CN116094775A - Ceph distributed file system server encryption system - Google Patents


Info

Publication number
CN116094775A
Authority
CN
China
Prior art keywords
file
key
encryption
data
client
Legal status
Pending
Application number
CN202211692733.7A
Other languages
Chinese (zh)
Inventor
王新雨
蒋方文
李超
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Application filed by Inspur Cloud Information Technology Co Ltd
Priority to CN202211692733.7A
Publication of CN116094775A

Classifications

    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G06F 21/602 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data by providing cryptographic facilities or services
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network, for key distribution, e.g. centrally by trusted party
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention relates to a ceph distributed file system server-side encryption system. The system comprises a key management module, a client-side encryption and decryption module, an MDS-side data key storage module and an OSD data storage module. It encrypts the file data held in a file system so that users' privacy and data security requirements are met; security during key management and transmission is strengthened by envelope encryption, and combining envelope encryption with per-object encryption is better suited to encrypting large volumes of data.

Description

Ceph distributed file system server encryption system
Technical Field
The invention relates to the field of information technology, in particular to a ceph distributed file system server-side encryption system.
Background
Ceph is a unified distributed storage system offering high performance, high reliability and scalability, and provides object, block and file storage in one unified system. After years of development it is supported by numerous cloud computing vendors and is widely used.
When the CephFS file system is used, the client stripes each file into RADOS (distributed object storage system) objects of a specified size and then sends a write request for each object to an object-based storage device (OSD) to persist the data. The data is stored in the clear on disk, so in some cases, such as the loss of a hardware device, its content can be read, identified or recovered, causing data leakage and privacy problems. For usage scenarios with high data security requirements this is a large security risk. Envelope encryption is an encryption technique similar to digital envelopes: the encrypted data key is sealed in an envelope for storage, transmission and use, and the data itself is encrypted and decrypted directly with the data key rather than with the user master key. Keeping the key encrypted protects it during transmission and use, and the approach suits large data volumes better than encrypting them directly with an asymmetric key.
In scenarios with high data security requirements, the CephFS file system has no mechanism for encrypting the files it holds, so users' security and privacy requirements cannot be met. The invention therefore provides a ceph distributed file system server-side encryption system.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a simple and efficient ceph distributed file system server-side encryption system.
The invention is realized by the following technical scheme:
a ceph distributed file system server-side encryption system, characterized in that: the system comprises a key management module, a client encryption and decryption module, an MDS-side data key storage module and an OSD data storage module;
the key management module is responsible for managing the master keys of the file systems and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
the client encryption and decryption module is located at the CephFS client and is responsible for obtaining data keys from the key management module, performing encryption and decryption when the client reads and writes file contents, and storing the encrypted data key in the MDS-side data key storage module;
the MDS-side data key storage module is responsible for storing the encrypted data key of each file;
the OSD data storage module is responsible for responding to the client's read and write requests and storing the user data.
The ceph distributed file system server-side encryption system encrypts file systems in envelope-encryption mode and designates a master key for each file system; when a file in a file system is encrypted, a data key is first requested from the key management module for that file, the whole file is then striped into RADOS objects of a specified size, each object is encrypted, and the encrypted data key is stored in the extended attribute of the index node (Inode) corresponding to the file.
The encryption process of the ceph distributed file system server-side encryption system comprises the following steps:
step S1, in envelope-encryption mode, a master key is designated in the key management module for each file system;
step S2, when a file in the file system is written, a data key is requested from the key management module under that master key; the whole file is then striped into RADOS objects of the specified size and the written file data is encrypted with the data key, all RADOS objects belonging to the file sharing the same data key;
step S3, the encrypted data key is stored in the extended attribute of the Inode corresponding to the file;
in envelope-encryption mode the data key that encrypts the data is itself sealed in an envelope for storage, transmission and use, and the data is encrypted and decrypted directly with the data key rather than with the user master key.
In step S1, the encryption process for files under a specified file system is started as follows:
step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
step S1.2, it verifies that the file system on which the attribute is being set is empty; if it is, the next step continues, otherwise a verification-failure error is returned;
step S1.3, the CephFS client sends a request to the key management module to apply for a master key;
step S1.4, the key management module sends the master key ID to the CephFS client, which returns an application-success message after receiving it;
step S1.5, the CephFS client locates the specified file system in the directory tree by sending a request to the metadata server (MDS);
step S1.6, the CephFS client sends a request to the MDS to set the ceph.dir.encrypt attribute, which marks the files under that file system as requiring encryption; the value of the ceph.dir.encrypt attribute is the uuid of the corresponding master key.
In step S2, the file data in the file system is written as follows:
step S2.1, on receiving a file write request, the CephFS client determines whether the file to be written must be newly created;
if the file must be newly created, jump to step S2.2;
if the file already exists, check whether the file's Inode contains the ceph.file.encrypt attribute; if not, the write is processed directly without encryption; otherwise the file must be encrypted, so jump to step S2.5;
step S2.2, the CephFS client walks up the directory tree of the file system until it finds a file system (directory) on which the ceph.dir.encrypt attribute is set;
if ceph.dir.encrypt is not set anywhere up to the root file system, the file does not need encryption and the write is processed directly; otherwise the nearest enclosing file system carrying the ceph.dir.encrypt attribute is used and the value of its ceph.dir.encrypt attribute is obtained;
step S2.3, the CephFS client sends a request to the key management module to apply for a data key; the request carries the ceph.dir.encrypt value obtained in step S2.2, which designates the master key to use;
step S2.4, the key management module returns the generated data key, together with that data key encrypted with the master key, to the CephFS client; jump to step S2.7 and execute the encrypted write flow;
step S2.5, for a file that already exists and must be encrypted, read the file's ceph.file.encrypt attribute to obtain the encrypted data key with which the original file data was encrypted;
step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted data key obtained in step S2.5 and recover the data key;
step S2.7, once the data key is available, the file data in the write request is striped according to its logical offset and length in the file and mapped onto RADOS objects of the specified size;
step S2.8, each RADOS object is encrypted with the data key;
during encryption each RADOS object is divided into 4KiB blocks by logical offset and each block is encrypted separately; after encryption the ciphertext is stored in the OSD data storage module.
In step S2, the RADOS object size is specified as 4MB; the object size can be changed by modifying the file layout.
In step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encrypt attribute of the Inode so that it can be used for subsequent writes and reads of the file.
In step S3, file data is read as follows:
step S3.1, the CephFS client receives a file read request and checks whether the Inode of the current file contains the ceph.file.encrypt attribute;
if the file does not contain the ceph.file.encrypt attribute, the file is not encrypted and the read is processed directly;
if the ceph.file.encrypt attribute is present, its value is read to obtain the encrypted data key;
step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtain the plaintext data key;
step S3.3, the logical offset and length of the read request are mapped, according to the file's striping, to the corresponding offsets and lengths within RADOS objects of the specified size;
the logical offset and length are aligned to 4KiB: any partial block at the head or tail of the request is expanded to a full 4KiB read; a read request is then issued to the OSD data storage module to obtain the corresponding RADOS object content;
step S3.4, the RADOS object content read back is decrypted with the plaintext data key, the file data requested by the CephFS client read request is returned, and processing of the read request ends.
An apparatus, characterized in that: it comprises a memory and a processor; the memory is used to store a computer program, and the processor implements the above method steps when executing the computer program.
A readable storage medium, characterized in that: a computer program is stored thereon which, when executed by a processor, implements the above method steps.
The beneficial effects of the invention are as follows: the ceph distributed file system server-side encryption system encrypts the file data in a file system so that users' privacy and data security requirements are met; security during key management and transmission is strengthened by envelope encryption, and combining envelope encryption with per-object encryption is better suited to encrypting large volumes of data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a ceph distributed file system server encryption system according to the present invention.
FIG. 2 is a schematic diagram of a file data writing process according to the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the technical solution of the present invention, the following description will make clear and complete description of the technical solution of the present invention in combination with the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
The ceph distributed file system server-side encryption system comprises a key management module, a client-side encryption and decryption module, an MDS (metadata server) side data key storage module and an OSD data storage module;
the key management module is responsible for managing the master keys of the file systems and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
the client encryption and decryption module is located at the CephFS client and is responsible for obtaining data keys from the key management module, performing encryption and decryption when the client reads and writes file contents, and storing the encrypted data key in the MDS-side data key storage module;
the MDS-side data key storage module is responsible for storing the encrypted data key of each file;
the OSD data storage module is responsible for responding to the client's read and write requests and storing the user data.
The ceph distributed file system server-side encryption system encrypts file systems in envelope-encryption mode and designates a master key for each file system; when a file in a file system is encrypted, a data key is first requested from the key management module for that file, the whole file is then striped into RADOS objects of a specified size, each object is encrypted, and the encrypted data key is stored in the extended attribute of the index node (Inode) corresponding to the file.
The encryption process of the ceph distributed file system server-side encryption system comprises the following steps:
step S1, in envelope-encryption mode, a master key is designated in the key management module for each file system;
step S2, when a file in the file system is written, a data key is requested from the key management module under that master key; the whole file is then striped into RADOS objects of the specified size and the written file data is encrypted with the data key, all RADOS objects belonging to the file sharing the same data key;
step S3, the encrypted data key is stored in the extended attribute of the Inode corresponding to the file;
in envelope-encryption mode the data key that encrypts the data is itself sealed in an envelope for storage, transmission and use, and the data is encrypted and decrypted directly with the data key rather than with the user master key.
When each RADOS object is encrypted, the object is divided into 4KiB blocks which are encrypted separately.
In step S2, each file applies for a different data key, which further protects data security when there are multiple users;
after server-side data encryption, the meaningful content of the data cannot be identified even if the hardware device is lost, so the security of user data is ensured.
In step S1, the encryption process for files under a specified file system is started as follows:
step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
step S1.2, it verifies that the file system on which the attribute is being set is empty; if it is, the next step continues, otherwise a verification-failure error is returned;
step S1.3, the CephFS client sends a request to the key management module to apply for a master key;
step S1.4, the key management module sends the master key ID to the CephFS client, which returns an application-success message after receiving it;
step S1.5, the CephFS client locates the specified file system in the directory tree by sending a request to the metadata server (MDS);
step S1.6, the CephFS client sends a request to the MDS to set the ceph.dir.encrypt attribute, which marks the files under that file system as requiring encryption; the value of the ceph.dir.encrypt attribute is the uuid of the corresponding master key. All subsequent file writes under that file system are encrypted. Note that a file system on which the encryption attribute has been set cannot be modified or deleted.
In step S2, the file data in the file system is written as follows:
step S2.1, on receiving a file write request, the CephFS client determines whether the file to be written must be newly created;
if the file must be newly created, jump to step S2.2;
if the file already exists, check whether the file's Inode contains the ceph.file.encrypt attribute; if not, the write is processed directly without encryption; otherwise the file must be encrypted, so jump to step S2.5;
step S2.2, the CephFS client walks up the directory tree of the file system until it finds a file system (directory) on which the ceph.dir.encrypt attribute is set;
if ceph.dir.encrypt is not set anywhere up to the root file system, the file does not need encryption and the write is processed directly; otherwise the nearest enclosing file system carrying the ceph.dir.encrypt attribute is used and the value of its ceph.dir.encrypt attribute is obtained;
step S2.3, the CephFS client sends a request to the key management module to apply for a data key; the request carries the ceph.dir.encrypt value obtained in step S2.2, which designates the master key to use;
step S2.4, the key management module returns the generated data key, together with that data key encrypted with the master key, to the CephFS client; jump to step S2.7 and execute the encrypted write flow;
step S2.5, for a file that already exists and must be encrypted, read the file's ceph.file.encrypt attribute to obtain the encrypted data key with which the original file data was encrypted;
step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted data key obtained in step S2.5 and recover the data key;
step S2.7, once the data key is available, the file data in the write request is striped according to its logical offset and length in the file and mapped onto RADOS objects of the specified size;
step S2.8, each RADOS object is encrypted with the data key;
during encryption each RADOS object is divided into 4KiB blocks by logical offset and each block is encrypted separately; after encryption the ciphertext is stored in the OSD data storage module.
In step S2, the RADOS object size is specified as 4MB; the object size can be changed by modifying the file layout.
In step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encrypt attribute of the Inode so that it can be used for subsequent writes and reads of the file.
In step S3, file data is read as follows:
step S3.1, the CephFS client receives a file read request and checks whether the Inode of the current file contains the ceph.file.encrypt attribute;
if the file does not contain the ceph.file.encrypt attribute, the file is not encrypted and the read is processed directly;
if the ceph.file.encrypt attribute is present, its value is read to obtain the encrypted data key;
step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtain the plaintext data key;
step S3.3, the logical offset and length of the read request are mapped, according to the file's striping, to the corresponding offsets and lengths within RADOS objects of the specified size;
the logical offset and length are aligned to 4KiB: any partial block at the head or tail of the request is expanded to a full 4KiB read; a read request is then issued to the OSD data storage module to obtain the corresponding RADOS object content;
step S3.4, the RADOS object content read back is decrypted with the plaintext data key, the file data requested by the CephFS client read request is returned, and processing of the read request ends.
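The set-up, write and read flows of steps S1 to S3 above, as an added illustration that is not code from the patent or from Ceph: an in-memory key manager, MDS-side extended attributes and an OSD object store collapsed into one Python model. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for a real block cipher, assumes each new file is written whole from offset 0, and assumes the ceph.file.encrypt attribute also records the uuid of the master key that wraps the envelope; all class, method and path names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 4096  # per-block encryption granularity from step S2.8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR, not a real cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyManager:
    # Model of the key management module: master keys are created here and never leave.
    def __init__(self):
        self._masters = {}

    def create_master(self) -> str:
        mk_id = os.urandom(8).hex()  # the master key uuid that ceph.dir.encrypt will hold
        self._masters[mk_id] = os.urandom(32)
        return mk_id

    def generate_data_key(self, mk_id: str):
        """Steps S2.3/S2.4: return the plaintext data key and its envelope (wrapped key + MAC)."""
        mk, dk, nonce = self._masters[mk_id], os.urandom(32), os.urandom(16)
        ct = xor(dk, keystream(mk, nonce, 32))
        tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
        return dk, nonce + ct + tag

    def decrypt_data_key(self, mk_id: str, envelope: bytes) -> bytes:
        """Steps S2.6/S3.2: open the envelope, rejecting one whose MAC does not verify."""
        mk = self._masters[mk_id]
        nonce, ct, tag = envelope[:16], envelope[16:48], envelope[48:]
        if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("envelope integrity check failed")
        return xor(ct, keystream(mk, nonce, 32))


class CephFSModel:
    # Client, MDS-side xattrs and OSD object store in one in-memory model (hypothetical).
    def __init__(self, kms: KeyManager, object_size: int = 4 * 1024 * 1024):
        self.kms = kms
        self.object_size = object_size  # the 4MB default; changed via the file layout
        self.dir_xattrs = {"/": {}}     # directory Inode xattrs (MDS side)
        self.file_xattrs = {}           # file Inode xattrs (MDS side)
        self.osd = {}                   # (path, object index) -> stored object bytes

    def set_dir_encrypt(self, path: str) -> None:
        """Step S1: only an empty directory may be switched to encrypted."""
        prefix = path.rstrip("/") + "/"
        if any(f.startswith(prefix) for f in self.file_xattrs):
            raise ValueError("directory is not empty")
        self.dir_xattrs.setdefault(path, {})["ceph.dir.encrypt"] = self.kms.create_master()

    def _nearest_master(self, path: str):
        """Step S2.2: walk up the tree to the closest directory carrying ceph.dir.encrypt."""
        d = path
        while d != "/":
            d = d.rsplit("/", 1)[0] or "/"
            if "ceph.dir.encrypt" in self.dir_xattrs.get(d, {}):
                return self.dir_xattrs[d]["ceph.dir.encrypt"]
        return None

    @staticmethod
    def _block_crypt(dk: bytes, obj: int, blk: int, data: bytes) -> bytes:
        # Nonce = (object index, block index): unique per file because each file has its own
        # data key; rewriting a block in place would reuse it, so this model only writes new files.
        nonce = obj.to_bytes(8, "big") + blk.to_bytes(8, "big")
        return xor(data, keystream(dk, nonce, len(data)))

    def write_new(self, path: str, data: bytes) -> None:
        """Steps S2.1-S2.8 for a newly created file written from offset 0 (an assumption)."""
        mk_id, dk = self._nearest_master(path), None
        self.file_xattrs[path] = {}
        if mk_id is not None:
            dk, envelope = self.kms.generate_data_key(mk_id)
            # Assumption: the xattr also records which master key wraps the envelope.
            self.file_xattrs[path]["ceph.file.encrypt"] = (mk_id, envelope)
        osz = self.object_size
        for obj in range((len(data) + osz - 1) // osz):
            chunk = data[obj * osz:(obj + 1) * osz]
            if dk is not None:
                chunk = b"".join(self._block_crypt(dk, obj, b, chunk[b * BLOCK:(b + 1) * BLOCK])
                                 for b in range((len(chunk) + BLOCK - 1) // BLOCK))
            self.osd[(path, obj)] = chunk

    def read(self, path: str, offset: int, length: int) -> bytes:
        """Steps S3.1-S3.4: 4KiB-align the request, fetch, decrypt, trim to what was asked."""
        meta = self.file_xattrs[path].get("ceph.file.encrypt")
        dk = self.kms.decrypt_data_key(*meta) if meta else None
        start = offset - offset % BLOCK                  # head amplified down to a block edge
        end = -(-(offset + length) // BLOCK) * BLOCK     # tail amplified up to a block edge
        out = b""
        for pos in range(start, end, BLOCK):
            obj, in_obj = divmod(pos, self.object_size)
            raw = self.osd.get((path, obj), b"")[in_obj:in_obj + BLOCK]
            out += self._block_crypt(dk, obj, in_obj // BLOCK, raw) if dk else raw
        return out[offset - start:offset - start + length]
```

A small object_size in the constructor lets a test file span several objects without writing 4MB; a read crossing the 4KiB edges shows the amplification of step S3.3.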
The apparatus comprises a memory and a processor; the memory is used to store a computer program, and the processor implements the above method steps when executing the computer program.
The readable storage medium has a computer program stored thereon which, when executed by a processor, implements the above method steps.
Compared with the prior art, the ceph distributed file system server-side encryption system has the following characteristics:
firstly, a server-side encryption function is provided to users, effectively serving scenarios in which users have higher data security and privacy requirements;
secondly, encryption is performed in envelope-encryption mode, which strengthens security during key management and storage compared with encrypting data directly with a symmetric key, and suits large data volumes better than encrypting directly with an asymmetric key;
thirdly, the RADOS objects belonging to a file are encrypted separately, with a single encryption unit of 4KiB, which, compared with finer-grained encryption at the file level, improves file read and write efficiency and reduces the read/write amplification caused by encryption.
The above examples are only one of the specific embodiments of the present invention, and the ordinary changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention should be included in the scope of the present invention.

Claims (10)

1. A ceph distributed file system server-side encryption system, characterized in that: the system comprises a key management module, a client encryption and decryption module, an MDS-side data key storage module and an OSD data storage module;
the key management module is responsible for managing the master keys of the file systems and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
the client encryption and decryption module is located at the CephFS client and is responsible for obtaining data keys from the key management module, performing encryption and decryption when the client reads and writes file contents, and storing the encrypted data key in the MDS-side data key storage module;
the MDS-side data key storage module is responsible for storing the encrypted data key of each file;
the OSD data storage module is responsible for responding to the client's read and write requests and storing the user data.
2. The ceph distributed file system server-side encryption system according to claim 1, wherein: file systems are encrypted in envelope-encryption mode and a master key is designated for each file system; when a file in a file system is encrypted, a data key is first requested from the key management module for that file, the whole file is then striped into RADOS objects of a specified size, each object is encrypted, and the encrypted data key is stored in the extended attribute of the index node (Inode) corresponding to the file.
3. The ceph distributed file system server-side encryption system according to claim 2, wherein: the encryption flow comprises the following steps:
step S1, in envelope-encryption mode, a master key is designated in the key management module for each file system;
step S2, when a file in the file system is written, a data key is requested from the key management module under that master key; the whole file is then striped into RADOS objects of the specified size and the written file data is encrypted with the data key, all RADOS objects belonging to the file sharing the same data key;
step S3, the encrypted data key is stored in the extended attribute of the Inode corresponding to the file;
in envelope-encryption mode the data key that encrypts the data is itself sealed in an envelope for storage, transmission and use, and the data is encrypted and decrypted directly with the data key rather than with the user master key.
4. The ceph distributed file system server-side encryption system according to claim 3, wherein: in step S1, the encryption process for files under a specified file system is started as follows:
step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
step S1.2, it verifies that the file system on which the attribute is being set is empty; if it is, the next step continues, otherwise a verification-failure error is returned;
step S1.3, the CephFS client sends a request to the key management module to apply for a master key;
step S1.4, the key management module sends the master key ID to the CephFS client, which returns an application-success message after receiving it;
step S1.5, the CephFS client locates the specified file system in the directory tree by sending a request to the metadata server (MDS);
step S1.6, the CephFS client sends a request to the MDS to set the ceph.dir.encrypt attribute, which marks the files under that file system as requiring encryption; the value of the ceph.dir.encrypt attribute is the uuid of the corresponding master key.
5. The Ceph distributed file system server encryption system according to claim 4, wherein: in step S2, the write process for file data in the file system is as follows:
step S2.1, after receiving a file write request, the CephFS client determines whether the file to be written must be newly created;
if the file must be newly created, jump to step S2.2;
otherwise, check whether the Inode of the existing file carries the ceph.file.encrypt attribute: if it does not, execute the write flow directly without encryption; if it does, the file must be encrypted, so jump to step S2.5;
step S2.2, the CephFS client walks up the directory tree of the file system until it finds a directory on which the ceph.dir.encrypt attribute is set;
if no ceph.dir.encrypt attribute is found all the way up to the root directory, the file does not need encryption and the write flow is executed directly; otherwise, take the directory nearest to the current file that has the ceph.dir.encrypt attribute set and read the value of that attribute;
step S2.3, the CephFS client sends a request to the key management module to apply for a data key; the request carries the ceph.dir.encrypt value obtained in step S2.2, which designates the master key to be used;
step S2.4, the key management module returns to the CephFS client the generated data key together with a copy of that data key encrypted under the master key; jump to step S2.7 and execute the encrypted write flow;
step S2.5, for an existing file that must be encrypted, read the ceph.file.encrypt attribute of the file to obtain the encrypted data key under which the file's data was originally encrypted;
step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted data key obtained in step S2.5 and so obtain the plaintext data key;
step S2.7, once the data key is available, the file data carried by the write request is striped according to the file's logical offset and length and mapped onto RADOS objects of the specified size;
step S2.8, each RADOS object is encrypted with the data key;
during encryption, each RADOS object is divided into 4 KiB blocks by logical offset and each block is encrypted separately; after encryption, the ciphertext is stored in the OSD data storage module.
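Steps S1.1 to S1.6 and S2.1 to S2.6 describe an envelope-encryption arrangement: a master key that never leaves the key management module, a per-file data key that the module hands out in plaintext together with a wrapped copy, and two extended attributes (ceph.dir.encrypt holding a master key ID, ceph.file.encrypt holding the wrapped data key) that tie a file to its nearest encrypting ancestor directory. The Go program below is an added illustration written for this page, not code from the patent or from Ceph. It models the metadata as an in-memory Inode tree and the key management module as a small in-process KMS. Everything the claims leave open is an assumption here: 256-bit keys, a random 16-hex-digit master key ID, AES-256-GCM for wrapping with the wrapped blob laid out as "<masterID>:" + nonce + ciphertext and the ID bound as associated data, and the names Inode, KMS, SetDirEncrypt, NewDataKey, Unwrap and nearestEncryptDir.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Inode holds only what the claims touch: ceph.dir.encrypt (master key ID) on
// directories, ceph.file.encrypt (wrapped data key) on files, a child count for
// the emptiness check in S1.2 and the parent link walked in S2.2. (Assumed model.)
type Inode struct {
	Xattrs   map[string][]byte
	Parent   *Inode
	Children int
}

// KMS stands in for the key management module; master keys never leave it.
type KMS struct{ masters map[string][]byte }

func NewKMS() *KMS { return &KMS{masters: map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failure is unrecoverable
	}
	return b
}

// SetDirEncrypt is claim 4: refuse a non-empty directory (S1.2), mint a master
// key and expose only its ID (S1.3, S1.4), then record that ID as the value of
// ceph.dir.encrypt (S1.6). The 256-bit key and random hex ID are assumptions.
func (k *KMS) SetDirEncrypt(dir *Inode) (string, error) {
	if dir.Children > 0 {
		return "", errors.New("ceph.dir.encrypt requires an empty directory")
	}
	id := hex.EncodeToString(randBytes(8))
	k.masters[id] = randBytes(32)
	dir.Xattrs["ceph.dir.encrypt"] = []byte(id)
	return id, nil
}

func (k *KMS) gcm(id string) (cipher.AEAD, error) {
	mk, ok := k.masters[id]
	if !ok {
		return nil, errors.New("unknown master key " + id)
	}
	blk, err := aes.NewCipher(mk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// NewDataKey is S2.3/S2.4: a fresh data key, in plaintext and wrapped under the
// named master key with AES-256-GCM as "<masterID>:" + nonce + ciphertext, the
// ID bound as associated data (this wrapped format is an assumption).
func (k *KMS) NewDataKey(masterID string) (dek, wrapped []byte, err error) {
	g, err := k.gcm(masterID)
	if err != nil {
		return nil, nil, err
	}
	dek, nonce := randBytes(32), randBytes(g.NonceSize())
	wrapped = append([]byte(masterID+":"), g.Seal(nonce, nonce, dek, []byte(masterID))...)
	return dek, wrapped, nil
}

// Unwrap is S2.6/S3.2; a swapped ID prefix or any altered byte fails the tag check.
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) {
	id, blob, ok := bytes.Cut(wrapped, []byte(":"))
	if !ok {
		return nil, errors.New("malformed wrapped key")
	}
	g, err := k.gcm(string(id))
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("cannot unwrap data key")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], id)
}

// nearestEncryptDir is S2.2: the closest ancestor carrying ceph.dir.encrypt,
// or "" when the walk reaches the root without finding one.
func nearestEncryptDir(f *Inode) string {
	for d := f.Parent; d != nil; d = d.Parent {
		if v, ok := d.Xattrs["ceph.dir.encrypt"]; ok {
			return string(v)
		}
	}
	return ""
}

func main() {
	k, root := NewKMS(), &Inode{Xattrs: map[string][]byte{}}
	enc := &Inode{Xattrs: map[string][]byte{}, Parent: root}
	id, _ := k.SetDirEncrypt(enc)
	f := &Inode{Parent: &Inode{Parent: enc}} // new file two levels below enc
	_, wrapped, _ := k.NewDataKey(nearestEncryptDir(f))
	fmt.Printf("master %s, wrapped data key %d bytes\n", id, len(wrapped))
}
```

Binding the master key ID as associated data is the detail worth keeping: the wrapped key lives in an extended attribute that the client writes, so without that binding anyone able to edit xattrs could at least point the key management module at a different master key. Note also what this model makes explicit about the claims: the plaintext data key is returned to the CephFS client, so the trust boundary is the OSD store, not the client host.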
6. The Ceph distributed file system server encryption system according to claim 3, wherein: in step S2, the RADOS object size is specified as 4 MB, and the object size is changed by modifying the file layout.
7. The Ceph distributed file system server encryption system according to claim 3, wherein: in step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encrypt attribute of the file's Inode, for use in subsequent writes and reads of the file.
8. The Ceph distributed file system server encryption system according to claim 6, wherein: in step S3, the file data read process is as follows:
step S3.1, the CephFS client receives a file read request and checks whether the index node (Inode) of the current file carries the ceph.file.encrypt attribute;
if the Inode does not carry the ceph.file.encrypt attribute, the file is not encrypted and the read flow is executed directly;
if the Inode carries the ceph.file.encrypt attribute, read its value to obtain the encrypted data key;
step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtain the plaintext data key;
step S3.3, the logical offset and length of the file data in the read request are mapped, according to the striping, to the corresponding offset and length within RADOS objects of the specified size;
the logical offset and length are aligned to 4 KiB: where the head or tail of the request covers less than a full 4 KiB block, the read is widened to the whole 4 KiB block; a read request is then issued to the OSD data storage module to fetch the corresponding RADOS object content;
step S3.4, the RADOS object content that was read is decrypted with the plaintext data key, the file data requested by the CephFS client read request is returned, and processing of the read request ends.
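Steps S2.7/S2.8 and S3.3/S3.4, together with claim 6, fix the two sizes that matter: a 4 MB RADOS object and a 4 KiB encryption block, with reads widened to 4 KiB boundaries before decryption. The claims do not say which cipher encrypts a block or how its IV is chosen. The Go program below is an added example for this page, not code from the patent or from Ceph, and fills those gaps with stated assumptions: AES-256-CTR with an IV derived from (object number, block number), so ciphertext stays the same length and the striping arithmetic is unaffected; the default CephFS layout (stripe_count 1, object_size 4 MiB), so that mapping a file range onto objects is plain division; and a file stored as the concatenation of its objects' ciphertext. The names Extent, stripe, xorBlocks, EncryptFile, alignedRange and DecryptRead are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	blockSize  = 4096            // per-block encryption granularity (claim 5, S2.8)
	objectSize = 4 * 1024 * 1024 // RADOS object size set via the file layout (claim 6)
)

// Extent is the part of one RADOS object that a slice of the file maps to.
type Extent struct{ Object, Offset, Length uint64 }

// stripe is the mapping of S2.7/S3.3 under the default layout (stripe_count 1,
// object_size 4 MiB): file range [off, off+n) becomes one extent per object.
func stripe(off, n uint64) []Extent {
	var out []Extent
	for n > 0 {
		inner := off % objectSize
		l := objectSize - inner
		if l > n {
			l = n
		}
		out = append(out, Extent{Object: off / objectSize, Offset: inner, Length: l})
		off, n = off+l, n-l
	}
	return out
}

// xorBlocks applies AES-256-CTR to buf in place, 4 KiB at a time, with buf
// starting at the aligned file offset off. The IV is (object number, block
// number), so every block of the file gets its own keystream; cipher, mode and
// IV scheme are assumptions, the claims fix only the granularity. CTR is its
// own inverse and keeps length, so one routine serves S2.8 and S3.4.
func xorBlocks(dek, buf []byte, off uint64) error {
	if off%blockSize != 0 {
		return errors.New("offset not 4 KiB aligned")
	}
	c, err := aes.NewCipher(dek)
	if err != nil {
		return err
	}
	for i := 0; i < len(buf); i += blockSize {
		pos, end := off+uint64(i), i+blockSize
		if end > len(buf) {
			end = len(buf)
		}
		iv := make([]byte, 16)
		binary.BigEndian.PutUint64(iv[:8], pos/objectSize)
		binary.BigEndian.PutUint64(iv[8:], (pos%objectSize)/blockSize)
		cipher.NewCTR(c, iv).XORKeyStream(buf[i:end], buf[i:end])
	}
	return nil
}

// EncryptFile is S2.7/S2.8 for a whole file written from offset 0; the result
// is the concatenation of the object contents that go to the OSDs.
func EncryptFile(dek, plain []byte) ([]byte, error) {
	buf := append([]byte(nil), plain...)
	if err := xorBlocks(dek, buf, 0); err != nil {
		return nil, err
	}
	return buf, nil
}

// alignedRange is the 4 KiB widening of S3.3 for a read of [off, off+n).
func alignedRange(off, n, size uint64) (start, end uint64) {
	start = off &^ (blockSize - 1)
	if end = (off + n + blockSize - 1) &^ (blockSize - 1); end > size {
		end = size // the final block of a file may be shorter than 4 KiB
	}
	return start, end
}

// DecryptRead is S3.3/S3.4 against the stored ciphertext: widen, decrypt only
// the covered blocks, then return exactly the bytes that were requested.
func DecryptRead(dek, stored []byte, off, n uint64) ([]byte, error) {
	size := uint64(len(stored))
	if off > size || n > size-off {
		return nil, errors.New("read past end of file")
	}
	start, end := alignedRange(off, n, size)
	buf := append([]byte(nil), stored[start:end]...)
	if err := xorBlocks(dek, buf, start); err != nil {
		return nil, err
	}
	return buf[off-start : off-start+n], nil
}

func main() {
	dek := make([]byte, 32) // fixed key for the demo only; real keys come from the KMS
	plain := make([]byte, 3*blockSize+100)
	stored, _ := EncryptFile(dek, plain)
	got, _ := DecryptRead(dek, stored, 4000, 300)
	fmt.Println(len(stored), len(got), stripe(objectSize-100, 300))
}
```

Two caveats follow from this choice and apply to any per-block scheme built on the claims. CTR gives no integrity, so an OSD (or anyone on the path) that flips ciphertext bits flips the same plaintext bits. And a position-derived IV fixes the key/IV pair for each block, so rewriting that block in place with different data reuses keystream and leaks the XOR of the old and new contents; a design like this needs either a non-expanding tweakable mode such as AES-XTS (which still reveals when a block returns to an earlier value) or a fresh data key on rewrite. An authenticated mode such as AES-GCM would add a 16-byte tag per block and break the 4 KiB-in, 4 KiB-out mapping unless the layout reserves room for it.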
9. An apparatus, characterized in that it comprises a memory and a processor; the memory is adapted to store a computer program, and the processor is adapted to implement the method steps of any one of claims 1 to 8 when the computer program is executed.
10. A readable storage medium, characterized in that a computer program is stored on it which, when executed by a processor, implements the method steps of any one of claims 1 to 8.
CN202211692733.7A 2022-12-28 2022-12-28 Ceph distributed file system server encryption system Pending CN116094775A (en)
Publications (1)

Publication Number Publication Date
CN116094775A 2023-05-09

Family ID: 86186161

Country Status (1)

Country Link
CN (1) CN116094775A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107506652A (en) * 2017-07-13 2017-12-22 Zhejiang University Implementation method and system of an access protection mechanism for CephFS distributed file system metadata
CN109783438A (en) * 2018-12-05 2019-05-21 Nanjing Huaxun Fangzhou Communication Equipment Co., Ltd. Distributed NFS system based on librados and its construction method
CN110120869A (en) * 2019-03-27 2019-08-13 Shanghai Gejing Information Technology Co., Ltd. Key management system and key service node
CN112733189A (en) * 2021-01-14 2021-04-30 Inspur Cloud Information Technology Co., Ltd. System and method for implementing file storage server-side encryption
CN113779619A (en) * 2021-08-11 2021-12-10 Shenzhen Zhengtong Cloud Computing Co., Ltd. Encryption and decryption method for a Ceph distributed object storage system based on the Chinese national cryptographic (SM) algorithms


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination