CN102508791B - Method and device for encrypting hard disk partition - Google Patents
Method and device for encrypting hard disk partition Download PDFInfo
- Publication number
- CN102508791B CN102508791B CN201110300195.8A CN201110300195A CN102508791B CN 102508791 B CN102508791 B CN 102508791B CN 201110300195 A CN201110300195 A CN 201110300195A CN 102508791 B CN102508791 B CN 102508791B
- Authority
- CN
- China
- Prior art keywords
- user
- usbkey
- encryption key
- encryption
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to the field of computers and discloses a method and device for encrypting a hard disk partition. The method and the device are used for preventing data leakage of a hard disk and increasing data safety of the hard disk. The method comprises the following steps: when a starting process of an operation system on a user terminal is triggered, after being subjected to USBKEY authentication, an encryption key can be guided into the operation system to be stored temporarily according to a pre-set safety transmission mechanism; after obtaining the encryption key, the user terminal takes an appointed hard disk partition as an encryption partition to mount; and read-write operation of the encryption partition is encrypted and decrypted according to the obtained encryption key, therefore, data dynamic read-write encryption and decryption are realized in a driving layer; by means of driving of an independent file system, hook hijacking of the original file system of the operation system by a third party is stopped, so that the data safety is effectively increased; furthermore, mounting of the encryption partition and seamless integration of the starting process of the operation system are realized, and the execution efficiency of a hard disk encryption process is increased.
Description
Technical field
The present invention relates to computer realm, particularly a kind of method that fdisk is encrypted and device.
Background technology
Along with the range of application of computer technology is increasingly extensive, how assuring data security also becomes the problem that user is concerned about the most.In order to make data security be guaranteed, encryption technology is usually used to be encrypted the Miscellaneous Documents data stored.
At present, normally used encryption technology mainly comprises file ciphering technology and disk encryption technology two kinds.
First, first present document encryption technology.So-called file ciphering technology, its core realizes control extension based on application process, has the following advantages:
1, dispose simply, do not need to change user operation habits, also do not need the applied environment changing user;
2, technology is simple, only relates to process file corresponding technology, the interim redirecting technique of file and upper strata Hook technology;
3, simple to operate, be easily absorbed on a cognitive level by the user than being easier to and accepting.
But, the realization of file ciphering technology is mainly based on the incidence relation of application program and file, and security system and application program closely related, for application complex environment (such as, make design and Software for Design industry), the non-constant of deployable of security system, usually the security system of such Intranet is caused to need to re-start secondary development because user applies too complexity, the upgrading of application program or the increase of application, thus bring restriction and unstable hidden danger greatly to user environment, and then affect the security of file ciphering technology.Further, because file ciphering technology have employed the interim redirecting technique of file, therefore, temporal cache file can be produced, and temporal cache file is exist with plaintext state in a hard disk, this is easy to victim and uses disclosed file monitoring instrument to get, and causes the inefficacy of file encryption mechanism by copying this temporal cache file; Further, use temporal cache file, being equivalent to file will repeat twice read-write operation in a hard disk, this can cause the obvious decline of system service efficiency, (e.g., declining 50%), when being especially encrypted for mass file, more obvious on the impact of system service efficiency.On the other hand, owing to have employed numerous Hook technology in application program, be thus easy to cause the conflict with the software such as anti-virus, cause system unstable, affect the normal use of user, while Hook technology also easily cause use system service efficiency to decline.
Next, then introduce disk encryption technology.So-called disk encryption technology, its core is by being encrypted the sector magnetic track etc. making disk, then and to encryption disk reads and writes, has the following advantages:
1, have nothing to do with application program, can the applied environment of compatible various complexity, the upgrading of support application program and change, without the need to carrying out product-level secondary development for embody rule program, stability and availability are protected.
2, owing to not adopting the interim redirecting technique of file, thus file read-write number of times can not increase, and the system service efficiency of ensure that can not obviously decline.
But; because disk encryption technology is only protected for specific file storage area; lack the judgement to the privacy attribute of file own; therefore there is following shortcoming: adopt disk encryption technology to need to carry out condition restriction to the storage area of file, therefore must need to adapt to disk encryption technology to environment for use adjustment.Further, single disk encryption technology cannot prevent from being divulged a secret behavior by the file of network and other approach, and develops corresponding network security product to integrated network control technology, then development difficulty is large, the cycle is long.On the other hand, in current disk encryption technology, there is no complete key management mechanism, once occur that key to forget etc. situation not having effective recovery ways.
Summary of the invention
The embodiment of the present invention provides a kind of method of being encrypted fdisk and device, for preventing hard disc data from revealing, improves the security of hard disc data.
The concrete technical scheme that the embodiment of the present invention provides is as follows:
To the method that fdisk is encrypted, comprising:
When os starting flow process is triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user;
Confirm that user is by after described USBKEY authentication, obtains the encryption key being used for HD encryption from described USBKEY based on the secure transfer protocol preset;
Carry is carried out as encrypted partition in the fdisk of specifying;
Adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition.
A kind of key management method, comprising:
When os starting flow process is on the subscriber terminal triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user;
Confirm that user is by after described USBKEY authentication, based on the secure transfer protocol preset, the encryption key that this locality is preset is mail to described user terminal, described user terminal is made to carry out carry in the fdisk of will specify as encrypted partition, and adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition.
To the device that fdisk is encrypted, comprising:
Log in and resource management module, for when os starting flow process is triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user;
Carry module, for confirming that user is by after described USBKEY authentication, obtaining the encryption key being used for HD encryption, and carry is carried out as encrypted partition in the fdisk of specifying from described USBKEY based on the secure transfer protocol preset;
File system driving module, for adopting described encryption key, carries out encryption and decryption to the read-write operation performed in described encrypted partition.
A kind of key management apparatus, comprising:
Password authentication module, when being triggered for os starting flow process on the subscriber terminal, according to the account password information of user's input, carries out USBKEY authentication to this user;
Key management module, for after confirmation user is by described USBKEY authentication, based on the secure transfer protocol preset, the encryption key that this locality is preset is mail to described user terminal, described user terminal is made to carry out carry in the fdisk of will specify as encrypted partition, and adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition.
To the system that fdisk is encrypted, comprising:
USBKEY, for after confirmation user passes through USBKEY authentication, is sent to user terminal based on the secure transfer protocol preset by the encryption key being used for HD encryption;
User terminal, for when os starting flow process is triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user, and after confirmation user is by described USBKEY authentication, from described USBKEY, obtains described encryption key based on the secure transfer protocol preset, and carry is carried out as encrypted partition in the fdisk of specifying, and adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition.
In sum, in the embodiment of the present invention, implement encryption and decryption technology based on operating system drive layer Technique dynamic, realize carry to hard disc data, unloading and encryption and decryption read-write by file system driver, thus ensure the real-time encrypted of data in magnetic disk and decryption oprerations.Be specially: when the os starting flow process on user terminal is triggered, after have passed through USBKEY authentication, encryption key just can according to the secure transport mechanism preset, import in operating system safe and punctually and temporarily preserve, and after acquisition encryption key, carry is just carried out as encrypted partition in the fdisk of specifying by user terminal, and carries out encryption and decryption operation according to the encryption key obtained to the read-write operation of this encrypted partition.Like this, just the dynamic read/write encryption and decryption to data is achieved at driving layer, stop third party by independently file system driver to kidnap the hook of operating system existing file system, effectively improve data security, and achieve the carry of encrypted partition and the Seamless integration-of os starting flow process, save the execution efficiency of HD encryption flow process, meet to routine use custom, the extra stand-by period can not be brought to user.
Accompanying drawing explanation
Fig. 1 is that in the embodiment of the present invention, user terminal is encrypted process flow diagram to fdisk;
Fig. 2 is user terminal illustrative view of functional configuration in the embodiment of the present invention;
Fig. 3 is USBKEY illustrative view of functional configuration in the embodiment of the present invention.
Embodiment
Reveal to prevent hard disc data, improve data security, in the embodiment of the present invention, devise a kind of method that fdisk is encrypted completely newly, be specially: in the process of os starting, before each fdisk of system carry, according to the account password information of user's input, USBKEY authentication is carried out to this user, confirm that user is by after this USBKEY authentication, default encryption key is obtained from USBKEY, and carry is carried out as encrypted partition in the fdisk of specifying, then, adopt the encryption key obtained, encryption and decryption is carried out to the read-write operation performed in above-mentioned encrypted partition.
Like this, in the dynamic read/write encryption and decryption of system drive layer realization to data, thus effectively data security can be improve.
Preferably, the embodiment of the present invention is applicable to Windows operating system, and the operating system of other types also can improve the encryption and decryption of rear realization to fdisk based on thought of the present invention to the embodiment of the present invention, does not repeat them here.
Below in conjunction with accompanying drawing, the preferred embodiment of the present invention is described in detail.
Consult shown in Fig. 1, in the embodiment of the present invention, the detailed process that user terminal is encrypted fdisk is as follows:
Step 100: user terminal, when os starting flow process is triggered, according to the account password information of user's input, carries out USBKEY authentication to this user.
In the embodiment of the present invention, preferably, after USBKEY can be inserted the USB interface of user terminal by user, restart user terminal is with the startup of trigger action system; And after os starting flow process is triggered, user terminal first can carry out operating system login authentication according to the username and password of user's input to user, after logining successfully, perform the USBKEY authentication flow process recorded in step 200 again, or, also can first according to user input account password information carry out USBKEY authentication, to be verified pass through after, the system login that redos certification.
Further, preferably, in order to save the running time of user, the account password information used when the username and password inputted during user login operation system and user can be carried out USBKEY authentication is set to identical content, like this, user only needs input username and password namely can complete the login of USBKEY authentication and operating system, thus effectively improves system service efficiency.
On the other hand, the account password information that user terminal inputs according to user, when USBKEY authentication is carried out to this user, USBKEY authentication can be carried out in this locality according to the account password information of user's input, also the account password information that user inputs can be mail to USBKEY and carry out USBKEY authentication, and be verified according to the feedback acknowledgment of USBKEY.
Step 110: user terminal confirms that user is by after USBKEY authentication, obtains the encryption key being used for HD encryption from USBKEY based on the secure transfer protocol preset.
In the embodiment of the present invention, the concrete executive mode of step 110 is as follows:
Steps A: user terminal receives the transmission security key ciphertext transmitted from USBKEY, and according to the mode of arranging with USBKEY, this transmission security key ciphertext is decrypted, obtain corresponding transmission security key.
Step B: user terminal receives the encryption key ciphertext transmitted from USBKEY, and according to the transmission security key obtained, this encryption key ciphertext is decrypted, obtain corresponding encryption key.
Such as, suppose that a pair initial transmission key of USBKEY and user terminal being arranged is called key A and key B, then USBKEY generates corresponding first transmission security key based on key A, be called key A 1, then, the encryption key (being called key X) that USBKEY adopts key A 1 to pre-set this locality is encrypted, generate encryption key ciphertext x1 and corresponding identifying code x11 (identifying code x11 is generated through encryption by key X, encryption key ciphertext x1 and key A 1, and concrete mode does not repeat them here); Then, USBKEY adopts key A to be encrypted key A 1, generating transmission key ciphertext a1 and corresponding identifying code a11 (identifying code a11 is generated through encryption by key A 1, transmission security key ciphertext a1 and key A, and concrete mode does not repeat them here);
User terminal reads its transmission security key ciphertext a1 generated and identifying code a11 from USBKEY, and after confirming that the identity of USBKEY is legal according to identifying code a11, adopts the key B arranged with USBKEY to be decrypted transmission security key ciphertext a1, thus obtain key A 1; Connect, user terminal reads its encryption key ciphertext x1 generated and identifying code x11 from USBKEY, and after confirming that the identity of USBKEY is legal according to identifying code x11, adopts acquired key A 1 couple of encryption key ciphertext a1 to be decrypted, thus obtains key X.
Certainly, if operating system starts again, then when second time is encrypted secret key safety transmission, USBKEY can adopt the second transmission security key A2 (key A 2) generated based on initial transmission key A to be encrypted encryption key X, and adopt initial transmission key A or last key A 1 pair of key A 2 used to be encrypted, to complete the safe transmission of encryption key, by that analogy, follow-up flow process to be all encrypted encryption key according to this kind of method and to transmit, and will repeat no more.
Visible, in the present embodiment, user terminal adopts the mode of two encryption to realize the safe transmission (transmission security key that namely encryption key is encrypted by transmission security key, transmission security key is made by initial transmission key or last time is encrypted) of encryption key, thus effectively prevent the leakage of encryption key, further increase data security.
On the other hand, the encryption key preset in USBKEY, can adopt discrete logarithm to generate based on a random number (e.g., the identification number of user terminal) by USBKEY in advance; And the account password information verified when carrying out USBKEY identity can by user's regular update.
Step 120: carry is carried out as encrypted partition in the fdisk of specifying by user terminal.
If the username and password that user will use during register system, identical content is set to the account password information used when carrying out USBKEY authentication, then before execution step 120, before can being specifically execution step 100, also can be to perform after step 100 and before performing step 110, can also be to perform after step 110 and before performing step 120, user terminal can according to the account password information register system of user's input, thus when performing step 120, user terminal can start to carry out the carry of fdisk and the loading of other system resource.
When performing step 120, at least one fdisk of specifying is designated as encrypted partition by user terminal, and distributes corresponding drive for it, and the drive of distribution is mapped to explorer carry out registration preserve, the number of encrypted partition can be one or more, is specifically arranged by user.
Then, carry can be carried out as common subregion in other non-designated fdisks by user terminal, for it distributes corresponding drive, and each drive is mapped to explorer carry out registration preserve, do not repeat them here.
After the carry of each fdisk, user terminal can continue to load each class method required during os starting, with the Booting sequence of complete operation system.
Step 130: user terminal adopts the encryption key obtained, and carries out encryption and decryption to the read-write operation performed in above-mentioned encrypted partition.
In the present embodiment, user terminal both can be after execution step 120, in the process of each class method required when load operation system starts, adopted the encryption key obtained, carried out encryption and decryption to the read-write operation performed in above-mentioned encrypted partition; Also can be, according to the associative operation of user, adopt the encryption key obtained, encryption and decryption is carried out to the read-write operation performed in above-mentioned encrypted partition after os starting completes.Be specially: for the write operation performed in above-mentioned encrypted partition, adopt described encryption key to be encrypted, and for the read operation performed in above-mentioned encrypted partition, adopt described encryption key to be decrypted.
On the other hand, based on above-described embodiment, when user terminal detect that USBKEY is pulled out, the account password information authentication failed number of times of user reaches setting threshold value (as, 10 times), when user indicates logoff operation system account, user indicates any one or the multiple combination in shutdown etc. fortuitous event, encrypted partition is needed to unload, as, the drive of encrypted partition is deleted from explorer, to ensure the data security of encrypted partition.
Wherein, when the account password information authentication failed number of times of user reaches setting threshold value, if USBKEY verification operation is completed by user terminal, then user terminal also needs to indicate above-mentioned USBKEY to be locked its this locality, if and USBKEY verification operation is completed by USBKEY, then this locality directly locks by USBKEY, and lock operation is specially: USBKEY needs the encryption key of primary one-tenth to delete, and stops the production and transfer of encryption key; Until after user performs legal unlocking operation, USBKEY generates new encryption key according to predetermined manner again, e.g., discrete logarithm is adopted to generate corresponding encryption key based on user terminal machine numbering.
Based on above-described embodiment, in the security system that the embodiment of the present invention provides, user terminal needs the encryption key provided based on USBKEY to be encrypted fdisk, is specially:
Consult shown in Fig. 2, at least comprise login and resource management module 20 and carry module 21 and file system driving module 22 in user terminal, wherein
Log in and resource management module 20, for when os starting flow process is triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user;
Be specially: the account password information according to user's input carries out USBKEY authentication in this locality; Or, the account password information that user inputs is mail to USBKEY and carries out USBKEY authentication.
Carry module 21, after confirming that user passes through USBKEY authentication, obtains the encryption key being used for HD encryption, and carry is carried out as encrypted partition in the fdisk of specifying from USBKEY based on the secure transfer protocol preset;
Wherein, when obtaining encryption key, load-on module 21 first receives the transmission security key ciphertext that USBKEY sends, and according to the mode of arranging with USBKEY, transmission security key ciphertext is decrypted, obtain transmission security key, receive the encryption key ciphertext that USBKEY sends again, and according to transmission security key, encryption key ciphertext is decrypted, obtain corresponding encryption key.
File system driving module 22, for adopting the encryption key of acquisition, carries out encryption and decryption to the read-write operation performed in above-mentioned encrypted partition;
Be specially: for the write operation performed in above-mentioned encrypted partition, adopt the encryption key obtained to be encrypted, and for the read operation performed in above-mentioned encrypted partition, adopt the encryption key obtained to be decrypted.
On the other hand, in carry module 21 using the fdisk of specifying as before carry is carried out in encrypted partition, to log in and resource management module 20 according to the account password information of user's input, can also carry out operating system login authentication to user; And carry module 21 using the fdisk of specifying as after carry is carried out in encrypted partition, to log in and resource management module 20 can also load each class method required during os starting, with complete operation system Booting sequence.And login and resource management module 20 determine that user is by after USBKEY authentication, can load file system driving module 22, like this, carry is carried out in the fdisk of specifying by carry module 21 during as encrypted partition, file system driving module 22 can be passed through, the fdisk of at least one of specifying is designated as encrypted partition, and distributes corresponding drive for it, and the drive of distribution is mapped to explorer carry out registration preserve.
As shown in Figure 2, be provided with Unload module 23 further in the user terminal, for detecting that USBKEY is pulled out, the account password information authentication failed number of times of user reaches setting threshold value, user indicates logoff operation system account and user to indicate in this several situation of shutdown any one or multiple combination time, the encrypted partition of carry is unloaded; Wherein, if detect, the account password information authentication failed number of times of user reaches setting threshold value, then Unload module 23 also needs while unloading encrypted partition, and instruction USBKEY locks.
As shown in Figure 2, login and resource management module 20, carry module 21 and Unload module 23 as an independently application function existence in user terminal, in order to realize the partition management of hard disk, can be combined and be called fdisk administrative unit.
File system driving module 22 then also can be considered as an independently application function existence in user terminal, in order to realize the file driving of operating system, e.g., and the encryption and decryption driving layer just to carry out transmitting data to the encrypted partition in hard disk with dynamic-form.
Consult shown in Fig. 3, in the embodiment of the present invention, in USBKEY, at least comprise password authentication module 30 and key management module 31, wherein,
Password authentication module 30, when being triggered for os starting flow process on the subscriber terminal, according to the account password information of user's input, carries out USBKEY authentication to this user;
Key management module 31, for after confirmation user passes through USBKEY authentication, based on the secure transfer protocol preset, the encryption key that this locality is preset is mail to user terminal, user terminal is made to carry out carry in the fdisk of will specify as encrypted partition, and adopt the encryption key obtained, encryption and decryption is carried out to the read-write operation performed in above-mentioned encrypted partition.
Wherein, in the account password information that password authentication module 30 inputs according to user, before USBKEY authentication is carried out to this user, key management module 31 first generates the encryption key for carrying out HD encryption according to predetermined manner, and adopt the local transmission security key generated to be encrypted described encryption key, generate corresponding encryption key ciphertext, and to adopt and the user terminal mode of arranging is encrypted described transmission security key, generate corresponding transmission security key ciphertext; And key management module 31 based on preset secure transfer protocol by this locality preset encryption key mail to user terminal time, first the transmission security key ciphertext of generation is mail to user terminal, make user terminal adopt be decrypted transmission security key ciphertext with local mode of arranging, to obtain corresponding transmission security key, again the encryption key ciphertext of generation is mail to user terminal, user terminal is made to adopt the transmission security key deciphered to be decrypted encryption key ciphertext, to obtain corresponding encryption key.
As shown in Figure 3, in USBKEY, comprise locking unlocked state 32 further, for when detecting that the account password information authentication failed number of times of user reaches setting threshold value, this locality is locked, and when determining that user performs legal unlocking operation, instruction key module plumber block 31 regenerates corresponding encryption key according to predetermined manner.Certainly, locking unlocked state 32 can also adjust the safe class of USBKEY according to applied environment, carry out USBKEY authentication to indicate password authentication module 30 the need of to user.
In sum, in the embodiment of the present invention, implement encryption and decryption technology based on operating system drive layer Technique dynamic, realize carry to hard disc data, unloading and encryption and decryption read-write by file system driver, thus ensure the real-time encrypted of data in magnetic disk and decryption oprerations.Be specially: when the os starting flow process on user terminal is triggered, after have passed through USBKEY authentication, encryption key just can according to the secure transport mechanism preset, import in operating system safe and punctually and temporarily preserve, and after acquisition encryption key, carry is just carried out as encrypted partition in the fdisk of specifying by user terminal, and carries out encryption and decryption operation according to the encryption key obtained to the read-write operation of this encrypted partition.Like this, just the dynamic read/write encryption and decryption to data is achieved at driving layer, stop third party by independently file system driver to kidnap the hook of operating system existing file system, effectively improve data security, and achieve the carry of encrypted partition and the Seamless integration-of os starting flow process, save the execution efficiency of HD encryption flow process, meet to routine use custom, the extra stand-by period can not be brought to user.
Further, user terminal can also be extracted situation according to the insertion of USBKEY and drive the strategies such as the carry number of attempt of layer to select carry, unloading encrypted partition at any time, thus attack can be detected rapidly, implement the dynamic defence of effective landlord, obviously, this prevents the leakage of data further, enhances data security.And when user log off operating system account or shutdown, USBKEY can extract from user terminal, thus do not store any key information in user terminal, thoroughly prevent the possibility of hack encryption key,
Obviously, those skilled in the art can carry out various change and modification to the present invention and not depart from the spirit and scope of the present invention.Like this, if these amendments of the present invention and modification belong within the scope of the claims in the present invention and equivalent technologies thereof, then the present invention is also intended to comprise these change and modification.
Claims (23)
1. to the method that fdisk is encrypted, it is characterized in that, comprising:
When os starting flow process is triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user;
Confirm that user is by after described USBKEY authentication, obtains the encryption key being used for HD encryption from described USBKEY based on the secure transfer protocol preset;
Carry is carried out as encrypted partition in the fdisk of specifying, specifically comprises: at least one fdisk of specifying is designated as encrypted partition, and distribute corresponding drive for it, and the drive of distribution is mapped to explorer carry out registration preserve;
Adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition.
2. the method for claim 1, is characterized in that, the described account password information according to user's input, carries out USBKEY authentication, comprising this user:
Account password information according to user's input carries out USBKEY authentication in this locality; Or, the account password information that user inputs is mail to USBKEY and carries out USBKEY authentication.
3. the method for claim 1, is characterized in that, the described secure transfer protocol based on presetting obtains the encryption key being used for HD encryption from described USBKEY, comprising:
Receive the transmission security key ciphertext that described USBKEY sends, and according to the mode of arranging with described USBKEY, described transmission security key ciphertext is decrypted, obtain described transmission security key;
Receive the encryption key ciphertext that described USBKEY sends, and according to described transmission security key, described encryption key ciphertext is decrypted, obtain described encryption key.
4. the method for claim 1, is characterized in that, in the fdisk of will specify as before carry is carried out in encrypted partition, according to the account password information that described user inputs, carries out operating system login authentication to user; And in the fdisk of will specify as after carry is carried out in encrypted partition, each class method required during os starting is loaded, with complete operation system Booting sequence.
5. the method as described in any one of claim 1-4, it is characterized in that, adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition, comprise: for the write operation performed in described encrypted partition, adopt described encryption key to be encrypted, and for the read operation performed in described encrypted partition, adopt described encryption key to be decrypted.
6. the method as described in any one of claim 1-4, it is characterized in that, detecting that described USBKEY is pulled out, the account password information authentication failed number of times of user reaches setting threshold value, user indicates logoff operation system account and user to indicate in this several situation of shutdown any one or multiple combination time, described encrypted partition is unloaded.
7. method as claimed in claim 6, it is characterized in that, if detect, the account password information authentication failed number of times of user reaches setting threshold value, then while encrypted partition is unloaded, the described USBKEY of instruction locking.
8. a key management method, is characterized in that, comprising:
When os starting flow process is on the subscriber terminal triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user;
Confirm that user is by after described USBKEY authentication, based on the secure transfer protocol preset, the encryption key that this locality is preset is mail to described user terminal, make described user terminal that carry is carried out as encrypted partition in the fdisk of specifying, and adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition, wherein, carry is carried out as encrypted partition in the fdisk of specifying, specifically comprise: at least one fdisk of specifying is designated as encrypted partition, and distribute corresponding drive for it, and the drive of distribution mapped to explorer and carry out registration and preserve.
9. method as claimed in claim 8, is characterized in that, according to the account password information of user's input, before carrying out USBKEY authentication, comprising this user:
The encryption key for carrying out HD encryption is generated according to predetermined manner;
Adopt the local transmission security key generated to be encrypted described encryption key, generate corresponding encryption key ciphertext;
Adopt the mode of arranging with user terminal to be encrypted described transmission security key, generate corresponding transmission security key ciphertext.
10. method as claimed in claim 9, is characterized in that, based on the secure transfer protocol preset, the encryption key that this locality is preset is mail to described user terminal, comprising:
Described transmission security key ciphertext is mail to described user terminal, makes described user terminal adopt and described transmission security key ciphertext is decrypted, to obtain corresponding transmission security key with local mode of arranging;
Described encryption key ciphertext is mail to described user terminal, makes described user terminal adopt described transmission security key to be decrypted described encryption key ciphertext, to obtain corresponding encryption key.
11. methods as described in claim 8,9 or 10, it is characterized in that, when detecting that the account password information authentication failed number of times of user reaches setting threshold value, this locality is locked, and when determining that user performs legal unlocking operation, regenerate corresponding encryption key according to predetermined manner.
12. 1 kinds of devices be encrypted fdisk, is characterized in that, comprising:
Log in and resource management module, for when os starting flow process is triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user;
Carry module, for confirming that user is by after described USBKEY authentication, from described USBKEY, the encryption key being used for HD encryption is obtained based on the secure transfer protocol preset, and carry is carried out as encrypted partition in the fdisk of specifying, specifically comprise: pass through file system driving module, at least one fdisk of specifying is designated as encrypted partition, and distributes corresponding drive for it, and the drive of distribution is mapped to explorer carry out registration preserve;
File system driving module, for adopting described encryption key, carries out encryption and decryption to the read-write operation performed in described encrypted partition.
13. devices as claimed in claim 12, it is characterized in that, the account password information that described login and resource management module input according to user, when carrying out USBKEY authentication to this user, the account password information according to user's input carries out USBKEY authentication in this locality; Or, the account password information that user inputs is mail to USBKEY and carries out USBKEY authentication.
14. devices as claimed in claim 12, it is characterized in that, when described carry module obtains based on the secure transfer protocol preset the encryption key being used for HD encryption from described USBKEY, first receive the transmission security key ciphertext that described USBKEY sends, and according to the mode of arranging with described USBKEY, described transmission security key ciphertext is decrypted, obtain described transmission security key, receive the encryption key ciphertext that described USBKEY sends again, and according to described transmission security key, described encryption key ciphertext is decrypted, obtain described encryption key.
15. devices as claimed in claim 12, it is characterized in that, described carry module is in the fdisk of will specify as before carry is carried out in encrypted partition, and the account password information that described login and resource management module input according to described user, carries out operating system login authentication to user; And described carry module using the fdisk of specifying as after carry is carried out in encrypted partition, described login and resource management module load each class method required during os starting, with complete operation system Booting sequence.
16. devices as described in any one of claim 12-15, it is characterized in that, described file system driving module adopts described encryption key, when encryption and decryption is carried out to the read-write operation performed in described encrypted partition, for the write operation performed in described encrypted partition, adopt described encryption key to be encrypted, and for the read operation performed in described encrypted partition, adopt described encryption key to be decrypted.
17. devices as described in any one of claim 13-15, is characterized in that, comprise further:
Unload module, for detecting that described USBKEY is pulled out, the account password information authentication failed number of times of user reaches setting threshold value, user indicates logoff operation system account and user to indicate in this several situation of shutdown any one or multiple combination time, described encrypted partition is unloaded.
18. devices as claimed in claim 17, is characterized in that, if detect, the account password information authentication failed number of times of user reaches setting threshold value, then described Unload module is while unloading encrypted partition, the described USBKEY of instruction locking.
19. 1 kinds of key management apparatus, is characterized in that, comprising:
Password authentication module, when being triggered for os starting flow process on the subscriber terminal, according to the account password information of user's input, carries out USBKEY authentication to this user;
Key management module, for after confirmation user is by described USBKEY authentication, based on the secure transfer protocol preset, the encryption key that this locality is preset is mail to described user terminal, make described user terminal that carry is carried out as encrypted partition in the fdisk of specifying, and adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition, wherein, carry is carried out as encrypted partition in the fdisk of specifying, specifically comprise: at least one fdisk of specifying is designated as encrypted partition, and distribute corresponding drive for it, and the drive of distribution mapped to explorer and carry out registration and preserve.
20. devices as claimed in claim 19, it is characterized in that, in the account password information that described password authentication module inputs according to user, before USBKEY authentication is carried out to this user, described key management module generates the encryption key for carrying out HD encryption according to predetermined manner, and adopt the local transmission security key generated to be encrypted described encryption key, generate corresponding encryption key ciphertext, and to adopt and the user terminal mode of arranging is encrypted described transmission security key, generate corresponding transmission security key ciphertext.
21. devices as claimed in claim 19, it is characterized in that, when the encryption key that this locality is preset is mail to described user terminal based on the secure transfer protocol preset by described key management module, first described transmission security key ciphertext is mail to described user terminal, make described user terminal adopt be decrypted described transmission security key ciphertext with local mode of arranging, to obtain corresponding transmission security key, again described encryption key ciphertext is mail to described user terminal, described user terminal is made to adopt described transmission security key to be decrypted described encryption key ciphertext, to obtain corresponding encryption key.
