WO2014089968A1 - Virtual machine system data encryption method and device - Google Patents

Virtual machine system data encryption method and device

Info

Publication number
WO2014089968A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
encryption
transport layer
virtual machine
application data
Prior art date
Application number
PCT/CN2013/079696
Other languages
French (fr)
Chinese (zh)
Inventor
刘新保
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2014089968A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Definitions

  • the embodiments of the present invention relate to communication technologies, and in particular, to a virtual machine system data encryption method and device.
  • Desktop virtualization installs a virtual machine system on the physical servers that make up the data center.
  • the virtual machine system simulates the hardware resources required for the operation of the operating system.
  • the operating system runs on top of these virtual hardware resources, so that multiple operating systems can share the hardware resources of the physical server, thereby improving resource utilization.
  • the embodiment of the invention provides a method and device for encrypting data of a virtual machine system, so as to implement encryption support for application data of multiple virtual machines on a physical server.
  • an embodiment of the present invention provides a data encryption method for a virtual machine system, including:
  • the terminal device sends the second packet encrypted by the transport layer to the network encryption gateway, specifically:
  • the terminal device sends the second packet encrypted by the transport layer to the network encryption gateway through the virtual channel established between the virtual desktop proxy client module of the terminal device and the virtual desktop proxy module of the virtual machine.
  • before the terminal device receives, through the virtual channel via the network encryption gateway, the first packet encrypted by the transport layer and sent by the network encryption gateway, the method further includes:
  • the terminal device extracts the encrypted application data from the decrypted first packet, and performs hardware decryption processing on the encrypted application data by using a hardware encryption module set on the terminal device.
  • the encrypted application data is data generated by a virtual machine in the virtual machine system and hardware-encrypted by the hardware encryption module of the terminal device;
  • a data encryption method for a virtual machine system including:
  • the virtual machine generates a first packet according to the received application data sent by the application in the virtual machine, and sends the first packet to the network encryption gateway;
  • the virtual machine generates a first packet according to the application data that is sent by the application in the virtual machine, which is specifically:
  • the virtual machine generates the first packet according to the received application data and the key identifier sent by the application, where the key identifier is used to identify a key.
  • the virtual machine sends the first packet to a network encryption gateway, specifically:
  • the virtual machine receives the second packet that is sent by the network encryption gateway after the transport layer decryption process, specifically:
  • the virtual machine generates a third packet according to the received encrypted application data sent by the application in the virtual machine, and sends the third packet to the network encryption gateway;
  • the virtual machine receives the fourth packet sent by the network encryption gateway after the transport layer decryption process, extracts the decrypted application data from the fourth packet after the transport layer decryption process, and sends the decrypted application data to the application, where the decrypted application data is obtained by the terminal device performing hardware decryption processing on the encrypted application data.
  • an embodiment of the present invention provides a terminal device, including:
  • a transport layer decryption module configured to receive a first packet sent by the network encryption gateway after the transport layer encryption process, and perform the transport layer decryption process on the first packet encrypted by the transport layer;
  • the transport layer encryption module is connected to the cryptographic service module and configured to generate a second packet according to the encrypted application data, perform a transport layer encryption process on the second packet, and send the second packet encrypted by the transport layer to the network encryption gateway.
  • the first packet includes a key identifier used to identify the key.
  • the cryptographic service module is specifically configured to extract the application data and the key identifier from the decrypted first packet, and send the application data and the key identifier to the hardware encryption module; the hardware encryption module determines a key according to the key identifier, encrypts the application data by using the key, and returns the encrypted application data to the terminal device.
  • the terminal device further includes:
  • the transport layer decryption module is configured to receive, by using the virtual channel, the first packet that is sent by the network encryption gateway and is encrypted by the transport layer;
  • the transport layer encryption module is specifically configured to send the second packet encrypted by the transport layer to the network encryption gateway through the virtual channel.
  • an embodiment of the present invention provides a virtual machine, including:
  • the virtual machine further includes:
  • a virtual desktop proxy module configured to establish, by the virtual desktop proxy client module of the terminal device, a virtual channel through the network encryption gateway;
  • an embodiment of the present invention provides a terminal device, including: a processor, a communication interface, a memory, and a bus:
  • the memory configured to store an instruction
  • an embodiment of the present invention provides a computer node for a virtual machine, including: a processor, a communication interface, a memory, and a bus:
  • the processor is configured to execute an instruction stored in the memory, wherein the processor is configured to: generate a first packet according to the received application data sent by the application in the virtual machine and send the first packet; extract the encrypted application data from the second packet after the transport layer decryption process and send the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption processing on the application data.
  • FIG. 1 is a flowchart of a method for encrypting data of a first virtual machine system according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a third virtual machine system data encryption method according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a first terminal device according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a second virtual machine according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a method for encrypting data of a first virtual machine system according to an embodiment of the present invention.
  • the data encryption method of the virtual machine system provided in this embodiment may be applied to a data encryption process in a virtual machine system, where the virtual machine system may include at least one physical server and each physical server is configured with at least two virtual machines; the following uses one of the virtual machines as an example to describe the virtual machine system data encryption method.
  • the data encryption method of the virtual machine system provided in this embodiment specifically includes:
  • Step C20: The terminal device extracts application data from the decrypted first packet, and performs hardware encryption processing on the application data by using a hardware encryption module provided on the terminal device, where the application data is data generated by a virtual machine in the virtual machine system;
  • Step C30: The terminal device generates a second packet according to the encrypted application data, performs a transport layer encryption process on the second packet, and sends the second packet after the transport layer encryption process to the network encryption gateway.
  • When the second packet is encrypted by the transport layer, the second packet may be hardware-encrypted by the hardware encryption module of the terminal device. The terminal device sends the second packet encrypted by the transport layer to the network encryption gateway, and the network encryption gateway decrypts the received second packet and sends it to the virtual machine.
  • the virtual machine extracts the application data from the second packet, where the application data is application data hardware-encrypted by the terminal device, and processes the application data accordingly; the processing may be, for example, an operation of forwarding the application data or writing the application data to disk.
  • the application data can be encrypted by the terminal device by the above method.
  • the terminal devices corresponding to each virtual machine can be the same terminal device or different terminal devices.
  • In the virtual machine system data encryption method provided by this embodiment, the terminal device receives the first packet sent by the network encryption gateway after the transport layer encryption process, performs the transport layer decryption process on the first packet encrypted by the transport layer, extracts application data from the decrypted first packet, and performs hardware encryption processing on the application data through a hardware encryption module provided on the terminal device, where the application data is data generated by the virtual machine in the virtual machine system; it then generates a second packet according to the encrypted application data, performs a transport layer encryption process on the second packet, and transmits the second packet encrypted by the transport layer to the network encryption gateway.
  • Because application data generated by the virtual machine is encrypted by a terminal device provided with a hardware encryption module, encryption support for the application data of multiple virtual machines on a physical server is implemented without inserting an encryption card in the physical server. Moreover, the encryption process takes full advantage of the processing capabilities of the terminal device and reduces the load on the virtual machine.
  • the first packet includes a key identifier for identifying a key.
  • the terminal device extracts application data from the decrypted first packet and performs hardware encryption processing on the application data by using a hardware encryption module provided on the terminal device, which may be:
  • the terminal device extracts the application data and the key identifier from the decrypted first packet, and sends the application data and the key identifier to the hardware encryption module.
  • the hardware encryption module determines a key according to the key identifier, encrypts the application data by using the key, and returns the encrypted application data to the terminal device.
  • the hardware encryption module of the terminal device may store multiple keys, each key has a unique key identifier, and the data provided by the application includes, in addition to the application data that needs to be encrypted, a key identifier.
  • the virtual machine generates the first packet by using the application data and the key identifier.
  • the terminal device receives the first packet that is sent by the network encryption gateway and is encrypted by the transport layer, which may specifically be:
  • the terminal device receives, by using the virtual desktop proxy client module of the terminal device, through the virtual channel established with the virtual desktop proxy module of the virtual machine via the network encryption gateway, the first packet encrypted by the transport layer and sent by the network encryption gateway;
  • In Step C30, the terminal device sends the second packet encrypted by the transport layer to the network encryption gateway, which may be:
  • the terminal device sends the second packet encrypted by the transport layer to the network encryption gateway through the virtual channel.
  • the virtual machine system is, for example, a system for providing virtual desktop services.
  • a virtual desktop agent (Virtual Desktop Agent, VDA for short)
  • the virtual desktop proxy module of the virtual machine establishes a virtual channel with the virtual desktop proxy client module of the terminal device, and the virtual channel passes through the network encryption gateway; the interaction between the virtual machine and the terminal device can be implemented through the virtual channel.
  • the hardware encryption module on the terminal device can be reused to provide the transport layer encryption capability between the terminal device and the desktop cloud data center, that is, the virtual machine system, which saves the cost of deploying a network encryption machine on the terminal device side and makes the access location of the desktop terminal flexible.
  • before the terminal device receives, through the virtual channel established by the virtual desktop proxy client module of the terminal device with the virtual desktop proxy module of the virtual machine via the network encryption gateway, the first packet encrypted by the transport layer and sent by the network encryption gateway, the method further includes:
  • the virtual desktop proxy client module of the terminal device establishes the virtual channel with the virtual desktop proxy module of the virtual machine.
  • the process of establishing the virtual channel may be initiated by the virtual desktop proxy client module of the terminal device towards the virtual desktop proxy module of the virtual machine, or the request may be initiated by the virtual desktop proxy module of the virtual machine towards the virtual desktop proxy client module of the terminal device.
  • the virtual machine system data encryption method may further include:
  • Step C40: The terminal device receives the third packet sent by the network encryption gateway after the transport layer encryption process, and performs the transport layer decryption process on the third packet encrypted by the transport layer;
  • Step C50: The terminal device extracts the encrypted application data from the decrypted first packet, and performs hardware decryption processing on the encrypted application data by using the hardware encryption module provided on the terminal device.
  • the encrypted application data is data generated by a virtual machine in the virtual machine system and hardware-encrypted by the hardware encryption module of the terminal device;
  • Step C60: The terminal device generates a fourth packet according to the decrypted application data, performs a transport layer encryption process on the fourth packet, and sends the fourth packet after the transport layer encryption process to the network encryption gateway.
  • the terminal device may further decrypt, through the hardware encryption module, the encrypted application data sent by the virtual machine.
  • the encrypted application data is generated by the application of the virtual machine as described above and encrypted by the hardware encryption module of the terminal device.
  • When an application on the virtual machine needs to decrypt encrypted application data, the virtual machine generates the third packet from the encrypted application data and sends the third packet to the network encryption gateway; the network encryption gateway performs the transport layer encryption process on the third packet and then sends the third packet to the terminal device.
  • the terminal device receives the third packet that is sent by the network encryption gateway and is encrypted by the transport layer, and performs a transport layer decryption process.
  • the transport layer decryption process may also be implemented by using a hardware encryption module set on the terminal device.
  • the decrypted application data is returned to the terminal device, and the terminal device generates a fourth packet by using the decrypted application data, and the fourth packet is encrypted by the transport layer and then sent to the network encryption gateway.
  • the network encryption gateway decrypts the received fourth packet and sends it to the virtual machine.
  • the virtual machine extracts the decrypted application data from the fourth packet, and performs corresponding processing on the application data, and the processing may be, for example, an operation of forwarding the application data or writing the application data to the disk.
  • the application data can be decrypted by the terminal device by the above method.
  • FIG. 3 is a flowchart of a third virtual machine system data encryption method according to an embodiment of the present invention. As shown in FIG. 3,
  • the data encryption method of the virtual machine system provided in this embodiment may be implemented in conjunction with the data encryption method of the virtual machine system applied to the terminal device according to any embodiment of the present invention.
  • the specific implementation process is not described herein.
  • the data encryption method of the virtual machine system provided in this embodiment specifically includes:
  • Step S10: The virtual machine generates a first packet according to the application data sent by the application in the virtual machine, and sends the first packet to the network encryption gateway.
  • Step S20: The virtual machine receives the second packet sent by the network encryption gateway after the transport layer decryption process, extracts the encrypted application data from the second packet after the transport layer decryption process, and sends the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption processing on the application data.
  • In the virtual machine system data encryption method provided by this embodiment, the virtual machine generates a first packet according to the received application data sent by the application in the virtual machine and sends the first packet to the network encryption gateway; it then receives the second packet sent by the network encryption gateway after the transport layer decryption process, extracts the encrypted application data from the second packet after the transport layer decryption process, and sends the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption processing on the application data.
  • Encryption of application data generated by the virtual machine by the terminal device provided with the hardware encryption module eliminates the need to insert an encryption card on the physical server, thereby implementing encryption support for application data of multiple virtual machines on the physical server.
  • the encryption process takes full advantage of the processing capabilities of the terminal device and reduces the load on the virtual machine.
  • In step S10, the virtual machine generates a first packet according to the application data sent by the application program in the virtual machine, which may be:
  • the virtual machine generates the first packet according to the received application data and a key identifier sent by the application, where the key identifier is used to identify a key.
  • by using a key identifier, the key itself is not transmitted, which ensures the security of the key.
  • In step S10, the virtual machine sends the first packet to the network encryption gateway, specifically:
  • the virtual machine sends the first packet to the network encryption gateway through the virtual channel that is established by the virtual desktop proxy module of the virtual machine with the virtual desktop proxy client module of the terminal device via the network encryption gateway;
  • In Step S20, the virtual machine receives the second packet sent by the network encryption gateway after the transport layer decryption process, specifically:
  • the virtual machine receives, through the virtual channel, the second packet sent by the network encryption gateway after the transport layer decryption process.
  • In step S10, before the virtual machine sends the first packet to the network encryption gateway, the method may further include:
  • the virtual desktop proxy module of the virtual machine establishes the virtual channel with a virtual desktop proxy client module of the terminal device.
  • FIG. 4 is a flowchart of a fourth method for encrypting data of a virtual machine system according to an embodiment of the present invention.
  • the virtual machine system data encryption method may further include:
  • Step S30: The virtual machine generates a third packet according to the encrypted application data sent by the application in the virtual machine, and sends the third packet to the network encryption gateway.
  • Step S40: The virtual machine receives the fourth packet sent by the network encryption gateway after the transport layer decryption process, extracts the decrypted application data from the fourth packet after the transport layer decryption process, and sends the decrypted application data to the application, where the decrypted application data is obtained by the terminal device performing hardware decryption processing on the encrypted application data.
  • FIG. 5 is a schematic structural diagram of a first terminal device according to an embodiment of the present invention.
  • the terminal device 81 provided in this embodiment may implement various steps of the data encryption method for the virtual machine system applied to the terminal device according to any embodiment of the present invention. The specific implementation process is not described herein.
  • the terminal device 81 provided in this embodiment specifically includes a transport layer decryption module 11, an encryption service module 12, and a transport layer encryption module 13.
  • the transport layer decryption module 11 is configured to receive a first packet after the transport layer encryption process sent by the network encryption gateway, and perform the transport layer decryption process on the first packet that has been encrypted by the transport layer;
  • the encryption service module 12 is connected to the transport layer decryption module 11 and configured to extract application data from the decrypted first packet and perform hardware encryption processing on the application data by using the hardware encryption module 14 provided on the terminal device 81;
  • the application data is data generated by a virtual machine in the virtual machine system;
  • the transport layer encryption module 13 is connected to the encryption service module 12 and configured to generate a second packet according to the encrypted application data, perform a transport layer encryption process on the second packet, and send the second packet encrypted by the transport layer to the network encryption gateway.
  • In the terminal device 81 provided by this embodiment, the transport layer decryption module 11 receives the first packet sent by the network encryption gateway after the transport layer encryption process and performs the transport layer decryption process on it; the encryption service module 12 extracts application data from the decrypted first packet and performs hardware encryption processing on the application data through the hardware encryption module 14 provided on the terminal device 81, where the application data is data generated by a virtual machine in the virtual machine system; and the transport layer encryption module 13 generates a second packet according to the encrypted application data, performs a transport layer encryption process on the second packet, and sends the second packet encrypted by the transport layer to the network encryption gateway.
  • Because the application data generated by the virtual machine is encrypted by the terminal device 81 provided with the hardware encryption module 14, encryption support for the application data of multiple virtual machines on the physical server is implemented without inserting an encryption card in the physical server. Moreover, the encryption process takes full advantage of the processing capabilities of the terminal device 81, reducing the load on the virtual machine.
  • the first packet includes a key identifier for identifying a key.
  • the encryption service module 12 is specifically configured to extract the application data and the key identifier from the decrypted first packet and send the application data and the key identifier to the hardware encryption module 14; the hardware encryption module 14 determines a key according to the key identifier, encrypts the application data by using the key, and returns the encrypted application data to the terminal device 81.
  • FIG. 6 is a schematic structural diagram of a second terminal device according to an embodiment of the present invention.
  • the terminal device 81 further includes a virtual desktop proxy client module 15, which is configured to establish a virtual channel with the virtual desktop proxy module of the virtual machine via the network encryption gateway; correspondingly, the transport layer decryption module 11 is specifically configured to receive, through the virtual channel, the first packet sent by the network encryption gateway after the transport layer encryption process, and the transport layer encryption module 13 is specifically configured to send the second packet encrypted by the transport layer to the network encryption gateway through the virtual channel.
  • the transport layer decryption module 11 is further configured to receive a third packet sent by the network encryption gateway after the transport layer encryption process, and perform a transport layer decryption process on the third packet encrypted by the transport layer;
  • the encryption service module 12 is further configured to extract the encrypted application data from the decrypted first packet and perform hardware decryption processing on the encrypted application data by using the hardware encryption module 14 provided on the terminal device 81, where the encrypted application data is data generated by a virtual machine in the virtual machine system and hardware-encrypted by the hardware encryption module 14 of the terminal device 81;
  • the transport layer encryption module 13 is further configured to generate a fourth packet according to the decrypted application data, perform a transport layer encryption process on the fourth packet, and send the fourth packet after the transport layer encryption process to the network encryption gateway.
  • FIG. 7 is a schematic structural diagram of a first virtual machine according to an embodiment of the present invention.
  • the virtual machine 82 provided in this embodiment may implement various steps of the data encryption method of the virtual machine system applied to the virtual machine provided by any embodiment of the present invention. The specific implementation process is not described herein.
  • the virtual machine 82 provided in this embodiment specifically includes a sending processing module 21 and a receiving processing module 22.
  • the sending processing module 21 is configured to generate a first packet according to the received application data sent by the application in the virtual machine 82, and send the first packet to a network encryption gateway; the receiving processing module 22 is configured to receive the second packet sent by the network encryption gateway after the transport layer decryption process, extract the encrypted application data from the second packet after the transport layer decryption process, and send the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption processing on the application data.
  • the application in the virtual machine 82 can send the application data to the sending processing module 21 by calling an API (Application Programming Interface) of the sending processing module 21.
  • In the virtual machine 82 provided by this embodiment, the sending processing module 21 generates a first packet according to the received application data sent by the application program in the virtual machine 82 and sends the first packet to the network encryption gateway; the receiving processing module 22 receives the second packet sent by the network encryption gateway after the transport layer decryption process, extracts the encrypted application data from the second packet after the transport layer decryption process, and sends the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption processing on the application data.
  • Because the application data generated by the virtual machine 82 is encrypted by the terminal device provided with the hardware encryption module, encryption support for the application data of multiple virtual machines 82 on the physical server is implemented without inserting an encryption card in the physical server. Moreover, the encryption process takes full advantage of the processing capabilities of the terminal device, reducing the load on the virtual machine 82.
  • the sending processing module 21 is specifically configured to generate the first packet according to the received application data and the key identifier sent by the application, where the key identifier is used to identify the key.
  • FIG. 8 is a schematic structural diagram of a second virtual machine according to an embodiment of the present invention.
  • the virtual machine 82 further includes a virtual desktop proxy module 23, configured to establish, with the virtual desktop proxy client module of the terminal device, a virtual channel via the network encryption gateway; correspondingly, the sending processing module 21 is specifically configured to send the first packet to the network encryption gateway through the virtual channel, and the receiving processing module 22 is specifically configured to receive, through the virtual channel, the second packet sent by the network encryption gateway after transport layer decryption processing.
  • the sending processing module 21 is further configured to generate a third packet according to the received encrypted application data sent by the application in the virtual machine 82, and to send the third packet to the network encryption gateway;
  • the receiving processing module 22 is further configured to receive the fourth packet sent by the network encryption gateway after transport layer decryption processing, to extract the decrypted application data from the fourth packet that has undergone the transport layer decryption processing, and to send the decrypted application data to the application, where the decrypted application data is obtained by the terminal device performing hardware decryption processing on the encrypted application data.
  • FIG. 9 is a schematic structural diagram of a third terminal device according to an embodiment of the present invention.
  • the terminal device 700 provided in this embodiment may implement the steps of the virtual machine system data encryption method applied to a terminal device according to any embodiment of the present invention; the specific implementation process is not described herein.
  • the terminal device 700 provided in this embodiment specifically includes a processor 710, a communication interface 720, a memory 730 and a communication bus 740, where the processor 710, the communication interface 720 and the memory 730 communicate with each other through the communication bus 740.
  • the communication interface 720 is configured to receive a first packet sent by the network encryption gateway after transport layer encryption processing, and to send the second packet after transport layer encryption processing to the network encryption gateway; the memory 730 is configured to store instructions; the processor 710 is configured to execute the instructions stored in the memory 730, where the processor 710 is configured to perform transport layer decryption processing on the first packet that has undergone the transport layer encryption processing, extract the application data from the decrypted first packet, and perform hardware encryption processing on the application data by using the hardware encryption module provided on the terminal device, where the application data is data generated by a virtual machine in the virtual machine system; and to generate a second packet according to the encrypted application data and perform transport layer encryption processing on the second packet.
  • FIG. 10 is a schematic structural diagram of a computer node for a virtual machine according to an embodiment of the present invention.
  • the computer node 800 for a virtual machine provided in this embodiment may implement the steps of the virtual machine system data encryption method applied to a virtual machine according to any embodiment of the present invention; the specific implementation process is not repeated here.
  • the computer node 800 for a virtual machine specifically includes a processor 810, a communication interface 820, a memory 830 and a communication bus 840, where the processor 810, the communication interface 820 and the memory 830 communicate with each other through the communication bus 840; the communication interface 820 is configured to send the first packet to the network encryption gateway, and to receive the second packet sent by the network encryption gateway after transport layer decryption processing;
  • the memory 830 is configured to store instructions; the processor 810 is configured to execute the instructions stored in the memory 830, where the processor 810 is configured to generate the first packet according to the received application data sent by the application in the virtual machine; and to extract the encrypted application data from the second packet that has undergone the transport layer decryption processing and send the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption processing on the application data.

Abstract

Provided are a virtual machine system data encryption method and device. The virtual machine system data encryption method comprises: terminal equipment receiving a first message which is sent by a network encryption gateway and has been subjected to transport-layer encryption processing, and performing transport-layer decryption processing on the first message which has been subjected to the transport-layer encryption processing; the terminal equipment extracting application data from the decrypted first message, and performing hardware encryption processing on the application data through a hardware encryption module arranged on the terminal equipment, wherein the application data are data generated by a virtual machine in a virtual machine system; and the terminal equipment generating a second message according to the encrypted application data, subjecting the second message to transport-layer encryption processing, and sending to the network encryption gateway the second message which has been subjected to the transport-layer encryption processing. The virtual machine system data encryption method and device provided in the embodiments of the present invention realize encryption support for application data of a plurality of virtual machines on a physical server.

Description

Virtual machine system data encryption method and device
[01] Technical Field
[02] The embodiments of the present invention relate to communication technologies, and in particular to a virtual machine system data encryption method and device.
[03] Background
[04] With the development of computer technology, virtualization technology has been widely promoted and applied. Desktop virtualization installs a virtual machine system on the physical servers of a data center; the virtual machine system emulates the hardware resources that an operating system needs in order to run. Operating systems run on top of these virtual hardware resources, so that multiple operating systems share the hardware resources of the physical server, thereby improving resource utilization.
[05] Encryption is an important means of ensuring the security of data. An encryption card is a dedicated plug-in cryptographic device that provides encryption services to a PC (Personal Computer). When an encryption card is installed in a PC, it can encrypt the data on the PC or the data flowing out of the PC, so as to ensure data security. Data encryption by means of an encryption card is more secure because the key is not stored in memory. However, for a physical server on which a virtual machine system is installed, inserting an encryption card into the physical server means that, since the prior art has no virtualization technology for encryption cards, only one virtual machine on the physical server can occupy the encryption card for encryption services at any one time; a solution is urgently needed.
[06]
[07] Summary of the Invention
[08] The embodiments of the present invention provide a virtual machine system data encryption method and device, so as to provide encryption support for the application data of multiple virtual machines on a physical server.
[09] In a first aspect, an embodiment of the present invention provides a virtual machine system data encryption method, including:
[10] a terminal device receives a first packet sent by a network encryption gateway after transport layer encryption processing, and performs transport layer decryption processing on the first packet that has undergone the transport layer encryption processing;
[11] the terminal device extracts application data from the decrypted first packet, and performs hardware encryption processing on the application data by using a hardware encryption module provided on the terminal device, where the application data is data generated by a virtual machine in a virtual machine system;
[12] the terminal device generates a second packet according to the encrypted application data, performs transport layer encryption processing on the second packet, and sends the second packet after the transport layer encryption processing to the network encryption gateway.
[13] In a first possible implementation manner, the first packet includes a key identifier used to identify a key;
[14] the terminal device extracting application data from the decrypted first packet and performing hardware encryption processing on the application data by using the hardware encryption module provided on the terminal device specifically includes:
[15] the terminal device extracts the application data and the key identifier from the decrypted first packet, and sends the application data and the key identifier to the hardware encryption module; the hardware encryption module determines a key according to the key identifier, encrypts the application data with the key, and returns the encrypted application data to the terminal device.
[16] With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner, the terminal device receiving the first packet sent by the network encryption gateway after transport layer encryption processing specifically includes:
[17] the terminal device receives the first packet that has undergone the transport layer encryption processing from the network encryption gateway through a virtual channel via the network encryption gateway, established between the virtual desktop proxy client module of the terminal device and the virtual desktop proxy module of the virtual machine;
[18] the terminal device sending the second packet after the transport layer encryption processing to the network encryption gateway specifically includes:
[19] the terminal device sends the second packet after the transport layer encryption processing to the network encryption gateway through the virtual channel.
[20] With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner, before the terminal device receives the first packet that has undergone the transport layer encryption processing from the network encryption gateway through the virtual channel via the network encryption gateway established between the virtual desktop proxy client module of the terminal device and the virtual desktop proxy module of the virtual machine, the method further includes:
[21] the virtual desktop proxy client module of the terminal device establishes the virtual channel with the virtual desktop proxy module of the virtual machine.
[22] In a fourth possible implementation manner, the method further includes:
[23] the terminal device receives a third packet sent by the network encryption gateway after transport layer encryption processing, and performs transport layer decryption processing on the third packet that has undergone the transport layer encryption processing;
[24] the terminal device extracts encrypted application data from the decrypted first packet, and performs hardware decryption processing on the encrypted application data by using the hardware encryption module provided on the terminal device, where the encrypted application data is data generated by a virtual machine in the virtual machine system and hardware-encrypted by the hardware encryption module of the terminal device;
[25] the terminal device generates a fourth packet according to the decrypted application data, performs transport layer encryption processing on the fourth packet, and sends the fourth packet after the transport layer encryption processing to the network encryption gateway.
[26] In a second aspect, an embodiment of the present invention provides a virtual machine system data encryption method, including:
[27] a virtual machine generates a first packet according to received application data sent by an application in the virtual machine, and sends the first packet to a network encryption gateway;
[28] the virtual machine receives a second packet sent by the network encryption gateway after transport layer decryption processing, extracts encrypted application data from the second packet that has undergone the transport layer decryption processing, and sends the encrypted application data to the application, where the encrypted application data is obtained by a terminal device performing hardware encryption processing on the application data.
[29] In a first possible implementation manner, the virtual machine generating the first packet according to the received application data sent by the application in the virtual machine specifically includes:
[30] the virtual machine generates the first packet according to the received application data and a key identifier sent by the application, where the key identifier is used to identify a key.
[31] With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner, the virtual machine sending the first packet to the network encryption gateway specifically includes:
[32] the virtual machine sends the first packet to the network encryption gateway through a virtual channel via the network encryption gateway, established between the virtual desktop proxy module of the virtual machine and the virtual desktop proxy client module of the terminal device;
[33] the virtual machine receiving the second packet sent by the network encryption gateway after transport layer decryption processing specifically includes:
[34] the virtual machine receives, through the virtual channel, the second packet sent by the network encryption gateway after the transport layer decryption processing.
[35] With reference to the second possible implementation manner of the second aspect, in a third possible implementation manner, before the virtual machine sends the first packet to the network encryption gateway, the method further includes:
[36] the virtual desktop proxy module of the virtual machine establishes the virtual channel with the virtual desktop proxy client module of the terminal device.
[37] In a fourth possible implementation manner, the method further includes:
[38] the virtual machine generates a third packet according to received encrypted application data sent by the application in the virtual machine, and sends the third packet to the network encryption gateway;
[39] the virtual machine receives a fourth packet sent by the network encryption gateway after transport layer decryption processing, extracts decrypted application data from the fourth packet that has undergone the transport layer decryption processing, and sends the decrypted application data to the application, where the decrypted application data is obtained by the terminal device performing hardware decryption processing on the encrypted application data.
[40] In a third aspect, an embodiment of the present invention provides a terminal device, including:
[41] a transport layer decryption module, configured to receive a first packet sent by a network encryption gateway after transport layer encryption processing, and to perform transport layer decryption processing on the first packet that has undergone the transport layer encryption processing;
[42] an encryption service module, connected to the transport layer decryption module and configured to extract application data from the decrypted first packet and to perform hardware encryption processing on the application data by using a hardware encryption module provided on the terminal device, where the application data is data generated by a virtual machine in a virtual machine system;
[43] a transport layer encryption module, connected to the encryption service module and configured to generate a second packet according to the encrypted application data, to perform transport layer encryption processing on the second packet, and to send the second packet after the transport layer encryption processing to the network encryption gateway.
[44] In a first possible implementation manner, the first packet includes a key identifier used to identify a key;
[45] the encryption service module is specifically configured to extract the application data and the key identifier from the decrypted first packet, and to send the application data and the key identifier to the hardware encryption module; the hardware encryption module determines a key according to the key identifier, encrypts the application data with the key, and returns the encrypted application data to the terminal device.
[46] With reference to the third aspect or the first possible implementation manner of the third aspect, in a second possible implementation manner, the terminal device further includes:
[47] a virtual desktop proxy client module, configured to establish, with the virtual desktop proxy module of the virtual machine, a virtual channel via the network encryption gateway;
[48] the transport layer decryption module is specifically configured to receive, through the virtual channel, the first packet sent by the network encryption gateway after the transport layer encryption processing;
[49] the transport layer encryption module is specifically configured to send the second packet after the transport layer encryption processing to the network encryption gateway through the virtual channel.
[50] In a third possible implementation manner, the transport layer decryption module is further configured to receive a third packet sent by the network encryption gateway after transport layer encryption processing, and to perform transport layer decryption processing on the third packet that has undergone the transport layer encryption processing;
[51] the encryption service module further extracts encrypted application data from the decrypted first packet, and performs hardware decryption processing on the encrypted application data by using the hardware encryption module provided on the terminal device, where the encrypted application data is data generated by a virtual machine in the virtual machine system and hardware-encrypted by the hardware encryption module of the terminal device;
[52] the transport layer encryption module is further configured to generate a fourth packet according to the decrypted application data, to perform transport layer encryption processing on the fourth packet, and to send the fourth packet after the transport layer encryption processing to the network encryption gateway.
[53] In a fourth aspect, an embodiment of the present invention provides a virtual machine, including:
[54] a sending processing module, configured to generate a first packet according to received application data sent by an application in the virtual machine, and to send the first packet to a network encryption gateway;
[55] a receiving processing module, configured to receive a second packet sent by the network encryption gateway after transport layer decryption processing, to extract encrypted application data from the second packet that has undergone the transport layer decryption processing, and to send the encrypted application data to the application, where the encrypted application data is obtained by a terminal device performing hardware encryption processing on the application data.
[56] In a first possible implementation manner, the sending processing module is specifically configured to generate the first packet according to the received application data and a key identifier sent by the application, where the key identifier is used to identify a key.
[57] With reference to the fourth aspect or the first possible implementation manner of the fourth aspect, in a second possible implementation manner, the virtual machine further includes:
[58] a virtual desktop proxy module, configured to establish, with the virtual desktop proxy client module of the terminal device, a virtual channel via the network encryption gateway;
[59] the sending processing module is specifically configured to send the first packet to the network encryption gateway through the virtual channel;
[60] the receiving processing module is specifically configured to receive, through the virtual channel, the second packet sent by the network encryption gateway after the transport layer decryption processing.
[61] In a third possible implementation manner, the sending processing module is further configured to generate a third packet according to received encrypted application data sent by the application in the virtual machine, and to send the third packet to the network encryption gateway;
[62] the receiving processing module is further configured to receive a fourth packet sent by the network encryption gateway after transport layer decryption processing, to extract decrypted application data from the fourth packet that has undergone the transport layer decryption processing, and to send the decrypted application data to the application, where the decrypted application data is obtained by the terminal device performing hardware decryption processing on the encrypted application data.
[63] In a fifth aspect, an embodiment of the present invention provides a terminal device, including a processor, a communication interface, a memory and a bus:
[64] where the processor, the communication interface and the memory communicate with each other through the bus;
[65] the communication interface is configured to receive a first packet sent by a network encryption gateway after transport layer encryption processing, and to send a second packet after transport layer encryption processing to the network encryption gateway;
[66] the memory is configured to store instructions;
[67] the processor is configured to execute the instructions stored in the memory, where the processor is configured to perform transport layer decryption processing on the first packet that has undergone the transport layer encryption processing, extract application data from the decrypted first packet, and perform hardware encryption processing on the application data by using a hardware encryption module provided on the terminal device, where the application data is data generated by a virtual machine in a virtual machine system; and to generate the second packet according to the encrypted application data and perform transport layer encryption processing on the second packet.
[68] In a sixth aspect, an embodiment of the present invention provides a computer node for a virtual machine, including a processor, a communication interface, a memory and a bus:
[69] where the processor, the communication interface and the memory communicate with each other through the bus;
[70] the communication interface is configured to send a first packet to a network encryption gateway, and to receive a second packet sent by the network encryption gateway after transport layer decryption processing;
[71] the memory is configured to store instructions;
[72] the processor is configured to execute the instructions stored in the memory, where the processor is configured to generate the first packet according to received application data sent by an application in the virtual machine; and to extract encrypted application data from the second packet that has undergone the transport layer decryption processing and send the encrypted application data to the application, where the encrypted application data is obtained by a terminal device performing hardware encryption processing on the application data.
[73] As can be seen from the above technical solutions, in the virtual machine system data encryption method and device provided by the embodiments of the present invention, a terminal device receives a first packet sent by a network encryption gateway after transport layer encryption processing, performs transport layer decryption processing on the first packet that has undergone the transport layer encryption processing, extracts application data from the decrypted first packet, and performs hardware encryption processing on the application data by using a hardware encryption module provided on the terminal device, where the application data is data generated by a virtual machine in a virtual machine system; it then generates a second packet according to the encrypted application data, performs transport layer encryption processing on the second packet, and sends the second packet after the transport layer encryption processing to the network encryption gateway. Because the application data generated by the virtual machine is encrypted by a terminal device equipped with a hardware encryption module, no encryption card needs to be inserted into the physical server, and encryption support for the application data of multiple virtual machines on the physical server is achieved. Moreover, the encryption process makes full use of the processing capability of the terminal device, reducing the load on the virtual machine.
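The first and second aspects above describe one round trip: the virtual machine builds a packet carrying application data and a key identifier, the network encryption gateway applies transport layer encryption, and the terminal device removes the transport layer, has its hardware encryption module encrypt (or, for a third packet, decrypt) the data under the key named by the identifier, and returns the result the same way. The simulation below is an added example and not code from the patent; it assumes a JSON packet layout, a toy HMAC-based cipher in place of the unspecified transport layer encryption, and a HardwareEncryptionModule class standing in for the hardware module, with constructed keys and sample data.

```python
import hashlib
import hmac
import json
import secrets
import struct

# ---- Toy transport-layer cipher (stand-in for TLS; constructed for this example) ----

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode. Adequate for a simulation, not for production use."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(key + b"enc", nonce, len(plaintext)))
    tag = hmac.new(key + b"mac", nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def transport_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a modified packet is rejected, not processed."""
    if len(blob) < 48:
        raise ValueError("transport-layer packet too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key + b"mac", nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("transport-layer integrity check failed")
    return _xor(ciphertext, _keystream(key + b"enc", nonce, len(ciphertext)))


# ---- Hardware encryption module on the terminal device (constructed stand-in) ----

class HardwareEncryptionModule:
    """Keys are selected by key identifier and never leave the module; callers only ever
    hold the identifier. Confidentiality only, mirroring what the patent text describes."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)

    def encrypt(self, key_id: str, data: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + _xor(data, _keystream(self._keys[key_id], nonce, len(data)))

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        nonce, ciphertext = blob[:16], blob[16:]
        return _xor(ciphertext, _keystream(self._keys[key_id], nonce, len(ciphertext)))


# ---- Packet layout assumed for the example: JSON with kind, key identifier and payload ----

def build_packet(kind: str, key_id: str, payload: bytes) -> bytes:
    return json.dumps({"kind": kind, "key_id": key_id, "payload": payload.hex()}).encode()


def parse_packet(raw: bytes) -> dict:
    pkt = json.loads(raw)
    pkt["payload"] = bytes.fromhex(pkt["payload"])
    return pkt


# ---- Terminal device: transport decrypt -> hardware module -> rebuild -> transport encrypt ----

def terminal_handle(hsm: HardwareEncryptionModule, transport_key: bytes, wire_in: bytes) -> bytes:
    """A first packet yields a second packet (hardware-encrypted application data);
    a third packet yields a fourth packet (hardware-decrypted application data)."""
    pkt = parse_packet(transport_decrypt(transport_key, wire_in))
    if pkt["kind"] == "first":
        reply = build_packet("second", pkt["key_id"], hsm.encrypt(pkt["key_id"], pkt["payload"]))
    elif pkt["kind"] == "third":
        reply = build_packet("fourth", pkt["key_id"], hsm.decrypt(pkt["key_id"], pkt["payload"]))
    else:
        raise ValueError("unexpected packet kind: %r" % pkt["kind"])
    return transport_encrypt(transport_key, reply)


# ---- Virtual machine side of one round trip; the gateway's transport-layer steps are inlined ----

REPLY_KIND = {"first": "second", "third": "fourth"}


def vm_exchange(payload: bytes, key_id: str, kind: str, hsm: HardwareEncryptionModule,
                transport_key: bytes) -> bytes:
    """kind="first": plaintext application data out, encrypted application data back.
    kind="third": encrypted application data out, decrypted application data back.
    The virtual machine holds only the key identifier; the gateway holds the transport key
    and sees the packet in clear before applying transport-layer encryption."""
    outbound = build_packet(kind, key_id, payload)                        # virtual machine
    wire = transport_encrypt(transport_key, outbound)                     # gateway: transport-layer encryption
    wire_back = terminal_handle(hsm, transport_key, wire)                 # terminal device
    inbound = parse_packet(transport_decrypt(transport_key, wire_back))  # gateway: transport-layer decryption
    if inbound["kind"] != REPLY_KIND[kind]:
        raise ValueError("unexpected reply kind: %r" % inbound["kind"])
    return inbound["payload"]                                             # handed to the application


if __name__ == "__main__":
    hsm = HardwareEncryptionModule({"key-1": secrets.token_bytes(32)})  # constructed key store
    transport_key = secrets.token_bytes(32)
    record = b"constructed sample application data"
    encrypted = vm_exchange(record, "key-1", "first", hsm, transport_key)
    assert vm_exchange(encrypted, "key-1", "third", hsm, transport_key) == record
    print("round trip ok:", encrypted.hex())
```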
[74]
[75] BRIEF DESCRIPTION OF THE DRAWINGS
[76] To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
[77] FIG. 1 is a flowchart of a first virtual machine system data encryption method according to an embodiment of the present invention;
[78] FIG. 2 is a flowchart of a second virtual machine system data encryption method according to an embodiment of the present invention;
[79] FIG. 3 is a flowchart of a third virtual machine system data encryption method according to an embodiment of the present invention;
[80] FIG. 4 is a flowchart of a fourth virtual machine system data encryption method according to an embodiment of the present invention;
[81] FIG. 5 is a schematic structural diagram of a first terminal device according to an embodiment of the present invention;
[82] FIG. 6 is a schematic structural diagram of a second terminal device according to an embodiment of the present invention;
[83] FIG. 7 is a schematic structural diagram of a first virtual machine according to an embodiment of the present invention;
[84] FIG. 8 is a schematic structural diagram of a second virtual machine according to an embodiment of the present invention;
[85] FIG. 9 is a schematic structural diagram of a third terminal device according to an embodiment of the present invention;
[86] FIG. 10 is a schematic structural diagram of a computer node for a virtual machine according to an embodiment of the present invention.
[87]
[88] DETAILED DESCRIPTION OF THE EMBODIMENTS
[89] To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
[90] FIG. 1 is a flowchart of a first virtual machine system data encryption method according to an embodiment of the present invention. As shown in FIG. 1, the method of this embodiment applies to data encryption in a virtual machine system. The virtual machine system may include at least one physical server, each hosting at least two virtual machines; one of those virtual machines is taken as the example below. The method of this embodiment specifically includes:
[91] Step C10: the terminal device receives from the network encryption gateway a first packet that has undergone transport-layer encryption, and performs transport-layer decryption on that first packet;
[92] Step C20: the terminal device extracts application data from the decrypted first packet and has the hardware encryption module installed on the terminal device encrypt the application data in hardware, the application data being data generated by a virtual machine in the virtual machine system;
[93] Step C30: the terminal device generates a second packet from the encrypted application data, applies transport-layer encryption to the second packet, and sends the transport-layer-encrypted second packet to the network encryption gateway.
[94] Specifically, the terminal device may be the client that the virtual machine system serves. For example, the virtual machine system may, without limitation, provide a virtual desktop service: the user accesses a virtual machine in the system from a terminal device over a desktop transport protocol, the terminal device forwards the user's mouse and keyboard input to the virtual machine, and the virtual machine returns the virtual desktop content to the terminal device. The virtual machine system may also provide other services such as mail and storage. The terminal device may be an electronic device such as a smartphone, a tablet or a laptop computer.
[95] The network encryption gateway may be deployed at the egress of the virtual machine system and applies transport-layer encryption to the packets sent by the virtual machines in the system. Applications run on the virtual machines to deliver the corresponding services, and the application data is the data those applications produce in the course of a service. When an application needs its application data encrypted, the virtual machine builds a first packet from that application data and sends it to the network encryption gateway, which applies transport-layer encryption to it; the transport-layer encryption is likewise implemented in hardware so that it is reliable. The network encryption gateway then sends the transport-layer-encrypted first packet to the terminal device. Because the packets leaving the virtual machine are in plaintext, it is the transport-layer encryption applied by the network encryption gateway that protects the application data in transit.
[96] The terminal device is equipped with a hardware encryption module, which may be an encryption chip or a USB (Universal Serial Bus) encryption device and which stores keys and/or digital certificates. The terminal device receives the transport-layer-encrypted first packet from the network encryption gateway, performs transport-layer decryption, extracts the application data from the decrypted first packet, and passes the application data to the hardware encryption module through the module's driver interface function. The hardware encryption module encrypts the application data with its key and/or digital certificate and returns the encrypted application data to the terminal device, which builds a second packet from it and applies transport-layer encryption to that second packet; this transport-layer encryption may also be performed by the terminal device's hardware encryption module. The terminal device sends the transport-layer-encrypted second packet to the network encryption gateway, which performs transport-layer decryption on it and forwards it to the virtual machine. The virtual machine extracts the application data, now encrypted by the terminal device's hardware, from the second packet and processes it as appropriate, for example by forwarding it or writing it to disk.
[97] When several virtual machines in the virtual machine system need to encrypt application data at the same time, each of them can have its application data encrypted by a terminal device in the manner above. The terminal device corresponding to each virtual machine may be the same terminal device or a different one.
[98] In the virtual machine system data encryption method of this embodiment, the terminal device receives from the network encryption gateway a first packet that has undergone transport-layer encryption, performs transport-layer decryption on it, extracts the application data from the decrypted first packet, and has the hardware encryption module installed on the terminal device encrypt that application data in hardware, the application data being data generated by a virtual machine in the virtual machine system; it then generates a second packet from the encrypted application data, applies transport-layer encryption to the second packet, and sends the transport-layer-encrypted second packet to the network encryption gateway. Because the application data generated by the virtual machine is encrypted by a terminal device equipped with a hardware encryption module, no encryption card has to be installed in the physical server, and encryption of the application data of multiple virtual machines on one physical server is supported. Moreover, the encryption work makes full use of the processing capacity of the terminal device and reduces the load on the virtual machine.
[99] In this embodiment, the first packet includes a key identifier that identifies a key; correspondingly, Step C20, in which the terminal device extracts application data from the decrypted first packet and has the hardware encryption module installed on the terminal device encrypt it in hardware, may specifically be:
[100] the terminal device extracts the application data and the key identifier from the decrypted first packet and sends both to the hardware encryption module; the hardware encryption module determines the key from the key identifier, encrypts the application data with that key, and returns the encrypted application data to the terminal device.
[101] Specifically, the hardware encryption module of the terminal device may store multiple keys, each with a unique key identifier. The data provided by the application then contains, besides the application data to be encrypted, a key identifier, and the virtual machine builds the first packet from the application data and the key identifier.
[102] The terminal device sends the application data and key identifier extracted from the first packet to the hardware encryption module, which selects the corresponding key by the key identifier, encrypts the application data with it, and returns the result to the terminal device.
[103] In this embodiment, Step C10, in which the terminal device receives the transport-layer-encrypted first packet from the network encryption gateway, may specifically be:
[104] the terminal device receives the transport-layer-encrypted first packet from the network encryption gateway over a virtual channel that the virtual desktop agent client module of the terminal device has established with the virtual desktop agent module of the virtual machine and that passes through the network encryption gateway;
[105] and Step C30, in which the terminal device sends the transport-layer-encrypted second packet to the network encryption gateway, may specifically be:
[106] the terminal device sends the transport-layer-encrypted second packet to the network encryption gateway over that virtual channel.
[107] Specifically, if the virtual machine system is one that provides a virtual desktop service, each virtual machine carries a virtual desktop agent (VDA) module and, correspondingly, the terminal device carries a virtual desktop agent client module. In the virtual desktop service, the virtual machine's virtual desktop agent module establishes a virtual channel with the terminal device's virtual desktop agent client module, and that virtual channel passes through the network encryption gateway; the interaction between the virtual machine and the terminal device can therefore be carried over this virtual channel. When a desktop cloud replaces traditional desktop office work, the existing encryption service is preserved and the existing encryption programs need not be modified. In addition, the hardware encryption module already present on the terminal device is reused to provide transport-layer encryption between the terminal device and the desktop cloud data centre, i.e. the virtual machine system, which saves the cost of deploying a network encryption appliance on the terminal side and lets the desktop terminal connect from any location.
[108] In this embodiment, before the terminal device receives the transport-layer-encrypted first packet from the network encryption gateway over the virtual channel established between the virtual desktop agent client module of the terminal device and the virtual desktop agent module of the virtual machine via the network encryption gateway, the method further includes:
[109] the virtual desktop agent client module of the terminal device establishes the virtual channel with the virtual desktop agent module of the virtual machine.
[110] Specifically, the virtual channel may be set up on a request from the terminal device's virtual desktop agent client module to the virtual machine's virtual desktop agent module, or on a request from the virtual machine's virtual desktop agent module to the terminal device's virtual desktop agent client module.
[111] FIG. 2 is a flowchart of a second virtual machine system data encryption method according to an embodiment of the present invention. As shown in FIG. 2, in this embodiment the virtual machine system data encryption method may further include:
[112] Step C40: the terminal device receives from the network encryption gateway a third packet that has undergone transport-layer encryption, and performs transport-layer decryption on that third packet;
[113] Step C50: the terminal device extracts the already-encrypted application data from the decrypted third packet and has the hardware encryption module installed on the terminal device decrypt it in hardware, the already-encrypted application data being data generated by a virtual machine in the virtual machine system and previously encrypted in hardware by the hardware encryption module of the terminal device;
[114] Step C60: the terminal device generates a fourth packet from the decrypted application data, applies transport-layer encryption to the fourth packet, and sends the transport-layer-encrypted fourth packet to the network encryption gateway.
[115] Specifically, the terminal device can also use its hardware encryption module to decrypt encrypted application data sent by the virtual machine. That encrypted application data was produced earlier by an application on the virtual machine and encrypted in hardware by the hardware encryption module of this same terminal device.
[116] When an application on the virtual machine needs encrypted application data decrypted, the virtual machine builds a third packet from the encrypted application data and sends it to the network encryption gateway, which applies transport-layer encryption and sends it to the terminal device. The terminal device receives the transport-layer-encrypted third packet and performs transport-layer decryption, which may again be done by the hardware encryption module on the terminal device. It extracts the encrypted application data from the decrypted third packet and passes it to the hardware encryption module through the module's driver interface function; the hardware encryption module decrypts it with its key and/or digital certificate and returns the decrypted application data to the terminal device. The terminal device builds a fourth packet from the decrypted application data, applies transport-layer encryption, and sends it to the network encryption gateway, which performs transport-layer decryption on the fourth packet and forwards it to the virtual machine. The virtual machine extracts the decrypted application data from the fourth packet and processes it as appropriate, for example by forwarding it or writing it to disk.
[117] When several virtual machines in the virtual machine system need to decrypt application data at the same time, each of them can have its application data decrypted by a terminal device in the manner above.
[118] Naturally, in the decryption flow the interaction between the terminal device and the virtual machine may also be carried over the virtual channel described above; the details are not repeated here.
[119] FIG. 3 is a flowchart of a third virtual machine system data encryption method according to an embodiment of the present invention. As shown in FIG. 3, the method of this embodiment is the virtual machine side of the terminal-side virtual machine system data encryption method of any embodiment of the present invention and operates together with it; the details are not repeated here. The method of this embodiment specifically includes:
[120] Step S10: the virtual machine generates a first packet from application data received from an application running in the virtual machine, and sends the first packet to the network encryption gateway;
[121] Step S20: the virtual machine receives from the network encryption gateway a second packet that has undergone transport-layer decryption, extracts the encrypted application data from that second packet, and passes the encrypted application data to the application, the encrypted application data being the result of the terminal device applying hardware encryption to the application data.
[122] In the virtual machine system data encryption method of this embodiment, the virtual machine generates a first packet from application data received from an application in the virtual machine, sends the first packet to the network encryption gateway, receives from the network encryption gateway a second packet that has undergone transport-layer decryption, extracts the encrypted application data from that second packet, and passes the encrypted application data to the application, the encrypted application data being the result of the terminal device applying hardware encryption to the application data. Because the application data generated by the virtual machine is encrypted by a terminal device equipped with a hardware encryption module, no encryption card has to be installed in the physical server, and encryption of the application data of multiple virtual machines on one physical server is supported. Moreover, the encryption work makes full use of the processing capacity of the terminal device and reduces the load on the virtual machine.
[123] In this embodiment, Step S10, in which the virtual machine generates the first packet from the application data received from the application in the virtual machine, may specifically be:
[124] the virtual machine generates the first packet from the application data and a key identifier received from the application, the key identifier identifying a key.
[125] When the hardware encryption module of the terminal device stores multiple keys, addressing them by key identifier means the actual key is never transmitted, which keeps the key secure.
[126] In this embodiment, Step S10, in which the virtual machine sends the first packet to the network encryption gateway, is specifically:
[127] the virtual machine sends the first packet to the network encryption gateway over a virtual channel that the virtual desktop agent module of the virtual machine has established with the virtual desktop agent client module of the terminal device and that passes through the network encryption gateway;
[128] and Step S20, in which the virtual machine receives the transport-layer-decrypted second packet from the network encryption gateway, is specifically:
[129] the virtual machine receives the transport-layer-decrypted second packet from the network encryption gateway over that virtual channel.
[130] In this embodiment, before Step S10, in which the virtual machine sends the first packet to the network encryption gateway, the method may further include:
[131] the virtual desktop agent module of the virtual machine establishes the virtual channel with the virtual desktop agent client module of the terminal device.
[132] FIG. 4 is a flowchart of a fourth virtual machine system data encryption method according to an embodiment of the present invention. As shown in FIG. 4, the virtual machine system data encryption method may further include:
[133] Step S30: the virtual machine generates a third packet from already-encrypted application data received from an application running in the virtual machine, and sends the third packet to the network encryption gateway;
[134] Step S40: the virtual machine receives from the network encryption gateway a fourth packet that has undergone transport-layer decryption, extracts the decrypted application data from that fourth packet, and passes the decrypted application data to the application, the decrypted application data being the result of the terminal device applying hardware decryption to the already-encrypted application data.
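The four flows of FIGS. 1 to 4 (Steps C10 through C60 on the terminal side, Steps S10 through S40 on the virtual machine side, and the key-identifier lookup of paragraphs [99] to [102] and [123] to [125]) as one runnable simulation. This is an added example written for this page, not code from the patent or from Huawei: the JSON packet fields, the `op`/`key_id`/`data` names, the pre-shared transport key between gateway and terminal, the symmetric keys inside the hardware module, and the HMAC-SHA256 toy cipher standing in for both the transport-layer cipher and the hardware cipher are all assumptions (the patent names no cipher or packet format). The VDA virtual channel is modelled by direct method calls. The point the code makes concrete is the trust split: the virtual machine and the gateway only ever see a key identifier, the hardware module never exports a key, and an unknown identifier, a wrong key or a tampered transport-layer packet each fail closed.

```python
import hashlib
import hmac
import json
import secrets

# ---- toy authenticated encryption (assumed; the patent names no cipher) ----
# HMAC-SHA256 keystream in counter mode plus an HMAC-SHA256 tag. It stands in
# for both the transport-layer cipher and the hardware module's cipher.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = len(data) // 32 + 1
    stream = b"".join(hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


class HardwareEncryptionModule:
    """The encryption chip / USB token on the terminal (hardware encryption
    module 14): keys live inside it, are addressed only by key identifier
    and are never exported."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)

    def encrypt(self, key_id: str, data: bytes) -> bytes:
        return aead_encrypt(self._keys[key_id], data)   # KeyError for an unknown key_id

    def decrypt(self, key_id: str, data: bytes) -> bytes:
        return aead_decrypt(self._keys[key_id], data)   # ValueError for a wrong key / bad data


class NetworkEncryptionGateway:
    """Egress of the VM system: adds transport-layer encryption towards the
    terminal and strips it on the way back. The transport key is assumed to
    be pre-shared with the terminal."""

    def __init__(self, transport_key: bytes):
        self._tk = transport_key

    def to_terminal(self, packet: dict) -> bytes:
        return aead_encrypt(self._tk, json.dumps(packet).encode())

    def from_terminal(self, wire: bytes) -> dict:
        return json.loads(aead_decrypt(self._tk, wire))


class TerminalDevice:
    """Steps C10-C30 (op 'encrypt') and C40-C60 (op 'decrypt')."""

    def __init__(self, transport_key: bytes, hsm: HardwareEncryptionModule):
        self._tk, self._hsm = transport_key, hsm

    def handle(self, wire: bytes) -> bytes:
        first = json.loads(aead_decrypt(self._tk, wire))            # C10 / C40: transport-layer decryption
        op, key_id, data = first["op"], first["key_id"], bytes.fromhex(first["data"])
        try:                                                        # C20 / C50: hand off to the hardware module
            fn = self._hsm.encrypt if op == "encrypt" else self._hsm.decrypt
            reply = {"op": op + "_result", "key_id": key_id, "data": fn(key_id, data).hex()}
        except (KeyError, ValueError) as exc:                       # unknown key id / undecryptable data
            reply = {"op": "error", "key_id": key_id, "reason": type(exc).__name__}
        return aead_encrypt(self._tk, json.dumps(reply).encode())   # C30 / C60: transport-layer encryption


class VirtualMachine:
    """Steps S10-S40: holds no key material, only a key identifier."""

    def __init__(self, gateway: NetworkEncryptionGateway, terminal: TerminalDevice):
        self._gw, self._term = gateway, terminal   # direct calls stand in for the VDA virtual channel

    def _exchange(self, op: str, key_id: str, data: bytes) -> bytes:
        first = {"op": op, "key_id": key_id, "data": data.hex()}      # S10 / S30: build first/third packet
        second = self._gw.from_terminal(self._term.handle(self._gw.to_terminal(first)))
        if second["op"] == "error":
            raise RuntimeError(f"terminal refused {op}: {second['reason']}")
        return bytes.fromhex(second["data"])                          # S20 / S40: extract from second/fourth packet

    def encrypt_app_data(self, data: bytes, key_id: str) -> bytes:
        return self._exchange("encrypt", key_id, data)

    def decrypt_app_data(self, data: bytes, key_id: str) -> bytes:
        return self._exchange("decrypt", key_id, data)


def build_system(key_ids=("kid-1", "kid-2")):
    """Wires up one VM, one gateway and one terminal with fresh random keys (constructed)."""
    transport_key = secrets.token_bytes(32)
    hsm = HardwareEncryptionModule({k: secrets.token_bytes(32) for k in key_ids})
    terminal = TerminalDevice(transport_key, hsm)
    gateway = NetworkEncryptionGateway(transport_key)
    return VirtualMachine(gateway, terminal), terminal, gateway


if __name__ == "__main__":
    vm, _, _ = build_system()
    blob = vm.encrypt_app_data(b"constructed application data", "kid-1")
    print("encrypted by terminal hardware:", blob.hex()[:32], "...")
    print("decrypted by terminal hardware:", vm.decrypt_app_data(blob, "kid-1"))
```

Two design points worth noting when reading the patent against this model. First, the gateway's transport-layer protection is the only thing standing between the plaintext application data leaving the VM and the terminal, so the transport cipher must authenticate as well as encrypt (the toy `aead_decrypt` refuses a flipped byte rather than returning garbage to the hardware module). Second, an error reply is itself transport-layer encrypted and carries only an exception class name, so a failed lookup on the terminal reveals nothing about which key identifiers exist to anyone in the path.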
[135] FIG. 5 is a schematic structural diagram of a first terminal device according to an embodiment of the present invention. As shown in FIG. 5, the terminal device 81 of this embodiment can carry out each step of the terminal-side virtual machine system data encryption method of any embodiment of the present invention; the details are not repeated here. The terminal device 81 of this embodiment specifically includes a transport layer decryption module 11, an encryption service module 12 and a transport layer encryption module 13. The transport layer decryption module 11 receives from the network encryption gateway a first packet that has undergone transport-layer encryption and performs transport-layer decryption on it. The encryption service module 12, connected to the transport layer decryption module 11, extracts application data from the decrypted first packet and has the hardware encryption module 14 installed on the terminal device 81 encrypt the application data in hardware, the application data being data generated by a virtual machine in the virtual machine system. The transport layer encryption module 13, connected to the encryption service module 12, generates a second packet from the encrypted application data, applies transport-layer encryption to the second packet, and sends the transport-layer-encrypted second packet to the network encryption gateway.
[136]本实施例提供的终端设备 81 , 传输层解密模块 11接收网络加密网关发送 的经过传输层加密处理后的第一报文,将经过传输层加密处理后的第一报文进 行传输层解密处理, 加密服务模块 12从解密后的第一报文中提取应用数据, 通过终端设备 81上设置的硬件加密模块 14对应用数据进行硬件加密处理,其 中, 应用数据为虚拟机系统中的虚拟机产生的数据, 传输层加密模块 13根据 加密后的应用数据生成第二报文,对第二报文进行传输层加密处理,将传输层 加密处理后的第二报文发送给网络加密网关。 通过设置有硬件加密模块 14的 终端设备 81对虚拟机产生的应用数据进行加密, 无需在物理服务器上插设加 密卡, 实现了对物理服务器上的多个虚拟机的应用数据的加密支持。 而且, 该 加密过程充分利用了终端设备 81的处理能力, 减轻了虚拟机的负载。  [136] The terminal device 81 provided by this embodiment, the transport layer decryption module 11 receives the first packet after the transport layer encryption process sent by the network encryption gateway, and performs the transport layer on the first packet after the transport layer encryption process. The decryption process, the cryptographic service module 12 extracts application data from the decrypted first message, and performs hardware encryption processing on the application data through the hardware encryption module 14 provided on the terminal device 81, wherein the application data is virtual in the virtual machine system. The data generated by the machine, the transport layer encryption module 13 generates a second packet according to the encrypted application data, performs a transport layer encryption process on the second packet, and sends the second packet encrypted by the transport layer to the network encryption gateway. The application data generated by the virtual machine is encrypted by the terminal device 81 provided with the hardware encryption module 14, and the encryption data of the application data of the plurality of virtual machines on the physical server is realized without inserting the encryption card on the physical server. Moreover, the encryption process takes full advantage of the processing capabilities of the terminal device 81, reducing the load on the virtual machine.
[137] In this embodiment, the first packet includes a key identifier identifying a key; the encryption service module 12 is specifically configured to extract the application data and the key identifier from the decrypted first packet and send the application data and the key identifier to the hardware encryption module 14; the hardware encryption module 14 determines the key from the key identifier, encrypts the application data with that key, and returns the encrypted application data to the terminal device 81.
[138] FIG. 6 is a schematic structural diagram of a second terminal device according to an embodiment of the present invention. As shown in FIG. 6, in this embodiment the terminal device 81 further includes a virtual desktop proxy client module 15, which is configured to establish, with the virtual desktop proxy module of the virtual machine, a virtual channel passing through the network encryption gateway. Correspondingly, the transport layer decryption module 11 is specifically configured to receive, through the virtual channel, the transport-layer-encrypted first packet sent by the network encryption gateway, and the transport layer encryption module 13 is specifically configured to send the transport-layer-encrypted second packet to the network encryption gateway through the virtual channel.
[139] In this embodiment, the transport layer decryption module 11 is further configured to receive a transport-layer-encrypted third packet sent by the network encryption gateway and to perform transport layer decryption on the transport-layer-encrypted third packet; the encryption service module 12 further extracts already-encrypted application data from the decrypted first packet and has the hardware encryption module 14 provided on the terminal device 81 perform hardware decryption on the encrypted application data, where the encrypted application data is data that was generated by a virtual machine in the virtual machine system and previously hardware-encrypted by the hardware encryption module 14 of the terminal device 81; the transport layer encryption module 13 is further configured to generate a fourth packet from the decrypted application data, perform transport layer encryption on the fourth packet, and send the transport-layer-encrypted fourth packet to the network encryption gateway.
[140] FIG. 7 is a schematic structural diagram of a first virtual machine according to an embodiment of the present invention. As shown in FIG. 7, the virtual machine 82 provided by this embodiment can implement each step of the virtual machine system data encryption method applied to a virtual machine that is provided by any embodiment of the present invention; the specific implementation process is not repeated here. The virtual machine 82 provided by this embodiment includes a sending processing module 21 and a receiving processing module 22. The sending processing module 21 is configured to generate a first packet from application data received from an application in the virtual machine 82 and to send the first packet to the network encryption gateway; the receiving processing module 22 is configured to receive the transport-layer-decrypted second packet sent by the network encryption gateway, extract the encrypted application data from the transport-layer-decrypted second packet, and send the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption on the application data.
[141] Specifically, in an actual implementation the application in the virtual machine 82 can send the application data to the sending processing module 21 by calling an API (Application Programming Interface) of the sending processing module 21.
[142] In the virtual machine 82 provided by this embodiment, the sending processing module 21 generates a first packet from the application data received from an application in the virtual machine 82 and sends the first packet to the network encryption gateway; the receiving processing module 22 receives the transport-layer-decrypted second packet sent by the network encryption gateway, extracts the encrypted application data from the transport-layer-decrypted second packet, and sends the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption on the application data. Because the application data generated by the virtual machine 82 is encrypted by a terminal device provided with a hardware encryption module, encryption support for the application data of multiple virtual machines 82 on a physical server is achieved without installing an encryption card in the physical server. Moreover, the encryption process makes full use of the processing capability of the terminal device and reduces the load on the virtual machine 82.
[143] In this embodiment, the sending processing module 21 is specifically configured to generate the first packet from the application data and a key identifier received from the application, where the key identifier identifies a key.
[144] FIG. 8 is a schematic structural diagram of a second virtual machine according to an embodiment of the present invention. As shown in FIG. 8, in this embodiment the virtual machine 82 further includes a virtual desktop proxy module 23, which is configured to establish, with the virtual desktop proxy client module of the terminal device, a virtual channel passing through the network encryption gateway. Correspondingly, the sending processing module 21 is specifically configured to send the first packet to the network encryption gateway through the virtual channel, and the receiving processing module 22 is specifically configured to receive, through the virtual channel, the transport-layer-decrypted second packet sent by the network encryption gateway.
[145] In this embodiment, the sending processing module 21 is further configured to generate a third packet from already-encrypted application data received from the application in the virtual machine 82 and to send the third packet to the network encryption gateway; the receiving processing module 22 is further configured to receive the transport-layer-decrypted fourth packet sent by the network encryption gateway, extract the decrypted application data from the transport-layer-decrypted fourth packet, and send the decrypted application data to the application, where the decrypted application data is obtained by the terminal device performing hardware decryption on the encrypted application data.
[146] FIG. 9 is a schematic structural diagram of a third terminal device according to an embodiment of the present invention. As shown in FIG. 9, the terminal device 700 provided by this embodiment can implement each step of the virtual machine system data encryption method applied to a terminal device that is provided by any embodiment of the present invention; the specific implementation process is not repeated here. The terminal device 700 provided by this embodiment includes a processor 710, a communication interface 720, a memory 730, and a communication bus 740, where the processor 710, the communication interface 720, and the memory 730 communicate with one another through the communication bus 740. The communication interface 720 is configured to receive the transport-layer-encrypted first packet sent by the network encryption gateway and to send the transport-layer-encrypted second packet to the network encryption gateway; the memory 730 is configured to store instructions; the processor 710 is configured to execute the instructions stored in the memory 730, where the processor 710 is configured to perform transport layer decryption on the transport-layer-encrypted first packet, extract application data from the decrypted first packet, and have the hardware encryption module provided on the terminal device perform hardware encryption on the application data, where the application data is data generated by a virtual machine in the virtual machine system; and to generate a second packet from the encrypted application data and perform transport layer encryption on the second packet.
[147] FIG. 10 is a schematic structural diagram of a computer node for a virtual machine according to an embodiment of the present invention. As shown in FIG. 10, the computer node 800 for a virtual machine provided by this embodiment can implement each step of the virtual machine system data encryption method applied to a virtual machine that is provided by any embodiment of the present invention; the specific implementation process is not repeated here. The computer node 800 for a virtual machine provided by this embodiment includes a processor 810, a communication interface 820, a memory 830, and a communication bus 840, where the processor 810, the communication interface 820, and the memory 830 communicate with one another through the communication bus 840. The communication interface 820 is configured to send the first packet to the network encryption gateway and to receive the transport-layer-decrypted second packet sent by the network encryption gateway; the memory 830 is configured to store instructions; the processor 810 is configured to execute the instructions stored in the memory 830, where the processor 810 is configured to generate the first packet from the application data received from an application in the virtual machine, extract the encrypted application data from the transport-layer-decrypted second packet, and send the encrypted application data to the application, where the encrypted application data is obtained by the terminal device performing hardware encryption on the application data.
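The flow of paragraphs [136] to [147] (VM sends a first packet carrying application data and a key identifier; the gateway applies transport-layer protection toward the terminal device; the terminal device strips it, has its hardware encryption module encrypt or decrypt under the identified key, re-protects the reply; the gateway strips that again and hands the second or fourth packet back to the VM) can be simulated end to end. The script below is an added illustration, not code from the patent or from the applicant. It assumes a HMAC-based encrypt-then-MAC construction as a stand-in for both the transport-layer protection between gateway and terminal (TLS or similar in practice) and the hardware module's cipher, a JSON packet layout with the field names `op`, `key_id` and `data`, and the key identifier `key-001`; none of these are specified by the patent and all keys are generated at random when the script starts.

```python
# Added simulation of the patent's packet flow; transport protection, hardware
# module, packet layout and key id are constructed assumptions (see lead-in).
import hashlib
import hmac
import json
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for illustration only."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class HardwareEncryptionModule:
    """Stand-in for hardware encryption module 14: keys stay inside, callers pass a key id."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)

    def _key(self, key_id: str) -> bytes:
        if key_id not in self._keys:
            raise KeyError(f"unknown key id {key_id!r}")
        return self._keys[key_id]

    def encrypt(self, key_id: str, data: bytes) -> bytes:
        return seal(self._key(key_id), data)

    def decrypt(self, key_id: str, data: bytes) -> bytes:
        return unseal(self._key(key_id), data)


class TerminalDevice:
    """Modules 11 to 13 of terminal device 81, driving the hardware module (module 14)."""

    def __init__(self, hsm: HardwareEncryptionModule, transport_key: bytes):
        self.hsm, self.tk = hsm, transport_key

    def handle(self, sealed_packet: bytes) -> bytes:
        inner = json.loads(unseal(self.tk, sealed_packet))   # module 11: transport decrypt
        op, key_id = inner["op"], inner["key_id"]            # module 12: extract fields
        data = bytes.fromhex(inner["data"])
        if op == "encrypt":                                  # first -> second packet
            result = self.hsm.encrypt(key_id, data)
        elif op == "decrypt":                                # third -> fourth packet
            result = self.hsm.decrypt(key_id, data)
        else:
            raise ValueError(f"unsupported operation {op!r}")
        reply = json.dumps({"op": op, "key_id": key_id, "data": result.hex()}).encode()
        return seal(self.tk, reply)                          # module 13: transport encrypt


class NetworkEncryptionGateway:
    """Terminates transport-layer protection between the gateway and the terminal device."""

    def __init__(self, terminal: TerminalDevice, transport_key: bytes):
        self.terminal, self.tk = terminal, transport_key

    def forward(self, packet_from_vm: bytes) -> bytes:
        sealed_reply = self.terminal.handle(seal(self.tk, packet_from_vm))
        return unseal(self.tk, sealed_reply)  # transport-decrypted packet handed to the VM


class VirtualMachine:
    """Sending processing module 21 and receiving processing module 22 of VM 82."""

    def __init__(self, gateway: NetworkEncryptionGateway):
        self.gateway = gateway

    def _request(self, op: str, key_id: str, data: bytes) -> bytes:
        first = json.dumps({"op": op, "key_id": key_id, "data": data.hex()}).encode()
        return bytes.fromhex(json.loads(self.gateway.forward(first))["data"])

    def encrypt_app_data(self, key_id: str, app_data: bytes) -> bytes:
        return self._request("encrypt", key_id, app_data)

    def decrypt_app_data(self, key_id: str, encrypted: bytes) -> bytes:
        return self._request("decrypt", key_id, encrypted)


def build_system(key_id: str = "key-001") -> VirtualMachine:
    """Wires VM -> gateway -> terminal with one hardware key; all keys are random."""
    transport_key = secrets.token_bytes(32)
    hsm = HardwareEncryptionModule({key_id: secrets.token_bytes(32)})
    return VirtualMachine(NetworkEncryptionGateway(TerminalDevice(hsm, transport_key), transport_key))


if __name__ == "__main__":
    vm = build_system()
    sample = b"constructed sample of VM-generated application data"
    sealed = vm.encrypt_app_data("key-001", sample)
    print(vm.decrypt_app_data("key-001", sealed) == sample)
```

Two properties of the design are worth noting when reading the patent: the VM never holds the application-data key (it only names it by identifier, so the key material stays in the terminal's hardware module), and the VM-side packets are plaintext to the gateway, so the hop between the VM and the gateway needs its own protection in a deployment.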
[148] A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
[149] Finally, it should be noted that the embodiments above are intended only to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. A virtual machine system data encryption method, comprising:
receiving, by a terminal device, a transport-layer-encrypted first packet sent by a network encryption gateway, and performing transport layer decryption on the transport-layer-encrypted first packet;
extracting, by the terminal device, application data from the decrypted first packet, and performing hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, wherein the application data is data generated by a virtual machine in a virtual machine system; and
generating, by the terminal device, a second packet from the encrypted application data, performing transport layer encryption on the second packet, and sending the transport-layer-encrypted second packet to the network encryption gateway.
2. The virtual machine system data encryption method according to claim 1, wherein the first packet includes a key identifier identifying a key; and
the extracting, by the terminal device, application data from the decrypted first packet and performing hardware encryption on the application data by means of a hardware encryption module provided on the terminal device specifically comprises:
extracting, by the terminal device, the application data and the key identifier from the decrypted first packet, and sending the application data and the key identifier to the hardware encryption module, wherein the hardware encryption module determines the key from the key identifier, encrypts the application data with the key, and returns the encrypted application data to the terminal device.
3. The virtual machine system data encryption method according to claim 1 or 2, wherein the receiving, by the terminal device, a transport-layer-encrypted first packet sent by a network encryption gateway specifically comprises:
receiving, by the terminal device, the transport-layer-encrypted first packet sent by the network encryption gateway through a virtual channel that passes through the network encryption gateway and is established between the virtual desktop proxy client module of the terminal device and the virtual desktop proxy module of the virtual machine; and
the sending, by the terminal device, the transport-layer-encrypted second packet to the network encryption gateway specifically comprises:
sending, by the terminal device, the transport-layer-encrypted second packet to the network encryption gateway through the virtual channel.
4. The virtual machine system data encryption method according to claim 3, wherein before the terminal device receives the transport-layer-encrypted first packet sent by the network encryption gateway through the virtual channel that passes through the network encryption gateway and is established between the virtual desktop proxy client module of the terminal device and the virtual desktop proxy module of the virtual machine, the method further comprises:
establishing, by the virtual desktop proxy client module of the terminal device, the virtual channel with the virtual desktop proxy module of the virtual machine.
5. The virtual machine system data encryption method according to claim 1, wherein the method further comprises:
receiving, by the terminal device, a transport-layer-encrypted third packet sent by the network encryption gateway, and performing transport layer decryption on the transport-layer-encrypted third packet;
extracting, by the terminal device, encrypted application data from the decrypted first packet, and performing hardware decryption on the encrypted application data by means of the hardware encryption module provided on the terminal device, wherein the encrypted application data is data that was generated by a virtual machine in the virtual machine system and previously hardware-encrypted by the hardware encryption module of the terminal device; and
generating, by the terminal device, a fourth packet from the decrypted application data, performing transport layer encryption on the fourth packet, and sending the transport-layer-encrypted fourth packet to the network encryption gateway.
6. A virtual machine system data encryption method, comprising:
generating, by a virtual machine, a first packet from application data received from an application in the virtual machine, and sending the first packet to a network encryption gateway; and
receiving, by the virtual machine, a transport-layer-decrypted second packet sent by the network encryption gateway, extracting encrypted application data from the transport-layer-decrypted second packet, and sending the encrypted application data to the application, wherein the encrypted application data is obtained by a terminal device performing hardware encryption on the application data.
7. The virtual machine system data encryption method according to claim 6, wherein the generating, by the virtual machine, a first packet from application data received from an application in the virtual machine specifically comprises:
generating, by the virtual machine, the first packet from the application data and a key identifier received from the application, wherein the key identifier identifies a key.
8. The virtual machine system data encryption method according to claim 6 or 7, wherein the sending, by the virtual machine, the first packet to the network encryption gateway specifically comprises:
sending, by the virtual machine, the first packet to the network encryption gateway through a virtual channel that passes through the network encryption gateway and is established between the virtual desktop proxy module of the virtual machine and the virtual desktop proxy client module of the terminal device; and
the receiving, by the virtual machine, a transport-layer-decrypted second packet sent by the network encryption gateway specifically comprises:
receiving, by the virtual machine, the transport-layer-decrypted second packet sent by the network encryption gateway through the virtual channel.
9. The virtual machine system data encryption method according to claim 8, wherein before the virtual machine sends the first packet to the network encryption gateway, the method further comprises:
establishing, by the virtual desktop proxy module of the virtual machine, the virtual channel with the virtual desktop proxy client module of the terminal device.
10. The virtual machine system data encryption method according to claim 6, wherein the method further comprises:
generating, by the virtual machine, a third packet from encrypted application data received from the application in the virtual machine, and sending the third packet to the network encryption gateway; and
receiving, by the virtual machine, a transport-layer-decrypted fourth packet sent by the network encryption gateway, extracting decrypted application data from the transport-layer-decrypted fourth packet, and sending the decrypted application data to the application, wherein the decrypted application data is obtained by the terminal device performing hardware decryption on the encrypted application data.
11. A terminal device, comprising:
a transport layer decryption module, configured to receive a transport-layer-encrypted first packet sent by a network encryption gateway and to perform transport layer decryption on the transport-layer-encrypted first packet;
an encryption service module, connected to the transport layer decryption module and configured to extract application data from the decrypted first packet and to perform hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, wherein the application data is data generated by a virtual machine in a virtual machine system; and
a transport layer encryption module, connected to the encryption service module and configured to generate a second packet from the encrypted application data, perform transport layer encryption on the second packet, and send the transport-layer-encrypted second packet to the network encryption gateway.
12. The terminal device according to claim 11, wherein the first packet includes a key identifier identifying a key; and
the encryption service module is specifically configured to extract the application data and the key identifier from the decrypted first packet and to send the application data and the key identifier to the hardware encryption module, and the hardware encryption module determines the key from the key identifier, encrypts the application data with the key, and returns the encrypted application data to the terminal device.
13. The terminal device according to claim 11 or 12, further comprising:
a virtual desktop proxy client module, configured to establish, with the virtual desktop proxy module of the virtual machine, a virtual channel passing through the network encryption gateway;
wherein the transport layer decryption module is specifically configured to receive, through the virtual channel, the transport-layer-encrypted first packet sent by the network encryption gateway; and
the transport layer encryption module is specifically configured to send the transport-layer-encrypted second packet to the network encryption gateway through the virtual channel.
14. The terminal device according to claim 11, wherein:
the transport layer decryption module is further configured to receive a transport-layer-encrypted third packet sent by the network encryption gateway and to perform transport layer decryption on the transport-layer-encrypted third packet;
the encryption service module further extracts encrypted application data from the decrypted first packet and performs hardware decryption on the encrypted application data by means of the hardware encryption module provided on the terminal device, wherein the encrypted application data is data that was generated by a virtual machine in the virtual machine system and previously hardware-encrypted by the hardware encryption module of the terminal device; and
the transport layer encryption module is further configured to generate a fourth packet from the decrypted application data, perform transport layer encryption on the fourth packet, and send the transport-layer-encrypted fourth packet to the network encryption gateway.
15. A virtual machine, comprising:
a sending processing module, configured to generate a first packet from application data received from an application in the virtual machine and to send the first packet to a network encryption gateway; and
a receiving processing module, configured to receive a transport-layer-decrypted second packet sent by the network encryption gateway, extract encrypted application data from the transport-layer-decrypted second packet, and send the encrypted application data to the application, wherein the encrypted application data is obtained by a terminal device performing hardware encryption on the application data.
16. The virtual machine according to claim 15, wherein the sending processing module is specifically configured to generate the first packet from the application data and a key identifier received from the application, wherein the key identifier identifies a key.
17. The virtual machine according to claim 15 or 16, further comprising:
a virtual desktop proxy module, configured to establish, with the virtual desktop proxy client module of the terminal device, a virtual channel passing through the network encryption gateway;
wherein the sending processing module is specifically configured to send the first packet to the network encryption gateway through the virtual channel; and
the receiving processing module is specifically configured to receive, through the virtual channel, the transport-layer-decrypted second packet sent by the network encryption gateway.
18. The virtual machine according to claim 15, wherein:
the sending processing module is further configured to generate a third packet from encrypted application data received from the application in the virtual machine and to send the third packet to the network encryption gateway; and
the receiving processing module is further configured to receive a transport-layer-decrypted fourth packet sent by the network encryption gateway, extract decrypted application data from the transport-layer-decrypted fourth packet, and send the decrypted application data to the application, wherein the decrypted application data is obtained by the terminal device performing hardware decryption on the encrypted application data.
19、 一种终端设备, 其特征在于, 包括: 处理器, 通信接口, 存储器和总 线:  19. A terminal device, comprising: a processor, a communication interface, a memory, and a bus:
其中所述处理器、所述通信接口和所述存储器通过所述总线完成相互间的 通信;  Wherein the processor, the communication interface and the memory complete communication with each other through the bus;
所述通信接口,用于接收网络加密网关发送的经过传输层加密处理后的第 一报文, 以及将传输层加密处理后的第二报文发送给所述网络加密网关; 所述存储器, 用于存储指令;  The communication interface is configured to receive a first packet that is sent by the network encryption gateway and that is encrypted by the transport layer, and send the second packet that is encrypted by the transport layer to the network encryption gateway; For storing instructions;
所述处理器被配置为执行存储在所述存储器中的指令, 其中, 所述处理器 被配置为用于将所述经过传输层加密处理后的第 文进行传输层解密处理, 从解密后的第一报文中提取应用数据,通过所述终端设备上设置的硬件加密模 块对所述应用数据进行硬件加密处理, 其中, 所述应用数据为虚拟机系统中的 虚拟机产生的数据; 根据加密后的应用数据生成第二报文,对所述第二报文进 行传输层加密处理。 The processor is configured to execute an instruction stored in the memory, wherein the processor is configured to perform a transport layer decryption process on the text encrypted by the transport layer, from the decrypted Extracting the application data in the first packet, performing hardware encryption processing on the application data by using a hardware encryption module set on the terminal device, where the application data is in a virtual machine system The data generated by the virtual machine generates a second packet according to the encrypted application data, and performs a transport layer encryption process on the second packet.
20、 一种用于虚拟机的计算机节点, 其特征在于, 包括: 处理器, 通信接 口, 存储器和总线:  20. A computer node for a virtual machine, comprising: a processor, a communication interface, a memory, and a bus:
其中所述处理器、所述通信接口和所述存储器通过所述总线完成相互间的 通信;  Wherein the processor, the communication interface and the memory complete communication with each other through the bus;
所述通信接口, 用于将第一报文发送给网络加密网关, 以及接收所述网络 加密网关发送的经过传输层解密处理后的第二 文;  The communication interface is configured to send the first packet to the network encryption gateway, and receive the second text sent by the network encryption gateway after being decrypted by the transport layer;
所述存储器, 用于存储指令;  The memory is configured to store an instruction;
所述处理器被配置为执行存储在所述存储器中的指令, 其中, 所述处理器 被配置为用于根据接收到的所述虚拟机中的应用程序发送的应用数据生成所 述第一报文;提取所述经过传输层解密处理后的第二报文中的加密后的应用数 据, 将所述加密后的应用数据发送给所述应用程序, 其中, 所述加密后的应用 数据为终端设备对所述应用处理进行硬件加密处理得到的。  The processor is configured to execute an instruction stored in the memory, wherein the processor is configured to generate the first report according to the received application data sent by an application in the virtual machine Extracting the encrypted application data in the second packet after the decryption process of the transport layer, and sending the encrypted application data to the application, where the encrypted application data is a terminal The device performs hardware encryption processing on the application processing.
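The processor sequence of claim 19 (transport-layer decrypt, extract, hardware-encrypt under the key named by the claim 16 key identifier, re-wrap, transport-layer encrypt), written out as an added Go example; this is illustrative code, not the patent's implementation. It assumes a JSON Packet carrying a key identifier and application data, and uses AES-GCM as a stand-in for both the transport-layer cipher on the gateway-to-terminal leg and the terminal's hardware encryption module; the names Packet, Terminal, Handle, seal and open are invented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Packet is an assumed wire format for the claims' first/second packet: the key identifier of claim 16 plus application data.
type Packet struct{ KeyID string; Data []byte }
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal/open are AES-GCM with the nonce prepended; a stand-in for both the transport-layer cipher and the hardware module.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext shorter than nonce") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// Terminal models the processor of claim 19. HardwareKeys never leave the terminal; the VM only names a key by its identifier.
type Terminal struct {
	TransportKey []byte            // session key shared with the network encryption gateway
	HardwareKeys map[string][]byte // keys resident in the hardware encryption module
}
// Handle runs the claim 19 sequence: transport-layer decrypt the first packet, extract the application data,
// hardware-encrypt it under the key KeyID selects, build the second packet, transport-layer encrypt it. An unknown KeyID is an error.
func (t Terminal) Handle(firstSealed []byte) ([]byte, error) {
	raw, err := open(t.TransportKey, firstSealed)
	if err != nil { return nil, err }
	var first Packet
	if err := json.Unmarshal(raw, &first); err != nil { return nil, err }
	hk, ok := t.HardwareKeys[first.KeyID]
	if !ok { return nil, errors.New("unknown key id " + first.KeyID) }
	enc, err := seal(hk, first.Data)
	if err != nil { return nil, err }
	second, _ := json.Marshal(Packet{KeyID: first.KeyID, Data: enc}) // cannot fail for this struct
	return seal(t.TransportKey, second)
}
```

The gateway side is just seal/open under the transport key; the point the check makes is that the returned application data opens only under the hardware key, never under the transport key alone.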
PCT/CN2013/079696 2012-12-14 2013-07-19 Virtual machine system data encryption method and device WO2014089968A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210544060.0 2012-12-14
CN201210544060.0A CN103873245B (en) 2012-12-14 2012-12-14 Dummy machine system data ciphering method and equipment

Publications (1)

Publication Number Publication Date
WO2014089968A1 true WO2014089968A1 (en) 2014-06-19

Family

ID=50911395

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/079696 WO2014089968A1 (en) 2012-12-14 2013-07-19 Virtual machine system data encryption method and device

Country Status (2)

Country Link
CN (1) CN103873245B (en)
WO (1) WO2014089968A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10645064B2 (en) * 2015-04-23 2020-05-05 Alcatel Lucent Virtualized application performance through disabling of unnecessary functions
CN105162577B (en) * 2015-08-26 2019-07-12 深信服科技股份有限公司 Encrypting and decrypting method and physical server under virtual environment
CN106341419B (en) * 2016-10-17 2019-04-19 重庆邮电大学 A kind of method that calling external encryption/decryption module and mobile terminal
CN110888716A (en) * 2019-12-17 2020-03-17 北京天融信网络安全技术有限公司 Data processing method and device, storage medium and electronic equipment

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101587524A (en) * 2009-06-23 2009-11-25 上海北大方正科技电脑系统有限公司 Method for encrypting data memory apparatus based on virtual system
CN102270153A (en) * 2011-08-12 2011-12-07 曙光信息产业(北京)有限公司 Method and device for sharing encrypted card in virtual environment
CN102289631A (en) * 2011-08-12 2011-12-21 无锡城市云计算中心有限公司 Method for realizing virtual safety computing environment
CN102664896A (en) * 2012-04-28 2012-09-12 郑州信大捷安信息技术股份有限公司 Safety network transmission system and method based on hardware encryption

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
WO2009070430A2 (en) * 2007-11-08 2009-06-04 Suridx, Inc. Apparatus and methods for providing scalable, dynamic, individualized credential services using mobile telephones
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof
CN101630270B (en) * 2009-07-22 2013-06-26 成都市华为赛门铁克科技有限公司 Data processing system and method therefor
CN201499183U (en) * 2009-09-14 2010-06-02 陈博东 Virtual network separation system

Also Published As

Publication number Publication date
CN103873245B (en) 2017-12-22
CN103873245A (en) 2014-06-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13861590; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13861590; Country of ref document: EP; Kind code of ref document: A1)