CN103020543A - System and method for image encryption management of virtual disk - Google Patents

Publication number: CN103020543A
Authority: CN (China)
Prior art keywords: virtual machine, disk image, encrypted, key, symmetric key
Legal status: Granted (as listed by Google; not a legal conclusion)
Application number: CN2012105934812A (priority to CN201210593481.2A)
Other languages: Chinese (zh)
Other versions: CN103020543B
Inventors: 汪宏, 叶润国, 胡振宇
Assignees: Beijing Venus Information Security Technology Co Ltd; Beijing Venus Information Technology Co Ltd
Current status: Expired - Fee Related
Classification: Storage Device Security

Abstract

The invention discloses a system and a method for image encryption management of a virtual disk, in the technical field of information security. The system comprises at least virtual machine encrypted disk image management agents and a symmetric key management center. An agent requests key information from the symmetric key management center, generates a virtual machine encrypted disk image from the key information it obtains, and manages that image according to the user's operations; when the symmetric key management center receives a request from an agent, it sends the key information of the virtual machine encrypted disk image to that agent. The invention further discloses a method for image encryption management of the virtual disk. With this technical scheme the security of the whole virtual machine disk image is protected, which in turn protects the user's data in a cloud or virtualization environment, and the management of encrypted virtual machine disk images by the cloud or virtualization management center is made easier.

Description

Virtual disk image encryption management system and method
Technical field
The present invention relates to the field of information security technology, and in particular to a system for data protection in a cloud computing or virtualized environment.
Background
Cloud computing is a rapidly developing new industry, regarded as the third IT revolution after the microcomputer and the Internet. Mainstream IT companies, telecom operators and emerging start-ups are all investing heavily in cloud computing, and a fairly complete cloud computing ecosystem has formed. Beyond technical integration and innovation, cloud computing has brought a new service model to the information society: all kinds of products and services now carry the "cloud" name, such as cloud computing, cloud software, cloud storage, cloud security and cloud disaster recovery.
While bringing these benefits, cloud computing has also introduced new security problems. Because of virtualization and multi-tenancy, issues such as data isolation and privacy protection receive growing attention. A 2009 Forrester Research survey found that 51% of small and medium-sized enterprises regarded security and privacy concerns as the main reason they had not yet adopted cloud services.
Data security in a cloud environment can be divided into several aspects. By the region in which data resides:
1. Security inside a boundary, such as the boundary of the virtualized environment, of a host, of a virtual machine, and the security boundary of a virtual network or subnet.
2. Security between boundaries, such as isolation between a user and the virtualized environment, between one virtual machine and another, and between the data of user A and user B.
3. Security of nested boundaries, such as the virtualized environment boundary relative to the host boundary, or the host boundary relative to the virtual machine boundary.
By the state of the data:
1. Dynamic data, which has two states:
A) Data in transit, such as data moving from boundary A to boundary B, copied memory data, and shared memory data.
B) Data under computation, such as data being processed in a CPU or virtual CPU.
2. Static data, such as data in a virtual machine disk or user data in shared storage.
At present most data security products for cloud or virtualized environments still follow the traditional model: an encryption driver is installed inside the virtual machine and encrypts one disk volume or partition. This protects the user's data effectively, but it does not take advantage of the characteristics of a virtualized environment.
Summary of the invention
The technical problem solved by the invention is to provide a virtual disk image encryption management system and method that make full use of the characteristics of virtualization to protect the data in a user's virtual machine more efficiently and securely.
To solve this problem, the invention discloses a virtual disk image encryption management system comprising at least a symmetric key management center and a virtual machine encrypted disk image management agent installed in each virtual machine monitor, wherein:
the virtual machine encrypted disk image management agent requests key information from the symmetric key management center, generates a virtual machine encrypted disk image from the key information it obtains, and manages the virtual machine encrypted disk image according to the user's operations, the management comprising mounting, opening, snapshotting, migrating and deleting the virtual machine encrypted disk image;
when the symmetric key management center receives a request from the virtual machine encrypted disk image management agent, it sends the key information of the virtual machine encrypted disk image to that agent.
Preferably, in the above system, the symmetric key management center sending the key information of the virtual machine encrypted disk image to the agent on receiving its request means either:
that the symmetric key management center, on receiving the request, generates the key information of the virtual machine encrypted disk image and then sends the generated key information to the agent; or
that the symmetric key management center, on receiving the request, sends the key information of the virtual machine encrypted disk image that it has already saved locally to the agent.
Preferably, in the above system, when handling a request from the agent, the symmetric key management center also determines whether the client that initiated the request is an authenticated client, and generates the virtual machine encrypted disk image encryption key only if it is.
Preferably, in the above system, the virtual machine encrypted disk image management agent can be divided into a qemu-kvm agent and a symmetric key management client, wherein:
the qemu-kvm agent submits a key request to the symmetric key management client according to the universally unique identifier (UUID) of the virtual machine encrypted disk, receives the returned key information, generates the virtual machine encrypted disk image from it, and manages the generated image according to the user's operations, the management comprising mounting, opening, snapshotting, migrating and deleting the image;
the symmetric key management client communicates with the symmetric key management center according to the key request submitted by the qemu-kvm agent and returns the key information sent by the center to the qemu-kvm agent.
Preferably, in the above system, the symmetric key management client communicating with the symmetric key management center means either:
that the client sends an encryption key generation request to the center according to the UUID of the virtual machine encrypted disk; or
that the client sends an encryption key retrieval request to the center according to the UUID of the virtual machine encrypted disk.
Preferably, in the above system, the symmetric key management center comprises a cryptographic key generation module, a database module storing keys and virtual machine information, and a symmetric key management service module, wherein:
the key generation module uses a mature, cryptographically secure pseudo-random number generation algorithm to generate keys for the AES block cipher;
the database module stores the file name of each virtual machine encrypted disk image together with its virtual machine and user information, the table entries comprising: virtual machine encrypted disk image UUID, user ID, symmetric key ID, the encrypted symmetric key, key generation time, last key modification time and key state;
the symmetric key management service module provides management services to each virtual machine encrypted disk image management agent, the services comprising querying, deleting and updating keys.
Preferably, in the above system, the key generation module generates 128-, 192- and 256-bit AES block cipher keys.
The invention also discloses a virtual disk image encryption management method, comprising:
a virtual machine encrypted disk image management agent installed in each virtual machine monitor requests key information from the symmetric key management center on the network side;
the symmetric key management center receives the agent's request and sends the key information of the virtual machine encrypted disk image to the agent;
the agent generates a virtual machine encrypted disk image from the key information it obtains and manages the generated image according to the user's operations, the management comprising mounting, opening, snapshotting, migrating and deleting the virtual machine encrypted disk image.
Preferably, in the above method, the symmetric key management center receiving the agent's request and sending the key information to the agent means either:
that the symmetric key management center, on receiving the request, generates the key information of the virtual machine encrypted disk image and then sends the generated key information to the agent; or
that the symmetric key management center, on receiving the request, sends the key information of the virtual machine encrypted disk image that it has already saved locally to the agent.
Preferably, in the above method, when handling a request from the agent, the symmetric key management center also determines whether the client that initiated the request is an authenticated client, and generates the virtual machine encrypted disk image encryption key only if it is.
Preferably, in the above method, the agent requesting key information from the symmetric key management center on the network side means either:
that the agent sends an encryption key generation request to the center according to the universally unique identifier (UUID) of the virtual machine encrypted disk; or
that the agent sends an encryption key retrieval request to the center according to the UUID of the virtual machine encrypted disk.
The present technical scheme protects the security of the whole virtual machine disk image and thereby the user's data in a cloud or virtualized environment. Furthermore, it makes it easier for the cloud or virtualization management center to manage encrypted virtual machine disk images.
Brief description of the drawings
Fig. 1 is a schematic diagram of the overall framework of the virtual disk image encryption management system in this embodiment;
Fig. 2 is the system architecture diagram of the virtual disk image encryption management system shown in Fig. 1;
Fig. 3 is the flow chart for opening a virtual machine encrypted disk image in this embodiment.
Detailed description
To make the purpose, technical solutions and advantages of the invention clearer, the technical solution is described in further detail below with reference to the drawings. Note that, where they do not conflict, the embodiments of this application and the features within them can be combined arbitrarily.
Embodiment 1
The applicant proposes that the characteristics and encryption functions of the KVM (Kernel-based Virtual Machine) platform itself can be used: a virtual machine disk image encryption agent is installed in the virtual machine monitor, the agent controls operations such as encrypting and opening the disk image and exposes a virtual machine disk image management API (Application Programming Interface) to the outside; an independent key management center manages the keys and verifies the identity of the agent and of the user, which guarantees the security of the keys and thereby protects the data in the virtual machine disk image file and on the disk.
Based on this idea, the present embodiment provides a virtual disk image encryption management system comprising at least a virtual machine encrypted disk image management agent and a symmetric key management center.
The virtual machine encrypted disk image management agent is installed in each virtual machine monitor. According to the user's operations it interacts with the symmetric key management center, requests from it the key information of the virtual machine encrypted disks installed on the host, generates virtual machine encrypted disk images from the key information it obtains, and manages the virtual machine encrypted disk images according to the user's operations.
The virtual machine encrypted disk image management API covers the whole virtual machine lifecycle, including generating, opening, snapshotting, migrating and deleting virtual machine encrypted disk images.
Specifically, the agent can be divided into a qemu-kvm agent, which makes use of the characteristics of the KVM platform, and a symmetric key management client. The qemu-kvm agent is responsible for the virtual machine encrypted disk image management API (generating, mounting, opening, snapshotting, migrating and deleting virtual machine encrypted disk images), submits key requests to the symmetric key management client and receives the returned key information. The symmetric key management client is responsible for communicating with the symmetric key management center and returns the key information to the qemu-kvm agent.
The agent works as follows:
The qemu-kvm agent asks the symmetric key management client to generate or retrieve the key information of a virtual machine encrypted disk image; the symmetric key management client interacts with the key management center and then returns the requested key information to the qemu-kvm agent. The client's communication with the symmetric key management center comprises one of the following operations:
requesting generation of an encryption key according to the unique identifier (UUID, universally unique identifier) of the corresponding virtual machine encrypted disk, where the UUID is generated by the qemu-kvm agent and forwarded to the key management center by the symmetric key management client; or
requesting the encryption key kept at the symmetric key management center according to the UUID of the corresponding virtual machine encrypted disk.
According to the requests of the virtual machine encrypted disk image management agent, the symmetric key management center generates, stores and manages the virtual machine encrypted disk image encryption keys.
Preferably, the symmetric key management center provides service only to authenticated virtual machine encrypted disk image management agents. It can obtain the necessary user management information from the cloud or virtual machine management center, use that information to judge whether the client initiating a management operation is an authenticated client, and only then perform the requested management operation on the virtual machine encrypted disk image of that authenticated client.
The symmetric key management center obtaining the necessary user information from the virtualization management center means that, when the key management center receives a request from the symmetric key management client, it queries the cloud or virtualization management center, or that the cloud or virtualization management center sends the information on its own initiative. Verifying that a key request was initiated by the user and not from inside the cloud computing center further strengthens the security of the user's data.
Specifically, the symmetric key management center comprises a cryptographic key generation module that produces random, secure symmetric keys, a database module that stores keys and virtual machine information, and a module that provides the symmetric key management service to the outside.
The key generation module uses a mature, cryptographically secure pseudo-random number generation algorithm to generate keys for the AES block cipher, and can produce 128-, 192- and 256-bit AES block cipher keys.
The database module stores the file name of each virtual machine encrypted disk image together with its virtual machine and user information; the table entries comprise the virtual machine encrypted disk image UUID, user ID, symmetric key ID, the encrypted symmetric key, key generation time, last key modification time, key state and so on.
The symmetric key management service module provides service to each virtual machine encrypted disk image management agent (that is, to its symmetric key management client). The main process is:
The symmetric key management client sends a request to the symmetric key management service module of the center; the service module verifies whether the client's identity is legitimate using the client certificate and the user information (which may be kept locally or obtained by querying the cloud or virtualization management center in real time); if it is legitimate, the module responds to the client's request by modifying information in the database or sending the requested key information. Requests include requesting a key, querying a key, deleting a key and updating a key.
With reference to the drawings, the virtual disk image encryption management system described above can be applied in a network framework such as the one shown in Fig. 1. The figure shows the position of the management system in a typical environment, the components required and where they are installed. The deployment environment is a cloud or virtualized environment; Fig. 1 takes a desktop cloud as an example, with a desktop cloud management center and a virtualization management center (VCenter). The virtualized environment contains multiple hosts, each running a virtualization platform in which several virtual machines run, and the virtual machine disk image files are kept in shared storage. The system installs an agent in the virtualization platform layer of each host, that is, in the virtual machine monitor; the agent manages the virtual machine encrypted disk images and provides the management API, while an independent key management center supplies the symmetric keys required for encryption.
Specifically, the structure of the virtual disk image encryption management system is shown in Fig. 2, which abstracts the overall framework of Fig. 1 and details its key components. The system consists of two main modules: the virtual machine encrypted disk image management agent and the symmetric key management center. The agent is installed on every physical host, while the symmetric key management center is an independent physical device.
The virtual machine encrypted disk image management agent consists of two components, the qemu-kvm agent and the symmetric key management client. The qemu-kvm agent manages virtual machine disk image files through the qemu-kvm module of the KVM platform, implements generating, opening, snapshotting, migrating and deleting encrypted disk image files, and exposes the management API, which comprises:
(1) virtual machine encrypted disk image generation: generate an empty virtual machine encrypted disk image;
(2) virtual machine encrypted disk image opening: open a virtual machine encrypted disk image that has already been generated;
(3) virtual machine encrypted disk image snapshot: take a snapshot of an existing virtual machine disk image so that the virtual machine state can be restored when necessary;
(4) encrypted virtual machine migration: migrate an encrypted virtual machine from one physical host to another physical host on which this management agent is also installed;
(5) virtual machine encrypted disk image deletion, and so on.
The symmetric key management center consists of three main modules:
A. a cryptographic module that generates random, secure symmetric keys;
B. a database module that stores keys and virtual machine information;
C. a module that provides the symmetric key management service to the outside.
Module A uses a cryptographically secure random number generation algorithm; the specific algorithm is chosen according to the actual conditions of the deployment. Module A can generate 128-, 192- and 256-bit AES block cipher keys.
Module B stores the necessary key information, including the virtual machine encrypted disk image UUID, user ID, symmetric key ID, the encrypted symmetric key, key generation time, last key modification time, key state and so on. The symmetric key is stored as ciphertext: it is encrypted with the key management center's master key before being written to the database.
The master key of the symmetric key management center should be updated automatically at regular intervals; the update period is chosen according to the actual application environment.
Module C integrates modules A and B and provides the symmetric key management service in a client/server model; the client is the symmetric key management client installed in the virtual machine encrypted disk image management agent. The server and the client communicate over the SSL encryption protocol and authenticate each other with certificates pre-installed on the server and on the client.
A typical server-client communication proceeds as follows:
(1) the client initiates a connection to the server;
(2) the server and the client authenticate each other and negotiate a session key;
(3) the client sends a request;
(4) the server responds to the request;
(5) the session ends.
The whole lifecycle of virtual machine encrypted disk image management requires the cooperation of every component in the system. Fig. 3 takes the opening of a virtual machine encrypted disk image in a desktop cloud environment as an example and describes the interaction sequence between the components. The steps in Fig. 3 are:
(1) the desktop management center sends a start-virtual-machine command to the virtual machine encrypted disk image management agent;
(2) the management agent invokes the relevant virtualization platform command through qemu-kvm;
(3) qemu-kvm detects that the virtual machine disk image is in encrypted format and waits for the management agent to supply the encryption key of the disk image;
(4) the management agent queries the key management center for the key using the UUID of the virtual machine encrypted disk image;
(5) after authenticating the agent, the key management center queries the desktop management center for the usage state of the corresponding virtual machine;
(6) the desktop management center returns the usage state of the virtual machine;
(7) the key management center decides, from the information returned in the previous step, whether to send the key to the agent.
The other operations in the virtual machine encrypted disk image management lifecycle, such as creation, snapshot, migration and deletion, follow steps similar to the above and are not repeated here.
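The key management center's modules A and B (CSPRNG key generation, keys stored only as ciphertext under a master key, service only to authenticated clients) together with the key-release decision of the Fig. 3 open flow, as an added Go example that is not part of the patent: the management-center query is reduced to a callback, authentication at mutual TLS to a set of accepted client identities, and the client identities and image UUIDs are constructed; wrapping with AES-GCM and binding the image UUID as associated data is my choice, not something the patent specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyRecord keeps the columns of the patent's key table used here: the owning
// user ID and the image key, stored only as ciphertext under the master key.
type KeyRecord struct {
	UserID     string
	WrappedKey []byte // nonce || AES-GCM ciphertext of the image key
}

// KeyCenter stands in for the symmetric key management centre; usage is a hypothetical
// callback to the desktop management centre reporting the VM's use state (Fig. 3, steps 5-6).
type KeyCenter struct {
	master     []byte                // master key that wraps every image key
	records    map[string]*KeyRecord // keyed by image UUID
	authorized map[string]bool       // client identities accepted at mutual TLS
	usage      func(imageUUID, userID string) (bool, error)
}

func NewKeyCenter(usage func(string, string) (bool, error)) *KeyCenter {
	return &KeyCenter{master: randBytes(32), records: map[string]*KeyRecord{},
		authorized: map[string]bool{}, usage: usage}
}

// randBytes draws from the CSPRNG, as the patent's module A requires.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("CSPRNG failure: " + err.Error())
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: master keys are always 32 bytes here
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// wrap seals an image key under the master key; the image UUID is bound as
// associated data so a ciphertext cannot be moved to another image's record.
func wrap(master, plain []byte, imageUUID string) []byte {
	g := newGCM(master)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plain, []byte(imageUUID))
}

// unwrap expects blobs produced by wrap, so the nonce prefix is always present.
func unwrap(master, blob []byte, imageUUID string) ([]byte, error) {
	g := newGCM(master)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(imageUUID))
}

// GenerateKey serves an "encryption key generate" request from an authenticated
// client; the fresh AES-256 image key is stored only in wrapped form, never overwritten.
func (kc *KeyCenter) GenerateKey(clientID, imageUUID, userID string) error {
	if !kc.authorized[clientID] {
		return errors.New("client not authenticated")
	}
	if _, exists := kc.records[imageUUID]; exists {
		return errors.New("a key already exists for this image")
	}
	kc.records[imageUUID] = &KeyRecord{UserID: userID, WrappedKey: wrap(kc.master, randBytes(32), imageUUID)}
	return nil
}

// FetchKey serves an "encryption key obtain" request (Fig. 3, steps 4 to 7): authenticated
// client, record owned by the user, and the management centre must confirm the VM.
func (kc *KeyCenter) FetchKey(clientID, imageUUID, userID string) ([]byte, error) {
	if !kc.authorized[clientID] {
		return nil, errors.New("client not authenticated")
	}
	rec, ok := kc.records[imageUUID]
	if !ok || rec.UserID != userID {
		return nil, errors.New("no key for this image and user")
	}
	if allowed, err := kc.usage(imageUUID, userID); err != nil || !allowed {
		return nil, errors.New("management centre did not confirm the VM")
	}
	return unwrap(kc.master, rec.WrappedKey, imageUUID)
}

func main() {
	kc := NewKeyCenter(func(string, string) (bool, error) { return true, nil })
	kc.authorized["agent-host1"] = true // constructed client identity
	_ = kc.GenerateKey("agent-host1", "img-0001", "alice")
	key, err := kc.FetchKey("agent-host1", "img-0001", "alice")
	println(len(key), err == nil) // 32 true
}
```

The property worth checking is that FetchKey releases a key only when all three checks pass, and that the stored record never contains the plaintext key.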
Embodiment 2
The present embodiment provides a virtual disk image encryption management method comprising the following steps:
Step 100: the virtual machine encrypted disk image management agent installed in each virtual machine monitor requests key information from the symmetric key management center on the network side;
Step 200: the symmetric key management center receives the agent's request and sends the key information of the virtual machine encrypted disk image to the agent;
Preferably, when handling a request from the agent, the symmetric key management center also determines whether the client that initiated the request is an authenticated client, and sends the key information of the virtual machine encrypted disk to the agent only if it is.
Step 300: the agent generates a virtual machine encrypted disk image from the key information it obtains and manages the generated image according to the user's operations, the management comprising mounting, opening, snapshotting, migrating and deleting the virtual machine encrypted disk image.
Note that in the above method, when the agent requests key information from the symmetric key management center on the network side, it can send either an encryption key generation request or an encryption key retrieval request to the center according to the universally unique identifier (UUID) of the virtual machine encrypted disk. Correspondingly, when the symmetric key management center receives the agent's request it may generate the key information of the virtual machine encrypted disk image immediately and send the generated key information to the agent; or, if key information has already been generated for this virtual machine encrypted disk, the center simply sends the key information it has saved locally to the agent.
Other details of the method can be found in the corresponding description of Embodiment 1 above and are not repeated here.
Those skilled in the art will appreciate that all or part of the steps of the above method can be performed by a program instructing the relevant hardware, the program being stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments can be implemented with one or more integrated circuits. Correspondingly, each module or unit in the above embodiments can be implemented in hardware or as a software functional module. The application is not restricted to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (11)

1. A virtual disk image encryption management system, characterised in that the system comprises at least a symmetric key management centre and a virtual machine encrypted disk image management agent installed in each virtual machine monitor, wherein:
the virtual machine encrypted disk image management agent requests key information from the symmetric key management centre, generates a virtual machine encrypted disk image according to the key information obtained, and manages the virtual machine encrypted disk image according to user operations, the management comprising mounting, opening, snapshotting, migrating and deleting the virtual machine encrypted disk image; and
the symmetric key management centre, on receiving the request of the virtual machine encrypted disk image management agent, sends the key information of the virtual machine encrypted disk image to the virtual machine encrypted disk image management agent.
2. The system of claim 1, characterised in that the symmetric key management centre, on receiving the request of the virtual machine encrypted disk image management agent, sending the key information of the virtual machine encrypted disk image to the agent means:
the symmetric key management centre, on receiving the request of the agent, generates the key information of the virtual machine encrypted disk image and then sends the generated key information to the agent; or
the symmetric key management centre, on receiving the request of the agent, sends the locally stored key information of the virtual machine encrypted disk image to the agent.
3. The system of claim 2, characterised in that
the symmetric key management centre, when processing the request of the virtual machine encrypted disk image management agent, further determines whether the client that initiated the request is an authenticated client, and generates the virtual machine encrypted disk image encryption key only when the requesting client is an authenticated client.
4. The system of claim 1, 2 or 3, characterised in that the virtual machine encrypted disk image management agent is divided into a qemu-kvm agent and a symmetric key management client, wherein:
the qemu-kvm agent submits a key request to the symmetric key management client according to the universally unique identifier (UUID) of the virtual machine encrypted disk and receives the returned key information, generates the virtual machine encrypted disk image according to the returned key information, and manages the generated virtual machine encrypted disk image according to user operations, the management comprising mounting, opening, snapshotting, migrating and deleting the virtual machine encrypted disk image; and
the symmetric key management client communicates with the symmetric key management centre according to the key request submitted by the qemu-kvm agent and returns the key information sent by the symmetric key management centre to the qemu-kvm agent.
5. The system of claim 4, characterised in that the symmetric key management client communicating with the symmetric key management centre means:
the symmetric key management client sends an encryption key generation request to the symmetric key management centre according to the UUID of the virtual machine encrypted disk; or
it sends an encryption key acquisition request to the symmetric key management centre according to the UUID of the virtual machine encrypted disk.
6. The system of claim 4, characterised in that the symmetric key management centre comprises a key generation module, a database module storing keys and virtual machine information, and a symmetric key management service module, wherein:
the key generation module generates keys for the AES block cipher using a mature cryptographically secure pseudo-random number generator;
the database module stores the file name of each virtual machine encrypted disk image together with its corresponding virtual machine and user information, the table entries comprising: virtual machine encrypted disk image UUID, user ID, symmetric key ID, encrypted symmetric key, key generation time, key last-modified time and key state; and
the symmetric key management service module provides management services to each virtual machine encrypted disk image management agent, the management services comprising key query, key deletion and key update.
7. The system of claim 6, characterised in that
the key generation module generates 128-, 192- and 256-bit AES block cipher keys.
8. A virtual disk image encryption management method, characterised in that the method comprises:
a virtual machine encrypted disk image management agent installed in each virtual machine monitor requests key information from a network-side symmetric key management centre;
the symmetric key management centre receives the request of the virtual machine encrypted disk image management agent and sends the key information of the virtual machine encrypted disk image to the agent; and
the virtual machine encrypted disk image management agent generates a virtual machine encrypted disk image according to the key information obtained and manages the generated virtual machine encrypted disk image according to user operations, wherein the management comprises mounting, opening, snapshotting, migrating and deleting the virtual machine encrypted disk image.
9. The method of claim 8, characterised in that the symmetric key management centre receiving the request of the virtual machine encrypted disk image management agent and sending the key information of the virtual machine encrypted disk image to the agent means:
the symmetric key management centre, on receiving the request of the agent, generates the key information of the virtual machine encrypted disk image and then sends the generated key information to the agent; or
the symmetric key management centre, on receiving the request of the agent, sends the locally stored key information of the virtual machine encrypted disk image to the agent.
10. The method of claim 9, characterised in that
the symmetric key management centre, when processing the request of the virtual machine encrypted disk image management agent, further determines whether the client that initiated the request is an authenticated client, and generates the virtual machine encrypted disk image encryption key only when the requesting client is an authenticated client.
11. The method of claim 8, 9 or 10, characterised in that the virtual machine encrypted disk image management agent requesting key information from the network-side symmetric key management centre means:
the virtual machine encrypted disk image management agent sends an encryption key generation request to the symmetric key management centre according to the universally unique identifier (UUID) of the virtual machine encrypted disk; or
it sends an encryption key acquisition request to the symmetric key management centre according to the UUID of the virtual machine encrypted disk.
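The request flow of the claims, written out as runnable code. This is an added example for this page, not code from the patent or its applicant. Everything beyond the claims is an assumption: requests and responses are plain dicts; the "authenticated client" of claims 3 and 10 is modelled as an HMAC-SHA256 tag under a pre-shared secret; the "encrypted symmetric key" column of claim 6 is wrapped with an HMAC-SHA256 counter-mode keystream under a centre master key, standing in for AES key wrap so that only the standard library is needed; and the agent is a single class rather than the qemu-kvm agent plus symmetric key management client split of claim 4.

```python
"""Added model of the symmetric key management centre and agent from the claims
(assumed message format, authentication scheme and key wrap; not the patent's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


class KeyManagementError(Exception):
    """Raised for unauthenticated clients and unknown, deleted or invalid keys."""


@dataclass
class KeyRecord:
    """One row of the key table: the columns named in claim 6."""
    disk_uuid: str
    user_id: str
    key_id: str
    encrypted_key: bytes   # symmetric key wrapped under the centre's master key
    created: float
    modified: float
    state: str             # "active" or "deleted"


def client_tag(client_secret: bytes, req_type: str, disk_uuid: str) -> bytes:
    """Request authentication tag (assumed scheme: HMAC-SHA256 under a pre-shared secret)."""
    return hmac.new(client_secret, f"{req_type}|{disk_uuid}".encode(), hashlib.sha256).digest()


class SymmetricKeyCenter:
    """Network-side centre: CSPRNG key generation plus query, delete and update services."""

    def __init__(self, master_key: bytes, clients: dict):
        self._master = master_key   # assumed: wraps stored keys at rest
        self._clients = clients     # client_id -> pre-shared secret of an authenticated client
        self._table = {}            # disk_uuid -> KeyRecord

    def _wrap(self, key_id: str, key: bytes) -> bytes:
        """XOR with an HMAC-SHA256 counter-mode keystream (stand-in for AES key wrap)."""
        stream = b"".join(
            hmac.new(self._master, f"{key_id}|{ctr}".encode(), hashlib.sha256).digest()
            for ctr in range((len(key) + 31) // 32))
        return bytes(a ^ b for a, b in zip(key, stream))

    _unwrap = _wrap  # XOR with the same keystream undoes the wrap

    def _authenticate(self, req: dict) -> None:
        secret = self._clients.get(req["client_id"])
        if secret is None:
            raise KeyManagementError("unknown client")
        expected = client_tag(secret, req["type"], req["disk_uuid"])
        if not hmac.compare_digest(expected, req["tag"]):
            raise KeyManagementError("bad client tag")

    def _new_record(self, req: dict) -> KeyRecord:
        bits = req.get("bits", 256)
        if bits not in (128, 192, 256):          # the AES sizes of claim 7
            raise KeyManagementError("unsupported AES key size")
        key = secrets.token_bytes(bits // 8)     # CSPRNG, as claim 6 requires
        key_id, now = secrets.token_hex(8), time.time()
        return KeyRecord(req["disk_uuid"], req["user_id"], key_id,
                         self._wrap(key_id, key), now, now, "active")

    def _key_info(self, rec: KeyRecord) -> dict:
        return {"key_id": rec.key_id, "key": self._unwrap(rec.key_id, rec.encrypted_key)}

    def handle(self, req: dict) -> dict:
        """Serve one agent request; keys are only ever released to authenticated clients."""
        self._authenticate(req)
        uid, rtype = req["disk_uuid"], req["type"]
        rec = self._table.get(uid)
        active = rec is not None and rec.state == "active"
        if rtype == "generate":
            if not active:   # a key already generated for this UUID is returned, not replaced
                rec = self._table[uid] = self._new_record(req)
            return self._key_info(rec)
        if not active:
            raise KeyManagementError(f"no active key for disk {uid}")
        if rtype in ("obtain", "query"):
            return self._key_info(rec)
        if rtype == "delete":
            rec.state, rec.modified = "deleted", time.time()
            return {"key_id": rec.key_id, "state": rec.state}
        if rtype == "update":   # rotate: fresh key and key ID in the same row, new modified time
            new = self._new_record(req)
            rec.key_id, rec.encrypted_key, rec.modified = new.key_id, new.encrypted_key, new.modified
            return self._key_info(rec)
        raise KeyManagementError(f"unknown request type {rtype}")


class DiskImageAgent:
    """Hypervisor-side agent: every request is bound to the encrypted disk's UUID."""

    def __init__(self, center: SymmetricKeyCenter, client_id: str, secret: bytes, user_id: str):
        self._center, self._client_id, self._secret, self._user = center, client_id, secret, user_id

    def request(self, rtype: str, disk_uuid: str, bits: int = 256) -> dict:
        return self._center.handle({
            "type": rtype, "disk_uuid": disk_uuid, "user_id": self._user,
            "client_id": self._client_id, "bits": bits,
            "tag": client_tag(self._secret, rtype, disk_uuid)})


def denied(agent: DiskImageAgent, rtype: str, disk_uuid: str) -> bool:
    """True when the centre refuses the request (exercises the failure paths)."""
    try:
        agent.request(rtype, disk_uuid)
    except KeyManagementError:
        return True
    return False
```

The behaviour worth checking against the claims is in `handle`: a `generate` request for a UUID that already has an active key returns the stored key rather than minting a new one (the second branch of claims 2 and 9), so the only thing stopping one hypervisor from pulling another tenant's disk key is `_authenticate`. The table row also carries the user ID, which the claims record but never check; a deployment would want the centre to compare it against the requesting client as well. For comparison, a real agent would hand the returned key to the hypervisor rather than keep it in Python; with current qemu that is done by passing it as a `--object secret` to `qemu-img create -f luks`, a feature that postdates this patent.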
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210593481.2A 2012-12-31 2012-12-31 A virtual disk image encryption management system and method (granted as CN103020543B; expired, fee related)

Publications (2)

Publication Number Publication Date
CN103020543A true CN103020543A (en) 2013-04-03
CN103020543B CN103020543B (en) 2016-08-03

Family

ID=47969137

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210593481.2A Expired - Fee Related CN103020543B (en) 2012-12-31 2012-12-31 A virtual disk image encryption management system and method

Country Status (1)

Country Link
CN (1) CN103020543B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468458A (en) * 2013-09-12 2015-03-25 中国电信股份有限公司 Method and system for migrating client work load to cloud environment, and migration agent
CN104780048A (en) * 2015-04-13 2015-07-15 中国电子科技集团公司第二十八研究所 Lightweight mirror image file encryption system and method
WO2017128720A1 (en) * 2016-01-27 2017-08-03 华为技术有限公司 Vtpm-based method and system for virtual machine security and protection
CN107111728A (en) * 2014-08-04 2017-08-29 甲骨文国际公司 Safe key export function
CN107609414A (en) * 2017-09-26 2018-01-19 国云科技股份有限公司 A kind of method that desktop cloud is automatically prevented from data leak
CN109376119A (en) * 2018-10-30 2019-02-22 郑州云海信息技术有限公司 Method for creating and using an encrypted snapshot of a disk image file, and storage medium
CN111190695A (en) * 2019-12-27 2020-05-22 山东乾云启创信息科技股份有限公司 Virtual machine protection method and device based on Roc chip
CN118153080A (en) * 2024-05-11 2024-06-07 三未信安科技股份有限公司 System and method for a KVM (Kernel-based Virtual Machine) virtualised cryptographic machine to call a cryptographic card

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100011210A1 (en) * 2005-05-13 2010-01-14 Scarlata Vincent R Method And Apparatus For Remotely Provisioning Software-Based Security Coprocessors
CN102194063A (en) * 2010-03-12 2011-09-21 北京路模思科技有限公司 Method and system for secure management and use of key and certificate based on virtual machine technology
CN102609643A (en) * 2012-01-10 2012-07-25 道里云信息技术(北京)有限公司 Dynamic cryptography protection for virtual machines and key management method thereof


Also Published As

Publication number Publication date
CN103020543B (en) 2016-08-03


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20160803; termination date: 20211231)