22. devices as described in claim 19,20 or 21, is characterized in that, comprise further:
Locking unlocked state, for when detecting that the account password information authentication failed number of times of user reaches setting threshold value, this locality is locked, and when determining that user performs legal unlocking operation, indicates described key module plumber block to regenerate corresponding encryption key according to predetermined manner.
23. 1 kinds of systems be encrypted fdisk, is characterized in that, comprising:
USBKEY, for after confirmation user passes through USBKEY authentication, is sent to user terminal based on the secure transfer protocol preset by the encryption key being used for HD encryption;
User terminal, for when os starting flow process is triggered, according to the account password information of user's input, USBKEY authentication is carried out to this user, and after confirmation user is by described USBKEY authentication, from described USBKEY, described encryption key is obtained based on the secure transfer protocol preset, and carry is carried out as encrypted partition in the fdisk of specifying, and adopt described encryption key, encryption and decryption is carried out to the read-write operation performed in described encrypted partition, wherein, carry is carried out as encrypted partition in the fdisk of specifying, specifically comprise: at least one fdisk of specifying is designated as encrypted partition, and distribute corresponding drive for it, and the drive of distribution mapped to explorer and carry out registration and preserve.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110300195.8A CN102508791B (en) | 2011-09-28 | 2011-09-28 | Method and device for encrypting hard disk partition |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110300195.8A CN102508791B (en) | 2011-09-28 | 2011-09-28 | Method and device for encrypting hard disk partition |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102508791A CN102508791A (en) | 2012-06-20 |
| CN102508791B true CN102508791B (en) | 2015-05-13 |
Family
ID=46220882
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110300195.8A Expired - Fee Related CN102508791B (en) | 2011-09-28 | 2011-09-28 | Method and device for encrypting hard disk partition |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102508791B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110221990B (en) * | 2019-04-26 | 2021-10-08 | 奇安信科技集团股份有限公司 | Data storage method and device, storage medium and computer equipment |
Families Citing this family (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103198263B (en) * | 2012-10-26 | 2016-07-06 | 高榕科技(深圳)有限公司 | By the method that the peripheral hardware key of personal computer sets up enciphering/deciphering memory space |
| CN104217166A (en) * | 2013-05-30 | 2014-12-17 | 鈊象电子股份有限公司 | System execution environment verification method |
| CN103294969B (en) * | 2013-06-21 | 2016-09-14 | 福建伊时代信息科技股份有限公司 | File system mounted method and device |
| CN103944721A (en) * | 2014-04-14 | 2014-07-23 | 天津艾宝卓越科技有限公司 | Method and device for protecting terminal data security on basis of web |
| CN105095701A (en) * | 2014-05-06 | 2015-11-25 | 黄熙镜 | User authentication method and device and terminal equipment |
| CN104346556A (en) * | 2014-09-26 | 2015-02-11 | 中国航天科工集团第二研究院七〇六所 | Hard disk security protection system based on wireless security certification |
| US9805199B2 (en) * | 2015-03-12 | 2017-10-31 | International Business Machines Corporation | Securely booting a computer from a user trusted device |
| CN104951409B (en) * | 2015-06-12 | 2019-03-08 | 中国科学院信息工程研究所 | A kind of hardware based full disk encryption system and encryption method |
| CN105406963B (en) * | 2015-12-09 | 2019-02-15 | 中国联合网络通信集团有限公司 | Encryption method, encryption device and the decryption method of user account, decryption device |
| CN106911467A (en) * | 2015-12-23 | 2017-06-30 | 北京握奇智能科技有限公司 | A kind of data confidentiality storage and the method for transmission |
| CN105760789A (en) * | 2016-02-19 | 2016-07-13 | 山东超越数控电子有限公司 | Protection method for encryption key in encrypted mobile solid-state disk |
| CN106845261A (en) * | 2017-04-18 | 2017-06-13 | 广东浪潮大数据研究有限公司 | A kind of method and device of destruction SSD hard disc datas |
| TWI644229B (en) * | 2017-05-04 | 2018-12-11 | 慧榮科技股份有限公司 | Data center with data encryption and operating method thererfor |
| CN107315945B (en) * | 2017-07-11 | 2019-08-23 | 北京梆梆安全科技有限公司 | The disk decryption method and device of a kind of electronic equipment |
| CN109840435A (en) * | 2017-11-27 | 2019-06-04 | 深圳市朗科科技股份有限公司 | A kind of data guard method storing equipment |
| CN108171086B (en) * | 2017-12-26 | 2021-08-10 | 普华基础软件股份有限公司 | Hard disk partition encryption method based on hardware encryption card |
| CN109583242A (en) * | 2018-11-22 | 2019-04-05 | 郑州云海信息技术有限公司 | The method and system that fdisk encrypts under a kind of K-UX system |
| CN109977663A (en) * | 2019-03-14 | 2019-07-05 | 四川长虹电器股份有限公司 | The method for preventing Android intelligent terminal equipment from proposing power by malice root |
| CN110581764A (en) * | 2019-09-16 | 2019-12-17 | 杭州华澜微电子股份有限公司 | hard disk partition encryption and decryption system, method and device |
| CN111737771A (en) * | 2020-06-17 | 2020-10-02 | 山东大学 | Supervision place police service terminal system based on Android dual-system trusted operation framework |
| CN112035885B (en) * | 2020-08-26 | 2023-03-28 | 山谷网安科技股份有限公司 | Transparent encryption and decryption file driving method based on minifilter and usbkey |
| CN112131550B (en) * | 2020-09-30 | 2024-05-10 | 深圳软牛科技有限公司 | Windows system unlocking method and device, electronic equipment and computer readable medium |
| CN112560058B (en) * | 2020-12-17 | 2022-12-30 | 山东华芯半导体有限公司 | SSD partition encryption storage system based on intelligent password key and implementation method thereof |
| CN113938278B (en) * | 2021-10-25 | 2024-03-15 | 北京计算机技术及应用研究所 | Key management and protection method for encrypted hard disk |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1725196A (en) * | 2005-06-06 | 2006-01-25 | 付爱香 | Enciphered protection and read write control method for computer data |
| CN101408916A (en) * | 2008-08-27 | 2009-04-15 | 上海第二工业大学 | Internet software internet privacy protection method |
| CN101562040A (en) * | 2008-04-15 | 2009-10-21 | 航天信息股份有限公司 | High-security mobile memory and data processing method thereof |
| CN101788959A (en) * | 2010-02-03 | 2010-07-28 | 武汉固捷联讯科技有限公司 | Solid state hard disk secure encryption system |
-
2011
- 2011-09-28 CN CN201110300195.8A patent/CN102508791B/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1725196A (en) * | 2005-06-06 | 2006-01-25 | 付爱香 | Enciphered protection and read write control method for computer data |
| CN101562040A (en) * | 2008-04-15 | 2009-10-21 | 航天信息股份有限公司 | High-security mobile memory and data processing method thereof |
| CN101408916A (en) * | 2008-08-27 | 2009-04-15 | 上海第二工业大学 | Internet software internet privacy protection method |
| CN101788959A (en) * | 2010-02-03 | 2010-07-28 | 武汉固捷联讯科技有限公司 | Solid state hard disk secure encryption system |
Non-Patent Citations (1)
| Title |
|---|
| 基于USBKey的可信安全增强系统的研究与实现;阮洪升;《万方学位论文数据库》;20110920;第33-35页、第47-51页 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110221990B (en) * | 2019-04-26 | 2021-10-08 | 奇安信科技集团股份有限公司 | Data storage method and device, storage medium and computer equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102508791A (en) | 2012-06-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102508791B (en) | Method and device for encrypting hard disk partition | |
| US20210344669A1 (en) | Secure authorization systems and methods | |
| US11784823B2 (en) | Object signing within a cloud-based architecture | |
| US20190050598A1 (en) | Secure data storage | |
| US8103883B2 (en) | Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption | |
| CN112042151B (en) | Secure distribution of secret keys using monotonic counters | |
| US9921978B1 (en) | System and method for enhanced security of storage devices | |
| US8997198B1 (en) | Techniques for securing a centralized metadata distributed filesystem | |
| CN112513857A (en) | Personalized cryptographic security access control in a trusted execution environment | |
| WO2020192406A1 (en) | Method and apparatus for data storage and verification | |
| CN112074836A (en) | Apparatus and method for protecting data through trusted execution environment | |
| KR20210132216A (en) | Verification of the identity of emergency vehicles during operation | |
| US20080181406A1 (en) | System and Method of Storage Device Data Encryption and Data Access Via a Hardware Key | |
| CN102948114A (en) | Single-use authentication methods for accessing encrypted data | |
| CN101589398A (en) | Upgrading a memory card that has security mechanisms that prevent copying of secure content and applications | |
| CN105612715A (en) | Security processing unit with configurable access control | |
| JP2007335962A (en) | Data protection method of sensor node, calculator system for distributing sensor node, and sensor node | |
| CN103970540A (en) | Method and device for safely calling key function | |
| CN103592927A (en) | Method for binding product server and service function through license | |
| JP2008005408A (en) | Recorded data processing apparatus | |
| US10311240B1 (en) | Remote storage security | |
| CN109889334A (en) | Embedded firmware encrypting method, apparatus, wifi equipment and storage medium | |
| CN110659522B (en) | Storage medium security authentication method and device, computer equipment and storage medium | |
| US11601285B2 (en) | Securely authorizing service level access to a backup system using a specialized access key | |
| JP2007179357A (en) | Method for installing computer program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: LIAOYUAN HUANYU JIAXUN COMMUNICATION TECHNOLOGY CO Free format text: FORMER OWNER: LIANG SHOULONG Effective date: 20121115 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100085 HAIDIAN, BEIJING TO: 136200 LIAOYUAN, JILIN PROVINCE |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20121115 Address after: 136200 Beihai pharmacy, Liaoyuan, Jilin province (north of gymnasium Road) Applicant after: LIAOYUAN HUANYU JIAXUN COMMUNICATION TECHNOLOGY CO., LTD. Address before: 100085 Beijing City, Haidian District Renhe malianwa apartment A223 Applicant before: Liang Shoulong |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20150513 Termination date: 20180928 |