CN106712943A - Secure storage system - Google Patents

Secure storage system

Info

Publication number: CN106712943A
Authority: CN (China)
Application number: CN201710042299.0A
Original language: Chinese (zh)
Inventor: 徐洪志
Original assignee: 郑州云海信息技术有限公司
Priority date: 2017-01-20
Filing date: 2017-01-20
Publication date: 2017-05-24
Prior art keywords: key, storage, data, management server, encrypting module


Classifications

    • H: Electricity
      • H04: Electric communication technique
        • H04L: Transmission of digital information, e.g. telegraphic communication
          • H04L 63/00: Network architectures or network communication protocols for network security
            • H04L 63/04: ... for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428: ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L 63/06: ... for supporting key management in a packet data network
          • H04L 67/00: Network-specific arrangements or communication protocols supporting networked applications
            • H04L 67/28: ... for the provision of proxy services, e.g. intermediate processing or storage in the network
          • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
            • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L 9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
              • H04L 9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The invention discloses a secure storage system comprising a storage device for storing data. The storage device is provided with a storage agent and an encryption module. The storage agent sends key applications to a key management server, and the key management server passes the keys it generates in response to the encryption module; the encryption module encrypts or decrypts data using those keys. Because the storage agent and the encryption module are located inside the storage device, the user only has to manage the storage device. Compared with the prior art, in which an encryption machine is managed separately, the user's burden of managing devices in order to encrypt and decrypt data is reduced.

Description

Secure storage system

Technical field

The present invention relates to the field of storage technology, and more particularly to a secure storage system.

Background technology

At present there are few domestic secure storage system products. One of them is a secure storage system built around a gateway-type encryption machine that sits between the hosts and the storage: data produced by the client application host is first sent to the encryption machine, which encrypts it with a data key distributed by the Key Management Center (KMC) and then passes the encrypted data on to the storage device for storage. When data is retrieved, the encryption machine decrypts the data obtained from the storage device and then sends the result to the application host. In this kind of storage system the user has to manage not only the storage device but also, separately, the encryption machine, which places a considerable administrative burden on the user.

Summary of the invention

The object of the present invention is to provide a secure storage system that reduces the user's burden of managing devices compared with the prior art.

To achieve this object, the present invention provides the following technical solution:

A secure storage system comprising a storage device for storing data, wherein the storage device is provided with a storage agent and an encryption module;

the storage agent is configured to send a key application to a key management server and to pass the key that the key management server generates in response to the key application to the encryption module;

the encryption module is configured to encrypt or decrypt data using the key.

Optionally, storing data in the storage device comprises:

creating a storage pool in the storage device;

selecting disks, creating a disk array from them, and adding the disk array to the storage pool;

selecting a disk array in the storage pool and creating on it a logical volume for storing data.

Optionally, the encryption module being configured to encrypt or decrypt data using the key comprises:

the encryption module being specifically configured to:

in response to a write request, encrypt the data to be written using the key, with the logical volume as the unit of encryption, and write the encrypted data to the disk region corresponding to the logical volume;

in response to a read request, decrypt the data read from the disk region corresponding to the logical volume using the key.

Optionally, the storage agent being configured to send a key application to the key management server and to pass the key that the key management server generates in response to the key application to the encryption module comprises:

the storage agent being specifically configured to:

call the encryption module to generate a public/private key pair, send a first key application containing the public key to the key management server, and pass to the encryption module the device key that the key management server generates in response to the public key and encrypts with that public key;

send a second key application to the key management server, and pass to the encryption module the data encryption key that the key management server generates and encrypts with the device key;

send a third key application to the key management server, and pass to the encryption module the data key that the key management server generates and encrypts with the data encryption key; the encryption module encrypts or decrypts data using the data key.

Optionally, the encryption module is further configured to:

decrypt the encrypted device key using the private key and keep it;

decrypt the encrypted data encryption key using the device key and keep it;

decrypt the encrypted data key using the data encryption key and keep it.

Optionally, keys are transmitted between the key management server and the storage device over a channel that uses a secure encryption protocol.

Optionally, the encryption module is located in a controller of the storage device.

Optionally, one or two of the encryption modules are provided in the controller of the storage device.

Optionally, the storage device comprises two or four controllers.

As can be seen from the above technical solution, the secure storage system provided by the present invention comprises a storage device for storing data, and a storage agent and an encryption module are provided in the storage device. The storage agent applies for keys by sending key applications to the key management server and passes the keys the key management server generates in response to the encryption module, and the encryption module encrypts or decrypts data using those keys.

In the secure storage system of the present invention, the storage agent interacts with the key management server to apply for keys, and the encryption module performs the encryption and decryption using the keys. Since the storage agent and the encryption module are arranged inside the storage device, the user only needs to manage the storage device as a whole; the separate management of an encryption machine required by the prior art is avoided, and the user's burden of managing devices is reduced.

Brief description of the drawings

In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a schematic diagram of a secure storage system provided in an embodiment of the present invention;

Fig. 2 is a schematic diagram of the secure storage system provided in an embodiment of the present invention writing data to the storage device;

Fig. 3 is a schematic diagram of the secure storage system provided in an embodiment of the present invention reading data from the storage device;

Fig. 4 is a schematic diagram of a secure storage system provided in another embodiment of the present invention.

Detailed description of the embodiments

In order that those skilled in the art may better understand the technical solution of the present invention, the technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings of the embodiments. Clearly, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Referring to Fig. 1, a secure storage system provided in an embodiment of the present invention comprises a storage device 10 for storing data, and the storage device 10 is provided with a storage agent 100 and an encryption module 101;

the storage agent 100 is configured to send key applications to the key management server and to pass the keys that the key management server generates in response to the key applications to the encryption module 101;

the encryption module 101 is configured to encrypt or decrypt data using the keys.

Here the storage agent 100 interacts with the key management server, which is the Key Management Center (KMC) responsible for distributing and issuing keys.

As can be seen, in the secure storage system of this embodiment a storage agent and an encryption module are provided in the storage device. The storage agent applies for keys by sending key applications to the key management server, the keys generated by the key management server in response are passed to the encryption module, and the encryption module encrypts or decrypts data using those keys.

In the secure storage system of this embodiment, the storage agent interacts with the key management server to apply for keys, and the encryption module performs the encryption and decryption using the keys. Because both are arranged inside the storage device, the user only needs to manage the storage device as a whole; the separate management of an encryption machine required by the prior art is avoided, and the user's burden of managing devices is reduced.

The secure storage system of this embodiment is described further below. It comprises a storage device 10 for storing data.

Specifically, the architecture of the storage device 10 can be set up as follows; storing data in the storage device 10 comprises:

S100: creating a storage pool in the storage device;

S101: selecting disks, creating a disk array from them, and adding the disk array to the storage pool;

S102: selecting a disk array in the storage pool and creating on it a logical volume for storing data. A data logical volume may be made up of a segment of space on one disk array (RAID, Redundant Array of Independent Disks) in the storage pool, or it may be created across disk arrays, but a data logical volume can only use space provided by the disk arrays of its own storage pool.

S103: creating a file system on the logical volume, after which the volume can be used.

Preferably, in this embodiment the storage device 10 is a Storage Area Network (SAN) storage device. A SAN storage device uses Fibre Channel (FC) technology: storage devices and server hosts are connected through FC switches to form a local area network dedicated to data storage.

The storage device 10 is provided with a storage agent (SA) 100 and an encryption module 101. The storage agent interacts with the key management server: it sends key applications to the key management server, and the keys that the key management server generates in response are passed to the encryption module 101.

In this embodiment, the keys used in the storage device are divided into three levels: the data key (Data-Key), which encrypts data with the logical volume as the unit; the data encryption key (ED-Key), which encrypts the data key; and the device key (Storage-Key), which encrypts the data encryption key.

The storage agent 100 being configured to send key applications to the key management server and to pass the keys that the key management server generates in response to the encryption module comprises:

the storage agent 100 being specifically configured to:

call the encryption module to generate a public/private key pair, send a first key application containing the public key to the key management server, and pass to the encryption module the device key that the key management server generates in response to the public key and encrypts with that public key;

send a second key application to the key management server, and pass to the encryption module the data encryption key that the key management server generates and encrypts with the device key;

send a third key application to the key management server, and pass to the encryption module the data key that the key management server generates and encrypts with the data encryption key; the encryption module encrypts or decrypts data using the data key.

The encryption module 101 is further specifically configured to:

decrypt the encrypted device key using the private key and keep it;

decrypt the encrypted data encryption key using the device key and keep it;

decrypt the encrypted data key using the data encryption key and keep it.

Accordingly, in this embodiment the storage agent 100 interacts with the key management server, and key generation and distribution proceed as follows:

After the storage device is powered on, if it is coming online for the first time it first registers with the key management server through the storage agent 100. The storage agent 100 calls the encryption module 101 to generate a public/private key pair and sends a first key application containing the public key to the key management server. The key management server generates a device key (Storage-Key), encrypts it with the public key sent by the storage agent 100, and sends it to the storage device 10. The encryption module decrypts the encrypted device key with the private key and keeps it.

Applying for the data encryption key (ED-Key): the storage device 10 sends a second key application to the key management server through the storage agent 100. The key management server generates a data encryption key (ED-Key), encrypts it with the device key (Storage-Key), and sends it to the storage device 10. The encryption module 101 decrypts the data encryption key with the device key and keeps it.

Applying for the data key (Data-Key): the storage device 10 sends a third key application to the key management server through the storage agent 100. The key management server generates a data key (Data-Key), encrypts it with the data encryption key (ED-Key), and sends it to the storage device 10. The encryption module decrypts the data key with the data encryption key and keeps it.

After the storage device 10 is shut down, all keys held in the encryption module disappear. After the storage device 10 restarts, the storage agent applies to the key management server again for the Storage-Key, ED-Key and Data-Key, and they are stored in the encryption module once more.
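The three key applications above, as an added example that is not code from the patent or from the applicant: the key management server (KMC) and the storage device with its storage agent and encryption module are modelled in Go. The patent names no algorithms, so the choices here are assumptions: the first application encrypts the Storage-Key to the device's freshly generated public key with RSA-OAEP, and the second and third wrap the ED-Key and each logical volume's Data-Key with AES-256-GCM, with a label bound as associated data so that a wrapped key issued for one device or volume cannot be replayed as another's. The device identifier, the label strings and the 32-byte key sizes are likewise assumptions. The example also makes the consequence of the restart behaviour explicit: because the encryption module holds keys only in volatile memory, the KMC has to escrow every key it has ever issued and hand back the same keys after a restart, otherwise data written before the restart is unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Added example modelling the three key applications of CN106712943A; not the
// applicant's code. Algorithms, key sizes, device IDs and labels are assumptions.

// must panics on errors that mean a broken platform (no entropy, bad key
// length); protocol errors are returned to the caller instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// aead is AES-256-GCM under a 32-byte key-encryption key.
func aead(kek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(kek)))) }

// wrapKey encrypts inner under kek with a fresh nonce (prefixed to the blob).
// label is bound as associated data, so a blob issued for one device or
// volume cannot be replayed as another's.
func wrapKey(kek, inner []byte, label string) []byte {
	g := aead(kek)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, inner, []byte(label))
}

func unwrapKey(kek, blob []byte, label string) ([]byte, error) {
	g := aead(kek)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(label))
}

// KMC is the key management server. It must escrow every key it issues: the
// device keeps keys only in volatile memory and asks for the same Storage-Key,
// ED-Key and Data-Keys again after every restart.
type KMC struct{ keys map[string][]byte }

func NewKMC() *KMC { return &KMC{keys: map[string][]byte{}} }

// issue returns the escrowed key for id, generating it on the first request.
func (k *KMC) issue(id string) []byte {
	if k.keys[id] == nil {
		k.keys[id] = randomBytes(32)
	}
	return k.keys[id]
}

// FirstApplication: the device presents its public key and receives its
// Storage-Key encrypted to that key with RSA-OAEP.
func (k *KMC) FirstApplication(dev string, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k.issue("SK:"+dev), []byte(dev))
}

// SecondApplication: the ED-Key, wrapped under the device's Storage-Key.
func (k *KMC) SecondApplication(dev string) ([]byte, error) {
	if sk := k.keys["SK:"+dev]; sk != nil {
		return wrapKey(sk, k.issue("ED:"+dev), dev+"/ED-Key"), nil
	}
	return nil, errors.New("device has not completed the first application")
}

// ThirdApplication: one Data-Key per logical volume, wrapped under the ED-Key.
func (k *KMC) ThirdApplication(dev, vol string) ([]byte, error) {
	if ed := k.keys["ED:"+dev]; ed != nil {
		return wrapKey(ed, k.issue("DK:"+dev+"/"+vol), dev+"/"+vol), nil
	}
	return nil, errors.New("device has no ED-Key")
}

// Device is the storage device: the storage agent runs the exchange and the
// encryption module holds the private key and the unwrapped keys in volatile memory.
type Device struct {
	ID                string
	priv              *rsa.PrivateKey
	StorageKey, EDKey []byte
	DataKeys          map[string][]byte // logical volume -> Data-Key
}

func NewDevice(id string) *Device {
	return &Device{ID: id, priv: must(rsa.GenerateKey(rand.Reader, 2048))}
}

// Boot runs the three key applications in order, on first power-on and after
// every restart; a failure at any stage leaves the device without usable keys.
func (d *Device) Boot(kmc *KMC, volumes []string) (err error) {
	var blob []byte
	if blob, err = kmc.FirstApplication(d.ID, &d.priv.PublicKey); err == nil {
		d.StorageKey, err = rsa.DecryptOAEP(sha256.New(), nil, d.priv, blob, []byte(d.ID))
	}
	if err == nil {
		if blob, err = kmc.SecondApplication(d.ID); err == nil {
			d.EDKey, err = unwrapKey(d.StorageKey, blob, d.ID+"/ED-Key")
		}
	}
	d.DataKeys = make(map[string][]byte, len(volumes))
	for i := 0; err == nil && i < len(volumes); i++ {
		if blob, err = kmc.ThirdApplication(d.ID, volumes[i]); err == nil {
			d.DataKeys[volumes[i]], err = unwrapKey(d.EDKey, blob, d.ID+"/"+volumes[i])
		}
	}
	return err
}

// Shutdown models power-off: every key held by the encryption module is gone.
func (d *Device) Shutdown() { d.StorageKey, d.EDKey, d.DataKeys = nil, nil, nil }
```

Boot is what runs at first power-on and again after every restart, and Shutdown wipes the module. A device that has not completed the first application is refused an ED-Key, a wrapped blob presented under another volume's label does not open, and booting a device, shutting it down and booting it again returns the same Data-Key for each logical volume while the device holds nothing in between. What the example does not model is the transport: the patent only says the channel to the key management server uses a secure encryption protocol, and without an authenticated channel the first application (which carries an unauthenticated public key) is where an impostor device or server would have to be caught.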

The encryption module 101 is configured to encrypt or decrypt data using the data key.

Specifically, refer to Fig. 2 and Fig. 3: Fig. 2 is a schematic diagram of the secure storage system writing data to the storage device, and Fig. 3 is a schematic diagram of the secure storage system reading data from the storage device. The encryption module 101 being configured to encrypt or decrypt data using the key comprises:

the encryption module 101 being specifically configured to:

in response to a write request, encrypt the data to be written using the key, with the logical volume as the unit of encryption, and write the encrypted data to the disk region corresponding to the logical volume;

in response to a read request, decrypt the data read from the disk region corresponding to the logical volume using the key.

The encryption module 101 encrypts or decrypts data with the data key using the logical volume as the unit; that is, the storage device encrypts and decrypts data at the logical volume layer.
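Logical-volume-level encryption on the write and read path, as an added example that is not from the patent: each logical volume is a run of sectors on one disk array of the storage pool and has its own Data-Key loaded in the encryption module; a write encrypts the sector under that volume's key and stores the ciphertext at the corresponding physical sector, and a read does the reverse. The cipher is XTS-AES-256 (IEEE 1619) built on the Go standard library's AES, with the sector number as the tweak, which is what lets the device encrypt in place with no per-sector metadata. The patent only says the module supports the national commercial algorithms and AES, so the mode, the 64-byte key, the array and volume names and the sector size are assumptions. Ciphertext stealing is omitted, so sector sizes must be multiples of 16 bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example of per-logical-volume sector encryption for CN106712943A; not
// the applicant's code. XTS-AES, the 64-byte key and the layout are assumptions.

// mulAlpha multiplies the tweak by x in GF(2^128) (IEEE 1619, little-endian).
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xts runs XTS-AES over one sector. The tweak is the sector number, so equal
// plaintext encrypts differently at every position with nothing extra stored.
// No ciphertext stealing: len(in) must be a non-zero multiple of 16.
func xts(k1, k2 cipher.Block, sector uint64, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%16 != 0 {
		return nil, errors.New("sector length must be a non-zero multiple of 16")
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	k2.Encrypt(t[:], t[:]) // T = E_K2(sector)
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += 16 {
		blk := out[off : off+16]
		for j := range blk {
			blk[j] = in[off+j] ^ t[j]
		}
		if decrypt {
			k1.Decrypt(blk, blk)
		} else {
			k1.Encrypt(blk, blk)
		}
		for j := range blk {
			blk[j] ^= t[j]
		}
		mulAlpha(&t) // the next 16-byte block of this sector uses T*alpha
	}
	return out, nil
}

// Volume is a logical volume: sectors starting at Base on one disk array of
// the storage pool, plus the Data-Key the encryption module holds for it.
type Volume struct {
	Array  string
	Base   uint64
	k1, k2 cipher.Block // nil until LoadDataKey has run
}

// StorageDevice holds the volume table and, in disk, exactly what reaches the
// arrays (ciphertext only), keyed by "array:physical sector".
type StorageDevice struct {
	volumes map[string]*Volume
	disk    map[string][]byte
}

func NewStorageDevice(volumes map[string]*Volume) *StorageDevice {
	return &StorageDevice{volumes: volumes, disk: map[string][]byte{}}
}

// LoadDataKey installs a 64-byte XTS-AES-256 Data-Key (two AES-256 keys) for
// a volume, as the encryption module does after the third key application.
func (d *StorageDevice) LoadDataKey(name string, key []byte) (err error) {
	v, ok := d.volumes[name]
	if !ok || len(key) != 64 {
		return errors.New("unknown volume or Data-Key is not 64 bytes")
	}
	if v.k1, err = aes.NewCipher(key[:32]); err == nil {
		v.k2, err = aes.NewCipher(key[32:])
	}
	return err
}

// locate maps a volume LBA to its physical sector and checks a key is loaded.
func (d *StorageDevice) locate(name string, lba uint64) (*Volume, string, error) {
	v, ok := d.volumes[name]
	if !ok || v.k1 == nil {
		return nil, "", errors.New("no such volume or Data-Key not loaded: " + name)
	}
	return v, fmt.Sprintf("%s:%d", v.Array, v.Base+lba), nil
}

// Write encrypts one sector under the volume's Data-Key and stores the
// ciphertext in the volume's disk region.
func (d *StorageDevice) Write(name string, lba uint64, data []byte) error {
	v, addr, err := d.locate(name, lba)
	if err != nil {
		return err
	}
	ct, err := xts(v.k1, v.k2, lba, data, false)
	if err == nil {
		d.disk[addr] = ct
	}
	return err
}

// Read fetches the sector from the disk region and decrypts it.
func (d *StorageDevice) Read(name string, lba uint64) ([]byte, error) {
	v, addr, err := d.locate(name, lba)
	if err != nil {
		return nil, err
	}
	ct, ok := d.disk[addr]
	if !ok {
		return nil, errors.New("sector never written")
	}
	return xts(v.k1, v.k2, lba, ct, true)
}
```

A volume whose Data-Key has not arrived from the key management server cannot be read or written at all, and the disk map only ever holds ciphertext: the same 512-byte sector written to two LBAs, or to two volumes, produces different ciphertext each time. XTS, like the other disk-encryption modes, provides no integrity: a sector altered on the raw disk decrypts to garbage rather than to an error, which is why the volume-to-key mapping itself has to be right.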

In this embodiment, the encryption module 101 can support the national commercial cryptographic algorithms (the SM algorithms) and also supports the general-purpose AES algorithm.

Preferably, the key management server and the storage device 10 are connected through a channel that uses a secure encryption protocol, over which the keys are transmitted, ensuring the security of the transmission.

In this embodiment, the encryption module 101 is located in a controller of the storage device 10. The storage device may comprise two or four controllers, i.e. it may be a dual-controller or a four-controller storage device.

One or two encryption modules 101 may be provided in a controller of the storage device 10. The encryption module may specifically be an encryption card; the encryption card's own driver ensures that the more encryption cards are installed in a controller, the higher the encryption and decryption throughput.

In this embodiment, referring to Fig. 4, the storage device 10 may be connected to the key management server through an IP/FC switch. In that case the key management server can easily be connected to many storage devices 10 through IP/FC switches and perform key management for all of them.

Existing domestic secure storage system products are few, and the secure storage systems provided by foreign storage vendors do not support the national commercial cryptographic algorithms. The secure storage system of this embodiment not only supports the national commercial cryptographic algorithms that have passed national cryptographic certification but also supports the general-purpose AES algorithm, meeting current domestic application requirements.

The secure storage system provided by the present invention has been described in detail above. Specific examples have been used here to explain the principle and implementation of the invention; the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. It should be pointed out that those skilled in the art can make several improvements and modifications to the invention without departing from its principle, and such improvements and modifications also fall within the protection scope of the claims of the invention.

Claims (9)

1. A secure storage system, characterised in that it comprises a storage device for storing data, the storage device being provided with a storage agent and an encryption module;
the storage agent is configured to send a key application to a key management server and to pass the key that the key management server generates in response to the key application to the encryption module;
the encryption module is configured to encrypt or decrypt data using the key.
2. The secure storage system according to claim 1, characterised in that storing data in the storage device comprises:
creating a storage pool in the storage device;
selecting disks, creating a disk array from them, and adding the disk array to the storage pool;
selecting a disk array in the storage pool and creating on it a logical volume for storing data.
3. The secure storage system according to claim 2, characterised in that the encryption module being configured to encrypt or decrypt data using the key comprises:
the encryption module being specifically configured to:
in response to a write request, encrypt the data to be written using the key, with the logical volume as the unit of encryption, and write the encrypted data to the disk region corresponding to the logical volume;
in response to a read request, decrypt the data read from the disk region corresponding to the logical volume using the key.
4. The secure storage system according to claim 1, characterised in that the storage agent being configured to send a key application to the key management server and to pass the key that the key management server generates in response to the key application to the encryption module comprises:
the storage agent being specifically configured to:
call the encryption module to generate a public/private key pair, send a first key application containing the public key to the key management server, and pass to the encryption module the device key that the key management server generates in response to the public key and encrypts with that public key;
send a second key application to the key management server, and pass to the encryption module the data encryption key that the key management server generates and encrypts with the device key;
send a third key application to the key management server, and pass to the encryption module the data key that the key management server generates and encrypts with the data encryption key; the encryption module encrypts or decrypts data using the data key.
5. The secure storage system according to claim 4, characterised in that the encryption module is further configured to:
decrypt the encrypted device key using the private key and keep it;
decrypt the encrypted data encryption key using the device key and keep it;
decrypt the encrypted data key using the data encryption key and keep it.
6. The secure storage system according to claim 1, characterised in that keys are transmitted between the key management server and the storage device over a channel that uses a secure encryption protocol.
7. The secure storage system according to claim 1, characterised in that the encryption module is located in a controller of the storage device.
8. The secure storage system according to claim 7, characterised in that one or two of the encryption modules are provided in the controller of the storage device.
9. The secure storage system according to claim 8, characterised in that the storage device comprises two or four controllers.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710042299.0A CN106712943A (en) 2017-01-20 2017-01-20 Secure storage system


Publications (1)

Publication Number Publication Date
CN106712943A true CN106712943A (en) 2017-05-24

Family

ID=58909978


Country Status (1)

Country Link
CN (1) CN106712943A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107018208A (en) * 2017-06-07 2017-08-04 湖南麒麟信安科技有限公司 Data encryption method for a horizontally scalable SAN storage system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003032133A2 (en) * 2001-10-12 2003-04-17 Kasten Chase Applied Research Ltd. Distributed security architecture for storage area networks (san)
CN101788889A (en) * 2010-03-03 2010-07-28 浪潮(北京)电子信息产业有限公司 Memory virtualization system and method
CN101815078A (en) * 2009-02-24 2010-08-25 北京众志和达信息技术有限公司 Embedded type virtual tape library parallel memory system
CN104216805A (en) * 2014-08-26 2014-12-17 浪潮(北京)电子信息产业有限公司 System and method for link failure protection of disk cabinet at rear end of high-end disk array
CN104407939A (en) * 2014-11-24 2015-03-11 浪潮电子信息产业股份有限公司 Method and device for processing storage pool element data among plurality of controllers
CN105119719A (en) * 2015-10-16 2015-12-02 成都卫士通信息产业股份有限公司 Key management method of secure storage system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈少春: 《计算机存储技术与应用》 (Computer Storage Technology and Applications), 31 December 2014 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination