CN106713334A - Encryption method, decryption method, access method and corresponding apparatuses of virtual storage volume - Google Patents
- Publication number
- CN106713334A (application number CN201611264455.XA)
- Authority
- CN
- China
- Prior art keywords
- storage volume
- information
- metadata
- user
- authentication information
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The invention discloses an encryption method, decryption method, access method and corresponding apparatuses of a virtual storage volume, applied to the virtual storage volume. The encryption method comprises the following steps: obtaining a user encryption request, wherein the user encryption request comprises user information and information of the storage volume; reading metadata stored in a metadata area corresponding to the storage volume according to the information of the storage volume; converting the metadata into metadata ciphertext by using an encryption algorithm; generating first authentication information according to the user information and the information of the storage volume; and storing the metadata ciphertext, the first authentication information and a security classification identifier in the corresponding metadata area so as to accomplish an encryption operation of the storage volume. By adoption of the encryption method disclosed by the invention, the security of the data can be ensured; and compared with the manner of integrally encrypting the storage volume in the prior art, the timeliness of accessing the encrypted storage volume can be greatly improved.
Description
Technical field
The present invention relates to data processing, and more particularly to the processing of data in virtual storage.
Background technology
In the field of cloud computing, storage resources are virtualized and consumed by virtual machines in the form of virtual storage. The underlying storage resource may be an ordinary local hard disk, fibre channel storage, NFS network storage, iSCSI network storage or other distributed storage; it is handed to the virtual machine by mounting it as a storage volume. These storage volumes are stored in a general-purpose virtual disk format, and besides the user data they also reserve space to record metadata such as the size, type and organisational format of the virtual disk. Apart from being accessed by mounting it to a virtual machine, a virtual storage volume can also be copied elsewhere over the network or locally, and its contents can then be parsed with virtual disk tools.

However, in fields such as cloud computing and virtualization, a virtual machine's disk is generally stored as an image file, a logical disk, a network block device or another form of virtual storage, and such volumes are usually kept in plaintext in a general virtual disk format, so the data is exposed to security hazards such as theft and unauthorised tampering. A single logged-in user can mount the virtual disk of any virtual machine in the cloud system and inspect or modify it, which is a serious risk of misuse and information leakage. In addition, encryption is typically applied to the whole file or the whole data block, so every read or write of user data entails encryption or decryption; this consumes a great deal of resources and seriously degrades the overall performance of the system. On the user-authentication side, the user's authentication information is usually kept in a specific database, and loss of the key or of the database directly leaves the user unable to access the data.
Summary of the invention
To overcome the deficiencies of the prior art, a first object of the present invention is to provide an encryption method for a virtual storage volume, which solves the problem that, in the prior art, encrypting a virtual storage volume consumes a large amount of resources and affects the overall performance of the system.
The first object of the present invention is achieved by the following technical scheme:
The invention provides an encryption method for a virtual storage volume. The data storage format of the virtual storage volume comprises a metadata area and a user data area; the metadata area comprises a metadata information area and a slack area (a reserved slot in the metadata area); the metadata information area is used to store metadata, where metadata means data related to the information of the storage volume; and the user data area is used to store user data. The encryption method comprises the following steps:
S11: obtain a user encryption request, the user encryption request comprising the information of the user and the information of the storage volume;
S12: read, according to the information of the storage volume, the metadata stored in the metadata area corresponding to the storage volume;
S13: convert the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext by means of an encryption algorithm;
S14: generate first authentication information according to the information of the user and the information of the storage volume;
S15: store the metadata ciphertext, the first authentication information and a security level identifier in the corresponding metadata area, thereby completing the encryption operation on the storage volume; wherein the security level identifier is used to identify the data of the storage volume and is preset by the system.
Preferably, the encryption algorithm is any one of a codebook cipher, the DES encryption algorithm, the 3DES encryption algorithm, the RC2 encryption algorithm, the RC4 encryption algorithm, the International Data Encryption Algorithm (IDEA) and the Advanced Encryption Standard (AES).
To overcome the deficiencies of the prior art, a second object of the present invention is to provide an encryption device for a virtual storage volume, which solves the problem that, in the prior art, encrypting a virtual storage volume consumes a large amount of resources and affects the overall performance of the system.
The second object of the present invention is achieved by the following technical scheme:
The invention provides an encryption device for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user encryption request, the user encryption request comprising the information of the user and the information of the storage volume;
a metadata acquisition module, for reading, according to the information of the storage volume, the metadata stored in the metadata area corresponding to the storage volume;
an encryption module, for converting the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext by means of an encryption algorithm;
an authentication information generation module, for generating first authentication information according to the information of the user and the information of the storage volume; and
a storage module, for storing the metadata ciphertext, the first authentication information and a security level identifier in the corresponding metadata area, thereby completing the encryption operation on the storage volume; wherein the security level identifier is used to identify the data of the storage volume and is preset by the system.
To overcome the deficiencies of the prior art, a third object of the present invention is to provide a decryption method for a virtual storage volume, which solves the problem that, in the prior art, decrypting a virtual storage volume consumes a large amount of resources and affects the overall performance of the system.
The third object of the present invention is achieved by the following technical scheme:
The present invention further provides a decryption method for a virtual storage volume, applied to a virtual storage volume that has been encrypted by the encryption method for a virtual storage volume described above. The decryption method comprises the following steps:
S21: obtain a user decryption request, the user decryption request comprising the information of the user and the information of the storage volume;
S23: generate second authentication information according to the information of the user and the information of the storage volume;
S24: read the first authentication information in the storage volume and judge whether the first authentication information is consistent with the second authentication information; if they are consistent, perform S25;
S25: obtain the metadata ciphertext of the storage volume, convert the metadata ciphertext into metadata by means of the encryption algorithm, then write the metadata into the metadata area corresponding to the storage volume, and at the same time remove the security level identifier and the first authentication information stored in the storage volume.
Preferably, a step S22 is also included between step S21 and step S23: find the corresponding storage volume according to the information of the storage volume and read the security level identifier stored in the storage volume; then judge whether that security level identifier is consistent with the security level identifier preset by the system; if consistent, perform S23; if inconsistent, return or exit.
To overcome the deficiencies of the prior art, a fourth object of the present invention is to provide a decryption device for a virtual storage volume, which solves the problem that, in the prior art, decrypting a virtual storage volume consumes a large amount of resources and affects the overall performance of the system.
The fourth object of the present invention is achieved by the following technical scheme:
The present invention further provides a decryption device for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user decryption request, the user decryption request comprising the information of the user and the information of the storage volume;
an authentication information generation module, for generating second authentication information according to the information of the user and the information of the storage volume;
an authentication module, for reading the first authentication information in the storage volume and judging whether the first authentication information is consistent with the second authentication information; if consistent, the decryption module is executed; and
a decryption module, for obtaining the metadata ciphertext of the storage volume, converting the metadata ciphertext into metadata by means of the encryption algorithm, then writing the metadata into the metadata area corresponding to the storage volume, and at the same time removing the security level identifier and the first authentication information stored in the storage volume.
To overcome the deficiencies of the prior art, a fifth object of the present invention is to provide an access method for a virtual storage volume, which solves problems such as the slow access processing and low efficiency of virtual storage volumes in the prior art.
The fifth object of the present invention is achieved by the following technical scheme:
The present invention further provides an access method for a virtual storage volume, applied to a storage volume encrypted by the encryption method for a virtual storage volume described above, comprising the following steps:
S31: obtain a user access request, the user access request comprising the information of the user and the information of the storage volume;
S32: read, according to the information of the storage volume, the data in the metadata area of the corresponding storage volume to obtain the security level identifier of the storage volume, and judge according to the security level identifier whether the storage volume is an encrypted volume; if not, perform the read or write operation directly on the storage volume; if so, perform S33;
S33: perform the corresponding operation on the storage volume according to the user access request.
Preferably, S33 is specifically as follows. When the user access request is a read operation: first generate second authentication information according to the information of the user and the information of the storage volume, and judge whether the second authentication information is consistent with the first authentication information in the storage volume; if consistent, read the metadata ciphertext of the storage volume, convert the metadata ciphertext into metadata according to the encryption algorithm, and return it to the user.
When the user access request is a write operation: first generate first authentication information according to the information of the user and the information of the storage volume, then convert the metadata to be written into metadata ciphertext by means of the encryption algorithm, and then store the security level identifier, the metadata ciphertext and the first authentication information together in the metadata area corresponding to the storage volume.
To overcome the deficiencies of the prior art, a sixth object of the present invention is to provide an access device for a virtual storage volume, which solves problems such as the slow access processing and low efficiency of virtual storage volumes in the prior art.
The sixth object of the present invention is achieved by the following technical scheme:
The present invention further provides an access device for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user access request, the user access request comprising the information of the user and the information of the storage volume;
a judging module, for reading, according to the information of the storage volume, the data in the metadata area of the corresponding storage volume to obtain the security level identifier of the storage volume, and judging according to the security level identifier whether the storage volume is an encrypted volume; if not, the read or write operation is performed directly on the storage volume; if so, the processing module is executed; and
a processing module, for performing the corresponding operation on the storage volume according to the user access request.
Preferably, the processing module operates as follows. When the user access request is a read operation: generate second authentication information according to the information of the user and the information of the storage volume, and judge whether the second authentication information is consistent with the first authentication information in the storage volume; if consistent, read the metadata ciphertext of the storage volume, convert the metadata ciphertext into metadata according to the encryption algorithm, and return it to the user.
When the user access request is a write operation: first generate first authentication information according to the information of the user and the information of the storage volume, then convert the metadata to be written into metadata ciphertext by means of the encryption algorithm, and then store the security level identifier, the metadata ciphertext and the first authentication information together in the metadata area corresponding to the storage volume.
Compared with the prior art, the beneficial effects of the present invention are as follows. Because only the metadata part is processed during encryption and decryption, encryption is very fast and completes almost instantly. After encryption according to the invention, the virtual storage volume cannot be mounted outside the system, nor can the contents of the encrypted volume be parsed with conventional virtual disk tools, which ensures the security of the data. Inside the system, authentication must be passed before an encrypted volume can be used; if authentication fails, the encrypted volume cannot be accessed, so the user's data remains protected inside the system as well. At the same time, the processing efficiency of the system during access is greatly improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data storage format of the storage volume provided by the present invention;
Fig. 2 is a flow chart of the encryption method for a virtual storage volume provided by the present invention;
Fig. 3 is a module diagram of the encryption device for a virtual storage volume provided by the present invention;
Fig. 4 is a flow chart of the decryption method for a virtual storage volume provided by the present invention;
Fig. 5 is a module diagram of the decryption device for a virtual storage volume provided by the present invention;
Fig. 6 is a flow chart of the access method for a virtual storage volume provided by the present invention;
Fig. 7 is a module diagram of the access method for a virtual storage volume provided by the present invention.
Specific embodiment
The present invention is further described below with reference to the accompanying drawings and specific embodiments.
As shown in Figs. 1 to 7, the present invention concerns data processing in a virtual storage volume. In general, a storage volume comprises a metadata information area, a slack area and a user data area. The metadata information area holds non-user data such as the storage volume format identifier, the corresponding format version, the creation timestamp, the storage volume size, the currently used space, a unique identifier and check information. The slack area is space reserved in the storage volume that is not used under normal circumstances, and the user data area is where user data is stored. The metadata information area and the slack area are collectively called the metadata area, i.e. the non-user area. When a user accesses data in the storage volume, it is the data stored in the user data area that is accessed.
The encryption method for a virtual storage volume provided by the present invention uses the space of the slack area to store the user's authentication information, so encryption neither affects data storage nor causes the user's authentication information to be lost or leaked. Furthermore, only the metadata area (comprising the metadata information area and the slack area) is processed during encryption, so encryption is fast and its efficiency is greatly improved.
As shown in Fig. 1, the invention provides an encryption method for virtual storage, comprising the following steps:
S11: obtain a user encryption request, the user encryption request comprising the information of the user and the information of the storage volume.
Here, the information of the user comprises a user id and the information of the storage volume comprises a storage volume id. The user id identifies the user and the storage volume id identifies the storage volume, so from the user encryption request the system learns which storage volume the user wants encrypted.
S12: read, according to the information of the storage volume, the metadata stored in the metadata area corresponding to the storage volume.
After the system receives the user's instruction to encrypt a certain storage volume, it first reads, according to the storage volume id, the metadata stored in the metadata area corresponding to that storage volume. Because the metadata area comprises the metadata information area and the slack area, and the slack area stores no data, the metadata is simply the data stored in the metadata information area: the storage volume format identifier, the corresponding format version, the creation timestamp, the storage volume size, the currently used space, the unique identifier, the check information and similar data.
S13: convert the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext by means of an encryption algorithm.
The encryption algorithm may be any existing, relatively mature algorithm, such as a codebook cipher, the DES encryption algorithm, the 3DES encryption algorithm, the RC2 encryption algorithm, the RC4 encryption algorithm, the International Data Encryption Algorithm (IDEA) or the Advanced Encryption Standard (AES). Because such algorithms are mature technical means, they are not discussed in detail here. The metadata is converted into metadata ciphertext by the encryption algorithm. Encryption in the present invention takes the metadata as its unit, which greatly improves encryption efficiency: unlike the prior art, all the data of the whole storage volume does not have to be processed together, so the performance of the system is not badly affected.
S14: generate first authentication information according to the information of the user and the information of the corresponding storage volume.
After the metadata has been converted into metadata ciphertext, the corresponding first authentication information is generated; that is, the first authentication information is generated according to the information of the user and the information of the storage volume. Different storage volumes can therefore be distinguished from one another, and a one-to-one relationship is formed between the user and the storage volume.
S15: store the metadata ciphertext, the first authentication information and the security level identifier in the corresponding metadata area, so that the storage volume becomes an encrypted volume and the encryption of the storage volume is complete. The security level identifier is preset by the system and is used to identify the data; it may be a number, text, a character string or other data.
After the metadata has been encrypted, the metadata ciphertext, the first authentication information and the security level identifier assigned by the system are stored together in the corresponding metadata area, that is, in the metadata information area and the slack area. Before encryption the slack area holds no data, and the present invention exploits exactly this point: after encryption, the first authentication information, the security level identifier and similar information are stored in the slack area, so the data in the user data area is not changed, and because the authentication information is stored in the storage volume itself it cannot be lost or leaked. After processing by the encryption method provided by the present invention, each piece of metadata in the encrypted volume has a corresponding metadata ciphertext, first authentication information and security level identifier.
The present invention also provides a specific example to illustrate the above encryption method:
At encryption time, the system prepares in advance a specific data string A for each storage volume, to be used as the security level identifier, for example the string "XXXXXXX".
The system first obtains the user encryption request, which asks the system to perform encryption; the encryption request carries information such as the user id and the storage volume id of the volume to be encrypted.
The corresponding storage volume is then found by its storage volume id, and the metadata B stored in the metadata area of that storage volume is read, for example metadata B1 and metadata B2 in the figure.
Metadata B is then converted into metadata ciphertext C by the encryption algorithm; the encryption algorithm may be the DES symmetric encryption algorithm. These correspond to metadata ciphertext C1 and metadata ciphertext C2 in the figure.
The user id and the storage volume id are then combined into one group of data D, from which the first authentication message E is generated by a hash algorithm.
Finally, the security level identifier A, the metadata ciphertext C and the first authentication information E are written to the storage volume together, overwriting the original metadata area to form the encrypted volume and completing the encryption operation. When the security level identifier A, the metadata ciphertext C and the first authentication information E are stored in the metadata area, all three writes must succeed; if any one of them fails, the write must be repeated, so that the consistency of the data is guaranteed. The three may be written to the metadata area in the order security level identifier, metadata ciphertext, authentication information.
Because the encryption algorithm is not known outside the system, a virtual storage volume processed by this encryption method cannot be mounted outside the system, nor can the contents of the encrypted volume be parsed with conventional virtual disk tools. In addition, after authentication an encrypted volume is used exactly like an ordinary storage volume, while the underlying storage volume contents remain in ciphertext; even if, during use, the storage volume is illegally copied and stolen from the underlying storage, the plaintext still cannot be obtained without knowing the system's encryption algorithm or authentication mechanism. Inside the system, authentication must be passed before an encrypted volume can be used; if authentication fails, the encrypted volume cannot be accessed, so the user's data remains protected inside the system as well.
The present invention further provides an encryption device corresponding to the encryption method for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user encryption request, the user encryption request comprising the information of the user and the information of the storage volume;
a metadata acquisition module, for reading, according to the information of the storage volume, the metadata stored in the metadata area corresponding to the storage volume;
an encryption module, for converting the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext by means of an encryption algorithm;
an authentication information generation module, for generating first authentication information according to the information of the user and the information of the storage volume; and
a storage module, for storing the metadata ciphertext, the first authentication information and a security level identifier in the corresponding metadata area, thereby completing the encryption operation on the storage volume; wherein the security level identifier is used to identify the data of the storage volume and is preset by the system.
The present invention further provides a decryption method for a virtual storage volume; the decryption method is the reverse of the encryption method. The decryption method comprises the following steps:
S21: obtain a user decryption request, the user decryption request comprising the information of the user and the information of the storage volume;
S22: find the corresponding storage volume according to the information of the storage volume and read the security level identifier of the storage volume; when the security level identifier is the security level identifier preset by the system, perform S23;
S23: generate second authentication information according to the information of the user and the information of the storage volume;
S24: read the first authentication information in the storage volume and judge whether the first authentication information is consistent with the second authentication information; if consistent, perform S25;
S25: obtain the metadata ciphertext of the storage volume, convert the metadata ciphertext into metadata by means of the encryption algorithm, finally write the metadata into the metadata area corresponding to the storage volume, and at the same time remove the security level identifier and the first authentication information stored in the storage volume.
The present invention also provides an example to illustrate the decryption method, which comprises the following steps:
The user's decryption request for the storage volume is obtained first; the user decryption request includes the user id, the storage volume id and so on.
The corresponding storage volume is then looked up by its storage volume id, and the storage volume is read to obtain the first security level identifier A1.
The first security level identifier A1 is compared with the security level identifier A preset by the system. If they are identical, the storage volume is an encrypted volume and the decryption operation can proceed; if they differ, the storage volume is not an encrypted volume, or the user has no access right, and the operation exits or ends.
One group of data F is then formed from the user id and the storage volume id, and the second authentication message G is generated from it by the hash algorithm.
The first authentication message E is then read from the storage volume, and the second authentication message G is compared with the first authentication information E; if they differ, the request fails and the operation exits or ends.
When the first authentication information E and the second authentication information G are identical, the encrypted volume can be decrypted: the metadata ciphertext H in the storage volume is read and decrypted by the DES symmetric encryption algorithm to obtain metadata I.
Metadata I is then written into the metadata area corresponding to the storage volume, and at the same time the security level identifier A1 and the first authentication information E are removed from the storage volume. This completes the decryption of the encrypted volume.
The present invention further provides a decryption device corresponding to the decryption method for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user decryption request, the user decryption request comprising the information of the user and the information of the storage volume;
an authentication information generation module, for generating second authentication information according to the information of the user and the information of the storage volume;
an authentication module, for reading the first authentication information in the storage volume and judging whether the first authentication information is consistent with the second authentication information; if consistent, the decryption module is executed; and
a decryption module, for obtaining the metadata ciphertext of the storage volume, converting the metadata ciphertext into metadata by means of the encryption algorithm, then writing the metadata into the metadata area corresponding to the storage volume, and at the same time removing the security level identifier and the first authentication information stored in the storage volume.
The present invention also provides an access method for a virtual storage volume. The access method applies to a virtual storage volume that has been encrypted with the foregoing encryption method, and comprises the following steps:
S31: A user access request is obtained; the user access request includes information of the user and information of the storage volume;
S32: The data in the metadata area of the corresponding storage volume is read according to the information of the storage volume to obtain the security level identifier of the storage volume, and it is judged whether the storage volume is an encrypted volume; if not, read and write operations are performed on the storage volume directly; if so, S33 is performed;
S33: The corresponding operation is performed on the storage volume according to the user access request.
Preferably, the access request covers two cases, a read operation and a write operation on the storage volume, so S33 specifically further includes:
When the user access request is a read operation: second authentication information is generated from the information of the user and the information of the storage volume, and it is judged whether the second authentication information is consistent with the first authentication information in the storage volume; if so, the metadata ciphertext of the storage volume is read, converted to metadata with the encryption algorithm, and returned to the user. That is, the metadata ciphertext in the storage volume is decrypted and then returned to the user.
When the user access request is a write operation: first authentication information is generated from the information of the user and the information of the storage volume; the metadata to be written is then converted to metadata ciphertext with the encryption algorithm; and the security level identifier, the metadata ciphertext and the first authentication information are stored together in the corresponding metadata area of the storage volume. That is, the metadata to be written is converted to metadata ciphertext before it is stored. The metadata to be written here refers to the data generated when the user stores user data to the corresponding storage volume, such as which data region of the storage volume the user data is to be stored in, how large it is, and how much space of the storage volume it occupies.
The present invention likewise provides an example of the access method for a virtual storage volume, comprising the following steps:
The system first obtains a user access request, which includes the user id and the storage volume id.
The corresponding storage volume is then read according to the storage volume id to obtain its security level identifier. If this identifier differs from the preset security level identifier (for example, the identifier is set to A at encryption time), the storage volume is not an encrypted volume and the user can access it directly. If they are identical:
If the user access is a read operation, a data set J is first formed from the user id and the storage volume id, and the second authentication information is generated from it with a one-way hash algorithm; it is then judged whether this second authentication information is consistent with the authentication information stored in the storage volume. If so, the corresponding metadata ciphertext is read from the storage volume, converted to metadata with the encryption algorithm, and returned to the user's access.
If the user access is a write operation, a data set J is first formed from the user id and the storage volume id, and the first authentication information is generated from it with a one-way hash algorithm.
The metadata to be written is then converted to metadata ciphertext with the encryption algorithm, and finally the security level identifier, the metadata ciphertext and the first authentication information are written together to the corresponding position of the storage volume.
The first authentication information referred to in the present invention is the authentication information generated during the encryption operation; it is stored in the storage volume together with the security level identifier and the metadata ciphertext. The second authentication information is the authentication information generated during the decryption operation; it is used for the authentication judgement, for example to verify the identity of the user.
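As an added worked example, and not code from the patent or its applicant, the following Go program implements the decryption procedure of the example above (steps S21-S25, including the security level check) together with the read and write paths of the access example (S31-S33), starting from the encryption that produces the encrypted volume. Everything the text leaves open is an assumption of this example and is marked as such in the code: the `Volume` struct standing in for the metadata area, SHA-256 as the hash over the (user id, storage volume id) data set, DES in CBC mode with PKCS#7 padding and a constant IV, the preset identifier `"A"`, and the 8-byte key, ids and metadata strings, which are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// PresetLevelID is the system-preset security level identifier ("A" in the text).
const PresetLevelID = "A"

// ErrAuth is returned when the recomputed (second) authentication information does not match the stored (first) one.
var ErrAuth = errors.New("authentication information mismatch")

// Volume models one volume's metadata area; the field layout is an assumption of this example.
type Volume struct {
	ID         string
	Metadata   []byte // plaintext metadata (metadata information area)
	Ciphertext []byte // metadata ciphertext, present only on an encrypted volume
	AuthInfo   []byte // first authentication information
	LevelID    string // security level identifier, empty on a plain volume
}

// authInfo hashes the data set (user id, volume id); the text names no hash, so SHA-256 and the separator are assumptions.
func authInfo(userID, volumeID string) []byte {
	sum := sha256.Sum256([]byte(userID + "\x00" + volumeID))
	return sum[:]
}

// desCBC applies DES in CBC mode with PKCS#7 padding. Mode, padding and the all-zero IV
// are assumptions (the text names DES only); a deployment would use a random IV per volume.
func desCBC(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key) // key must be exactly 8 bytes
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if encrypt {
		n := des.BlockSize - len(data)%des.BlockSize
		padded := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
		out := make([]byte, len(padded))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
		return out, nil
	}
	if len(data) == 0 || len(data)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	if n := int(out[len(out)-1]); n >= 1 && n <= des.BlockSize && n <= len(out) {
		return out[:len(out)-n], nil
	}
	return nil, errors.New("bad padding")
}

// Encrypt performs S13-S15 on meta: ciphertext, first authentication information and level identifier go into the metadata area.
func Encrypt(v *Volume, userID string, key, meta []byte) error {
	ct, err := desCBC(key, meta, true)
	if err != nil {
		return err
	}
	v.Ciphertext, v.AuthInfo, v.LevelID, v.Metadata = ct, authInfo(userID, v.ID), PresetLevelID, nil
	return nil
}

// ReadMetadata is the S31-S33 read path: plain volumes are read directly, encrypted ones only after the authentication check.
func ReadMetadata(v *Volume, userID string, key []byte) ([]byte, error) {
	if v.LevelID != PresetLevelID {
		return v.Metadata, nil
	}
	if !hmac.Equal(authInfo(userID, v.ID), v.AuthInfo) { // constant-time comparison
		return nil, ErrAuth
	}
	return desCBC(key, v.Ciphertext, false)
}

// WriteMetadata is the S33 write path: an encrypted volume is re-sealed with fresh authentication information for the writing user.
func WriteMetadata(v *Volume, userID string, key, meta []byte) error {
	if v.LevelID != PresetLevelID {
		v.Metadata = meta
		return nil
	}
	return Encrypt(v, userID, key, meta)
}

// Decrypt is the decryption method (S21-S25 incl. the S22 level check): plaintext is restored, level identifier and authentication information removed.
func Decrypt(v *Volume, userID string, key []byte) error {
	if v.LevelID != PresetLevelID {
		return errors.New("storage volume is not an encrypted volume")
	}
	pt, err := ReadMetadata(v, userID, key)
	if err != nil {
		return err
	}
	v.Metadata, v.Ciphertext, v.AuthInfo, v.LevelID = pt, nil, nil, ""
	return nil
}
```

Two points a practitioner should take from running this. The authentication information is a hash over public identifiers, so a matching value shows that the request names the user the volume was sealed for; it does not prove possession of a secret, which is why the comparison is done in constant time but the real access control rests on who can obtain the DES key and on how the write path, which re-derives the first authentication information from the writing user's id, is authorised. The security level check also comes before any cryptographic work, exactly as in S22 and S32, so a plain volume is never fed into the decryption routine.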
The present invention also provides an access device corresponding to the access method for a virtual storage volume. It comprises:
A request acquisition module, for obtaining a user access request, the user access request including information of the user and information of the storage volume;
A judgement module, for reading the data in the metadata area of the corresponding storage volume according to the information of the storage volume to obtain the security level identifier of the storage volume, and judging from the security level identifier whether the storage volume is an encrypted volume; if not, read and write operations are performed on the storage volume directly; if so, the processing module is executed;
A processing module, for performing the corresponding operation on the storage volume according to the user access request.
Preferably, the processing module operates as follows. When the user access request is a read operation: second authentication information is generated from the information of the user and the information of the storage volume, and it is judged whether the second authentication information is consistent with the first authentication information in the storage volume; if so, the metadata ciphertext of the storage volume is read, converted to metadata with the encryption algorithm, and returned to the user.
When the user access request is a write operation: first authentication information is generated from the information of the user and the information of the storage volume; the metadata to be written is then converted to metadata ciphertext with the encryption algorithm; and the security level identifier, the metadata ciphertext and the first authentication information are stored together in the corresponding metadata area of the storage volume.
It will be apparent to those skilled in the art that various other changes and modifications may be made on the basis of the technical scheme and concept described above, and all such changes and modifications fall within the scope of protection of the claims of the present invention.
Claims (10)
1. An encryption method for a virtual storage volume, characterized in that the data storage format of the virtual storage volume includes a metadata area and a user data area; the metadata area includes a metadata information area and a slot; the metadata information area is used to store metadata, the metadata being data related to the information of the storage volume; the user data area is used to store user data; and the encryption method comprises the following steps:
S11: A user encryption request is obtained, the user encryption request including information of the user and information of the storage volume;
S12: The metadata stored in the metadata area corresponding to the storage volume is read according to the information of the storage volume;
S13: The metadata stored in the metadata area corresponding to the storage volume is converted to metadata ciphertext with an encryption algorithm;
S14: First authentication information is generated from the information of the user and the information of the storage volume;
S15: The metadata ciphertext, the first authentication information and a security level identifier are stored in the corresponding metadata area, thereby completing the encryption operation on the storage volume; wherein the security level identifier is used to identify the data of the storage volume and is preset by the system.
2. The encryption method for a virtual storage volume of claim 1, characterized in that the encryption algorithm is any one of a codebook, the DES encryption algorithm, the 3DES encryption algorithm, the RC2 encryption algorithm, the RC4 encryption algorithm, the IDEA international data encryption algorithm, and the AES advanced encryption algorithm.
3. An encryption device for a virtual storage volume, characterized in that it comprises:
A request acquisition module, for obtaining a user encryption request, the user encryption request including information of the user and information of the storage volume;
A metadata acquisition module, for reading the metadata stored in the metadata area corresponding to the storage volume according to the information of the storage volume;
An encryption module, for converting the metadata stored in the metadata area corresponding to the storage volume to metadata ciphertext with an encryption algorithm;
An authentication information generation module, for generating first authentication information from the information of the user and the information of the storage volume;
A storage module, for storing the metadata ciphertext, the first authentication information and a security level identifier in the corresponding metadata area, thereby completing the encryption operation on the storage volume; wherein the security level identifier is used to identify the data of the storage volume and is preset by the system.
4. A decryption method for a virtual storage volume, characterized in that it applies to a virtual storage volume encrypted with the encryption method for a virtual storage volume of claim 1, and the decryption method comprises the following steps:
S21: A user decryption request is obtained, the user decryption request including information of the user and information of the storage volume;
S23: Second authentication information is generated from the information of the user and the information of the storage volume;
S24: The first authentication information is read from the storage volume, and it is judged whether the first authentication information and the second authentication information are consistent; when they are consistent, S25 is performed;
S25: The metadata ciphertext of the storage volume is obtained, the metadata ciphertext is converted to metadata with the encryption algorithm, and the metadata is then written to the corresponding metadata area of the storage volume, while the security level identifier and the first authentication information stored in the storage volume are removed.
5. The decryption method for a virtual storage volume of claim 4, characterized in that between steps S21 and S23 it further includes S22: the corresponding storage volume is looked up according to the information of the storage volume, and the security level identifier stored in the storage volume is read; it is then judged whether this security level identifier is consistent with the system-preset security level identifier; if consistent, S23 is performed; if inconsistent, the method returns or exits.
6. A decryption device for a virtual storage volume, characterized in that it comprises:
A request acquisition module, for obtaining a user decryption request, the user decryption request including information of the user and information of the storage volume;
An authentication information generation module, for generating second authentication information from the information of the user and the information of the storage volume;
An authentication module, for reading the first authentication information from the storage volume and judging whether the first authentication information and the second authentication information are consistent; when they are consistent, the decryption module is executed;
A decryption module, for obtaining the metadata ciphertext of the storage volume, converting the metadata ciphertext to metadata with the encryption algorithm, and then writing the metadata to the corresponding metadata area of the storage volume, while removing the security level identifier and the first authentication information stored in the storage volume.
7. An access method for a virtual storage volume, the access method applying to a storage volume encrypted with the encryption method for a virtual storage volume of claim 1, characterized in that it comprises the following steps:
S31: A user access request is obtained, the user access request including information of the user and information of the storage volume;
S32: The data in the metadata area of the corresponding storage volume is read according to the information of the storage volume to obtain the security level identifier of the storage volume, and it is judged from the security level identifier whether the storage volume is an encrypted volume; if not, read and write operations are performed on the storage volume directly; if so, S33 is performed;
S33: The corresponding operation is performed on the storage volume according to the user access request.
8. The access method for a virtual storage volume of claim 7, characterized in that S33 is specifically:
When the user access request is a read operation: second authentication information is generated from the information of the user and the information of the storage volume, and it is judged whether the second authentication information is consistent with the first authentication information in the storage volume; if so, the metadata ciphertext of the storage volume is read, converted to metadata with the encryption algorithm, and returned to the user;
When the user access request is a write operation: first authentication information is generated from the information of the user and the information of the storage volume; the metadata to be written is then converted to metadata ciphertext with the encryption algorithm; and the security level identifier, the metadata ciphertext and the first authentication information are stored together in the corresponding metadata area of the storage volume.
9. An access device for a virtual storage volume, characterized in that it comprises:
A request acquisition module, for obtaining a user access request, the user access request including information of the user and information of the storage volume;
A judgement module, for reading the data in the metadata area of the corresponding storage volume according to the information of the storage volume to obtain the security level identifier of the storage volume, and judging from the security level identifier whether the storage volume is an encrypted volume; if not, read and write operations are performed on the storage volume directly; if so, the processing module is executed;
A processing module, for performing the corresponding operation on the storage volume according to the user access request.
10. The access device for a virtual storage volume of claim 9, characterized in that the processing module is specifically:
When the user access request is a read operation: second authentication information is generated from the information of the user and the information of the storage volume, and it is judged whether the second authentication information is consistent with the first authentication information in the storage volume; if so, the metadata ciphertext of the storage volume is read, converted to metadata with the encryption algorithm, and returned to the user;
When the user access request is a write operation: first authentication information is generated from the information of the user and the information of the storage volume; the metadata to be written is then converted to metadata ciphertext with the encryption algorithm; and the security level identifier, the metadata ciphertext and the first authentication information are stored together in the corresponding metadata area of the storage volume.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611264455.XA CN106713334B (en) | 2016-12-31 | 2016-12-31 | Encryption method, decryption method, access method and device for virtual storage volume |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106713334A true CN106713334A (en) | 2017-05-24 |
CN106713334B CN106713334B (en) | 2020-11-17 |
Family
ID=58906432
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611264455.XA Active CN106713334B (en) | 2016-12-31 | 2016-12-31 | Encryption method, decryption method, access method and device for virtual storage volume |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106713334B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101517589A (en) * | 2006-09-28 | 2009-08-26 | 国际商业机器公司 | Managing encryption for volumes in storage pools |
CN103065102A (en) * | 2012-12-26 | 2013-04-24 | 中国人民解放军国防科学技术大学 | Data encryption mobile storage management method based on virtual disk |
US8458491B1 (en) * | 2010-06-23 | 2013-06-04 | Raytheon Bbn Technologies Corp. | Cryptographically scrubbable storage device |
CN103563278A (en) * | 2011-05-20 | 2014-02-05 | 西里克斯系统公司 | Securing encrypted virtual hard disks |
CN104104692A (en) * | 2014-08-05 | 2014-10-15 | 山东中孚信息产业股份有限公司 | Virtual machine encryption method, decryption method and encryption-decryption control system |
CN104715207A (en) * | 2013-12-16 | 2015-06-17 | 航天信息股份有限公司 | Method for storing files through secret key on android platform |
- 2016-12-31 CN CN201611264455.XA patent/CN106713334B/en active Active
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107315964A (en) * | 2017-06-14 | 2017-11-03 | 郑州云海信息技术有限公司 | A kind of method that encryption volume switching is realized based on encryption equipment |
WO2020000391A1 (en) * | 2018-06-29 | 2020-01-02 | Intel Corporation | Virtual storage services for client computing devices |
US11615194B2 (en) | 2018-06-29 | 2023-03-28 | Intel Corporation | Virtual storage services for client computing devices |
CN109711207A (en) * | 2018-12-29 | 2019-05-03 | 杭州宏杉科技股份有限公司 | A kind of data ciphering method and device |
CN109711207B (en) * | 2018-12-29 | 2020-10-30 | 杭州宏杉科技股份有限公司 | Data encryption method and device |
CN110598429A (en) * | 2019-08-30 | 2019-12-20 | 百富计算机技术(深圳)有限公司 | Data encryption storage and reading method, terminal equipment and storage medium |
CN111580753A (en) * | 2020-04-30 | 2020-08-25 | 中国工商银行股份有限公司 | Storage volume cascade architecture, batch job processing system and electronic device |
CN111580753B (en) * | 2020-04-30 | 2023-10-10 | 中国工商银行股份有限公司 | Storage volume cascade system, batch job processing system and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN106713334B (en) | 2020-11-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3547198B1 (en) | Method, system and apparatus for data access | |
CN106713334A (en) | Encryption method, decryption method, access method and corresponding apparatuses of virtual storage volume | |
US6249866B1 (en) | Encrypting file system and method | |
CN104579689B (en) | A kind of soft cipher key system and implementation method | |
CN103065082A (en) | Software security protection method based on Linux system | |
CN108776760B (en) | Safe storage and access method of electronic file | |
US20210142319A1 (en) | Systems and methods for distributed data mapping | |
CN102262721A (en) | Data encryption conversion for independent agents | |
CN106682521B (en) | File transparent encryption and decryption system and method based on driver layer | |
CN106100851B (en) | Password management system, intelligent wristwatch and its cipher management method | |
CN108229190B (en) | Transparent encryption and decryption control method, device, program, storage medium and electronic equipment | |
US20180315053A1 (en) | Systems and methods for identity atomization and usage | |
CN104778954A (en) | Optical disc partition encryption method and system | |
CN101127013A (en) | Enciphered mobile storage apparatus and its data access method | |
CN117150535A (en) | File management system and method based on homomorphic calculation | |
CN101099207B (en) | Portable data support with watermark function | |
JPH025158A (en) | Expanded ic card and its accessing method | |
JP2009064126A (en) | Ic card system, terminal device therefor and program | |
CN111404662B (en) | Data processing method and device | |
CN104036197A (en) | Vector map data protection and access control method based on file filter driver | |
CN104021357A (en) | Method for registering and binding storage card of computer and identifying registered and bound storage card | |
TW201339884A (en) | System for monitoring personal data file based on server verifying and authorizing to decrypt and method thereof | |
CN116383861B (en) | Computer security processing system based on user data protection | |
JP4697451B2 (en) | Data input / output device, data input / output method, data input / output program | |
US20130036474A1 (en) | Method and Apparatus for Secure Data Representation Allowing Efficient Collection, Search and Retrieval |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||