CN104751081A - Disk data encryption method and device - Google Patents


Publication number: CN104751081A
Application number: CN201310726617.7A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 杨志鹏
Applicant and current assignee: Huawei Technologies Co Ltd
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: encrypted, disc unit, disk partition, disk, data

Abstract

The invention discloses a disk data encryption method and device. Before encryption starts, the method first determines the disk partition to be encrypted, then uses the file system type of that partition to determine which disk units in it hold file data. Only disk units that hold file data are encrypted; disk units that hold no file data do not need to be encrypted. Because the whole partition no longer has to be encrypted unit by unit, encryption time is greatly shortened and processing efficiency is increased. In cloud computing and virtual machine environments this also means the provider does not need to allocate a large amount of redundant idle disk capacity to the user, which avoids wasting storage resources on the provider's host.

Description

Disk data encryption method and device
Technical field
The present invention relates to the field of data protection, and in particular to a disk data encryption method and device.
Background technology
Encrypting disk contents is an important way of protecting data. In recent years, with the spread of cloud computing and virtual machine technology and frequent incidents of attackers stealing users' private data, data security has received more and more attention from users.
An existing disk encryption method encrypts every sector of the disk or disk partition being encrypted. Because all sectors of the whole disk or partition must be encrypted, its encryption time is very long. Moreover, in cloud computing and virtual machine environments the disk space a user requests is usually large, while the space actually used is far smaller than the amount requested, so the space a provider actually backs for a user is often less than the requested size. If the user encrypts with the existing method, the provider must immediately expand the space allocated to the user up to the full requested size, which wastes storage resources on the provider's host.
Summary of the invention
In view of this, the invention provides a disk data encryption method and device to overcome the long encryption time and the waste of storage resources that the existing disk encryption method causes by having to encrypt every sector of the whole disk.
To achieve the above object, the invention provides the following technical solutions:
In a first aspect, the application discloses a disk data encryption method, comprising:
determining the disk partition to be encrypted;
obtaining the file system type of the disk partition to be encrypted;
determining, according to the file system type, the disk units in the disk partition to be encrypted that store file data; and
encrypting the disk units that store file data.
In a first possible implementation of the first aspect, determining, according to the file system type, the disk units in the disk partition to be encrypted that store file data comprises:
obtaining, according to the file system type, the file allocation table of the disk partition to be encrypted; and
determining, according to the file allocation table, the disk units in the disk partition to be encrypted that store file data.
In a second possible implementation of the first aspect, the method further comprises:
during the disk data encryption process, if new data is stored to the disk partition to be encrypted, recording the physical addresses of the disk units that store the new data;
in which case determining, according to the file system type, the disk units that store file data comprises: determining, according to the file allocation table and the recorded physical addresses, the disk units in the disk partition to be encrypted that store file data.
On the basis of the first aspect, or of its first or second possible implementation, encrypting the disk units that store file data comprises: cyclically performing step a) and step b), encrypting the disk units that store file data in several rounds, until all disk units storing file data in the disk partition to be encrypted have been encrypted;
a) during a first preset duration, encrypting the disk units storing file data in the disk partition to be encrypted, and when the first preset duration ends, performing step b);
b) during a second preset duration, executing the instructions in the disk I/O queue, the instructions comprising write instructions and read instructions, and when the second preset duration ends, returning to step a).
On the basis of the first aspect, or of its first or second possible implementation, the method further comprises:
in step b), before the second preset duration ends, if it is detected that all instructions in the disk I/O queue have been executed, returning to step a).
In a second aspect, the application discloses a disk data encryption device, comprising:
a to-be-encrypted determination module, configured to determine the disk partition to be encrypted;
a file system acquisition module, configured to obtain the file system type of the disk partition to be encrypted;
a disk unit determination module, configured to determine, according to the file system type, the disk units in the disk partition to be encrypted that store file data; and
an encryption module, configured to encrypt the disk units that store file data.
In a first possible implementation of the second aspect, the disk unit determination module comprises:
a file allocation table acquisition module, configured to obtain, according to the file system type, the file allocation table of the disk partition to be encrypted; and
a disk unit determination submodule, configured to determine, according to the file allocation table, the disk units in the disk partition to be encrypted that store file data.
In a second possible implementation of the second aspect, the disk data encryption device further comprises:
a relation recording module, configured to record, during the disk data encryption process, the physical addresses of the disk units that store new data if new data is stored to the disk partition to be encrypted;
the disk unit determination module then being specifically configured to determine, according to the file allocation table and the recorded physical addresses, the disk units in the disk partition to be encrypted that store file data.
On the basis of the second aspect, or of its first or second possible implementation, the encryption module comprises:
a flow execution module, configured to cyclically perform operation a) and operation b), encrypting the disk units that store file data in several rounds, until all disk units storing file data in the disk partition to be encrypted have been encrypted;
where operation a) is: during a first preset duration, encrypting the disk units storing file data in the disk partition to be encrypted, and when the first preset duration ends, performing operation b); and
operation b) is: during a second preset duration, executing the instructions in the disk I/O queue, the instructions comprising read instructions and write instructions, and when the second preset duration ends, returning to operation a).
On the basis of the second aspect, or of its first or second possible implementation, the disk data encryption device further comprises:
a detection module, configured to return to operation a) if, during operation b) and before the second preset duration ends, it detects that all instructions in the disk I/O queue have been executed.
As can be seen from the above technical solutions, compared with the prior art, the embodiments of the invention disclose a disk data encryption method and device. Before encrypting a disk, the method first determines which partition of the disk needs to be encrypted, that is, the disk partition to be encrypted, and then determines, according to the file system type of that partition, whether each disk unit in it stores file data. Only disk units that store file data are encrypted; disk units that store no file data are not. The whole partition therefore does not have to be encrypted unit by unit, which substantially reduces encryption time and improves processing efficiency. Even in cloud computing and virtual machine environments, the provider does not need to allocate a large amount of spare idle disk capacity to the user, so storage resources on the provider's host are not wasted.
Accompanying drawing explanation
To describe the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings required for the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a disk data encryption method disclosed in an embodiment of the invention;
Fig. 2 is a flowchart, disclosed in an embodiment of the invention, of determining the disk units that store file data;
Fig. 3 is a flowchart of another disk data encryption method disclosed in an embodiment of the invention;
Fig. 4 is a flowchart of another disk data encryption method disclosed in an embodiment of the invention;
Fig. 5 is a schematic diagram, disclosed in an embodiment of the invention, of read and write operations on encrypted disk data;
Fig. 6 is a structural diagram of a disk data encryption device disclosed in an embodiment of the invention;
Fig. 7 is a structural diagram of a disk unit determination module disclosed in an embodiment of the invention;
Fig. 8 is a structural diagram of another disk data encryption device disclosed in an embodiment of the invention;
Fig. 9 is a structural diagram of another disk data encryption device disclosed in an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the protection scope of the invention.
Fig. 1 is a flowchart of a disk data encryption method disclosed in an embodiment of the invention. As shown in Fig. 1, the disk data encryption method may comprise:
Step 101: determine the disk partition to be encrypted;
The precondition for step 101 is that the user has issued a request to encrypt a disk or a disk partition; the partition to be encrypted is then determined from the disk or partition encryption request the user sent to the system.
Step 102: obtain the file system type of the disk partition to be encrypted;
Each disk partition has one file system type, different partitions may have different file system types, and the format and retrieval method of the related metadata (such as the file allocation table) differ from one file system to another. To determine accurately in the later steps which sectors of the partition store file data, the file system type of the partition to be encrypted must therefore be obtained first.
Step 103: determine, according to the file system type, the disk units in the disk partition to be encrypted that store file data;
Specifically, a disk unit may comprise several sectors. A sector is the smallest logical unit of a disk partition and is very small, generally 512 bytes, while file data is generally not that small, so a disk unit made up of several sectors can serve as the basic unit for judging whether file data is stored. The number of sectors in a disk unit is not fixed and can be set according to the user's needs: if the files the user usually stores in the partition are large, the number of sectors per block can be set higher, for example 30; if they are small, it can be set lower, for example 8.
After step 103 has determined which disk units in the partition to be encrypted store file data, it follows that those disk units are the ones that need to be encrypted. They can then be encrypted to protect the user's private information.
Step 104: encrypt the disk units that store file data.
Once the user has requested that a disk partition be encrypted, the file data in that partition is the user's private information. So after determining which disk units in the partition store file data, those disk units need to be encrypted. The encryption may be performed with a key set by the user. Disk units that store no file data need not be encrypted, avoiding unnecessary use of resources.
In this embodiment, before encrypting a disk unit in a partition, the method first determines from the partition's file system type whether the unit stores file data. Only disk units that store file data are encrypted; sector blocks that store no file data are not. The whole partition therefore does not have to be encrypted unit by unit, which substantially reduces encryption time and also avoids wasting storage resources on the provider's host in cloud computing and virtual machine environments.
In the above embodiment, the file allocation table of the partition containing a disk unit can be used to determine conveniently whether the unit stores file data. The file allocation table records which disk units are in use and which are not, that is, which store file data and which do not. As noted above, the format and retrieval method of the file allocation table differ between file systems. The specific process of step 103, determining the disk units storing file data according to the file system type, is shown in Fig. 2, a flowchart of determining the disk units that store file data disclosed in an embodiment of the invention, and may comprise:
Step 201: obtain, according to the file system type, the file allocation table of the disk partition to be encrypted;
Before step 202 determines the disk units in the partition that store file data, the file allocation table of the partition is obtained first, so that step 202 can determine directly from the information it records which disk units of the partition store file data.
Step 202: determine, according to the file allocation table, the disk units in the disk partition to be encrypted that store file data.
In this embodiment, because the information recorded in the file allocation table directly reflects which disk units of the partition store file data, the file allocation table is first obtained according to the partition's file system type, and the disk units storing file data can then be determined from it easily. This is direct and convenient and speeds up encryption of the partition as a whole.
Current operating systems cache write operations to disk partitions, so the file allocation table may not reflect the latest usage of the partition's disk units in time. That is, if the operating system has just written file data into a disk unit, the caching mechanism may mean that the file allocation table still indicates that the unit stores no file data, which affects the accuracy of the determination. On the basis of the above embodiment, the method may further comprise: during the disk data encryption process, if new data is stored to the disk partition to be encrypted, recording the physical addresses of the disk units that store the new data.
Determining the disk units storing file data according to the file system type may then comprise: determining, according to the file allocation table and the recorded physical addresses, the disk units in the disk partition to be encrypted that store file data.
The specific flow of the above embodiment is shown in Fig. 3, a flowchart of another disk data encryption method disclosed in an embodiment of the invention. As shown in Fig. 3, it may comprise:
Step 301: determine the disk partition to be encrypted; proceed to steps 302 and 303 at the same time;
Step 302: obtain the file system type of the disk partition to be encrypted; proceed to step 305;
Step 303: judge whether new data is being stored to the disk partition to be encrypted; if so, proceed to step 304;
If the judgement is no, nothing needs to be done.
Step 304: record the physical addresses of the disk units that store the new data; proceed to step 305;
Step 305: determine, according to the file allocation table and the recorded physical addresses, the disk units in the disk partition to be encrypted that store file data;
Step 306: encrypt the disk units that store file data.
When the disk units storing file data are determined from both the file allocation table and the recorded physical addresses, a specific implementation is as follows. After the user's partition encryption request is received, if new data is stored to the partition during the encryption process, the correspondence between the new data and the physical addresses of the disk units storing it is recorded. This correspondence covers only file data newly added to the partition while it is being encrypted; it does not record the correspondence between file data that was already in the partition before encryption began and the physical addresses of its disk units. While the partition is being encrypted, once the user triggers a write instruction, the entity executing the method parses from the write instruction which disk locations the file data is to be stored at, and after the write instruction has completed, that is, after the file data has been stored to the partition, updates the correspondence between the new data and the physical addresses of the disk units storing it.
Specifically, the correspondence between new data and the physical addresses of the disk units storing it may be implemented as a disk mapping table, which the following example illustrates. For an 80 GB partition with a 1 MB encryption block, there are 80*1024 = 81920 blocks in total. The disk mapping table can be regarded as a bitmap: 1 bit represents 1 block, 1 byte represents 8 blocks, 1 KB represents 8*1024 = 8192 blocks, and 10 KB represents 81920 blocks. By a preset rule, a bit in the bitmap carrying a fixed marker value indicates that file data is stored, from which it follows that the physical address (disk unit) corresponding to that bit stores file data. It is like a smart car park with many indicator lights, one per space: the light turns red when the space is occupied and green when it is empty.
Because current operating systems cache file system operations, the file allocation table may not promptly reflect data newly written by applications. Therefore, during the disk data encryption process, if new data is stored to the partition to be encrypted, the physical addresses of the disk units storing it can be recorded. When determining which disk units of the partition store file data, both the file allocation table and the recorded physical addresses are used, which makes the determination more accurate and ensures that the encryption result is accurate and complete.
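The following is an added worked example of the steps above (the selection of units by allocation bitmap, the recording of units written mid-pass, and the bitmap sizing for the 80 GB / 1 MB case); it is not code from the patent or from Huawei. It assumes an in-memory partition in which a byte array stands in for the disk, a one-bit-per-unit bitmap stands in for what the text calls the file allocation table (in practice that is whatever allocation metadata the file system keeps: FAT's table, NTFS's $Bitmap, ext4's block bitmaps), and an HMAC-SHA256 counter-mode keystream stands in for the cipher so that the example runs on the standard library alone; real disk encryption uses a sector-tweakable cipher such as XTS-AES. All names (Partition, encrypt_pass, unit_keystream, demo) are this example's own. The demo also exercises the caveat a practitioner should know about this scheme: a unit whose file was deleted is no longer allocated, so its old bytes are skipped and stay in the clear.

```python
"""Selective disk-unit encryption driven by the file system's allocation
bitmap, plus tracking of units written while the encryption pass runs."""
import hashlib
import hmac

SECTOR = 512  # bytes; the text's smallest logical unit of a partition

def bitmap_bytes(partition_bytes: int, unit_bytes: int) -> int:
    """One bit per unit: 80 GiB in 1 MiB units is 81920 bits, i.e. 10 KiB."""
    units = -(-partition_bytes // unit_bytes)  # ceiling division
    return (units + 7) // 8

def bit_set(bm: bytearray, i: int) -> None:
    bm[i >> 3] |= 1 << (i & 7)

def bit_clear(bm: bytearray, i: int) -> None:
    bm[i >> 3] &= ~(1 << (i & 7)) & 0xFF

def bit_test(bm: bytes, i: int) -> bool:
    return bool(bm[i >> 3] & (1 << (i & 7)))

def unit_keystream(key: bytes, unit: int, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream bound to the unit index. Used only so
    the example runs on the stdlib; real disk encryption uses XTS-AES or similar."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, unit.to_bytes(8, "big") + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

class Partition:
    """Constructed in-memory partition; `alloc` plays the file allocation table."""
    def __init__(self, unit_count: int, sectors_per_unit: int = 8):
        self.unit_count = unit_count
        self.unit_bytes = sectors_per_unit * SECTOR
        self.data = bytearray(unit_count * self.unit_bytes)
        nbytes = bitmap_bytes(len(self.data), self.unit_bytes)
        self.alloc = bytearray(nbytes)      # units the file system says hold file data
        self.dirty = bytearray(nbytes)      # units written while a pass is running
        self.encrypted = bytearray(nbytes)  # units currently stored as ciphertext
        self.in_pass = False

    def write_file(self, unit: int, payload: bytes) -> None:
        """File-system write; mid-pass writes are also recorded in `dirty`
        because a cached allocation table may not show them yet."""
        off = unit * self.unit_bytes
        self.data[off:off + len(payload)] = payload
        bit_set(self.alloc, unit)
        if self.in_pass:
            bit_set(self.dirty, unit)

    def _xor_unit(self, unit: int, key: bytes) -> None:
        off, n = unit * self.unit_bytes, self.unit_bytes
        ks = unit_keystream(key, unit, n)
        self.data[off:off + n] = bytes(a ^ b for a, b in zip(self.data[off:off + n], ks))

    def encrypt_pass(self, key: bytes, during_pass=None) -> list:
        """Encrypt only units holding file data: those set in the allocation
        table as read when the pass starts, plus any written while it runs."""
        snapshot = bytes(self.alloc)
        self.in_pass = True
        if during_pass is not None:
            during_pass(self)  # stands in for application writes during the pass
        targets = [u for u in range(self.unit_count)
                   if (bit_test(snapshot, u) or bit_test(self.dirty, u))
                   and not bit_test(self.encrypted, u)]
        for u in targets:
            self._xor_unit(u, key)
            bit_set(self.encrypted, u)
        self.in_pass = False
        self.dirty = bytearray(len(self.dirty))
        return targets

    def read_unit(self, unit: int, key: bytes) -> bytes:
        """Read path: decrypt transparently if the unit is stored as ciphertext."""
        off = unit * self.unit_bytes
        raw = bytes(self.data[off:off + self.unit_bytes])
        if not bit_test(self.encrypted, unit):
            return raw
        return bytes(a ^ b for a, b in zip(raw, unit_keystream(key, unit, len(raw))))

def demo() -> dict:
    """Constructed scenario: 16 units of 8 sectors (4 KiB each) and a sample key."""
    key = b"example key, not for production"
    p = Partition(unit_count=16)
    p.write_file(0, b"boot config " * 10)
    p.write_file(5, b"user document " * 20)
    p.write_file(9, b"deleted later")
    bit_clear(p.alloc, 9)  # typical delete: allocation bit cleared, bytes remain

    def app_writes(part):
        part.write_file(12, b"written mid-pass")

    targets = p.encrypt_pass(key, during_pass=app_writes)
    raw = lambda u, n: bytes(p.data[u * p.unit_bytes:u * p.unit_bytes + n])
    return {
        "targets": targets,  # [0, 5, 12]
        "unit5_reads_plain": p.read_unit(5, key).startswith(b"user document"),
        "unit5_stored_cipher": not raw(5, 13).startswith(b"user document"),
        "unit9_left_in_clear": raw(9, 13) == b"deleted later",
        "bitmap_bytes_80g": bitmap_bytes(80 * 1024 ** 3, 1024 ** 2),  # 10240
    }
```

The pass encrypts units 0 and 5 (allocated when the table was read) and unit 12 (written while the pass ran and therefore only visible through the `dirty` record), and skips unit 9, whose deleted contents remain readable on the raw device. A deployment that cares about that residue must wipe or encrypt unallocated space separately, which is exactly the cost the scheme is trying to avoid.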
In the above embodiments, the whole disk partition contains a very large number of disk units, and during encryption each disk unit has to be checked against the file allocation table to determine whether it stores file data.
In practice, while a disk partition is being encrypted, the user may also read and write the file data stored in its disk units. In this embodiment, when an application writes to the disk units, encrypting the disk units that store file data may specifically comprise: cyclically performing step a) and step b), encrypting the disk units storing file data in several rounds, until all disk units storing file data in the partition to be encrypted have been encrypted; where step a) is: during a first preset duration, encrypting the disk units storing file data in the partition to be encrypted, and when the first preset duration ends, performing step b); and step b) is: during a second preset duration, executing the instructions in the disk I/O queue, which comprise read and write instructions, and when the second preset duration ends, returning to step a).
The first and second preset durations can be set as needed, preferably so that the user's normal work is not affected; for example, the process that encrypts disk units and the process that lets applications perform read and write operations may each be allowed to run for half a second.
Fig. 4 is a flowchart of another disk data encryption method disclosed in an embodiment of the invention. As shown in Fig. 4, it may comprise:
Step 401: determine the disk partition to be encrypted;
Step 402: obtain the file system type of the disk partition to be encrypted;
Step 403: determine, according to the file system type, the disk units in the disk partition to be encrypted that store file data;
Step 404: during a first preset duration, encrypt the disk units storing file data in the disk partition to be encrypted;
Step 405: during a second preset duration, execute the instructions in the disk I/O queue, the instructions comprising read instructions and write instructions;
Step 406: judge whether all disk units storing file data in the disk partition to be encrypted have been encrypted; if so, proceed to step 407; if not, return to step 404;
Step 407: end.
With the disk data encryption method disclosed in this embodiment, when an application reads file data from the partition, the encrypted file data is first decrypted and then presented to the user in its normal form; when an application writes file data to the partition, the newly written data is encrypted before it is stored on the disk. This is illustrated in Fig. 5, a schematic diagram of read and write operations on encrypted disk data disclosed in an embodiment of the invention.
While this switching flow runs, step b) may further comprise: before the second preset duration ends, if it is detected that all instructions in the disk I/O queue have been executed, returning to step a). A specific way to implement this is: if it is detected that all instructions in the disk I/O queue have been executed, set the second preset duration to 0; if not, set the second preset duration to its initial value, where the initial value is the duration the system configures for executing the instructions in the disk I/O queue when there are instructions to execute, for example half a second. Once all instructions in the disk I/O queue have been executed there is no need to keep allotting time to the instruction-execution flow, so to speed up encryption of the disk data the second preset duration can be set to 0, so that after switching to the flow that executes the instructions in the disk I/O queue, control switches straight back to the flow that encrypts the disk units storing file data in the partition to be encrypted.
Before encryption, the file data stored in the partition can all be read as normal; after encryption, the file data in the partition is ciphertext. For the whole partition, however, encrypting all the disk units has to proceed completely and block by block and cannot finish instantly. While the disk units of the partition are being checked and encrypted, the user may also write to disk units in the partition through the operating system, and a given disk unit cannot be encrypted and written at the same time. So, in order not to disturb the user's normal work, one block of data is encrypted, then encryption pauses to let the operating system read and write, then user program reads and writes are paused and the next block is encrypted, and so on. Roughly, the flow is as follows:
In this embodiment, when applications read and write the partition, encryption operations and write operations to the disk can be made to alternate at preset durations by controlling the process that encrypts newly written data and the process that allows applications to read and write the disk; the preset durations can be set as needed so that the user can work normally.
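The following is an added example of the alternating flow described in steps a) and b) and in Fig. 4, together with the read and write behaviour of Fig. 5 and the early return when the I/O queue drains; it is not code from the patent or from Huawei. It models time as abstract ticks (one unit encrypted or one I/O request served per tick) instead of the half-second durations the text suggests, so that the schedule is deterministic and can be inspected; the slice lengths play the first and second preset durations. The request classification strings, the queue format and the names (SlicedEncryptor, run, demo) are this example's own.

```python
"""Time-sliced encryption: alternate an encryption slice (step a) with a slice
that serves the disk I/O queue (step b), returning early when the queue drains."""
from collections import deque


class SlicedEncryptor:
    """Time is modelled in ticks: one unit encrypted, or one I/O served, per tick."""

    def __init__(self, units_to_encrypt, encrypt_slice: int = 4, io_slice: int = 4):
        self.pending = deque(units_to_encrypt)  # units still to encrypt, in order
        self.encrypted = set()                  # units now stored as ciphertext
        self.encrypt_slice = encrypt_slice      # first preset duration
        self.io_slice = io_slice                # second preset duration (initial value)
        self.trace = []                         # (phase, items) per slice, for inspection

    def _encrypt_phase(self) -> None:
        """Step a): encrypt for at most encrypt_slice ticks."""
        done = []
        while self.pending and len(done) < self.encrypt_slice:
            unit = self.pending.popleft()
            self.encrypted.add(unit)
            done.append(unit)
        self.trace.append(("encrypt", tuple(done)))

    def _serve(self, op: str, unit: int) -> str:
        """Read/write path of Fig. 5 while the pass is still in progress."""
        if op == "read":
            return "read-decrypt" if unit in self.encrypted else "read-plain"
        if unit in self.encrypted:
            return "write-encrypt"     # unit already converted: encrypt on the way in
        if unit not in self.pending:
            self.pending.append(unit)  # new data on a fresh unit: record it for the pass
        return "write-plain-pending"

    def _io_phase(self, io_queue: deque) -> None:
        """Step b): serve the queue for at most io_slice ticks. An empty queue
        ends the slice at once, i.e. the second duration is set to 0."""
        served = []
        while io_queue and len(served) < self.io_slice:
            op, unit = io_queue.popleft()
            served.append((op, unit, self._serve(op, unit)))
        self.trace.append(("io", tuple(served)))

    def run(self, io_queue: deque) -> list:
        """Loop a), b), a), b), ... until every unit holding file data is encrypted."""
        while self.pending:
            self._encrypt_phase()
            if not self.pending:
                break
            self._io_phase(io_queue)
        return self.trace


def demo() -> list:
    """Constructed run: ten units hold file data and six I/O requests are queued."""
    io_queue = deque([("read", 1), ("write", 2), ("write", 20),
                      ("read", 9), ("write", 0), ("read", 20)])
    return SlicedEncryptor(range(10), encrypt_slice=4, io_slice=3).run(io_queue)
```

In the demo the first I/O slice finds unit 1 already encrypted (its read is decrypted), unit 2 already encrypted (its write is encrypted on the way in) and unit 20 untouched by the pass, so the write to unit 20 is recorded and the pass later encrypts it as its last unit; the second slice reads unit 9 before its turn comes, so that read is served in the clear. A run whose queue empties inside a slice records a shorter "io" phase, which is the text's early return to step a).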
Describe method in detail in embodiment disclosed in the invention described above, the device of various ways can be adopted to realize for method of the present invention, therefore the invention also discloses a kind of device, provide specific embodiment below and be described in detail.
The structural representation of Fig. 6 device of data in magnetic disk encryption disclosed in the embodiment of the present invention, shown in Figure 6, the device 60 of described data in magnetic disk encryption can comprise:
A to-be-encrypted determination module 601, for determining the disk partition to be encrypted;
The precondition for the to-be-encrypted determination module 601 to determine the partition to be encrypted is that the user has issued a request to encrypt a disk or a disk partition; the module 601 can then determine the partition to be encrypted according to that request.
A file system acquisition module 602, for obtaining the file system type of the disk partition to be encrypted;
Each disk partition corresponds to one file system type, and different partitions may use different file system types. The form of the relevant metadata (such as the file allocation table) and the way it is obtained differ from one file system to another. Therefore, in order to determine accurately in a subsequent step which sectors of the partition to be encrypted store file data, the file system type of that partition must first be obtained.
A disk unit determination module 603, for determining, according to the file system type, the disk units in the partition to be encrypted that store file data;
Specifically, a disk unit may comprise several sectors. A sector is the smallest logical unit in a disk partition; its capacity is very small, generally 512 bytes, and file data is generally not that small. Therefore a disk unit made up of multiple sectors can serve as the basic unit for judging whether file data is stored. It should be noted that the number of sectors in a disk unit is not fixed and can be set according to the user's needs.
An encryption module 604, for encrypting the disk units that store file data.
Once the user has sent a request to encrypt the disk partition, the file data in the partition to be encrypted is the user's private information. Therefore, after determining which disk units in the partition store file data, those disk units must be encrypted. The encryption can be performed with a key set by the user. Disk units that store no file data need not be encrypted, which avoids wasting resources unnecessarily.
In this embodiment, before encrypting a disk unit in the partition, the disk data encryption device first determines, from the partition's file system type, whether that unit stores file data. Only units that store file data are encrypted; sector blocks that store no file data are left alone. Thus not every disk unit of the whole partition needs to be encrypted, which greatly shortens the encryption time and also avoids, in cloud computing and virtual machine environments, the waste of storage resources on the hosts of the cloud computing and virtual machine provider.
In the above embodiments, to determine conveniently whether a disk unit stores file data, the file allocation table of the partition to which the disk unit belongs can be used. The file allocation table records which disk units are in use and which are not, that is, which disk units store file data and which do not. As mentioned above, the form of the file allocation table and the way it is obtained differ between file systems. Therefore the specific structure of the disk unit determination module 603 can be as shown in Fig. 7, which is a structural diagram of the disk unit determination module disclosed in an embodiment of the present invention. As shown in Fig. 7, the disk unit determination module 603 may comprise:
A file allocation table acquisition module 701, for obtaining, according to the file system type, the file allocation table of the partition to be encrypted;
Before the disk units in the partition that store file data are determined, the file allocation table of the partition is obtained first, so that the subsequent disk unit determination submodule can determine directly, from the information recorded in that table, which disk units in the partition store file data.
A disk unit determination submodule 702, for determining, according to the file allocation table, the disk units in the partition to be encrypted that store file data.
In this embodiment, since the information recorded in the file allocation table directly reflects which disk units in the partition store file data, the file allocation table of the partition to be encrypted is first obtained according to the partition's file system type, and the disk units that store file data can then be determined easily from that table. This process is direct and convenient and speeds up the encryption of the partition as a whole.
Current operating systems all use a caching mechanism when writing to a disk partition, so to some extent the file allocation table may not promptly reflect the latest usage state of the disk units in the partition. That is, if the operating system has just written file data into a certain disk unit of the partition, then, because of the cache, the corresponding entry in the file allocation table may still indicate that the unit stores no file data, which affects the accuracy of the determination. On the basis of the above embodiment, an embodiment of the invention discloses the structural diagram of another disk data encryption device, shown in Fig. 8. As shown in Fig. 8, the disk data encryption device 80 may comprise:
A to-be-encrypted determination module 601, for determining the disk partition to be encrypted;
A file system acquisition module 602, for obtaining the file system type of the disk partition to be encrypted;
A relation record module 801, for recording, during the disk data encryption process, the physical address of the disk unit that stores new data whenever new data is stored to the partition to be encrypted;
A disk unit determination module 603, for determining, according to the file allocation table and the recorded physical addresses, the disk units in the partition to be encrypted that store file data;
An encryption module 604, for encrypting the disk units that store file data.
When the disk units storing file data are determined from both the file allocation table and the recorded physical addresses of the new data, a specific implementation can be as follows. After the user's request to encrypt the disk partition is received, if new data is stored to the partition during the encryption process, the correspondence between the new data and the physical address of the disk unit storing it is recorded. This correspondence covers only file data newly added to the partition while it is being encrypted, together with the physical addresses of their disk units; it does not record the correspondence between file data that was stored in the partition before encryption began and the disk units holding it. During encryption, after the user triggers a write operation, the executing agent of the disk data encryption method can parse from the write instruction which disk location the file data is to be stored at, and then, once the write instruction has completed, that is, once the file data has been stored in the partition to be encrypted, update the correspondence between the new data and the physical address of the disk unit storing it.
Because present operating systems cache the file system, the file allocation table may not promptly reflect that data newly written by an application is in the partition. Therefore, during the encryption process, whenever new data is stored to the partition to be encrypted, the physical address of the disk unit storing it can be recorded. When the disk units in the partition that store file data are then determined, they can be determined from both the file allocation table and the recorded physical addresses. This makes the determination more accurate and ensures that the encryption result is accurate and complete.
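The selection and journaling logic described above, written out as an added example (the editor's illustration, not code from the patent or from Huawei). It builds a constructed in-memory partition image with two constructed file system types, a FAT-like table of 16-bit cluster entries and an ext-style allocation bitmap, uses a disk unit of eight 512-byte sectors, a SHA-256 counter keystream standing in for a real disk cipher such as AES-XTS, and a journal set playing the role of the relation record module 801. The fs_type labels, the Partition class and all function names are assumptions of the example.

```python
"""Added example: encrypt only the disk units an allocation table marks as in use,
plus units that an application writes while the pass is running (journal).
Constructed data and assumed names throughout; not the patent's own code."""
import hashlib
from dataclasses import dataclass, field

SECTOR = 512
SECTORS_PER_UNIT = 8                 # a disk unit is a configurable run of sectors (here 4 KiB)
UNIT = SECTOR * SECTORS_PER_UNIT


@dataclass
class Partition:
    fs_type: str                                  # constructed labels: "fat-like" / "bitmap-like"
    table: bytes                                  # allocation table as the file system encodes it
    data: bytearray                               # unit payload area, len == n_units * UNIT
    journal: set = field(default_factory=set)     # units written while encryption is in progress
    encrypted: set = field(default_factory=set)   # units already converted to ciphertext

    @property
    def n_units(self) -> int:
        return len(self.data) // UNIT


def allocated_units(p: Partition) -> set:
    """Disk unit determination (modules 603/701/702): decode the table by file system type."""
    if p.fs_type == "fat-like":
        # one 16-bit little-endian entry per unit; 0 marks a free cluster (FAT convention)
        return {i for i in range(p.n_units)
                if int.from_bytes(p.table[2 * i:2 * i + 2], "little") != 0}
    if p.fs_type == "bitmap-like":
        # one bit per unit, least significant bit first (ext-style block bitmap convention)
        return {i for i in range(p.n_units) if (p.table[i // 8] >> (i % 8)) & 1}
    raise ValueError("unsupported file system type: " + p.fs_type)


def keystream(key: bytes, unit: int) -> bytes:
    """Stand-in for a real disk cipher mode such as AES-XTS: a SHA-256 counter keystream
    tweaked by the unit index, so identical plaintext in two units encrypts differently."""
    out, ctr = bytearray(), 0
    while len(out) < UNIT:
        out += hashlib.sha256(key + unit.to_bytes(8, "big") + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:UNIT])


def _xor_unit(p: Partition, unit: int, key: bytes) -> None:
    off = unit * UNIT
    ks = keystream(key, unit)
    p.data[off:off + UNIT] = bytes(a ^ b for a, b in zip(p.data[off:off + UNIT], ks))


def app_write(p: Partition, unit: int, payload: bytes, key: bytes) -> None:
    """Application write path. A unit already encrypted is written through the cipher;
    otherwise the plaintext lands as-is and the unit's address is journaled (module 801),
    because the cached allocation table may not yet show the unit as in use."""
    assert len(payload) == UNIT
    off = unit * UNIT
    p.data[off:off + UNIT] = payload
    if unit in p.encrypted:
        _xor_unit(p, unit, key)
    else:
        p.journal.add(unit)


def app_read(p: Partition, unit: int, key: bytes) -> bytes:
    """Application read path: transparently decrypt units that have already been converted."""
    off = unit * UNIT
    raw = bytes(p.data[off:off + UNIT])
    if unit not in p.encrypted:
        return raw
    return bytes(a ^ b for a, b in zip(raw, keystream(key, unit)))


def encrypt_partition(p: Partition, key: bytes, on_unit=None) -> set:
    """Encrypt only units that hold file data: those the allocation table marks in use
    plus any the journal recorded. on_unit, if given, is called after each unit and lets
    the caller inject application writes mid-pass, as happens on a live system."""
    pending = (allocated_units(p) | p.journal) - p.encrypted
    while pending:
        unit = min(pending)
        _xor_unit(p, unit, key)
        p.encrypted.add(unit)
        if on_unit:
            on_unit(unit)
        pending = (allocated_units(p) | p.journal) - p.encrypted   # pick up journaled writes
    return set(p.encrypted)


if __name__ == "__main__":
    tbl = bytearray(16)
    tbl[2:4] = (0xFFFF).to_bytes(2, "little")          # only unit 1 is marked in use
    img = Partition("fat-like", bytes(tbl), bytearray(8 * UNIT))
    img.data[UNIT:2 * UNIT] = b"secret".ljust(UNIT, b"\0")
    print("encrypted units:", sorted(encrypt_partition(img, b"k" * 32)))
```

Running the pass on an image whose cached table omits a unit that an application writes mid-pass shows the journal picking that unit up, and a write to an already converted unit goes to disk as ciphertext. Note what the scheme does not do: a unit the table marks free may still hold the remnants of deleted files, and encrypt_partition leaves those bytes exactly as they are; a practitioner who needs that data protected has to wipe or encrypt free space as well.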
In the above embodiments, since a whole disk partition contains a great many disk units, each disk unit must be checked against the file allocation table during encryption to determine whether it stores file data.
In practice, while the partition is being encrypted, the user may also read from or write to file data stored in the partition's disk units. In this embodiment, when an application performs write operations on those disk units, the encryption module may comprise a flow execution module, for cyclically performing operation a) and operation b) several times to encrypt the disk units storing file data, until all disk units storing file data in the partition to be encrypted have been encrypted; where operation a) is: within a first preset duration, encrypt the disk units storing file data in the partition to be encrypted, and when the first preset duration ends, perform operation b); and operation b) is: within a second preset duration, execute the instructions in the disk I/O queue, which comprise read instructions and write instructions, and when the second preset duration ends, return to operation a).
The first and second preset durations can be set as required, preferably so as not to disturb the user's normal work; for example, the encryption process and the process that lets the application perform read and write operations can each be allowed to run for half a second at a time.
Fig. 9 is a structural diagram of yet another disk data encryption device disclosed in an embodiment of the present invention. As shown in Fig. 9, the disk data encryption device 90 may comprise:
A to-be-encrypted determination module 601, for determining the disk partition to be encrypted;
A file system acquisition module 602, for obtaining the file system type of the disk partition to be encrypted;
A disk unit determination module 603, for determining, according to the file system type, the disk units in the partition to be encrypted that store file data;
A flow execution module 901, for cyclically performing operation a) and operation b) several times to encrypt the disk units storing file data, until all disk units storing file data in the partition to be encrypted have been encrypted; where operation a) is: within a first preset duration, encrypt the disk units storing file data in the partition to be encrypted, and when the first preset duration ends, perform operation b); and operation b) is: within a second preset duration, execute the instructions in the disk I/O queue, which comprise read instructions and write instructions, and when the second preset duration ends, return to operation a).
In the disk data encryption method disclosed in this embodiment, when an application reads file data from the disk partition, the encrypted file data is first decrypted and then presented to the user in its normal form; and when an application writes file data to the partition, the newly written data is encrypted before it is stored on the disk.
The disk data encryption device may further comprise a detection module, for returning to operation a) during operation b), before the second preset duration ends, if it detects that all instructions in the disk I/O queue have been executed. A specific implementation can be: when the detection module detects that the instructions in the disk I/O queue have all been executed, the second preset duration is set to 0; when it detects that instructions in the disk I/O queue remain, the second preset duration is set to its initial value.
In this embodiment, when an application reads from or writes to the disk partition, the encryption of the disk and the application's read and write operations can be made to alternate in preset time slices, by controlling the process that encrypts newly written data and the process that lets the application access the disk. The preset durations can be set as required, so that the user can continue to work normally.
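The time-sliced alternation of operations a) and b), including the detection module's early return when the I/O queue drains, as an added example with a simulated tick clock (the editor's illustration, not the patent's or Huawei's code). The IoRequest class, the per-unit encryption cost, the arrivals map and the detect_idle switch are assumptions of the example; encryption work is only accounted for in ticks here, the cipher itself is not part of this block.

```python
"""Added example: alternate encryption slices with I/O slices on a simulated clock.
Assumed names and constructed workloads; not the patent's own code."""
from collections import deque
from dataclasses import dataclass


@dataclass
class IoRequest:
    kind: str      # "read" or "write"
    unit: int
    cost: int      # simulated ticks the request occupies the disk


def run_encryption(units, unit_cost, io_queue, encrypt_slice, io_slice,
                   arrivals=None, detect_idle=True):
    """Alternate operation a) (encrypt units for about encrypt_slice ticks) with operation b)
    (serve the disk I/O queue for about io_slice ticks) until every unit is encrypted.
    arrivals maps a tick to requests that enter the queue at that tick, modelling an
    application that keeps working during the pass. With detect_idle=True, operation b)
    ends as soon as the queue drains (the detection module); with False the full io_slice
    elapses even when there is nothing left to serve. Work items are non-preemptive, so a
    slice may overrun by less than one item. Returns (trace, finish_tick, encrypted_order)."""
    clock = 0
    pending = deque(sorted(units))
    queue = deque(io_queue)
    arrivals = dict(arrivals or {})
    trace, encrypted = [], []

    def deliver_arrivals():
        for tick in sorted(t for t in arrivals if t <= clock):
            queue.extend(arrivals.pop(tick))

    while pending:
        # operation a): first preset duration, spent converting units to ciphertext
        deadline = clock + encrypt_slice
        done = []
        while pending and clock < deadline:
            done.append(pending.popleft())
            clock += unit_cost            # a real implementation would encrypt the unit here
        encrypted.extend(done)
        trace.append(("encrypt", tuple(done), clock))
        if not pending:
            break                         # all units done; no further I/O slice is needed
        deliver_arrivals()
        # operation b): second preset duration, spent serving queued reads and writes
        deadline = clock + io_slice
        served = []
        while queue and clock < deadline:
            req = queue.popleft()
            clock += req.cost
            served.append((req.kind, req.unit))
            deliver_arrivals()
        if not queue and not detect_idle and clock < deadline:
            clock = deadline              # without detection the slice runs out on an empty queue
        trace.append(("io", tuple(served), clock))
    return trace, clock, encrypted


if __name__ == "__main__":
    workload = [IoRequest("read", 0, 3), IoRequest("write", 9, 3)]
    for step in run_encryption(range(6), 2, workload, 5, 5)[0]:
        print(step)
```

Comparing the finish tick with detect_idle on and off on the same workload shows what the detection module buys: every I/O slice that would have idled on an empty queue is handed back to encryption, so the pass finishes earlier without delaying any queued request.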
In this specification the embodiments are described progressively; each embodiment emphasizes its differences from the others, and for the identical or similar parts the embodiments may refer to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant parts see the description of the method.
It should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between them. Moreover, the terms "comprises", "comprising" or any other variant are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises it.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the present invention is not to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A disk data encryption method, characterized in that it comprises:
determining a disk partition to be encrypted;
obtaining the file system type of the disk partition to be encrypted;
determining, according to the file system type, the disk units in the disk partition to be encrypted that store file data;
encrypting the disk units that store file data.
2. The method according to claim 1, characterized in that determining, according to the file system type, the disk units in the disk partition to be encrypted that store file data comprises:
obtaining, according to the file system type, the file allocation table of the disk partition to be encrypted;
determining, according to the file allocation table, the disk units in the disk partition to be encrypted that store file data.
3. The method according to claim 2, characterized in that the method further comprises:
during the disk data encryption process, if new data is stored to the disk partition to be encrypted, recording the physical address of the disk unit that stores the new data;
and determining, according to the file system type, the disk units in the disk partition to be encrypted that store file data comprises: determining, according to the file allocation table and the recorded physical addresses, the disk units in the disk partition to be encrypted that store file data.
4. The method according to any one of claims 1 to 3, characterized in that encrypting the disk units that store file data comprises: cyclically performing step a) and step b) several times to encrypt the disk units that store file data, until all disk units storing file data in the disk partition to be encrypted have been encrypted;
a) within a first preset duration, encrypting the disk units in the disk partition to be encrypted that store file data, and when the first preset duration ends, performing step b);
b) within a second preset duration, executing the instructions in the disk I/O queue, the instructions comprising write instructions and read instructions, and when the second preset duration ends, returning to step a).
5. The method according to claim 4, characterized in that step b) further comprises:
before the second preset duration ends, if it is detected that all instructions in the disk I/O queue have been executed, returning to step a).
6. A disk data encryption device, characterized in that it comprises:
a to-be-encrypted determination module, for determining a disk partition to be encrypted;
a file system acquisition module, for obtaining the file system type of the disk partition to be encrypted;
a disk unit determination module, for determining, according to the file system type, the disk units in the disk partition to be encrypted that store file data;
an encryption module, for encrypting the disk units that store file data.
7. The device according to claim 6, characterized in that the disk unit determination module comprises:
a file allocation table acquisition module, for obtaining, according to the file system type, the file allocation table of the disk partition to be encrypted;
a disk unit determination submodule, for determining, according to the file allocation table, the disk units in the disk partition to be encrypted that store file data.
8. The device according to claim 7, characterized in that it further comprises:
a relation record module, for recording, during the disk data encryption process, the physical address of the disk unit that stores new data if new data is stored to the disk partition to be encrypted;
and the disk unit determination module is specifically for: determining, according to the file allocation table and the recorded physical addresses, the disk units in the disk partition to be encrypted that store file data.
9. The device according to any one of claims 6 to 8, characterized in that the encryption module comprises:
a flow execution module, for cyclically performing operation a) and operation b) several times to encrypt the disk units that store file data, until all disk units storing file data in the disk partition to be encrypted have been encrypted;
where operation a) is: within a first preset duration, encrypting the disk units in the disk partition to be encrypted that store file data, and when the first preset duration ends, performing operation b);
and operation b) is: within a second preset duration, executing the instructions in the disk I/O queue, the instructions comprising read instructions and write instructions, and when the second preset duration ends, returning to operation a).
10. The device according to claim 9, characterized in that it further comprises:
a detection module, for returning to operation a) during operation b), before the second preset duration ends, if it detects that all instructions in the disk I/O queue have been executed.
Application CN201310726617.7A, priority date 2013-12-25, filing date 2013-12-25: Disk data encryption method and device. Status: Pending. Publication: CN104751081A (en).

Publications (1)

Publication Number Publication Date
CN104751081A (en) 2015-07-01

Family ID: 53590748


Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1419196A * 2001-11-12 2003-05-21 联想(北京)有限公司 Hard disk data backup and restore method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
卞诚君 et al.: 《完全掌握Windows8使用与维护超级手册》 (Complete Guide to Using and Maintaining Windows 8), 31 October 2013 *
墨涩颓废: 《使用win7、win8、win8.1系统磁盘加密(图文教程)》 (Using disk encryption on Windows 7, 8 and 8.1, illustrated tutorial), https://www.douban.com/note/312839226/ *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105404824A * 2015-11-11 2016-03-16 成都比特信安科技有限公司 Asynchronous data slow encryption system and method
CN105404824B * 2015-11-11 2018-09-25 成都比特信安科技有限公司 Asynchronous data delayed encryption system and method
CN107025388A * 2016-02-02 2017-08-08 上海格尔软件股份有限公司 Method for binding a system disk to a machine based on a TPM chip
CN113268456A * 2021-05-20 2021-08-17 济南浪潮数据技术有限公司 File processing method, system, equipment and computer readable storage medium
CN113268456B * 2021-05-20 2023-12-08 济南浪潮数据技术有限公司 File processing method, system, equipment and computer readable storage medium


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2015-07-01