CN103198263A

CN103198263A - Method for establishing encrypted/decrypted storage space by virtue of personnel computer external secrete key

Info

Publication number: CN103198263A
Application number: CN2012104162612A
Authority: CN
Inventors: 马国强
Original assignee: 马国强
Current assignee: Shenzhen sidit Technology Co.,Ltd.
Priority date: 2012-10-26
Filing date: 2012-10-26
Publication date: 2013-07-10
Anticipated expiration: 2032-10-26
Also published as: CN103198263B

Abstract

A method for establishing encrypted/decrypted storage space by virtue of a personnel computer external secrete key is based on a personnel computer and an external hardware device where a secrete key is stored. The method comprises the following steps: mounting a data filter screen type encryption/decryption driving function on an upper bottom layer of an internal operating system of the personnel computer; establishing encrypted data storage partitions in available data storage space detected by the operating system; after the external hardware device is electrically connected with the personnel computer, mounting the encrypted data storage partitions in the operating system; and after the external hardware device is electrically disconnected from the personnel computer, demounting the encrypted data storage partitions from the operating system, and encrypting/decrypting data interactively of the encrypted data storage partitions. The method realizes isolation of the secrete key from the encrypted data as well as isolation of the common data from the encrypted data, enhances the crypticity of the encrypted data, and ensures the security of the encrypted data.

Description

Set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer

Technical field

The present invention relates to the data enciphering/deciphering in the electronic data storage, particularly relate to and need finish data enciphering/deciphering in the electronic data storage of data storage by personal computer.

Background technology

In increasing occasion, need implement enciphering/deciphering for the data in the data-carrier store relevant with personal computer and handle.Described personal computer comprises small-size computer, portable computer and palmtop computer, and described small-size computer comprises main frame, input equipment and output device.Be provided with mainboard in the described main frame, be electrically connected with central processor CPU on the described mainboard, be used for the hard disk of storage operating system and data, and interface.Common input equipment adopts keyboard and mouse, and common output device adopts display.Described portable computer is with the synthetic portable equipment integrating of host display, keyboard and mouse.Described palmtop computer is with comparing portable computer, and with display, keyboard and mouse, namely input equipment and output device synthesize touching-type monitor, and this touch display and main frame are combined into more microminiaturized computing machine.The described data-carrier store relevant with personal computer comprises the hard disk that is used for the data storage in the personal computer, is independent of personal computer and can be connected electrically in external data memory on the personal computer by interface for convenience detachly.Described external data memory is to be equipped with USB (universal serial bus) Universal Serial Bus interface, and namely the pocket memory of USB interface is main avatar.

A kind of method to described data-carrier store enforcement enciphering/deciphering of prior art is at hardware aspect a special-purpose enciphering/deciphering chip or integrated circuit board to be set, data to the turnover data-carrier store are implemented enciphering/deciphering, but this method realizes the cost height, be applicable to height encryption requirements unit, for example army, government bodies, and be unsuitable for universalness.

The method that the prior art another kind is implemented enciphering/deciphering to described data-carrier store is that enciphering/deciphering software is installed in operating system, when needing enciphered data, move this enciphering/deciphering software earlier, preserve in the data to data storer behind the input password, but this kind method all is stored in key and enciphered data in the same data-carrier store, obtain encrypt file in this data-carrier store and just mean and obtained key, be easy to by other people deciphering.Therefore substantial data encryption is not accomplished in the data encryption of this method and dangerous.Also be because key and enciphered data are not isolated, enciphered data is not anti-computer virus and the anti-Trojan program ability of invading almost.

Prior art enciphering/deciphering software engineering is just implemented above-mentioned enciphering/deciphering with document form usually, and do not provide enciphering/deciphering operation interface at the specific function demand for the user, for example the user often will directly preserve user name, account number, password, web site collection information, individual's memo information etc.In addition, for how to back up and recover core datas such as user's data information, password and enciphering/deciphering key, the method that prior art does not all provide better security and ease for use to take into account.

Summary of the invention

The technical problem to be solved in the present invention is to avoid the deficiencies in the prior art part and the data method for encryption/decryption that proposes a kind of software and hardware combining, realize key and the isolation of enciphering/deciphering software by individual adding machine peripheral hardware hardware, and the isolation of enciphered data and general data, guarantee the data encryption high reliability, and provide simple data is directly encrypted, and the method that core datas such as enciphered data, password, key are backed up and recover.

The present invention solve the technical problem can be by realizing by the following technical solutions:

Implement a kind ofly to set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, based on personal computer, and be independent of outside this personal computer, have an external hardware devices of storage capacity; Described personal computer comprises main frame, input equipment and output device, is provided with central processor CPU in the described main frame, and the hard disk that is stored with operating system and data; Described external hardware devices can be connected electrically on this personal computer by the interface of personal computer, and also can power on from described personal computer removes; Especially described method comprises the steps:

A. in the operating system of described personal computer enciphering/deciphering software is installed; In described external hardware devices, deposit key in;

B. in the operating system of described personal computer driver based on described external hardware devices is installed, thereby between the physical equipment of operating system bottom and incoming/outgoing management device, is set up the enciphering/deciphering driving function of a data filter net type;

C. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software is set according to the user, by the key that is stored in the described external hardware devices, in the data available storage space that operating system can detect, set up at least one enciphered data partition holding; Make each enciphered data partition holding mutual by following condition implementation data,

K1. when external hardware devices was not electrically connected with described personal computer, described enciphering/deciphering software did not load described enciphered data partition holding, and namely operating system can not detect described enciphered data partition holding;

K2. when external hardware devices and described personal computer set up be electrically connected after, the enciphered data partition holding carry that described operating system will be set up according to the key stored in this external hardware devices is in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And during from described enciphered data partition holding sense data, described enciphering/deciphering driving function is implemented deciphering by key to sense data; When writing data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key;

K3. after external hardware devices removes from the operating system of described personal computer, described enciphering/deciphering software will unload from the incoming/outgoing management device according to the enciphering/deciphering data partition holding that the key of storing in this external hardware devices is set up, even operating system can not detect described enciphering/deciphering data partition holding.

Prevent that key from repeating to cause giving away secrets, the described key of steps A is corresponding one by one with the external hardware devices of this key of storage, and namely the key of storage is unique in each external hardware devices.

Particularly, the storage space that is used for storage key in the described external hardware devices is that the operating system of personal computer can't correctly be read and write wherein data and enciphering/deciphering software can correctly be read and write the wherein storage space of data.

Especially, described external hardware devices is for the external data storage device of finishing the data storage outside personal computer.

Particularly, described operating system from the I/O management device to being disposed with installable file system layer Installable File System, file system driver layer, device driver layer and hardware extraction layer Hardware Abstraction Layer between the physical equipment; The enciphering/deciphering driving function of described data filter net type is based upon between described installable file system layer IFS and the described file system driver layer.

The enciphering/deciphering driving function of described data filter net type refers to only the data exchange process between described enciphered data partition holding and the incoming/outgoing management device be implemented enciphering/deciphering according to key, and can directly finish data interaction between other hardware device and the incoming/outgoing management device.

The free memory that described operating system can detect not only comprises the interior idle storage space of hard disk of operating system place computing machine, the free memory that the described operating system of step C can detect comprises the free memory from the personal computer hard disk, from the free memory that is connected electrically in the external data storage device on the personal computer, and from the free memory of described external hardware devices.Described external data storage device is the external data storage device that is independent of described personal computer, can be connected electrically on the described personal computer by the interface of this personal computer, and also can power on from described personal computer removes.

The interface of described personal computer is USB (universal serial bus) Universal Serial Bus interface.

In order further to guarantee the security of enciphered data partition holding, step C also comprises step by step following,

C1. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software is set according to the user, by the key that is stored in the described external hardware devices, in the data available storage space that operating system can detect, set up at least one enciphered data partition holding, for each enciphered data partition holding disposes one respectively by the connection password of user's input; Make each enciphered data partition holding mutual by following condition implementation data,

K11. when external hardware devices was not electrically connected with described personal computer, described enciphering/deciphering software did not load described enciphered data partition holding, and namely operating system can not detect described enciphered data partition holding;

K21. when external hardware devices and described personal computer set up be electrically connected after, have only the enciphered data partition holding of setting up according to storage key in this external hardware devices to exist, the user inputs under the password situation consistent with the connection password of setting for this enciphered data partition holding simultaneously, described enciphering/deciphering software just with described enciphered data partition holding carry in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And during from described enciphered data partition holding sense data, described enciphering/deciphering driving function is implemented deciphering by key to sense data; When writing data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key;

K31. after external hardware devices removes from the operating system of described personal computer, described enciphering/deciphering software will unload from the incoming/outgoing management device according to the enciphering/deciphering data partition holding that the key of storing in this external hardware devices is set up, even operating system can not detect described enciphered data partition holding.

The other method of further guaranteeing the security of enciphered data partition holding is, step C also comprises step by step following,

C2. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software is set according to the user, by the key that is stored in the described external hardware devices, in the data available storage space that operating system can detect, set up at least one enciphered data partition holding, for one of all enciphered data partition holdings configuration of setting up based on same key connect password by user's input based on key; Make each enciphered data partition holding mutual by following condition implementation data,

K12. when external hardware devices was not electrically connected with described personal computer, described enciphering/deciphering software did not load described enciphered data partition holding, and namely operating system can not detect described enciphered data partition holding;

K22. when external hardware devices and described personal computer set up be electrically connected after, have only the enciphered data partition holding of setting up according to storage key in this external hardware devices to exist, simultaneously, the user inputs password and connecting under the consistent situation of password based on key of setting for the enciphered data partition holding of setting up based on same key, described enciphering/deciphering software just with all enciphered data partition holding carries of setting up based on same key in the incoming/outgoing management device, even operating system can detect all based on the enciphered data partition holding of same key; And during from described enciphered data partition holding sense data, described enciphering/deciphering driving function is implemented deciphering by key to sense data; When writing data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key;

K32. after external hardware devices removes from the operating system of described personal computer, described enciphering/deciphering software will unload from the incoming/outgoing management device according to the enciphering/deciphering data partition holding that the key of storing in this external hardware devices is set up, even operating system can not detect described enciphered data partition holding.

Another method of further guaranteeing the security of enciphered data partition holding is, step C also comprises step by step following,

C3. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software is set according to the user, by the key that is stored in the described external hardware devices, in the data available storage space that operating system can detect, set up at least one enciphered data partition holding; Make each enciphered data partition holding mutual by following condition implementation data,

K13. when external hardware devices was not electrically connected with described personal computer, described enciphering/deciphering software did not load described enciphered data partition holding, and namely operating system can not detect described enciphered data partition holding;

K23. when external hardware devices and described personal computer set up be electrically connected after, the enciphered data partition holding carry that described enciphering/deciphering software will be set up according to the key stored in this external hardware devices is in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And when writing file data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key, and writes data file password by user's input of data setting for this; When reading file data from described enciphered data partition holding, only input under the password situation consistent with the data file password of reading the file data setting for this user, described enciphering/deciphering driving function is just implemented deciphering by key to sense data;

K33. after external hardware devices removes from the operating system of described personal computer, described enciphering/deciphering software will unload from the incoming/outgoing management device according to the enciphering/deciphering data partition holding that the key of storing in this external hardware devices is set up, even operating system can not detect described enciphered data partition holding.

Can also be with above-mentioned wherein two kinds of method combinations, step C also comprises step by step following,

C4. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software is set according to the user, by the key that is stored in the described external hardware devices, in the data available storage space that operating system can detect, set up at least one enciphered data partition holding, for each enciphered data partition holding disposes one respectively by the connection password of user's input; Make each enciphered data partition holding mutual by following condition implementation data,

K14. when external hardware devices was not electrically connected with described personal computer, described enciphering/deciphering software did not load described enciphered data partition holding, and namely operating system can not detect described enciphered data partition holding;

K24. when external hardware devices and described personal computer set up be electrically connected after, have only the enciphered data partition holding of setting up according to the key of storing in this external hardware devices to exist, simultaneously, the user inputs under the password situation consistent with the connection password of setting for this enciphered data partition holding, described enciphering/deciphering software just with described enciphered data partition holding carry in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And when writing file data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key, and writes data file password by user's input of data setting for this; When reading file data from described enciphered data partition holding, only input under the password situation consistent with the data file password of reading the file data setting for this user, described enciphering/deciphering driving function is implemented deciphering by key to sense data;

K34. after external hardware devices removes from the operating system of described personal computer, described enciphering/deciphering software will unload from the incoming/outgoing management device according to the enciphering/deciphering data partition holding that the key of storing in this external hardware devices is set up, even operating system can not detect described enciphered data partition holding.

In addition, can also be with above-mentioned wherein two kinds of method combinations, step C also comprises step by step following,

C5. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software is set according to the user, by the key that is stored in the described external hardware devices, in the data available storage space that operating system can detect, set up at least one enciphered data partition holding, for one of all enciphered data partition holdings configuration of setting up based on same key connect password by user's input based on key; Make each enciphered data partition holding mutual by following condition implementation data,

K15. when external hardware devices was not electrically connected with described personal computer, described enciphering/deciphering software did not load described enciphered data partition holding, and namely operating system can not detect described enciphered data partition holding;

K25. when external hardware devices and described personal computer set up be electrically connected after, have only the enciphered data partition holding of setting up according to the key of storing in this external hardware devices to exist, simultaneously, the user inputs password and connecting under the consistent situation of password based on key of setting for the enciphered data partition holding of setting up based on same key, described enciphering/deciphering software just with all enciphered data partition holding carries of setting up based on same key in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And when writing file data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key, and writes data file password by user's input of data setting for this; When reading file data from described enciphered data partition holding, only input under the password situation consistent with the data file password of reading the file data setting for this user, described enciphering/deciphering driving function is implemented deciphering by key to sense data;

K35. after external hardware devices removes from the operating system of described personal computer, described enciphering/deciphering software will unload from the incoming/outgoing management device according to the enciphering/deciphering data partition holding that the key of storing in this external hardware devices is set up, even operating system can not detect described enciphered data partition holding.

In order to realize the enciphering/deciphering of simple data form, for example to user name, account number, password, web site collection information, individual's encryption and decryption such as memo information, described method also comprises the steps,

D1. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software directly is kept at the information of the need to be keep secret of user input in the data available storage space that operating system can detect.

Particularly, the free memory that the described operating system of step D1 can detect comprises the free memory from the personal computer hard disk, from the free memory that is connected electrically in the external data storage device on the personal computer, and from the free memory of described external hardware devices.

More specifically, the free memory that the described operating system of step D1 can detect comprises the enciphered data partition holding from the personal computer hard disk, from the enciphered data partition holding that is connected electrically in the external data storage device on the personal computer, and from the enciphered data partition holding of described external hardware devices.

The another kind of realization user name, account number, password, the method for the enciphering/deciphering of web site collection information, individual's simple data forms such as memo information, described method also comprise the steps,

D2. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software directly is kept at the information of the need to be keep secret of user's input in the external hardware devices, thereby makes the information of the need to be keep secret of key and user's input be stored in the same storage space.

The storage space of the information of the need to be keep secret that is used for storage key and user's input of described external hardware devices is that the operating system of personal computer can't correctly be read and write wherein data and enciphering/deciphering software can correctly be read and write the wherein storage space of data.

In order to realize backup and the recovery to key, described method also comprises the steps E1,

E1. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software to user's data designated storage space, forms the encrypted backup data with secret key encryption ground back-up storage; When needs recover described encrypted backup data, described external hardware devices is electrically connected described personal computer, described enciphering/deciphering software returns to being used in the storage space of storage key of external hardware devices with the encrypted backup data.

Based on backup and the recovery of execution behind above-mentioned steps D1 to the information of the need to be keep secret of key and user's input, described method also comprises the steps E2 behind step D1,

E2. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software to user's data designated storage space, forms the encrypted backup data with the information encryption ground back-up storage of the need to be keep secret of the described user's input of key and step D1; When needs recover described encrypted backup data, described external hardware devices is electrically connected described personal computer, described enciphering/deciphering software is by the encrypted backup data being returned to being used in the storage space of storage key of external hardware devices.

Based on backup and the recovery of execution behind above-mentioned steps D2 to the information of the need to be keep secret of key and user's input, described method also comprises the steps E3 behind step D2,

E3. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software to user's data designated storage space, forms the encrypted backup data with the information encryption ground back-up storage of the need to be keep secret of the described key of step D2 and user input; When needs recover described encrypted backup data, described external hardware devices is electrically connected described personal computer, described enciphering/deciphering software is by the encrypted backup data being returned to being used in the storage space of storage key of external hardware devices.

Particularly, among above-mentioned steps E1, E2 and the E3, the storage space that is used for storage key of external hardware devices is that the operating system of personal computer can't correctly be read and write wherein data and enciphering/deciphering software can correctly be read and write the wherein storage space of data.

In addition, among above-mentioned steps E1, E2 and the E3, the storage space of the described encrypted backup data of the back-up storage of described user's appointment comprises the storage space from the personal computer hard disk, from the storage space that is connected electrically in the external data storage device on the personal computer, from the storage space of described external hardware devices, and from the network storage space of internet or LAN (Local Area Network).

Compare with prior art, the present invention " sets up the method for enciphering/deciphering storage space " by the peripheral hardware key of personal computer technique effect is:

1. the present invention realizes the isolation of key and enciphered data by the external hardware devices that stores key, even obtain the data in the described enciphered data partition holding, can not obtain corresponding secret key, and enciphered data can't be deciphered, and has guaranteed data security;

2. the present invention is by the external hardware devices that stores key, realize the isolation of general data and enciphered data, increased the disguise of enciphered data, do not having under the situation of key, other people there is no telling has the existence of enciphered data partition holding, just do not have the motivation of the encrypted data of deciphering yet, further strengthened the security of enciphered data;

3. enciphering/deciphering driving function of the present invention is arranged on the bottom of operating system, logarithm is executed filter net type factually and is handled, and to not influence of operating system running, applies close, deciphering factually at data gateway logarithm, preventing that data are robbed before encryption gets, and guarantees the reliability of data enciphering/deciphering process;

Enciphering/deciphering software of the present invention can provide to user's particular demands, by the user directly the data of input implement direct enciphering/deciphering, do not need user-specific information, for example the account number of user name, password, website information, memo information etc. are at first preserved hereof, again this document is carried out enciphering/deciphering operation, for user's specific function demand provides better security and convenience;

5. enciphering/deciphering software of the present invention can be to the data message specific functional requirement of user, that directly imported by the user, data such as Shang Wang account number, password, memo for example, and the core enciphered messages such as key of preserving in the described external hardware device back up and recover, prevent from losing because of external hardware devices and cause the user encryption data to recover again, further guarantee the security of enciphered data.

Description of drawings

Fig. 1 is the present invention's hardware based structural representation of first embodiment of " setting up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer ";

Fig. 2 is the described first embodiment operating system layering synoptic diagram;

Fig. 3 is the schematic flow sheet of user, personal computer and the external hardware devices of described first embodiment;

Fig. 4 is the schematic flow sheet of user, personal computer and the external hardware devices of described second embodiment.

Embodiment

Be described in further detail below in conjunction with each embodiment shown in the accompanying drawing.

The present invention proposes a kind ofly to set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, and as shown in Figure 1, described method is based on personal computer, and is independent of outside this personal computer, has an external hardware devices 4 of storage capacity; Described personal computer comprises main frame 1, input equipment and output device, is provided with central processor CPU 11 in the described main frame 1, and the hard disk 12 that is stored with operating system and data.In the first embodiment of the invention, described input equipment adopts keyboard 31 and mouse 32, and they are connected electrically on the main frame 1 by interface 14.Described output device adopts display screen 2, and this display screen is by the video card 13 in the interface electrical connection main frame 1, and described video card 13 is finished data interaction with central processor CPU 11.Can also coordinate to connect each hardware unit in the main frame 1 by mainboard in certain described main frame 1.

Described external hardware devices 4 can be connected electrically on this personal computer by the interface 14 of personal computer, and also can power on from described personal computer removes.Described electromigration is except referring to that external hardware devices 4 and personal computer thoroughly disconnect hardware and be connected, be removing mode and propose from operating system of mentioning among the following relatively condition K3, described removing from operating system refers to that software removes external hardware devices 4, might described external hardware devices 4 also keep hardware to be connected electrically on the personal computer this moment, be external hardware devices being unloaded of operating system bottom, operating system can not detect described external hardware devices 4.Therefore described electromigration connects except referring to that hardware disconnects, and described removing from operating system refers to that the software disconnection connects.

Described external hardware devices 4 has storage capacity and has contained the personal computer external device (ED) that next part of normal conditions itself possesses data space, finishes the specific function of non-memory function, for example described external hardware devices adopts video card, just comprise the video memory that possesses data space in the video card, but the major function of video card is to provide interface to graphic processing data and for display; Described external hardware devices 4 has storage capacity and also comprises personal computer external device (ED) specific function, set up data storage capacities specially in order to realize the object of the invention that does not possess data space, finishes non-memory function itself, for example network interface card does not have data storage function under normal conditions, but in order to realize the present invention, the dedicated data stores space can be set in network interface card, thereby support the external hardware devices with storage capacity of the present invention; Certainly most be convenient to use one itself possesses the personal computer external device (ED) that data space, self function also are applicable to the data storage, be that described external hardware devices is for the external data storage device of finishing the data storage outside personal computer, for example portable hard disk.

In order to improve the disguise of key, the storage spaces that are used for storage key in the described external hardware devices 4 are that the operating system of personal computer can't correctly be read and write wherein data and enciphering/deciphering software can correctly be read and write the wherein storage space of data.Though just the data in the storage space of described storage key can be read and write by the operating system of personal computer, but operating system can not be correct the storage space of the described storage key of identification in data, the operating system that is personal computer can't the specified data type, can't judgment data be used for any software, and then true content that can't judgment data, could correctly identify data in the storage space of storage key, i.e. specified data type, Identification Data content and have only with described enciphering/deciphering software.The simplest implementation of the storage space of described storage key; be exactly by enciphering/deciphering software the data in the storage space of this storage key to be implemented the enciphering/deciphering protection; thereby make the interior data of storage space of storage key correctly be read and write by enciphering/deciphering software, and can not correctly be read and write by the operating system of personal computer.Described external hardware devices 4 should be to be electrically connected personal computer easily, also can power on from personal computer easily removes, and namely described external hardware devices 4 should be that electrical connection and the electromigration that does not need just to finish external hardware devices 4 to personal computer enforcement dismounting removes.First embodiment of the invention, described is USB (universal serial bus) Universal Serial Bus interface for the interface that is electrically connected described external hardware devices 4, it is USB interface, thereby consider most applicable cases, the external hardware devices 4 of first embodiment of the invention adopts the low capacity data storage device that possesses USB interface, the portable hard disk that namely possesses USB interface, the USB flash disk that just is commonly called as.Described method comprises the steps:

A. at described personal computer internal operating system enciphering/deciphering software is installed; In described external hardware devices 4, deposit key in; In the first embodiment of the invention, described key is corresponding one by one with the external hardware devices 4 of this key of storage, and namely the key of storage is unique in each external hardware devices 4.Described key deposits in the external hardware devices 4 externally hardware unit manufacturings in and finishes and carry out before dispatching from the factory.

B. at described personal computer internal operating system driver based on described external hardware devices is installed, thereby between the physical equipment of operating system bottom and incoming/outgoing management device, is set up the enciphering/deciphering driving function of a data filter net type.

First embodiment of the invention, as shown in Figure 2, described operating system from I/O management device 63 to being disposed with installable file system layer Installable File System 64, file system driver layer 65, device driver layer 66 and hardware extraction layer Hardware Abstraction Layer 67 between the physical equipment.Described installable file system layer Installable File System 64 is called for short IFS layer 64, and described hardware extraction layer Hardware Abstraction Layer 67 is called for short HAL layer 67.The enciphering/deciphering driving function 61 of described data filter net type is based upon between described installable file system layer IFS 64 and the described file system driver layer 65.Described I/O management device 63 and operating system kernel 62 interaction datas.Described enciphering/deciphering driving function is arranged on the bottom of operating system, and logarithm is executed filter net type factually and handled, and to not influence of operating system running, applies close, deciphering factually at data gateway logarithm, guarantees the reliability of data enciphering/deciphering process.In the first embodiment of the invention, as shown in Figure 2, described physical equipment comprises hard disk 12, external data storage device 5 and the external hardware devices 4 of personal computer.

C. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software is set according to the user, by the key that is stored in the described external hardware devices, in the data available storage space that operating system can detect, set up at least one enciphered data partition holding.

As depicted in figs. 1 and 2, the free memory that described operating system can detect not only comprises the idle storage space in the hard disk 12 of operating system place computing machine, the free memory that described operating system can detect comprises the free memory from personal computer hard disk 12, from the free memory that is connected electrically in the external data storage device 5 on the personal computer, from the free memory of described external hardware devices 4.First embodiment of the invention, described enciphered data partition holding is based upon the free memory of the hard disk 12 of personal computer.

Described external data storage device 5 is the external data storage devices that are independent of described personal computer, can be connected electrically on the described personal computer by the interface of this personal computer, and also can power on from described personal computer removes.

Through above-mentioned steps C, make each enciphered data partition holding mutual by following condition implementation data,

K1. when external hardware devices 4 was not electrically connected with described personal computer, described enciphering/deciphering software did not load described enciphered data partition holding, and namely operating system can not detect described enciphered data partition holding; This moment, the enciphered data partition holding was in hidden state;

K2. when external hardware devices 4 and described personal computer set up be electrically connected after, the enciphered data partition holding carry that described enciphering/deciphering software will be set up according to the keys of storage in this external hardware devices 4 is in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And during from described enciphered data partition holding sense data, described enciphering/deciphering driving function is implemented deciphering by key to sense data; When writing data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key;

The present invention allows to exist and uses the situation of setting up the enciphered data partition holding from the different keys of different external hardware devices 4 respectively separately in the personal computer, in such cases, be electrically connected an external hardware devices 4 and can only make the enciphered data partition holding carry of setting up with the key of storage in this external hardware devices 4 in the incoming/outgoing management device, and the enciphered data partition holding of setting up with the key of storage in other external hardware devices 4 still is in hidden state.Just the enciphered data partition holding is corresponding with the key of setting up this enciphered data partition holding institute foundation.

Above-mentioned condition has realized the isolation of key and enciphered data, key is stored in the external hardware devices 4, enciphered data is stored in the enciphered data partition holding, except the user of external hardware devices 4, other people are difficult to obtain simultaneously key and enciphered data, the possibility of giving away secrets is dropped to minimum, make enciphered data safer.Above-mentioned condition has realized the isolation of general data and enciphered data simultaneously, generally, except the user of external hardware devices 4, other people can't see the enciphered data partition holding from the operating system of personal computer, just do not know to have enciphered data to exist yet, avoid other people to produce the motivation of stealing secret information.Further strengthened the security of enciphered data.The isolation of general data and enciphered data also makes virus and trojan horse program be difficult to invade the enciphered data partition holding, makes enciphered data possess the ability of anti-virus and opposing trojan horse program.

First embodiment of the invention as shown in Figure 3, has embodied the idiographic flow in implementing the enciphering/deciphering process between user thread 710, PC operating system thread 720 and the external hardware devices thread 730.

711 users are electrically connected to personal computer with external hardware devices 4 by flow process; Flow process 731, external hardware devices 4 is carried out device authentication with personal computer, and through verification process, flow process 732 has been passed through device authentication, and personal computer reads the key in the external hardware devices; When having the enciphered data partition holding of setting up according to this key in the data available storage space that operating system can detect, flow process 721 is just opened described enciphered data partition holding, operating system can detect described enciphered data partition holding, just with enciphered data partition holding carry on operating system.As mentioned above, first embodiment of the invention is based upon the enciphered data partition holding in the hard disk of personal computer.Said process is finished with the key in the external hardware devices 4 and is loaded enciphered data partition holding process.

During file in the user need open the enciphered data partition holding, it is flow process 712, during from described enciphered data partition holding sense data, by flow process 722, operating system reads encrypt data from the enciphered data partition holding in the hard disk, and when data during by described enciphering/deciphering driving function, this function is implemented deciphering by key to the encrypt data of reading, in flow process 723, operating system is shown to the user with the plaintext document in the enciphered data partition holding subsequently.Said process is finished the process that reads to the enciphered data partition holding.

When the user need be saved to the enciphered data partition holding with file, it is flow process 713, when writing data to described enciphered data partition holding, by flow process 724, operating system is stored in the enciphered data partition holding in this hard disk after with file encryption, when data during by described enciphering/deciphering driving function, described enciphering/deciphering driving function is implemented to encrypt to the file data that writes by key, subsequently in flow process 725, operating system shows to preserve to the user to be finished, and namely can see the described file that is saved at the enciphered data partition holding.Said process is finished the ablation process to the enciphered data partition holding.

When the user powers on external hardware devices 4 when removing from personal computer, be that flow process 714 is pulled up external hardware devices 4 from personal computer, operating system is obtained the information that external hardware devices 4 is pulled up, just unload described enciphered data partition holding, finish flow process 726, namely at I/O management device unloading enciphered data partition holding, flow process 727 subsequently, operating system reflects the unloading of enciphered data partition holding to the user, and namely operating system can not detect the enciphered data partition holding.

Little owing to take up room, portable, a lot of users are kept at information and the file that individual demand is maintained secrecy in the external data storage device 5, namely externally set up the enciphered data partition holding in the data storage device 5, and described external data storage device 5 adopts USB flash disk mostly.But carrying 5 two hardware of external hardware devices 4 and external data storage device makes the user feel inconvenience easily, thereby second embodiment of the invention unites two into one external hardware devices 4 and external data storage device 5, namely externally set up the enciphered data partition holding in the hardware unit 4, described external hardware devices 4 is exactly the external data storage device that is used for finishing the data storage outside personal computer.。As shown in Figure 4, externally set up under the enciphered data partition holding situation idiographic flow between user thread 810, PC operating system thread 820 and the external hardware devices thread 830 in implementing the enciphering/deciphering process in the hardware unit 4.

811 users are electrically connected to personal computer with external hardware devices 4 by flow process; Flow process 831, external hardware devices 4 is carried out device authentication with personal computer, and through verification process, flow process 832 has been passed through device authentication, and personal computer reads the key in the external hardware devices; When having the enciphered data partition holding of setting up according to this key in the data available storage space that operating system can detect, flow process 821 is just opened described enciphered data partition holding, operating system can detect described enciphered data partition holding, just with enciphered data partition holding carry on operating system.As mentioned above, second embodiment of the invention is based upon the enciphered data partition holding in the external hardware devices 4.Said process is finished with the key in the external hardware devices 4 and load enciphered data partition holding process in this external hardware devices 4.

During file in the user need open the enciphered data partition holding, it is flow process 812, during from described enciphered data partition holding sense data, by flow process 833, operating system reads encrypt data from the enciphered data partition holding in the external hardware devices, and when data during by described enciphering/deciphering driving function, this function is implemented deciphering by key to the encrypt data of reading, in flow process 823, operating system is shown to the user with the plaintext document in the enciphered data partition holding subsequently.Said process is finished the process that reads to the enciphered data partition holding.

When the user need be saved to the enciphered data partition holding with file, it is flow process 813, when writing data to described enciphered data partition holding, by flow process 824, operating system is stored in the enciphered data partition holding in the external hardware devices after with file encryption, when data during by described enciphering/deciphering driving function, described enciphering/deciphering driving function is implemented to encrypt to the file data that writes by key, subsequently in flow process 825, operating system shows to preserve to the user to be finished, and namely can see the described file that is saved at the enciphered data partition holding.Said process is finished the ablation process to the enciphered data partition holding.

When the user powers on external hardware devices 4 when removing from personal computer, be that flow process 814 is pulled up external hardware devices 4 from personal computer, described enciphering/deciphering software obtains the information that external hardware devices 4 is pulled up, just unload described enciphered data partition holding, finish flow process 826, namely at I/O management device unloading enciphered data partition holding, flow process 827 subsequently, operating system reflects the unloading of enciphered data partition holding to the user, and namely operating system can not detect the enciphered data partition holding.

As mentioned above, the described external hardware devices 4 of pulling up is that the hardware that electromigration removes disconnects connection procedure, can replace described hardware fully and disconnect connection procedure and disconnect process from the software that operating system removes external hardware devices 4, namely use to remove external hardware devices 4 from operating system and replace and pull up external hardware devices 4 and can replace.

The present invention also proposes further to guarantee by the connection password method of data security on the key basis, described step C also comprises step by step following,

Said method has also increased the password differentiation except key is differentiated in the enciphered data partition holding connects process, both must all verify by loading the enciphered data partition holding in operating system.

Above-mentioned connection password is to encrypt partition holding the connection password is set at each, and namely described connection password is corresponding with each encryption partition holding, is used for screening the encryption partition holding.By above-mentioned steps C of the present invention, obviously can set up a plurality of enciphered data partition holdings based on a key, operation to the enciphered data partition holding of setting up based on this key can be finished with the external hardware devices 4 that has a key, operation to the enciphered data partition holding of setting up based on another key can be finished with the external hardware devices 4 that has another key.Just can not operate all enciphered data partition holdings by external hardware devices 4, can only operate the enciphered data partition holding of setting up based on a key.Above-mentioned steps C1 can carry out password respectively to each the enciphered data partition holding based on same key again and screen.Be equivalent to before opening the enciphered data partition holding, add " little lock " at the enciphered data partition holding, and to add before at all " little locks " be representative " locking greatly " together with the key.Open " big lock " and also need open " little lock " at different enciphered data partition holdings afterwards, could really open corresponding enciphered data partition holding.

The present invention also proposes to screen user's the method for further guaranteeing data security with connecting password, and described step C also comprises step by step following,

The connection code surface of above-mentioned steps C2 is based on key and connects password, and what in fact finish is examination to user identity, has only key correct, and user identity is correct, could operate corresponding enciphered data partition holding.Be equivalent to before loading the enciphered data partition holding, be provided with " door lock " with two " keyholes ", have only the key in the twice " keyhole " correct, could open " door lock ".

The present invention also proposes further to guarantee by the data file password method of data security on the key basis, step C also comprises step by step following,

Said method also is that the encrypt file in the enciphered data partition holding is implemented cryptoguard on the basis of enciphered data partition holding, for each file in the enciphered data partition holding has increased " lock " together, further guarantees enciphered data safety.

So, above-mentioned steps C1 is combined with step C3, step C also comprises step by step following,

K24. when external hardware devices and described personal computer set up be electrically connected after, have only the enciphered data partition holding of setting up according to the key of storing in this external hardware devices to exist, simultaneously, the user inputs under the password situation consistent with the connection password of setting for this enciphered data partition holding, described enciphering/deciphering software just with described enciphered data partition holding carry in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And when writing file data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key, and writes data file password by user's input of data setting for this; When reading file data from described enciphered data partition holding, input immediately under the password situation consistent with the data file password of reading the file data setting for this user, described enciphering/deciphering driving function is implemented deciphering by key to sense data;

Above-mentioned steps C2 can also be combined with step C3, step C also comprises step by step following,

Prior art is for the personal information of specific function demand; information such as account number, password, web site collection commonly used, memo for example; in order to realize encipherment protection; need create a file; the described personal information of record in this document; and then file encryption handled, operate very inconveniently, and be not easy to the user and browse.The present invention is head it off, and described method also comprises the steps,

D1. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software directly is kept at the information of the need to be keep secret of user input in the data available storage space that operating system can detect.The information of the need to be keep secret of described user input is exactly the personal information of specific function demand, information such as account number, password, web site collection commonly used, memo for example, and they are the directly information of input of user, but not the information of preserving into document form.

The free memory that the described operating system of step D1 can detect comprises the free memory from the personal computer hard disk, from the free memory that is connected electrically in the external data storage device on the personal computer, and from the free memory of described external hardware devices.

Especially, because the enciphered data partition holding is that operating system can detect when externally hardware unit inserts personal computer, the described operating system of the step D1 free memory that can detect comprises the enciphered data partition holding from the personal computer hard disk so, from the enciphered data partition holding that is connected electrically in the external data storage device on the personal computer, and from the enciphered data partition holding of described external hardware devices, thereby further guarantee Information Security

Particularly, at the enciphering/deciphering software interface simple information is set and encrypts storage area, the user is as long as just can be kept at these information on the enciphered data partition holding in the operation of enciphering/deciphering software interface.Described enciphering/deciphering software interface can arrange account encrypted area, password encryption district and/or collection etc. and be convenient to the user and just can operate realization directly to the personal information encipherment protection on the enciphering/deciphering software interface.

Preserve the different angle in position from information, described method also comprises following realization to the step D2 of the information encryption storage of the need to be keep secret of user's input,

The storage space of the information of the need to be keep secret that is used for storage key and user's input of described external hardware devices is that the operating system of personal computer can't correctly be read and write wherein data and enciphering/deciphering software can correctly be read and write the wherein storage space of data.The operating system of personal computer can't correctly read and write wherein data and enciphering/deciphering software can correctly be read and write wherein that the meaning of the storage space of data has described in detail at preamble, repeats no more herein.Here the storage space with the information storage of the need to be keep secret of key and user input makes operating system not detect, and with improving the disguise of information of the need to be keep secret of key and user input, makes their security higher.

E. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software to user's data designated storage space, forms the encrypted backup data with secret key encryption ground back-up storage; When needs recover described encrypted backup data, described external hardware devices is electrically connected described personal computer, described enciphering/deciphering software recovers being used in the storage space of storage key of external hardware devices with the encrypted backup data.

The present invention also proposes based on the data backup of step D1 and recovering step E2,

In like manner, the present invention also proposes based on the data backup of step D2 and recovering step E3,

Above-mentioned steps E1, E2 and E3 are mainly used in preventing that the loss because of external hardware devices from causing loses key, thereby described cryptographically backup should be the simple encryption backup, and preferably are not based on the encryption of backup keys, for example only get final product with simple password encryption.Because, the recovery of encrypted backup data is the remedial measuress of losing external hardware devices, so under the convention, the position of recovering should be the storage space that is used for storage key on the new external hardware devices, the encrypted backup data can also be returned to data available storage space user's appointment, that operating system can detect certainly and comprise the enciphered data partition holding of setting up according to the key of storing in the described external hardware devices.

Particularly, for step e 2 and E3, the content of described backup is the information that the user is saved in the need to be keep secret of the user's input in the external hardware devices, be the information of described user's particular demands function, for example account number, password, web site collection commonly used, memo etc., and the information such as password set of the encryption key in this External memory equipment, user.

From improving the concealed angle of key, the storage space that is used for storage key of external hardware devices is that the operating system of personal computer can't correctly be read and write wherein data and enciphering/deciphering software can correctly be read and write the wherein storage space of data.The operating system of personal computer can't correctly read and write wherein data and enciphering/deciphering software can correctly be read and write wherein that the meaning of the storage space of data has described in detail at preamble, repeats no more herein.

The storage space of the described encrypted backup data of the back-up storage of described user's appointment comprises the storage space from the personal computer hard disk, from the storage space that is connected electrically in the external data storage device on the personal computer, from the storage space of described external hardware devices, and from the network storage space of internet or LAN (Local Area Network).That is to say that the user not only can backup to the encrypted backup data on the carry-on memory storage of individual, the encrypted backup data can also be backuped on the based on network storage space, for example in the E-mail address.

Claims

1. set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer for one kind, based on personal computer, and be independent of outside this personal computer, have an external hardware devices of storage capacity; Described personal computer comprises main frame, input equipment and output device, is provided with central processor CPU in the described main frame, and the hard disk that is stored with operating system and data; Described external hardware devices can be connected electrically on this personal computer by the interface of personal computer, and also can power on from described personal computer removes; It is characterized in that described method comprises the steps:

K2. when external hardware devices and described personal computer set up be electrically connected after, the enciphered data partition holding carry that described enciphering/deciphering software will be set up according to the key stored in this external hardware devices is in the incoming/outgoing management device, even operating system can detect described enciphered data partition holding; And during from described enciphered data partition holding sense data, described enciphering/deciphering driving function is implemented deciphering by key to sense data; When writing data to described enciphered data partition holding, described enciphering/deciphering driving function is implemented to encrypt to writing data by key;

2. according to claim 1ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

The described key of steps A is corresponding one by one with the external hardware devices of this key of storage, i.e. each external hardware devices internal memory

The key of storage is unique.

3. according to claim 1ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

The free memory that the described operating system of step C can detect comprises the free memory from the personal computer hard disk, from the free memory that is connected electrically in the external data storage device on the personal computer, and from the free memory of described external hardware devices;

Described external data storage device is the external data storage device that is independent of described personal computer, can be connected electrically on the described personal computer by the interface of this personal computer, and also can power on from described personal computer removes.

4. according to claim 1ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

5. according to claim 1ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

Step C also comprises step by step following,

6. according to claim 1ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

Also comprise the steps,

7. according to claim 1ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

Also comprise the steps,

8. according to claim 1ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

Also comprise the steps E1,

E1. be electrically connected under the situation of described personal computer in described external hardware devices, described enciphering/deciphering software to user's data designated storage space, forms the encrypted backup data with secret key encryption ground back-up storage; When needs recover described encrypted backup data, described external hardware devices is electrically connected described personal computer, described enciphering/deciphering software is by the encrypted backup data being returned to being used in the storage space of storage key of external hardware devices.

9. according to claim 6ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

Also comprise the steps E2,

10. according to claim 7ly set up the method for enciphering/deciphering storage space by the peripheral hardware key of personal computer, it is characterized in that:

Also comprise the steps E3,