TW202036349A - Computer system and method for virtual hard disk encryption and decryption - Google Patents

Info

Publication number
TW202036349A
Authority
TW
Taiwan
Prior art keywords
hard disk
virtual hard
disk file
storage device
encrypted
Prior art date
Application number
TW108110071A
Other languages
Chinese (zh)
Inventor
侯冠宇
傅子瑜
Original Assignee
宏碁股份有限公司
Priority date
Filing date
Publication date
Application filed by 宏碁股份有限公司
Priority to TW108110071A
Publication of TW202036349A

Abstract

A computer system and a method for virtual hard disk (VHD) encryption and decryption are proposed. The method is applicable to a computer system having a storage device and a processor and includes the following steps. When a VHD file corresponding to a VHD is stored in the storage device, encryption is performed on the VHD file by the storage device to generate a first encrypted VHD file. Encryption is performed on the first encrypted VHD file by the processor to generate a second encrypted VHD file. When the processor receives a password, whether the password is associated with a mount command to mount the second encrypted VHD file is determined. If yes, decryption is performed on the second encrypted VHD file by the processor to decrypt and restore the second encrypted VHD file to the first encrypted VHD file. Decryption is performed on the first encrypted VHD file to decrypt and restore the first encrypted VHD file to the VHD file.

Description

Computer system and virtual hard disk encryption and decryption method thereof

The present invention relates to an encryption and decryption technique for virtual hard disks.

Microsoft's virtual hard disk (VHD) offers many convenient uses. It lets users mount a virtual operating system without conflicting with the existing system, and lets them eject it directly when it is no longer needed, so that the virtual hard disk reverts to a virtual hard disk file (VHD file). In addition, Microsoft provides BitLocker, which performs Advanced Encryption Standard (AES) encryption, so a key must be entered to mount the virtual hard disk, and the user's more private data is well protected. Moreover, when the user ejects the virtual hard disk because it is no longer needed, the virtual hard disk immediately returns to the locked state, which makes it more convenient to use than eDrive encryption, also proposed by Microsoft, which encrypts the entire physical hard disk.

However, existing virtual hard disks rely on purely software-based AES encryption, so a virtual hard disk file can be copied to any operating system. If the file is inadvertently copied by a thief, it only takes some time to crack the password, and important data is at risk of leaking, which can lead to the theft of important information such as credit card and bank details.

The present invention provides a computer system and a method for encrypting and decrypting a virtual hard disk thereof, which can improve the security of the virtual hard disk.

In an embodiment of the present invention, the above method is applicable to a computer system having a storage device and a processor, and includes the following steps. When the virtual hard disk file corresponding to the virtual hard disk is stored in the storage device, the storage device encrypts the virtual hard disk file to generate a first encrypted virtual hard disk file, wherein the storage device is a self-encrypting hard disk. The processor encrypts the first encrypted virtual hard disk file to generate a second encrypted virtual hard disk file. When the processor receives a password, the processor determines whether the password is associated with a mount command for mounting the second encrypted virtual hard disk file. If so, the processor decrypts the second encrypted virtual hard disk file to restore it to the first encrypted virtual hard disk file. The storage device then decrypts the first encrypted virtual hard disk file to restore it to the virtual hard disk file.

In an embodiment of the present invention, the above computer system includes a storage device and a processor, wherein the storage device is a self-encrypting hard disk and the processor is coupled to the storage device. When the virtual hard disk file corresponding to the virtual hard disk is stored in the storage device, the storage device is configured to encrypt the virtual hard disk file to generate a first encrypted virtual hard disk file, wherein the storage device is a self-encrypting hard disk. The processor is configured to encrypt the first encrypted virtual hard disk file to generate a second encrypted virtual hard disk file. When the processor receives a password, the processor is configured to determine whether the password is associated with a mount command for mounting the second encrypted virtual hard disk file. If so, the processor is configured to decrypt the second encrypted virtual hard disk file to restore it to the first encrypted virtual hard disk file. The storage device is configured to decrypt the first encrypted virtual hard disk file to restore it to the virtual hard disk file.

To make the above features and advantages of the present invention easier to understand, embodiments are described in detail below in conjunction with the accompanying drawings.

Conventional eDrive technology encrypts the entire hard disk, which means that once the computer system has booted, the entire hard disk is already unlocked, and a thief can directly copy unprotected data in that unlocked state. Conventional BitLocker, on the other hand, performs AES encryption in software, so it consumes processor resources on access, and it has no way to restrict where a file is accessed. The concept of the present invention is mainly to introduce the encryption mechanism of a self-encrypting drive (SED) to encrypt the file. Since different hard disks generate different keys, the file can only be accessed on this hard disk. Even if a thief copies the file elsewhere and cracks the BitLocker password, without the hard disk's key the thief can still only see garbled data, which avoids the risk of the file data being cracked.

Some embodiments of the present invention are described in detail below with reference to the accompanying drawings. For the reference numerals cited in the following description, the same numeral appearing in different drawings is regarded as denoting the same or a similar element. These embodiments are only a part of the present invention and do not disclose all of its possible implementations. More precisely, these embodiments are merely examples of the method and the computer system within the scope of the claims of the present invention.

FIG. 1 is a block diagram of a computer system according to an embodiment of the present invention. FIG. 1 first introduces all the components of the system and how they are arranged; their detailed functions are disclosed together with FIG. 2.

Referring to FIG. 1, the computer system 100 includes a storage device 110 and a processor 120, wherein the processor 120 is electrically connected or coupled to the storage device 110. In this embodiment, the computer system 100 may be a personal computer, a notebook computer, a server computer, a tablet computer, a smartphone, or a workstation.

The storage device 110 may be a hard disk built into the computer system 100 and electrically connected or coupled to the processor 120, or a hard disk external to the computer system and electrically connected to the processor 120 by external means such as a transmission cable and a bus. In this embodiment, the storage device 110 is a self-encrypting hard disk, which may be, for example, a solid state drive (SSD) built according to the Opal security management specification, although the present invention is not limited thereto.

The processor 120 controls the operation of the components of the computer system 100. It may be, for example, a central processing unit (CPU) or another programmable general-purpose or special-purpose microprocessor, a digital signal processor (DSP), a programmable controller, an application specific integrated circuit (ASIC), a programmable logic device (PLD), another similar device, an integrated circuit, or a combination thereof.

In addition, those of ordinary skill in the art will understand that the computer system 100 further includes a memory (not shown) that is separate from the storage device 110. The memory stores the program code that the processor 120 uses to execute the access method, together with related data. It may be, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, another similar device, an integrated circuit, or a combination thereof.

FIG. 2 is a flowchart of a method for encrypting and decrypting a virtual hard disk of a computer system according to an embodiment of the present invention. The method of this embodiment is applicable to the computer system 100 of FIG. 1, and its detailed steps are described below with reference to the components of the computer system 100.

Referring to FIG. 1 and FIG. 2 together, first, when the virtual hard disk file corresponding to the virtual hard disk is stored in the storage device 110, the storage device 110 encrypts the virtual hard disk file to generate a first encrypted virtual hard disk file (step S201). The processor 120 encrypts the first encrypted virtual hard disk file to generate a second encrypted virtual hard disk file (step S202). In this embodiment, when the processor 120 receives an encryption instruction indicating that the user wants to encrypt the virtual hard disk file, the storage device 110 encrypts the virtual hard disk file with the hardware hash of the storage device 110, using the self-encryption mechanism of the Opal specification, to generate the first encrypted virtual file, and the processor 120 then further encrypts the first encrypted virtual file with BitLocker to generate the second encrypted virtual file, thereby providing dual protection in software and hardware. The encryption used here may be AES encryption, although the present invention is not limited thereto.

When the processor 120 receives a password, the processor 120 itself determines whether the password is associated with a mount command for mounting the second encrypted virtual file (step S204). When the processor 120 determines that the password is associated with the mount command for mounting the second encrypted virtual file, the processor 120 decrypts the second encrypted virtual hard disk file to restore it to the first encrypted virtual hard disk file (step S205). The storage device 110 decrypts the first encrypted virtual hard disk file to restore it to the virtual hard disk file (step S206). In this embodiment, the processor 120 uses the BitLocker key to decrypt the second encrypted virtual hard disk file back into the first encrypted virtual hard disk file, and the storage device 110 uses its own dedicated hardware hash key to decrypt the first encrypted virtual hard disk file back into the virtual hard disk file. The processor 120 can then access the mounted virtual hard disk to obtain the decrypted data.

In this embodiment, since the storage device 110 applies Opal-specification encryption only to the virtual hard disk, the virtual hard disk file remains undecrypted during normal operation of the computer system 100. The virtual hard disk file therefore also stays undecrypted when it is copied, which further reduces the risk of it being cracked. If a thief copies the virtual hard disk file directly to a device other than the storage device 110, the file cannot be decrypted there, because the hardware hash key dedicated to the storage device 110 is not available.
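The two-stage flow of steps S201 to S206, and the copy-to-another-device case just described, as an added example that is not part of the patent. The `SelfEncryptingDrive` class, the helper names and the HMAC-SHA256 stand-in cipher are assumptions made so the sketch runs on the Python standard library; the patent itself names Opal self-encryption and BitLocker (AES), and modelling the S204 password check as a MAC verification is likewise an assumption.

```python
import hashlib
import hmac
import os

# Stand-in cipher (assumption): HMAC-SHA256 keystream plus a MAC, so the example
# runs on the standard library. Illustration only, not AES and not for real use.

def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, data):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))

class SelfEncryptingDrive:
    """Hypothetical model of storage device 110: the key is unique per drive
    and is never handed to the caller."""
    def __init__(self):
        self._device_key = os.urandom(32)

    def encrypt(self, vhd_bytes):          # step S201
        return seal(self._device_key, vhd_bytes)

    def decrypt(self, first_encrypted):    # step S206
        return unseal(self._device_key, first_encrypted)

def password_key(password, salt):
    # Password-derived key for the software layer (the BitLocker role).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def protect(drive, vhd_bytes, password):
    first = drive.encrypt(vhd_bytes)                             # S201: device layer
    salt = os.urandom(16)
    return salt + seal(password_key(password, salt), first)      # S202: software layer

def mount(drive, second_encrypted, password):
    salt, blob = second_encrypted[:16], second_encrypted[16:]
    try:
        first = unseal(password_key(password, salt), blob)       # S204 / S205
    except ValueError:
        return None, "password rejected"
    try:
        return drive.decrypt(first), "mounted"                   # S206
    except ValueError:
        # The password layer opened, but this drive does not hold the device key.
        return None, "wrong drive"

# Constructed sample data, not a real VHD image.
SAMPLE_VHD = b"constructed sample VHD contents " * 4

if __name__ == "__main__":
    drive_a, drive_b = SelfEncryptingDrive(), SelfEncryptingDrive()
    stored = protect(drive_a, SAMPLE_VHD, "correct horse")
    print(mount(drive_a, stored, "correct horse")[1])   # original drive
    print(mount(drive_a, stored, "guess")[1])           # wrong password
    print(mount(drive_b, stored, "correct horse")[1])   # copied to another drive
```

The third call is the case the paragraph above is about: the correct password removes only the software layer, and what is left is still sealed under a key that exists only inside the original drive.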

For clarity, FIG. 3 is a functional flowchart of a method for decrypting a virtual hard disk of a computer system according to an embodiment of the present invention. In this embodiment, the storage device 110 is implemented as the SED 340, and the processor 120 is implemented as the CPU 310.

Referring to FIG. 3, in this embodiment, the CPU 310 issues a system command to decrypt the virtual hard disk file 325 with the BitLocker key, and the virtual hard disk file 325 sends a vendor-specific command to the SED 340. The SED 340 responds to the vendor-specific command by applying the hardware hash key to the virtual hard disk file 325 for decryption. In this way, there is no need to rely on the operating system's native file system 320, and no need to first decrypt the virtual hard disk file 325 and place it in the DRAM 330, which would raise additional concerns. The user can directly run the internal data of the mounted virtual hard disk file 325 through the operating system.

From another point of view, FIG. 4 is a schematic diagram comparing a method for decrypting a virtual hard disk according to an embodiment of the present invention with the prior art.

Referring to FIG. 4, in this embodiment, after the user mounts the virtual hard disk, the operating system can access the internal data of the virtual hard disk through the App 410, using the VHD file system 420 that holds the hardware hash key. In this way, the VHD file system 420 no longer conflicts with the file system of the native operating system. By contrast, if the App 410 itself builds a third-party file system to read encrypted files as the means of passing the hardware hash key, a file can only be copied to the OS file system 440 and cannot be executed directly, because all executable programs still depend on the OS file system 440. That approach protects poorly, because it amounts to decrypting the encrypted file before it can be copied to an unencrypted area. Even if the file is deleted immediately after the operation is finished, the OS file system 440 does not overwrite the data right away, which raises additional concerns.

Incidentally, when the storage device 110 is an SSD, the virtual hard disk can work together with the SSD firmware to achieve data reinforcement. Current SSDs mainly use multi-level cell structures such as TLC/QLC (that is, the same voltage range is divided into 8 or 16 levels), whose data retention capability is far inferior to that of the earlier SLC structure (the same voltage range is divided into 2 levels). However, if the SSD uses the SLC structure to store data, the space used by the virtual hard disk file will be 3 or 4 times the actual size, and this data can no longer be reorganized into the TLC/QLC structure, so the SSD firmware can handle it separately. Assuming that the virtual hard disk is used to store important data, and that this important data does not take up too much space, trading space for data accuracy can be an acceptable trade-off. Therefore, if the processor 120 detects that the SSD has TLC/QLC storage capability, the processor 120 can first process the internal data of the virtual hard disk accordingly, because the internal data of this virtual hard disk will be stored in 3 or 4 times the space of its data volume (that is, when a 2MB file is stored, the space actually occupied on the SSD is 6MB for TLC and 8MB for QLC), and the file system will declare, for example, 3 or 4 times the storage space for the internal data.

In summary, in the computer system and the virtual hard disk encryption and decryption method provided by the present invention, the processor and the storage device encrypt the virtual hard disk file corresponding to the virtual hard disk in two successive stages, and the processor and the storage device decrypt the encrypted virtual hard disk file in two successive stages, so that a dual information protection mechanism improves the security of the virtual hard disk.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Anyone of ordinary skill in the art may make some changes and refinements without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be as defined by the appended claims.

100: computer system
110: storage device
120: processor
S201~S206: steps
310: CPU
320: file system
325: virtual hard disk file
330: DRAM
340: SED
410: App
420: VHD file system
430: third-party file system
440: OS file system

FIG. 1 is a block diagram of a computer system according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for encrypting and decrypting a virtual hard disk of a computer system according to an embodiment of the present invention.
FIG. 3 is a functional flowchart of a method for encrypting and decrypting a virtual hard disk of a computer system according to an embodiment of the present invention.
FIG. 4 is a schematic diagram comparing a method for encrypting and decrypting a virtual hard disk according to an embodiment of the present invention with the prior art.

S201~S206: steps

Claims (10)

1. A method for encrypting and decrypting a virtual hard disk, applicable to a computer system having a storage device and a processor, comprising: when a virtual hard disk file corresponding to the virtual hard disk is stored in the storage device, encrypting the virtual hard disk file by the storage device to generate a first encrypted virtual hard disk file, wherein the storage device is a self-encrypting hard disk; encrypting the first encrypted virtual hard disk file by the processor to generate a second encrypted virtual hard disk file; when the processor receives a password, determining by the processor whether the password is associated with a mount command for mounting the second encrypted virtual hard disk file; when the processor determines that the password is associated with the mount command, decrypting the second encrypted virtual hard disk file by the processor to restore the second encrypted virtual hard disk file to the first encrypted virtual hard disk file; and decrypting the first encrypted virtual hard disk file by the storage device to restore the first encrypted virtual hard disk file to the virtual hard disk file.

2. The method according to claim 1, wherein the step of encrypting the virtual hard disk file by the storage device to generate the first encrypted virtual hard disk file comprises: encrypting the virtual hard disk file by the storage device with a hardware hash associated with the storage device, using the self-encryption mechanism of the Opal specification, to generate the first encrypted virtual hard disk file.

3. The method according to claim 2, wherein the step of decrypting the first encrypted virtual hard disk file to restore the first encrypted virtual hard disk file to the virtual hard disk file comprises: decrypting the first encrypted virtual hard disk file by the storage device with the hardware hash key of the storage device to restore the first encrypted virtual hard disk file to the virtual hard disk file.

4. The method according to claim 1, wherein the step of encrypting the first encrypted virtual hard disk file by the processor to generate the second encrypted virtual hard disk file comprises: encrypting the first encrypted virtual hard disk file by the processor with BitLocker to generate the second encrypted virtual hard disk file.

5. The method according to claim 4, wherein the step of decrypting the second encrypted virtual hard disk file by the processor to restore the second encrypted virtual hard disk file to the first encrypted virtual hard disk file comprises: decrypting the second encrypted virtual hard disk file by the processor with a BitLocker key to restore the second encrypted virtual hard disk file to the first encrypted virtual hard disk file.

6. The method according to claim 1, further comprising: setting, by the processor, a storage space in the storage device for storing the virtual hard disk file, wherein the storage space is larger than the data volume of the file data stored in the virtual hard disk.

7. The method according to claim 1, further comprising: accessing data, by the processor through an application, using the file system of the virtual hard disk.

8. A computer system, comprising: a storage device, wherein the storage device is a self-encrypting hard disk; and a processor coupled to the storage device, wherein: when a virtual hard disk file corresponding to the virtual hard disk is stored in the storage device, the storage device is configured to encrypt the virtual hard disk file to generate a first encrypted virtual hard disk file, wherein the storage device is a self-encrypting hard disk; the processor is configured to encrypt the first encrypted virtual hard disk file to generate a second encrypted virtual hard disk file; when the processor receives a password, the processor is configured to determine whether the password is associated with a mount command for mounting the second encrypted virtual hard disk file; when the processor determines that the password is associated with the mount command, the processor is configured to decrypt the second encrypted virtual hard disk file to restore the second encrypted virtual hard disk file to the first encrypted virtual hard disk file; and the storage device is configured to decrypt the first encrypted virtual hard disk file to restore the first encrypted virtual hard disk file to the virtual hard disk file.

9. The computer system according to claim 8, wherein the storage device encrypts the virtual hard disk file with a hardware hash associated with the storage device, using the self-encryption mechanism of the Opal specification, to generate the first encrypted virtual hard disk file, and the storage device decrypts the first encrypted virtual hard disk file with the hardware hash key of the storage device to restore the first encrypted virtual hard disk file to the virtual hard disk file.

10. The computer system according to claim 8, wherein the processor encrypts the first encrypted virtual hard disk file with BitLocker to generate the second encrypted virtual hard disk file, and the processor decrypts the second encrypted virtual hard disk file with a BitLocker key to restore the second encrypted virtual hard disk file to the first encrypted virtual hard disk file.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108110071A TW202036349A (en) 2019-03-22 2019-03-22 Computer system and method for virtual hard disk encryption and decryption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108110071A TW202036349A (en) 2019-03-22 2019-03-22 Computer system and method for virtual hard disk encryption and decryption

Publications (1)

Publication Number Publication Date
TW202036349A true TW202036349A (en) 2020-10-01

Family

ID=74091137

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108110071A TW202036349A (en) 2019-03-22 2019-03-22 Computer system and method for virtual hard disk encryption and decryption

Country Status (1)

Country Link
TW (1) TW202036349A (en)

Similar Documents

Publication Publication Date Title
US10348497B2 (en) System and method for content protection based on a combination of a user pin and a device specific identifier
US11809584B2 (en) File system metadata protection
US20190026117A1 (en) System and method for wiping encrypted data on a device having file-level content protection
US10503934B2 (en) Secure subsystem
AU2012204448B2 (en) System and method for in-place encryption
US9397834B2 (en) Scrambling an address and encrypting write data for storing in a storage device
US8433901B2 (en) System and method for wiping encrypted data on a device having file-level content protection
US9135450B2 (en) Systems and methods for protecting symmetric encryption keys
TWI514187B (en) Systems and methods for providing anti-malware protection on storage devices
US20220123932A1 (en) Data storage device encryption
WO2012047199A1 (en) Modifying a length of an element to form an encryption key
US20220045850A1 (en) Memory system encrypting data
TW202036349A (en) Computer system and method for virtual hard disk encryption and decryption
US20240160766A1 (en) File system metadata protection
US20220121781A1 (en) Data storage device encryption
CN101763319A (en) Disk FDE (Full Disk Encryption) system and method