CN103186479A - Double hard disc isolation encryption device, method and computer based on single operating system - Google Patents
Double hard disc isolation encryption device, method and computer based on single operating system Download PDFInfo
- Publication number
- CN103186479A CN103186479A CN2012101690077A CN201210169007A CN103186479A CN 103186479 A CN103186479 A CN 103186479A CN 2012101690077 A CN2012101690077 A CN 2012101690077A CN 201210169007 A CN201210169007 A CN 201210169007A CN 103186479 A CN103186479 A CN 103186479A
- Authority
- CN
- China
- Prior art keywords
- data
- disk
- hard disk
- controller
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention can be applied to the field of computers and provides a double hard disc isolation encryption device, method and computer based on a single operating system. The device comprises a system hard disc, a data hard disc, a cipher module and a solid-state disc controller, wherein the system hard disc is used for providing the driving of an authentication device and an interactive interface authenticated by a user; the data hard disc is used for storing enciphered data; and the cipher module is used for storing a master key. When ciphers pass the cipher key authentication of the cipher module and the authentication of the solid-state disc controller, the ciphers are led to a user operation system in the data hard disc from an authentication system in the system hard disk. According to an embodiment of the device, the method and the computer, under the condition of the single operating system, a data disc is guided to be started through a system of a primary hard disc, so that the physical isolation of a system layer and a data layer is achieved; the data are subjected to security encryption, and under the condition that the system does not affect the safety functions of the data disc, the data resources in the hard disc are protected.
Description
Technical field
The invention belongs to computer realm, relate in particular to a kind of two hard disks based on single operating system and isolate encryption device, method and computing machine.
Background technology
Operating system is between bottom hardware and user, is the bridge of linking up between user and the bottom hardware; The user can be by the user interface input command of operating system; Operating system then makes an explanation to order, drives hardware device, realizes customer requirements.
Existing operating system is to utilize a main frame that system and data are incorporated in the hard disk to move, and makes the high data of safe class have potential safety hazard.
Summary of the invention
The purpose of the embodiment of the invention is to provide a kind of two hard disks based on single operating system to isolate encryption devices, is intended to solve the problem that there is potential safety hazard in safe class is high in the present operating system data.
The embodiment of the invention is achieved in that a kind of two hard disks isolation encryption devices based on single operating system, and comprising: system disk is used for providing the driving of authenticating device and the interactive interface that the user authenticates; The data hard disk is used for stored encrypted data; Solid state disk controller, the one end is connected with described data hard disk with described system disk; Crypto module is connected with the other end of described solid state disk controller, is used for the storage master key; When the password of input simultaneously behind the key authentication and the authentication of described solid state disk controller by the storage of described crypto module, be directed into operating system of user in the described data hard disk by the Verification System in the described system disk.
Further, described crypto module is the TCM chip.
Further, described system disk and described data hard disk are connected to described solid state disk controller by the SATA data line.
Further, described solid state disk controller comprises: master control system, and the SSD controller, the one end is connected with described data hard disk, the other end of described SSD controller is connected with described master control system, is undertaken alternately by read/write data between described SSD controller and the described master control system; CPU is connected with described master control system, takes out instruction from storer or cache memory, puts into order register, and to instruction decoding, and execution command; The authentication management module, the one end is connected with described CPU, and the other end is connected with described SSD controller; Give CPU earlier with the instruction of input and decipher, the crypto module verification feeds back to the authentication management module afterwards.
Further, described SSD controller comprises: encryption and decryption module and FLASH controller; The SSD controller adopts the institutional framework of hyperchannel Flash, and user data is band with 4Kyte, leaves in successively in 4 passages, and own self-adapting multi-channel technology is used in the design of SSD.
Further, the described master key in the described crypto module is moved to solid state disk controller after encrypting.
The present invention also aims to provide a kind of computing machine that comprises above-mentioned device.
The present invention also aims to provide a kind of two hard disks based on single operating system to isolate encryption method, comprise the steps:
After powering on, the data hard disk is identified as the bootable memory disc of low capacity, and described data hard disk is set to read-only;
BIOS obtains the Main Boot Record MBR that is set to read-only described data hard disk, and jumps to the embedded OS that its boot partition starts prepackage;
Loading authenticating device drives and authentication interface;
The input authentication voucher;
Judge whether authentication is successful;
If, then resetting automatically, described data hard disk is designated the common disk of normal capacity again, can be accessed;
Input the laggard access customer operating system of password of described data hard disk.
In embodiments of the present invention; system's vectoring information disk startup by Primary Hard Drive under single operating system is realized system layer and data Layer physical isolation; data are carried out safety encipher, under system does not influence the security function situation of data disks, realized the data resource in the protection hard disk.
Description of drawings
Fig. 1 be the embodiment of the invention provide isolate the modular structure synoptic diagram of encryption devices based on the two hard disks of single operating system;
Fig. 2 is the modular structure synoptic diagram based on solid state disk controller in two hard disks isolation encryption devices of single operating system that the embodiment of the invention provides;
Fig. 3 is the modular structure synoptic diagram of SSD controller in the solid state disk controller that provides of the embodiment of the invention;
Fig. 4 be the embodiment of the invention provide isolate the process flow diagram of encryption methods based on the two hard disks of single operating system.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein only in order to explaining the present invention, and be not used in restriction the present invention.
The two hard disks based on single operating system that the embodiment of the invention provides are isolated encryption device and are mainly used in the computing machine, are used for the high data of safe class are encrypted isolation; Its modular structure for convenience of explanation, only shows the part relevant with the embodiment of the invention as shown in Figure 1, and details are as follows:
Isolating encryption device based on two hard disks of single operating system comprises: system disk 1, data hard disk 2, solid state disk controller 3 and crypto module 4; Wherein system disk 1 is used for providing the driving of authenticating device and the interactive interface that the user authenticates; Data hard disk 2 is used for stored encrypted data; One end of solid state disk controller 3 is connected with data hard disk 2 with system disk 1; Crypto module 4 is connected with the other end of solid state disk controller 3, is used for the storage master key; When the password of input simultaneously behind the key authentication and solid state disk controller 3 authentications by crypto module 4 storage, be directed into operating system of user in the data hard disk 2 by the Verification System in the system disk 1.
In embodiments of the present invention, crypto module 4 can adopt the TCM chip; Wherein TCM (Trusted Cryptography Module, credible password module) standard is released by some IT enterprises in the United Nations of national Password Management office; It is a kind of safety chip, can effectively protect PC, prevents that the disabled user from visiting computer.
In embodiments of the present invention, system and data are the physical hard disk of two isolation, the two can connect by the SATA line, and wherein SATA (Serial Advanced Technology Attachment, Serial Advanced Technology Attachment) is a kind of serial hardware driver interface based on industry standard.Data hard disk district is imported by Verification System, have only the double authentication of having passed through between user and USBKEY and the SSD dish after, just can enter the data hard disk.That is to say: user authorization code (password, fingerprint or other), USBKEY (depositing key), safe storage solid-state disk (depositing encrypt user data) three is unique binding, wants the calling party data, the three is indispensable.
In embodiments of the present invention; the computing machine of general relatively single hard disk operating system; should isolate encryption device based on the safeguard protection data based on two hard disks of single operating system; system and data are divided into two hard disks; system disk 1 provides the driving of authenticating device and the interactive interface that the user authenticates; data hard disk 2 is imported by Verification System; have only by after the authentication between TCM and the SSD dish; just can enter custom system; safety coefficient to effective protection of data is higher; be difficult for allowing data reveal, accomplish adequately protecting to data.
In embodiments of the present invention, solid state disk controller 3 modular structures as shown in Figure 2, solid state disk controller 3 comprises: SSD controller, authentication management module 33, CPU34 and master control system 35; Wherein, an end of SSD controller is connected with data hard disk 2, and the other end of SSD controller is connected with master control system 35, is undertaken alternately by read/write data between SSD controller and the master control system 35; CPU34 is connected with master control system 35, so that CPU and master control system are kept in communication; One end of authentication management module 33 is connected with CPU34, and the other end is connected with the SSD controller; So that authentication management is deciphered and is handled through CPU.
In embodiments of the present invention, the SSD controller comprises: FLASH controller 31 and encryption and decryption module 32; The SSD controller adopts the institutional framework of hyperchannel Flash, and user data is band with 4Kyte, leaves in successively in 4 passages, and own self-adapting multi-channel technology is used in the design of SSD.Wherein, encrypting the SDD encryption uses the data of symmetric encipherment algorithm AES to carry out the encryption and decryption operation, adopt XTS-AES encrypting module formula that length is carried out encryption and decryption for the 512Bytes data cell, the enforcement of enciphering and deciphering algorithm meets IEEE Standard for Crypptographic Protection of Data on Block-Oriented Storage Devices standard, and AES supports that length is the key of 128bits and 256bits; Encryption and decryption operation is realized by hardware that fully the encryption and decryption operation is transparent fully to the user, and key is stored in the TCM chip, can't be by any software (comprising the firmware in the solid-state disk) visit, and key is removed automatically after the power down.
As one embodiment of the present of invention, the master key in the crypto module 4 is moved to solid state disk controller 3 after encrypting; Concrete transition process as shown in Figure 3, master key is stored in the TCM chip, has only legal authentication input just can read master key among the TCM; Disabled user or validated user have unmatched solid-state disk, all can not obtain the ciphertext of master key; Master key is moved in the solid-state disk after encrypting.Thereby guaranteed the safety of data, prevented loss.
The embodiment of the invention also provides a kind of two hard disks based on single operating system to isolate encryption method, and concrete flow process comprises the steps: as shown in Figure 4
Step S 1:BIOS self check;
Step S2: loading equipemtn drives and authentication interface;
Step S3: input authentication authority;
Step S4: judge whether authentication is successful; If then enter step S5; If not, then be back to step S2;
Step S5: reset automatically;
Step S6: start-up system hard disk;
Step S7: log-on data hard disk;
Step S8: enter operating system of user.
In embodiments of the present invention, the Verification System in the security system participates in whole Verification System, the security that the confidence level of assurance Verification System can improve whole security system greatly.In the middle of this example, system and data are the physical hard disk of two isolation, and the two is connected to mainboard by a SATA interface, and the data hard disk comes the safety of protected data through encrypting (leaving the TCM chip in key is example); Particularly, after powering on, the data hard disk is identified as the bootable memory disc of low capacity, and described data hard disk is set to read-only; BIOS obtains the Main Boot Record MBR that is set to read-only described data hard disk, and jumps to the embedded OS that its boot partition starts prepackage; Loading authenticating device drives and authentication interface; The input authentication voucher; Judge whether authentication is successful; If, then resetting automatically, described data hard disk is designated the common disk of normal capacity again, can be accessed; Input the laggard access customer operating system of password of described data hard disk.
The method that the embodiment of the invention provides is moved under single operating system; the method of the system's vectoring information disk startup by Primary Hard Drive; realize system layer and data Layer physical isolation; to the data safety encipher; do not influence in system under the security function situation of data disks, realize the data resource in the protection hard disk.
In the embodiment of the invention, under single operating system operation, not by outside third party's instrument, can realize the physical isolation of system disk and data hard disk, in addition safeguard protection of data.The computing machine of general relatively single hard disk operating system; the Great Wall computer is based on the safeguard protection data; data and system are divided into two hard disks; there are sufficient storage and spatial cache in the one system; its two data HD encryption is isolated; safety coefficient to effective protection of data is higher, is difficult for allowing data reveal, and accomplishes adequately protecting to data.This method and traditional data protection are essentially different.After the BIOS self check, the power supply of data hard disk and controlled with the communication of system disk; When the operation system, the user is optionally with the data hard disk startup; The data hard disk is allowed for access after the security password protection.
In embodiments of the present invention; system's vectoring information hard disk startup by system disk under single operating system is realized system layer and data Layer physical isolation; data are carried out safety encipher, under system does not influence the security function situation of data disks, realized the data resource in the protection hard disk.
The above only is preferred embodiment of the present invention, not in order to limiting the present invention, all any modifications of doing within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.
Claims (8)
1. the two hard disks based on single operating system are isolated encryption device, it is characterized in that, comprising:
System disk is used for providing the driving of authenticating device and the interactive interface that the user authenticates;
The data hard disk is used for stored encrypted data;
Solid state disk controller, the one end is connected with described data hard disk with described system disk;
Crypto module is connected with the other end of described solid state disk controller, is used for the storage master key;
When the password of input simultaneously behind the key authentication and the authentication of described solid state disk controller by the storage of described crypto module, be directed into operating system of user in the described data hard disk by the Verification System in the described system disk.
2. device as claimed in claim 1 is characterized in that, described crypto module is the TCM chip.
3. device as claimed in claim 1 is characterized in that, described system disk and described data hard disk are connected to described solid state disk controller by the SATA data line.
4. device as claimed in claim 1 is characterized in that, described solid state disk controller comprises:
Master control system,
The SSD controller, the one end is connected with described data hard disk, and the other end of described SSD controller is connected with described master control system, is undertaken alternately by read/write data between described SSD controller and the described master control system;
CPU is connected with described master control system, takes out instruction from storer or cache memory, puts into order register, and to instruction decoding, and execution command;
The authentication management module, the one end is connected with described CPU, and the other end is connected with described SSD controller; Give CPU earlier with the instruction of input and decipher, the crypto module verification feeds back to the authentication management module afterwards.
5. device as claimed in claim 4 is characterized in that, described SSD controller comprises: encryption and decryption module and FLASH controller; The SSD controller adopts the institutional framework of hyperchannel Flash, and user data is band with 4Kyte, leaves in successively in 4 passages, and own self-adapting multi-channel technology is used in the design of SSD.
6. device as claimed in claim 1 is characterized in that, the described master key in the described crypto module is moved to solid state disk controller after encrypting.
7. computing machine that comprises each described device of claim 1-6.
8. the two hard disks based on single operating system are isolated encryption method, it is characterized in that, comprise the steps:
After powering on, the data hard disk is identified as the bootable memory disc of low capacity, and described data hard disk is set to read-only;
BIO S obtains the Main Boot Record MBR that is set to read-only described data hard disk, and jumps to the embedded OS that its boot partition starts prepackage;
Loading authenticating device drives and authentication interface;
The input authentication voucher;
Judge whether authentication is successful;
If, then resetting automatically, described data hard disk is designated the common disk of normal capacity again, can be accessed;
Input the laggard access customer operating system of password of described data hard disk.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101690077A CN103186479A (en) | 2011-12-31 | 2012-05-28 | Double hard disc isolation encryption device, method and computer based on single operating system |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110459573.7 | 2011-12-31 | ||
| CN201110459573 | 2011-12-31 | ||
| CN2012101690077A CN103186479A (en) | 2011-12-31 | 2012-05-28 | Double hard disc isolation encryption device, method and computer based on single operating system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103186479A true CN103186479A (en) | 2013-07-03 |
Family
ID=48677654
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2012101690077A Pending CN103186479A (en) | 2011-12-31 | 2012-05-28 | Double hard disc isolation encryption device, method and computer based on single operating system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103186479A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104077243A (en) * | 2014-07-10 | 2014-10-01 | 王爱华 | SATA hard disc device encryption method and system |
| CN104598843A (en) * | 2015-02-06 | 2015-05-06 | 浪潮集团有限公司 | Encrypted SSD (Solid State Disk) authentication method |
| CN104794071A (en) * | 2015-04-22 | 2015-07-22 | 王爱华 | Method and system for unfreezing and adding coded lock on computer SATA hard disk based on USB flash disk |
| CN105577661A (en) * | 2015-12-23 | 2016-05-11 | 浪潮集团有限公司 | Step-by-step type encrypted storage system and method |
| CN107292201A (en) * | 2016-03-31 | 2017-10-24 | 天津青创科技有限公司 | A kind of double hard disc isolation encryption device based on single operating system |
| WO2018090213A1 (en) * | 2016-11-15 | 2018-05-24 | 深圳天下知网络科技有限公司 | Computer-based encryption and decryption system and encryption and decryption method |
| CN112182530A (en) * | 2020-10-14 | 2021-01-05 | 北京安石科技有限公司 | Method and device for controlling operating system permission through master control system |
| CN114153280A (en) * | 2021-11-18 | 2022-03-08 | 浪潮(山东)计算机科技有限公司 | Computer mainboard |
| CN116597874A (en) * | 2023-05-13 | 2023-08-15 | 汇钜电科(东莞)实业有限公司 | Mobile hard disk with built-in static discharge sheet and method for preventing static accumulation |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1475918A (en) * | 2002-08-14 | 2004-02-18 | 北京唯美星计算机安全保护技术有限公 | Multistorage type physical buffer computer data safety protection method and device |
| CN101788959A (en) * | 2010-02-03 | 2010-07-28 | 武汉固捷联讯科技有限公司 | Solid state hard disk secure encryption system |
| CN102024115A (en) * | 2010-11-19 | 2011-04-20 | 紫光股份有限公司 | Computer with user security subsystem |
| CN102289623A (en) * | 2011-09-02 | 2011-12-21 | 湖南国安思科计算机系统有限公司 | Anti-leakage laptop |
-
2012
- 2012-05-28 CN CN2012101690077A patent/CN103186479A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1475918A (en) * | 2002-08-14 | 2004-02-18 | 北京唯美星计算机安全保护技术有限公 | Multistorage type physical buffer computer data safety protection method and device |
| CN101788959A (en) * | 2010-02-03 | 2010-07-28 | 武汉固捷联讯科技有限公司 | Solid state hard disk secure encryption system |
| CN102024115A (en) * | 2010-11-19 | 2011-04-20 | 紫光股份有限公司 | Computer with user security subsystem |
| CN102289623A (en) * | 2011-09-02 | 2011-12-21 | 湖南国安思科计算机系统有限公司 | Anti-leakage laptop |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104077243A (en) * | 2014-07-10 | 2014-10-01 | 王爱华 | SATA hard disc device encryption method and system |
| CN104598843A (en) * | 2015-02-06 | 2015-05-06 | 浪潮集团有限公司 | Encrypted SSD (Solid State Disk) authentication method |
| CN104794071A (en) * | 2015-04-22 | 2015-07-22 | 王爱华 | Method and system for unfreezing and adding coded lock on computer SATA hard disk based on USB flash disk |
| CN105577661A (en) * | 2015-12-23 | 2016-05-11 | 浪潮集团有限公司 | Step-by-step type encrypted storage system and method |
| CN107292201A (en) * | 2016-03-31 | 2017-10-24 | 天津青创科技有限公司 | A kind of double hard disc isolation encryption device based on single operating system |
| WO2018090213A1 (en) * | 2016-11-15 | 2018-05-24 | 深圳天下知网络科技有限公司 | Computer-based encryption and decryption system and encryption and decryption method |
| CN112182530A (en) * | 2020-10-14 | 2021-01-05 | 北京安石科技有限公司 | Method and device for controlling operating system permission through master control system |
| CN114153280A (en) * | 2021-11-18 | 2022-03-08 | 浪潮(山东)计算机科技有限公司 | Computer mainboard |
| CN114153280B (en) * | 2021-11-18 | 2023-12-19 | 浪潮(山东)计算机科技有限公司 | Computer main board |
| CN116597874A (en) * | 2023-05-13 | 2023-08-15 | 汇钜电科(东莞)实业有限公司 | Mobile hard disk with built-in static discharge sheet and method for preventing static accumulation |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103186479A (en) | Double hard disc isolation encryption device, method and computer based on single operating system | |
| US10922439B2 (en) | Technologies for verifying memory integrity across multiple memory regions | |
| CN102646077B (en) | A kind of method of the full disk encryption based on credible password module | |
| CN104951409B (en) | A kind of hardware based full disk encryption system and encryption method | |
| US9954826B2 (en) | Scalable and secure key management for cryptographic data processing | |
| WO2020192406A1 (en) | Method and apparatus for data storage and verification | |
| US9436812B2 (en) | Platform-hardened digital rights management key provisioning | |
| CN101430747B (en) | Movable equipment based on credible embedded platform and its security storage method | |
| JP6275653B2 (en) | Data protection method and system | |
| CN101441601B (en) | Ciphering transmission method of hard disk ATA instruction and system | |
| US9064135B1 (en) | Hardware implemented key management system and method | |
| CN101881997B (en) | Trusted safe mobile storage device | |
| CN107908574B (en) | Safety protection method for solid-state disk data storage | |
| US20080072071A1 (en) | Hard disc streaming cryptographic operations with embedded authentication | |
| CN102207999A (en) | Data protection method based on trusted computing cryptography support platform | |
| CN103154963A (en) | Scrambling an address and encrypting write data for storing in a storage device | |
| EP3059897B1 (en) | Methods and devices for authentication and key exchange | |
| KR20080101799A (en) | System and method of providing security to an external device | |
| CN102236755A (en) | One-machine multi-user security access control method | |
| CN112560058A (en) | SSD partition encryption storage system based on intelligent password key and implementation method thereof | |
| CN102163267A (en) | Solid state disk as well as method and device for secure access control thereof | |
| KR20140051350A (en) | Digital signing authority dependent platform secret | |
| CN105678173A (en) | vTPM safety protection method based on hardware transactional memory | |
| CN113704835A (en) | Trusted storage hard disk supporting encryption card function | |
| CN201549223U (en) | Trusted secure portable storage device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20130703 |
|
| RJ01 | Rejection of invention patent application after publication |