CN105656866A - Data encryption method and system - Google Patents

Data encryption method and system

Info

Publication number: CN105656866A
Authority: CN (China)
Prior art keywords: file, key, encryption, file system, data
Legal status: Granted (active)
Application number: CN201410719901.6A
Other languages: Chinese (zh)
Other versions: CN105656866B (en)
Inventors: 刘遵, 刘遵一
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201410719901.6A (granted as CN105656866B)
Priority to PCT/CN2015/096162 (WO2016086850A1)
Publication of CN105656866A; application granted and published as CN105656866B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract

The invention discloses a data encryption method and system, belonging to the technical field of information security. The method and system are used in a network attached storage (NAS) system that comprises multiple file systems. The method comprises: obtaining a file system encryption key of a first file system; generating a file key serial number for a first file in the first file system; generating a file encryption key for the first file according to the file system encryption key of the first file system and the file key serial number of the first file; and, when a write instruction for the first file is detected, encrypting the data to be written according to the file encryption key of the first file to obtain the ciphertext corresponding to that data. The invention thereby addresses the problems that arise when all data in a file system is stored under the same key: low data security, too coarse a management granularity, and no way to manage a single file within the file system. It achieves file-level data encryption, improves data security, and makes management of individual files possible.

Description

Data encryption method and system
Technical field
The present invention relates to the field of information security technology, and in particular to a data encryption method and system.
Background
With the development of Internet information technology, the secure storage of information is becoming ever more important. Taking a network attached storage (NAS) system as an example, a NAS system conventionally contains multiple file systems (FS), and the data in each FS is encrypted with the same key. A NAS system also conventionally encrypts data with a symmetric encryption algorithm, in which encryption and decryption of the data use the same key.
When a file system is created in the NAS system, the NAS system automatically allocates a file system key identity (FS_Key_ID) to the file system and, at the same time, applies for a file system encryption key (FS_Key) corresponding to the file system. When data needs to be written to the file system, the NAS system encrypts the data to be written with the FS_Key of that file system and stores the resulting ciphertext in a storage pool. When data needs to be read from the file system, the NAS system first reads the ciphertext from the storage pool, decrypts it with the FS_Key to obtain the data, and then transmits the plaintext to the module that requested the read. When the data of a file system needs to be destroyed, the NAS system simply deletes the FS_Key corresponding to that file system.
In the course of implementing the present invention, the inventor found that the prior art has at least the following problem:
Data in the same file system is stored under the same key, so the security of the data is low and the granularity of data management is too coarse; individual files within a file system cannot be managed.
Summary of the invention
To solve the problems of the prior art, namely that the security of data in a NAS system is low, that the granularity of data management is too coarse, and that individual files in a file system cannot be managed, the present invention provides a data encryption method and system. The technical solution is as follows:
In a first aspect, a data encryption method is provided for a network attached storage (NAS) system, the NAS system comprising multiple file systems. The method comprises:
obtaining a file system encryption key of a first file system, the first file system being any one of the multiple file systems;
generating, for a first file in the first file system, a file key serial number uniquely corresponding to the first file;
generating, for the first file, a file encryption key uniquely corresponding to the first file according to the file system encryption key of the first file system and the file key serial number of the first file; and
when a write instruction for the first file is detected, encrypting the write data in the write instruction according to the file encryption key of the first file to obtain ciphertext corresponding to the write data.
With reference to the first aspect, in a first possible implementation of the first aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and
after the write data in the write instruction has been encrypted according to the file encryption key of the first file to obtain the ciphertext corresponding to the write data, the method further comprises:
when a delete instruction for the first file is detected, checking whether a preset attribute option of the first file system indicates that the first file is to be destroyed;
when the preset attribute option of the first file system indicates that the first file is to be destroyed, deleting the file structure of the first file and the file key serial number of the first file; and
when the preset attribute option of the first file system does not indicate that the first file is to be destroyed, deleting the file structure of the first file.
With reference to the first aspect, in a second possible implementation of the first aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and
after the write data in the write instruction has been encrypted according to the file encryption key of the first file to obtain the ciphertext corresponding to the write data, the method further comprises:
when a delete instruction for the first file is detected, deleting the file structure of the first file.
With reference to the first aspect, in a third possible implementation of the first aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and
after the file encryption key uniquely corresponding to the first file has been generated according to the file system encryption key of the first file system and the file key serial number of the first file, the method further comprises:
updating the file key serial number of the first file;
generating a new file encryption key of the first file according to the file system encryption key of the first file system and the updated file key serial number of the first file;
decrypting the file ciphertext of the first file according to the file encryption key of the first file (the key in use before the update) to obtain the file content of the first file, the file ciphertext having been obtained by encrypting the file content of the first file with that file encryption key; and
encrypting the file content according to the new file encryption key of the first file to obtain the updated file ciphertext of the first file.
With reference to the first aspect, or any of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, obtaining the file system encryption key of the first file system comprises:
when an instruction to create the first file system in the NAS system is detected, generating a file system key identity for the first file system;
sending the file system key identity of the first file system to a key management server (KMS), so that the KMS generates, according to the file system key identity of the first file system, a file system encryption key uniquely corresponding to the first file system; and
receiving the file system encryption key uniquely corresponding to the first file system sent by the KMS.
With reference to the first aspect, or any of the first to third possible implementations of the first aspect, in a fifth possible implementation of the first aspect, obtaining the file system encryption key of the first file system comprises:
when the NAS system powers on, obtaining the file system key identity of the first file system, the file system key identity of the first file system having been generated when the first file system was created in the NAS system;
sending the file system key identity of the first file system to a key management server (KMS), so that the KMS queries, according to the file system key identity of the first file system, the file system encryption key uniquely corresponding to the first file system; and
receiving the file system encryption key uniquely corresponding to the first file system sent by the KMS.
With reference to the first aspect, in a sixth possible implementation of the first aspect, generating, for the first file in the first file system, the file key serial number uniquely corresponding to the first file comprises:
when a create instruction for the first file is detected, generating the file key serial number uniquely corresponding to the first file;
or,
when a first open instruction for the first file is detected, generating the file key serial number uniquely corresponding to the first file.
With reference to the first aspect, in a seventh possible implementation of the first aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and
after the write data in the write instruction has been encrypted according to the file encryption key of the first file to obtain the ciphertext corresponding to the write data, the method further comprises:
when a read instruction for the first file is detected, obtaining from the file ciphertext of the first file the ciphertext corresponding to the read instruction, that ciphertext having been obtained by encryption with the file encryption key of the first file; and
decrypting the ciphertext corresponding to the read instruction according to the file encryption key of the first file to obtain the read data.
In a second aspect, a data encryption system is provided for a network attached storage (NAS) system, the NAS system comprising multiple file systems. The data encryption system comprises:
a system key acquisition module, configured to obtain a file system encryption key of a first file system, the first file system being any one of the multiple file systems;
a file serial number generation module, configured to generate, for a first file in the first file system, a file key serial number uniquely corresponding to the first file;
a file key generation module, configured to generate, for the first file, a file encryption key uniquely corresponding to the first file according to the file system encryption key of the first file system and the file key serial number of the first file; and
a write data encryption module, configured to, when a write instruction for the first file is detected, encrypt the write data in the write instruction according to the file encryption key of the first file to obtain ciphertext corresponding to the write data.
With reference to the second aspect, in a first possible implementation of the second aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and the data encryption system further comprises:
a destruction detection module, configured to, when a delete instruction for the first file is detected, check whether a preset attribute option of the first file system indicates that the first file is to be destroyed;
a file destruction module, configured to delete the file structure of the first file and the file key serial number of the first file when the preset attribute option of the first file system indicates that the first file is to be destroyed; and
a first deletion module, configured to delete the file structure of the first file when the preset attribute option of the first file system does not indicate that the first file is to be destroyed.
With reference to the second aspect, in a second possible implementation of the second aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and the data encryption system further comprises:
a second deletion module, configured to delete the file structure of the first file when a delete instruction for the first file is detected.
With reference to the second aspect, in a third possible implementation of the second aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and the data encryption system further comprises:
a file serial number update module, configured to update the file key serial number of the first file;
a new file key generation module, configured to generate a new file encryption key of the first file according to the file system encryption key of the first file system and the updated file key serial number of the first file;
an update decryption module, configured to decrypt the file ciphertext of the first file according to the file encryption key of the first file to obtain the file content of the first file, the file ciphertext having been obtained by encrypting the file content of the first file with the file encryption key of the first file; and
an update encryption module, configured to encrypt the file content according to the new file encryption key of the first file to obtain the updated file ciphertext of the first file.
With reference to the second aspect, or any of the first to third possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the system key acquisition module comprises:
an identity generation unit, configured to generate a file system key identity for the first file system when an instruction to create the first file system in the NAS system is detected;
a first sending unit, configured to send the file system key identity of the first file system to a key management server (KMS), so that the KMS generates, according to the file system key identity of the first file system, a file system encryption key uniquely corresponding to the first file system; and
a first receiving unit, configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
With reference to the second aspect, or any of the first to third possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the system key acquisition module comprises:
an identity acquisition unit, configured to obtain the file system key identity of the first file system when the NAS system powers on, the file system key identity of the first file system having been generated when the first file system was created in the NAS system;
a second sending unit, configured to send the file system key identity of the first file system to a key management server (KMS), so that the KMS queries, according to the file system key identity of the first file system, the file system encryption key uniquely corresponding to the first file system; and
a second receiving unit, configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
With reference to the second aspect, in a sixth possible implementation of the second aspect, the file serial number generation module comprises:
a first generation unit, configured to generate the file key serial number uniquely corresponding to the first file when a create instruction for the first file is detected;
or,
a second generation unit, configured to generate the file key serial number uniquely corresponding to the first file when a first open instruction for the first file is detected.
With reference to the second aspect, in a seventh possible implementation of the second aspect, the first file comprises a file structure, the file key serial number and a file ciphertext, and the data encryption system further comprises:
a ciphertext acquisition module, configured to, when a read instruction for the first file is detected, obtain from the file ciphertext of the first file the ciphertext corresponding to the read instruction, that ciphertext having been obtained by encryption with the file encryption key of the first file; and
a ciphertext decryption module, configured to decrypt the ciphertext corresponding to the read instruction according to the file encryption key of the first file to obtain the read data.
The technical solution provided by the present invention brings the following beneficial effects:
A file system encryption key of a first file system is obtained; for a first file in the first file system, a file key serial number uniquely corresponding to the first file is generated; a file encryption key uniquely corresponding to the first file is generated according to the file system encryption key of the first file system and the file key serial number of the first file; and when a write instruction for the first file is detected, the write data in the write instruction is encrypted according to the file encryption key of the first file to obtain the ciphertext corresponding to the write data. By generating a file encryption key for each file in a file system and encrypting each file according to its own file encryption key, the present invention solves the problems that data in the same file system is stored under the same key, that the security of the data is therefore low, that the granularity of data management is too coarse, and that individual files in a file system cannot be managed; it achieves file-level data encryption, improves the security of the data, and makes management of individual files possible.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment to which the embodiments of the present invention relate;
Fig. 2 is a flowchart of a data encryption method provided by one embodiment of the present invention;
Fig. 3 is a flowchart of a data encryption method provided by another embodiment of the present invention;
Fig. 4 is a block diagram of a data encryption system provided by one embodiment of the present invention;
Fig. 5 is a block diagram of a data encryption system provided by another embodiment of the present invention;
Fig. 6 is a block diagram of a system key acquisition module according to the embodiment shown in Fig. 5;
Fig. 7 is a block diagram of another system key acquisition module according to the embodiment shown in Fig. 5;
Fig. 8 is a block diagram of a file serial number generation module according to the embodiment shown in Fig. 5;
Fig. 9 is a block diagram of a data encryption system provided by one embodiment of the present invention;
Fig. 10 is a block diagram of a data encryption system provided by another embodiment of the present invention.
Detailed description of the invention
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Referring to Fig. 1, it shows a schematic diagram of a data encryption implementation environment 00 to which the embodiments of the present invention relate. The data encryption implementation environment 00 comprises a data encryption system 100 and a key management server (KMS) 200. The data encryption system 100 may be a NAS system, and the key management server 200 may provide key management for the data encryption system 100; the key management server 200 may use security measures such as dedicated tamper-resistant hardware, certificates, data encryption, transport encryption and key self-destruction to ensure the security of the keys.
The data encryption system 100 may comprise multiple file systems 120 and at least one encryption (Encrypt) module 140, and may further comprise at least one storage pool 160 and at least one cache 180.
The file system 120 may receive data access request instructions from an upper-layer module (such as the cache 180 in Fig. 1); a data access request instruction may be a write request instruction, a read request instruction, an update request instruction, a delete request instruction, or the like. The file system 120 may also send to the encryption module 140 the data that needs to be encrypted together with the file key serial number (File_Key_SerialNumber, F_Key_SN) of the file to which that data belongs, and receive the ciphertext obtained by encryption that the encryption module 140 sends back. The file system 120 may also store the received ciphertext in the storage pool 160, or obtain from the storage pool 160 the ciphertext corresponding to a read instruction and send that ciphertext, together with the F_Key_SN of the file it belongs to, to the encryption module 140.
The encryption module 140 generates, for a file in the file system 120, an F_Key_SN uniquely corresponding to that file, and derives a file encryption key (File_Key, F_Key) uniquely corresponding to that file from the file system encryption key (FileSystem_Key, FS_Key) of the file system 120 and the F_Key_SN of the file; the derived F_Key uniquely corresponding to the file is usually kept by the key management server 200. The encryption module 140 also looks up in the key management server 200 the F_Key corresponding to an F_Key_SN sent by the file system 120, encrypts the data that needs to be encrypted with the F_Key found to obtain ciphertext, and sends the ciphertext to the file system 120; or it looks up in the key management server 200 the F_Key corresponding to an F_Key_SN sent by the file system 120, decrypts the ciphertext that needs to be decrypted with the F_Key found to obtain the data, and sends the data to the file system 120. The encryption module 140 also has the functions of deleting and updating an F_Key_SN; when the encryption module 140 deletes an F_Key_SN, the file content of the file uniquely corresponding to that F_Key_SN is destroyed.
The storage pool 160 stores the ciphertext.
The cache 180 may be the upper-layer module, or a unit within the upper-layer module, and sends data access request instructions to the file system 120; the cache 180 sends these data access request instructions to the file system 120 according to operation instructions from a client outside the data encryption system 100.
Referring to Fig. 2, it shows a flowchart of a data encryption method provided by one embodiment of the present invention. The data encryption method of this embodiment may be performed by the data encryption system 100 shown in Fig. 1, which may comprise multiple file systems and may be a NAS system. Referring to Fig. 2, the method may comprise the following steps:
In step 201, a file system encryption key of a first file system is obtained, the first file system being any one of the multiple file systems.
In step 202, a file key serial number uniquely corresponding to a first file in the first file system is generated for the first file.
In step 203, a file encryption key uniquely corresponding to the first file is generated for the first file according to the file system encryption key of the first file system and the file key serial number of the first file.
In step 204, when a write instruction for the first file is detected, the write data in the write instruction is encrypted according to the file encryption key of the first file to obtain ciphertext corresponding to the write data.
In summary, in the data encryption method provided by this embodiment of the present invention, a file system encryption key of a first file system is obtained; a file key serial number uniquely corresponding to a first file in the first file system is generated for the first file; a file encryption key uniquely corresponding to the first file is generated according to the file system encryption key of the first file system and the file key serial number of the first file; and when a write instruction for the first file is detected, the write data in the write instruction is encrypted according to the file encryption key of the first file to obtain the ciphertext corresponding to the write data. By generating a file encryption key for each file in the file system and encrypting each file according to its own file encryption key, this embodiment solves the problems that data in the same file system is stored under the same key, that the security of the data is therefore low, that the granularity of data management is too coarse, and that individual files in a file system cannot be managed; it achieves file-level data encryption, improves the security of the data, and makes management of individual files possible.
Please refer to Fig. 3, which shows a flowchart of a data encryption method provided by another embodiment of the present invention. The data encryption method of this embodiment may be performed by the data encryption system 100 shown in Fig. 1, which may contain multiple file systems; this embodiment is described with the data encryption system 100 being a NAS system as an example. Referring to Fig. 3, the method may include the following steps:
In step 301, the file system encryption key of a first file system is obtained, the first file system being any one of the multiple file systems.
In this embodiment, the encryption module 140 obtaining the file system encryption key (English: File System Key, abbreviated FS_Key) of the first file system may include the following three steps:
Step 1: when the encryption module 140 detects an instruction to create the first file system in the NAS system, the encryption module 140 generates a file system key identifier (English: File System Key IDentity, abbreviated FS_Key_ID) for the first file system.
FS_Key_ID uniquely identifies one file system in the NAS system. Specifically, when the encryption module 140 detects an instruction to create the first file system in the NAS system, it automatically generates an FS_Key_ID for that file system; that is, whenever the encryption module 140 detects an instruction to create a file system in the NAS system, it generates an FS_Key_ID that uniquely identifies the file system being created.
When the encryption module 140 generates the FS_Key_ID for the first file system, it may send that FS_Key_ID to the first file system, so that the first file system learns the FS_Key_ID corresponding to it and stores it.
Step 2: the encryption module 140 sends the FS_Key_ID of the first file system to the KMS, so that the KMS generates, from the FS_Key_ID of the first file system, an FS_Key uniquely corresponding to the first file system.
Specifically, when the encryption module 140 generates the FS_Key_ID for the first file system, it sends that FS_Key_ID to the KMS. On receiving the FS_Key_ID sent by the encryption module 140, the KMS allocates an FS_Key to the first file system according to the FS_Key_ID; this FS_Key corresponds uniquely to the first file system. Suppose the KMS allocates the FS_Key 010101 to the first file system; then, until 010101 is deleted, the KMS will not allocate 010101 to any file system other than the first file system.
Step 3: the encryption module 140 receives the FS_Key uniquely corresponding to the first file system from the KMS.
When the KMS has generated, from the FS_Key_ID of the first file system, the FS_Key uniquely corresponding to the first file system, the KMS sends that FS_Key to the encryption module 140, so that the encryption module 140 learns the FS_Key uniquely corresponding to the first file system.
When the encryption module 140 receives the FS_Key uniquely corresponding to the first file system, it may store that FS_Key. Specifically, the encryption module 140 may store the FS_Key paired with the FS_Key_ID that uniquely corresponds to the first file system; that is, the encryption module 140 may store the correspondence between FS_Key_ID and FS_Key, which may be as shown in Table 1 below.
Table 1

FS_Key_ID    FS_Key
ID-A         a
ID-B         b
......       ......
Referring to Table 1, the FS_Key corresponding to ID-A is a and the FS_Key corresponding to ID-B is b; that is, the FS_Key of the file system whose FS_Key_ID is ID-A is a, and the FS_Key of the file system whose FS_Key_ID is ID-B is b.
It should be noted that, because the KMS can use security measures such as dedicated tamper-resistant hardware, certificates, data encryption, transport encryption and key self-destruction to protect keys, the KMS is more secure than the encryption module 140 in the file system. Therefore, in this embodiment, the FS_Key of the first file system is always stored in the KMS. When the time for which the FS_Key of the first file system has been held in the encryption module 140 exceeds a preset period, the FS_Key of the first file system is automatically cleared from the encryption module 140; alternatively, when the first file system is powered off, the FS_Key of the first file system held by the encryption module 140 is automatically cleared, and when the first file system is powered on again, the encryption module 140 re-obtains the FS_Key of the first file system from the KMS. The FS_Key obtained in this way is the one generated when the first file system was created; the encryption module 140 simply queries the KMS for it. Accordingly, steps 1 to 3 above may also be replaced by the following three steps:
Step 1a: when the NAS system is powered on, the encryption module 140 obtains the FS_Key_ID of the first file system, which was generated when the first file system was created in the NAS system.
The encryption module 140 may store the FS_Key_ID of the first file system, in which case step 1a consists of the encryption module 140 looking up the FS_Key_ID of the first file system among the FS_Key_IDs it has stored.
Step 2a: the encryption module 140 sends the FS_Key_ID of the first file system to the KMS, so that the KMS looks up the FS_Key uniquely corresponding to the first file system according to that FS_Key_ID.
Specifically, the KMS may maintain the correspondence between FS_Key_ID and FS_Key. When the KMS receives the FS_Key_ID of the first file system sent by the encryption module 140, it looks up, in the correspondence between FS_Key_ID and FS_Key that it maintains, the FS_Key uniquely corresponding to the first file system, and sends the FS_Key it finds to the encryption module 140.
Step 3a: the encryption module 140 receives the FS_Key uniquely corresponding to the first file system from the KMS.
Step 3a is identical or similar to step 3 above and is not repeated here.
In step 302, a file encryption key serial number uniquely corresponding to a first file in the first file system is generated for the first file.
The first file is any file in the first file system. The file encryption key serial number (English: File_Key_SerialNumber, abbreviated F_Key_SN) uniquely identifies the first file within the first file system. F_Key_SN serves as the derivation factor of the file encryption key (File_Key, abbreviated F_Key) of the first file: the encryption module 140 can derive the F_Key of the first file from its F_Key_SN.
The encryption module 140 uses a random algorithm and a verification algorithm to automatically generate the F_Key_SN uniquely corresponding to the first file. Specifically, the encryption module 140 first generates an F_Key_SN for the first file with the random algorithm, then uses the verification algorithm to check whether that F_Key_SN is unique within the first file system. If it is, the encryption module 140 takes it as the F_Key_SN uniquely corresponding to the first file; if it is not, the encryption module 140 repeats the above operations until the generated F_Key_SN is unique within the first file system.
In this embodiment, the encryption module 140 generating the F_Key_SN uniquely corresponding to the first file in the first file system covers the following two situations:
First situation: when the encryption module 140 detects a create instruction for the first file, it generates the F_Key_SN uniquely corresponding to the first file.
Specifically, when the encryption module 140 detects a create instruction for creating the first file in the first file system, it generates, for the first file in the first file system, the F_Key_SN uniquely corresponding to the first file.
Second situation: when the encryption module 140 detects the first open instruction for the first file, it generates the F_Key_SN uniquely corresponding to the first file.
In the second situation, the encryption module 140 did not generate an F_Key_SN for the first file when the first file was created in the first file system; it may therefore generate the F_Key_SN uniquely corresponding to the first file when it detects the first open instruction for the first file in the first file system.
It should be noted that when the encryption module 140 generates the F_Key_SN for the first file, it may send the F_Key_SN uniquely corresponding to the first file to the first file, so that the first file learns its F_Key_SN and stores it.
In step 303, a file encryption key uniquely corresponding to the first file is generated for the first file from the file system encryption key of the first file system and the file encryption key serial number of the first file.
Specifically, the encryption module 140 uses the F_Key_SN of the first file as the derivation factor of the F_Key uniquely corresponding to the first file, and generates that F_Key from the FS_Key of the first file system and the F_Key_SN of the first file using a hash algorithm or AES.
It should be noted that when the encryption module 140 generates the F_Key uniquely corresponding to the first file, it may store that F_Key. Specifically, the encryption module 140 may store the F_Key paired with the F_Key_SN uniquely corresponding to the first file; that is, the encryption module 140 may store the correspondence between F_Key_SN and F_Key, which may be as shown in Table 2 below.
Table 2

F_Key_SN     F_Key
SN-A         a1
SN-B         b1
......       ......
Referring to Table 2, the F_Key corresponding to SN-A is a1 and the F_Key corresponding to SN-B is b1; that is, the F_Key of the file whose F_Key_SN is SN-A is a1, and the F_Key of the file whose F_Key_SN is SN-B is b1.
It should also be noted that, as with the storage of the FS_Key of the first file system, the F_Key of the first file may also be stored in the KMS. When the time for which the F_Key of the first file has been held in the encryption module 140 exceeds a preset period, the F_Key of the first file is automatically cleared from the encryption module 140; when the encryption module 140 needs the F_Key of the first file to encrypt the first file, it may obtain the F_Key of the first file from the KMS. The F_Key obtained in this way is the one generated when the first file was created or first opened; the encryption module 140 simply queries the KMS for the F_Key of the first file.
It should also be noted that the data encryption method of this embodiment encrypts data with a symmetric encryption algorithm, in which the same key is used for encryption and decryption; therefore the encryption module 140 and the KMS may store the F_Key uniquely corresponding to the first file in the manner of Table 2 above. When an asymmetric encryption algorithm is used, different keys are used to encrypt and decrypt the data, so when storing the F_Key uniquely corresponding to the first file the encryption module 140 and the KMS store the encryption key and the decryption key each in correspondence with the F_Key_SN; the specific process is the same as or similar to the above and is not repeated here.
In step 304, when a write instruction for the first file is detected, the write data in the write instruction is encrypted with the file encryption key of the first file to obtain the ciphertext corresponding to the write data.
When the first file in the first file system detects a write instruction for the first file, the first file sends the write data in the write instruction together with the F_Key_SN uniquely corresponding to the first file to the encryption module 140. After receiving the write data and the F_Key_SN sent by the first file, the encryption module 140 looks up, according to the received F_Key_SN, the F_Key corresponding to that F_Key_SN in the correspondence between F_Key_SN and F_Key stored in the encryption module 140 or the KMS. When it finds the F_Key corresponding to the F_Key_SN, the encryption module 140 encrypts the received write data with that F_Key to obtain the ciphertext corresponding to the write data. The write instruction may be sent by the cache 180 in the implementation environment shown in Fig. 1.
It should be noted that after the encryption module 140 has encrypted the write data and obtained the corresponding ciphertext, it sends the ciphertext to the first file so that the first file stores it; specifically, the first file may store the ciphertext in the storage pool 160 of the implementation environment shown in Fig. 1.
In step 305, when a delete instruction for the first file is detected, it is checked whether the attribute field of the preset first file system indicates that the first file is to be destroyed.
The first file comprises a file structure, an F_Key_SN and a file ciphertext. The file structure is the metadata of the first file and may include its storage location, creation time, size, time of last update and so on; the file ciphertext is the ciphertext obtained by encrypting the file content of the first file.
The first file system is the file system containing the first file, and the attribute of the preset first file system is set in advance. When the attribute of the preset first file system is "delete the file structure and delete the F_Key_SN", the attribute indicates that the first file is to be destroyed; when the attribute is "delete the file structure", the attribute indicates that the first file is not to be destroyed.
Specifically, the first file may store the attribute of the preset first file system. The attribute of the first file system may indicate that a file is destroyed when it is deleted, or that a file is not destroyed when it is deleted. If the attribute of the preset first file system stored by the first file indicates that the first file is destroyed when it is deleted, the first file determines that the first file is to be destroyed; if the attribute indicates that the first file is not destroyed when it is deleted, the first file determines that the first file is not to be destroyed. The attribute of the first file system is generally set in advance by the user.
The delete instruction may be sent by the cache 180 in the implementation environment shown in Fig. 1.
In step 306, when the attribute field of the preset first file system indicates that the first file is to be destroyed, the file structure of the first file and the file encryption key serial number of the first file are deleted.
If in step 305 the first file determines that the attribute field of the preset first file system indicates that the first file is to be destroyed, the first file deletes the file structure of the first file and the F_Key_SN of the first file. Once the F_Key_SN of the first file has been deleted, the first file is completely destroyed.
Because in this embodiment the first file can be completely destroyed merely by deleting its F_Key_SN (the derivation factor without which its F_Key cannot be regenerated), the data encryption method of this embodiment destroys a file quickly and in a short time, completely destroying a file within seconds and achieving second-level file destruction. Where the correspondence between F_Key_SN and F_Key of Table 2 is held in the encryption module 140 or the KMS, that stored F_Key entry must be removed as well, since an F_Key that is still stored could decrypt the remaining file ciphertext.
In step 307, when the attribute field of the preset first file system indicates that the first file is not to be destroyed, the file structure of the first file is deleted.
If in step 305 the first file determines that the attribute field of the preset first file system indicates that the first file is not to be destroyed, the first file deletes the file structure of the first file. After the file structure has been deleted, the F_Key_SN and the ciphertext of the first file are still stored in the first file, so the first file is not destroyed and can still be recovered.
It should be noted that steps 305 to 307 above are the file destruction method provided by this embodiment. In a possible embodiment in which the first file does not need to be destroyed and only its file structure needs to be deleted, the first file may delete its file structure directly, avoiding the check of step 305; in that case steps 305 to 307 may be replaced by the following step 305a. In step 305a, the first file comprises a file structure, a file encryption key serial number and a file ciphertext, and when a delete instruction for the first file is detected, the file structure of the first file is deleted.
To prevent the security of a file from being compromised by brute-force cracking of its file encryption key, the data encryption method provided by this embodiment can update the file encryption key periodically, as shown in steps 308 to 311 below.
In step 308, the file encryption key serial number of the first file is updated.
Specifically, the encryption module 140 updates the F_Key_SN of the first file at a preset interval, uses the updated F_Key_SN as the derivation factor of the F_Key of the first file, and derives a new F_Key for the first file from the updated F_Key_SN. The preset interval is determined empirically; for example, it may be 3 hours.
It should be noted that when updating the F_Key_SN of the first file, the encryption module 140 also uses the random algorithm and the verification algorithm; the process is identical or similar to the generation of the F_Key_SN of the first file in step 302 and is not repeated here.
It should also be noted that, as in step 302, when the encryption module 140 generates the new F_Key_SN of the first file, it sends the new F_Key_SN to the first file so that the first file learns the new F_Key_SN uniquely corresponding to it and stores it.
In step 309, a new file encryption key of the first file is generated from the file system encryption key of the first file system and the updated file encryption key serial number of the first file.
Step 309 is identical or similar to step 303 above and is not repeated here. It should be noted, however, that as in step 303, when the encryption module 140 obtains the new F_Key of the first file, it may store the new F_Key. Specifically, the encryption module 140 updates the correspondence between F_Key_SN and F_Key that it stores, to obtain the correspondence between the updated F_Key_SN and the new F_Key of the first file.
It should also be noted that, as with the storage of the old F_Key of the first file, the new F_Key of the first file may also be stored in the KMS. When the time for which the new F_Key of the first file has been held in the encryption module 140 exceeds a preset period, the new F_Key is automatically cleared from the encryption module 140; when the encryption module 140 needs the new F_Key of the first file to encrypt the first file, it may obtain the new F_Key from the KMS. The F_Key obtained in this way is the F_Key stored in the KMS after the F_Key of the first file was updated; the encryption module 140 simply queries the KMS for the new F_Key of the first file.
In step 310, the file ciphertext of the first file is decrypted with the file encryption key of the first file to obtain the file content of the first file, the file ciphertext being the result of encrypting the file content of the first file with the file encryption key of the first file.
Specifically, when the first file receives the updated F_Key_SN sent by the encryption module 140, the first file sends its file ciphertext together with the updated F_Key_SN uniquely corresponding to it to the encryption module 140. After receiving the file ciphertext and the updated F_Key_SN sent by the first file, the encryption module 140 obtains, from the updated F_Key_SN, the F_Key_SN of the first file before the update, obtains the old F_Key of the first file from the F_Key_SN before the update, and decrypts the file ciphertext of the first file with the old F_Key to obtain the file content of the first file.
It should be noted that before sending the file ciphertext of the first file to the encryption module 140, the first file may first obtain the file ciphertext from a storage device, which may be the storage pool 160 in the implementation environment shown in Fig. 1.
In step 311, the file content is encrypted with the new file encryption key of the first file to obtain the updated file ciphertext of the first file.
When the encryption module 140 has obtained the file content of the first file, it looks up, according to the updated F_Key_SN, the new F_Key corresponding to the updated F_Key_SN in the correspondence between the updated F_Key_SN and the new F_Key of the first file stored in the encryption module 140 or the KMS. When it finds the new F_Key corresponding to the updated F_Key_SN, the encryption module 140 encrypts the received file content of the first file with the new F_Key to obtain the updated file ciphertext of the first file.
It should be noted that after the encryption module 140 has encrypted the file content of the first file to obtain the updated file ciphertext, it sends the updated file ciphertext to the first file so that the first file stores it; the first file may store the updated file ciphertext in the storage pool 160 of the implementation environment shown in Fig. 1.
In the data encryption method provided by this embodiment, by periodically updating the F_Key_SN of the first file, deriving a new F_Key for the first file from the updated F_Key_SN and the FS_Key of the first file system, and encrypting the file content of the first file with the new F_Key, the exposure of any one file encryption key to brute-force cracking is limited and the security of the file system is improved.
In step 312, when a read instruction for the first file is detected, the ciphertext corresponding to the read instruction is obtained from the file ciphertext of the first file, the ciphertext corresponding to the read instruction having been encrypted with the file encryption key of the first file.
Specifically, when the first file in the first file system detects a read instruction for the first file, the first file obtains the ciphertext corresponding to the read instruction from the file ciphertext of the first file stored in the storage device, for example from the file ciphertext of the first file stored in the storage pool 160 of the implementation environment shown in Fig. 1; the specific obtaining process is the same as or similar to the prior art and is not repeated here. The read instruction may be sent by the cache 180 in the implementation environment shown in Fig. 1.
In step 313, the ciphertext corresponding to the read instruction is decrypted with the file encryption key of the first file to obtain the read data.
When the first file has obtained the ciphertext corresponding to the read instruction, the first file sends that ciphertext together with the F_Key_SN of the first file to the encryption module 140. On receiving the ciphertext corresponding to the read instruction and the F_Key_SN of the first file, the encryption module 140 looks up, according to the F_Key_SN, the F_Key uniquely corresponding to the first file in the correspondence between F_Key_SN and F_Key stored in the encryption module 140 or the KMS, and decrypts the ciphertext corresponding to the read instruction with that F_Key to obtain the read data.
When the encryption module 140 has obtained the read data, it sends the read data to the first file, and the first file may send the read data to an upper-layer module, which may be the cache 180 in the implementation environment shown in Fig. 1.
It should be noted that the order of the steps of the data encryption method provided by this embodiment may be adjusted as appropriate, and steps may be added or removed as the situation requires. For example, in this embodiment step 301 and step 302 are performed in that order, but in other embodiments provided by the present invention step 301 and step 302 may be reversed. Any variation that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention falls within the scope of protection of the present invention and is not described further.
It should also be noted that steps 301 to 304 above may be implemented on their own as the data encryption method provided by this embodiment, steps 305 to 307 may be implemented on their own as the file destruction method provided by this embodiment, steps 308 to 311 may be implemented on their own as the key update method provided by this embodiment, and steps 312 and 313 may be implemented on their own as the data decryption method provided by this embodiment.
Please refer to Fig. 4, which shows a block diagram of a data encryption system 400 provided by an embodiment of the present invention. The data encryption system 400 may implement, in software, hardware or a combination of both, some or all of the functions of the data encryption system 100 in the implementation environment shown in Fig. 1; the data encryption system 100 may be a NAS system. Referring to Fig. 4, the data encryption system 400 may include a system key obtaining module 410, a file serial number generation module 420, a file key generation module 430 and a write data encryption module 440.
The system key obtaining module 410 is configured to obtain the file system encryption key of a first file system, the first file system being any one of multiple file systems.
The file serial number generation module 420 is configured to generate, for a first file in the first file system, a file encryption key serial number uniquely corresponding to the first file.
The file key generation module 430 is configured to generate, for the first file, a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system obtained by the system key obtaining module 410 and the file encryption key serial number of the first file generated by the file serial number generation module 420.
The write data encryption module 440 is configured, when a write instruction for the first file is detected, to encrypt the write data in the write instruction with the file encryption key of the first file generated by the file key generation module 430 to obtain the ciphertext corresponding to the write data.
In sum, the data encryption system provided by this embodiment generates a separate file encryption key for each file in the file system and encrypts each file with its own key, in the manner described for the method above; it thereby solves the problem that data in one file system is stored under a single shared key, achieves file-level data encryption, improves the security of the data, and allows individual files to be managed.
Please refer to Fig. 5, it shows the block diagram of the data encryption system 500 that one embodiment of the invention provides.This data encryption system 500 can be realized shown in Fig. 1 and be implemented to encircle by software, hardware or both combinationsThe some or all of function of the data encryption system 100 in border, this data encryption system 100 can be NASSystem. Referring to Fig. 5, this data encryption system 500 can comprise: system key acquisition module 501, fileSequence number generation module 502, file key production module 503 and data writing encrypting module 504.
System key acquisition module 501, for obtaining the file system encryption key of the first file system, firstFile system is any one file system in multiple file system.
File sequence number generation module 502, is used to the first file generated and the first literary composition in the first file systemThe file Ciphering Key Sequence Number of the unique correspondence of part.
File key production module 503, for the first file getting according to system key acquisition module 501The file of the first file that the file system encryption key of system and file sequence number generation module 502 generate is closeKey sequence number is the first file generated and the unique corresponding file encryption key of the first file.
Data writing encrypting module 504, for detect to the first file write instruction time, according to fileThe file encryption key of the first file that key production module 503 generates adds the data writing writing in instructionClosely obtain the ciphertext that data writing is corresponding.
Optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and the data encryption system 500 further comprises:
a destruction detection module 505, configured to, when a delete instruction for the first file is detected, detect whether a preset attribute option of the first file system indicates that the first file is to be destroyed;
a file destruction module 506, configured to, when the destruction detection module 505 detects that the preset attribute option of the first file system indicates that the first file is to be destroyed, delete the file structure of the first file and the file key serial number of the first file;
a first deletion module 507, configured to, when the destruction detection module 505 detects that the preset attribute option of the first file system does not indicate that the first file is to be destroyed, delete the file structure of the first file.
Optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and the data encryption system 500 further comprises:
a second deletion module 508, configured to, when a delete instruction for the first file is detected, delete the file structure of the first file.
Optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and the data encryption system 500 further comprises:
a file serial number update module 509, configured to update the file key serial number of the first file;
a new file key generation module 510, configured to generate a new file encryption key for the first file from the file system encryption key of the first file system and the file key serial number of the first file as updated by the file serial number update module 509;
an update decryption module 511, configured to decrypt the file ciphertext of the first file with the file encryption key of the first file to obtain the file content of the first file, the file ciphertext having been obtained by encrypting the file content of the first file with the file encryption key of the first file;
an update encryption module 512, configured to encrypt the file content with the new file encryption key of the first file generated by the new file key generation module 510 to obtain the updated file ciphertext of the first file.
Refer to Fig. 6, which shows a block diagram of one implementation of the system key acquisition module 501 of the embodiment shown in Fig. 5. Referring to Fig. 6, the system key acquisition module 501 may comprise:
an identifier generation unit 501a, configured to, when an instruction to create the first file system in the NAS system is detected, generate a file system key identifier for the first file system;
a first sending unit 501b, configured to send the file system key identifier of the first file system generated by the identifier generation unit 501a to a key management server (KMS), so that the KMS generates, from the file system key identifier of the first file system, a file system encryption key uniquely corresponding to the first file system;
a first receiving unit 501c, configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
Refer to Fig. 7, which shows a block diagram of another implementation of the system key acquisition module 501 of the embodiment shown in Fig. 5. Referring to Fig. 7, the system key acquisition module 501 may comprise:
an identifier acquisition unit 501d, configured to, when the NAS system powers on, obtain the file system key identifier of the first file system, the file system key identifier of the first file system having been generated when the first file system was created in the NAS system;
a second sending unit 501e, configured to send the file system key identifier of the first file system obtained by the identifier acquisition unit 501d to the key management server (KMS), so that the KMS looks up, from the file system key identifier of the first file system, the file system encryption key uniquely corresponding to the first file system;
a second receiving unit 501f, configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
Refer to Fig. 8, which shows a block diagram of one implementation of the file serial number generation module 502 of the embodiment shown in Fig. 5. Referring to Fig. 8, the file serial number generation module 502 may comprise:
a first generation unit 502a, configured to, when a create instruction for the first file is detected, generate for the first file a file key serial number uniquely corresponding to the first file;
or,
a second generation unit 502b, configured to, when the first open instruction for the first file is detected, generate for the first file a file key serial number uniquely corresponding to the first file.
Continuing to refer to Fig. 5, optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and the data encryption system 500 further comprises:
a ciphertext acquisition module 513, configured to, when a read instruction for the first file is detected, obtain from the file ciphertext of the first file the ciphertext corresponding to the read instruction, the ciphertext corresponding to the read instruction having been obtained by encryption with the file encryption key of the first file;
a ciphertext decryption module 514, configured to decrypt the ciphertext corresponding to the read instruction obtained by the ciphertext acquisition module 513 with the file encryption key of the first file to obtain the read data.
In summary, the data encryption system provided by this embodiment of the present invention obtains the file system encryption key of a first file system, generates for a first file in the first file system a file key serial number uniquely corresponding to the first file, generates a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file, and, when a write instruction for the first file is detected, encrypts the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data. Because the embodiment generates a file encryption key for each file in the file system and encrypts each file with its own key, it solves the problems that arise when all data in one file system is stored under the same key: lower data security, an excessively coarse management granularity, and no way to manage individual files in the file system. It achieves file-level data encryption, improves data security, and makes the management of individual files possible.
In the data encryption system provided by this embodiment of the present invention, the first file can be completely destroyed simply by deleting the F_Key_SN of the first file. Destroying a file is therefore fast and takes little time: a file can be completely destroyed within a few seconds, achieving second-level file destruction.
The data encryption system provided by this embodiment of the present invention periodically updates the F_Key_SN of the first file, derives a new F_Key for the first file from the updated F_Key_SN and the FS_Key of the first file system, and encrypts the file content of the first file with the new F_Key of the first file. This achieves the effect of preventing the file encryption key from being brute-forced and improves the security of the file system.
Refer to Fig. 9, which shows a block diagram of a data encryption system 900 provided by one embodiment of the present invention. The data encryption system 900 may implement, in software, hardware or a combination of both, some or all of the functions of the data encryption system 100 in the implementation environment shown in Fig. 1; the data encryption system 100 may be a NAS system. Referring to Fig. 9, the data encryption system 900 may comprise a processor 910.
The processor 910 is configured to obtain the file system encryption key of a first file system, the first file system being any one of the multiple file systems.
The processor 910 is configured to generate, for a first file in the first file system, a file key serial number uniquely corresponding to the first file.
The processor 910 is configured to generate a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file.
The processor 910 is configured to, when a write instruction for the first file is detected, encrypt the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data.
In summary, the data encryption system provided by this embodiment of the present invention obtains the file system encryption key of a first file system, generates for a first file in the first file system a file key serial number uniquely corresponding to the first file, generates a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file, and, when a write instruction for the first file is detected, encrypts the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data. Because the embodiment generates a file encryption key for each file in the file system and encrypts each file with its own key, it solves the problems that arise when all data in one file system is stored under the same key: lower data security, an excessively coarse management granularity, and no way to manage individual files in the file system. It achieves file-level data encryption, improves data security, and makes the management of individual files possible.
Refer to Figure 10, which shows a block diagram of a data encryption system 1000 provided by another embodiment of the present invention. The data encryption system 1000 may implement, in software, hardware or a combination of both, some or all of the functions of the data encryption system 100 in the implementation environment shown in Fig. 1; the data encryption system 100 may be a NAS system. Referring to Figure 10, the data encryption system 1000 may comprise a processor 1010.
The processor 1010 is configured to obtain the file system encryption key of a first file system, the first file system being any one of the multiple file systems.
The processor 1010 is configured to generate, for a first file in the first file system, a file key serial number uniquely corresponding to the first file.
The processor 1010 is configured to generate a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file.
The processor 1010 is configured to, when a write instruction for the first file is detected, encrypt the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data.
Optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and:
the processor 1010 is configured to, when a delete instruction for the first file is detected, detect whether a preset attribute option of the first file system indicates that the first file is to be destroyed;
the processor 1010 is configured to, when the preset attribute option of the first file system indicates that the first file is to be destroyed, delete the file structure of the first file and the file key serial number of the first file;
the processor 1010 is configured to, when the preset attribute option of the first file system does not indicate that the first file is to be destroyed, delete the file structure of the first file.
Optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and:
the processor 1010 is configured to, when a delete instruction for the first file is detected, delete the file structure of the first file.
Optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and:
the processor 1010 is configured to update the file key serial number of the first file;
the processor 1010 is configured to generate a new file encryption key for the first file from the file system encryption key of the first file system and the updated file key serial number of the first file;
the processor 1010 is configured to decrypt the file ciphertext of the first file with the file encryption key of the first file to obtain the file content of the first file, the file ciphertext having been obtained by encrypting the file content of the first file with the file encryption key of the first file;
the processor 1010 is configured to encrypt the file content with the new file encryption key of the first file to obtain the updated file ciphertext of the first file.
Optionally, the data encryption system 1000 may further comprise a transmitter 1020 and a receiver 1030.
The processor 1010 is configured to, when an instruction to create the first file system in the NAS system is detected, generate a file system key identifier for the first file system;
the transmitter 1020 is configured to send the file system key identifier of the first file system to a key management server (KMS), so that the KMS generates, from the file system key identifier of the first file system, a file system encryption key uniquely corresponding to the first file system;
the receiver 1030 is configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
Optionally, the processor 1010 is configured to, when the NAS system powers on, obtain the file system key identifier of the first file system, the file system key identifier of the first file system having been generated when the first file system was created in the NAS system;
the transmitter 1020 is configured to send the file system key identifier of the first file system to the key management server (KMS), so that the KMS looks up, from the file system key identifier of the first file system, the file system encryption key uniquely corresponding to the first file system;
the receiver 1030 is configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
Optionally, the processor 1010 is configured to, when a create instruction for the first file is detected, generate for the first file a file key serial number uniquely corresponding to the first file;
or,
the processor 1010 is configured to, when the first open instruction for the first file is detected, generate for the first file a file key serial number uniquely corresponding to the first file.
Optionally, the first file comprises a file structure, a file key serial number and a file ciphertext, and:
the processor 1010 is configured to, when a read instruction for the first file is detected, obtain from the file ciphertext of the first file the ciphertext corresponding to the read instruction, the ciphertext corresponding to the read instruction having been obtained by encryption with the file encryption key of the first file;
the processor 1010 is configured to decrypt the ciphertext corresponding to the read instruction with the file encryption key of the first file to obtain the read data.
In summary, the data encryption system provided by this embodiment of the present invention obtains the file system encryption key of a first file system, generates for a first file in the first file system a file key serial number uniquely corresponding to the first file, generates a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file, and, when a write instruction for the first file is detected, encrypts the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data. Because the embodiment generates a file encryption key for each file in the file system and encrypts each file with its own key, it solves the problems that arise when all data in one file system is stored under the same key: lower data security, an excessively coarse management granularity, and no way to manage individual files in the file system. It achieves file-level data encryption, improves data security, and makes the management of individual files possible.
In the data encryption system provided by this embodiment of the present invention, the first file can be completely destroyed simply by deleting the F_Key_SN of the first file. Destroying a file is therefore fast and takes little time: a file can be completely destroyed within a few seconds, achieving second-level file destruction.
The data encryption system provided by this embodiment of the present invention periodically updates the F_Key_SN of the first file, derives a new F_Key for the first file from the updated F_Key_SN and the FS_Key of the first file system, and encrypts the file content of the first file with the new F_Key of the first file. This achieves the effect of preventing the file encryption key from being brute-forced and improves the security of the file system.
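The FS_Key / F_Key_SN / F_Key hierarchy, the second-level destruction by deleting F_Key_SN and the periodic key update summarised here and after the Fig. 5 embodiment, as an added Go model that is not the patent's own code: the derivation function (HMAC-SHA256), the cipher (AES-256-GCM) and the key and serial-number sizes are assumptions, since the patent does not fix them.

```go
// Added example, not the patent's code: FS_Key -> F_Key_SN -> F_Key model (KDF and sizes are assumptions).
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// File keeps F_Key_SN and the file ciphertext; a nil FKeySN means the file was destroyed.
type File struct {
	FKeySN     []byte
	Ciphertext []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: stop rather than derive weak keys
	}
	return b
}

// DeriveFKey computes F_Key = HMAC-SHA256(FS_Key, "F_Key" || F_Key_SN).
func DeriveFKey(fsKey, fKeySN []byte) []byte {
	m := hmac.New(sha256.New, fsKey)
	m.Write([]byte("F_Key"))
	m.Write(fKeySN)
	return m.Sum(nil)
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // DeriveFKey always yields a valid 32-byte key
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt returns nonce || AES-256-GCM ciphertext of content under fKey.
func Encrypt(fKey, content []byte) []byte {
	g := newGCM(fKey)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, content, nil)
}

// Decrypt reverses Encrypt; it fails on a wrong key or altered ciphertext.
func Decrypt(fKey, ct []byte) ([]byte, error) {
	g := newGCM(fKey)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// CreateFile generates the file's unique 128-bit F_Key_SN at creation time.
func CreateFile() *File { return &File{FKeySN: randomBytes(16)} }

// Write encrypts write data with the file's F_Key (write instruction path).
func (f *File) Write(fsKey, data []byte) error {
	if f.FKeySN == nil {
		return errors.New("file has been destroyed")
	}
	f.Ciphertext = Encrypt(DeriveFKey(fsKey, f.FKeySN), data)
	return nil
}

// Read decrypts the file ciphertext with the file's F_Key (read instruction path).
func (f *File) Read(fsKey []byte) ([]byte, error) {
	if f.FKeySN == nil {
		return nil, errors.New("file has been destroyed")
	}
	return Decrypt(DeriveFKey(fsKey, f.FKeySN), f.Ciphertext)
}

// Destroy deletes F_Key_SN (the patent's second-level destruction): the ciphertext stays but its key is gone.
func (f *File) Destroy() { f.FKeySN = nil }

// RotateKey: new F_Key_SN, new F_Key, decrypt with the old key, re-encrypt with the new.
func (f *File) RotateKey(fsKey []byte) error {
	content, err := f.Read(fsKey)
	if err != nil {
		return err
	}
	newSN := randomBytes(16)
	f.FKeySN, f.Ciphertext = newSN, Encrypt(DeriveFKey(fsKey, newSN), content)
	return nil
}

func main() {
	fsKey, f := randomBytes(32), CreateFile() // FS_Key as the KMS would issue it
	_ = f.Write(fsKey, []byte("constructed file content"))
	fmt.Println(f.Read(fsKey)) // prints the content bytes and <nil>
}
```

A plain delete in the patent drops only the file structure and leaves F_Key_SN in place, so the ciphertext remains decryptable; only Destroy makes it unrecoverable.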
The embodiment of the present invention also provides a data encryption device comprising a transceiver, a memory and a processor connected to the transceiver and the memory respectively, wherein the memory stores a set of program code and the processor is configured to call the program code stored in the memory to perform the data encryption method described above.
A person of ordinary skill in the art will understand that all or part of the steps for implementing the above embodiments may be completed by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.

Claims (16)

1. A data encryption method, characterized in that it is applied to a network attached storage (NAS) system, the NAS system comprising multiple file systems, and the method comprises:
obtaining the file system encryption key of a first file system, the first file system being any one of the multiple file systems;
generating, for a first file in the first file system, a file key serial number uniquely corresponding to the first file;
generating a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file;
when a write instruction for the first file is detected, encrypting the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data.
2. The method according to claim 1, characterized in that the first file comprises a file structure, a file key serial number and a file ciphertext,
and after the encrypting of the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data, the method further comprises:
when a delete instruction for the first file is detected, detecting whether a preset attribute option of the first file system indicates that the first file is to be destroyed;
when the preset attribute option of the first file system indicates that the first file is to be destroyed, deleting the file structure of the first file and the file key serial number of the first file;
when the preset attribute option of the first file system does not indicate that the first file is to be destroyed, deleting the file structure of the first file.
3. The method according to claim 1, characterized in that the first file comprises a file structure, a file key serial number and a file ciphertext,
and after the encrypting of the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data, the method further comprises:
when a delete instruction for the first file is detected, deleting the file structure of the first file.
4. The method according to claim 1, characterized in that the first file comprises a file structure, a file key serial number and a file ciphertext,
and after the generating of the file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file, the method further comprises:
updating the file key serial number of the first file;
generating a new file encryption key for the first file from the file system encryption key of the first file system and the updated file key serial number of the first file;
decrypting the file ciphertext of the first file with the file encryption key of the first file to obtain the file content of the first file, the file ciphertext having been obtained by encrypting the file content of the first file with the file encryption key of the first file;
encrypting the file content with the new file encryption key of the first file to obtain the updated file ciphertext of the first file.
5. The method according to any one of claims 1 to 4, characterized in that the obtaining the file system encryption key of the first file system comprises:
when an instruction to create the first file system in the NAS system is detected, generating a file system key identifier for the first file system;
sending the file system key identifier of the first file system to a key management server (KMS), so that the KMS generates, from the file system key identifier of the first file system, a file system encryption key uniquely corresponding to the first file system;
receiving the file system encryption key uniquely corresponding to the first file system sent by the KMS.
6. The method according to any one of claims 1 to 4, characterized in that the obtaining the file system encryption key of the first file system comprises:
when the NAS system powers on, obtaining the file system key identifier of the first file system, the file system key identifier of the first file system having been generated when the first file system was created in the NAS system;
sending the file system key identifier of the first file system to a key management server (KMS), so that the KMS looks up, from the file system key identifier of the first file system, the file system encryption key uniquely corresponding to the first file system;
receiving the file system encryption key uniquely corresponding to the first file system sent by the KMS.
7. The method according to claim 1, characterized in that the generating, for the first file in the first file system, the file key serial number uniquely corresponding to the first file comprises:
when a create instruction for the first file is detected, generating for the first file a file key serial number uniquely corresponding to the first file;
or,
when the first open instruction for the first file is detected, generating for the first file a file key serial number uniquely corresponding to the first file.
8. The method according to claim 1, characterized in that the first file comprises a file structure, a file key serial number and a file ciphertext,
and after the encrypting of the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data, the method further comprises:
when a read instruction for the first file is detected, obtaining from the file ciphertext of the first file the ciphertext corresponding to the read instruction, the ciphertext corresponding to the read instruction having been obtained by encryption with the file encryption key of the first file;
decrypting the ciphertext corresponding to the read instruction with the file encryption key of the first file to obtain the read data.
9. A data encryption system, characterized in that it is applied to a network attached storage (NAS) system, the NAS system comprising multiple file systems, and the data encryption system comprises:
a system key acquisition module, configured to obtain the file system encryption key of a first file system, the first file system being any one of the multiple file systems;
a file serial number generation module, configured to generate, for a first file in the first file system, a file key serial number uniquely corresponding to the first file;
a file key generation module, configured to generate a file encryption key uniquely corresponding to the first file from the file system encryption key of the first file system and the file key serial number of the first file;
a write data encryption module, configured to, when a write instruction for the first file is detected, encrypt the write data in the write instruction with the file encryption key of the first file to obtain the ciphertext corresponding to the write data.
10. The data encryption system according to claim 9, characterized in that the first file comprises a file structure, a file key serial number and a file ciphertext, and the data encryption system further comprises:
a destruction detection module, configured to, when a delete instruction for the first file is detected, detect whether a preset attribute option of the first file system indicates that the first file is to be destroyed;
a file destruction module, configured to, when the preset attribute option of the first file system indicates that the first file is to be destroyed, delete the file structure of the first file and the file key serial number of the first file;
a first deletion module, configured to, when the preset attribute option of the first file system does not indicate that the first file is to be destroyed, delete the file structure of the first file.
11. The data encryption system according to claim 9, characterized in that the first file comprises a file structure, a file key serial number and a file ciphertext, and the data encryption system further comprises:
a second deletion module, configured to, when a delete instruction for the first file is detected, delete the file structure of the first file.
12. The data encryption system according to claim 9, characterized in that the first file comprises a file structure, a file key serial number and a file ciphertext, and the data encryption system further comprises:
a file serial number update module, configured to update the file key serial number of the first file;
a new file key generation module, configured to generate a new file encryption key for the first file from the file system encryption key of the first file system and the updated file key serial number of the first file;
an update decryption module, configured to decrypt the file ciphertext of the first file with the file encryption key of the first file to obtain the file content of the first file, the file ciphertext having been obtained by encrypting the file content of the first file with the file encryption key of the first file;
an update encryption module, configured to encrypt the file content with the new file encryption key of the first file to obtain the updated file ciphertext of the first file.
13. The data encryption system according to any one of claims 9 to 12, characterized in that the system key acquisition module comprises:
an identifier generation unit, configured to, when an instruction to create the first file system in the NAS system is detected, generate a file system key identifier for the first file system;
a first sending unit, configured to send the file system key identifier of the first file system to a key management server (KMS), so that the KMS generates, from the file system key identifier of the first file system, a file system encryption key uniquely corresponding to the first file system;
a first receiving unit, configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
14. The data encryption system according to any one of claims 9 to 12, characterized in that the system key acquisition module comprises:
an identifier acquisition unit, configured to, when the NAS system powers on, obtain the file system key identifier of the first file system, the file system key identifier of the first file system having been generated when the first file system was created in the NAS system;
a second sending unit, configured to send the file system key identifier of the first file system to a key management server (KMS), so that the KMS looks up, from the file system key identifier of the first file system, the file system encryption key uniquely corresponding to the first file system;
a second receiving unit, configured to receive the file system encryption key uniquely corresponding to the first file system sent by the KMS.
15. The data encryption system according to claim 9, characterized in that the file serial number generation module comprises:
a first generation unit, configured to, when a create instruction for the first file is detected, generate for the first file a file key serial number uniquely corresponding to the first file;
or,
a second generation unit, configured to, when the first open instruction for the first file is detected, generate for the first file a file key serial number uniquely corresponding to the first file.
16. data encryption systems according to claim 9, is characterized in that, described the first file bagDraw together: file structure, file Ciphering Key Sequence Number and file cipher text, described data encryption system also comprises:
Ciphertext acquisition module, for when the reading command detecting described the first file, described firstIn the file cipher text of file, obtain ciphertext corresponding to described reading command, ciphertext corresponding to described reading command isObtain according to the file encryption key encryption of described the first file;
Decrypt ciphertext module, for according to the file encryption key of described the first file to described reading command pairThe ciphertext of answering is decrypted and obtains reading out data.
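As an added illustration, not code from the patent or from the applicant, the following Python sketch walks through the arrangement that claims 13 to 16 describe: the NAS generates a file system key identifier when it creates a file system and sends it to a KMS, which generates (claim 13) or later looks up (claim 14) the file system encryption key bound to that identifier; each file receives a unique file encryption key sequence number on creation (claim 15); and a read fetches the file ciphertext and decrypts it with the file encryption key (claim 16). Everything beyond the claim text is assumed: the HMAC-SHA256 derivation of the per-file key from the file system key and the sequence number, the encrypt-then-MAC stream construction used in place of a real cipher mode, the class and method names, and the constructed sample data in the tests.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class KMS:
    def __init__(self) -> None:
        self._store = {}  # file system key id -> file system encryption key

    def generate_fs_key(self, fs_key_id: str) -> bytes:
        # Claim 13: generate a key uniquely corresponding to the identifier.
        if fs_key_id in self._store:
            raise ValueError("file system key id already registered")
        self._store[fs_key_id] = key = secrets.token_bytes(32)
        return key

    def lookup_fs_key(self, fs_key_id: str) -> bytes:
        # Claim 14: look the existing key up by identifier (KeyError if unknown).
        return self._store[fs_key_id]


def derive_file_key(fs_key: bytes, file_seq_no: int) -> bytes:
    # Assumed derivation (not stated in the patent): PRF of the per-file sequence
    # number under the file system key, so every file gets a distinct key.
    return hmac.new(fs_key, file_seq_no.to_bytes(8, "big"), hashlib.sha256).digest()


def _subkey(file_key: bytes, label: bytes) -> bytes:
    return hmac.new(file_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for a real block cipher mode.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt_data(file_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under keys derived from the file key; output nonce||ct||tag.
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(file_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(file_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_data(file_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(file_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext authentication failed")
    ks = _keystream(_subkey(file_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class EncryptedFile:
    # Claim 16: the stored file carries its key sequence number and ciphertext.
    name: str
    file_seq_no: int
    ciphertext: bytes = b""


class NASSystem:
    def __init__(self, kms: KMS) -> None:
        self.kms = kms
        self.fs_key_ids = {}  # persisted metadata: fs name -> fs key id
        self.fs_keys = {}     # volatile: fs name -> fs encryption key
        self.files = {}       # (fs name, file name) -> EncryptedFile
        self._next_seq = 1

    def create_file_system(self, fs_name: str) -> str:
        fs_key_id = secrets.token_hex(16)  # id generated when the FS is created
        self.fs_key_ids[fs_name] = fs_key_id
        self.fs_keys[fs_name] = self.kms.generate_fs_key(fs_key_id)
        return fs_key_id

    def power_off(self) -> None:
        self.fs_keys.clear()  # keys are not kept on the NAS; only ids survive

    def power_on(self) -> None:
        # Claim 14: reacquire each file system key from the KMS by identifier.
        for fs_name, fs_key_id in self.fs_key_ids.items():
            self.fs_keys[fs_name] = self.kms.lookup_fs_key(fs_key_id)

    def create_file(self, fs_name: str, file_name: str) -> EncryptedFile:
        # Claim 15: assign a unique file key sequence number on creation.
        f = self.files[(fs_name, file_name)] = EncryptedFile(file_name, self._next_seq)
        self._next_seq += 1
        return f

    def write(self, fs_name: str, file_name: str, data: bytes) -> None:
        f = self.files[(fs_name, file_name)]
        f.ciphertext = encrypt_data(derive_file_key(self.fs_keys[fs_name], f.file_seq_no), data)

    def read(self, fs_name: str, file_name: str) -> bytes:
        # Claim 16: fetch the ciphertext, then decrypt with the file encryption key.
        f = self.files[(fs_name, file_name)]
        return decrypt_data(derive_file_key(self.fs_keys[fs_name], f.file_seq_no), f.ciphertext)
```

The point of the split the claims describe is visible in `power_off` and `power_on`: the NAS persists only the file system key identifier and, per file, the key sequence number and ciphertext, so a disk removed from the NAS carries nothing that decrypts without the KMS, and a read after power-on fails until the key has been reacquired.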
Application CN201410719901.6A (priority date 2014-12-02, filing date 2014-12-02): Data ciphering method and system; status Active; granted as CN105656866B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410719901.6A CN105656866B (en) 2014-12-02 2014-12-02 Data ciphering method and system
PCT/CN2015/096162 WO2016086850A1 (en) 2014-12-02 2015-12-01 Data encryption method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410719901.6A CN105656866B (en) 2014-12-02 2014-12-02 Data ciphering method and system

Publications (2)

Publication Number Publication Date
CN105656866A true CN105656866A (en) 2016-06-08
CN105656866B CN105656866B (en) 2019-10-22

Family

ID=56091027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410719901.6A Active CN105656866B (en) 2014-12-02 2014-12-02 Data ciphering method and system

Country Status (2)

Country Link
CN (1) CN105656866B (en)
WO (1) WO2016086850A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106992979A (en) * 2017-03-29 2017-07-28 昆明飞利泰电子系统工程有限公司 The key acquisition method and system of video monitoring equipment
CN110460563A (en) * 2018-05-08 2019-11-15 北京京东尚科信息技术有限公司 Data encryption, decryption method and device, system, readable medium and electronic equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106535178B (en) * 2016-11-16 2019-07-12 中国人民解放军信息工程大学 Access layer and Non-Access Stratum key safety insulating device and its method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100536473C (en) * 2006-11-09 2009-09-02 华中科技大学 Encrypting read / write method in use for NAS storage system
CN201430599Y (en) * 2009-03-12 2010-03-24 天津七所信息技术有限公司 10 Gb network memory

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090196417A1 (en) * 2008-02-01 2009-08-06 Seagate Technology Llc Secure disposal of storage data
CN101753539A (en) * 2008-12-01 2010-06-23 北京大学 Network data storage method and server
CN101751427A (en) * 2008-12-12 2010-06-23 北京中电华大电子设计有限责任公司 Method for reasonably using file space of smart card
CN101630292A (en) * 2009-07-29 2010-01-20 东南大学 File encryption-decryption method of USB removable storage device
CN101630292B (en) * 2009-07-29 2012-02-29 东南大学 File encryption-decryption method of USB removable storage device
CN101692264A (en) * 2009-09-25 2010-04-07 天津大学 Method of encrypting and protecting files by using hidden partition (HPA), CPU ID and soft keyboard
CN103609059A (en) * 2010-09-20 2014-02-26 安全第一公司 Systems and methods for secure data sharing
CN102075544A (en) * 2011-02-18 2011-05-25 博视联(苏州)信息科技有限公司 Encryption system, encryption method and decryption method for local area network shared file
CN102821096A (en) * 2012-07-17 2012-12-12 华中科技大学 Distributed storage system and file sharing method thereof
CN103812927A (en) * 2012-11-14 2014-05-21 书生云服务公司 Storage method
US20140281514A1 (en) * 2013-03-12 2014-09-18 Commvault Systems, Inc. Automatic file encryption

Also Published As

Publication number Publication date
WO2016086850A1 (en) 2016-06-09
CN105656866B (en) 2019-10-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant