CN101295342A - Magnetic disk enciphering and recovery method based on single file system - Google Patents


Info

Publication number
CN101295342A
Authority
CN
China
Prior art keywords
disk
file
user
backup
txt
Prior art date
Legal status
Pending
Application number
CN 200810056742
Other languages
Chinese (zh)
Inventor
张悠慧
张辉
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Priority date
2008-01-24
Filing date
2008-01-24
Publication date
2008-10-29
Application filed by Tsinghua University; priority to CN 200810056742; publication of CN101295342A; legal status: Pending

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a disk encryption and recovery method based on a single-file system, which improves the security of existing storage systems. The technical scheme comprises the following steps: a single file whose name is specified by the user is formatted, and at the same time the size of the file and the login password for entering the disk once the file is mounted as a disk are set; the formatted file is mounted as a local disk of the computer system, with a drive letter specified by the user, and provided to the user for use; during the user's use, read and write operations on the disk are decrypted or encrypted; and the mounted disk is unmounted.

Description

Disk encryption and recovery method based on a single-file system
Technical field
The invention belongs to the field of computer storage system architecture, and in particular is a disk encryption and recovery method based on a single-file system. The method uses a single-file system as a trusted disk on the computer system and encrypts, backs up and recovers the file contents on that disk, thereby greatly improving the security of existing storage systems. The invention can also be applied to the now widely used mobile storage peripherals (including USB portable hard drives, flash disks, flash cards and so on), markedly improving their security.
Background technology
Threats to the security of computer systems come from many directions, and among them the destruction of data on disk is one of the most serious. Survey data from the well-known research firm Gartner show that, of the enterprises that have experienced a complete loss of data causing system shutdown, two fifths never resume operation, and one third of the remainder declare bankruptcy within two years. In other words, sixty percent of enterprises close down because of a complete loss of data. Partial loss or theft of data damages an enterprise as well, yet many enterprises still take no corresponding measures. A report issued at the end of July by the IT Policy Compliance Group on the reputational and revenue risks of compliance failures shows an equally alarming result: 87% of the enterprises surveyed had not deployed a suitable compliance-oriented IT management solution to reduce the risk of data loss; that is, about 9 out of every 10 enterprises face financial risk caused by data loss or theft. Another threat to the security of disk data is the loss of the disk or mobile storage peripheral itself. Whether it is stolen deliberately by someone else or lost accidentally by its owner, if no reliable cryptographic algorithm encrypts the data on the storage device, important private data on the disk can leak. At the small scale this is an invasion of an individual's privacy; at the large scale it can threaten national security.
From the angle of data recovery, many different backup schemes can be adopted to protect data so that it can be restored if it is damaged or lost through an accident. By backup granularity they divide into block-level incremental backup, file-level backup and whole-disk backup; in terms of backup volume, the block level is the smallest and the disk level the largest.
From the angle of data encryption, applying a high-strength encryption algorithm to all of the data reduces the possibility that the encrypted data is cracked. In this way, even when a mobile storage peripheral is lost, the data does not leak and private data does not fall into hostile hands.
The crucial problem is therefore how to use data recovery and encryption technology to improve the security of computer systems and reduce the threats to important data from all sides, while remaining cheap and general.
At present, the use of mobile storage devices (such as portable hard drives and flash disks) is so widespread that they have almost become standard equipment for PCs. Like the hard disk, the mobile storage device has become an indispensable link in the storage system of a PC, and protecting the data on it is as important as protecting any other device.
Summary of the invention
The purpose of this invention is to provide a disk encryption and recovery method based on a single-file system that can improve the security of existing storage systems.
The technical scheme of the present invention is a disk encryption and recovery method based on a single-file system, characterized by comprising the following steps: a single file whose name is specified by the user is formatted, and at the same time the size of the file and the login password for entering the disk once the file is mounted as a disk are set;
the formatted file is mounted as a local disk of the computer system, with a drive letter specified by the user, and provided to the user for use;
during the user's use, read and write operations on the disk are decrypted or encrypted;
the mounted disk is unmounted.
The step of mounting the file as a local disk of the computer comprises: determining the user's usage mode and executing the corresponding commands according to that mode;
if the user mounts the file as a disk in administrator mode, the user can add a Log.txt file to the mounted disk, which provides the names of the read-only files, and at the same time add a DRLog.txt file, which provides the names of the files that need backup and recovery; the files listed in Log.txt and DRLog.txt are added to the mounted disk, together with the files that may be used freely in user mode and need neither backup nor restoration;
if the user mounts the file as a disk in user mode, the files on the disk whose names are given in Log.txt can only be read in user mode; the other files on the disk can be operated on arbitrarily in user mode.
The step of decrypting or encrypting the read and write operations on the disk comprises: every read operation on the disk is decrypted in units of data blocks, and every write operation on the disk is encrypted in units of data blocks.
The step of unmounting the mounted disk specifically comprises: determining whether the files listed in DRLog.txt need to be backed up and, if so, exiting in backup mode from the command line; if no backup is needed, determining whether the files listed in DRLog.txt need to be recovered and, if so, exiting in recovery mode from the command line; if the files in DRLog.txt need no recovery either, exiting in the normal way.
In the backup mode, when administrator mode is exited the system backs up the files listed in DRLog.txt, stores the backups in the form of hidden files, and then performs the disk unmount operation.
In the recovery mode, when administrator mode is exited the system recovers the files listed in DRLog.txt and then performs the disk unmount operation.
The effect of the present invention is as follows. Its core is to use a single file as a file system, serving as the storage medium for certain data on the host (typically important data that must be kept secret or must not be lost or damaged), to back up the important data within it, and to recover that data when needed. At the same time the whole single-file system is one file encrypted with a high-strength encryption algorithm, so that whether the host hard disk or the mobile storage peripheral is lost, the data is guaranteed not to leak.
The present invention has the following characteristics: (1) generality and low cost: it can be implemented on existing hard disks and mobile storage devices without adding any hardware; (2) high efficiency: any operation on the single-file system is as fast as the same operation on any ordinary local disk, and since the USB protocol has reached version 2.0, with a maximum transfer rate of 480 Mbps, and IEEE 1394 is of the same order of magnitude, no delay is felt even when the single-file system resides on a mobile storage peripheral; (3) currency: data encryption, backup and recovery technology is still developing and will not become outdated from a technical standpoint.
The main innovations of the present invention are as follows: 1. a single file is mounted as a disk and used as a file system; 2. the single file itself is encrypted with a high-strength encryption algorithm; 3. every file read or write on the mounted disk is an encrypted operation.
The present invention is described further below in conjunction with drawings and Examples.
Description of drawings
Fig. 1 is the operational flowchart of the present invention;
Fig. 2 is the flowchart of the FormatVolume program of the present invention;
Fig. 3 is the flowchart of the MountVolume program of the present invention;
Fig. 4 is the flowchart of the TCSDReadLog and TCStopDelete programs of the present invention;
Fig. 5 is the flowchart of the TCDRReadLog program of the present invention.
Embodiment
The hardware and software structure of the disk encryption and recovery method based on a single-file system is as follows:
a PC, a mobile device, the single-file-system disk encryption and recovery software, the relevant application programs and a Windows platform. As shown in Fig. 1, the overall operating procedure of the system is as follows:
Step 1: format a single file, say file A, with the Format command; during this process the size of the single file A can be set, as well as the password for entering the file system once it is mounted as a disk.
Step 2: mount the single file A as a disk in administrator mode, say disk X; the drive letter can be chosen freely by the user. This operation is completed on the command line.
Step 3: the administrator adds a Log.txt file to disk X, which provides the names of the read-only files, and at the same time a DRLog.txt file, which provides the names of the files that need backup and recovery.
Step 4: the administrator adds the files listed in Log.txt and DRLog.txt to disk X, and at the same time adds the files that may be used freely in user mode and need neither backup nor restoration.
Step 5: when exiting the mounted disk, make the following judgment:
do the files in DRLog.txt need to be backed up? If so, exit in backup mode from the command line. Do the files in DRLog.txt need to be recovered? If so, exit in recovery mode from the command line. If neither of the two cases applies, exit normally.
Step 6: mount disk X through the graphical user interface, entering the password given at Format time, and the file system is ready for the user.
The relevant details are described below.
1. Disk structure: the volume header (Volume Header)
The user password entered when Format is used in the present invention is not simply compared for a match on later use; instead, the password drives a series of encryption processes.
Encryption of the Volume Header:
First, the Volume Header is encrypted when the program calls Format. The program reads the first 512 bytes of the single file A being formatted and places them in RAM. The first 64 bytes of these 512 bytes serve as the random value (salt). The salt is filled in by the random number generator when the Volume is created.
Second, the password entered by the user and the salt read in the previous step are passed to the key generation function HMAC-RIPEMD-160 of the Volume Header, which generates the master key and the assistant key needed to encrypt the Volume Header. Because the salt is 512 bits long, each user password can produce 2^512 different keys, which greatly reduces the possibility that the key is cracked.
Third, the Volume Header is encrypted with the AES-256 algorithm. The key comes from the master and assistant keys produced in the previous step, and its length is 256 bits (since the algorithm is AES-256).
Finally, the first 512 bytes of the single file A are filled by the random number generator. The master key begins at position #288 and the assistant key at position #256; their role is to provide the keys for the encryption of file reads and writes.
Criterion for successful decryption of the Volume Header:
After the decryption operation has run, if the 4 bytes beginning at byte #64 of the first 512 bytes of the single file A decrypt to the ASCII string "TRUE", and the decrypted CRC-32 checksum value at #72 matches that of the last 256 bytes (the decrypted value at #8), then the Volume Header has been decrypted successfully.
2. File read/write encryption
After the Volume Header has been decrypted successfully, the master and assistant keys can be read from #288 and #256 of the first 512 bytes of the single file A.
Once A is mounted as disk X, every read of a file on X is decrypted with the AES-256 algorithm and every write of a file on X is encrypted with the AES-256 algorithm. Encryption and decryption run in both administrator mode and user mode.
Thus all data on the SFCB is guaranteed to be ciphertext with no plaintext present, which guarantees the confidentiality of file contents.
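The header layout and the per-block cipher described in sections 1 and 2 above, as an added Go example that is not part of the patent or its software. It keeps the page's offsets (64-byte salt, "TRUE" at #64, CRC-32 at #72, assistant key at #256, master key at #288) and its two acceptance checks, and it makes the following assumptions where the page is silent: the password-to-key step is single-block PBKDF2 over HMAC-SHA-256 in place of the HMAC-RIPEMD-160 the page names (Go's standard library ships no RIPEMD-160), the iteration count `kdfRounds`, AES-256-CTR with an IV taken from the salt for the header, and AES-256-CBC with an ESSIV-style per-sector IV under the assistant key for disk blocks; the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Offsets into the 512-byte volume header of single file A, as the description gives them.
const (
	headerSize   = 512
	saltSize     = 64   // bytes 0..63: random salt written by the Format program
	magicOff     = 64   // bytes 64..67 decrypt to ASCII "TRUE"
	crcOff       = 72   // bytes 72..75: CRC-32 of the last 256 header bytes
	assistKeyOff = 256  // assistant key, 32 bytes
	masterKeyOff = 288  // master key, 32 bytes
	keySize      = 32   // AES-256
	kdfRounds    = 2000 // assumed iteration count; the page states none
)

// deriveHeaderKey turns the login password and salt into the AES-256 header key. The page
// names HMAC-RIPEMD-160; single-block PBKDF2 over HMAC-SHA-256 stands in for it here.
func deriveHeaderKey(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfRounds; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out[:keySize]
}

// headerStream encrypts or decrypts header bytes 64..511 in place (AES-256-CTR, IV = first
// 16 salt bytes; the page names only AES-256, so the mode and IV are assumptions).
func headerStream(password, salt, body []byte) {
	blk, _ := aes.NewCipher(deriveHeaderKey(password, salt)) // 32-byte key: cannot fail
	cipher.NewCTR(blk, salt[:aes.BlockSize]).XORKeyStream(body, body)
}

// formatVolume builds the encrypted header that Format writes at the start of file A.
func formatVolume(password []byte) ([]byte, error) {
	hdr := make([]byte, headerSize)
	if _, err := rand.Read(hdr); err != nil { // salt, filler and both keys are random
		return nil, err
	}
	copy(hdr[magicOff:], "TRUE")
	binary.LittleEndian.PutUint32(hdr[crcOff:], crc32.ChecksumIEEE(hdr[headerSize-256:]))
	headerStream(password, hdr[:saltSize], hdr[saltSize:])
	return hdr, nil
}

// mountVolume is the check MountVolume performs: decrypt the header with the entered
// password and accept it only when the "TRUE" magic and the CRC-32 both match.
func mountVolume(password, hdr []byte) (master, assist []byte, err error) {
	if len(hdr) != headerSize {
		return nil, nil, errors.New("header must be 512 bytes")
	}
	body := append([]byte(nil), hdr[saltSize:]...)
	headerStream(password, hdr[:saltSize], body)
	if string(body[:4]) != "TRUE" || binary.LittleEndian.Uint32(body[crcOff-saltSize:]) != crc32.ChecksumIEEE(body[len(body)-256:]) {
		return nil, nil, errors.New("wrong password or damaged header")
	}
	m, a := masterKeyOff-saltSize, assistKeyOff-saltSize
	return body[m : m+keySize], body[a : a+keySize], nil
}

// sectorCrypt is the per-block step run on every read (decrypt=true) and write (decrypt=false)
// of the mounted disk X: AES-256-CBC under the master key, with the IV made by encrypting
// the sector number under the assistant key so equal plaintext in two sectors differs on disk.
func sectorCrypt(master, assist []byte, sector uint64, in []byte, decrypt bool) ([]byte, error) {
	blk, err1 := aes.NewCipher(master)
	ivBlk, err2 := aes.NewCipher(assist)
	if err1 != nil || err2 != nil || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("need 32-byte keys and a non-empty multiple-of-16 sector")
	}
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	ivBlk.Encrypt(iv, iv)
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

func main() {
	hdr, _ := formatVolume([]byte("demo password"))
	_, _, err := mountVolume([]byte("wrong password"), hdr)
	fmt.Println("wrong password rejected:", err != nil)
}
```

A wrong password turns the header body into random-looking bytes, so the "TRUE" magic and the CRC-32 reject it without any stored copy of the password; the CRC-32 over the 256-byte key region also catches a damaged header before the keys are used. The per-sector IV is what keeps two sectors with identical contents from having identical ciphertext on disk, a property the page's "ciphertext only" guarantee needs but does not spell out.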
3. Interception of I/O requests
I/O requests are intercepted at the kernel layer. There are two cases for an I/O request:
In the first case the I/O request does not need to be intercepted, and the IRP is passed to the lower-level driver for handling.
In the second case the specific I/O request in the IRP needs to be intercepted. When the major function code of the IRP is a read or a write, the IRP is not passed to the lower-level driver; instead the program enters a specific completion routine. For example, for a read operation the data read is decrypted in the completion routine; for a write operation the data to be written is encrypted in the completion routine.
4. Application
Besides the host hard disk, the present invention can also be applied to mobile storage devices.
At present, storage devices supporting the connection interface protocols are supported by most mainstream operating systems, including the Windows series, Linux, Mac OS, Solaris and so on. In general, after such a device is connected to a computer, the operating system uses its driver to treat the device as an independent storage partition: under Windows 2000 it appears as a new disk, and under Linux it can be mapped as an independent disk to a directory, after which operating on it is no different from operating on the machine's own hard disk. The installation and use of mobile storage devices are therefore handled by the operating system, which also shows that the present invention has good portability and ease of use.
Reference implementation under the Windows system
The present invention has been applied successfully on Windows XP; the concrete system is composed as follows: Windows XP Professional (SP2); the Format program, user interface and driver of the present invention; the host hard disk or a USB 2.0 mobile storage device. The process is described as follows:
Under Windows the present invention comprises two layers of calls: user level and kernel level.
1. The main user-level functions called are FormatVolume and MountVolume. The operating procedure is as follows:
The FormatVolume function is called to format the single file A, including the disk size and the login password (both specified manually); the MountVolume function is then called to mount the single file A as the disk chosen by the user (such as X:).
Specifically (see Fig. 2), the steps are: issue the command to enter the name of the file to format; read the name of the file to be formatted; format the specified file; read the disk byte length and the password for entering the file system; perform the encryption for MountVolume; start the MountVolume program; mount the specified file as the disk chosen by the user.
The flowchart of the MountVolume program is shown in Fig. 3: first determine whether the file is already mounted; if it is, prompt the user that the file is already mounted; if it is not, verify the password entered by the user, pass the password and parameters from user mode to kernel mode, decrypt the Volume Header, obtain the disk read/write key, and mount the file as a disk.
2. The main kernel-level functions called are TCDRReadLog, TCSDReadLog and TCStopDelete. The operating procedure is as follows:
According to the user's input the following judgments are made: whether the disk is mounted in administrator mode or user mode, and, when the mounted disk is exited, whether recovery or backup is required or whether it exits normally.
If the disk is mounted in administrator mode, no operation on the disk is intercepted. If the disk is mounted in user mode, the function TCSDReadLog is called to obtain the names of the files that are readable but may be neither written nor deleted, and then the function TCStopDelete is called to prevent the specified files from being deleted.
The flowchart of TCSDReadLog and TCStopDelete is shown in Fig. 4; the steps are: obtain the names of the files to be protected from the Log.txt file; pass the file names to the anti-modification function; in kernel mode open and hold each file in shared-read mode; when the disk is unmounted, close the handles of the held files.
When administrator mode is exited, the following judgment is made: if a backup is requested, the switch /i is appended to the exit command and a backup operation is carried out on all files provided by the function TCDRReadLog; if recovery is requested, the switch /r is appended to the exit command and a recovery operation is carried out on all files provided by the function TCDRReadLog; if it exits normally, the disk is simply unmounted.
The function FormatVolume performs the encryption of the Volume Header and at the same time produces the AES encryption key. In the function MountVolume, if the password entered by the user is correct, the Volume Header is first decrypted to obtain the key, whose role is to encrypt or decrypt every read and write operation on the disk.
When the disk is unmounted, the custom dismount command is intercepted in the I/O request, and from the parameter that follows it the program judges whether the exit requires backup, recovery or a normal exit, and executes the corresponding branch in the function TCDRReadLog. The flowchart of TCDRReadLog is shown in Fig. 5; the steps are: take the unmount parameter entered in administrator mode; if backup, obtain the file names for backup or recovery from DRLog.txt, perform a file-level backup, store the backups as hidden files that the user cannot modify, and complete the disk unmount; if recovery, obtain the file names for backup or recovery from DRLog.txt, perform a file-level recovery (the backups being stored as hidden files that the user cannot modify), and complete the disk unmount.
After the file has been mounted as a disk, the function TCSDReadLog is called to parse the file names in Log.txt; the names obtained are passed to the TCStopDelete function, which in kernel mode opens and holds each received file in shared-read mode, thereby preventing important files from being modified. When the disk is unmounted, the handles of all held files are released.
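The administrator-mode exit logic of Step 5 and of the TCDRReadLog description above, as an added Go example that is not the patent's own code. It parses the /i and /r switches on the unmount command, reads DRLog.txt, and performs file-level backup or recovery. It assumes a directory standing in for the mounted disk X and a leading dot plus read-only permissions standing in for the Windows hidden attribute; the names `parseExitMode`, `readLog`, `backupName` and `unmountAdmin` are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// exitMode is the choice made by the trailing switch on the administrator's unmount command.
type exitMode int

const (
	exitNormal  exitMode = iota // no switch: just unmount
	exitBackup                  // "/i": back up every file listed in DRLog.txt
	exitRecover                 // "/r": restore every file listed in DRLog.txt
)

// parseExitMode reads the switch that follows the unmount command, as TCDRReadLog does.
func parseExitMode(args []string) (exitMode, error) {
	if len(args) == 0 {
		return exitNormal, nil
	}
	switch strings.ToLower(args[len(args)-1]) {
	case "/i":
		return exitBackup, nil
	case "/r":
		return exitRecover, nil
	}
	return exitNormal, fmt.Errorf("unknown unmount switch %q", args[len(args)-1])
}

// readLog returns the file names listed one per line in Log.txt or DRLog.txt on disk X.
// Blank lines are skipped; an entry that is not a bare file name is rejected (defensive
// addition) so a list entry cannot point outside the mounted disk.
func readLog(diskRoot, logName string) ([]string, error) {
	f, err := os.Open(filepath.Join(diskRoot, logName))
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var names []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		name := strings.TrimSpace(sc.Text())
		if name == "" {
			continue
		}
		if name != filepath.Base(name) {
			return nil, fmt.Errorf("%s: entry %q is not a plain file name", logName, name)
		}
		names = append(names, name)
	}
	return names, sc.Err()
}

// backupName is the hidden copy kept beside the file: a leading dot plus read-only
// permissions stand in for the Windows hidden attribute the page describes (assumption).
func backupName(diskRoot, name string) string {
	return filepath.Join(diskRoot, "."+name+".bak")
}

// unmountAdmin runs the administrator-mode exit: back up, recover, or do nothing before
// the caller unmounts. Copies are whole files (file-level backup, as the page states).
func unmountAdmin(diskRoot string, mode exitMode) error {
	if mode == exitNormal {
		return nil
	}
	names, err := readLog(diskRoot, "DRLog.txt")
	if err != nil {
		return err
	}
	for _, name := range names {
		src, dst := filepath.Join(diskRoot, name), backupName(diskRoot, name)
		perm := os.FileMode(0o600)
		if mode == exitRecover {
			src, dst = dst, src // copy the hidden backup back over the user's file
		} else {
			perm = 0o400         // the backup copy is not writable by the user
			os.Chmod(dst, 0o600) // allow an earlier backup to be overwritten
		}
		data, err := os.ReadFile(src)
		if err != nil {
			return err
		}
		if err := os.WriteFile(dst, data, perm); err != nil {
			return err
		}
		os.Chmod(dst, perm)
	}
	return nil
}
```

The bare-file-name check in readLog is not mentioned on the page: DRLog.txt lives on the mounted disk and is writable by whoever mounts it, so without that check an entry such as ../etc/passwd would make the backup step copy a file from outside disk X into it.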

Claims (6)

1. A disk encryption and recovery method based on a single-file system, characterized by comprising the following steps:
- formatting a single file whose name is specified by the user, and at the same time setting the size of the file and the login password for entering the disk once the file is mounted as a disk;
- mounting the formatted file as a local disk of the computer system, with a drive letter specified by the user, and providing it to the user for use;
- during the user's use, decrypting or encrypting the read and write operations on the disk;
- unmounting the mounted disk.
2. The disk encryption and recovery method based on a single-file system according to claim 1, characterized in that the step of mounting the file as a local disk of the computer comprises:
- determining the user's usage mode and executing the corresponding commands according to that mode;
if the user mounts the file as a disk in administrator mode, the user can add a Log.txt file to the mounted disk, which provides the names of the read-only files, and at the same time add a DRLog.txt file, which provides the names of the files that need backup and recovery; the files listed in Log.txt and DRLog.txt are added to the mounted disk, together with the files that may be used freely in user mode and need neither backup nor restoration;
if the user mounts the file as a disk in user mode, the files on the disk whose names are given in Log.txt can only be read in user mode; the other files on the disk can be operated on arbitrarily in user mode.
3. The disk encryption and recovery method based on a single-file system according to claim 1, characterized in that the step of decrypting or encrypting the read and write operations on the disk comprises: every read operation on the disk is decrypted in units of data blocks, and every write operation on the disk is encrypted in units of data blocks.
4. The disk encryption and recovery method based on a single-file system according to claim 1, characterized in that the step of unmounting the mounted disk specifically comprises: determining whether the files listed in DRLog.txt need to be backed up and, if so, exiting in backup mode from the command line; if no backup is needed, determining whether the files listed in DRLog.txt need to be recovered and, if so, exiting in recovery mode from the command line; if the files in DRLog.txt need no recovery either, exiting in the normal way.
5. The disk encryption and recovery method based on a single-file system according to claim 4, characterized in that in the backup mode, when administrator mode is exited, the system backs up the files listed in DRLog.txt, stores the backups in the form of hidden files, and then performs the disk unmount operation.
6. The disk encryption and recovery method based on a single-file system according to claim 4, characterized in that in the recovery mode, when administrator mode is exited, the system recovers the files listed in DRLog.txt and then performs the disk unmount operation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810056742 CN101295342A (en) 2008-01-24 2008-01-24 Magnetic disk enciphering and recovery method based on single file system

Publications (1)

Publication Number Publication Date
CN101295342A true CN101295342A (en) 2008-10-29

Family

ID=40065622

Country Status (1)

Country Link
CN (1) CN101295342A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110008724A (en) * 2019-03-29 2019-07-12 记忆科技(深圳)有限公司 Solid-state hard disk controller method for secure loading, device and storage medium
CN110008724B (en) * 2019-03-29 2023-03-21 记忆科技(深圳)有限公司 Solid state hard disk controller safe loading method and device and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081029