CN105335663A - Encrypted file system based on double-image file - Google Patents

Encrypted file system based on double-image file Download PDF

Info

Publication number
CN105335663A
CN105335663A CN201510690514.9A CN201510690514A CN105335663A CN 105335663 A CN105335663 A CN 105335663A CN 201510690514 A CN201510690514 A CN 201510690514A CN 105335663 A CN105335663 A CN 105335663A
Authority
CN
China
Prior art keywords
file
encrypted
image file
data
virtual image
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510690514.9A
Other languages
Chinese (zh)
Other versions
CN105335663B (en
Inventor
龙毅宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University of Technology WUT filed Critical Wuhan University of Technology WUT
Priority to CN201510690514.9A priority Critical patent/CN105335663B/en
Publication of CN105335663A publication Critical patent/CN105335663A/en
Application granted granted Critical
Publication of CN105335663B publication Critical patent/CN105335663B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

本发明涉及一种基于双像文件的加密文件系统,加密文件系统中的每个加密文件都对应有一个虚拟的虚像文件,而与虚像文件对应的加密文件称为实像文件;当一个程序进程对虚像文件进行文件I/O操作时,加密文件系统在内部将针对虚像文件的文件I/O操作转化为针对对应实像文件的操作;通过文件重定向,针对一种文件类型的受信进程和非受信息进程分别被允许对实像文件和虚像文件两类文件中的一类文件且仅一类文件直接进行文件I/O操作;当一个受信进程对一个对实像文件或虚像文件进行数据读取或存写操作时,数据被自动解密或加密;由于受信进程和非受信进程分别对不同文件操作,故具有不同的文件控制块和数据缓存,从而避免了暴力清缓存的问题。

The invention relates to an encrypted file system based on dual-image files. Each encrypted file in the encrypted file system corresponds to a virtual virtual image file, and the encrypted file corresponding to the virtual image file is called a real image file; when a program process When virtual image files perform file I/O operations, the encrypted file system internally converts file I/O operations for virtual image files into operations for corresponding real image files; The information process is allowed to directly perform file I/O operations on one type of files in the real image file and the virtual image file, and only one type of file; when a trusted process reads or stores data on a real image file or a virtual image file During the write operation, the data is automatically decrypted or encrypted; since the trusted process and the untrusted process operate on different files, they have different file control blocks and data caches, thus avoiding the problem of violent cache clearing.

Description

A kind of encrypted file system based on double image file
Technical field
The invention belongs to field of information security technology, particularly a kind of encrypted file system based on double image file.
Background technology
Driving the transparent file encryption system of (FileFilterDriver) automatically can realize the encryption and decryption of file when not affecting user's use habit based on file filter device, is the important technical guaranteed data security.But the current following problem of transparent file encryption technology ubiquity driven based on file filter device.
Current file system (as Windows file system) is all the file system of band buffer memory, namely, when application program reads the data of a file, file system first sees in internal memory the content whether being cached with application program and will reading, if have, then direct the data of buffer memory in internal memory to be returned, otherwise, file system reads some file datas (normally data of several pages from storage medium, page read operation as by file), then on the one hand the file data of reading is buffered in internal memory, on the other hand application program desired data is returned to application program, when multiple process opens same file simultaneously, their shared files are data cached (in Windows file system, a file only has a file control block FCB, and when therefore multiple process opens same file simultaneously, they share a FCB and file cache).
In the file encryption system driven based on file filter device, usually program process is divided into trusted process and untrusted process, trusted process sets for specific file type; A trusted process is allowed to the clear data of the encrypt file obtaining respective file type, a untrusted process is not then allowed to, the such as program process of Word program is the trusted process of Word document encrypt file, can obtain the clear data in Word document encrypt file, browser process is not then allowed to obtain the clear data in Word document encrypt file as the untrusted process of Word document.Like this, when a trusted process reads an encrypt file, in internal memory, buffer memory should be clear data, and when a untrusted process reads an encrypt file, in internal memory, buffer memory should be encrypt data.When a trusted process and a untrusted process replace a reading encrypt file, file encryption system needs the data constantly emptying buffer memory in internal memory, to guarantee to be cached with correct data (plaintext or ciphertext) in internal memory, this is called violence brush buffer memory or the clear cache problem of violence, and violence brush buffer memory or the clear buffer memory of violence reduce the efficiency of file operation; Further, when a trusted process and a untrusted process read an encrypt file simultaneously, file encryption system is just difficult to process, at this moment in internal memory, the data of buffer memory likely exist expressly and encrypt data simultaneously, this both may cause sensitive data to leak, and made again trusted process normally to work.
For the data buffer storage problem in transparent file encryption, people propose some solutions, and as Double buffer scheme etc., it is different data cached that Double buffer scheme manages to make trusted process and untrusted process to read for same file, and scheme is complicated.
In fact, solving violence brush or clear buffer memory in transparent file encryption according to traditional file filter device Driving technique is very difficult, that technical difficulty is very high thing.To this, someone starts with from file system and solves relevant issues, namely directly exploitation one meets the transparent encrypted file system file system of file encryption, deciphering (automatically realize) of demand for security, and is namely such a encrypted file system (the SEFS transparent encryption platform technology white paper see based on LayerFSD technology) based on the SEFS transparent encrypted file system of the many FCB of LayerFSD+.SEFS transparent encrypted file system based on the many FCB of LayerFSD+ allows each process have oneself FCB and buffer memory, and the buffer memory of such trusted process is expressly, and the buffer memory of untrusted process is ciphertext.The encrypted file system Problems existing of such FCB more than is: when 1) multiple process accesses a file simultaneously, memory usage and file access efficiency low; 2) change the mode of operating system management file data and file operation, such as, operating system thinks that same file should only have a FCB and buffer memory, and may run into unpredictable problem to the change of this file data management mode; 3) there is the problem that data in multiple FCB and buffer memory are inconsistent.
Summary of the invention
The object of the invention is to propose a kind of encrypted file system based on double image file, to overcome the deficiencies in the prior art.
In order to realize object of the present invention, technical scheme proposed by the invention is:
Based on an encrypted file system for double image file, be specially:
Each (necessary being) file in described encrypted file system has a corresponding virtual image file; Described virtual image file is a kind of file of virtual, untrue existence, and the file of the necessary being corresponding with virtual image file is called real image file; Real image file is encrypt file (encrypted file); Encrypt file has identical file type (extension name) with the original file before encryption; Each virtual image file has a file path, is called virtual file paths (file path that non-genuine exists); Include the file path of corresponding real image file in the virtual file paths of virtual image file, or the file path of corresponding real image file can be obtained by the virtual file paths of virtual image file; Real image file and virtual image file antithesis file each other, namely virtual image file is the antithesis file of corresponding real image file, and real image file is the antithesis file of corresponding virtual image file; When being allowed to carry out file I/O operation to the program process that virtual image file directly carries out file I/O operation to virtual image file for one, the file I/O operation file I/O be converted into for corresponding real image file for virtual image file operates in inside by encrypted file system.
In described encrypted file system, the program process carrying out file I/O operation to real image file and virtual image file comprises the system process (as WindowsSystem process) of trusted process, untrusted process and operating system secondary file I/O operation; Described trusted process is the program process being allowed to the clear data obtaining encrypt file, comprises the clear data being allowed to directly access real image file acquisition encrypt file or the program process indirectly being obtained the clear data of encrypt file by access virtual image file; Described untrusted process is the program process not being allowed to the clear data obtaining encrypt file, comprises the clear data not being allowed to directly access real image file acquisition encrypt file or the program process indirectly being obtained the clear data of encrypt file by access virtual image file; Trusted process and untrusted process set for file type (the operation process as Word program is the trusted process of Word document, and the operation process of InternetExplorer is not then); The system process that operating system secondary file I/O operates does not belong to trusted process and the untrusted process of any one file type; When the auxiliary trusted process of the system process that operating system secondary file I/O operates carries out file I/O operation, the system process that operating system secondary file I/O operates is allowed to the clear data obtaining encrypt file; When the auxiliary untrusted process of the system process that operating system secondary file I/O operates carries out file I/O operation, the system process that operating system secondary file I/O operates is not allowed to the clear data obtaining encrypt file;
For each the class process in the trusted process set by a kind of file type and untrusted process two class process, to be allowed to the class file in the real image file of the file type of correspondence and virtual image file two class file and only a class file directly carries out file I/O operation (as the trusted process of Word document, as Word program process, only be allowed to directly carry out file I/O operation to Word document real image file, or be only allowed to directly carry out file I/O operation to Word document virtual image file; If the trusted process of Word document is only allowed to directly carry out file I/O operation to Word document real image file, the then untrusted process of Word document, as the process of InternetExplorer, be only allowed to directly carry out file I/O operation to Word document virtual image file); The system process that operating system secondary file I/O operates is allowed to directly carry out file I/O operation (it both directly can carry out file I/O operation to real image file, directly can carry out file I/O operation again to virtual image file) to the real image file of any one file type and virtual image file;
The program process being allowed to directly carry out a kind of real image file of file type or the virtual image file file I/O operation is called as the real image file of respective file type or the program process of being permitted of virtual image file; For the program process of being permitted that the trusted process set by a kind of file type or untrusted process can only be class files in the real image file of respective file type and virtual image file two class file; The system process that operating system secondary file I/O operates is the program process program process of being permitted of virtual image file (it to be real image file be also) of being permitted of the real image file of any one file type and virtual image file; If the program process of being permitted is trusted process, be then called the trusted process of being permitted; If the program process of being permitted is untrusted process, be then called the untrusted process of being permitted; agreement trusted process and untrusted process are allowed to be called that the license that trusted process and untrusted process directly carry out file I/O operation to real image file and the virtual image file specify to the regulation which kind of file in a kind of real image file of file type and virtual image file two class file directly carries out file I/O operation respectively and (specify the license that real image file and virtual image file directly carry out file I/O operation according to trusted process and untrusted process, a trusted process or untrusted process can only be the program process of being permitted of a class file in a kind of real image file of file type and virtual image file two class file, such as, if directly carry out the license regulation of file I/O operation according to trusted process and untrusted process to real image file and virtual image file, the trusted process of Word document directly can only carry out I/O operation to Word document real image file, the untrusted process of Word document directly can only carry out I/O operation to Word document virtual image file, so, Word program process is the trusted process of being permitted of Word document real image file, and InternetExplorer program process is the untrusted process of being permitted of Word document virtual image file) (trusted process and untrusted process and the program process of being permitted and non-program process of being permitted are two different concepts, the former refers to that can a program process directly or indirectly obtain a kind of clear data of encrypt file of file type, the latter refers to that can a program process directly directly carry out file I/O operation to the class in a kind of real image file of file type or virtual image file two class file, a program process or can not obtain the clear data of an encrypt file, but a program process total energy directly or indirectly accessing encrypt file, because it otherwise be the program process of being permitted of real image file (encrypt file), or be the program process of being permitted of virtual image file),
When a real image file is opened or is created in a program process request, the program process that described encrypted file system first judges to open or create real image file is trusted process or untrusted process, then according to trusted process and untrusted process, the license regulation of file I/O operation is directly carried out to real image file and virtual image file, determine whether program process is allowed to directly carry out file I/O operation (namely whether program process is the program process of being permitted of the real image file that will open or create) to real image file, if be not allowed to, the operation (outside) that then real image file was opened or created to program process by encrypted file system is redirected to the corresponding virtual image file of the real image file that program process will be opened or create (if program process is not the program process of being permitted of real image file, must be then the program process of being permitted of the corresponding virtual image file of real image file), be redirected after File Open or creation operation in, the file path of the real image file that program process will be opened or create is converted into the virtual file paths of corresponding virtual image file, if program process is allowed to directly carry out file I/O operation to real image file, then program process is directly opened or is created real image file,
When a virtual image file is opened or created to a program process of being permitted, encrypted file system obtains the file path of corresponding real image file by the virtual file paths of virtual image file that will open or create, and encrypted file system inner by for virtual image file open or creation operation is converted into opening or creation operation for real image file;
When a real image file or virtual image file are opened or created to a program process of being permitted, if encrypted file system finds the real image file opened or create, or the corresponding real image file of the virtual image file opened or create, be a unencrypted file, then unencrypted real image file encryption is become encrypt file by encrypted file system;
When the real image file that a program process of being permitted is opened to or created by trusted process or virtual image file carry out data read operation (file I/O read operation), encrypted file system returns after the decrypt encrypted data of reading; (program process of now, being permitted is the system process that trusted process and/or operating system secondary file I/O operate)
When the real image file that a program process of being permitted is opened to or created by trusted process or virtual image file carry out (file I/O write operation) when data deposit write operation, encrypted file system will carry out data again after will depositing the clear data encryption write and deposits write operation; (program process of now, being permitted is the system process that trusted process and/or operating system secondary file I/O operate)
When the real image file that a program process of being permitted is opened to or created by untrusted process or virtual image file carry out data read operation (file I/O read operation), the enciphered data of reading directly returns by encrypted file system; (program process of now, being permitted is the system process that untrusted process and/or operating system secondary file I/O operate)
When the real image file that a program process of being permitted is opened to or created by untrusted process or virtual image file carry out (file I/O write operation) when data deposit write operation, encrypted file system first checks determines that will deposit the data write is clear data or encrypt data, clear datas to deposit the data write, then encrypted file system will carry out data again and deposits write operation after first will depositing the clear data encryption write, are encrypt datas to deposit the data write, then directly carry out data and deposit write operation; (program process of now, being permitted is the system process that untrusted process and/or operating system secondary file I/O operate)
Before or after a program process of being permitted carries out fileinfo setting operation to a real image file or virtual image file, encrypted file system is the file control block (FileControlBlock in internal memory to real image file and virtual image file, FCB) and data buffer storage (Cache) carry out fileinfo and synchronously process, described fileinfo comprises file size (FileSize), file allocation length (FileAllocationSize), and affects the alternative document information of file I/O operation;
To carry out before or after data deposit write operation to a real image file or virtual image file at a program process of being permitted, to real image file and virtual image file, data cached (Cacheddata) in internal memory synchronously processes encrypted file system.
It should be noted that, open or create a file at a program process, carry out in the process of file I/O operation, the system process that operating system secondary file I/O operates, as WindowsSystem process, file I/O operation can be participated in, Page as carried out data reads, Page write operation etc., now, the file I/O operation that the system process that operating system secondary file I/O operates carries out is regarded as opening or creating file, a part for the file I/O operation that the program process carrying out file I/O operation carries out, such as, if open or create file, what carry out file I/O operation is a trusted process, the system process that then operating system secondary file I/O operates is considered to be a part for trusted process file I/O operation for the file I/O operation that the file that trusted process is opened or created carries out, if opening or create file, carrying out the program process of file I/O operation is a untrusted process, then the system process that operating system secondary file I/O operates is considered to be a part for untrusted process file I/O operation for the file I/O operation that the file that untrusted process is opened or created carries out.
Trusted process and untrusted process have multiple to the license regulation scheme that real image file and virtual image file directly carry out file I/O operation, are below that two kinds of possible trusted processes and untrusted process directly carry out the license regulation scheme of file I/O operation to real image file and virtual image file.
Trusted process and untrusted process directly carry out file I/O operation license regulation scheme one to real image file and virtual image file:
For in a kind of trusted process of file type and untrusted process two class process, untrusted process is only had to be allowed to directly carry out file I/O operation to the real image file of respective file type, untrusted process is not allowed to directly carry out file I/O operation to the virtual image file of respective file type, only have trusted process to be allowed to directly carry out file I/O operation to the virtual image file of respective file type, trusted process is not allowed to directly carry out file I/O operation to the real image file of respective file type.
Trusted process and untrusted process directly carry out file I/O operation license regulation scheme two to real image file and virtual image file:
For in a kind of trusted process of file type and untrusted process two class process, trusted process is only had to be allowed to directly carry out file I/O operation to the real image file of respective file type, trusted process is not allowed to directly carry out file I/O operation to the virtual image file of respective file type, only have untrusted process to be allowed to directly carry out file I/O operation to the virtual image file of respective file type, untrusted process is not allowed to directly carry out file I/O operation to the real image file of respective file type.
When a real image file or virtual image file are opened or created to a program process of being permitted, encrypted file system judges the real image file opened or create according to characteristic, or the corresponding real image file of the virtual image file opened or create is encrypt file or non-encrypted file;
When the real image file that a program process of being permitted is opened to or created by untrusted process or virtual image file carry out (file I/O write operation) when data deposit write operation, according to characteristic, encrypted file system judges that will deposit the file data write is clear data or encrypt data.
Encrypted file system has multiple to the scheme that real image file and virtual image file carry out fileinfo and data cached synchronous process, is below several possible schemes.
The scheme one of fileinfo and data cached synchronous process:
In encrypted file system, introduce a file synchronization filtrator drive and a file synchronization process; Described file synchronization process is a program process operating in user's space; Described file synchronization process is the program process of being permitted of real image file and virtual image file;
After a real image file or virtual image file are opened or created to a program process of being permitted beyond file synchronization process (the PostCreate process that the minifilter as Windows operates for file CreateI/O), self-defining user's context (CustomUserContext) whether has been created in the file control block of the file that file synchronization filtrator drives inspection to open or create in internal memory, if no, then file synchronization filtrator drives and create a self-defining user's context in file control block;
Before or after a program process of being permitted carries out fileinfo setting operation to a real image file or virtual image file, file synchronization filtrator drives and sends fileinfo synchronization notice to file synchronization process;
After receiving fileinfo synchronization notice, file synchronization process open or create the program process of being permitted carry out fileinfo setting operation for the antithesis file of file, the fileinfo of antithesis file is set, after completing fileinfo setting operation to make file synchronization process and the program process of being permitted, fileinfo in the file control block of antithesis file and data buffer storage and the program process of being permitted carry out fileinfo setting operation for the file control block of file and data buffer storage in fileinfo consistent (unanimously not necessarily the same, because consider the factor of possible additional header, for data buffer storage, the file size of data buffer storage can be made by fileinfo setting operation consistent),
File synchronization filtrator drives to be intercepted after file synchronization process arranges the request of the fileinfo of file, check in the file control block of file in internal memory whether have self-defining user's context, if have, then allow I/O operate sensitive information and request is set by (going down, arrange), otherwise, directly return setting operation success (without the need to carrying out renewal rewards theory);
To carry out before or after file data deposits write operation to a real image file or virtual image file at a program process of being permitted, file synchronization filtrator drives and sends file cache data syn-chronization notice to file synchronization process;
After receiving file cache data syn-chronization notice, file synchronization process open or create the program process of being permitted carry out file data deposit write operation for the antithesis file of file, deposit and write part random data (this random data deposits write operation as data cached synchronous signal, synchronous to distinguish fileinfo), then close antithesis file;
File synchronization filtrator drives to be intercepted after file synchronization process deposits the request of file data, check in the file control block of file in internal memory whether have self-defining user's context, if have, then empty data cached in internal memory of file, then directly return data deposits write operation success (not going down, really carry out data deposit write operation), otherwise do not carry out null clear operation, direct return data deposits write operation success;
File synchronization process, to the fileinfo of a real image file or virtual image file or data cached synchronous operation, does not trigger new synchronous process operation (avoiding circulation synchronous to upgrade);
Drive if described encrypted file system comprises a file encryption filter, then the synchronized update function that file synchronization filtrator drives is driven by file encryption filter to be implemented.
The scheme two of fileinfo and data cached synchronous process:
A file synchronization process is introduced in encrypted file system; Described file synchronization process is a program process operating in user's space; Described file synchronization process is the program process of being permitted of real image file and virtual image file;
Before or after a program process of being permitted carries out fileinfo setting operation to a real image file or virtual image file, encrypted file system sends fileinfo synchronization notice to file synchronization process;
After receiving fileinfo synchronization notice, file synchronization process open or create the program process of being permitted carry out fileinfo setting operation for the antithesis file of file, the fileinfo of antithesis file is set, after completing fileinfo setting operation to make file synchronization process and the program process of being permitted, the fileinfo in the file control block of antithesis file and data buffer storage and the program process of being permitted carry out fileinfo setting operation for the file control block of file and data buffer storage in fileinfo consistent;
Encrypted file system receives after file synchronization process arranges the request of the fileinfo of file, completes fileinfo setting operation;
To carry out before or after file data deposits write operation to a real image file or virtual image file at a program process of being permitted, encrypted file system sends file cache data syn-chronization notice to file synchronization process;
After receiving file cache data syn-chronization notice, file synchronization process open or create the program process of being permitted carry out file data deposit write operation institute for the antithesis file of file, deposit and write part random data, then closedown antithesis file;
Encrypted file system receives after file synchronization process deposits the request of file data, and empty data cached in internal memory of file, then directly return data deposits write operation success (really do not carry out data and deposit write operation);
File synchronization process does not trigger new synchronous process operation (avoiding circulation synchronous to upgrade) to the fileinfo of a real image file or virtual image file or data cached synchronous operation;
Drive if described encrypted file system comprises a file encryption filter, then the fileinfo of file synchronization filtrator driving and data cached synchronous processing capacity are driven by file encryption filter and implement.
The scheme three of fileinfo and data cached synchronous process:
In encrypted file system, introduce a file synchronization filtrator drive;
After a real image file or virtual image file are opened or created to a program process of being permitted, self-defining user's context (CustomUserContext) whether has been created in the file control block of the file that file synchronization filtrator drives inspection to open or create in internal memory, if no, then file synchronization filtrator drives and create a self-defining user's context in file control block;
Before or after a program process of being permitted carries out fileinfo setting operation to a real image file or virtual image file, file synchronization filtrator drive inner nuclear layer open or create the program process of being permitted carry out fileinfo setting operation for the antithesis file of file, check in the file control block of antithesis file in internal memory whether have self-defining user's context, if have, then file synchronization filtrator is driven through the fileinfo of file I/O operation setting antithesis file, or the fileinfo directly arranged in the file control block of antithesis file, and when arrange fileinfo be file size or file allocation length time, the data buffer storage size of file is reset by calling cache management function, after completing fileinfo setting operation to make file synchronization filtrator and the program process of being permitted, fileinfo in the file control block of antithesis file and data buffer storage and the program process of being permitted carry out fileinfo setting operation for the file control block of file and data buffer storage in fileinfo consistent, if there is no self-defining user's context, then fileinfo is not carried out to antithesis file and synchronously process,
A real image file or virtual image file carried out before or after file data deposits write operation at a program process of being permitted, file synchronization filtrator drive inner nuclear layer open or create the program process of being permitted carry out file data deposit write operation for the antithesis file of file, check in the file control block of antithesis file in internal memory whether have self-defining user's context, if have, then file synchronization filtrator drives and empties data cached in internal memory of antithesis file, otherwise, then data cached null clear operation is not carried out to antithesis file;
Drive if described encrypted file system comprises a file encryption filter, then the fileinfo of file synchronization filtrator driving and data cached synchronous processing capacity are driven by file encryption filter and implement.
If increase a file encryption filter to drive in described encrypted file system, the then file encryption processing capacity of described encrypted file system, comprise that trusted process and untrusted process differentiate, File Open or create be redirected, file data encryption and decryption, encrypt file and non-encrypted file differentiate, non-encrypted file be encrypted to encrypt file, deposit that to write data be ciphertext or differentiation expressly, fileinfo and data cached synchronous process, in part or all of driving by file encryption filter implement.
The license regulation scheme that foregoing two kinds of trusted processes and untrusted process directly carry out file I/O operation to real image file and virtual image file is static, namely a trusted process or untrusted process are allowed to directly carry out file I/O operation for a real image file or virtual image file regularly, in fact, license regulation scheme can be dynamic, namely a trusted process or untrusted process are dynamically determined to be no being allowed to and directly carry out file I/O operation for a real image file or virtual image file, are below a kind of dynamically license regulation schemes:
When a real image file is opened or created to a trusted process, described encrypted file system checks whether the real image file that existing untrusted process was opened or created current trusted process and will open or create, if have, then the operation that real image file was opened or created to current trusted process is redirected to the corresponding virtual image file of the real image file that current trusted process will be opened or create, otherwise, check whether that the corresponding virtual image file of the real image file that current trusted process will be opened or create is opened or created to other trusted processes existing further, if have, then the operation that real image file was opened or created to current trusted process is redirected to the corresponding virtual image file of the real image file that current trusted process will be opened or create, otherwise, current trusted process is allowed to open or create its real image file that will open or create,
When a real image file is opened or created to a untrusted process, described encrypted file system checks whether the real image file that existing trusted process was opened or created current untrusted process and will open or create, if have, then the operation that real image file was opened or created to current untrusted process is redirected to the corresponding virtual image file of the real image file that current untrusted process will be opened or create, otherwise, check whether that the corresponding virtual image file of the real image file that current untrusted process will be opened or create is opened or created to other untrusted processes existing further, if have, then the operation that real image file was opened or created to current untrusted process is redirected to the corresponding virtual image file of the real image file that current untrusted process will be opened or create, otherwise, current untrusted process is allowed to open or create its real image file that will open or create.
Encrypted file system, by marking in file control block, records a real image file or virtual image file is current is opened by trusted process or untrusted process or create.
Under dynamic license regulation scheme, the process that encrypted file system operates alternative document I/O is with to permit under regulation scheme in static state the same.
Can see from the above description, based on technical scheme of the present invention, 1) multiple process when accessing a file simultaneously, and there are two file caches at most, memory usage and file access efficiency are all improved; 2) do not change the mode of operating system management file data and file operation, because from the angle of operating system, the file of untrusted process access and the file of trusted process access are two different files; 3) data in two FCB and buffer memory are synchronized update; 4) frequent clear buffer memory is avoided, when trusted process and untrusted process open a file simultaneously, without the need to clear buffer memory, only occurring that trusted process and untrusted process open file simultaneously, and one of them process is when having carried out the retouching operation of fileinfo and/or data to file, just can upgrade and buffer memory clear operation for the FCB of a file and the data cached fileinfo that carries out.
Accompanying drawing explanation
Fig. 1 is system principle schematic diagram of the present invention.
Fig. 2 adopts the driving of file redirection filtrator and user's space file system to implement system architecture of the present invention under Windows.
Fig. 3 adopts file encryption filter driving, file redirection filtrator driving enforcement system architecture of the present invention for network file system(NFS).
Embodiment
Below in conjunction with accompanying drawing and case study on implementation, specific embodiment of the invention is described.
Embodiment one,
The driving of file filter device and user's space file system (FileSysteminUserSpace, FUSE) is adopted to implement the present invention under Windows.
Trusted process and untrusted process adopt the license regulation that real image file and virtual image file directly carry out file I/O operation: allow untrusted process directly to carry out file I/O operation to real image file, allow trusted process directly to carry out file I/O operation to virtual image file.
Fig. 2 adopts the driving of file filter device and user's space file system to implement system architecture of the present invention under Windows, wherein, it is that a file filter device drives that file redirection and synchronous filtering device drive, FUSE file driving is the file system driver of user's space file system, and FUSE user space program is the user space program of user's space file system; File redirection and synchronous filtering device drive the differentiation being responsible for implementing trusted process or untrusted process, redirected and the fileinfo of File Open or creation operation and data cached synchronous process is carried out according to the license regulation of file I/O operation, and FUSE user space program is responsible for implementing file data encryption and decryption, encrypt file and non-encrypted file and is differentiated, non-encrypted file is encrypted to encrypt file, deposits that to write data be ciphertext or differentiation expressly, the correspondence of virtual image file and real image file, and finally the file I/O of real image file is operated; Real image file can be positioned at any position, as local in subscriber's main station, the webserver.
The exploitation that file redirection and synchronous filtering device drive can adopt Windows file filter device to drive (filterdriver) or micro-filter to drive (mini-filterdriver) technological development.Utilize Windows file filter device to drive or micro-filter drives and carries out trusted process and untrusted process and judge it has been proven technique, seldom describe at this; For file redirection, the driving of Windows filtrator or micro-filter can be utilized to drive and to realize reparsepoint function (the simrep.c code see WDK).
The exploitation of user's space file system can utilize the user's space file system technology under Windows to develop, such as, the file driving of Windows or file filter device is utilized to drive exploitation FUSE file driving, by windows desktop development technique exploitation FUSE user space program, and communicated with the communication mechanism between client layer by the inner nuclear layer of Windows between FUSE file driving with FUSE user space program; Or, use existing WindowsFUSE framework to develop double image file system.How development of user space file system under a windows environment, comprises on internet in disclosed data and has introduction, seldom describe at this.
The adoptable a kind of technical scheme of virtual file paths of the virtual image file that real image file is corresponding is: virtual file directory real image file path, here, virtual file directory is a non-existent file directory in user's space file system, and the fullpath that real image file path is the real image file that process will be opened or create comprises file place file reel (here, file reel instruction in the fullpath of original can adopt the expression of inner nuclear layer, also can adopt the expression of client layer; According to the expression of client layer, then the colon after drive is removed, as D: convert D to).
Stream encryption or block encryption can be adopted to the encryption of file data.In order to distinguish encrypt file and non-encrypted file and deposit encrypting and decrypting for information about, special, to comprise a characteristic information head (encryption overhead) can be added to encrypt file.
If encrypt file comprises an additional encryption overhead, then:
When a real image file is opened or created to a untrusted program process, or when a virtual image file is opened or created to a trusted program process, encrypted file system judges the real image file opened or create according to the characteristic of encryption overhead, or the corresponding real image file of the virtual image file opened or create is encrypt file or non-encrypted file;
When the system process that a untrusted process and operating system secondary file I/O operate to the real image file of in encrypted file system carry out data deposit write operation time, according to the characteristic of encryption overhead, the user space program of encrypted file system judges that will deposit the file data write is clear data or encrypt data;
When the system process that trusted process and operating system secondary file I/O operate file data reading is carried out to the virtual image file of in encrypted file system, deposit write operation time, FUSE file driving or FUSE user space program will first to reading, deposit the reference position writing data and carry out head bias process, and then be converted into for corresponding real image file digital independent, deposit write operation;
When the system process that trusted process and operating system secondary file I/O operate carries out file size, file allocation length setting operation to the virtual image file of in encrypted file system, FUSE file driving or FUSE user space program also will first carry out corresponding head bias process, and then are converted into file size, the file allocation length setting operation for corresponding real image file.
Fileinfo and data cached synchronous process in file control block and data buffer storage or driven by file redirection and synchronous filtering device completes separately, or is driven with synchronous filtering device by file redirection, completes together with FUSE user space program; If driven with synchronous filtering device by file redirection, complete together with FUSE user space program, then the operation process of FUSE user space program implements the fileinfo of file synchronization process and data cached synchronizing function.
If fileinfo and data cached synchronous process are driven by file redirection and synchronous filtering device and complete separately, then fileinfo and data cached synchronous process should fileinfo arrange and data deposit write before carry out, namely the stage of process pre-operation (Pre-operation) is driven to carry out at file filter device, this is because Windows file filter device drives rear operational processes stage (Post-operation) due to IRQL restriction, a lot of operation can not directly be carried out.
If fileinfo is driven with synchronous filtering device by file redirection with data cached synchronous process, complete together with FUSE user space program, then file redirection and synchronous filtering device to drive with FUSE user space program between data interaction implemented by the communication mechanism of Windows inner nuclear layer and client layer.Fileinfo and data cached synchronous process can fileinfo arrange or data deposit write before or after carry out, if carrying out afterwards, then due to the IRQL restriction of the rear operational phase of Windows file filter device driving, file redirection and synchronous filtering device drive and possibly cannot send synchronization notice directly to FUSE user space program, and at this moment file redirection and synchronous filtering device drive the WorkItem by creating inner nuclear layer to send synchronization notice.
Other operating systems implement the present invention, some small difference on concrete enforcement, but general thought is the same.
Embodiment two,
In user's main system, the solution of the present invention is implemented by the network file system(NFS) inventing this domain for existing.
System architecture as shown in Figure 3.
Trusted process and untrusted process adopt the license regulation that real image file and virtual image file directly carry out file I/O operation: allow untrusted process directly to carry out file I/O operation to real image file, allow trusted process directly to carry out file I/O operation to virtual image file.
Each file in network file system(NFS) is real image file, and a corresponding virtual image file, method and the case study on implementation one of the structure of the file path of virtual image file are similar: be included in by real image file path in the path of virtual image file.
In user's main system, an enforcement file encryption and synchronous filtering device drive, its function comprises: trusted process and untrusted process differentiate, File Open or establishment are redirected, file data encryption and decryption, encrypt file and non-encrypted file differentiate, non-encrypted file is encrypted to encrypt file, depositing and writing data is ciphertext or differentiation expressly, file control block and data cached synchronous process, namely except the concrete operations process to file data, and the file I/O operation for virtual image file is converted into for almost other the every other functions outside the file I/O operation of real image file.
The main frame that file server runs is implemented a file redirection filtrator drive, its function is file redirection, operation File Serving System program being opened or created the virtual image is redirected to corresponding real image file, and the file I/O operation file I/O be converted into for real image file be about to for virtual image file operates.
Fileinfo and data cached synchronous process can be driven by file encryption and synchronous filtering device and complete separately, or introduce a file synchronization program, driven, complete together with file synchronization program process by file encryption with synchronous filtering device.Some main points that fileinfo and data cached synchronous process are implemented are with case study on implementation one.
File encryption filter drives and adopts file system driver technological development (the micro-filter Driving technique as Windows).
Other unaccounted concrete technology are implemented, and are well-known, self-explantory for those skilled in the relevant art.

Claims (10)

1.一种基于双像文件的加密文件系统,其特征是:1. A kind of encrypted file system based on double image file, it is characterized in that: 所述加密文件系统中的每个文件都有一个对应的虚像文件;所述虚像文件是一种虚拟的、不真实存在的文件,而与虚像文件相对应的真实存在的文件称为实像文件;所述实像文件是加密文件;加密文件与加密前的原有文件具有相同的文件类型;每个虚像文件有一个文件路径,称为虚拟文件路径;虚像文件的虚拟文件路径中包含有对应的实像文件的文件路径,或者通过虚像文件的虚拟文件路径可获得对应的实像文件的文件路径;实像文件和虚像文件互为对偶文件,即一个虚像文件是对应实像文件的对偶文件,而一个实像文件是对应虚像文件的对偶文件;当一个被允许对虚像文件直接进行文件I/O操作的程序进程对虚像文件进行文件I/O操作时,加密文件系统在内部将针对虚像文件的文件I/O操作转化为针对对应实像文件的文件I/O操作。Each file in the encrypted file system has a corresponding virtual image file; the virtual image file is a virtual, unreal file, and the real file corresponding to the virtual image file is called a real image file; The real image file is an encrypted file; the encrypted file has the same file type as the original file before encryption; each virtual image file has a file path, which is called a virtual file path; the virtual file path of the virtual image file contains a corresponding real image The file path of the file, or the file path of the corresponding real image file can be obtained through the virtual file path of the virtual image file; the real image file and the virtual image file are dual files, that is, a virtual image file is a dual file corresponding to a real image file, and a real image file is The dual file corresponding to the virtual image file; when a program process that is allowed to directly perform file I/O operations on the virtual image file performs file I/O operations on the virtual image file, the encrypted file system will internally perform file I/O operations on the virtual image file It is converted into a file I/O operation for the corresponding real image file. 2.根据权利要求1所述的基于双像文件的加密文件系统,其特征是:2. the encrypted file system based on double image file according to claim 1, is characterized in that: 对实像文件和虚像文件进行文件I/O操作的程序进程包括受信进程、非受信进程和操作系统辅助文件I/O操作的系统进程;所述受信进程是被允许获取加密文件的明文数据的程序进程,包括被允许直接访问实像文件获取加密文件的明文数据或通过访问虚像文件间接获取加密文件的明文数据的程序进程;所述非受信进程是不被允许获取加密文件的明文数据的程序进程,包括不被允许直接访问实像文件获取加密文件的明文数据或通过访问虚像文件间接获取加密文件的明文数据的程序进程;受信进程和非受信进程针对文件类型而设定;操作系统辅助文件I/O操作的系统进程不属于任一种文件类型的受信进程和非受信进程;当操作系统辅助文件I/O操作的系统进程辅助一个受信进程进行文件I/O操作时,操作系统辅助文件I/O操作的系统进程被允许获取加密文件的明文数据;当操作系统辅助文件I/O操作的系统进程辅助一个非受信进程进行文件I/O操作时,操作系统辅助文件I/O操作的系统进程不被允许获取加密文件的明文数据;The program process that carries out file I/O operation to real image file and virtual image file comprises trusted process, untrusted process and the system process of operating system auxiliary file I/O operation; Described trusted process is the program that is allowed to obtain the plain text data of encrypted file process, including the program process that is allowed to directly access the real image file to obtain the plaintext data of the encrypted file or indirectly obtain the plaintext data of the encrypted file by accessing the virtual image file; the untrusted process is a program process that is not allowed to obtain the plaintext data of the encrypted file, Including program processes that are not allowed to directly access the real image file to obtain the plaintext data of the encrypted file or indirectly obtain the plaintext data of the encrypted file by accessing the virtual image file; the trusted process and the untrusted process are set according to the file type; the operating system assists file I/O The operating system process does not belong to the trusted process and untrusted process of any file type; when the system process of the operating system assisting file I/O operation assists a trusted process to perform file I/O operations, the operating system assisting file I/O operation The system process of the operation is allowed to obtain the plaintext data of the encrypted file; when the system process of the operating system assisting the file I/O operation assists an untrusted process to perform the file I/O operation, the system process of the operating system assisting the file I/O operation cannot is allowed to obtain the plaintext data of encrypted files; 针对一种文件类型所设定的受信进程和非受信进程两类进程中的每一类进程,被允许对对应的文件类型的实像文件和虚像文件两类文件中的一类文件且仅一类文件直接进行文件I/O操作;操作系统辅助文件I/O操作的系统进程被允许对任一种文件类型的实像文件和虚像文件直接进行文件I/O操作;Each of the two types of processes, the trusted process and the untrusted process set for a file type, is allowed to process one type of files and only one type of files in the corresponding file type of real image files and virtual image files. The file directly performs file I/O operations; the system process of the operating system assisting file I/O operations is allowed to directly perform file I/O operations on real and virtual image files of any file type; 被允许对一种文件类型的实像文件或虚像文件直接进行文件I/O操作的程序进程被称为对应文件类型的实像文件或虚像文件的受许可的程序进程;针对一种文件类型所设定的受信进程或非受信进程只能是对应文件类型的实像文件和虚像文件两类文件中一类文件的受许可的程序进程;操作系统辅助文件I/O操作的系统进程是任一种文件类型的实像文件和虚像文件的受许可的程序进程;若受许可的程序进程是受信进程,则称为受许可的受信进程;若受许可的程序进程是非受信进程,则称为受许可的非受信进程;约定受信进程和非受信进程分别被允许对一种文件类型的实像文件和虚像文件两类文件中的哪一类文件直接进行文件I/O操作的规定称为受信进程和非受信进程对实像文件和虚像文件直接进行文件I/O操作的许可规定;A program process that is allowed to directly perform file I/O operations on a real image file or a virtual image file of a file type is called a permitted program process for a real image file or a virtual image file of a corresponding file type; The trusted process or untrusted process can only be a program process that is permitted for one of the two types of files, real image files and virtual image files, of the corresponding file type; the system process for operating system-assisted file I/O operations is any file type The licensed program process of the real image file and the virtual image file; if the licensed program process is a trusted process, it is called a licensed trusted process; if the licensed program process is an untrusted process, it is called a licensed untrusted process It is agreed that the trusted process and the untrusted process are allowed to directly perform file I/O operations on which type of file of a type of real image file and virtual image file. Permission regulations for direct file I/O operations of real and virtual image files; 当一个程序进程请求打开或创建一个实像文件时,所述加密文件系统先判断打开或创建实像文件的程序进程是受信进程还是非受信进程,然后根据受信进程和非受信进程对实像文件和虚像文件直接进行文件I/O操作的许可规定,确定程序进程是否被允许对实像文件直接进行文件I/O操作,若不被允许,则加密文件系统将程序进程打开或创建实像文件的操作重定向到程序进程要打开或创建的实像文件的对应虚像文件,在重定向后的文件打开或创建操作中,程序进程要打开或创建的实像文件的文件路径被转换成对应虚像文件的虚拟文件路径;若程序进程被允许对实像文件直接进行文件I/O操作,则程序进程直接打开或创建实像文件;When a program process requests to open or create a real image file, the encrypted file system first judges whether the program process that opens or creates the real image file is a trusted process or a non-trusted process, and then performs a process based on the trusted process and the untrusted process. Permission regulations for direct file I/O operations determine whether the program process is allowed to directly perform file I/O operations on real image files. If not allowed, the encrypted file system redirects the program process to open or create real image files. The corresponding virtual image file of the real image file to be opened or created by the program process, in the redirected file opening or creation operation, the file path of the real image file to be opened or created by the program process is converted into the virtual file path of the corresponding virtual image file; if If the program process is allowed to directly perform file I/O operations on the real image file, the program process will directly open or create the real image file; 当一个受许可的程序进程打开或创建一个虚像文件时,加密文件系统通过要打开或创建的虚像文件的虚拟文件路径获得对应实像文件的文件路径,并在加密文件系统内部将针对虚像文件的打开或创建操作转化为针对实像文件的打开或创建操作;When a licensed program process opens or creates a virtual image file, the encrypted file system obtains the file path of the corresponding real image file through the virtual file path of the virtual image file to be opened or created, and inside the encrypted file system will open the virtual image file Or the creation operation is transformed into an open or create operation for the real image file; 当一个受许可的程序进程打开或创建一个实像文件或虚像文件时,若加密文件系统发现打开或创建的实像文件,或者打开或创建的虚像文件的对应实像文件,是一个非加密的文件,则加密文件系统将非加密的实像文件加密成加密文件;When a licensed program process opens or creates a real image file or a virtual image file, if the encrypted file system finds that the opened or created real image file, or the corresponding real image file of the opened or created virtual image file, is an unencrypted file, then Encrypted file system encrypts non-encrypted real image files into encrypted files; 当一个受许可的程序进程对一个被受信进程打开或创建的实像文件或虚像文件进行数据读取操作时,加密文件系统将读取的加密数据解密后返回;When a permitted program process reads data from a real or virtual image file opened or created by a trusted process, the encrypted file system decrypts the read encrypted data and returns it; 当一个受许可的程序进程对一个被受信进程打开或创建的实像文件或虚像文件进行数据存写操作时,加密文件系统将要存写的明文数据加密后再进行数据存写操作;When an authorized program process performs data storage and writing operations on a real or virtual image file opened or created by a trusted process, the encrypted file system encrypts the plaintext data to be stored and written before performing data storage and writing operations; 当一个受许可的程序进程对一个被非受信进程打开或创建的实像文件或虚像文件进行数据读取操作时,加密文件系统将读取的加密数据直接返回;When an authorized program process reads data from a real or virtual image file opened or created by an untrusted process, the encrypted file system returns the encrypted data read directly; 当一个受许可的程序进程对一个被非受信进程打开或创建的实像文件或虚像文件进行数据存写操作时,加密文件系统先检查确定要存写的数据是明文数据还是密文数据,若要存写的数据是明文数据,则加密文件系统先将要存写的明文数据加密后再进行数据存写操作,若要存写的数据是密文数据,则直接进行数据存写操作;When an authorized program process performs data storage and writing operations on a real or virtual image file opened or created by an untrusted process, the encrypted file system first checks to determine whether the data to be stored and written is plaintext data or ciphertext data. If the data to be stored and written is plaintext data, the encryption file system first encrypts the plaintext data to be stored and written, and then performs the data storage and writing operation. If the data to be stored and written is ciphertext data, the data storage and writing operation is performed directly; 在一个受许可的程序进程对一个实像文件或虚像文件进行文件信息设置操作之前或之后,加密文件系统对实像文件和虚像文件在内存中的文件控制块及数据缓存进行文件信息同步处理,所述文件信息包括文件长度、文件分配长度,以及影响文件I/O操作的其他文件信息;Before or after a permitted program process performs a file information setting operation on a real image file or a virtual image file, the encrypted file system performs file information synchronization processing on the file control block and data cache of the real image file and the virtual image file in memory, the said File information includes file length, file allocation length, and other file information that affects file I/O operations; 在一个受许可的程序进程对一个实像文件或虚像文件进行数据存写操作之前或之后,加密文件系统对实像文件和虚像文件在内存中的缓存数据进行同步处理。Before or after a permitted program process performs data storage and writing operations on a real image file or a virtual image file, the encrypted file system performs synchronous processing on the cached data of the real image file and the virtual image file in memory. 3.根据权利要求2所述的基于双像文件的加密文件系统,其特征是:3. the encrypted file system based on double image file according to claim 2, is characterized in that: 受信进程和非受信进程对实像文件和虚像文件直接进行文件I/O操作的一种许可规定是:A permission regulation for the trusted process and the untrusted process to directly perform file I/O operations on the real image file and the virtual image file is: 针对一种文件类型的受信进程和非受信进程两类进程中,只有非受信进程被允许对对应文件类型的实像文件直接进行文件I/O操作,非受信进程不被允许对对应文件类型的虚像文件直接进行文件I/O操作,只有受信进程被允许对对应文件类型的虚像文件直接进行文件I/O操作,受信进程不被允许对对应文件类型的实像文件直接进行文件I/O操作。Among the trusted process and untrusted process for a file type, only the untrusted process is allowed to directly perform file I/O operations on the real image file of the corresponding file type, and the untrusted process is not allowed to perform file I/O operations on the virtual image of the corresponding file type. The file directly performs file I/O operations. Only the trusted process is allowed to directly perform file I/O operations on virtual image files of the corresponding file type, and the trusted process is not allowed to directly perform file I/O operations on real image files of the corresponding file type. 4.根据权利要求2所述的基于双像文件的加密文件系统,其特征是:4. the encrypted file system based on dual image files according to claim 2, characterized in that: 受信进程和非受信进程对实像文件和虚像文件直接进行文件I/O操作一种许可规定是:A permission regulation for the trusted process and the untrusted process to directly perform file I/O operations on the real image file and the virtual image file is: 针对一种文件类型的受信进程和非受信进程两类进程中,只有受信进程被允许对对应文件类型的实像文件直接进行文件I/O操作,受信进程不被允许对对应文件类型的虚像文件直接进行文件I/O操作,只有非受信进程被允许对对应文件类型的虚像文件直接进行文件I/O操作,非受信进程不被允许对对应文件类型的实像文件直接进行文件I/O操作。Among the trusted process and untrusted process for a file type, only the trusted process is allowed to directly perform file I/O operations on the real image file of the corresponding file type, and the trusted process is not allowed to directly perform file I/O operations on the virtual image file of the corresponding file type. For file I/O operations, only untrusted processes are allowed to directly perform file I/O operations on virtual image files of the corresponding file type, and untrusted processes are not allowed to directly perform file I/O operations on real image files of the corresponding file type. 5.根据权利要求2所述的基于双像文件的加密文件系统,其特征是:5. the encrypted file system based on double image file according to claim 2, is characterized in that: 当一个受许可的程序进程打开或创建一个实像文件或虚像文件时,加密文件系统根据特征数据判断打开或创建的实像文件,或者打开或创建的虚像文件的对应实像文件,是加密文件还是非加密文件;When a licensed program process opens or creates a real image file or a virtual image file, the encrypted file system determines whether the opened or created real image file, or the corresponding real image file of the opened or created virtual image file, is an encrypted file or an unencrypted file based on the feature data document; 当一个受许可的程序进程对一个被非受信进程打开或创建的实像文件或虚像文件进行数据存写操作时,加密文件系统根据特征数据判断要存写的文件数据是明文数据还是密文数据。When an authorized program process performs data storage and writing operations on a real or virtual image file opened or created by an untrusted process, the encrypted file system judges whether the file data to be stored and written is plaintext data or ciphertext data according to the characteristic data. 6.根据权利要求2所述的基于双像文件的加密文件系统,其特征是:6. The encrypted file system based on dual image files according to claim 2, characterized in that: 加密文件系统对实像文件和虚像文件进行文件信息和缓存数据同步处理的一种方案如下:A scheme for the encrypted file system to synchronize file information and cached data between real image files and virtual image files is as follows: 在加密文件系统中引入一个文件同步过滤器驱动和一个文件同步进程;所述文件同步进程是一个运行在用户空间的程序进程;所述文件同步进程是实像文件和虚像文件的受许可的程序进程;Introduce a file synchronization filter driver and a file synchronization process in the encrypted file system; the file synchronization process is a program process running in user space; the file synchronization process is a licensed program process for real image files and virtual image files ; 当文件同步进程以外的一个受许可的程序进程打开或创建一个实像文件或虚像文件后,文件同步过滤器驱动检查打开或创建的文件在内存中的文件控制块中是否已创建有自定义的用户上下文,若没有,则文件同步过滤器驱动在文件控制块中创建一个自定义的用户上下文;When a licensed program process other than the file synchronization process opens or creates a real or virtual image file, the file synchronization filter driver checks whether the opened or created file has been created with a custom user in the file control block in memory context, if not, the file synchronization filter driver creates a custom user context in the file control block; 在一个受许可的程序进程对一个实像文件或虚像文件进行文件信息设置操作之前或之后,文件同步过滤器驱动向文件同步进程发出文件信息同步通知;Before or after a permitted program process performs a file information setting operation on a real image file or a virtual image file, the file synchronization filter driver sends a file information synchronization notification to the file synchronization process; 接收到文件信息同步通知后,文件同步进程打开或创建受许可的程序进程进行文件信息设置操作所针对的文件的对偶文件,设置对偶文件的文件信息,以使得文件同步进程和受许可的程序进程完成文件信息设置操作后,对偶文件的文件控制块及数据缓存中的文件信息与受许可的程序进程进行文件信息设置操作所针对的文件的文件控制块及数据缓存中的文件信息一致;After receiving the file information synchronization notification, the file synchronization process opens or creates the dual file of the file for which the permitted program process performs the file information setting operation, and sets the file information of the dual file so that the file synchronization process and the permitted program process After the file information setting operation is completed, the file information in the file control block of the dual file and the file information in the data cache is consistent with the file information in the file control block and the file information in the data cache of the file for which the permitted program process performs the file information setting operation; 文件同步过滤器驱动拦截到文件同步进程设置文件的文件信息的请求后,检查文件在内存中的文件控制块中是否有自定义的用户上下文,若有,则让I/O操作敏感信息设置请求通过,否则,直接返回设置操作成功;After the file synchronization filter driver intercepts the request for setting the file information of the file in the file synchronization process, check whether the file has a user-defined user context in the file control block in the memory, and if so, let the I/O operate the sensitive information setting request Passed, otherwise, directly return the success of the setting operation; 在一个受许可的程序进程对一个实像文件或虚像文件进行文件数据存写操作之前或之后,文件同步过滤器驱动向文件同步进程发出文件缓存数据同步通知;Before or after a permitted program process performs a file data storage and writing operation on a real image file or a virtual image file, the file synchronization filter driver sends a file cache data synchronization notification to the file synchronization process; 接收到文件缓存数据同步通知后,文件同步进程打开或创建受许可的程序进程进行文件数据存写操作所针对的文件的对偶文件,存写部分随机数据,然后关闭对偶文件;After receiving the file cache data synchronization notification, the file synchronization process opens or creates a dual file of the file for which the permitted program process performs file data storage and writing operations, stores and writes some random data, and then closes the dual file; 文件同步过滤器驱动拦截到文件同步进程存写文件数据的请求后,检查文件在内存中的文件控制块中是否有自定义的用户上下文,若有,则清空文件在内存中的缓存数据,然后直接返回数据存写操作成功,否则,不进行清空操作,直接返回数据存写操作成功;After the file synchronization filter driver intercepts the request of the file synchronization process to store and write file data, check whether the file has a user-defined user context in the file control block in the memory, and if so, clear the cached data of the file in the memory, and then Directly return the success of the data storage and writing operation, otherwise, do not perform the clearing operation, and directly return the success of the data storage and writing operation; 文件同步进程对一个实像文件或虚像文件的文件信息或缓存数据的同步操作,不触发新的同步处理操作;The file synchronization process does not trigger a new synchronization processing operation on the file information or cached data of a real image file or virtual image file; 若所述加密文件系统包括一个文件加密过滤器驱动,则文件同步过滤器驱动的同步更新功能由文件加密过滤器驱动实施。If the encrypted file system includes a file encryption filter driver, then the file synchronization filter driver's synchronous update function is implemented by the file encryption filter driver. 7.根据权利要求2所述的基于双像文件的加密文件系统,其特征是:7. the encrypted file system based on double image file according to claim 2, is characterized in that: 加密文件系统对实像文件和虚像文件进行文件信息和缓存数据同步处理的一种方案如下:A scheme for the encrypted file system to synchronize file information and cached data between real image files and virtual image files is as follows: 在加密文件系统中引入一个文件同步进程;所述文件同步进程是一个运行在用户空间的程序进程;所述文件同步进程是实像文件和虚像文件的受许可的程序进程;Introducing a file synchronization process into the encrypted file system; the file synchronization process is a program process running in user space; the file synchronization process is a permitted program process of real image files and virtual image files; 在一个受许可的程序进程对一个实像文件或虚像文件进行文件信息设置操作之前或之后,加密文件系统向文件同步进程发出文件信息同步通知;Before or after a permitted program process performs a file information setting operation on a real image file or a virtual image file, the encrypted file system sends a file information synchronization notification to the file synchronization process; 接收到文件信息同步通知后,文件同步进程打开或创建受许可的程序进程进行文件信息设置操作所针对的文件的对偶文件,设置对偶文件的文件信息,以使得文件同步进程和受许可的程序进程完成文件信息设置操作后,对偶文件的文件控制块及数据缓存中的文件信息与受许可的程序进程进行文件信息设置操作所针对的文件的文件控制块及数据缓存中的文件信息一致;After receiving the file information synchronization notification, the file synchronization process opens or creates the dual file of the file for which the permitted program process performs the file information setting operation, and sets the file information of the dual file so that the file synchronization process and the permitted program process After the file information setting operation is completed, the file information in the file control block of the dual file and the file information in the data cache is consistent with the file information in the file control block and the file information in the data cache of the file for which the permitted program process performs the file information setting operation; 加密文件系统接收到文件同步进程设置文件的文件信息的请求后,完成文件信息设置操作;After the encrypted file system receives the request of the file synchronization process to set the file information of the file, it completes the file information setting operation; 在一个受许可的程序进程对一个实像文件或虚像文件进行文件数据存写操作之前或之后,加密文件系统向文件同步进程发出文件缓存数据同步通知;Before or after a permitted program process performs a file data storage and writing operation on a real image file or a virtual image file, the encrypted file system sends a file cache data synchronization notification to the file synchronization process; 接收到文件缓存数据同步通知后,文件同步进程打开或创建受许可的程序进程进行文件数据存写操作所针对的文件的对偶文件,存写部分随机数据,然后关闭对偶文件;After receiving the file cache data synchronization notification, the file synchronization process opens or creates a dual file of the file for which the permitted program process performs file data storage and writing operations, stores and writes some random data, and then closes the dual file; 加密文件系统接收到文件同步进程存写文件数据的请求后,清空文件在内存中的缓存数据,然后直接返回数据存写操作成功;After the encrypted file system receives the request of the file synchronization process to store and write the file data, it clears the cached data of the file in the memory, and then directly returns the success of the data store and write operation; 文件同步进程对一个实像文件或虚像文件的文件信息或缓存数据的同步操作不触发新的同步处理操作;The file synchronization process does not trigger a new synchronization processing operation on the file information or cache data of a real image file or virtual image file; 若所述加密文件系统包括一个文件加密过滤器驱动,则文件同步过滤器驱动的文件信息和缓存数据同步处理功能由文件加密过滤器驱动实施。If the encrypted file system includes a file encryption filter driver, the file information and cache data synchronization processing function of the file synchronization filter driver is implemented by the file encryption filter driver. 8.根据权利要求2所述的基于双像文件的加密文件系统,其特征是:8. The encrypted file system based on dual image files according to claim 2, characterized in that: 加密文件系统对实像文件和虚像文件进行文件信息和缓存数据同步处理的一种方案如下:A scheme for the encrypted file system to synchronize file information and cached data between real image files and virtual image files is as follows: 在加密文件系统中引入一个文件同步过滤器驱动;Introduced a file synchronization filter driver in the encrypted file system; 当一个受许可的程序进程打开或创建一个实像文件或虚像文件后,文件同步过滤器驱动检查打开或创建的文件在内存中的文件控制块中是否已创建有自定义的用户上下文,若没有,则文件同步过滤器驱动在文件控制块中创建一个自定义的用户上下文;When a licensed program process opens or creates a real image file or virtual image file, the file synchronization filter driver checks whether the opened or created file has a custom user context created in the file control block in memory, and if not, Then the file synchronization filter driver creates a custom user context in the file control block; 在一个受许可的程序进程对一个实像文件或虚像文件进行文件信息设置操作之前或之后,文件同步过滤器驱动在内核层打开或创建受许可的程序进程进行文件信息设置操作所针对的文件的对偶文件,检查对偶文件在内存中的文件控制块中是否有自定义的用户上下文,若有,则文件同步过滤器驱动通过文件I/O操作设置对偶文件的文件信息,或者直接设置对偶文件的文件控制块中的文件信息,且当设置的文件信息是文件长度或文件分配长度时,通过调用缓存管理函数重新设置文件的数据缓存大小,以使得文件同步过滤器和受许可的程序进程完成文件信息设置操作后,对偶文件的文件控制块及数据缓存中的文件信息与受许可的程序进程进行文件信息设置操作所针对的文件的文件控制块及数据缓存中的文件信息一致;若没有自定义的用户上下文,则不对对偶文件进行文件信息同步处理;Before or after a licensed program process performs a file information setting operation on a real image file or a virtual image file, the file synchronization filter driver opens or creates a dual of the file for which the licensed program process performs file information setting operations at the kernel layer file, check whether the dual file has a user-defined user context in the file control block in the memory, if so, the file synchronization filter driver sets the file information of the dual file through the file I/O operation, or directly sets the file of the dual file The file information in the control block, and when the set file information is the file length or the file allocation length, reset the data cache size of the file by calling the cache management function, so that the file synchronization filter and the permitted program process complete the file information After the setting operation, the file information in the file control block of the dual file and the file information in the data cache is consistent with the file information in the file control block and data cache of the file for which the permitted program process performs the file information setting operation; if there is no custom If the user context is used, the file information synchronization of the dual file will not be performed; 在一个受许可的程序进程对一个实像文件或虚像文件进行文件数据存写操作之前或之后,文件同步过滤器驱动在内核层打开或创建受许可的程序进程进行文件数据存写操作所针对的文件的对偶文件,检查对偶文件在内存中的文件控制块中是否有自定义的用户上下文,若有,则文件同步过滤器驱动清空对偶文件在内存中的缓存数据,否则,则不对对偶文件进行缓存数据清空操作;Before or after a licensed program process performs file data storage and writing operations on a real image file or a virtual image file, the file synchronization filter driver opens or creates the file for which the licensed program process performs file data storage and writing operations at the kernel layer For the dual file, check whether the dual file has a user-defined user context in the file control block in the memory. If so, the file synchronization filter driver will clear the cache data of the dual file in the memory; otherwise, the dual file will not be cached. Data clearing operation; 若所述加密文件系统包括一个文件加密过滤器驱动,则文件同步过滤器驱动的文件信息和缓存数据同步处理功能由文件加密过滤器驱动实施。If the encrypted file system includes a file encryption filter driver, the file information and cache data synchronization processing function of the file synchronization filter driver is implemented by the file encryption filter driver. 9.根据权利要求2所述的基于双像文件的加密文件系统,其特征是:9. The encrypted file system based on dual image files according to claim 2, characterized in that: 若在所述加密文件系统中增加一个文件加密过滤器驱动,则所述加密文件系统的文件加密处理功能,包括受信进程和非受信进程判别、文件打开或创建重定向、文件数据加密和解密、加密文件和非加密文件判别、将非加密文件加密成加密文件、存写数据是密文还是明文的判别、文件信息和缓存数据同步处理,中的部分或全部由文件加密过滤器驱动实施。If a file encryption filter driver is added in the encrypted file system, then the file encryption processing function of the encrypted file system includes trusted process and untrusted process discrimination, file opening or creating redirection, file data encryption and decryption, Encrypted files and non-encrypted file identification, encryption of non-encrypted files into encrypted files, identification of stored and written data in ciphertext or plaintext, synchronization of file information and cached data, part or all of which are driven by file encryption filters. 10.根据权利要求1所述的基于双像文件的加密文件系统,其特征是:10. The encrypted file system based on dual image files according to claim 1, characterized in that: 针对所述加密文件系统的一种基于动态许可的文件I/O操作方案如下:A dynamic license-based file I/O operation scheme for the encrypted file system is as follows: 当一个受信进程打开或创建一个实像文件时,所述加密文件系统检查是否已有非受信进程打开或创建了当前受信进程要打开或创建的实像文件,若有,则将当前受信进程打开或创建实像文件的操作重定向到当前受信进程要打开或创建的实像文件的对应虚像文件,否则,进一步检查是否已有其他受信进程打开或创建了当前受信进程要打开或创建的实像文件的对应虚像文件,若有,则将当前受信进程打开或创建实像文件的操作重定向到当前受信进程要打开或创建的实像文件的对应虚像文件,否则,当前受信进程被允许打开或创建其要打开或创建的实像文件;When a trusted process opens or creates a real image file, the encrypted file system checks whether an untrusted process has opened or created a real image file that the current trusted process will open or create, and if so, the current trusted process will open or create The operation of the real image file is redirected to the corresponding virtual image file of the real image file to be opened or created by the current trusted process, otherwise, further check whether other trusted processes have opened or created the corresponding virtual image file of the real image file to be opened or created by the current trusted process , if there is, the operation of opening or creating a real image file by the current trusted process is redirected to the corresponding virtual image file of the real image file to be opened or created by the current trusted process, otherwise, the current trusted process is allowed to open or create the real image file it wants to open or create real image file; 当一个非受信进程打开或创建一个实像文件时,所述加密文件系统检查是否已有受信进程打开或创建了当前非受信进程要打开或创建的实像文件,若有,则将当前非受信进程打开或创建实像文件的操作重定向到当前非受信进程要打开或创建的实像文件的对应虚像文件,否则,进一步检查是否已有其他非受信进程打开或创建了当前非受信进程要打开或创建的实像文件的对应虚像文件,若有,则将当前非受信进程打开或创建实像文件的操作重定向到当前非受信进程要打开或创建的实像文件的对应虚像文件,否则,当前非受信进程被允许打开或创建其要打开或创建的实像文件;When an untrusted process opens or creates a real image file, the encrypted file system checks whether a trusted process has opened or created a real image file that the current untrusted process will open or create, and if so, then the current untrusted process will be opened Or the operation of creating a real image file is redirected to the corresponding virtual image file of the real image file to be opened or created by the current untrusted process, otherwise, further check whether other untrusted processes have opened or created the real image to be opened or created by the current untrusted process The corresponding virtual image file of the file, if there is, the operation of opening or creating a real image file by the current untrusted process is redirected to the corresponding virtual image file of the real image file to be opened or created by the current untrusted process, otherwise, the current untrusted process is allowed to open or create the real image file it wants to open or create; 当一个程序进程打开或创建一个虚像文件时,加密文件系统通过要打开或创建的虚像文件的虚拟文件路径获得对应实像文件的文件路径,并在加密文件系统内部将针对虚像文件的打开或创建操作转化为针对实像文件的打开或创建操作;When a program process opens or creates a virtual image file, the encrypted file system obtains the file path of the corresponding real image file through the virtual file path of the virtual image file to be opened or created, and will open or create the virtual image file in the encrypted file system Converted to open or create operations for real image files; 当一个程序进程打开或创建一个实像文件或虚像文件时,若加密文件系统发现打开或创建的实像文件,或者打开或创建的虚像文件的对应实像文件,是一个非加密的文件,则加密文件系统将非加密的实像文件加密成加密文件;When a program process opens or creates a real image file or a virtual image file, if the encrypted file system finds that the opened or created real image file, or the corresponding real image file of the opened or created virtual image file, is a non-encrypted file, the encrypted file system Encrypt non-encrypted real image files into encrypted files; 当一个受信进程或操作系统辅助文件I/O操作的系统进程对一个被受信进程打开或创建的实像文件或虚像文件进行数据读取操作时,加密文件系统将读取的加密数据解密后返回;When a trusted process or a system process assisted by the operating system for file I/O operations reads data from a real or virtual image file opened or created by a trusted process, the encrypted file system decrypts the read encrypted data and returns it; 当一个受信进程或操作系统辅助文件I/O操作的系统进程对一个被受信进程打开或创建的实像文件或虚像文件进行数据存写操作时,加密文件系统将要存写的明文数据加密后再进行数据存写操作;When a trusted process or a system process that assists in file I/O operations of the operating system performs data storage and writing operations on a real or virtual image file opened or created by a trusted process, the encrypted file system encrypts the plaintext data to be stored and written before proceeding. Data storage and writing operations; 当一个非受信进程或操作系统辅助文件I/O操作的系统进程对一个被非受信进程打开或创建的实像文件或虚像文件进行数据读取操作时,加密文件系统将读取的加密数据直接返回;When an untrusted process or a system process that assists in file I/O operations of the operating system reads data from a real or virtual image file opened or created by an untrusted process, the encrypted file system will directly return the encrypted data read ; 当一个非受信进程或操作系统辅助文件I/O操作的系统进程对一个被非受信进程打开或创建的实像文件或虚像文件进行数据存写操作时,加密文件系统先检查确定要存写的数据是明文数据还是密文数据,若要存写的数据是明文数据,则加密文件系统先将要存写的明文数据加密后再进行数据存写操作,若要存写的数据是密文数据,则直接进行数据存写操作;When an untrusted process or a system process that assists in file I/O operations of the operating system performs data storage and writing operations on a real or virtual image file opened or created by an untrusted process, the encrypted file system first checks to determine the data to be stored and written Whether it is plaintext data or ciphertext data, if the data to be stored and written is plaintext data, the encrypted file system first encrypts the plaintext data to be stored and written before performing the data storage and writing operation; if the data to be stored and written is ciphertext data, then Direct data storage and writing operations; 在一个程序进程对一个实像文件或虚像文件进行文件信息设置操作之前或之后,加密文件系统对实像文件和虚像文件在内存中的文件控制块及数据缓存进行文件信息同步处理,所述文件信息包括文件长度、文件分配长度,以及影响文件I/O操作的其他文件信息;Before or after a program process performs file information setting operations on a real image file or a virtual image file, the encrypted file system performs file information synchronization processing on the file control block and data cache of the real image file and virtual image file in memory, and the file information includes File length, file allocation length, and other file information that affects file I/O operations; 在一个程序进程对一个实像文件或虚像文件进行数据存写操作之前或之后,加密文件系统对实像文件和虚像文件在内存中的缓存数据进行同步处理。Before or after a program process performs a data storage and writing operation on a real image file or a virtual image file, the encrypted file system performs synchronous processing on the cached data of the real image file and the virtual image file in memory.
CN201510690514.9A 2015-10-22 2015-10-22 A kind of encrypted file system based on double image file Expired - Fee Related CN105335663B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510690514.9A CN105335663B (en) 2015-10-22 2015-10-22 A kind of encrypted file system based on double image file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510690514.9A CN105335663B (en) 2015-10-22 2015-10-22 A kind of encrypted file system based on double image file

Publications (2)

Publication Number Publication Date
CN105335663A true CN105335663A (en) 2016-02-17
CN105335663B CN105335663B (en) 2018-08-03

Family

ID=55286182

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510690514.9A Expired - Fee Related CN105335663B (en) 2015-10-22 2015-10-22 A kind of encrypted file system based on double image file

Country Status (1)

Country Link
CN (1) CN105335663B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760779A (en) * 2016-02-18 2016-07-13 武汉理工大学 Bidirectional file encryption system based on FUSE
CN106557684A (en) * 2016-10-14 2017-04-05 北京金山安全软件有限公司 File scanning method and device and terminal equipment
CN113824694A (en) * 2021-08-24 2021-12-21 武汉联影医疗科技有限公司 File decryption method, computer device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101710345A (en) * 2009-12-22 2010-05-19 成都市华为赛门铁克科技有限公司 Method and device for storing and reading documents and access system
CN101853363A (en) * 2010-05-07 2010-10-06 北京飞天诚信科技有限公司 File protection method and system
CN103268455A (en) * 2013-05-09 2013-08-28 华为技术有限公司 Method and device for accessing data
CN103778384A (en) * 2014-02-24 2014-05-07 北京明朝万达科技有限公司 Identity authentication based virtual terminal safety environment protection method and system
CN104021354A (en) * 2014-06-23 2014-09-03 成都卫士通信息产业股份有限公司 Data anti-leaking method in computer virtualization environment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101710345A (en) * 2009-12-22 2010-05-19 成都市华为赛门铁克科技有限公司 Method and device for storing and reading documents and access system
CN101853363A (en) * 2010-05-07 2010-10-06 北京飞天诚信科技有限公司 File protection method and system
CN103268455A (en) * 2013-05-09 2013-08-28 华为技术有限公司 Method and device for accessing data
CN103778384A (en) * 2014-02-24 2014-05-07 北京明朝万达科技有限公司 Identity authentication based virtual terminal safety environment protection method and system
CN104021354A (en) * 2014-06-23 2014-09-03 成都卫士通信息产业股份有限公司 Data anti-leaking method in computer virtualization environment

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760779A (en) * 2016-02-18 2016-07-13 武汉理工大学 Bidirectional file encryption system based on FUSE
CN105760779B (en) * 2016-02-18 2018-06-22 武汉理工大学 A kind of Two-way File encryption system based on FUSE
CN106557684A (en) * 2016-10-14 2017-04-05 北京金山安全软件有限公司 File scanning method and device and terminal equipment
CN106557684B (en) * 2016-10-14 2019-09-27 北京金山安全软件有限公司 File scanning method and device and terminal equipment
CN113824694A (en) * 2021-08-24 2021-12-21 武汉联影医疗科技有限公司 File decryption method, computer device and storage medium
CN113824694B (en) * 2021-08-24 2023-08-22 武汉联影医疗科技有限公司 File decryption method, computer device and storage medium

Also Published As

Publication number Publication date
CN105335663B (en) 2018-08-03

Similar Documents

Publication Publication Date Title
US11194920B2 (en) File system metadata protection
US9240883B2 (en) Multi-key cryptography for encrypting file system acceleration
CN103825953B (en) A kind of user model encrypted file system
CN101729550B (en) Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof
CN103106372B (en) For lightweight privacy data encryption method and the system of android system
US8880879B2 (en) Accelerated cryptography with an encryption attribute
Peterson et al. Secure Deletion for a Versioning File System.
CN104160407B (en) Using storage control EBI guaranteeing the data transmission security between storage device and main frame
CN100585608C (en) A method and system for securely processing data files
CN103745162B (en) A kind of secure network file storage system
US11030119B2 (en) Storage data encryption and decryption apparatus and method
US20120233472A1 (en) Securing non-volatile memory regions
Peters et al. DEFY: A Deniable, Encrypted File System for Log-Structured Storage.
WO2011137743A1 (en) File protection method and system
CN105426766B (en) A kind of file encryption system based on shadow file
CN102609667A (en) Automatic file encryption and decryption system and automatic file encryption and decryption method based on filter drive program
CN105224882B (en) A kind of file encryption system based on bridge file system
CN104252605A (en) Method and system for file transparent encryption and decryption of Android platform
CN103218575A (en) Host file security monitoring method
JP2020528608A5 (en)
CN106713334B (en) Encryption method, decryption method, access method and device for virtual storage volume
WO2023046207A1 (en) Data transmission method and apparatus, and non-volatile computer-readable storage medium
CN105335663A (en) Encrypted file system based on double-image file
CN103544443A (en) Application layer file hiding method under NTFS file system
CN108229190A (en) Control method, device, program, storage medium and the electronic equipment of transparent encryption and decryption

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180803