WO2021057024A1 - Method and system for protecting virtual machine image in cloud environment - Google Patents


Info

Publication number: WO2021057024A1
Authority: WO (WIPO, PCT)
Prior art keywords: dek, virtual machine, password, machine image, plaintext
Application number: PCT/CN2020/087164
Other languages: French (fr), Chinese (zh)
Inventors: 刘海伟, 吴保锡
Original assignee: 苏州浪潮智能科技有限公司 (Suzhou Inspur Intelligent Technology Co., Ltd.)
Priority date: September 25, 2019, per the priority claim to Chinese application 201910912822.X in the description (Google notes that a listed priority date is an assumption and not a legal conclusion)

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING (all classes below)
    • G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors > G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F9/45558 > G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F9/45558 > G06F2009/45587 Isolation or security of virtual machine instances
    • G06F9/45558 > G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services

Definitions

  • This application relates to the field of computer security technology, and in particular to a method and system for protecting virtual machine images in a cloud environment.
  • Cloud computing vendors usually store virtual machine images with one and the same encrypted-storage scheme: in a cloud environment all virtual machine disk images use a single encryption/decryption key, that is, tenant A and tenant B share the same encryption key.
  • This application provides a method and system for protecting a virtual machine image in a cloud environment, so as to solve the problem of insufficient data security in a data center due to the method of protecting a virtual machine image in a cloud environment in the prior art.
  • a method for protecting a virtual machine image in a cloud environment comprising:
  • if the second password is the same as the first password, the trusted platform module obtains the DEK plaintext according to the DEK ciphertext.
  • creating the DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password includes:
  • creating the DEK plaintext and an RSA public-private key pair based on the trusted platform module; RSA is named from the initials of the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who jointly proposed the RSA encryption algorithm in 1977;
  • encrypting the DEK plaintext with the RSA public-private key pair to obtain the DEK ciphertext.
  • the trusted platform module is a TPM (Trusted Platform Module) chip.
  • the virtual machine image file is encrypted with AES (Advanced Encryption Standard) encryption and decrypted with AES decryption.
  • after the DEK ciphertext and the encrypted virtual machine image file have been stored in the storage pool, and after the virtual machine image file has been decrypted with the DEK plaintext, the method further includes deleting the DEK plaintext.
  • a system for protecting virtual machine images in a cloud environment comprising:
  • the key management module is used to add a first password when creating a virtual machine image file, to create DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password, and to send the DEK plaintext and DEK ciphertext to the virtual machine image module; the first password is the password set by the tenant;
  • the virtual machine image module is used to encrypt the virtual machine image file using the DEK plaintext to obtain the encrypted virtual machine image file, and to store the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time;
  • the virtual machine image module is also used, when reading the encrypted virtual machine image file, to obtain a second password and the DEK ciphertext and to send both to the key management module at the same time; the second password is the password entered by the current tenant;
  • the key management module is also used to determine whether the second password is the same as the first password and, when it is, to call the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext and send the DEK plaintext to the virtual machine image module;
  • the virtual machine image module is also used to decrypt the virtual machine image file using the DEK plaintext.
  • the key management module includes:
  • the password adding unit is used to add a first password when creating a virtual machine image file, where the first password is a password set by the tenant;
  • the key creation unit is configured to create DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password;
  • the first sending unit is configured to send the DEK plaintext and DEK ciphertext to the virtual machine mirroring module;
  • a judging unit for judging whether the second password is the same as the first password, and the second password is the password entered by the current tenant;
  • the DEK plaintext obtaining unit is configured to call the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext when the second password is the same as the first password;
  • the first sending unit is further configured to send the DEK plaintext to the virtual machine mirroring module after obtaining the DEK plaintext according to the DEK ciphertext.
  • the virtual machine mirroring module includes:
  • the encryption unit is used to encrypt the virtual machine image file by using the DEK plaintext to obtain the encrypted virtual machine image file;
  • the storage unit is configured to store the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time;
  • the obtaining unit is configured to obtain the second password and the DEK ciphertext when reading the encrypted virtual machine image file;
  • the second sending unit is configured to send the second password and the DEK ciphertext to the key management module at the same time;
  • the decryption unit is configured to use the DEK plaintext to decrypt the virtual machine image file.
  • the encryption unit is an AES encryption unit
  • the decryption unit is an AES decryption unit
  • the key management module further includes a first deletion unit, configured to delete the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file have been stored in the storage pool;
  • the virtual machine image module further includes a second deletion unit, configured to delete the DEK plaintext after the virtual machine image file has been decrypted with it.
  • This application provides a method for protecting virtual machine images in a cloud environment.
  • the method takes corresponding steps to improve data security when creating virtual machine image files and reading virtual machine image files.
  • When creating a virtual machine image file, the first password is added first; DEK plaintext and DEK ciphertext are then created based on the trusted platform module according to the first password; the DEK plaintext is then used to encrypt the virtual machine image file; and finally the DEK ciphertext and the encrypted virtual machine image file are stored in the storage pool at the same time.
  • When reading the encrypted virtual machine image file, the second password and the DEK ciphertext are obtained first, and it is then determined whether the second password is the same as the first password.
  • If so, the trusted platform module obtains the DEK plaintext according to the DEK ciphertext, and the DEK plaintext is then used to decrypt the virtual machine image file.
  • the first password set by the tenant is added when the virtual machine image file is created.
  • the contents of the virtual machine disk image can therefore be obtained only when the second password entered by the current tenant is the same as the first password, rather than through the DEK ciphertext alone. Setting the first password thus greatly improves the security of the data center in the cloud environment.
  • in this embodiment, the DEK plaintext is deleted after the DEK ciphertext and the encrypted virtual machine image file have been stored in the storage pool, and again after the DEK plaintext has been used to decrypt the virtual machine image file. Deleting the DEK plaintext promptly prevents it from leaking, which further improves the security of data in the data center.
  • This application also provides a system for protecting virtual machine images in a cloud environment.
  • the system mainly includes two parts: a key management module and a virtual machine image module.
  • the first password can be added through the key management module, and DEK plaintext and DEK ciphertext can be created based on the trusted platform module, both being sent to the virtual machine image module.
  • through the virtual machine image module, the DEK plaintext can be used to encrypt the virtual machine image file, and the DEK ciphertext and the encrypted virtual machine image file can be stored in the storage pool at the same time.
  • the DEK ciphertext and the second password entered by the current tenant are obtained through the virtual machine image module and both are sent to the key management module at the same time; the key management module determines whether the second password is the same as the first password, and if so the trusted platform module is called to obtain the DEK plaintext according to the DEK ciphertext, and the DEK plaintext is sent to the virtual machine image module.
  • by providing the key management module and the virtual machine image module, the first password can be added through the key management module when the virtual machine image file is created, and the virtual machine image module can obtain the second password when the encrypted virtual machine image file is read and compare it with the first password, which greatly improves the confidentiality of virtual machine image data in the cloud environment, that is, greatly improves the security of data center data.
  • FIG. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment provided by an embodiment of the application;
  • FIG. 2 is a schematic structural diagram of a system for protecting virtual machine images in a cloud environment provided by an embodiment of the application.
  • FIG. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment provided by an embodiment of the application.
  • the method for protecting virtual machine images in a cloud environment in this embodiment mainly includes the following processes:
  • the first password set in advance by the tenant is added when the virtual machine image file is created.
  • the contents of the virtual machine disk image can therefore be obtained only when the second password entered by the current tenant is the same as the first password, rather than through the DEK ciphertext alone. Setting the first password thus greatly improves the confidentiality of virtual machine images in the cloud environment and thereby the security of data center data.
  • S02 Create DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password.
  • step S02 further includes the following process:
  • S021 Create a DEK plaintext and RSA public-private key pair based on the trusted platform module according to the first password;
  • S022 Use the RSA public and private keys to encrypt the DEK plaintext to obtain the DEK ciphertext.
  • the trusted platform module may use a TPM chip.
  • in steps S021 and S022, when creating the DEK plaintext and DEK ciphertext based on the trusted platform module, the TPM chip command TPM2_GetRandom is first called to generate random numbers as the DEK plaintext; then, according to the first password entered by the tenant, the TPM chip command TPM2_Create is called to create an RSA public-private key pair, namely Rsa_pri and Rsa_pub, where Rsa_pub is the public key and may be saved outside the TPM chip; finally, the TPM chip command TPM2_RSA_Encrypt is called to encrypt the DEK plaintext and obtain the DEK ciphertext.
  • step S03 is executed: using the DEK plaintext to encrypt the virtual machine image file to obtain the encrypted virtual machine image file.
  • the method of using DEK plaintext to encrypt the virtual machine image file is AES encryption. That is: through the AES encryption method, use DEK plaintext as the AES key for the created virtual machine image file, and perform AES encryption to obtain the encrypted virtual machine image file.
  • step S04 is executed: the DEK ciphertext and the encrypted virtual machine image file are stored in the storage pool at the same time.
  • the storage pool in this embodiment refers to a storage pool in a cloud environment, which is used to store virtual machine image files.
  • step S06: when reading the encrypted virtual machine image file, obtain the second password and the DEK ciphertext, where the second password is the password entered by the current tenant.
  • step S08: the trusted platform module obtains the DEK plaintext according to the DEK ciphertext.
  • if the second password is not the same as the first password, the method returns to step S06 to obtain the second password again.
  • the method for decrypting the virtual machine image file in this embodiment is AES decryption.
  • the specific AES decryption method adopts the method in the prior art and is not repeated here.
  • after step S04 the method further includes step S05: deleting the DEK plaintext.
  • after step S09 the method further includes step S10: deleting the DEK plaintext.
  • steps S05 and S10 effectively prevent malicious administrators from illegally snooping on tenants' sensitive data in public cloud or hybrid cloud environments, which helps protect the confidentiality of virtual machine image files in the cloud environment and thereby raises the data security level of the virtual data center, greatly improving the security of data center data.
  • the method for protecting virtual machine images in a cloud environment in this embodiment mainly focuses on creating virtual machine image files and reading virtual machine image files to enhance the confidentiality of virtual machine image files.
  • the data security level of the virtual data center is improved by adding the first password in the stage of creating the virtual machine image file, and judging the consistency between the second password entered by the current tenant and the first password in the stage of reading the encrypted virtual machine image file.
  • FIG. 2 is a schematic structural diagram of a system for protecting virtual machine images in a cloud environment provided by an embodiment of the application.
  • the system in this embodiment mainly includes two parts: a key management module and a virtual machine mirroring module.
  • the key management module is used to add the first password when creating the virtual machine image file, to create DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password, and to send the DEK plaintext and DEK ciphertext to the virtual machine image module; the first password is the password set by the tenant.
  • the virtual machine image module is used to encrypt the virtual machine image file using the DEK plaintext to obtain the encrypted virtual machine image file, and to store the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time.
  • the virtual machine image module is also used, when reading the encrypted virtual machine image file, to obtain the second password and the DEK ciphertext and to send them to the key management module at the same time, where the second password is the password entered by the current tenant.
  • the key management module is also used to determine whether the second password is the same as the first password and, when it is, to call the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext and send the DEK plaintext to the virtual machine image module.
  • the virtual machine image module is also used to decrypt the virtual machine image file by using DEK plaintext.
  • the key management module further includes: a password adding unit, a key creating unit, a first sending unit, a judgment unit, and a DEK plaintext obtaining unit.
  • the password adding unit is used to add the first password when creating the virtual machine image file, the first password is the password set by the tenant;
  • the key creation unit is used to create the DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password;
  • the first sending unit is used to send the DEK plaintext and the DEK ciphertext to the virtual machine image module;
  • the judging unit is used to judge whether the second password is the same as the first password, the second password being the password entered by the current tenant;
  • the DEK plaintext obtaining unit is used, when the second password is the same as the first password, to call the trusted platform module to obtain the DEK plaintext according to the DEK ciphertext;
  • the first sending unit is also used, after the DEK plaintext has been obtained according to the DEK ciphertext, to send the DEK plaintext to the virtual machine image module.
  • the key creation unit includes a DEK plaintext and RSA public-private key pair creation subunit and a DEK ciphertext creation subunit.
  • the DEK plaintext and RSA public-private key pair creation subunit is used to create the DEK plaintext and an RSA public-private key pair based on the trusted platform module according to the first password;
  • the DEK ciphertext creation subunit is used to encrypt the DEK plaintext with the RSA public-private key pair to obtain the DEK ciphertext.
  • when the DEK plaintext and RSA public-private key pair creation subunit creates the RSA public-private key pair, the RSA public key can be saved outside the TPM chip, for example on the disk of the key management module.
  • the virtual machine mirroring module includes: an encryption unit, a storage unit, an acquisition unit, a second sending unit, and a decryption unit.
  • the encryption unit is used to use DEK plaintext to encrypt the virtual machine image file to obtain the encrypted virtual machine image file
  • the storage unit is used to store the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time
  • the acquisition unit is used to obtain the second password and the DEK ciphertext when reading the encrypted virtual machine image file;
  • the second sending unit is used to send the second password and the DEK ciphertext to the key management module at the same time;
  • the decryption unit is used to decrypt the virtual machine image file using the DEK plaintext.
  • the encryption unit is an AES encryption unit
  • the decryption unit is an AES decryption unit
  • the key management module is also provided with a first deletion unit for deleting the DEK plaintext after storing the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time.
  • the virtual machine mirroring module also includes a second deleting unit for deleting the DEK plaintext after decrypting the virtual machine image file by using the DEK plaintext.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

A method and system for protecting a virtual machine image in a cloud environment, the method comprising: adding a first password when creating a virtual machine image file; creating DEK plaintext and DEK ciphertext according to the first password; using the DEK plaintext to encrypt the virtual machine image file; simultaneously storing the DEK ciphertext and the encrypted virtual machine image file in a storage pool; when reading the encrypted virtual machine image file, acquiring a second password and the DEK ciphertext; determining whether the second password is the same as the first password; if yes, then a trusted platform module acquiring the DEK plaintext according to the DEK ciphertext; and using the DEK plaintext to decrypt the virtual machine image file. The system comprises a key management module and a virtual machine image module. By means of the present application, the data security level of a virtual data center may be improved, and data security is effectively improved.

Description

Method and system for protecting virtual machine image in cloud environment
This application claims priority to Chinese patent application No. 201910912822.X, filed with the Chinese Patent Office on September 25, 2019 and titled "Method and system for protecting virtual machine image in cloud environment", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of computer security, and in particular to a method and system for protecting virtual machine images in a cloud environment.
Background
With the development of cloud computing and big data, more and more enterprises and research institutes use cloud computing technology to deploy virtual data centers; such virtual data centers are flexible to deploy and save costs. Compared with a traditional data center, however, how to improve data security is an important problem for a virtual data center. For virtual machine images in a cloud environment in particular, operations such as backup provided by the virtualization management software make it easy for sensitive data, certificates and other information to spread, which leads to data security problems.
At present, cloud computing vendors usually store virtual machine images with one and the same encrypted-storage scheme. Specifically, in a cloud environment all virtual machine disk images use a single encryption/decryption key, that is, tenant A and tenant B share the same encryption key.
Because this scheme shares a single encryption/decryption key, the confidentiality of a tenant's virtual machine image cannot be guaranteed against insider threats from the cloud computing vendor or cloud administrators; in other words, the security of the data center is not high enough.
Summary of the invention
This application provides a method and system for protecting a virtual machine image in a cloud environment, so as to solve the problem that the prior-art method for protecting virtual machine images in a cloud environment leaves the data security of the data center insufficient.
To solve the above technical problem, the embodiments of this application disclose the following technical solutions:
A method for protecting a virtual machine image in a cloud environment, the method comprising:
when creating a virtual machine image file, adding a first password, the first password being a password set by the tenant;
according to the first password, creating DEK (Data Encrypted Key, i.e. data encryption key) plaintext and DEK ciphertext based on a trusted platform module;
using the DEK plaintext, encrypting the virtual machine image file to obtain an encrypted virtual machine image file;
storing the DEK ciphertext and the encrypted virtual machine image file in a storage pool at the same time;
when reading the encrypted virtual machine image file, obtaining a second password and the DEK ciphertext, the second password being the password entered by the current tenant;
determining whether the second password is the same as the first password;
if yes, the trusted platform module obtaining the DEK plaintext according to the DEK ciphertext;
using the DEK plaintext, decrypting the virtual machine image file.
Optionally, creating the DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password comprises:
according to the first password, creating the DEK plaintext and an RSA public-private key pair based on the trusted platform module; here, RSA is named from the initials of the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who jointly proposed the RSA encryption algorithm in 1977;
encrypting the DEK plaintext with the RSA public-private key pair to obtain the DEK ciphertext.
Optionally, the trusted platform module is a TPM (Trusted Platform Module) chip.
Optionally, the virtual machine image file is encrypted by AES (Advanced Encryption Standard) encryption and decrypted by AES decryption.
Optionally, after storing the DEK ciphertext and the encrypted virtual machine image file in the storage pool at the same time, and after decrypting the virtual machine image file using the DEK plaintext, the method further comprises:
deleting the DEK plaintext.
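The create-and-read flow claimed above, carried through end to end in Go as an added example. It is not code from the patent or from the assignee, and it uses the TPM commands the embodiment names (TPM2_GetRandom for the DEK plaintext, TPM2_Create for an RSA key pair tied to the tenant's first password, TPM2_RSA_Encrypt to produce the DEK ciphertext) only as the names of methods on a software stand-in, SimTPM, that keeps the RSA private key to itself. Everything else is an assumption of this example rather than something the page states: the image cipher is AES-256-GCM (the page says only AES), the DEK is wrapped with RSA-OAEP (no padding scheme is named), the first password is retained only as a SHA-256 digest for the step S07 comparison (the page does not say how it is stored), and "delete DEK plaintext" in steps S05 and S10 is implemented by zeroizing the buffer. StoredImage is what the storage pool would hold: the DEK ciphertext beside the encrypted image, and nothing else.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"io"
)

// SimTPM is a software stand-in for the TPM chip (assumption of this example: a real
// deployment would make the first password the auth value of the TPM2_Create key).
// The RSA private key never leaves it; only a SHA-256 digest of the first password is kept.
type SimTPM struct {
	priv     *rsa.PrivateKey
	authHash [32]byte
}

// NewSimTPM plays TPM2_Create: an RSA key pair bound to the tenant's first password. The
// public key (Rsa_pub in the embodiment) is returned so it can be kept outside the TPM.
func NewSimTPM(firstPassword string) (*SimTPM, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &SimTPM{priv: priv, authHash: sha256.Sum256([]byte(firstPassword))}, &priv.PublicKey, nil
}

// UnwrapDEK gates the decrypt: S07 compares the second password with the first in constant
// time, and only then does S08 recover the DEK plaintext from the DEK ciphertext.
func (t *SimTPM) UnwrapDEK(secondPassword string, dekCiphertext []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(secondPassword))
	if subtle.ConstantTimeCompare(h[:], t.authHash[:]) != 1 {
		return nil, errors.New("second password does not match the first password")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, dekCiphertext, nil)
}

// WrapDEK plays TPM2_RSA_Encrypt (S022): the DEK plaintext encrypted to the RSA public key
// (assumption: OAEP padding; the page names none).
func WrapDEK(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
}

// newGCM is the image cipher (assumption: AES-256-GCM; the page says only AES).
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealImage is S03: the image file encrypted under the DEK plaintext, nonce prefixed.
func SealImage(dek, image []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, nil), nil
}

// OpenImage is S09; the GCM tag additionally rejects an image that was altered in the pool.
func OpenImage(dek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad DEK or encrypted image too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Zeroize is the "delete DEK plaintext" of S05 and S10 (best effort in a garbage-collected runtime).
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// StoredImage is what the storage pool holds after S04: DEK ciphertext beside the encrypted image.
type StoredImage struct{ DEKCiphertext, EncryptedImage []byte }

// CreateImage runs S02 to S05 for a tenant whose first password is already bound to tpm.
func CreateImage(tpm *SimTPM, pub *rsa.PublicKey, image []byte) (StoredImage, error) {
	dek := make([]byte, 32) // S021: DEK plaintext from TPM2_GetRandom (crypto/rand stands in)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredImage{}, err
	}
	defer Zeroize(dek) // S05: the DEK plaintext does not outlive this call
	dekCT, err := WrapDEK(pub, dek)
	if err != nil {
		return StoredImage{}, err
	}
	enc, err := SealImage(dek, image)
	return StoredImage{DEKCiphertext: dekCT, EncryptedImage: enc}, err
}

// ReadImage runs S06 to S10 with the password the current tenant entered.
func ReadImage(tpm *SimTPM, s StoredImage, secondPassword string) ([]byte, error) {
	dek, err := tpm.UnwrapDEK(secondPassword, s.DEKCiphertext)
	if err != nil {
		return nil, err
	}
	defer Zeroize(dek) // S10
	return OpenImage(dek, s.EncryptedImage)
}
```

A caller creates an image with NewSimTPM followed by CreateImage and reads it back with ReadImage. With a wrong second password ReadImage fails before any RSA decryption is attempted, so on that path the DEK plaintext never exists outside the simulated TPM; with a real TPM the same effect comes from making the password the key's auth value rather than from a comparison in software, and the shared-key weakness the background describes is avoided because every image gets its own DEK under its own tenant-bound key. Zeroizing a Go slice is best effort, since the runtime may already have copied it; a production key manager would keep the DEK in locked, non-swappable memory for the short time it exists.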
A system for protecting a virtual machine image in a cloud environment, the system comprising:
a key management module, configured to add a first password when a virtual machine image file is created, to create DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password, and to send the DEK plaintext and the DEK ciphertext to a virtual machine image module, the first password being a password set by the tenant;
a virtual machine image module, configured to encrypt the virtual machine image file with the DEK plaintext to obtain an encrypted virtual machine image file, and to store the DEK ciphertext and the encrypted virtual machine image file together in a storage pool;
the virtual machine image module being further configured, when the encrypted virtual machine image file is read, to obtain a second password and the DEK ciphertext and to send the second password and the DEK ciphertext together to the key management module, the second password being the password entered by the current tenant;
the key management module being further configured to determine whether the second password is the same as the first password and, when the two are the same, to call the trusted platform module to obtain the DEK plaintext from the DEK ciphertext and to send the DEK plaintext to the virtual machine image module;
the virtual machine image module being further configured to decrypt the virtual machine image file with the DEK plaintext.
Optionally, the key management module includes:
a password adding unit, configured to add the first password when the virtual machine image file is created, the first password being a password set by the tenant;
a key creation unit, configured to create the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password;
a first sending unit, configured to send the DEK plaintext and the DEK ciphertext to the virtual machine image module;
a judging unit, configured to determine whether the second password is the same as the first password, the second password being the password entered by the current tenant;
a DEK plaintext obtaining unit, configured to call the trusted platform module to obtain the DEK plaintext from the DEK ciphertext when the second password is the same as the first password;
the first sending unit being further configured to send the DEK plaintext to the virtual machine image module after it has been obtained from the DEK ciphertext.
Optionally, the virtual machine image module includes:
an encryption unit, configured to encrypt the virtual machine image file with the DEK plaintext to obtain the encrypted virtual machine image file;
a storage unit, configured to store the DEK ciphertext and the encrypted virtual machine image file together in the storage pool;
an obtaining unit, configured to obtain the second password and the DEK ciphertext when the encrypted virtual machine image file is read;
a second sending unit, configured to send the second password and the DEK ciphertext together to the key management module;
a decryption unit, configured to decrypt the virtual machine image file with the DEK plaintext.
Optionally, the encryption unit is an AES encryption unit and the decryption unit is an AES decryption unit.
Optionally, the key management module further includes a first deletion unit, configured to delete the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file have been stored together in the storage pool;
and the virtual machine image module further includes a second deletion unit, configured to delete the DEK plaintext after the virtual machine image file has been decrypted with it.
The technical solutions provided by the embodiments of the present application may have the following beneficial effects:
The present application provides a method for protecting a virtual machine image in a cloud environment. The method takes corresponding steps to improve data security both when a virtual machine image file is created and when it is read. When the virtual machine image file is created, a first password is added first; DEK plaintext and DEK ciphertext are then created based on the trusted platform module according to the first password; the virtual machine image file is then encrypted with the DEK plaintext; and finally the DEK ciphertext and the encrypted virtual machine image file are stored together in the storage pool. When the encrypted virtual machine image file is read, the second password and the DEK ciphertext are obtained first; it is then determined whether the second password is the same as the first password; when the two are the same, the trusted platform module obtains the DEK plaintext from the DEK ciphertext, and the virtual machine image file is then decrypted with the DEK plaintext. In this embodiment, the first password set by the tenant is added when the virtual machine image file is created, so that when the image file is loaded, the contents of the virtual machine disk image can be obtained only if the second password entered by the current tenant is the same as the first password, rather than being obtainable from the DEK ciphertext alone. The first password therefore greatly improves the security of the data center in the cloud environment.
In addition, in this embodiment, after the DEK ciphertext and the encrypted virtual machine image file have been stored together in the storage pool, the DEK plaintext is deleted; and after the virtual machine image file has been decrypted with the DEK plaintext obtained for it, the DEK plaintext is deleted again. Deleting the DEK plaintext promptly prevents it from leaking and further improves the security of data in the data center.
The present application also provides a system for protecting a virtual machine image in a cloud environment. The system mainly consists of two parts: a key management module and a virtual machine image module. When a virtual machine image file is created, the key management module adds the first password, creates DEK plaintext and DEK ciphertext based on the trusted platform module, and sends both to the virtual machine image module. The virtual machine image module encrypts the virtual machine image file with the DEK plaintext and stores the DEK ciphertext and the encrypted virtual machine image file together in the storage pool. When the virtual machine image file is read, the virtual machine image module obtains the DEK ciphertext and the second password entered by the current tenant and sends both to the key management module; the key management module determines whether the second password is the same as the first password and, when the two are the same, calls the trusted platform module to obtain the DEK plaintext from the DEK ciphertext and sends the DEK plaintext to the virtual machine image module. By providing these two parts, the key management module can add the first password when the virtual machine image file is created, and the virtual machine image module can obtain the second password when the encrypted virtual machine image file is read and have it compared with the first password, which greatly improves the confidentiality of virtual machine image data in the cloud environment, that is, greatly improves the security of data center data.
It should be understood that the above general description and the following detailed description are only exemplary and explanatory and do not limit the present application.
Description of the drawings
The accompanying drawings are incorporated into and constitute a part of this specification; they show embodiments consistent with the present application and, together with the specification, serve to explain its principles.
In order to describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, those of ordinary skill in the art can derive other drawings from these drawings without creative effort.
FIG. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment provided by an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a system for protecting a virtual machine image in a cloud environment provided by an embodiment of the present application.
Detailed description
In order to enable those skilled in the art to better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present application without creative effort shall fall within the scope of protection of the present application.
For a better understanding of the present application, its embodiments are explained in detail below with reference to the accompanying drawings.
Embodiment 1
Referring to FIG. 1, FIG. 1 is a schematic flowchart of a method for protecting a virtual machine image in a cloud environment provided by an embodiment of the present application. As FIG. 1 shows, the method for protecting a virtual machine image in a cloud environment in this embodiment mainly includes the following steps:
S01: when a virtual machine image file is created, add a first password, where the first password is a password set by the tenant.
In this embodiment, the first password set in advance by the tenant is added when the virtual machine image file is created. When that image file is loaded, the contents of the virtual machine disk image can be obtained only if the second password entered by the current tenant is the same as the first password, rather than being obtainable from the DEK ciphertext alone. The first password therefore greatly improves the confidentiality of virtual machine images in the cloud environment and thus the security of data center data.
S02: create DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password.
In this embodiment the DEK plaintext and DEK ciphertext are used for virtual machine image encryption. Specifically, step S02 includes the following sub-steps:
S021: create the DEK plaintext and an RSA public-private key pair based on the trusted platform module according to the first password;
S022: encrypt the DEK plaintext with the RSA public-private key pair to obtain the DEK ciphertext.
In this embodiment the trusted platform module may be a TPM chip. Following steps S021 and S022, creating the DEK plaintext and DEK ciphertext on the trusted platform module proceeds as follows: first, the TPM command TPM2_GetRandom is called to generate a random number, which serves as the DEK plaintext; then, according to the first password entered by the tenant, the TPM command TPM2_Create is called to create the RSA public-private key pair, namely Rsa_pri and Rsa_pub, where Rsa_pub is the public key and may be stored outside the TPM chip; finally, the TPM command TPM2_RSA_Encrypt is called to encrypt the DEK plaintext and obtain the DEK ciphertext.
Continuing with FIG. 1, after the DEK plaintext and DEK ciphertext have been created, step S03 is executed: encrypt the virtual machine image file with the DEK plaintext to obtain an encrypted virtual machine image file.
In this embodiment, the virtual machine image file is encrypted with the DEK plaintext by AES encryption. That is, the newly created virtual machine image file is AES-encrypted using the DEK plaintext as the AES key, yielding the encrypted virtual machine image file.
Once the encrypted virtual machine image file has been obtained, step S04 is executed: store the DEK ciphertext and the encrypted virtual machine image file together in the storage pool.
The storage pool in this embodiment is the storage pool of the cloud environment, used to hold virtual machine image files.
After the virtual machine image file has been created through steps S01-S04, step S06 is executed: when the encrypted virtual machine image file is read, obtain the second password and the DEK ciphertext, where the second password is the password entered by the current tenant.
S07: determine whether the second password is the same as the first password.
If the second password is the same as the first password, step S08 is executed: the trusted platform module obtains the DEK plaintext from the DEK ciphertext.
If the second password differs from the first password, the second password entered by the current tenant is incorrect, and the method returns to step S06 to obtain the second password again.
S09: decrypt the virtual machine image file with the DEK plaintext.
Corresponding to step S03, the virtual machine image file is decrypted in this embodiment by AES decryption. The specific AES decryption method is that of the prior art and is not repeated here.
As steps S06-S09 show, when the virtual machine image file is loaded, the DEK ciphertext matching that image file and the second password entered by the current tenant are obtained first; the TPM chip's TPM2_RSA_Decrypt command is then called with the second password entered by the current tenant to decrypt the DEK ciphertext; when the second password is the same as the first password, the second password entered by the current tenant is judged correct and decrypting the DEK ciphertext yields the DEK plaintext; the virtual machine image file is then AES-decrypted with the recovered DEK plaintext, finally yielding the virtual machine image in plaintext.
Further, in this embodiment, step S04 is followed by step S05: delete the DEK plaintext; and step S09 is followed by step S10: delete the DEK plaintext.
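The create path S01-S05 and the read path S06-S10 above (and the same steps summarized at the start of this section), as an added example that is not part of the patent: Go code with a software stand-in for the TPM, in which tpmKey, tpmCreateDEKAndKey and tpmRSADecrypt are constructed names, RSA-OAEP wraps the DEK, and AES-256-GCM is the assumed AES mode since the page only says AES. A real implementation would send the corresponding TPM2_GetRandom, TPM2_Create, TPM2_RSA_Encrypt and TPM2_RSA_Decrypt commands to the chip, which would hold Rsa_pri and enforce the password check itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"io"
)

// Assumption: the TPM is simulated in software. A real deployment issues TPM2_Create and
// TPM2_RSA_Decrypt to the chip, where Rsa_pri never leaves and the chip enforces the auth.
type tpmKey struct {
	priv *rsa.PrivateKey
	auth [32]byte // auth value bound at TPM2_Create: hash of the tenant's first password
}

// tpmCreateDEKAndKey is step S021: TPM2_GetRandom yields the DEK plaintext, TPM2_Create an
// RSA pair bound to the first password. *tpmKey acts as the key handle; only Rsa_pub is exported.
func tpmCreateDEKAndKey(firstPassword string) ([]byte, *tpmKey, *rsa.PublicKey, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	k := &tpmKey{priv: priv, auth: sha256.Sum256([]byte(firstPassword))}
	return dek, k, &priv.PublicKey, nil
}

// tpmRSADecrypt stands in for TPM2_RSA_Decrypt: no DEK unless the second password matches the first (S07/S08).
func tpmRSADecrypt(k *tpmKey, secondPassword string, dekCipher []byte) ([]byte, error) {
	got := sha256.Sum256([]byte(secondPassword))
	if subtle.ConstantTimeCompare(got[:], k.auth[:]) != 1 {
		return nil, errors.New("tpm: authorization failure")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, dekCipher, nil)
}

// StoredImage is what the storage pool holds after S04: DEK ciphertext beside the encrypted image, never the DEK plaintext.
type StoredImage struct {
	Key       *tpmKey // handle of the password-bound RSA key
	DEKCipher []byte
	Nonce     []byte
	Image     []byte
}

func aesGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero wipes DEK plaintext from memory (steps S05 and S10).
func zero(b []byte) { for i := range b { b[i] = 0 } }

// CreateImage runs S01-S05. AES mode is an assumption (the page only says AES): AES-256-GCM.
func CreateImage(firstPassword string, image []byte) (*StoredImage, error) {
	dek, key, pub, err := tpmCreateDEKAndKey(firstPassword)
	if err != nil {
		return nil, err
	}
	// S022: TPM2_RSA_Encrypt needs only Rsa_pub, so wrapping the DEK can run outside the chip.
	dekCipher, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	aead, err := aesGCM(dek) // S03
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	enc := aead.Seal(nil, nonce, image, nil)
	zero(dek) // S05: wipe the DEK plaintext once both ciphertexts exist
	return &StoredImage{Key: key, DEKCipher: dekCipher, Nonce: nonce, Image: enc}, nil
}

// ReadImage runs S06-S10: unwrap the DEK inside the TPM with the second password, decrypt, wipe (S10).
func ReadImage(secondPassword string, s *StoredImage) ([]byte, error) {
	dek, err := tpmRSADecrypt(s.Key, secondPassword, s.DEKCipher)
	if err != nil {
		return nil, err // S09 never reached; the caller returns to S06 for a new password
	}
	defer zero(dek)
	aead, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Image, nil)
}
```

With GCM, a stored image that has been modified in the pool fails to open even when the second password is correct, which plain AES as described on the page would not detect.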
Steps S05 and S10 effectively prevent a malicious administrator in a public or hybrid cloud environment from illegitimately snooping on tenants' sensitive data, help protect the confidentiality of virtual machine image files in the cloud environment, and thereby raise the data security level of the virtual data center and greatly improve the security of data center data.
In summary, the method for protecting a virtual machine image in a cloud environment in this embodiment strengthens the confidentiality of the virtual machine image file mainly in two phases: creating the image file and reading it. Adding the first password when the image file is created, and checking that the second password entered by the current tenant matches the first password when the encrypted image file is read, raises the data security level of the virtual data center.
Embodiment 2
Building on the embodiment shown in FIG. 1, refer to FIG. 2, which is a schematic structural diagram of a system for protecting a virtual machine image in a cloud environment provided by an embodiment of the present application. As FIG. 2 shows, the system in this embodiment mainly consists of two parts: a key management module and a virtual machine image module. The key management module is configured to add a first password when a virtual machine image file is created, to create DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password, and to send the DEK plaintext and DEK ciphertext to the virtual machine image module, the first password being a password set by the tenant. The virtual machine image module is configured to encrypt the virtual machine image file with the DEK plaintext to obtain an encrypted virtual machine image file, and to store the DEK ciphertext and the encrypted virtual machine image file together in the storage pool. The virtual machine image module is further configured, when the encrypted virtual machine image file is read, to obtain a second password and the DEK ciphertext and to send both together to the key management module, where the second password is the password entered by the current tenant. The key management module is further configured to determine whether the second password is the same as the first password and, when the two are the same, to call the trusted platform module to obtain the DEK plaintext from the DEK ciphertext and send the DEK plaintext to the virtual machine image module. The virtual machine image module is further configured to decrypt the virtual machine image file with the DEK plaintext.
Further, the key management module includes a password adding unit, a key creation unit, a first sending unit, a judging unit and a DEK plaintext obtaining unit. The password adding unit adds the first password when the virtual machine image file is created, the first password being a password set by the tenant; the key creation unit creates the DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password; the first sending unit sends the DEK plaintext and DEK ciphertext to the virtual machine image module; the judging unit determines whether the second password is the same as the first password, the second password being the password entered by the current tenant; the DEK plaintext obtaining unit calls the trusted platform module to obtain the DEK plaintext from the DEK ciphertext when the second password is the same as the first password; and the first sending unit further sends the DEK plaintext to the virtual machine image module once it has been obtained from the DEK ciphertext.
The key creation unit in turn includes a DEK plaintext and RSA key pair creation sub-unit and a DEK ciphertext creation sub-unit. The DEK plaintext and RSA key pair creation sub-unit creates the DEK plaintext and an RSA public-private key pair based on the trusted platform module according to the first password; the DEK ciphertext creation sub-unit encrypts the DEK plaintext with the RSA public-private key pair to obtain the DEK ciphertext. After the DEK plaintext and RSA key pair creation sub-unit has created the RSA key pair, the RSA public key may be stored outside the TPM chip, for example on the disk of the key management module.
The virtual machine image module includes an encryption unit, a storage unit, an obtaining unit, a second sending unit and a decryption unit. The encryption unit encrypts the virtual machine image file with the DEK plaintext to obtain the encrypted virtual machine image file; the storage unit stores the DEK ciphertext and the encrypted virtual machine image file together in the storage pool; the obtaining unit obtains the second password and the DEK ciphertext when the encrypted virtual machine image file is read; the second sending unit sends the second password and the DEK ciphertext together to the key management module; and the decryption unit decrypts the virtual machine image file with the DEK plaintext.
In this embodiment the encryption unit is an AES encryption unit and the decryption unit is an AES decryption unit.
Further, in this embodiment the key management module is also provided with a first deletion unit, which deletes the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file have been stored together in the storage pool. The virtual machine image module also includes a second deletion unit, which deletes the DEK plaintext after the virtual machine image file has been decrypted with it.
The working principle and operation of the system for protecting a virtual machine image in a cloud environment in this embodiment have been described in detail in the embodiment shown in FIG. 1 and are not repeated here. For parts of this embodiment not described in detail, reference may likewise be made to the embodiment shown in FIG. 1; the two embodiments may be read with reference to each other.
The above are only specific embodiments of the present application, provided so that those skilled in the art can understand or implement it. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. The present application is therefore not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

  1. A method for protecting a virtual machine image in a cloud environment, characterized in that the method comprises:
    when a virtual machine image file is created, adding a first password, the first password being a password set by the tenant;
    creating DEK plaintext and DEK ciphertext based on a trusted platform module according to the first password;
    encrypting the virtual machine image file with the DEK plaintext to obtain an encrypted virtual machine image file;
    storing the DEK ciphertext and the encrypted virtual machine image file together in a storage pool;
    when the encrypted virtual machine image file is read, obtaining a second password and the DEK ciphertext, the second password being the password entered by the current tenant;
    determining whether the second password is the same as the first password;
    if so, the trusted platform module obtaining the DEK plaintext from the DEK ciphertext;
    decrypting the virtual machine image file with the DEK plaintext.
  2. The method for protecting a virtual machine image in a cloud environment according to claim 1, characterized in that creating the DEK plaintext and DEK ciphertext based on the trusted platform module according to the first password comprises:
    creating the DEK plaintext and an RSA public-private key pair based on the trusted platform module according to the first password;
    encrypting the DEK plaintext with the RSA public-private key pair to obtain the DEK ciphertext.
  3. The method for protecting a virtual machine image in a cloud environment according to claim 1, characterized in that the trusted platform module is a TPM chip.
  4. The method for protecting a virtual machine image in a cloud environment according to claim 1, characterized in that the virtual machine image file is encrypted by AES encryption and decrypted by AES decryption.
  5. The method for protecting a virtual machine image in a cloud environment according to claim 1, characterized in that, after the DEK ciphertext and the encrypted virtual machine image file have been stored together in the storage pool, and after the virtual machine image file has been decrypted with the DEK plaintext, the method further comprises:
    deleting the DEK plaintext.
  6. A system for protecting a virtual machine image in a cloud environment, characterized in that the system comprises:
    a key management module, configured to add a first password when a virtual machine image file is created, to create DEK plaintext and DEK ciphertext based on a trusted platform module according to the first password, and to send the DEK plaintext and the DEK ciphertext to a virtual machine image module, the first password being a password set by the tenant;
    a virtual machine image module, configured to encrypt the virtual machine image file with the DEK plaintext to obtain an encrypted virtual machine image file, and to store the DEK ciphertext and the encrypted virtual machine image file together in a storage pool;
    the virtual machine image module being further configured, when the encrypted virtual machine image file is read, to obtain a second password and the DEK ciphertext and to send the second password and the DEK ciphertext together to the key management module, the second password being the password entered by the current tenant;
    the key management module being further configured to determine whether the second password is the same as the first password and, when the two are the same, to call the trusted platform module to obtain the DEK plaintext from the DEK ciphertext and to send the DEK plaintext to the virtual machine image module;
    the virtual machine image module being further configured to decrypt the virtual machine image file with the DEK plaintext.
  7. The system for protecting a virtual machine image in a cloud environment according to claim 6, characterized in that the key management module comprises:
    a password adding unit, configured to add the first password when the virtual machine image file is created, the first password being a password set by the tenant;
    a key creation unit, configured to create the DEK plaintext and the DEK ciphertext based on the trusted platform module according to the first password;
    a first sending unit, configured to send the DEK plaintext and the DEK ciphertext to the virtual machine image module;
    a judging unit, configured to determine whether the second password is the same as the first password, the second password being the password entered by the current tenant;
    a DEK plaintext obtaining unit, configured to call the trusted platform module to obtain the DEK plaintext from the DEK ciphertext when the second password is the same as the first password;
    the first sending unit being further configured to send the DEK plaintext to the virtual machine image module after it has been obtained from the DEK ciphertext.
  8. The system for protecting a virtual machine image in a cloud environment according to claim 6, wherein the virtual machine image module comprises:
    an encryption unit, configured to encrypt the virtual machine image file using the DEK plaintext to obtain an encrypted virtual machine image file;
    a storage unit, configured to store the DEK ciphertext and the encrypted virtual machine image file together in a storage pool;
    an obtaining unit, configured to obtain a second password and the DEK ciphertext when the encrypted virtual machine image file is read;
    a second sending unit, configured to send the second password and the DEK ciphertext together to the key management module;
    a decryption unit, configured to decrypt the virtual machine image file using the DEK plaintext.
  9. The system for protecting a virtual machine image in a cloud environment according to claim 8, wherein the encryption unit is an AES encryption unit and the decryption unit is an AES decryption unit.
  10. The system for protecting a virtual machine image in a cloud environment according to any one of claims 6 to 9, wherein the key management module further comprises a first deletion unit, configured to delete the DEK plaintext after the DEK ciphertext and the encrypted virtual machine image file have been stored together in the storage pool;
    and the virtual machine image module further comprises a second deletion unit, configured to delete the DEK plaintext after the virtual machine image file has been decrypted using the DEK plaintext.
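The two modules of claims 6 to 10 describe an envelope-encryption flow: a per-image DEK encrypts the image, the TPM seals the DEK, and the sealed DEK is stored next to the encrypted image; on read, the tenant's password gates the unseal, and the DEK plaintext is wiped after each use. The Go program below is an added illustration of that flow and is not code from the patent or its applicant. Its names (keyManager, imageModule, createDEK, recoverDEK, createImage, readImage, the srk field) are invented for the example. Two things are deliberately swapped in: the TPM is simulated by a software storage root key that never leaves the key manager (a real build would use the TPM's own seal/unseal and could bind the blob to PCR state), and instead of retaining the first password to compare against, as the claims' "judge whether the second password is identical to the first" implies, the key manager keeps a per-image salt and HMAC-SHA256 of it and compares in constant time. Claim 9 names AES without a mode; AES-256-GCM is used here so that a modified image or DEK ciphertext is rejected instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is fatal; never continue with a weak key
	}
	return b
}

func gcm(key []byte) cipher.AEAD { // keys here are always 32 random bytes; a bad key is a bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	return g
}

// encryptGCM returns nonce||ciphertext||tag; decryptGCM reverses it and fails on a wrong key or tampering.
func encryptGCM(key, plaintext []byte) []byte {
	nonce := random(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

func decryptGCM(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

func zeroize(b []byte) { // the claims' "delete the DEK plaintext" step (claim 10)
	for i := range b {
		b[i] = 0
	}
}

// keyManager is the claims' key management module. srk simulates the TPM storage root key: DEKs are
// sealed under it and it never leaves this struct. A salted HMAC stands in for the stored first password.
type keyManager struct {
	srk       []byte
	verifiers map[string][2][]byte // imageID -> {salt, HMAC-SHA256(salt, password)}
}

func pwHash(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// createDEK records the first password and returns a fresh DEK plaintext with its sealed ciphertext.
func (km *keyManager) createDEK(imageID, password string) (dek, dekCipher []byte) {
	salt := random(16)
	km.verifiers[imageID] = [2][]byte{salt, pwHash(salt, password)}
	dek = random(32)
	return dek, encryptGCM(km.srk, dek)
}

// recoverDEK unseals only when the second password matches the first.
func (km *keyManager) recoverDEK(imageID, password string, dekCipher []byte) ([]byte, error) {
	v, ok := km.verifiers[imageID]
	if !ok || !hmac.Equal(v[1], pwHash(v[0], password)) {
		return nil, errors.New("password mismatch")
	}
	return decryptGCM(km.srk, dekCipher)
}

// imageModule is the claims' virtual machine image module; pool is the storage pool.
type stored struct{ dekCipher, encImage []byte }
type imageModule struct {
	km   *keyManager
	pool map[string]stored
}

func newImageModule() *imageModule {
	km := &keyManager{srk: random(32), verifiers: map[string][2][]byte{}}
	return &imageModule{km: km, pool: map[string]stored{}}
}

// createImage encrypts with the DEK plaintext, stores DEK ciphertext beside the encrypted image, wipes the DEK.
func (im *imageModule) createImage(imageID, password string, image []byte) {
	dek, dekCipher := im.km.createDEK(imageID, password)
	defer zeroize(dek)
	im.pool[imageID] = stored{dekCipher, encryptGCM(dek, image)}
}

// readImage hands the second password and DEK ciphertext to the key manager, decrypts, wipes the DEK.
func (im *imageModule) readImage(imageID, password string) ([]byte, error) {
	s := im.pool[imageID] // unknown image: zero fields, rejected by recoverDEK
	dek, err := im.km.recoverDEK(imageID, password, s.dekCipher)
	if err != nil {
		return nil, err
	}
	defer zeroize(dek)
	return decryptGCM(dek, s.encImage)
}
```

Two caveats a practitioner should carry over from this sketch. First, zeroizing the dek slice clears only that buffer; the expanded AES key schedule inside the cipher object stays on the Go heap until it is collected, so the "delete the DEK plaintext" step of claim 10 is best effort in a garbage-collected language. Second, the claims have the image module "send" the second password to the key management module; here both live in one process, but in a deployed system that channel carries the tenant's password and the DEK plaintext and needs the same protection as the DEK itself.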

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910912822.X 2019-09-25
CN201910912822.XA CN110806919B (en) 2019-09-25 2019-09-25 Method and system for protecting virtual machine image in cloud environment

Publications (1)

Publication Number Publication Date
WO2021057024A1 true WO2021057024A1 (en) 2021-04-01

Family

ID=69487744

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/087164 WO2021057024A1 (en) 2019-09-25 2020-04-27 Method and system for protecting virtual machine image in cloud environment

Country Status (2)

Country Link
CN (1) CN110806919B (en)
WO (1) WO2021057024A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110806919B (en) * 2019-09-25 2021-11-02 苏州浪潮智能科技有限公司 Method and system for protecting virtual machine image in cloud environment
CN111741068B (en) * 2020-05-20 2022-03-18 中国电子科技网络信息安全有限公司 Data encryption key transmission method
CN112052446A (en) * 2020-09-14 2020-12-08 北京数字认证股份有限公司 Password unit creation method, data processing method and device and electronic equipment
WO2022088194A1 (en) * 2020-11-02 2022-05-05 华为技术有限公司 Security processing apparatus, security processing method, and related device
CN113703927B (en) * 2021-10-29 2022-02-11 杭州链城数字科技有限公司 Data processing method, privacy computing system, electronic device, and storage medium
CN114296873B (en) * 2021-12-24 2023-03-24 海光信息技术股份有限公司 Virtual machine image protection method, related device, chip and electronic equipment
CN116842529A (en) * 2023-07-13 2023-10-03 海光信息技术股份有限公司 Software file, software running method and related devices thereof

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088367A (en) * 2010-12-10 2011-06-08 北京世纪互联工程技术服务有限公司 Method for quickly deploying in virtualization environment
CN102624522A (en) * 2012-03-30 2012-08-01 华中科技大学 Key encryption method based on file attribution
CN103138939A (en) * 2013-03-28 2013-06-05 武汉大学 Secret key use time management method based on credible platform module under cloud storage mode
US9660906B2 (en) * 2014-03-11 2017-05-23 Fujitsu Limited Method for acquiring packet, device and recording medium
CN107169373A (en) * 2017-05-11 2017-09-15 山东超越数控电子有限公司 A kind of virtual machine image file guard method and system
CN110806919A (en) * 2019-09-25 2020-02-18 苏州浪潮智能科技有限公司 Method and system for protecting virtual machine image in cloud environment

Also Published As

Publication number Publication date
CN110806919A (en) 2020-02-18
CN110806919B (en) 2021-11-02

Similar Documents

Publication Publication Date Title
WO2021057024A1 (en) Method and system for protecting virtual machine image in cloud environment
US7639819B2 (en) Method and apparatus for using an external security device to secure data in a database
US10586057B2 (en) Processing data queries in a logically sharded data store
CN107506659B (en) Data protection system and method of general database based on SGX
US7318235B2 (en) Attestation using both fixed token and portable token
WO2018032377A1 (en) Read-only security file storage system for block chain, and method thereof
US7480806B2 (en) Multi-token seal and unseal
US11184164B2 (en) Secure crypto system attributes
RU2756040C2 (en) Addressing trusted execution environment using signature key
US11232222B2 (en) Access management system, access management method and program
WO2016173264A1 (en) Electronic data protection method and device, and terminal device
US11436345B2 (en) Protection of secret client data in a multiple client data deduplication environment
CN104618096B (en) Protect method, equipment and the TPM key administrative center of key authorization data
US8181028B1 (en) Method for secure system shutdown
US10397216B2 (en) Systems and methods for performing secure backup operations
WO2022028289A1 (en) Data encryption method and apparatus, data decryption method and apparatus, terminal, and storage medium
US20030174842A1 (en) Managing private keys in a free seating environment
US20080235521A1 (en) Method and encryption tool for securing electronic data storage devices
US10164955B1 (en) Volatile encryption keys
KR20180010482A (en) Method and apparatus for security of internet of things devices
WO2023207975A1 (en) Data transmission method and apparatus, and electronic device
AU2017440029A1 (en) Cryptographic key generation for logically sharded data stores
CN110837634B (en) Electronic signature method based on hardware encryption machine
CN111949999A (en) Apparatus and method for managing data
JP2018110442A (en) Access management system, access management method, and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20869417

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20869417

Country of ref document: EP

Kind code of ref document: A1
