TW202036349A - Computer system and method for virtual hard disk encryption and decryption - Google Patents
- Publication number: TW202036349A (application TW108110071A)
- Authority: TW (Taiwan)
- Prior art keywords: hard disk, virtual hard disk, disk file, storage device, encrypted
Description
The invention relates to encryption and decryption technology for a virtual hard disk.
Microsoft's virtual hard disk (VHD) supports many convenient uses: a user can mount a virtual operating system without conflicting with the existing system, and can simply detach it when it is no longer needed, whereupon the virtual hard disk reverts to a virtual hard disk file (VHD file). Microsoft also provides BitLocker, which applies Advanced Encryption Standard (AES) encryption, so a key must be entered before the virtual hard disk can be mounted and the user's more private data is well protected. Because the virtual hard disk returns to the locked state as soon as the user detaches it, this is also more convenient than Microsoft's eDrive scheme, which encrypts the entire physical hard disk.
However, existing virtual hard disks rely on purely software AES encryption, so a virtual hard disk file can be copied to any operating system. If it is inadvertently copied by a thief, a little time spent cracking the password is enough to expose the important data, which can lead to the theft of credit card, banking and other sensitive information.
The invention provides a computer system and a method for encrypting and decrypting its virtual hard disk, which can improve the security of the virtual hard disk.
In one embodiment of the invention, the method applies to a computer system having a storage device and a processor, and includes the following steps. When the virtual hard disk file corresponding to a virtual hard disk is stored on the storage device, the storage device, which is a self-encrypting drive, encrypts the virtual hard disk file to produce a first encrypted virtual hard disk file. The processor then encrypts the first encrypted virtual hard disk file to produce a second encrypted virtual hard disk file. When the processor receives a password, it determines whether the password is associated with a mount command for mounting the second encrypted virtual hard disk file. If so, the processor decrypts the second encrypted virtual hard disk file back into the first encrypted virtual hard disk file, and the storage device decrypts the first encrypted virtual hard disk file back into the virtual hard disk file.
In one embodiment of the invention, the computer system includes a storage device and a processor, where the storage device is a self-encrypting drive and the processor is coupled to the storage device. When the virtual hard disk file corresponding to a virtual hard disk is stored on the storage device, the storage device encrypts the virtual hard disk file to produce a first encrypted virtual hard disk file. The processor encrypts the first encrypted virtual hard disk file to produce a second encrypted virtual hard disk file. When the processor receives a password, it determines whether the password is associated with a mount command for mounting the second encrypted virtual hard disk file. If so, the processor decrypts the second encrypted virtual hard disk file back into the first encrypted virtual hard disk file, and the storage device decrypts the first encrypted virtual hard disk file back into the virtual hard disk file.
To make the above features and advantages of the invention more readily understood, embodiments are described in detail below with reference to the accompanying drawings.
Conventional eDrive technology encrypts the entire hard disk: once the computer system has booted, the whole disk is already unlocked, and a thief can copy the unprotected data directly in that unlocked state. Conventional BitLocker, on the other hand, performs AES encryption in software, so it consumes processor resources during access and offers no way to restrict where a file can be accessed. The central idea of the invention is to bring in the encryption mechanism of a self-encrypting drive (SED) to encrypt the file. Because each drive generates a different key, the file can only be accessed on that drive. Even if a thief copies the file elsewhere and cracks the BitLocker password, without the drive's key the thief sees only unintelligible data, so the risk of the file contents being cracked is avoided.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. Where the same reference numeral appears in different drawings, it denotes the same or a similar element. These embodiments are only part of the invention and do not disclose every way in which it can be implemented; rather, they are examples of the method and computer system within the scope of the claims.
FIG. 1 is a block diagram of a computer system according to an embodiment of the invention. FIG. 1 first introduces all the components of the system and how they are arranged; their detailed functions are disclosed together with FIG. 2.
Referring to FIG. 1, the computer system 100 includes a storage device 110 and a processor 120, where the processor 120 is electrically connected or coupled to the storage device 110. In this embodiment the computer system 100 may be a personal computer, notebook computer, server, tablet, smartphone or workstation.
The storage device 110 may be a hard disk built into the computer system 100 and electrically connected or coupled to the processor 120, or an external hard disk electrically connected to the processor 120 through a cable, a bus or another external interface. In this embodiment the storage device 110 is a self-encrypting drive, for example a solid state drive (SSD) built to the Opal security management specification, although the invention is not limited to this.
The processor 120 controls the operation of the components of the computer system 100 and may be, for example, a central processing unit (CPU) or another programmable general-purpose or special-purpose microprocessor, a digital signal processor (DSP), a programmable controller, an application specific integrated circuit (ASIC), a programmable logic device (PLD), another similar device or integrated circuit, or a combination of these.
Those of ordinary skill in the art will also understand that the computer system 100 further includes a memory (not shown), separate from the storage device 110, that stores the program code and related data the processor 120 uses to execute the access method; it may be any kind of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, another similar device or integrated circuit, or a combination of these.
FIG. 2 is a flowchart of the method for encrypting and decrypting the virtual hard disk of the computer system according to an embodiment of the invention. The method of this embodiment applies to the computer system 100 of FIG. 1, and its detailed steps are described below with reference to the elements of the computer system 100.
Referring to FIG. 1 and FIG. 2 together: first, when the virtual hard disk file corresponding to the virtual hard disk is stored on the storage device 110, the storage device 110 encrypts the virtual hard disk file to produce a first encrypted virtual hard disk file (step S201). The processor 120 then encrypts the first encrypted virtual hard disk file to produce a second encrypted virtual hard disk file (step S202). In this embodiment, when the processor 120 receives an encryption command indicating that the user wants the virtual hard disk file encrypted, the storage device 110 encrypts the virtual hard disk file with its own hardware hash, using the self-encryption mechanism of the Opal specification, to produce the first encrypted virtual hard disk file; the processor 120 then encrypts the first encrypted virtual hard disk file again with BitLocker to produce the second encrypted virtual hard disk file, so that the file is protected by both software and hardware. The encryption here may be AES, but the invention is not limited to it.
When the processor 120 receives a password, the processor 120 itself determines whether the password is associated with a mount command for mounting the second encrypted virtual hard disk file (step S204). When the processor 120 determines that the password is associated with such a mount command, it decrypts the second encrypted virtual hard disk file back into the first encrypted virtual hard disk file (step S205). The storage device 110 then decrypts the first encrypted virtual hard disk file back into the virtual hard disk file (step S206). In this embodiment, the processor 120 decrypts the second encrypted virtual hard disk file with the BitLocker key to recover the first encrypted virtual hard disk file, and the storage device 110 decrypts the first encrypted virtual hard disk file with its own dedicated hardware hash key to recover the virtual hard disk file. The processor 120 can then access the mounted virtual hard disk and obtain the decrypted data.
In this embodiment, because the storage device 110 applies Opal encryption only to the virtual hard disk, the virtual hard disk file remains undecrypted during normal operation of the computer system 100; a copy of the virtual hard disk file therefore also stays undecrypted, which further reduces the risk of it being cracked. If a thief copies the virtual hard disk file directly to a device other than the storage device 110, the file cannot be decrypted there, because the hardware hash key dedicated to the storage device 110 is not available on any other device.
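The two-stage scheme of steps S201 to S206, together with the copied-elsewhere failure just described, as an added example that is not code from the patent. It is a Python model using only the standard library, so AES, the Opal mechanism and BitLocker are all stood in for by an authenticated stream cipher built from HMAC-SHA256 (a counter-mode keystream plus a MAC tag); `seal`, `unseal`, `SelfEncryptingDrive`, `bitlocker_key`, `protect`, `mount` and `demo` are invented names. Two assumptions are built in: the drive's data-encryption key is generated inside the drive object and never handed to the host (this stands in for the patent's "hardware hash"), and the drive's layer is only removed through the explicit `read_vhd` path, corresponding to the vendor-command path of FIG. 3 rather than the ordinary unlocked read path. The password check of step S204 is modelled as the tag check on the software layer. The sample VHD payload is constructed.

```python
# Added example (not the patent's code): a stdlib-only model of steps S201-S206.
# AES, Opal and BitLocker are stood in for by an HMAC-SHA256 authenticated stream cipher.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on a wrong key or an edited file."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class SelfEncryptingDrive:
    """Stand-in for storage device 110 (SED 340): the data-encryption key is generated
    inside the drive and never handed to the host, which is what binds a file to it."""

    def __init__(self):
        self._dek = secrets.token_bytes(32)   # unique per drive instance (assumption)

    def write_vhd(self, vhd_file: bytes) -> bytes:
        """Step S201: the drive produces the first encrypted VHD file."""
        return seal(self._dek, vhd_file)

    def read_vhd(self, first_encrypted: bytes) -> bytes:
        """Step S206: only this drive can remove its own layer."""
        return unseal(self._dek, first_encrypted)


def bitlocker_key(password: str, salt: bytes) -> bytes:
    """Password-derived key for the processor's software layer (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def protect(drive: SelfEncryptingDrive, vhd_file: bytes, password: str) -> bytes:
    """Steps S201 and S202: the drive's layer first, then the processor's layer."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + seal(bitlocker_key(password, salt), drive.write_vhd(vhd_file))


def mount(drive: SelfEncryptingDrive, stored: bytes, password: str) -> bytes:
    """Steps S204-S206: password check, software unwrap, then the drive unwraps."""
    salt, second = stored[:SALT_LEN], stored[SALT_LEN:]
    try:
        first = unseal(bitlocker_key(password, salt), second)        # S204/S205
    except ValueError:
        raise PermissionError("password is not associated with this mount command") from None
    return drive.read_vhd(first)                                     # S206


def _rejected(exc, fn, *args) -> bool:
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: correct mount, wrong password, file copied to another SED."""
    vhd_file = b"constructed VHD image: boot sector, file table, private documents ..."
    drive_a, drive_b = SelfEncryptingDrive(), SelfEncryptingDrive()
    stored = protect(drive_a, vhd_file, "correct horse battery staple")
    return {
        "mount_ok": mount(drive_a, stored, "correct horse battery staple") == vhd_file,
        "wrong_password_rejected": _rejected(PermissionError, mount, drive_a, stored, "guess"),
        # a thief who copied the file and learned the password still fails on drive B
        "other_drive_rejected": _rejected(ValueError, mount, drive_b, stored, "correct horse battery staple"),
    }
```

`demo()` returns all three flags as `True`: the file mounts on the drive that wrote it, a wrong password is refused at the software layer, and the same file with the correct password is refused on a second drive because its inner layer was sealed under a key that only drive A holds. Note that the model gives the drive binding only because `read_vhd` is the sole path through the drive's key; on a real SED whose locking range is already unlocked, the ordinary read path returns plaintext, which is why the patent routes decryption through the vendor-specific command of FIG. 3.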
For clarity, FIG. 3 is a functional flowchart of the method for decrypting the virtual hard disk of the computer system according to an embodiment of the invention. In this embodiment the storage device 110 is implemented as SED 340 and the processor 120 as CPU 310.
Referring to FIG. 3, in this embodiment the CPU 310 issues a system command to decrypt the virtual hard disk file 325 with the BitLocker key, and the virtual hard disk file 325 sends a vendor-specific command to the SED 340; the SED 340 responds to the vendor-specific command by decrypting the virtual hard disk file 325 with the hardware hash key. In this way there is no dependence on the operating system's native file system 320, and the virtual hard disk file 325 need not first be decrypted into DRAM 330, which would create an additional exposure. The user can work directly through the operating system with the internal data of the mounted virtual hard disk file 325.
From another point of view, FIG. 4 is a schematic diagram comparing the method for decrypting a virtual hard disk according to an embodiment of the invention with the prior art.
Referring to FIG. 4, in this embodiment, after the user mounts the virtual hard disk, the operating system can access the internal data of the virtual hard disk through App 410 using a VHD file system 420 that holds the hardware hash key. The VHD file system 420 therefore no longer conflicts with the native operating system's file system. Alternatively, if App 410 builds its own third-party file system 430 to read the encrypted file and thereby pass on the hardware hash key, the file can only be copied into the OS file system 440 and cannot be executed directly, because the various executable programs still depend on the OS file system 440. This approach protects poorly, however, because it amounts to decrypting the encrypted file before it can be copied into the unencrypted area; even if the file is deleted as soon as the work is finished, the OS file system 440 does not immediately overwrite that data, which creates an additional exposure.
It should also be noted that, when the storage device 110 is an SSD, the virtual hard disk can be combined with the SSD firmware to strengthen the data. Current SSDs mainly use multi-level cell structures such as TLC/QLC (the same voltage range divided into 8 or 16 levels), whose data retention is far worse than that of the early SLC structure (the same voltage range divided into 2 levels). If the SSD stores the data in SLC form instead, however, the virtual hard disk file occupies 3 or 4 times its actual size, and that data can no longer be consolidated into TLC/QLC form, so the SSD firmware can handle it separately. Assuming the virtual hard disk is used to store important data, and that this data does not take up too much space, trading space for data accuracy is a reasonable balance. Therefore, if the processor 120 detects that the SSD has TLC/QLC storage capability, the processor 120 can first process the internal data of the virtual hard disk accordingly, because that data will be stored in 3 or 4 times its own size (for example, a 2 MB document actually occupies 6 MB on a TLC SSD or 8 MB on a QLC SSD), and the file system will declare, say, 3 or 4 times the storage space for the internal data.
In summary, the computer system and virtual hard disk encryption and decryption method provided by the invention use the processor and the storage device to encrypt the virtual hard disk file corresponding to the virtual hard disk in two successive stages, and use the processor and the storage device to decrypt the encrypted virtual hard disk file in two successive stages, so that a dual protection mechanism improves the security of the virtual hard disk.
Although the invention has been disclosed above by way of embodiments, they are not intended to limit it. Anyone of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is defined by the appended claims.
Reference numerals: 100: computer system; 110: storage device; 120: processor; S201~S206: steps; 310: CPU; 320: file system; 325: virtual hard disk file; 330: DRAM; 340: SED; 410: App; 420: VHD file system; 430: third-party file system; 440: OS file system
FIG. 1 is a block diagram of a computer system according to an embodiment of the invention. FIG. 2 is a flowchart of the method for encrypting and decrypting the virtual hard disk of the computer system according to an embodiment of the invention. FIG. 3 is a functional flowchart of the method for encrypting and decrypting the virtual hard disk of the computer system according to an embodiment of the invention. FIG. 4 is a schematic diagram comparing the method for encrypting and decrypting a virtual hard disk according to an embodiment of the invention with the prior art.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108110071A TW202036349A (en) | 2019-03-22 | 2019-03-22 | Computer system and method for virtual hard disk encryption and decryption |
Publications (1)
Publication Number | Publication Date |
---|---|
TW202036349A true TW202036349A (en) | 2020-10-01 |
Family
ID=74091137
Country Status (1)
Country | Link |
---|---|
TW (1) | TW202036349A (en) |
- 2019-03-22: application TW108110071A filed in TW (publication TW202036349A); status unknown
Similar Documents
Publication | Title |
---|---|
US10348497B2 | System and method for content protection based on a combination of a user pin and a device specific identifier |
US11809584B2 | File system metadata protection |
US20190026117A1 | System and method for wiping encrypted data on a device having file-level content protection |
US10503934B2 | Secure subsystem |
AU2012204448B2 | System and method for in-place encryption |
US9397834B2 | Scrambling an address and encrypting write data for storing in a storage device |
US8433901B2 | System and method for wiping encrypted data on a device having file-level content protection |
US9135450B2 | Systems and methods for protecting symmetric encryption keys |
TWI514187B | Systems and methods for providing anti-malware protection on storage devices |
US20220123932A1 | Data storage device encryption |
WO2012047199A1 | Modifying a length of an element to form an encryption key |
US20220045850A1 | Memory system encrypting data |
TW202036349A | Computer system and method for virtual hard disk encryption and decryption |
US20240160766A1 | File system metadata protection |
US20220121781A1 | Data storage device encryption |
CN101763319A | Disk FDE (Full Disk Encryption) system and method |