a password input by a current tenant;
the key management module is further used for judging whether the second password is the same as the first password, calling the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password, and sending the DEK plaintext to the virtual machine image module;
and the virtual machine image module is also used for decrypting the virtual machine image file by utilizing the DEK plaintext.
Optionally, the key management module includes:
the password adding unit is used for adding a first password when the virtual machine image file is created, wherein the first password is a password set by a tenant;
the key creating unit is used for creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password;
the first sending unit is used for sending the DEK plaintext and the DEK ciphertext to the virtual machine image module;
the judgment unit is used for judging whether a second password is the same as the first password, wherein the second password is a password input by the current tenant;
the DEK plaintext acquisition unit is used for calling the trusted platform module to acquire the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password;
the first sending unit is further used for sending the DEK plaintext to the virtual machine image module after the DEK plaintext is obtained according to the DEK ciphertext.
Optionally, the virtual machine image module includes:
the encryption unit is used for encrypting the virtual machine image file by using the DEK plaintext to obtain the encrypted virtual machine image file;
the storage unit is used for simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the obtaining unit is used for obtaining a second password and a DEK ciphertext when the encrypted virtual machine image file is read;
the second sending unit is used for sending the second password and the DEK ciphertext to the key management module at the same time;
and the decryption unit is used for decrypting the virtual machine image file by using the DEK plaintext.
Optionally, the encryption unit is an AES encryption unit, and the decryption unit is an AES decryption unit.
Optionally, the key management module further includes: the first deleting unit is used for deleting the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file are simultaneously stored in the storage pool;
the virtual machine image module further comprises: and the second deleting unit is used for deleting the DEK plaintext after decrypting the virtual machine image file by using the DEK plaintext.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
The method improves data security at both the creation and the reading of a virtual machine image file. When the virtual machine image file is created, a first password is added; a DEK plaintext and a DEK ciphertext are then created based on a trusted platform module according to the first password; the virtual machine image file is encrypted using the DEK plaintext; and finally the DEK ciphertext and the encrypted virtual machine image file are stored to a storage pool. When the encrypted virtual machine image file is read, a second password and the DEK ciphertext are obtained; whether the second password is the same as the first password is judged; when they are the same, the trusted platform module obtains the DEK plaintext according to the DEK ciphertext, and the DEK plaintext is used to decrypt the virtual machine image file. In this embodiment, the first password set by the tenant is added when the virtual machine image file is created, so that when the file is loaded the content of the virtual machine disk image can be obtained only when the second password input by the current tenant is the same as the first password, rather than being obtainable from the DEK ciphertext alone. The arrangement of the first password therefore greatly improves the security of the data center in the cloud environment.
In addition, in this embodiment, the DEK plaintext is deleted after the DEK ciphertext and the encrypted virtual machine image file have been stored in the storage pool, and the DEK plaintext is deleted again after it has been used to decrypt the virtual machine image file. Deleting the DEK plaintext promptly prevents data leakage and further improves data security in the data center.
The application also provides a system for protecting a virtual machine image in a cloud environment, which mainly comprises a key management module and a virtual machine image module. When the virtual machine image file is created, the key management module adds a first password, creates a DEK plaintext and a DEK ciphertext based on the trusted platform module, and sends the DEK plaintext and the DEK ciphertext to the virtual machine image module. The virtual machine image module encrypts the virtual machine image file using the DEK plaintext and stores the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time. When the virtual machine image file is read, the virtual machine image module obtains the DEK ciphertext and a second password input by the current tenant and sends both to the key management module; the key management module judges whether the second password is the same as the first password and, when it is, calls the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext and sends the DEK plaintext to the virtual machine image module. By providing the key management module, which adds the first password when the virtual machine image file is created, and the virtual machine image module, which obtains the second password when the encrypted virtual machine image file is read so that the two passwords can be compared, the confidentiality of virtual machine image data in the cloud environment, and thus the security of the data center's data, is greatly improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a system for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For a better understanding of the present application, embodiments of the present application are explained in detail below with reference to the accompanying drawings.
Example one
Referring to fig. 1, fig. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure. As shown in fig. 1, the method for protecting a virtual machine image in a cloud environment in this embodiment mainly includes the following steps:
S01: when the virtual machine image file is created, a first password is added, wherein the first password is a password set by a tenant.
In the embodiment, the first password set in advance by the tenant is added when the virtual machine image file is created, and when the virtual machine image file is loaded, the content of the virtual machine disk image can be acquired only when the second password input by the current tenant is the same as the first password, instead of acquiring the content of the virtual machine image only through the DEK ciphertext. Therefore, the confidentiality of the virtual machine mirror image in the cloud environment can be greatly improved by setting the first password, and the data security of the data center is improved.
S02: and creating the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password.
In this embodiment, the DEK plaintext and the DEK ciphertext are used for virtual machine image encryption, and specifically, step S02 includes the following steps:
S021: according to the first password, a DEK plaintext and an RSA public and private key pair are created based on the trusted platform module;
S022: the DEK plaintext is encrypted by using the RSA public and private key pair to obtain the DEK ciphertext.
In this embodiment, the trusted platform module may be a TPM chip. According to steps S021 and S022, when creating the DEK plaintext and the DEK ciphertext based on the trusted platform module, the TPM2_GetRandom command of the TPM chip is first called to generate a random number as the DEK plaintext; then, according to the first password input by the tenant, the TPM2_Create command of the TPM chip is called to create an RSA public and private key pair, namely Rsa_pri and Rsa_pub, wherein Rsa_pub is the public key and may be stored outside the TPM chip; finally, the TPM chip command TPM2_RSA_Encrypt is called to encrypt the DEK plaintext to obtain the DEK ciphertext.
With continued reference to fig. 1, step S03 is performed after the DEK plain text and the DEK cipher text are created: and encrypting the virtual machine image file by utilizing the DEK plaintext to obtain the encrypted virtual machine image file.
In this embodiment, the method for encrypting the virtual machine image file by using the DEK plaintext is AES encryption. Namely: and performing AES encryption on the created virtual machine image file by using the DEK plaintext as an AES key through an AES encryption method to obtain the encrypted virtual machine image file.
After the encrypted virtual machine image file is acquired, step S04 is executed: and simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool.
The storage pool in this embodiment refers to a storage pool in a cloud environment, and is used for storing a virtual machine image file.
Through the above steps S01-S04, after the creation of the virtual machine image file is completed, step S06 is executed: and when the encrypted virtual machine image file is read, acquiring a second password and a DEK ciphertext, wherein the second password is a password input by the current tenant.
S07: and judging whether the second password is the same as the first password.
If the second password is the same as the first password, go to step S08: and the trusted platform module acquires the DEK plaintext according to the DEK ciphertext.
If the second password is different from the first password, it indicates that the second password currently input by the tenant is incorrect, and the process returns to step S06 to obtain the second password again.
S09: and decrypting the virtual machine image file by using the DEK plaintext.
Corresponding to step S03, the method for decrypting the virtual machine image file in the present embodiment is AES decryption. The specific AES decryption method is a method in the prior art, and is not described herein again.
As can be seen from steps S06-S09, when the virtual machine image file is loaded, the DEK ciphertext matching the virtual machine image file and the second password input by the current tenant are first obtained; the TPM2_RSA_Decrypt command of the TPM chip is then called to decrypt the DEK ciphertext under the second password input by the current tenant; when the second password is the same as the first password, the second password is judged to be correct and the DEK ciphertext is decrypted to obtain the DEK plaintext; finally, the virtual machine image file is AES-decrypted using the recovered DEK plaintext to obtain the virtual machine image plaintext.
Further, in the present embodiment, after the step S04, the method further includes a step S05: the DEK plaintext is deleted. After the step S09, a step S10 is further included: the DEK plaintext is deleted.
Through the steps of S05 and S10, malicious administrators can be effectively prevented from illegally snooping sensitive data of tenants in a public cloud or mixed cloud environment, and the confidentiality of virtual machine image files in the cloud environment is protected, so that the data security level of the virtual data center is effectively improved, and the data security of the data center is greatly improved.
In summary, in the method for protecting a virtual machine image in a cloud environment in this embodiment, confidentiality of the virtual machine image file is enhanced mainly from a stage of creating the virtual machine image file and a stage of reading the virtual machine image file. The data security level of the virtual data center is improved by adding the first password in the stage of creating the virtual machine image file and judging the consistency of the second password input by the current tenant and the first password in the stage of reading the encrypted virtual machine image file.
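The creation flow S01-S05 and the reading flow S06-S10 of this embodiment, written out as an added Go example; this is illustration code for the page, not code from the patent or its applicant. The TPM chip is replaced by a small software stand-in, `simTPM`, which holds the RSA private key Rsa_pri together with an authorisation value derived from the first password and releases the DEK plaintext only when the second password matches; that is the assumed reading of how the first password gates TPM2_RSA_Decrypt, with the comparison done inside the stand-in rather than by a separate key management module. The patent names only "AES", so AES-256-GCM is assumed for the image and RSA-OAEP for wrapping the DEK; `simTPM`, `createImage`, `readImage`, `aesGCM`, `zeroize`, `ErrBadPassword` and the sample image bytes are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// ErrBadPassword: the second password differs from the first, so the S07 check fails.
var ErrBadPassword = errors.New("second password does not match first password")

// simTPM is a software stand-in for the TPM chip (constructed for this example): Rsa_pri
// and the password-derived authorisation value live here and never leave. Only Rsa_pub is exported.
type simTPM struct {
	priv *rsa.PrivateKey
	auth [32]byte // sha256(first password), standing in for the TPM authValue
}

// newSimTPM plays TPM2_Create: an RSA key pair whose private half needs the first password.
func newSimTPM(firstPassword string) (*simTPM, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &simTPM{priv: priv, auth: sha256.Sum256([]byte(firstPassword))}, &priv.PublicKey, nil
}

// rsaDecrypt plays TPM2_RSA_Decrypt gated by S07/S08: unwrap only if the passwords match.
func (t *simTPM) rsaDecrypt(secondPassword string, dekCipher []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(secondPassword))
	if subtle.ConstantTimeCompare(h[:], t.auth[:]) != 1 {
		return nil, ErrBadPassword
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, dekCipher, nil)
}

// zeroize implements S05/S10: overwrite the DEK plaintext as soon as it is no longer needed.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// aesGCM is the "AES" of S03 (seal) and S09 (open) as AES-256-GCM, 12-byte nonce prepended.
func aesGCM(key, in []byte, seal bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if seal {
		nonce := make([]byte, ns)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return gcm.Seal(nonce, nonce, in, nil), nil
	}
	if len(in) < ns {
		return nil, errors.New("encrypted image too short")
	}
	return gcm.Open(nil, in[:ns], in[ns:], nil) // fails on any tampering with the image
}

// createImage covers S02-S05: random DEK (TPM2_GetRandom), DEK wrapped under Rsa_pub as the
// DEK ciphertext, image encrypted under the DEK, DEK plaintext wiped. S04 stores both outputs.
func createImage(tpm *simTPM, pub *rsa.PublicKey, image []byte) (encImage, dekCipher []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	defer zeroize(dek)
	// Wrapping needs only Rsa_pub, so this step may run outside the TPM.
	if dekCipher, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil); err != nil {
		return nil, nil, err
	}
	encImage, err = aesGCM(dek, image, true)
	return encImage, dekCipher, err
}

// readImage covers S06-S10: the DEK plaintext is released only on a password match, then wiped.
func readImage(tpm *simTPM, secondPassword string, encImage, dekCipher []byte) ([]byte, error) {
	dek, err := tpm.rsaDecrypt(secondPassword, dekCipher)
	if err != nil {
		return nil, err
	}
	defer zeroize(dek)
	return aesGCM(dek, encImage, false)
}
```

`createImage` returns exactly the pair that step S04 places in the storage pool, and `readImage` takes that pair plus the second password; a wrong second password yields `ErrBadPassword` and never a DEK plaintext, and a modified encrypted image fails authentication instead of decrypting to garbage. Two points the steps leave implicit: wrapping the DEK needs only Rsa_pub, so S022 can run outside the TPM as the description allows, and the wiping in S05/S10 is best effort in a garbage-collected language, since copies of the slice may survive elsewhere in memory.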
Example two
Referring to fig. 2 on the basis of the embodiment shown in fig. 1, fig. 2 is a schematic structural diagram of a system for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure. As can be seen from fig. 2, the system of the present embodiment mainly includes two parts: a key management module and a virtual machine image module. The key management module is used for adding a first password when the virtual machine image file is created, creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and sending the DEK plaintext and the DEK ciphertext to the virtual machine image module, wherein the first password is a password set by a tenant. The virtual machine image module is used for encrypting the virtual machine image file by using the DEK plaintext to obtain the encrypted virtual machine image file, and simultaneously storing the DEK ciphertext and the encrypted virtual machine image file in the storage pool. The virtual machine image module is further configured to, when reading the encrypted virtual machine image file, obtain a second password and a DEK ciphertext and simultaneously send the second password and the DEK ciphertext to the key management module, wherein the second password is a password input by a current tenant. The key management module is further used for judging whether the second password is the same as the first password, calling the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password, and sending the DEK plaintext to the virtual machine image module. The virtual machine image module is further used for decrypting the virtual machine image file by using the DEK plaintext.
Further, the key management module comprises a password adding unit, a key creating unit, a first sending unit, a judging unit and a DEK plaintext obtaining unit. The password adding unit is used for adding a first password when a virtual machine image file is created, wherein the first password is a password set by a tenant; the key creating unit is used for creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password; the first sending unit is used for sending the DEK plaintext and the DEK ciphertext to the virtual machine image module; the judging unit is used for judging whether the second password is the same as the first password, wherein the second password is a password input by the current tenant; the DEK plaintext obtaining unit is used for calling the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password; and the first sending unit is further used for sending the DEK plaintext to the virtual machine image module after the DEK plaintext is obtained according to the DEK ciphertext.
The key creating unit further comprises a DEK plaintext and RSA public and private key pair creating subunit and a DEK ciphertext creating subunit. The DEK plaintext and RSA public and private key pair creating subunit is used for creating the DEK plaintext and the RSA public and private key pair based on the trusted platform module according to the first password; the DEK ciphertext creating subunit is used for encrypting the DEK plaintext by using the RSA public and private key pair to obtain the DEK ciphertext. After the DEK plaintext and the RSA key pair have been created by the creating subunit, the RSA public key may be saved outside the TPM chip, for example on a disk of the key management module.
The virtual machine image module comprises an encryption unit, a storage unit, an obtaining unit, a second sending unit and a decryption unit. The encryption unit is used for encrypting the virtual machine image file by using the DEK plaintext to obtain the encrypted virtual machine image file; the storage unit is used for simultaneously storing the DEK ciphertext and the encrypted virtual machine image file to the storage pool; the obtaining unit is used for obtaining a second password and a DEK ciphertext when reading the encrypted virtual machine image file; the second sending unit is used for sending the second password and the DEK ciphertext to the key management module at the same time; and the decryption unit is used for decrypting the virtual machine image file by using the DEK plaintext.
In this embodiment, the encryption unit adopts an AES encryption unit, and the decryption unit adopts an AES decryption unit.
Further, in this embodiment, the key management module is further provided with a first deletion unit, configured to delete the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file are simultaneously stored in the storage pool. The virtual machine image module also comprises a second deleting unit which is used for deleting the DEK plaintext after decrypting the virtual machine image file by using the DEK plaintext.
In this embodiment, the working principle and the working method of the system for protecting a virtual machine image in a cloud environment have been described in detail in the embodiment shown in fig. 1, and are not described herein again. Parts of this embodiment not described in detail can also refer to the embodiment shown in fig. 1, and the two embodiments can be referred to each other.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (8)
1. A method for protecting a virtual machine image in a cloud environment is characterized by comprising the following steps:
adding a first password when creating a virtual machine image file, wherein the first password is a password set by a tenant;
according to the first password, a DEK plaintext and a DEK ciphertext are created based on a trusted platform module;
encrypting the virtual machine image file by using the DEK plaintext to obtain an encrypted virtual machine image file;
storing the DEK ciphertext and the encrypted virtual machine image file to a storage pool at the same time;
when the encrypted virtual machine image file is read, a second password and a DEK ciphertext are obtained, wherein the second password is a password input by a current tenant;
judging whether the second password is the same as the first password or not;
if so, the trusted platform module acquires the DEK plaintext according to the DEK ciphertext;
decrypting the virtual machine image file by using the DEK plaintext;
the method for creating the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password comprises the following steps:
according to the first password, a DEK plaintext and an RSA public and private key pair are created based on a trusted platform module;
and encrypting the DEK plaintext by using the RSA public and private key pair to obtain a DEK ciphertext.
2. The method according to claim 1, wherein the trusted platform module is a TPM chip.
3. The method according to claim 1, wherein the method for encrypting the virtual machine image file is AES encryption, and the method for decrypting the virtual machine image file is AES decryption.
4. The method according to claim 1, wherein after decrypting the virtual machine image file using the DEK plaintext, the method further comprises:
the DEK plaintext is deleted.
5. A system for protecting a virtual machine image in a cloud environment, the system comprising:
the key management module is used for adding a first password when a virtual machine image file is created, creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and sending the DEK plaintext and the DEK ciphertext to the virtual machine image module, wherein the first password is a password set by a tenant;
the virtual machine image module is used for encrypting the virtual machine image file by utilizing the DEK plaintext to obtain an encrypted virtual machine image file, and simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the virtual machine image module is further configured to, when reading the encrypted virtual machine image file, obtain a second password and a DEK ciphertext, and simultaneously send the second password and the DEK ciphertext to the key management module, where the second password is a password input by a current tenant;
the key management module is further used for judging whether the second password is the same as the first password, calling the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password, and sending the DEK plaintext to the virtual machine image module;
the virtual machine image module is also used for decrypting a virtual machine image file by utilizing the DEK plaintext;
wherein the key management module comprises:
the password adding unit is used for adding a first password when the virtual machine image file is created, wherein the first password is a password set by a tenant; the key creating unit is used for creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and creating a DEK plaintext and an RSA (Rivest-Shamir-Adleman) public and private key pair based on the trusted platform module according to the first password; the DEK ciphertext acquisition unit is used for encrypting the DEK plaintext with the RSA public and private key pair to acquire the DEK ciphertext; the first sending unit is used for sending the DEK plaintext and the DEK ciphertext to the virtual machine image module; the judgment unit is used for judging whether a second password is the same as the first password, wherein the second password is a password input by the current tenant; the DEK plaintext acquisition unit is used for calling the trusted platform module to acquire the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password; the first sending unit is further used for sending the DEK plaintext to the virtual machine image module after the DEK plaintext is obtained according to the DEK ciphertext.
6. The system for protecting a virtual machine image in a cloud environment according to claim 5, wherein the virtual machine image module includes:
the encryption unit is used for encrypting the virtual machine image file by using the DEK plaintext to obtain the encrypted virtual machine image file;
the storage unit is used for simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the obtaining unit is used for obtaining a second password and a DEK ciphertext when the encrypted virtual machine image file is read;
the second sending unit is used for sending the second password and the DEK ciphertext to the key management module at the same time;
and the decryption unit is used for decrypting the virtual machine image file by using the DEK plaintext.
7. The system for protecting a virtual machine image in a cloud environment according to claim 6, wherein the encryption unit is an AES encryption unit, and the decryption unit is an AES decryption unit.
8. The system for protecting a virtual machine image in a cloud environment according to any one of claims 5 to 7, wherein the key management module further comprises: the first deleting unit is used for deleting the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file are simultaneously stored in the storage pool;
the virtual machine image module further comprises: and the second deleting unit is used for deleting the DEK plaintext after decrypting the virtual machine image file by using the DEK plaintext.
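The following is an added example, not code from the patent or its applicant (the page describes units and steps but no implementation). It walks through the create and read paths of claim 1 and the units of the description above in Go, using only the standard library. It assumes RSA-OAEP as the concrete operation for "encrypting the DEK plaintext by using the RSA public and private key pair", AES-256-GCM as the AES mode (so tampering with the stored image is also detected, which goes beyond the claims), an in-process RSA key standing in for the key pair the TPM would hold, and a SHA-256 hash of the first password in place of whatever form the key management module stores it in; the names KeyManagementModule, CreateDEK, RecoverDEK, StoredImage, CreateImage and ReadImage are the example's own, and the image bytes are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// KeyManagementModule plays the patent's key management module. tpmKey stands in for the RSA
// key pair the trusted platform module creates (in a real deployment the private half never
// leaves the chip); firstPwd holds a hash of the tenant's first password, this example's choice.
type KeyManagementModule struct {
	tpmKey   *rsa.PrivateKey
	firstPwd [32]byte
}

// NewKeyManagementModule records the first password and creates the wrapping key pair.
func NewKeyManagementModule(firstPassword string) (*KeyManagementModule, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyManagementModule{tpmKey: key, firstPwd: sha256.Sum256([]byte(firstPassword))}, nil
}

// CreateDEK returns a fresh 256-bit DEK plaintext and its RSA-OAEP wrapped DEK ciphertext.
func (k *KeyManagementModule) CreateDEK() ([]byte, []byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.tpmKey.PublicKey, dek, nil)
	return dek, wrapped, err
}

// RecoverDEK releases the DEK plaintext only when the second password matches the first.
func (k *KeyManagementModule) RecoverDEK(secondPassword string, dekCipher []byte) ([]byte, error) {
	got := sha256.Sum256([]byte(secondPassword))
	if subtle.ConstantTimeCompare(got[:], k.firstPwd[:]) != 1 {
		return nil, errors.New("second password does not match the first: DEK not released")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.tpmKey, dekCipher, nil) // the TPM's unwrap
}

// StoredImage is what the storage pool keeps: DEK ciphertext beside the AES-GCM encrypted image.
type StoredImage struct{ DEKCiphertext, EncryptedImage []byte } // EncryptedImage = nonce || ciphertext

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateImage encrypts with the DEK plaintext, stores both artefacts, then deletes the plaintext.
func CreateImage(kmm *KeyManagementModule, image []byte) (*StoredImage, error) {
	dek, dekCipher, err := kmm.CreateDEK()
	if err != nil {
		return nil, err
	}
	defer copy(dek, make([]byte, len(dek))) // first deleting unit: overwrite the DEK plaintext
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &StoredImage{dekCipher, gcm.Seal(nonce, nonce, image, nil)}, nil
}

// ReadImage recovers the DEK for the second password, decrypts, then deletes the plaintext.
func ReadImage(kmm *KeyManagementModule, s *StoredImage, secondPassword string) ([]byte, error) {
	dek, err := kmm.RecoverDEK(secondPassword, s.DEKCiphertext)
	if err != nil {
		return nil, err
	}
	defer copy(dek, make([]byte, len(dek))) // second deleting unit: overwrite the DEK plaintext
	gcm, err := newGCM(dek)
	if err != nil || len(s.EncryptedImage) < gcm.NonceSize() {
		return nil, errors.New("stored image cannot be decrypted") // GCM also rejects tampering
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, s.EncryptedImage[:ns], s.EncryptedImage[ns:], nil)
}
```

Two properties of the claimed scheme are visible in the code: the DEK plaintext exists only inside CreateImage and ReadImage and is overwritten when they return, so the storage pool never holds anything but the DEK ciphertext and the encrypted image; and the unwrap is reachable only through RecoverDEK, so a wrong second password stops at the comparison without touching the wrapping key. The overwrite is best effort, as a garbage-collected runtime may have copied the bytes elsewhere; the constant-time comparison and the hashed password are ordinary hardening choices that the claims neither require nor rule out.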
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910912822.XA CN110806919B (en) | 2019-09-25 | 2019-09-25 | Method and system for protecting virtual machine image in cloud environment |
PCT/CN2020/087164 WO2021057024A1 (en) | 2019-09-25 | 2020-04-27 | Method and system for protecting virtual machine image in cloud environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910912822.XA CN110806919B (en) | 2019-09-25 | 2019-09-25 | Method and system for protecting virtual machine image in cloud environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110806919A CN110806919A (en) | 2020-02-18 |
CN110806919B true CN110806919B (en) | 2021-11-02 |
Family
ID=69487744
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910912822.XA Active CN110806919B (en) | 2019-09-25 | 2019-09-25 | Method and system for protecting virtual machine image in cloud environment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110806919B (en) |
WO (1) | WO2021057024A1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110806919B (en) * | 2019-09-25 | 2021-11-02 | 苏州浪潮智能科技有限公司 | Method and system for protecting virtual machine image in cloud environment |
CN111741068B (en) * | 2020-05-20 | 2022-03-18 | 中国电子科技网络信息安全有限公司 | Data encryption key transmission method |
CN112052446A (en) * | 2020-09-14 | 2020-12-08 | 北京数字认证股份有限公司 | Password unit creation method, data processing method and device and electronic equipment |
WO2022088194A1 (en) * | 2020-11-02 | 2022-05-05 | 华为技术有限公司 | Security processing apparatus, security processing method, and related device |
CN113703927B (en) * | 2021-10-29 | 2022-02-11 | 杭州链城数字科技有限公司 | Data processing method, privacy computing system, electronic device, and storage medium |
CN114296873B (en) * | 2021-12-24 | 2023-03-24 | 海光信息技术股份有限公司 | Virtual machine image protection method, related device, chip and electronic equipment |
CN116842529A (en) * | 2023-07-13 | 2023-10-03 | 海光信息技术股份有限公司 | Software file, software running method and related devices thereof |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102088367A (en) * | 2010-12-10 | 2011-06-08 | 北京世纪互联工程技术服务有限公司 | Method for quickly deploying in virtualization environment |
CN102624522A (en) * | 2012-03-30 | 2012-08-01 | 华中科技大学 | Key encryption method based on file attribution |
CN107169373A (en) * | 2017-05-11 | 2017-09-15 | 山东超越数控电子有限公司 | A kind of virtual machine image file guard method and system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103138939B (en) * | 2013-03-28 | 2015-09-16 | 武汉大学 | Based on the key access times management method of credible platform module under cloud memory module |
JP2015171128A (en) * | 2014-03-11 | 2015-09-28 | 富士通株式会社 | Packet acquisition method, packet acquisition device, and packet acquisition program |
CN110806919B (en) * | 2019-09-25 | 2021-11-02 | 苏州浪潮智能科技有限公司 | Method and system for protecting virtual machine image in cloud environment |
- 2019-09-25 CN CN201910912822.XA patent/CN110806919B/en active Active
- 2020-04-27 WO PCT/CN2020/087164 patent/WO2021057024A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN110806919A (en) | 2020-02-18 |
WO2021057024A1 (en) | 2021-04-01 |
Similar Documents
Publication | Title |
---|---|
CN110806919B (en) | Method and system for protecting virtual machine image in cloud environment |
US9954680B1 (en) | Secure management of a master encryption key in a split-key based distributed computing environment |
CN109858265B (en) | Encryption method, device and related equipment |
US7639819B2 (en) | Method and apparatus for using an external security device to secure data in a database |
US9619667B2 (en) | Methods, systems and computer program product for providing encryption on a plurality of devices |
WO2019105290A1 (en) | Data processing method, and application method and apparatus of trusted user interface resource data |
CN107506659B (en) | Data protection system and method of general database based on SGX |
US9413754B2 (en) | Authenticator device facilitating file security |
US7318235B2 (en) | Attestation using both fixed token and portable token |
CN104618096B (en) | Protect method, equipment and the TPM key administrative center of key authorization data |
WO2021164166A1 (en) | Service data protection method, apparatus and device, and readable storage medium |
US10397216B2 (en) | Systems and methods for performing secure backup operations |
US8181028B1 (en) | Method for secure system shutdown |
US20040117318A1 (en) | Portable token controlling trusted environment launch |
JP2020508619A (en) | Data backup method and data backup device, storage medium, and server |
CN106992851B (en) | TrustZone-based database file password encryption and decryption method and device and terminal equipment |
US9529733B1 (en) | Systems and methods for securely accessing encrypted data stores |
CN109525388B (en) | Combined encryption method and system with separated keys |
CN104468562A (en) | Portable transparent data safety protection terminal oriented to mobile applications |
EP4064084A1 (en) | Password management method and related device |
Elrabaa et al. | Secure computing enclaves using FPGAs |
US9270649B1 (en) | Secure software authenticator data transfer between processing devices |
US20230058046A1 (en) | Apparatus and Method for Protecting Shared Objects |
KR20160146623A (en) | A Method for securing contents in mobile environment, Recording medium for storing the method, and Security sytem for mobile terminal |
TWI790745B (en) | Data backup carrier and backup system having the same |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |