CN113220415B - Kata container-oriented persistent data protection method and device (Google Patents record)
- Publication number: CN113220415B (application CN202110449233.XA)
- Authority: CN (China)
- Prior art keywords: container, kata, service data, file, data file
- Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation; G06F9/45533 Hypervisors; virtual machine monitors)
- G06F2009/45562 Creating, deleting, cloning virtual machine instances
- G06F2009/45575 Starting, stopping, suspending or resuming virtual machine instances
- G06F2009/45587 Isolation or security of virtual machine instances
- G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data)
- Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a kata container-oriented persistent data protection method and device. When a kata container starts, it checks the service data in its service data file to ensure that the stored service data is encrypted. When a service data file is read inside the kata container, the container sends the file to be read to a decryption module in the corresponding virtual machine kernel, which decrypts it. When service data generated inside the kata container is to be written to local storage, the container sends the data to be written to the encryption module in the corresponding virtual machine kernel, which encrypts it, and the container then writes the encrypted service data to the local service data file. The invention achieves transparent encryption and decryption of service data in the container, markedly improves the persistent protection of that data, and reduces the risk of service information leakage.
Description
Technical Field
The invention belongs to the technical field of container safety, and particularly relates to a kata container-oriented persistent data protection method and device.
Background
A kata container does not share the host's hardware resources or kernel: each kata container runs in its own virtual machine, which reduces host resource consumption and the risk of host kernel crashes. Because the containers are isolated by separate virtual machines, the security and isolation problems between containers are solved, and a kata container is therefore more secure than a traditional docker container.
Existing approaches can persist the service data of a kata container to local storage, but they leave the service data inside the container exposed to information leakage. If the locally stored service data is encrypted separately (outside the container), the kata container cannot decrypt and recognise the encrypted service data.
Disclosure of Invention
To address these problems, the invention provides a kata container-oriented persistent data protection method and device that achieve transparent encryption and decryption of service data in the container, markedly improve the persistent protection of that data, strengthen the security of container data and reduce the risk of service information leakage.
In order to achieve the technical purpose and achieve the technical effects, the invention is realized by the following technical scheme:
In a first aspect, the invention provides a kata container-oriented persistent data protection method comprising the following steps:
when the kata container starts, it checks whether the service data in the service data file is encrypted and, according to the result, performs the corresponding operation so that the service data in the file is encrypted data;
when a service data file is read inside the kata container, the container sends the file to be read to the decryption module in the corresponding virtual machine kernel, and the decryption module decrypts it;
when service data generated inside the kata container is to be written to local storage, the container sends the data to be written to the encryption module in the corresponding virtual machine kernel, the encryption module encrypts it, and finally the container writes the encrypted service data to the local service data file.
Optionally, the corresponding operation is performed according to the check result, so as to ensure that the service data information in the service data file is encrypted data, specifically:
if the check result is "unencrypted", the kata container sends the service data to the encryption module in the corresponding virtual machine kernel, which encrypts the data in the service data file; the container then receives and stores the encrypted service data.
Optionally, the encryption module and the decryption module both use the SM4 national cryptographic (Guomi) algorithm.
Optionally, before the kata container is started, the method further comprises:
the kata container receives from the user a configuration instruction for the type of service data file in the container and, according to that instruction, creates a separate configuration file in the kata configuration file directory; this configuration file specifies the path and file type of the files to be encrypted.
Optionally, after the kata container receives the service data file type configuration instruction from the user, the method further comprises:
the kata container receives from the user a designated host storage directory, which the host uses to store the service data of the kata container.
In a second aspect, the invention provides a kata container-oriented persistent data protection apparatus comprising a kata container together with an encryption module and a decryption module in the virtual machine kernel corresponding to that container;
when the kata container starts, it checks whether the service data in the service data file is encrypted and, according to the result, performs the corresponding operation so that the service data in the file is encrypted data;
when a service data file is read inside the kata container, the container sends the file to be read to the decryption module in the corresponding virtual machine kernel, and the decryption module decrypts it;
when service data generated inside the kata container is to be written to local storage, the container sends the data to be written to the encryption module in the corresponding virtual machine kernel, the encryption module encrypts it, and finally the container writes the encrypted service data to the local service data file.
Optionally, the corresponding operation is performed according to the check result to ensure that the service data information in the service data file is encrypted data, specifically:
if the check result is "unencrypted", the kata container sends the service data to the encryption module in the corresponding virtual machine kernel, which encrypts the data in the service data file; the container then receives and stores the encrypted service data.
Optionally, the encryption module and the decryption module both use the SM4 national cryptographic (Guomi) algorithm.
Optionally, the kata container receives from the user a configuration instruction for the type of service data file in the container and, according to that instruction, creates a configuration file in the kata configuration file directory; this configuration file specifies the path and file type of the files to be encrypted.
Optionally, the kata container receives from the user a designated host storage directory, which the host uses to store the service data of the kata container.
Compared with the prior art, the invention has the beneficial effects that:
in the invention, when the kata container starts, it checks whether the service data file is encrypted and, if it is not, encrypts the service data with the encryption module in the virtual machine kernel corresponding to the container. When the container reads the service data file, the data read is decrypted by the decryption module in that kernel. Before service data generated in the container is written to local storage, it is encrypted by the encryption module in that kernel. Encryption and decryption of service data are thus transparent to the container, while the local data as seen from outside the container is ciphertext.
Drawings
In order that the present disclosure may be more readily and clearly understood, reference is now made to the following detailed description of the present disclosure taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a schematic structural diagram of a kata container-oriented persistent data protection apparatus according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the encryption/decryption process according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the scope of the invention.
The following detailed description of the principles of the invention is provided in connection with the accompanying drawings.
Example 1
The embodiment of the invention provides a kata container-oriented persistent data protection method, which specifically comprises the following steps:
the kata container receives from the user a configuration instruction for the type of service data file in the container and, according to that instruction, creates a separate configuration file in the kata configuration file directory; this configuration file specifies the path and file type of the files to be encrypted;
the kata container receives from the user a designated host storage directory, which the host uses to store the service data of the kata container;
when the kata container starts, it checks whether the service data in the service data file is encrypted and, according to the result, performs the corresponding operation so that the service data in the file is encrypted data;
when a service data file is read inside the kata container, the container sends the file to be read to the decryption module in the corresponding virtual machine kernel, and the decryption module decrypts it;
when service data generated inside the kata container is to be written to local storage, the container sends the data to be written to the encryption module in the corresponding virtual machine kernel, the encryption module encrypts it, and finally the container writes the encrypted service data to the local service data file.
In the embodiment of the present invention, the corresponding operation performed according to the check result, to ensure that the service data in the service data file is encrypted data, is specifically:
if the check result is "unencrypted", the kata container sends the service data to the encryption module in the corresponding virtual machine kernel, which encrypts the data in the service data file; the container then receives and stores the encrypted service data.
The method of the present invention will be described in detail below with reference to a specific embodiment.
Step one: the user configures the encrypted file path and file type.
The user creates a separate configuration file in the kata configuration file directory that specifies the path and file type of the files to be encrypted.
Step two: a shared space in a designated host directory is created for the container, and the service data of the kata container is stored there.
Step three: the kata container and its corresponding virtual machine are started.
Step four: the container starts and checks whether the service data file is encrypted.
According to the file configured in step one, the kata container checks on startup whether the service data file is encrypted; if the service data is not encrypted, the content of the service data file is encrypted by the encryption module in the virtual machine kernel corresponding to the container.
Step five: when service data files are read or written in the container, the service data to be read or written is decrypted or encrypted respectively.
When a service data file is read in the container, the service data read is decrypted by the decryption module in the kernel of the virtual machine corresponding to the container. When service data generated in the container is written to local storage, it is first encrypted by the encryption module in that kernel and then written to local storage.
As shown in FIG. 2, encryption and decryption of service data in the kata container use the symmetric SM4 national cryptographic (Guomi) algorithm: service data being read is decrypted with SM4 in the virtual machine kernel corresponding to the container, and the decrypted service data is returned to the container. When the container writes service data to the data file, the service data to be written is encrypted with SM4 in that kernel, and the encrypted service data is then written to the local service data file for storage.
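The five steps above describe a transparent encryption layer between the container and the host-shared directory: a policy (path plus file types) decides which files are protected, a startup pass encrypts any protected file still stored in the clear, and every read or write of a protected file passes through the in-kernel crypto module. The following Go program is an added example written for this page, not code from the patent or from the Kata Containers project. It models the kernel module as an in-process type and uses AES-256-GCM from Go's standard library as a stand-in for SM4 (the patent names SM4 but not a mode); the `KATAENC1` header used to answer "is this file already encrypted?", the `EncryptionPolicy` shape, the in-memory `Store` and the demo key are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed marker that tags a stored file as already encrypted. The patent
// says the container checks whether the file is encrypted but not how; a fixed
// header bound into the AEAD as associated data is one way (assumption).
var encMagic = []byte("KATAENC1")

// EncryptionPolicy is the in-memory form of the user's configuration file
// (step one): the host-shared directory and the file types that must be encrypted.
type EncryptionPolicy struct {
	Dir   string   // host-shared directory holding the container's service data
	Types []string // file extensions to protect, e.g. ".db"
}

// Covers reports whether path lies inside Dir and has a protected file type.
func (p EncryptionPolicy) Covers(path string) bool {
	rel, err := filepath.Rel(p.Dir, path)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return false
	}
	ext := filepath.Ext(path)
	for _, t := range p.Types {
		if t == ext {
			return true
		}
	}
	return false
}

// KernelCrypto stands in for the encryption/decryption module in the guest VM
// kernel. AES-256-GCM replaces SM4 here only because it is in the standard library.
type KernelCrypto struct{ aead cipher.AEAD }

func NewKernelCrypto(key []byte) (*KernelCrypto, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KernelCrypto{aead: aead}, nil
}

// IsEncrypted is the startup check applied to a stored file's contents.
func IsEncrypted(data []byte) bool { return bytes.HasPrefix(data, encMagic) }

// Encrypt produces magic || nonce || ciphertext+tag, with the header as AAD.
func (k *KernelCrypto) Encrypt(plain []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, encMagic...), nonce...)
	return k.aead.Seal(out, nonce, plain, encMagic), nil
}

// Decrypt reverses Encrypt; files without the header or with a bad tag are rejected.
func (k *KernelCrypto) Decrypt(data []byte) ([]byte, error) {
	hdr := len(encMagic) + k.aead.NonceSize()
	if !IsEncrypted(data) || len(data) < hdr {
		return nil, errors.New("not an encrypted service data file")
	}
	return k.aead.Open(nil, data[len(encMagic):hdr], data[hdr:], encMagic)
}

// Store is an in-memory stand-in for the host-shared directory (step two).
type Store map[string][]byte

// EnsureEncrypted is the startup check (step four): every covered file that is
// still in the clear is encrypted in place. It returns how many were converted.
func EnsureEncrypted(store Store, pol EncryptionPolicy, k *KernelCrypto) (int, error) {
	converted := 0
	for path, data := range store {
		if !pol.Covers(path) || IsEncrypted(data) {
			continue
		}
		enc, err := k.Encrypt(data)
		if err != nil {
			return converted, err
		}
		store[path] = enc
		converted++
	}
	return converted, nil
}

// ReadFile is the transparent read path (step five): covered files are
// decrypted by the kernel module before the container sees them.
func ReadFile(store Store, pol EncryptionPolicy, k *KernelCrypto, path string) ([]byte, error) {
	data, ok := store[path]
	if !ok {
		return nil, fmt.Errorf("%s: no such file", path)
	}
	if !pol.Covers(path) {
		return data, nil
	}
	return k.Decrypt(data)
}

// WriteFile is the transparent write path (step five): covered files are
// encrypted before they reach the host-shared directory.
func WriteFile(store Store, pol EncryptionPolicy, k *KernelCrypto, path string, plain []byte) error {
	if !pol.Covers(path) {
		store[path] = plain
		return nil
	}
	enc, err := k.Encrypt(plain)
	if err != nil {
		return err
	}
	store[path] = enc
	return nil
}

func main() {
	kc, _ := NewKernelCrypto(bytes.Repeat([]byte{0x42}, 32)) // constructed demo key
	pol := EncryptionPolicy{Dir: "/data", Types: []string{".db", ".json"}}
	store := Store{"/data/orders.db": []byte("plain orders"), "/data/README.txt": []byte("notes")}
	n, _ := EnsureEncrypted(store, pol, kc)
	got, _ := ReadFile(store, pol, kc, "/data/orders.db")
	fmt.Printf("encrypted at startup: %d; container reads %q; host sees header %q\n",
		n, got, store["/data/orders.db"][:len(encMagic)])
}
```

Two design points the patent leaves open are made explicit here: the "is it encrypted" check relies on a recognisable header rather than on guessing from content, and the header is bound as associated data so a stored file whose ciphertext or header has been altered fails authentication instead of being returned to the container as garbage. The startup pass is idempotent, so re-running it after a crash converts nothing twice.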
Example 2
An embodiment of the present invention provides a kata container-oriented persistent data protection device which, as shown in FIG. 1, comprises a kata container together with an encryption module and a decryption module (the encryption/decryption module in FIG. 1) in the virtual machine kernel corresponding to that container;
the kata container receives from the user a configuration instruction for the type of service data file in the container and, according to that instruction, creates a separate configuration file in the kata configuration file directory; this configuration file specifies the path and file type of the files to be encrypted;
the kata container receives from the user a designated host storage directory, which the host uses to store the service data of the kata container;
when the kata container starts, it checks whether the service data in the service data file is encrypted and, according to the result, performs the corresponding operation so that the service data in the file is encrypted data;
when a service data file is read inside the kata container, the container sends the file to be read to the decryption module in the corresponding virtual machine kernel, and the decryption module decrypts it;
when service data generated inside the kata container is to be written to local storage, the container sends the data to be written to the encryption module in the corresponding virtual machine kernel, the encryption module encrypts it, and finally the container writes the encrypted service data to the local service data file.
In a specific implementation of this embodiment, the corresponding operation performed according to the check result, to ensure that the service data in the service data file is encrypted data, is as follows:
if the check result is "unencrypted", the kata container sends the service data to the encryption module in the corresponding virtual machine kernel, which encrypts the data in the service data file; the container then receives and stores the encrypted service data.
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (10)
1. A kata container-oriented persistent data protection method is characterized by comprising the following steps:
when the kata container starts, it checks whether the service data in the service data file is encrypted and, according to the result, performs the corresponding operation so that the service data in the file is encrypted data;
when a service data file is read inside the kata container, the container sends the file to be read to the decryption module in the corresponding virtual machine kernel, and the decryption module decrypts it;
when service data generated inside the kata container is to be written to local storage, the container sends the data to be written to the encryption module in the corresponding virtual machine kernel, the encryption module encrypts it, and finally the container writes the encrypted service data to the local service data file.
2. The kata-container-oriented persistent data protection method according to claim 1, wherein: the corresponding operation is performed according to the checking result to ensure that the service data information in the service data file is encrypted data, and the method specifically comprises the following steps:
if the check result is "unencrypted", the kata container sends the service data to the encryption module in the corresponding virtual machine kernel, which encrypts the data in the service data file; the container then receives and stores the encrypted service data.
3. The kata container-oriented persistent data protection method according to claim 1, wherein the encryption module and the decryption module both use the SM4 national cryptographic (Guomi) algorithm.
4. The kata container-oriented persistent data protection method according to claim 1, wherein, before the kata container is started, the method further comprises:
the kata container receives from the user a configuration instruction for the type of service data file in the container and, according to that instruction, creates a separate configuration file in the kata configuration file directory; this configuration file specifies the path and file type of the files to be encrypted.
5. The kata container-oriented persistent data protection method according to claim 1, wherein, after the step in which the kata container receives the in-container service data file type configuration instruction from the user, the method further comprises:
the kata container receives from the user a designated host storage directory, which the host uses to store the service data of the kata container.
6. A kata-container-oriented persistent data protection device, comprising: the system comprises a kata container and an encryption module and a decryption module in a virtual machine kernel corresponding to the kata container;
when the kata container starts, it checks whether the service data in the service data file is encrypted and, according to the result, performs the corresponding operation so that the service data in the file is encrypted data;
when a service data file is read inside the kata container, the container sends the file to be read to the decryption module in the corresponding virtual machine kernel, and the decryption module decrypts it;
when service data generated inside the kata container is to be written to local storage, the container sends the data to be written to the encryption module in the corresponding virtual machine kernel, the encryption module encrypts it, and finally the container writes the encrypted service data to the local service data file.
7. The kata container-oriented persistent data protection device according to claim 6, wherein the corresponding operation performed according to the check result, to ensure that the service data in the service data file is encrypted data, is specifically:
if the check result is "unencrypted", the kata container sends the service data to the encryption module in the corresponding virtual machine kernel, which encrypts the data in the service data file; the container then receives and stores the encrypted service data.
8. The kata container-oriented persistent data protection device according to claim 6, wherein the encryption module and the decryption module both use the SM4 national cryptographic (Guomi) algorithm.
9. The kata container-oriented persistent data protection device according to claim 6, wherein the kata container receives from the user a configuration instruction for the type of service data file in the container and, according to that instruction, creates a separate configuration file in the kata configuration file directory; this configuration file specifies the path and file type of the files to be encrypted.
10. The kata container-oriented persistent data protection device according to claim 6, wherein the kata container receives from the user a designated host storage directory, which the host uses to store the service data of the kata container.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110449233.XA CN113220415B (en) | 2021-04-25 | 2021-04-25 | Kata container-oriented persistent data protection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113220415A CN113220415A (en) | 2021-08-06 |
CN113220415B true CN113220415B (en) | 2022-08-09 |
Family ID: 77088834 (one family application, CN202110449233.XA, status Active; country: CN)
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109726566A (en) * | 2018-11-22 | 2019-05-07 | 成都海光集成电路设计有限公司 | Encryption system and encryption method based on secure memory encryption technology |
CN110569111A (en) * | 2019-09-12 | 2019-12-13 | 天津华云软件有限公司 | virtual machine implementation method, device and system based on traditional container |
Events: 2021-04-25, CN application CN202110449233.XA filed (granted as CN113220415B, status Active)
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |