CN104580181A - Device and method for data encryption and encryption accelerator engine - Google Patents


Info

Publication number: CN104580181A
Authority: CN (China)
Prior art keywords: data, encryption, key, accelerating engine, sas
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201410834853.5A
Other languages: Chinese (zh)
Inventor: 蒋世建
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN201410834853.5A; publication of CN104580181A; legal status pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2121 Chip on media, e.g. a disk or tape with a chip embedded in its case
    • G06F2221/2153 Using hardware token as a secondary aspect

Abstract

The invention discloses a method and a device for data encryption and an encryption accelerator engine, in the field of information technology, and makes data encryption possible. The method comprises the following steps: the encryption accelerator engine first receives, through an SAS interface, I/O data sent by an encryption device; it then encrypts the I/O data in accordance with the SAS protocol; finally, it sends the encrypted I/O data back to the encryption device through the SAS interface. The method, the device and the encryption accelerator engine are applicable to encrypting or decrypting I/O data.

Description

Method and device for data encryption, and encryption accelerator engine
Technical field
The present invention relates to the field of information technology, and in particular to a method and a device for data encryption and an encryption accelerator engine.
Background technology
With the development of encryption technology, more and more organizations, devices and systems need to encrypt data in order to keep it secure. For example, internet e-commerce, mobile phone networks and automatic teller machines all need to protect their data by encryption.
At present, one method of encrypting data uses a Peripheral Component Interconnect Express (PCIe) encryption card: the PCIe encryption card first receives, through a PCIe interface, the input/output (I/O) data sent by a controller, then encrypts this I/O data to obtain encrypted I/O data, and finally sends the encrypted I/O data back to the controller.
However, when the I/O exchange between the controller and the encryption card is implemented with a PCIe encryption card, the encryption device has only a small number of PCIe interfaces, and other plug-in cards with other functions (for example sound cards and network interface cards) also need PCIe interfaces to exchange data with the encryption device. As a result, the encryption device may have no PCIe interface left for exchanging data with the PCIe encryption card, and the data cannot be encrypted.
Summary of the invention
The invention provides a method and a device for data encryption and an encryption accelerator engine, so that data can be encrypted.
The technical solution adopted by the present invention is as follows:
In a first aspect, the invention provides a method of encrypting data. The method is applied in a data encryption system that comprises an encryption accelerator engine and an encryption device, where the encryption accelerator engine and the encryption device exchange data through a Serial Attached SCSI (SAS) interface. The method comprises:
the encryption accelerator engine receiving, through the SAS interface, input/output (I/O) data sent by the encryption device;
the encryption accelerator engine encrypting the I/O data in accordance with the SAS protocol; and
the encryption accelerator engine sending the encrypted I/O data to the encryption device through the SAS interface.
With reference to the first aspect, in a first possible implementation of the first aspect, the method further comprises:
the encryption accelerator engine receiving, through the SAS interface, second I/O data sent by the encryption device, the second I/O data being I/O data that has already been encrypted;
the encryption accelerator engine decrypting the second I/O data in accordance with the SAS protocol; and
the encryption accelerator engine sending the decrypted second I/O data to the encryption device through the SAS interface.
With reference to the first aspect, in a second possible implementation of the first aspect, before the step of the encryption accelerator engine receiving, through the SAS interface, the I/O data sent by the encryption device, the method further comprises:
the encryption accelerator engine receiving, through the SAS interface, each key sent by the encryption device; and
the encryption accelerator engine generating a key identifier for each key, each key identifier being the identifier corresponding to the respective key.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further comprises:
the encryption accelerator engine configuring the correspondence between each logical unit number (LUN) identifier and each key identifier.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the I/O data carries a LUN identifier;
after the step of the encryption accelerator engine receiving, through the SAS interface, the I/O data sent by the encryption device, the method further comprises:
the encryption accelerator engine determining, from the correspondence between each LUN identifier and each key identifier, the key identifier corresponding to the LUN identifier; and
the encryption accelerator engine obtaining the key corresponding to that key identifier;
and the step of the encryption accelerator engine encrypting the I/O data in accordance with the SAS protocol specifically comprises:
the encryption accelerator engine encrypting the I/O data in accordance with the SAS protocol and the key.
In a second aspect, the invention provides a device for encrypting data. The device is applied in a data encryption system that comprises an encryption accelerator engine and an encryption device, where the encryption accelerator engine and the encryption device exchange data through a Serial Attached SCSI (SAS) interface. The device comprises:
a receiving unit, configured to receive, through the SAS interface, input/output (I/O) data sent by the encryption device;
an encryption unit, configured to encrypt, in accordance with the SAS protocol, the I/O data received by the receiving unit; and
a sending unit, configured to send the I/O data encrypted by the encryption unit to the encryption device through the SAS interface.
With reference to the second aspect, in a first possible implementation of the second aspect:
the receiving unit is further configured to receive, through the SAS interface, second I/O data sent by the encryption device, the second I/O data being I/O data that has already been encrypted;
the device further comprises a decryption unit;
the decryption unit is configured to decrypt, in accordance with the SAS protocol, the second I/O data received by the receiving unit; and
the sending unit is further configured to send the second I/O data decrypted by the decryption unit to the encryption device through the SAS interface.
With reference to the second aspect, in a second possible implementation of the second aspect:
the receiving unit is further configured to receive, through the SAS interface, each key sent by the encryption device;
the device further comprises a generation unit; and
the generation unit is configured to generate, from each key received by the receiving unit, a key identifier for each key, each key identifier being the identifier corresponding to the respective key.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the device further comprises a configuration unit;
the configuration unit is configured to configure the correspondence between each logical unit number (LUN) identifier and each key identifier generated by the generation unit.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the I/O data received by the receiving unit carries a LUN identifier;
the device further comprises a determining unit and an acquiring unit;
the determining unit is configured to determine, from the correspondence between each LUN identifier and each key identifier configured by the configuration unit, the key identifier corresponding to the LUN identifier;
the acquiring unit is configured to obtain the key corresponding to that key identifier; and
the encryption unit is specifically configured to encrypt the I/O data in accordance with the SAS protocol and the key obtained by the acquiring unit.
In a third aspect, the invention provides an encryption accelerator engine. The encryption accelerator engine is arranged in a data encryption system that comprises the encryption accelerator engine and an encryption device, where the encryption accelerator engine and the encryption device exchange data through a Serial Attached SCSI (SAS) interface. The encryption accelerator engine comprises:
a receiver, configured to receive, through the SAS interface, input/output (I/O) data sent by the encryption device;
a processor, configured to encrypt, in accordance with the SAS protocol, the I/O data received by the receiver; and
a transmitter, configured to send the I/O data processed by the processor to the encryption device through the SAS interface.
With reference to the third aspect, in a first possible implementation of the third aspect:
the receiver is further configured to receive, through the SAS interface, second I/O data sent by the encryption device, the second I/O data being I/O data that has already been encrypted;
the processor is further configured to decrypt, in accordance with the SAS protocol, the second I/O data received by the receiver; and
the transmitter is further configured to send the second I/O data decrypted by the processor to the encryption device through the SAS interface.
With reference to the third aspect, in a second possible implementation of the third aspect:
the receiver is further configured to receive, through the SAS interface, each key sent by the encryption device; and
the processor is further configured to generate, from each key received by the receiver, a key identifier for each key, each key identifier being the identifier corresponding to the respective key.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect:
the processor is further configured to configure the correspondence between each logical unit number (LUN) identifier and each key identifier.
With reference to the third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the I/O data received by the receiver carries a LUN identifier;
the processor is configured to determine, from the correspondence between each LUN identifier and each key identifier, the key identifier corresponding to the LUN identifier;
the processor is further configured to obtain the key corresponding to that key identifier; and
the processor is specifically configured to encrypt the I/O data in accordance with the SAS protocol and the key.
The method and device for encrypting data and the encryption accelerator engine provided by the invention are applied in a data encryption system that comprises an encryption accelerator engine and an encryption device exchanging data through an SAS interface. The encryption accelerator engine first receives, through the SAS interface, the I/O data sent by the encryption device, then encrypts the I/O data in accordance with the SAS protocol, and finally sends the encrypted I/O data to the encryption device through the SAS interface. Compared with the current approach, in which a PCIe encryption card handles the I/O exchange between the controller and the encryption card, in the present invention the encryption device sends the I/O data through an SAS interface, the encryption accelerator engine encrypts it, and the encrypted data is returned to the encryption device through the SAS interface; that is, the encryption device exchanges data with the encryption accelerator engine over SAS. Because an encryption device is provided with ample SAS interfaces, and the number of SAS interfaces in an encryption device can be expanded as required, the encryption device always has an SAS interface available for exchanging data with the encryption accelerator engine, and the data can therefore be encrypted.
Brief description of the drawings
To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed for describing the invention or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the data encryption system in an embodiment of the present invention;
Fig. 2 is a flowchart of a method of encrypting data in an embodiment of the present invention;
Fig. 3 is a flowchart of another method of encrypting data in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a device for encrypting data in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another device for encrypting data in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an encryption accelerator engine in an embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
The technical solution provided by the invention can be applied in a data encryption system that comprises an encryption accelerator engine and an encryption device, as shown in Figure 1. The encryption accelerator engine and the encryption device exchange data through a Serial Attached SCSI (SAS) interface.
An embodiment of the present invention provides a method of encrypting data that makes data encryption possible. As shown in Figure 2, the method comprises:
201. The encryption accelerator engine receives, through the SAS interface, the I/O data sent by the encryption device.
In this embodiment, the encryption accelerator engine is connected to the encryption device through the SAS interface. The encryption accelerator engine may be used to encrypt I/O data or to decrypt encrypted I/O data.
In this embodiment, SAS is the Serial Attached SCSI interface. Like the currently popular Serial Advanced Technology Attachment (SATA) hard disk interface technology, it uses serial signalling to obtain a higher transfer rate and saves internal space by using shorter connecting cables. SAS is the new interface developed after the parallel Small Computer System Interface (SCSI).
202. The encryption accelerator engine encrypts the I/O data in accordance with the SAS protocol.
In this embodiment, the SAS protocol is the interface protocol of the encryption accelerator engine; both key exchange and data exchange use the SAS protocol as the bearer-layer protocol. The SAS protocol defines many different transport protocols that can be used to exchange information between different SCSI devices.
In this embodiment, the I/O data is the input/output data that needs to be encrypted. Encryption processes the I/O data according to a certain algorithm so that it becomes an unreadable string of code, which guarantees the security of the I/O data.
203. The encryption accelerator engine sends the encrypted I/O data to the encryption device through the SAS interface.
In this embodiment, when the encryption accelerator engine finishes encrypting the I/O data, the I/O data has been turned into unreadable code; the encryption accelerator engine sends the encrypted I/O data to the encryption device so that the encrypted I/O data continues along the original I/O flow.
In this embodiment, the encryption device may be a host server, a disk array controller, and the like. Note that any other encryption device able to exchange data with the encryption accelerator engine through an SAS interface is also applicable to this embodiment.
For example, the encryption accelerator engine may be installed in a host server through an SAS interface, and the encryption accelerator engine and the host server then exchange data through that SAS interface.
The method of encrypting data provided by this embodiment is applied in a data encryption system that comprises an encryption accelerator engine and an encryption device exchanging data through an SAS interface. The encryption accelerator engine first receives, through the SAS interface, the I/O data sent by the encryption device, then encrypts the I/O data in accordance with the SAS protocol, and finally sends the encrypted I/O data to the encryption device through the SAS interface. Compared with the current approach, in which a PCIe encryption card handles the I/O exchange between the controller and the encryption card, in this embodiment the encryption device sends the I/O data through an SAS interface, the encryption accelerator engine encrypts it, and the encrypted data is returned to the encryption device through the SAS interface; that is, the encryption device exchanges data with the encryption accelerator engine over SAS. Because an encryption device is provided with ample SAS interfaces, and the number of SAS interfaces in an encryption device can be expanded as required, the encryption device always has an SAS interface available for exchanging data with the encryption accelerator engine, and the data can therefore be encrypted.
Building on the method shown in Figure 2, an embodiment of the present invention provides another method of encrypting data. As shown in Figure 3, the method comprises:
301. The encryption accelerator engine receives, through the SAS interface, each key sent by the encryption device.
In this embodiment, the encryption accelerator engine is connected to the encryption device through the SAS interface. The encryption accelerator engine may be used to encrypt I/O data or to decrypt encrypted I/O data.
In this embodiment, SAS is the Serial Attached SCSI interface. Like the currently popular Serial Advanced Technology Attachment (SATA) hard disk interface technology, it uses serial signalling to obtain a higher transfer rate and saves internal space by using shorter connecting cables. SAS is the new interface developed after the parallel Small Computer System Interface (SCSI).
In this embodiment, the I/O data in the encryption device carries a logical unit number (LUN) identifier. The encryption device comprises an encryption acceleration driver software module. According to the LUN identifier carried in the I/O data, the encryption acceleration driver software module sends a request message to the key management server over the key management protocol; the request message is used by the encryption acceleration driver software to apply to the key management server for the key corresponding to that LUN identifier.
In this embodiment, when the encryption device creates a LUN, a parameter is added to the LUN that indicates whether the LUN needs encryption. The LUN has an attribute table that stores the encryption attributes of the LUN.
In this embodiment, the encryption device first detects the LUN identifier carried in the I/O data, then queries whether a corresponding first key identifier exists for that LUN identifier, and so determines whether the I/O data needs to be encrypted. Specifically, if no first key identifier corresponding to the LUN identifier carried in the I/O data exists in the encryption device, the I/O data does not need to be encrypted; if such a first key identifier exists in the encryption device, the I/O data needs to be encrypted.
In this embodiment, when the encryption device powers on, that is, when the encryption acceleration driver software module powers on, the encryption acceleration driver software obtains from the encryption accelerator engine card the first key identifier corresponding to each LUN identifier. Using the LUN identifier carried in the I/O data and the correspondence between the LUN identifiers and the first key identifiers, the key identifier corresponding to the LUN identifier can be determined, the corresponding key can be obtained from the key management server, and the obtained key is sent to the encryption accelerator engine through the SAS interface; the encryption accelerator engine thus obtains the key, and the data can be encrypted.
302. The encryption accelerator engine generates a key identifier for each key.
Each key identifier is the identifier corresponding to the respective key.
In this embodiment, the encryption accelerator engine may comprise a key subsystem and a symmetric encryption module. The encryption device sends multiple keys to the encryption accelerator engine through the SAS interface; the key subsystem in the encryption accelerator engine first receives the keys sent by the encryption device, then generates a respective key identifier for each key. The key identifiers serve to distinguish different keys.
Optionally, after step 302 the method may further comprise: the encryption accelerator engine configuring the correspondence between each LUN identifier and each key identifier.
303. The encryption accelerator engine receives, through the SAS interface, the I/O data sent by the encryption device.
In this embodiment, the key management subsystem in the encryption accelerator engine first receives, through the SAS interface, the multiple keys sent by the encryption device; the symmetric encryption module in the encryption accelerator engine then receives, through the SAS interface, the I/O data sent by the encryption device.
In this embodiment, the encryption device may be a host server, a disk array controller, and the like. Note that any other encryption device able to exchange data with the encryption accelerator engine through an SAS interface is also applicable to this embodiment.
304. The encryption accelerator engine determines, from the correspondence between each LUN identifier and each key identifier, the key identifier corresponding to the LUN identifier.
The I/O data carries the LUN identifier.
305. The encryption accelerator engine obtains the key corresponding to the key identifier.
In this embodiment, the symmetric encryption module in the encryption accelerator engine receives the I/O data, determines from the correspondence between each LUN identifier and each key identifier the key identifier corresponding to this I/O data, and obtains the key corresponding to this I/O data from the key subsystem in the encryption accelerator engine.
306. The encryption accelerator engine encrypts the I/O data in accordance with the SAS protocol and the key.
In this embodiment, the SAS protocol standard is the interface protocol of the encryption accelerator engine; both key exchange and data exchange use SAS as the bearer-layer protocol. The SAS protocol defines many different transport protocols that can be used to exchange information between different SCSI devices.
In this embodiment, from the LUN identifier carried in the I/O data and the correspondence between each LUN identifier and each key identifier, the encryption accelerator engine can determine the key identifier corresponding to this I/O data and obtain the key corresponding to that key identifier; that is, the symmetric encryption module in the encryption accelerator engine obtains the key corresponding to this I/O data, and the data can then be encrypted.
307. The encryption accelerator engine sends the encrypted I/O data to the encryption device through the SAS interface.
In this embodiment, after the encryption accelerator engine encrypts the I/O data, the I/O data has become unreadable ciphertext. By encrypting the I/O data into a section of unreadable ciphertext and sending that ciphertext to the encryption device, the encryption accelerator engine prevents the I/O data from being read by arbitrary parties, which improves the security of the I/O data.
In this embodiment, the encryption accelerator engine may also first receive, through the SAS interface, second I/O data sent by the encryption device, then decrypt the second I/O data in accordance with the SAS protocol, and finally send the decrypted second I/O data to the encryption device through the SAS interface. The second I/O data is I/O data that has already been encrypted.
Note that the encryption operations described above between the encryption accelerator engine and the encryption device apply equally to decrypting encrypted I/O data.
In this embodiment, using the decryption key corresponding to the encrypted I/O data, the encryption accelerator engine can decrypt the encrypted I/O data, that is, convert a section of unreadable ciphertext back into readable information, so that only an encryption device holding the decryption key can read the I/O data; this further improves the security of the I/O data.
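The flow of steps 301 to 307 (and the simpler 201 to 203 flow above), carried through as an added Python simulation of the accelerator-engine side; this is example code written for this page, not code from the patent or from Huawei. It assumes a block address on each I/O request and a truncated-hash key identifier, and substitutes an HMAC-SHA256 counter-mode keystream for the patent's unnamed symmetric cipher so that it runs with the standard library only.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class IoData:
    """One I/O request as exchanged over the (simulated) SAS interface.

    The LUN identifier is what the patent says the I/O data carries; the
    block address is an assumption added here so that the keystream differs
    per location on a LUN.
    """
    lun_id: int
    block_addr: int
    payload: bytes
    encrypted: bool = False


class EncryptionAcceleratorEngine:
    """Accelerator-engine side of steps 301 to 307 (key subsystem plus
    symmetric encryption module), simulated in one class."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}          # key identifier -> key
        self._lun_to_key_id: Dict[int, str] = {}   # LUN identifier -> key identifier

    def receive_keys(self, keys: List[bytes]) -> List[str]:
        """Steps 301 and 302: take each key sent by the encryption device and
        generate one key identifier per key.  The identifier is a truncated
        hash of the key (an assumption; the patent only requires that the
        identifiers distinguish the keys), so later traffic refers to a key
        without carrying the key material itself."""
        key_ids = []
        for key in keys:
            key_id = hashlib.sha256(b"key-id:" + key).hexdigest()[:16]
            self._keys[key_id] = key
            key_ids.append(key_id)
        return key_ids

    def configure_lun(self, lun_id: int, key_id: str) -> None:
        """Optional step after 302: record the LUN -> key identifier mapping.
        Refuse identifiers the key subsystem has never seen."""
        if key_id not in self._keys:
            raise KeyError("unknown key identifier %r" % key_id)
        self._lun_to_key_id[lun_id] = key_id

    def handle_io(self, io: IoData) -> IoData:
        """Steps 303 to 307 for plaintext I/O data, and the mirrored path for
        'second I/O data' that arrives already encrypted and is decrypted."""
        key_id = self._lun_to_key_id.get(io.lun_id)
        if key_id is None:
            # No key identifier for this LUN: the patent treats such I/O data
            # as not requiring encryption, so it is returned unchanged.
            return io
        key = self._keys[key_id]
        stream = self._keystream(key, io.lun_id, io.block_addr, len(io.payload))
        out = bytes(p ^ s for p, s in zip(io.payload, stream))
        return IoData(io.lun_id, io.block_addr, out, encrypted=not io.encrypted)

    @staticmethod
    def _keystream(key: bytes, lun_id: int, block_addr: int, n: int) -> bytes:
        """Stand-in symmetric cipher: HMAC-SHA256 in counter mode, bound to
        the LUN and block address.  The patent does not name its algorithm;
        a production engine would use an approved block-cipher mode."""
        out = bytearray()
        counter = 0
        while len(out) < n:
            msg = struct.pack(">QQQ", lun_id, block_addr, counter)
            out += hmac.new(key, msg, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:n])


def demo() -> dict:
    """Run the whole flow on constructed sample input and return the results."""
    engine = EncryptionAcceleratorEngine()
    # Constructed sample keys, standing in for keys the encryption device
    # fetched from its key management server.
    key_ids = engine.receive_keys([b"\x11" * 32, b"\x22" * 32])
    engine.configure_lun(0, key_ids[0])
    engine.configure_lun(1, key_ids[1])
    # LUN 2 is deliberately left without a key identifier.

    plain = IoData(0, 4096, b"payroll record 0001")
    ct = engine.handle_io(plain)                              # encrypt
    back = engine.handle_io(ct)                               # decrypt second I/O data
    other = engine.handle_io(IoData(1, 4096, plain.payload))  # other LUN, other key
    passthrough = engine.handle_io(IoData(2, 4096, plain.payload))
    return {
        "key_ids": key_ids,
        "ciphertext": ct.payload,
        "ciphertext_flag": ct.encrypted,
        "roundtrip": back.payload,
        "other_lun_ciphertext": other.payload,
        "passthrough": passthrough.payload,
        "passthrough_flag": passthrough.encrypted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The keystream here only shows the per-LUN key routing; a deterministic keystream tied to a block address is reused whenever the same location is rewritten, which is why real disk encryption uses a tweakable block-cipher mode rather than a stream construction.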
The data encryption method provided by the embodiment of the present invention is applied to a data encryption system. The data encryption system comprises an encryption accelerator engine and an encryption device, and the encryption accelerator engine and the encryption device exchange data through a SAS interface. The encryption accelerator engine first receives, through the SAS interface, the I/O data sent by the encryption device, then encrypts the I/O data according to the SAS protocol, and finally sends the encrypted I/O data to the encryption device through the SAS interface. Compared with the current approach, in which I/O data is exchanged between a controller and a PCIe encryption card, in the embodiment of the present invention the encryption device sends the I/O data through the SAS interface, the encryption accelerator engine encrypts it, and the encrypted data is returned to the encryption device through the SAS interface; that is, the encryption device exchanges data with the encryption accelerator engine through the SAS interface. Because an encryption device is provided with a sufficient number of SAS interfaces, and the number of SAS interfaces provided can be expanded as required, the encryption device always has a SAS interface available for exchanging data with the encryption accelerator engine, so that data encryption can be realized.
Further, in the data encryption method provided by the embodiment of the present invention, the LUN identifier carried in the I/O data and the correspondence between the multiple LUN identifiers and the multiple first key identifiers are used to determine the key identifier corresponding to the LUN identifier; the corresponding key can be obtained from the key management server and sent to the encryption accelerator engine through the SAS interface, so that the key is obtained and data encryption can be realized. The encryption accelerator engine uses the LUN identifier carried in the I/O data and the correspondence between each LUN identifier and each key identifier to determine the key identifier corresponding to the I/O data and obtain the corresponding key; that is, the symmetric encryption module contained in the encryption accelerator engine obtains the key corresponding to the I/O data, so that the data can be encrypted. By encrypting the I/O data, the I/O data is converted into a section of unreadable ciphertext, which the encryption accelerator engine sends to the encryption device, so that the I/O data cannot be read by an arbitrary party and its security is improved. The encryption accelerator engine decrypts the encrypted I/O data using the decryption key corresponding to it; that is, it converts a section of unreadable ciphertext back into readable information, so that only an encryption device holding the decryption key can read the I/O data, which further improves the security of the I/O data.
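The key-receipt, key-identifier generation, LUN-to-key mapping, write-path encryption and read-path decryption steps described above, modelled end to end as an added example. This is not code from the patent or from Huawei. The patent names no cipher, no key-identifier format and no SAS framing, so the following are assumptions: the key identifier is the truncated SHA-256 of the key; the cipher is a counter-mode keystream from HMAC-SHA256, tweaked by LUN ID and logical block address, standing in for the unspecified hardware symmetric module; and an `IoRequest` dataclass stands in for the I/O data a SAS frame carries. The sample keys and sector contents are constructed.

```python
"""Per-LUN I/O encryption flow modelled on the patent's steps (added example, not patent code)."""
import hashlib
import hmac
from dataclasses import dataclass

KEY_ID_LEN = 8      # assumption: key identifiers are 8-byte values
BLOCK_SIZE = 512    # assumption: 512-byte SCSI logical blocks
_PRF_OUT = 32       # SHA-256 output length


@dataclass(frozen=True)
class IoRequest:
    """Stand-in (assumption) for the I/O data a SAS frame carries: LUN, LBA, payload."""
    lun_id: int
    lba: int
    data: bytes


class EncryptionAcceleratorEngine:
    """Models the engine: holds keys by key ID and a LUN-ID -> key-ID table."""

    def __init__(self):
        self._keys = {}        # key_id -> key
        self._lun_to_key = {}  # lun_id -> key_id

    def receive_keys(self, keys):
        """Claim 3: take each key sent by the encryption device and generate its key identifier.
        Assumption: key ID = truncated SHA-256 of the key. Acceptable only for full-entropy
        keys, since a low-entropy key could be recovered from its ID by brute force."""
        key_ids = []
        for key in keys:
            if len(key) < 32:
                raise ValueError("refusing key shorter than 256 bits")
            key_id = hashlib.sha256(key).digest()[:KEY_ID_LEN]
            self._keys[key_id] = key
            key_ids.append(key_id)
        return key_ids

    def configure_lun_map(self, lun_to_key_id):
        """Claim 4: configure the correspondence between LUN identifiers and key identifiers."""
        for lun_id, key_id in lun_to_key_id.items():
            if key_id not in self._keys:
                raise KeyError(f"unknown key id {key_id.hex()} for LUN {lun_id}")
            self._lun_to_key[lun_id] = key_id

    def _key_for_lun(self, lun_id):
        """Claim 5: LUN ID -> key ID -> key. Fails closed for an unmapped LUN so that
        plaintext is never handed back to the encryption device as if it were ciphertext."""
        key_id = self._lun_to_key.get(lun_id)
        if key_id is None:
            raise PermissionError(f"no key configured for LUN {lun_id}")
        return self._keys[key_id]

    def _transform(self, req):
        """Counter-mode keystream from HMAC-SHA256, tweaked by LUN ID, LBA and a block counter
        (assumption: stands in for the hardware symmetric module, e.g. AES-XTS).
        One routine serves both directions because this is a stream cipher."""
        key = self._key_for_lun(req.lun_id)
        if len(req.data) % BLOCK_SIZE:
            raise ValueError("I/O length must be a multiple of the logical block size")
        out = bytearray()
        for offset in range(0, len(req.data), BLOCK_SIZE):
            lba = req.lba + offset // BLOCK_SIZE
            keystream = b"".join(
                hmac.new(key, lba.to_bytes(8, "big") + req.lun_id.to_bytes(8, "big")
                         + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
                for ctr in range(BLOCK_SIZE // _PRF_OUT))
            out += bytes(p ^ k for p, k in zip(req.data[offset:offset + BLOCK_SIZE], keystream))
        return IoRequest(req.lun_id, req.lba, bytes(out))

    def encrypt_io(self, req):
        """Write path (step 307 above): plaintext I/O data in, ciphertext out."""
        return self._transform(req)

    def decrypt_io(self, req):
        """Read path (claim 2): 'second I/O data' that is already encrypted in, plaintext out."""
        return self._transform(req)


def demo():
    """Constructed sample run; returns the checks a practitioner would want to see."""
    engine = EncryptionAcceleratorEngine()
    key_a, key_b = bytes(range(32)), bytes(range(32, 64))   # constructed sample keys
    ids = engine.receive_keys([key_a, key_b])
    engine.configure_lun_map({0: ids[0], 1: ids[1]})
    sector = b"constructed sample record".ljust(BLOCK_SIZE, b"\0")
    plain = IoRequest(lun_id=0, lba=100, data=sector * 2)   # two identical sectors
    ct = engine.encrypt_io(plain)
    try:
        engine.encrypt_io(IoRequest(lun_id=7, lba=0, data=sector))
        unmapped_rejected = False
    except PermissionError:
        unmapped_rejected = True
    return {
        "key_id_len": len(ids[0]),
        "roundtrip_ok": engine.decrypt_io(ct).data == plain.data,
        "ciphertext_differs": ct.data != plain.data,
        "same_sector_differs_by_lba": ct.data[:BLOCK_SIZE] != ct.data[BLOCK_SIZE:],
        "lun_keys_differ": engine.encrypt_io(IoRequest(1, 100, sector * 2)).data != ct.data,
        "unmapped_lun_rejected": unmapped_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points the patent text leaves open are made explicit here. The keystream is tweaked by the LBA as well as the LUN ID, which is why two identical sectors on the same LUN produce different ciphertext; a production engine would get the same property from a tweakable block mode such as AES-XTS rather than from this HMAC stand-in. And an I/O request for a LUN with no configured key is rejected rather than passed through, since the patent does not say what the engine does in that case and silently returning plaintext would defeat the purpose of the design.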
Further, as an implementation of the methods shown in Fig. 2 and Fig. 3, the embodiment of the present invention also provides a data encryption device. The device may be located in the encryption accelerator engine; the encryption accelerator engine is located in a data encryption system that also comprises an encryption device, and the encryption accelerator engine and the encryption device exchange data through a SAS interface. The device is used to encrypt data and, as shown in Fig. 4, comprises: a receiving unit 41, an encryption unit 42 and a transmitting unit 43.
The receiving unit 41 is configured to receive, through the SAS interface, the I/O data sent by the encryption device.
The encryption unit 42 is configured to encrypt, according to the SAS protocol, the I/O data received by the receiving unit 41.
The transmitting unit 43 is configured to send, through the SAS interface, the I/O data encrypted by the encryption unit 42 to the encryption device.
The receiving unit 41 is further configured to receive, through the SAS interface, second I/O data sent by the encryption device, the second I/O data being I/O data that has already been encrypted.
Further, as shown in Fig. 5, the device also comprises a decryption unit 51.
The decryption unit 51 is configured to decrypt, according to the SAS protocol, the second I/O data received by the receiving unit 41.
The transmitting unit 43 is further configured to send, through the SAS interface, the second I/O data decrypted by the decryption unit 51 to the encryption device.
The receiving unit 41 is further configured to receive, through the SAS interface, each key sent by the encryption device.
Further, as shown in Fig. 5, the device also comprises a generation unit 52.
The generation unit 52 is configured to generate, according to each key received by the receiving unit 41, a respective key identifier.
Each key identifier is the identifier corresponding to the respective key.
Further, as shown in Fig. 5, the device also comprises a configuration unit 53.
The configuration unit 53 is configured to configure the correspondence between each logical unit number (LUN) identifier and each key identifier generated by the generation unit 52.
Further, as shown in Fig. 5, the device also comprises a determining unit 54 and an acquiring unit 55.
The determining unit 54 is configured to determine, according to the correspondence between each LUN identifier and each key identifier configured by the configuration unit 53, the key identifier corresponding to the LUN identifier.
The I/O data received by the receiving unit 41 carries the LUN identifier.
The acquiring unit 55 is configured to obtain the key corresponding to the key identifier determined by the determining unit 54.
The encryption unit 42 is specifically configured to encrypt the I/O data according to the SAS protocol and the key obtained by the acquiring unit 55.
The data encryption device provided by the embodiment of the present invention is applied to a data encryption system. The data encryption system comprises an encryption accelerator engine and an encryption device, and the encryption accelerator engine and the encryption device exchange data through a SAS interface. The encryption accelerator engine first receives, through the SAS interface, the I/O data sent by the encryption device, then encrypts the I/O data according to the SAS protocol, and finally sends the encrypted I/O data to the encryption device through the SAS interface. Compared with the current approach, in which I/O data is exchanged between a controller and a PCIe encryption card, in the embodiment of the present invention the encryption device sends the I/O data through the SAS interface, the encryption accelerator engine encrypts it, and the encrypted data is returned to the encryption device through the SAS interface; that is, the encryption device exchanges data with the encryption accelerator engine through the SAS interface. Because an encryption device is provided with a sufficient number of SAS interfaces, and the number of SAS interfaces provided can be expanded as required, the encryption device always has a SAS interface available for exchanging data with the encryption accelerator engine, so that data encryption can be realized.
Further, in the data encryption device provided by the embodiment of the present invention, the LUN identifier carried in the I/O data and the correspondence between the multiple LUN identifiers and the multiple first key identifiers are used to determine the key identifier corresponding to the LUN identifier; the corresponding key can be obtained from the key management server and sent to the encryption accelerator engine through the SAS interface, so that the key is obtained and data encryption can be realized. The encryption accelerator engine uses the LUN identifier carried in the I/O data and the correspondence between each LUN identifier and each key identifier to determine the key identifier corresponding to the I/O data and obtain the corresponding key; that is, the symmetric encryption module contained in the encryption accelerator engine obtains the key corresponding to the I/O data, so that the data can be encrypted. By encrypting the I/O data, the I/O data is converted into a section of unreadable ciphertext, which the encryption accelerator engine sends to the encryption device, so that the I/O data cannot be read by an arbitrary party and its security is improved. The encryption accelerator engine decrypts the encrypted I/O data using the decryption key corresponding to it; that is, it converts a section of unreadable ciphertext back into readable information, so that only an encryption device holding the decryption key can read the I/O data, which further improves the security of the I/O data.
It should be noted that, for the other descriptions corresponding to each unit of the data encryption device provided in the embodiment of the present invention, reference may be made to the corresponding descriptions of Fig. 2 and Fig. 3, which are not repeated here.
Still further, the embodiment of the present invention also provides an encryption accelerator engine. The encryption accelerator engine is located in a data encryption system that also comprises an encryption device, and the encryption accelerator engine and the encryption device exchange data through a SAS interface. As shown in Fig. 6, the encryption accelerator engine comprises: a receiver 61, a processor 62, a transmitter 63 and a memory 64, the memory 64 being connected to the processor 62.
The receiver 61 is configured to receive, through the SAS interface, the I/O data sent by the encryption device.
The processor 62 is configured to encrypt, according to the SAS protocol, the I/O data received by the receiver 61.
The transmitter 63 is configured to send, through the SAS interface, the I/O data encrypted by the processor 62 to the encryption device.
The receiver 61 is further configured to receive, through the SAS interface, second I/O data sent by the encryption device.
The second I/O data is I/O data that has already been encrypted.
The processor 62 is further configured to decrypt, according to the SAS protocol, the second I/O data received by the receiver 61.
The transmitter 63 is further configured to send, through the SAS interface, the second I/O data decrypted by the processor 62 to the encryption device.
The receiver 61 is further configured to receive, through the SAS interface, each key sent by the encryption device.
The processor 62 is further configured to generate, according to each key received by the receiver 61, a respective key identifier.
Each key identifier is the identifier corresponding to the respective key.
The processor 62 is further configured to configure the correspondence between each LUN identifier and each key identifier.
The processor 62 is further configured to determine, according to the correspondence between each LUN identifier and each key identifier, the key identifier corresponding to the LUN identifier.
The I/O data received by the receiver 61 carries the LUN identifier.
The processor 62 is further configured to obtain the key corresponding to the key identifier.
The processor 62 is specifically configured to encrypt the I/O data according to the SAS protocol and the key.
The encryption accelerator engine provided by the embodiment of the present invention is applied to a data encryption system. The data encryption system comprises the encryption accelerator engine and an encryption device, and the encryption accelerator engine and the encryption device exchange data through a SAS interface. The encryption accelerator engine first receives, through the SAS interface, the I/O data sent by the encryption device, then encrypts the I/O data according to the SAS protocol, and finally sends the encrypted I/O data to the encryption device through the SAS interface. Compared with the current approach, in which I/O data is exchanged between a controller and a PCIe encryption card, in the embodiment of the present invention the encryption device sends the I/O data through the SAS interface, the encryption accelerator engine encrypts it, and the encrypted data is returned to the encryption device through the SAS interface; that is, the encryption device exchanges data with the encryption accelerator engine through the SAS interface. Because an encryption device is provided with a sufficient number of SAS interfaces, and the number of SAS interfaces provided can be expanded as required, the encryption device always has a SAS interface available for exchanging data with the encryption accelerator engine, so that data encryption can be realized.
Further, in the encryption accelerator engine provided by the embodiment of the present invention, the LUN identifier carried in the I/O data and the correspondence between the multiple LUN identifiers and the multiple first key identifiers are used to determine the key identifier corresponding to the LUN identifier; the corresponding key can be obtained from the key management server and sent to the encryption accelerator engine through the SAS interface, so that the key is obtained and data encryption can be realized. The encryption accelerator engine uses the LUN identifier carried in the I/O data and the correspondence between each LUN identifier and each key identifier to determine the key identifier corresponding to the I/O data and obtain the corresponding key; that is, the symmetric encryption module contained in the encryption accelerator engine obtains the key corresponding to the I/O data, so that the data can be encrypted. By encrypting the I/O data, the I/O data is converted into a section of unreadable ciphertext, which the encryption accelerator engine sends to the encryption device, so that the I/O data cannot be read by an arbitrary party and its security is improved. The encryption accelerator engine decrypts the encrypted I/O data using the decryption key corresponding to it; that is, it converts a section of unreadable ciphertext back into readable information, so that only an encryption device holding the decryption key can read the I/O data, which further improves the security of the I/O data.
It should be noted that, for the other descriptions corresponding to each component of the encryption accelerator engine provided in the embodiment of the present invention, reference may be made to the corresponding descriptions of Fig. 2 or Fig. 3, which are not repeated here.
The data encryption device and the encryption accelerator engine provided by the embodiment of the present invention can implement the method embodiments provided above; for the specific functions, reference may be made to the explanations in the method embodiments, which are not repeated here. The data encryption method, device and encryption accelerator engine provided by the embodiment of the present invention are applicable to encrypting or decrypting I/O data, but are not limited to this.
Those of ordinary skill in the art will understand that all or part of the flow of the methods in the above embodiments can be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (15)

1. A data encryption method, characterized in that the data encryption method is applied to a data encryption system, the data encryption system comprises an encryption accelerator engine and an encryption device, and the encryption accelerator engine and the encryption device exchange data through a Serial Attached SCSI (SAS) interface; the method comprises:
the encryption accelerator engine receiving, through the SAS interface, input/output (I/O) data sent by the encryption device;
the encryption accelerator engine encrypting the I/O data according to the SAS protocol; and
the encryption accelerator engine sending the encrypted I/O data to the encryption device through the SAS interface.
2. The data encryption method according to claim 1, characterized in that the method further comprises:
the encryption accelerator engine receiving, through the SAS interface, second I/O data sent by the encryption device, the second I/O data being I/O data that has already been encrypted;
the encryption accelerator engine decrypting the second I/O data according to the SAS protocol; and
the encryption accelerator engine sending the decrypted second I/O data to the encryption device through the SAS interface.
3. The data encryption method according to claim 1, characterized in that, before the step of the encryption accelerator engine receiving, through the SAS interface, the I/O data sent by the encryption device, the method further comprises:
the encryption accelerator engine receiving, through the SAS interface, each key sent by the encryption device; and
the encryption accelerator engine generating, according to each key, a respective key identifier, each key identifier being the identifier corresponding to the respective key.
4. The data encryption method according to claim 3, characterized in that the method further comprises:
the encryption accelerator engine configuring a correspondence between each logical unit number (LUN) identifier and each key identifier.
5. The data encryption method according to claim 4, characterized in that the I/O data carries a LUN identifier;
after the step of the encryption accelerator engine receiving, through the SAS interface, the I/O data sent by the encryption device, the method further comprises:
the encryption accelerator engine determining, according to the correspondence between each LUN identifier and each key identifier, the key identifier corresponding to the LUN identifier; and
the encryption accelerator engine obtaining the key corresponding to the key identifier; and
the step of the encryption accelerator engine encrypting the I/O data according to the SAS protocol specifically comprises:
the encryption accelerator engine encrypting the I/O data according to the SAS protocol and the key.
6. A data encryption device, characterized in that the data encryption device is applied to a data encryption system, the data encryption system comprises an encryption accelerator engine and an encryption device, and the encryption accelerator engine and the encryption device exchange data through a Serial Attached SCSI (SAS) interface; the device comprises:
a receiving unit, configured to receive, through the SAS interface, input/output (I/O) data sent by the encryption device;
an encryption unit, configured to encrypt, according to the SAS protocol, the I/O data received by the receiving unit; and
a transmitting unit, configured to send, through the SAS interface, the I/O data encrypted by the encryption unit to the encryption device.
7. The data encryption device according to claim 6, characterized in that:
the receiving unit is further configured to receive, through the SAS interface, second I/O data sent by the encryption device, the second I/O data being I/O data that has already been encrypted;
the device further comprises a decryption unit;
the decryption unit is configured to decrypt, according to the SAS protocol, the second I/O data received by the receiving unit; and
the transmitting unit is further configured to send, through the SAS interface, the second I/O data decrypted by the decryption unit to the encryption device.
8. The data encryption device according to claim 6, characterized in that:
the receiving unit is further configured to receive, through the SAS interface, each key sent by the encryption device;
the device further comprises a generation unit; and
the generation unit is configured to generate, according to each key received by the receiving unit, a respective key identifier, each key identifier being the identifier corresponding to the respective key.
9. The data encryption device according to claim 8, characterized in that the device further comprises a configuration unit;
the configuration unit is configured to configure a correspondence between each logical unit number (LUN) identifier and each key identifier generated by the generation unit.
10. The data encryption device according to claim 9, characterized in that:
the I/O data received by the receiving unit carries a LUN identifier;
the device further comprises a determining unit and an acquiring unit;
the determining unit is configured to determine, according to the correspondence between each LUN identifier and each key identifier configured by the configuration unit, the key identifier corresponding to the LUN identifier;
the acquiring unit is configured to obtain the key corresponding to the key identifier determined by the determining unit; and
the encryption unit is specifically configured to encrypt the I/O data according to the SAS protocol and the key obtained by the acquiring unit.
11. An encryption accelerator engine, characterized in that the encryption accelerator engine is located in a data encryption system, the data encryption system comprises the encryption accelerator engine and an encryption device, and the encryption accelerator engine and the encryption device exchange data through a Serial Attached SCSI (SAS) interface; the encryption accelerator engine comprises:
a receiver, configured to receive, through the SAS interface, input/output (I/O) data sent by the encryption device;
a processor, configured to encrypt, according to the SAS protocol, the I/O data received by the receiver; and
a transmitter, configured to send, through the SAS interface, the I/O data encrypted by the processor to the encryption device.
12. The encryption accelerator engine according to claim 11, characterized in that:
the receiver is further configured to receive, through the SAS interface, second I/O data sent by the encryption device, the second I/O data being I/O data that has already been encrypted;
the processor is further configured to decrypt, according to the SAS protocol, the second I/O data received by the receiver; and
the transmitter is further configured to send, through the SAS interface, the second I/O data decrypted by the processor to the encryption device.
13. The encryption accelerator engine according to claim 11, characterized in that:
the receiver is further configured to receive, through the SAS interface, each key sent by the encryption device; and
the processor is further configured to generate, according to each key received by the receiver, a respective key identifier, each key identifier being the identifier corresponding to the respective key.
14. The encryption accelerator engine according to claim 13, characterized in that:
the processor is further configured to configure a correspondence between each logical unit number (LUN) identifier and each key identifier.
15. The encryption accelerator engine according to claim 14, characterized in that:
the I/O data received by the receiver carries a LUN identifier;
the processor is further configured to determine, according to the correspondence between each LUN identifier and each key identifier, the key identifier corresponding to the LUN identifier;
the processor is further configured to obtain the key corresponding to the key identifier; and
the processor is specifically configured to encrypt the I/O data according to the SAS protocol and the key.
CN201410834853.5A 2014-12-29 2014-12-29 Device and method for data encryption and encryption accelerator engine Pending CN104580181A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410834853.5A CN104580181A (en) 2014-12-29 2014-12-29 Device and method for data encryption and encryption accelerator engine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410834853.5A CN104580181A (en) 2014-12-29 2014-12-29 Device and method for data encryption and encryption accelerator engine

Publications (1)

Publication Number Publication Date
CN104580181A true CN104580181A (en) 2015-04-29

Family

ID=53095362

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410834853.5A Pending CN104580181A (en) 2014-12-29 2014-12-29 Device and method for data encryption and encryption accelerator engine

Country Status (1)

Country Link
CN (1) CN104580181A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060075201A1 (en) * 2004-10-04 2006-04-06 Hitachi, Ltd. Hard disk device with an easy access of network
CN101488112A (en) * 2009-02-18 2009-07-22 浪潮电子信息产业股份有限公司 Multi-host interface SAS//SATA hard disk real-time encryption and decryption method
CN103107889A (en) * 2013-02-06 2013-05-15 中电长城网际系统应用有限公司 System and method for cloud computing environment data encryption storage and capable of searching
CN104217180A (en) * 2014-09-07 2014-12-17 杭州华澜微科技有限公司 Encrypted storage disc

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109033849A (en) * 2018-06-29 2018-12-18 无锡艾立德智能科技有限公司 The encryption method and device encrypted to deposit data of magnetic disk array
CN109474429A (en) * 2018-12-24 2019-03-15 无锡市同威科技有限公司 A kind of cipher key configuration strategy process towards FC storage encryption gateway
CN109474429B (en) * 2018-12-24 2022-02-15 无锡市同威科技有限公司 Key configuration strategy method facing FC storage encryption gateway

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150429