CN110806919B - Method and system for protecting virtual machine image in cloud environment - Google Patents

Info

Publication number: CN110806919B
Application number: CN201910912822.XA
Authority: CN (China)
Prior art keywords: dek, virtual machine, password, machine image, plaintext
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN110806919A (en)
Inventors: 刘海伟, 吴保锡
Current Assignee: Suzhou Inspur Intelligent Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Suzhou Inspur Intelligent Technology Co Ltd

Events
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN201910912822.XA
Publication of CN110806919A
Priority to PCT/CN2020/087164 (WO2021057024A1)
Application granted
Publication of CN110806919B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method and a system for protecting a virtual machine image in a cloud environment, wherein the method comprises the following steps: adding a first password when creating a virtual machine image file; creating a DEK plaintext and a DEK ciphertext according to the first password; encrypting the virtual machine image file by using the DEK plaintext; simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool; when the encrypted virtual machine image file is read, a second password and a DEK ciphertext are obtained; judging whether the second password is the same as the first password or not; if so, the trusted platform module acquires the DEK plaintext according to the DEK ciphertext; and decrypting the virtual machine image file by using the DEK plaintext. The system comprises a key management module and a virtual machine mirror module. Through the method and the device, the data security level of the virtual data center can be improved, and the data security is effectively improved.

Description

Method and system for protecting virtual machine image in cloud environment
Technical Field
The application relates to the technical field of computer security, in particular to a method and a system for protecting a virtual machine image in a cloud environment.
Background
With the development of cloud computing and big data, more and more enterprises and scientific research institutions use cloud computing technology to deploy virtual data centers, which are flexible to deploy and save cost. However, how to improve data security compared with a conventional data center is an important issue for the virtual data center. In particular, for virtual machine images in a cloud environment, operations such as backup provided by virtualization management software can easily spread sensitive data, certificates and other information, causing a data security problem.
Currently, cloud computing vendors generally store virtual machine images with a single shared encryption scheme: in a cloud environment, all virtual machine disk images use one encryption and decryption key, that is, the encryption keys of tenant A and tenant B are the same.
However, because one encryption and decryption key is shared under this scheme, the confidentiality of a tenant's virtual machine image cannot be guaranteed when there is an internal threat from the cloud computing vendor or a cloud administrator, that is, the security of the data center is not high enough.
Disclosure of Invention
The application provides a method and a system for protecting a virtual machine image in a cloud environment, which aim to solve the problem that the data security of a data center is not high enough in the prior art by using the method for protecting the virtual machine image in the cloud environment.
In order to solve the technical problem, the embodiment of the application discloses the following technical scheme:
a method for protecting a virtual machine image in a cloud environment, the method comprising:
adding a first password when creating a virtual machine image file, wherein the first password is a password set by a tenant;
according to the first password, a DEK (Data Encryption Key) plaintext and a DEK ciphertext are created based on a trusted platform module;
encrypting the virtual machine image file by using the DEK plaintext to obtain an encrypted virtual machine image file;
storing the DEK ciphertext and the encrypted virtual machine image file to a storage pool at the same time;
when the encrypted virtual machine image file is read, a second password and a DEK ciphertext are obtained, wherein the second password is a password input by a current tenant;
judging whether the second password is the same as the first password or not;
if so, the trusted platform module acquires the DEK plaintext according to the DEK ciphertext;
and decrypting the virtual machine image file by using the DEK plaintext.
Optionally, the method for creating the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password includes:
according to the first password, a DEK plaintext and an RSA public and private key pair are created based on a trusted platform module;
and encrypting the DEK plaintext by using the RSA public and private key pair to obtain a DEK ciphertext.
Optionally, the trusted platform module is a TPM chip.
Optionally, the method for encrypting the virtual machine image file is AES encryption, and the method for decrypting the virtual machine image file is AES decryption.
Optionally, after the DEK ciphertext and the encrypted virtual machine image file are stored in a storage pool at the same time, and after the virtual machine image file is decrypted by using the DEK plaintext, the method further includes:
the DEK plaintext is deleted.
A system for protecting virtual machine images in a cloud environment, the system comprising:
the key management module is used for adding a first password when a virtual machine image file is created, creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and sending the DEK plaintext and the DEK ciphertext to the virtual machine image module, wherein the first password is a password set by a tenant;
the virtual machine image module is used for encrypting the virtual machine image file by utilizing the DEK plaintext to obtain an encrypted virtual machine image file, and simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the virtual machine image module is further configured to obtain a second password and a DEK ciphertext when reading the encrypted virtual machine image file, and to send the second password and the DEK ciphertext to the key management module at the same time, where the second password is a password input by a current tenant;
the key management module is further used for judging whether the second password is the same as the first password, calling the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password, and sending the DEK plaintext to the virtual machine image module;
and the virtual machine image module is also used for decrypting the virtual machine image file by utilizing the DEK plaintext.
Optionally, the key management module includes:
the password adding unit is used for adding a first password when the virtual machine image file is created, wherein the first password is a password set by a tenant;
the key creating unit is used for creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password;
the first sending unit is used for sending the DEK plaintext and the DEK ciphertext to the virtual machine image module;
the judgment unit is used for judging whether a second password is the same as the first password, wherein the second password is a password input by the current tenant;
the DEK plaintext acquisition unit is used for calling the trusted platform module to acquire the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password;
the first sending unit is further used for sending the DEK plaintext to the virtual machine image module after the DEK plaintext has been obtained according to the DEK ciphertext.
Optionally, the virtual machine image module includes:
the encryption unit is used for encrypting the virtual machine image file by using the DEK plaintext to obtain the encrypted virtual machine image file;
the storage unit is used for simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the obtaining unit is used for obtaining a second password and a DEK ciphertext when the encrypted virtual machine image file is read;
the second sending unit is used for sending the second password and the DEK ciphertext to the key management module at the same time;
and the decryption unit is used for decrypting the virtual machine image file by using the DEK plaintext.
Optionally, the encryption unit is an AES encryption unit, and the decryption unit is an AES decryption unit.
Optionally, the key management module further includes: the first deleting unit is used for deleting the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file are simultaneously stored in the storage pool;
the virtual machine image module further comprises: and the second deleting unit is used for deleting the DEK plaintext after decrypting the virtual machine image file by using the DEK plaintext.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
the method adopts corresponding steps to improve data security both when a virtual machine image file is created and when it is read. When the file is created, a first password is added first; then a DEK plaintext and a DEK ciphertext are created based on a trusted platform module according to the first password; the virtual machine image file is then encrypted with the DEK plaintext; and finally the DEK ciphertext and the encrypted virtual machine image file are stored to a storage pool. When the encrypted virtual machine image file is read, a second password and the DEK ciphertext are obtained first; it is then judged whether the second password is the same as the first password; when they are the same, the trusted platform module obtains the DEK plaintext according to the DEK ciphertext; and the DEK plaintext is then used to decrypt the virtual machine image file. In this embodiment, the first password set by the tenant is added when the virtual machine image file is created, so that when the image file is loaded, the content of the virtual machine disk image can be obtained only when the second password input by the current tenant is the same as the first password, rather than being obtainable from the DEK ciphertext alone. Setting the first password therefore greatly improves the security of the data center in the cloud environment.
In addition, in this embodiment, after the DEK ciphertext and the encrypted virtual machine image file have been stored in the storage pool at the same time, the DEK plaintext is deleted; and after the virtual machine image file has been decrypted with the DEK plaintext, the DEK plaintext is deleted again. Deleting the DEK plaintext promptly prevents data leakage and further improves data security in the data center.
The application also provides a system for protecting a virtual machine image in a cloud environment, which mainly comprises a key management module and a virtual machine image module. When the virtual machine image file is created, the key management module adds the first password, creates a DEK plaintext and a DEK ciphertext based on the trusted platform module, and sends the DEK plaintext and the DEK ciphertext to the virtual machine image module. The virtual machine image module encrypts the virtual machine image file with the DEK plaintext and stores the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time. When the virtual machine image file is read, the virtual machine image module obtains the DEK ciphertext and a second password input by the current tenant and sends both to the key management module at the same time; the key management module judges whether the second password is the same as the first password and, when it is, calls the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext and sends the DEK plaintext to the virtual machine image module. In this embodiment, by providing the key management module and the virtual machine image module, the first password can be added by the key management module when the virtual machine image file is created, the second password can be obtained by the virtual machine image module when the encrypted virtual machine image file is read, and the second password is compared with the first password, so that the confidentiality of virtual machine image data in the cloud environment, that is, the security of the data center data, is greatly improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a system for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For a better understanding of the present application, embodiments of the present application are explained in detail below with reference to the accompanying drawings.
Example one
Referring to fig. 1, fig. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure. As shown in fig. 1, the method for protecting a virtual machine image in a cloud environment in this embodiment mainly includes the following steps:
S01: when the virtual machine image file is created, a first password is added, wherein the first password is a password set by a tenant.
In the embodiment, the first password set in advance by the tenant is added when the virtual machine image file is created, and when the virtual machine image file is loaded, the content of the virtual machine disk image can be acquired only when the second password input by the current tenant is the same as the first password, instead of acquiring the content of the virtual machine image only through the DEK ciphertext. Therefore, the confidentiality of the virtual machine mirror image in the cloud environment can be greatly improved by setting the first password, and the data security of the data center is improved.
S02: and creating the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password.
In this embodiment, the DEK plaintext and the DEK ciphertext are used for virtual machine image encryption, and specifically, step S02 includes the following steps:
S021: according to the first password, a DEK plaintext and an RSA public and private key pair are created based on the trusted platform module;
S022: the DEK plaintext is encrypted by using the RSA public and private key pair to obtain the DEK ciphertext.
In this embodiment, the trusted platform module may be a TPM chip. According to steps S021 and S022, when the DEK plaintext and the DEK ciphertext are created based on the trusted platform module, the TPM2_GetRandom command of the TPM chip is first called to generate a random number that serves as the DEK plaintext; then, according to the first password input by the tenant, the TPM2_Create command of the TPM chip is called to create an RSA public and private key pair, namely Rsa_pri and Rsa_pub, where Rsa_pub is the public key and can be stored outside the TPM chip; finally, the TPM chip command TPM2_RSA_Encrypt is called to encrypt the DEK plaintext and obtain the DEK ciphertext.
With continued reference to fig. 1, step S03 is performed after the DEK plain text and the DEK cipher text are created: and encrypting the virtual machine image file by utilizing the DEK plaintext to obtain the encrypted virtual machine image file.
In this embodiment, the method for encrypting the virtual machine image file by using the DEK plaintext is AES encryption. Namely: and performing AES encryption on the created virtual machine image file by using the DEK plaintext as an AES key through an AES encryption method to obtain the encrypted virtual machine image file.
After the encrypted virtual machine image file is acquired, step S04 is executed: and simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool.
The storage pool in this embodiment refers to a storage pool in a cloud environment, and is used for storing a virtual machine image file.
Through the above steps S01-S04, after the creation of the virtual machine image file is completed, step S06 is executed: and when the encrypted virtual machine image file is read, acquiring a second password and a DEK ciphertext, wherein the second password is a password input by the current tenant.
S07: and judging whether the second password is the same as the first password.
If the second password is the same as the first password, go to step S08: and the trusted platform module acquires the DEK plaintext according to the DEK ciphertext.
If the second password is different from the first password, it indicates that the second password currently input by the tenant is incorrect, and the process returns to step S06 to obtain the second password again.
S09: and decrypting the virtual machine image file by using the DEK plaintext.
Corresponding to step S03, the method for decrypting the virtual machine image file in the present embodiment is AES decryption. The specific AES decryption method is a method in the prior art, and is not described herein again.
As can be seen from the above steps S06-S09, when the virtual machine image file is loaded, the DEK ciphertext matched with the virtual machine image file and the second password input by the current tenant are first obtained; then the TPM2_RSA_Decrypt command of the TPM chip is called to decrypt the DEK ciphertext according to the second password input by the current tenant; when the second password is the same as the first password, the second password input by the current tenant is judged to be correct and the DEK ciphertext is decrypted to obtain the DEK plaintext; and the virtual machine image file is AES-decrypted with the DEK plaintext obtained in this way, finally yielding the virtual machine image plaintext.
Further, in the present embodiment, after the step S04, the method further includes a step S05: the DEK plaintext is deleted. After the step S09, a step S10 is further included: the DEK plaintext is deleted.
Through the steps of S05 and S10, malicious administrators can be effectively prevented from illegally snooping sensitive data of tenants in a public cloud or mixed cloud environment, and the confidentiality of virtual machine image files in the cloud environment is protected, so that the data security level of the virtual data center is effectively improved, and the data security of the data center is greatly improved.
In summary, in the method for protecting a virtual machine image in a cloud environment in this embodiment, confidentiality of the virtual machine image file is enhanced mainly from a stage of creating the virtual machine image file and a stage of reading the virtual machine image file. The data security level of the virtual data center is improved by adding the first password in the stage of creating the virtual machine image file and judging the consistency of the second password input by the current tenant and the first password in the stage of reading the encrypted virtual machine image file.
Example two
Referring to fig. 2 on the basis of the embodiment shown in fig. 1, fig. 2 is a schematic structural diagram of a system for protecting a virtual machine image in a cloud environment according to an embodiment of the present disclosure. As can be seen from fig. 2, the system of the present embodiment mainly includes two parts: a key management module and a virtual machine image module. The key management module is used for adding a first password when the virtual machine image file is created, creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and sending the DEK plaintext and the DEK ciphertext to the virtual machine image module, wherein the first password is a password set by a tenant. The virtual machine image module is used for encrypting the virtual machine image file by utilizing the DEK plaintext to obtain the encrypted virtual machine image file, and for storing the DEK ciphertext and the encrypted virtual machine image file into the storage pool at the same time. The virtual machine image module is further configured to obtain a second password and a DEK ciphertext when reading the encrypted virtual machine image file, and to send the second password and the DEK ciphertext to the key management module at the same time, where the second password is a password input by a current tenant. The key management module is also used for judging whether the second password is the same as the first password, calling the trusted platform module to acquire the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password, and sending the DEK plaintext to the virtual machine image module. The virtual machine image module is also used for decrypting the virtual machine image file by utilizing the DEK plaintext.
Further, the key management module comprises a password adding unit, a key creating unit, a first sending unit, a judging unit and a DEK plaintext obtaining unit. The password adding unit is used for adding a first password when a virtual machine image file is created, wherein the first password is a password set by a tenant; the key creating unit is used for creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password; the first sending unit is used for sending the DEK plaintext and the DEK ciphertext to the virtual machine image module; the judging unit is used for judging whether the second password is the same as the first password, wherein the second password is a password input by the current tenant; the DEK plaintext obtaining unit is used for calling the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password; and the first sending unit is further used for sending the DEK plaintext to the virtual machine image module after the DEK plaintext has been obtained according to the DEK ciphertext.
The key creating unit further comprises a DEK plaintext and RSA key pair creating subunit and a DEK ciphertext creating subunit. The DEK plaintext and RSA key pair creating subunit is used for creating the DEK plaintext and the RSA public and private key pair based on the trusted platform module according to the first password; the DEK ciphertext creating subunit is used for encrypting the DEK plaintext by using the RSA public and private key pair to obtain the DEK ciphertext. After the RSA key pair and the DEK plaintext have been created by the DEK plaintext and RSA key pair creating subunit, the RSA public key can be saved outside the TPM chip, for example on a disk of the key management module.
The virtual machine image module comprises: the device comprises an encryption unit, a storage unit, an acquisition unit, a second transmission unit and a decryption unit. The encryption unit is used for encrypting the virtual machine image file by utilizing the DEK plaintext to obtain the encrypted virtual machine image file; the storage unit is used for simultaneously storing the DEK ciphertext and the encrypted virtual machine image file to the storage pool; the obtaining unit is used for obtaining a second password and a DEK ciphertext when reading the encrypted virtual machine image file; the second sending unit is used for sending the second password and the DEK ciphertext to the key management module at the same time; the decryption unit is used for decrypting the virtual machine image file by using the DEK plaintext.
In this embodiment, the encryption unit adopts an AES encryption unit, and the decryption unit adopts an AES decryption unit.
Further, in this embodiment, the key management module is further provided with a first deletion unit, configured to delete the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file are simultaneously stored in the storage pool. The virtual machine image module also comprises a second deleting unit which is used for deleting the DEK plaintext after decrypting the virtual machine image file by using the DEK plaintext.
In this embodiment, the working principle and the working method of the system for protecting a virtual machine image in a cloud environment have been described in detail in the embodiment shown in fig. 1, and are not described herein again. Parts of this embodiment not described in detail can also refer to the embodiment shown in fig. 1, and the two embodiments can be referred to each other.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A method for protecting a virtual machine image in a cloud environment is characterized by comprising the following steps:
adding a first password when creating a virtual machine image file, wherein the first password is a password set by a tenant;
according to the first password, a DEK plaintext and a DEK ciphertext are created based on a trusted platform module;
encrypting the virtual machine image file by using the DEK plaintext to obtain an encrypted virtual machine image file;
storing the DEK ciphertext and the encrypted virtual machine image file to a storage pool at the same time;
when the encrypted virtual machine image file is read, a second password and a DEK ciphertext are obtained, wherein the second password is a password input by a current tenant;
judging whether the second password is the same as the first password or not;
if so, the trusted platform module acquires the DEK plaintext according to the DEK ciphertext;
decrypting the virtual machine image file by using the DEK plaintext;
the method for creating the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password comprises the following steps:
according to the first password, a DEK plaintext and RSA public and private key pair is created based on a trusted platform module;
and encrypting the DEK plaintext by using the RSA public and private key pair to obtain a DEK ciphertext.
2. The method according to claim 1, wherein the trusted platform module is a TPM chip.
3. The method according to claim 1, wherein the method for encrypting the virtual machine image file is AES encryption, and the method for decrypting the virtual machine image file is AES decryption.
4. The method according to claim 1, wherein after decrypting the virtual machine image file using the DEK plaintext, the method further comprises:
the DEK plaintext is deleted.
5. A system for protecting a virtual machine image in a cloud environment, the system comprising:
the key management module is used for adding a first password when a virtual machine image file is created, creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and sending the DEK plaintext and the DEK ciphertext to the virtual machine image module, wherein the first password is a password set by a tenant;
the virtual machine image module is used for encrypting the virtual machine image file by utilizing the DEK plaintext to obtain an encrypted virtual machine image file, and simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the virtual machine image module is further configured to, when reading the encrypted virtual machine image file, obtain a second password and a DEK ciphertext, and simultaneously send the second password and the DEK ciphertext to the key management module, where the second password is a password input by a current tenant;
the key management module is further used for judging whether the second password is the same as the first password, calling the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password, and sending the DEK plaintext to the virtual machine image module;
the virtual machine image module is also used for decrypting a virtual machine image file by utilizing the DEK plaintext;
wherein the key management module comprises:
the password adding unit is used for adding a first password when the virtual machine image file is created, wherein the first password is a password set by a tenant; the key creating unit is used for creating a DEK plaintext and a DEK ciphertext based on the trusted platform module according to the first password, and creating a DEK plaintext and RSA public and private key pair based on the trusted platform module according to the first password; the DEK ciphertext acquisition unit is used for encrypting the DEK plaintext by using the RSA public and private key pair to acquire the DEK ciphertext; the first sending unit is used for sending the DEK plaintext and the DEK ciphertext to the virtual machine image module; the judgment unit is used for judging whether a second password is the same as the first password, wherein the second password is a password input by the current tenant; the DEK plaintext acquisition unit is used for calling the trusted platform module to acquire the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password; the first sending unit is further used for sending the DEK plaintext to the virtual machine image module after the DEK plaintext is obtained according to the DEK ciphertext.
6. The system for protecting a virtual machine image in a cloud environment according to claim 5, wherein the virtual machine image module includes:
the encryption unit is used for encrypting the virtual machine image file by using the DEK plaintext to obtain the encrypted virtual machine image file;
the storage unit is used for simultaneously storing the DEK ciphertext and the encrypted virtual machine image file into a storage pool;
the obtaining unit is used for obtaining a second password and a DEK ciphertext when the encrypted virtual machine image file is read;
the second sending unit is used for sending the second password and the DEK ciphertext to the key management module at the same time;
and the decryption unit is used for decrypting the virtual machine image file by using the DEK plaintext.
7. The system for protecting a virtual machine image in a cloud environment according to claim 6, wherein the encryption unit is an AES encryption unit, and the decryption unit is an AES decryption unit.
8. The system for protecting a virtual machine image in a cloud environment according to any one of claims 5 to 7, wherein the key management module further comprises: the first deleting unit is used for deleting the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file are simultaneously stored in the storage pool;
the virtual machine image module further comprises: and the second deleting unit is used for deleting the DEK plaintext after decrypting the virtual machine image file by using the DEK plaintext.
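The key flow that the system embodiment above and claim 1 describe, as an added Go example; it is not code from the patent or from any Inspur product. A small in-process struct stands in for the TPM chip (hypothetical: a real deployment would use TPM2 sealed objects), the key manager stores the first password as a SHA-256 hash and compares it to the second password in constant time, the DEK is wrapped with RSA-OAEP under the key pair's public key and unwrapped only inside the TPM stand-in, the image is encrypted with AES-256-GCM (an authenticated AES mode; the patent only says AES), and the DEK plaintext is zeroized by both modules as soon as it is no longer needed. All type and function names, the OAEP and GCM choices, the 2048-bit key size and the sample image bytes are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SimTPM is a constructed stand-in for the TPM chip: the RSA private key never leaves it.
type SimTPM struct{ priv *rsa.PrivateKey }
// UnwrapDEK turns a DEK ciphertext back into DEK plaintext with the private key (RSA-OAEP).
func (t *SimTPM) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, wrapped, nil)
}

// KeyManager plays the key management module: it keeps the first password as a SHA-256
// hash and asks the TPM to unwrap only when the second password matches it.
type KeyManager struct {
	tpm      *SimTPM
	authHash [32]byte
}
// NewKeyManager is the "add first password" step; the RSA pair is created in the TPM here.
func NewKeyManager(firstPassword string) (*KeyManager, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &KeyManager{tpm: &SimTPM{priv: priv}, authHash: sha256.Sum256([]byte(firstPassword))}, err
}

// CreateDEK returns a fresh 256-bit DEK plaintext and its ciphertext under the RSA public key.
func (k *KeyManager) CreateDEK() (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	rand.Read(dek) // crypto/rand.Read always fills the whole slice
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.tpm.priv.PublicKey, dek, nil)
	return dek, wrapped, err
}

// GetDEKPlaintext is the judgement unit plus the DEK plaintext acquisition unit.
func (k *KeyManager) GetDEKPlaintext(second string, wrapped []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(second))
	if subtle.ConstantTimeCompare(h[:], k.authHash[:]) != 1 {
		return nil, errors.New("second password does not match the first password")
	}
	return k.tpm.UnwrapDEK(wrapped)
}

// StoredImage is what the storage pool holds: the DEK ciphertext beside the encrypted image.
type StoredImage struct{ DEKCiphertext, Nonce, Ciphertext []byte }
func aesGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // AES-256 for a 32-byte DEK
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Zeroize is the deletion unit: the DEK plaintext is wiped once a module is done with it.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
// ProtectImage is the creation path: create DEK, encrypt, store DEK ciphertext with the image, wipe DEK.
func ProtectImage(km *KeyManager, image []byte) (*StoredImage, error) {
	dek, wrapped, err := km.CreateDEK()
	if err != nil {
		return nil, err
	}
	defer Zeroize(dek)
	gcm, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return &StoredImage{wrapped, nonce, gcm.Seal(nil, nonce, image, nil)}, nil
}
// ReadImage is the read path: second password and DEK ciphertext go to the key manager,
// the DEK plaintext it returns decrypts the image and is then deleted.
func ReadImage(km *KeyManager, s *StoredImage, second string) ([]byte, error) {
	dek, err := km.GetDEKPlaintext(second, s.DEKCiphertext)
	if err != nil {
		return nil, err
	}
	defer Zeroize(dek)
	gcm, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	km, _ := NewKeyManager("tenant-secret")
	stored, _ := ProtectImage(km, []byte("constructed qcow2 image bytes"))
	_, err := ReadImage(km, stored, "wrong-password")
	fmt.Println("wrong second password:", err)
}
```

The points worth checking when reading it are that a wrong second password never reaches `UnwrapDEK`, that a modified ciphertext fails GCM authentication rather than decrypting to garbage (plain AES as the claims state would not give that), and that the DEK plaintext is held only between `CreateDEK`/`GetDEKPlaintext` and the deferred `Zeroize`, which is the role of the two deleting units.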

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910912822.XA CN110806919B (en) 2019-09-25 2019-09-25 Method and system for protecting virtual machine image in cloud environment
PCT/CN2020/087164 WO2021057024A1 (en) 2019-09-25 2020-04-27 Method and system for protecting virtual machine image in cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910912822.XA CN110806919B (en) 2019-09-25 2019-09-25 Method and system for protecting virtual machine image in cloud environment

Publications (2)

Publication Number Publication Date
CN110806919A CN110806919A (en) 2020-02-18
CN110806919B true CN110806919B (en) 2021-11-02

Family

ID=69487744

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910912822.XA Active CN110806919B (en) 2019-09-25 2019-09-25 Method and system for protecting virtual machine image in cloud environment

Country Status (2)

Country Link
CN (1) CN110806919B (en)
WO (1) WO2021057024A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110806919B (en) * 2019-09-25 2021-11-02 苏州浪潮智能科技有限公司 Method and system for protecting virtual machine image in cloud environment
CN111741068B (en) * 2020-05-20 2022-03-18 中国电子科技网络信息安全有限公司 Data encryption key transmission method
CN112052446A (en) * 2020-09-14 2020-12-08 北京数字认证股份有限公司 Password unit creation method, data processing method and device and electronic equipment
WO2022088194A1 (en) * 2020-11-02 2022-05-05 华为技术有限公司 Security processing apparatus, security processing method, and related device
CN113703927B (en) * 2021-10-29 2022-02-11 杭州链城数字科技有限公司 Data processing method, privacy computing system, electronic device, and storage medium
CN114296873B (en) * 2021-12-24 2023-03-24 海光信息技术股份有限公司 Virtual machine image protection method, related device, chip and electronic equipment
CN116842529A (en) * 2023-07-13 2023-10-03 海光信息技术股份有限公司 Software file, software running method and related devices thereof

Citations (3)

Publication number Priority date Publication date Assignee Title
CN102088367A (en) * 2010-12-10 2011-06-08 北京世纪互联工程技术服务有限公司 Method for quickly deploying in virtualization environment
CN102624522A (en) * 2012-03-30 2012-08-01 华中科技大学 Key encryption method based on file attribution
CN107169373A (en) * 2017-05-11 2017-09-15 山东超越数控电子有限公司 A kind of virtual machine image file guard method and system

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN103138939B (en) * 2013-03-28 2015-09-16 武汉大学 Based on the key access times management method of credible platform module under cloud memory module
JP2015171128A (en) * 2014-03-11 2015-09-28 富士通株式会社 Packet acquisition method, packet acquisition device, and packet acquisition program
CN110806919B (en) * 2019-09-25 2021-11-02 苏州浪潮智能科技有限公司 Method and system for protecting virtual machine image in cloud environment

Also Published As

Publication number Publication date
CN110806919A (en) 2020-02-18
WO2021057024A1 (en) 2021-04-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant