CN106326757A - Data encryption device of storage system - Google Patents


Info

Publication number
CN106326757A
Authority
CN
China
Prior art keywords
data
encryption
key management
encryption device
master key
Legal status
Pending
Application number
CN201610742160.2A
Other languages
Chinese (zh)
Inventor
王磊杰
王永刚
Current Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Original Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Priority date
2016-08-26
Filing date
2016-08-26
Publication date
2017-01-11
Application filed by Inspur Beijing Electronic Information Industry Co Ltd
Priority to CN201610742160.2A
Publication of CN106326757A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention discloses a data encryption device of a storage system. The data encryption device of the storage system comprises a storage device for storing data, an encryption device used for carrying out encryption and decryption operations on the data stored in the storage device, a main key management device used for providing passwords needed by the encryption device during carrying out the encryption and decryption operations on the data, and a secondary key management device used for maintaining data synchronization with the main key management device when the main key management device operates normally and providing the passwords needed by the encryption device during carrying out the encryption and decryption operations on the data when the main key management device cannot operate normally. Through the data encryption device of the storage system, the structure in which the storage device, the encryption device and the key management devices in the background art are dispersed to three devices is changed into a structure in which the storage device, the encryption device and the key management devices are integrated into a single device; the unification of the security storage structure is achieved, so that the occurrence of the situation that a secret key is captured when the secret key is transmitted among the devices in the background art is avoided; the security of the data is improved.

Description

Data encryption device of a storage system
Technical field
The present invention relates to the field of storage system technology, and in particular to a data encryption device of a storage system.
Background technology
Computer information security has always been an important topic in computer research, and to ensure the security of computer information it is usually necessary to encrypt that information.
At present, computer information is mainly encrypted on the network: an encryption device and a key management device are added between the host and the storage, and behind the encryption gateway sits the final storage; all of these devices together constitute the secure storage. In such secure storage the key management device and the encryption device must exchange keys through a switch, so if a key is intercepted during that exchange the data encryption may be defeated and data security is correspondingly low.
In summary, the data encryption schemes provided by the prior art suffer from low security and reliability of data storage.
Summary of the invention
The object of the present invention is to provide a data encryption device of a storage system, so as to solve the problem of low data security in the data encryption schemes provided by the prior art.
To achieve this object, the present invention provides the following technical solution:
A data encryption device of a storage system, comprising an encryption device, a master key management device, a standby key management device and a storage device;
the storage device is used for storing data;
the encryption device is used for performing encryption and decryption operations on the data stored in the storage device;
the master key management device is used for providing the encryption device with the passwords (keys) it requires when performing encryption and decryption operations on data;
the standby key management device is used for keeping data synchronization with the master key management device while the master key management device works normally, and for providing the encryption device with the passwords it requires when performing encryption and decryption operations on data when the master key management device cannot work normally.
Preferably, the encryption device is specifically a PCIE encryption card matching the industry requirements of the user.
Preferably, the master key management device communicates with the PCIE encryption card through the interface that the PCIE encryption card provides.
Preferably, the standby key management device communicates with the PCIE encryption card and the master key management device through a non-transparent bridge (NTB).
Preferably, the PCIE encryption card is mounted inside the data encryption device in an encryption card slot that the data encryption device provides.
Preferably, the data encryption device further comprises an encryption module, which, when the encryption device cannot work normally, performs the encryption and decryption operations on data using the password provided by the master key management device or the standby key management device.
Preferably, the encryption device and the encryption module each comprise:
an encryption unit for performing an encryption operation on data written from the outside after receiving the data;
a decryption unit for, after receiving a read request from the outside, decrypting the encrypted data corresponding to the read request and returning it to the initiator of the read request.
Preferably, the encryption unit comprises:
an encryption sub-unit for performing encryption and decryption operations on data belonging to different volumes using different passwords.
The data encryption device of a storage system provided by the present invention comprises an encryption device, a master key management device, a standby key management device and a storage device; the storage device is used for storing data; the encryption device is used for performing encryption and decryption operations on the data stored in the storage device; the master key management device is used for providing the encryption device with the passwords it requires when performing encryption and decryption operations on data; the standby key management device is used for keeping data synchronization with the master key management device while it works normally, and for providing the encryption device with the passwords it requires when the master key management device cannot work normally. In the technical solution disclosed in the present application, the architecture of the background art, in which the storage device, the encryption device and the key management devices are distributed over three devices, is changed into one in which all of these devices are integrated in a single device. This unifies the secure storage structure, avoids the situation of the background art in which a key is intercepted while being transmitted between those devices, and improves data security. In addition, the master key management device and the standby key management device of the present application back each other up, which improves the reliability, availability and security of the data encryption device.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a data encryption device of a storage system provided by an embodiment of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, which shows a schematic structural diagram of a data encryption device of a storage system provided by an embodiment of the present invention, the device comprises an encryption device 11, a master key management device 12, a standby key management device 13 and a storage device 14;
the storage device 14 is used for storing data;
the encryption device 11 is used for performing encryption and decryption operations on the data stored in the storage device;
the master key management device 12 is used for providing the encryption device with the passwords it requires when performing encryption and decryption operations on data;
the standby key management device 13 is used for keeping data synchronization with the master key management device while the master key management device works normally, and for providing the encryption device with the passwords it requires when performing encryption and decryption operations on data when the master key management device cannot work normally.
The master key management device and the standby key management device may each be arranged on a corresponding controller and back each other up. Specifically, while the master key management device works normally the standby key device only needs to synchronize with the master key management device to ensure the consistency of the keys in the encryption device; when the master key management device cannot work normally, a key management device switch takes place: the standby key management device replaces the master key management device and continues to provide the encryption device with the keys it needs. When the key management devices are arranged on corresponding controllers, the switch of key management device can be realized by a switch between their corresponding controllers. The functions of the key management device mainly include generating keys, distributing keys, storing keys, and backing up and restoring keys; other arrangements may of course be made according to actual needs, all within the scope of protection of the present invention. This dual key management device arrangement improves the reliability, availability and security of the data encryption device.
In addition, the devices in the data encryption device of the embodiment of the present invention are integrated in a single device, that is, all are integrated in the data encryption device, and cooperate to perform the encryption and decryption functions on data and so realize secure storage of the data.
In the technical solution disclosed in the present application, the architecture of the background art, in which the storage device, the encryption device and the key management devices are distributed over three devices, is changed into one in which all of these devices are integrated in a single device. This unifies the secure storage structure, avoids the situation of the background art in which a key is intercepted while being transmitted between those devices, and improves data security. In addition, the master key management device and the standby key management device of the present application back each other up, which improves the reliability, availability and security of the data encryption device.
In the data encryption device of a storage system provided by the embodiment of the present invention, the encryption device may specifically be a PCIE encryption card matching the industry requirements of the user.
A PCIE encryption card matching the industry requirements of the user may specifically be a PCIE encryption card that has passed the certification required by the user's industry: for example, ordinary enterprises require commercial cryptography certification while the military requires military cryptography certification, so ordinary enterprises can use a PCIE encryption card with commercial cryptography certification and the military can use a PCIE encryption card with military cryptography certification. The PCIE device can thus accommodate the security requirements of different users, which improves the user experience.
In the data encryption device of a storage system provided by the embodiment of the present invention, the master key management device communicates with the PCIE encryption card through the interface that the PCIE encryption card provides.
Because the number of keys a PCIE encryption card can hold is limited, typically around 2048, and the card itself does not provide advanced functions such as key backup, a key management device needs to be provided to secure the keys and improve the key management capability of the PCIE encryption card. Unlike the prior art, in which the encryption device and the key management device are interconnected through a fiber-optic switch network, in the present application the PCIE encryption card and the master key management device communicate directly through the interface provided by the PCIE encryption card, which is safer and more efficient and is not affected by the security of a network.
The standby key management device can communicate with the PCIE encryption card and the master key management device through a non-transparent bridge (NTB).
Specifically, high-speed NTB interconnects are used between the master key management device, the standby key management device and the PCIE encryption card. The NTB high-speed interconnect is fixed on the circuit board as a link at the level of a PCIE switch; this connection is transparent and invisible from outside the data encryption device and, compared with the fiber-optic communication used in the prior art, greatly improves the security and transfer rate of the transmitted data.
In the data encryption device of a storage system provided by the embodiment of the present invention, the PCIE encryption card can be mounted inside the data encryption device in an encryption card slot provided by the data encryption device.
Specifically, the encryption card slot may be a standard half-height, half-length PCIe card slot, though other arrangements may of course be made according to actual needs, all within the scope of protection of the present invention. The encryption card slot is located inside the data encryption device and is invisible to external users; the PCIE encryption card is thus integrated inside the data encryption device, fusing the PCIE encryption card and the data encryption device.
The data encryption device of a storage system provided by the embodiment of the present invention may further comprise an encryption module, which, when the encryption device cannot work normally, performs the encryption and decryption operations on data using the password provided by the master key management device or the standby key management device.
The encryption module may specifically be encryption software, that is, software encryption can be realized by the encryption software. Software encryption implements the required encryption and decryption algorithms in code and uses the processor of the data encryption device to execute the encryption and decryption flow, so its algorithms are highly extensible. It can serve as a backup for hardware encryption (that is, the encryption device): when the encryption device fails or is temporarily removed for maintenance (the PCIE encryption card supports hot plugging), the data encryption device detects the corresponding error and can hot-switch to software encryption at once, with the upper-layer application unaware of the switch between software and hardware encryption. Software encryption and hardware encryption are thus realized together, which improves the high availability of the encryption function.
In the data encryption device of a storage system provided by the embodiment of the present invention, the encryption device and the encryption module may each comprise:
an encryption unit for performing an encryption operation on data written from the outside after receiving the data;
a decryption unit for, after receiving a read request from the outside, decrypting the encrypted data corresponding to the read request and returning it to the initiator of the read request.
In the present application, all encryption and decryption functions are implemented in the device driver layer according to the above scheme; that is, data are encrypted and decrypted in real time exactly when they are read or written. This implementation preserves the integrity of the upper-layer storage IO stack, does not affect data in the upper-layer IO stack, and allows storage parameters to be adjusted according to an advanced I/O pattern recognition algorithm to improve storage performance.
In the data encryption device of a storage system provided by the embodiment of the present invention, the encryption unit may comprise:
an encryption sub-unit for performing encryption and decryption operations on data belonging to different volumes using different passwords.
The encryption sub-unit can, according to actual needs, perform the corresponding encryption and decryption operations on the data of different volumes (LUNs) with different passwords, thereby improving the high availability of the encryption function.
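The behaviour described in the passages above (master/standby key managers kept in sync, a hot switch from the PCIE card to software encryption that the upper layer does not notice, per-volume keys, and encrypt-on-write/decrypt-on-read in the driver layer) as an added Python simulation; it is not the patent's code. The class names, the in-memory block store and the HMAC-SHA256 keystream that stands in for the card's cipher are all assumptions made here.

```python
"""Added simulation of the device described above, not the patent's own code:
PCIe card with software fallback, master/standby key managers, per-LUN keys,
and driver-layer encryption on every read and write. All values constructed."""
import hashlib
import hmac
import os
import struct


def keystream_xor(key: bytes, lun: int, block_no: int, data: bytes) -> bytes:
    """Stand-in for the card's cipher: HMAC-SHA256 in counter mode, keyed per LUN
    and tweaked by block number, so equal plaintext differs across volumes and
    blocks. Both engines share it, so either can read what the other wrote."""
    stream = bytearray()
    for counter in range(0, len(data), 32):
        tweak = struct.pack(">IQQ", lun, block_no, counter)
        stream += hmac.new(key, tweak, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyManager:
    """One key management device: holds per-LUN keys and a health flag."""

    def __init__(self, name: str) -> None:
        self.name, self.healthy, self.keys = name, True, {}


class KeyService:
    """Master/standby pair: the standby mirrors the master while it works and
    serves keys itself once the master fails; callers see no difference."""

    def __init__(self, master: KeyManager, standby: KeyManager) -> None:
        self.master, self.standby = master, standby

    def _active(self) -> KeyManager:
        return self.master if self.master.healthy else self.standby

    def create_volume_key(self, lun: int) -> None:
        self._active().keys[lun] = os.urandom(32)        # generate and store
        if self.master.healthy:
            self.standby.keys = dict(self.master.keys)   # back up to the standby

    def key_for(self, lun: int) -> bytes:
        return self._active().keys[lun]                  # distribute


class Engine:
    """An encryption path: the hot-pluggable PCIe card or the software module."""

    def __init__(self, name: str) -> None:
        self.name, self.present, self.uses = name, True, 0

    def transform(self, key: bytes, lun: int, block_no: int, data: bytes) -> bytes:
        if not self.present:
            raise RuntimeError(f"{self.name} engine unavailable")
        self.uses += 1
        return keystream_xor(key, lun, block_no, data)


class EncryptingDriver:
    """Driver-layer encrypt-on-write / decrypt-on-read over a block store."""

    def __init__(self, keys: KeyService, card: Engine) -> None:
        self.keys, self.card, self.software = keys, card, Engine("software")
        self.store: dict = {}          # (lun, block_no) -> ciphertext

    def _xfer(self, lun: int, block_no: int, data: bytes) -> bytes:
        # Card failure or hot removal is detected here and the driver switches
        # to software at once; the upper-layer IO stack never sees which path ran.
        engine = self.card if self.card.present else self.software
        return engine.transform(self.keys.key_for(lun), lun, block_no, data)

    def write(self, lun: int, block_no: int, plaintext: bytes) -> None:
        self.store[(lun, block_no)] = self._xfer(lun, block_no, plaintext)

    def read(self, lun: int, block_no: int) -> bytes:
        return self._xfer(lun, block_no, self.store[(lun, block_no)])


def demo() -> dict:
    master, standby = KeyManager("master"), KeyManager("standby")
    drv = EncryptingDriver(KeyService(master, standby), Engine("hardware"))
    drv.keys.create_volume_key(0)
    drv.keys.create_volume_key(1)
    secret = b"constructed sample record " * 8
    drv.write(0, 7, secret)
    drv.write(1, 7, secret)                  # same data on another LUN, other key
    drv.card.present = False                 # card pulled for maintenance
    after_card_loss = drv.read(0, 7)
    master.healthy = False                   # master fails; standby serves the key
    after_master_loss = drv.read(1, 7)
    return {"secret": secret, "hw_uses": drv.card.uses, "sw_uses": drv.software.uses,
            "ct_lun0": drv.store[(0, 7)], "ct_lun1": drv.store[(1, 7)],
            "after_card_loss": after_card_loss, "after_master_loss": after_master_loss}
```

Like sector-level XTS, the keystream is deterministic per (key, LUN, block), so rewriting the same block under the same key reuses keystream; a key manager that rotates per-volume keys is the page's answer to that.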
The above description of the disclosed embodiments enables a person skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A data encryption device of a storage system, characterised in that it comprises an encryption device, a master key management device, a standby key management device and a storage device;
the storage device is used for storing data;
the encryption device is used for performing encryption and decryption operations on the data stored in the storage device;
the master key management device is used for providing the encryption device with the passwords it requires when performing encryption and decryption operations on data;
the standby key management device is used for keeping data synchronization with the master key management device while the master key management device works normally, and for providing the encryption device with the passwords it requires when performing encryption and decryption operations on data when the master key management device cannot work normally.
2. The device according to claim 1, characterised in that the encryption device is specifically a PCIE encryption card matching the industry requirements of the user.
3. The device according to claim 2, characterised in that the master key management device communicates with the PCIE encryption card through the interface provided by the PCIE encryption card.
4. The device according to claim 3, characterised in that the standby key management device communicates with the PCIE encryption card and the master key management device through a non-transparent bridge (NTB).
5. The device according to claim 4, characterised in that the PCIE encryption card is mounted inside the data encryption device in an encryption card slot provided by the data encryption device.
6. The device according to claim 1, characterised in that it further comprises an encryption module which, when the encryption device cannot work normally, performs the encryption and decryption operations on data using the password provided by the master key management device or the standby key management device.
7. The device according to claim 6, characterised in that the encryption device and the encryption module each comprise:
an encryption unit for performing an encryption operation on data written from the outside after receiving the data;
a decryption unit for, after receiving a read request from the outside, decrypting the encrypted data corresponding to the read request and returning it to the initiator of the read request.
8. The device according to claim 6, characterised in that the encryption unit comprises:
an encryption sub-unit for performing encryption and decryption operations on data belonging to different volumes using different passwords.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610742160.2A CN106326757A (en) 2016-08-26 2016-08-26 Data encryption device of storage system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610742160.2A CN106326757A (en) 2016-08-26 2016-08-26 Data encryption device of storage system

Publications (1)

Publication Number Publication Date
CN106326757A true CN106326757A (en) 2017-01-11

Family

ID=57791183

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610742160.2A Pending CN106326757A (en) 2016-08-26 2016-08-26 Data encryption device of storage system

Country Status (1)

Country Link
CN (1) CN106326757A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101034424A (en) * 2007-01-12 2007-09-12 深圳兆日技术有限公司 Date safety storing system, device and method
CN102073808A (en) * 2010-11-17 2011-05-25 北京曙光天演信息技术有限公司 Method for encrypting and storing information through SATA interface and encryption card
CN102571488A (en) * 2011-12-21 2012-07-11 北京星网锐捷网络技术有限公司 Failure processing method, device and system for encryption card
CN105303124A (en) * 2015-11-26 2016-02-03 浪潮电子信息产业股份有限公司 Mother-and-son secret key encryption method used for physical tape library

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106529350A (en) * 2016-11-11 2017-03-22 郑州云海信息技术有限公司 Secure storage system
JP2019033402A (en) * 2017-08-09 2019-02-28 三菱電機株式会社 Communication device
JP7080024B2 (en) 2017-08-09 2022-06-03 三菱電機株式会社 Communication device
CN107835157A (en) * 2017-10-17 2018-03-23 郑州云海信息技术有限公司 A kind of data redundancy encryption method based on heartbeat mechanism
CN112383426A (en) * 2020-11-12 2021-02-19 中国农业银行股份有限公司佛山分行 Encryption system
CN113285950A (en) * 2021-05-21 2021-08-20 清创网御(合肥)科技有限公司 Encryption card-based key transmission and storage method
CN113285950B (en) * 2021-05-21 2023-02-24 清创网御(合肥)科技有限公司 Encryption card-based key transmission and storage method

Similar Documents

Publication Publication Date Title
CN106326757A (en) Data encryption device of storage system
CN106169041B (en) A kind of safety encryption mobile hard disk and its data transmission method based on USBKEY authentication
US20150244778A1 (en) Assembling of Isolated Remote Data
CN106549750A (en) With computer-implemented method and the system and computer program using which
CN103353931A (en) Security-enhanced computer systems and methods
CN1319294A (en) Adapter having secure function and computer secure system using it
EP2577936A2 (en) Accelerator system for use with secure data storage
CN104252375A (en) Method and system for sharing USB (Universal Serial Bus) Key by multiple virtual machines positioned in different host computers
CN110378097A (en) Ensure sensing data safety
US11356445B2 (en) Data access interface for clustered devices
CN102081713B (en) Office system for preventing data from being divulged
CN102799831B (en) Information safety protection system of application system based on database and information safety protection method
CN104320389A (en) Fusion identify protection system and fusion identify protection method based on cloud computing
CN102932140A (en) Key backup method for enhancing safety of cipher machine
US20180285219A1 (en) Adaptive data recovery for clustered data devices
CN105740733B (en) A kind of encryption mobile hard disk and its implementation
CN106302316A (en) Cipher management method and device, system
CN105205416A (en) Mobile hard disk password module
CN101118639A (en) Safety electric national census system
CN101533504A (en) Electric medical affairs system and device
CN101699456A (en) Computer security system and method thereof
CN105472030A (en) Remote mirror image method and system based on iSCSI
TWI789291B (en) Module and method for authenticating data transfer between a storage device and a host device
CN104732134B (en) Information safety devices and its authentication method with software protection function
CN102761559A (en) Private data-based network security sharing method and communication terminal

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2017-01-11