CN106713334A - Encryption method, decryption method, access method and corresponding apparatuses of virtual storage volume - Google Patents


Info

Publication number: CN106713334A (granted version CN106713334B)
Application number: CN201611264455.XA
Authority: CN (China)
Language: Chinese (zh)
Inventors: 张小东, 谢浩安, 张炎民
Assignees: Aerospace Winhong Technology Co Ltd; GUANGZHOU WINHONG INFORMATION TECHNOLOGY Co Ltd
Legal status: granted, active
Prior art keywords: storage volume, information, metadata, user, authentication information

Classifications

    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The invention discloses an encryption method, a decryption method, an access method and corresponding apparatuses for a virtual storage volume. The encryption method comprises: obtaining a user encryption request that contains user information and storage volume information; reading, according to the storage volume information, the metadata stored in the metadata area corresponding to the storage volume; converting the metadata into metadata ciphertext with an encryption algorithm; generating first authentication information from the user information and the storage volume information; and storing the metadata ciphertext, the first authentication information and a security-level identifier in that metadata area, which completes the encryption of the storage volume. With this encryption method the security of the data can be ensured and, compared with encrypting the storage volume as a whole as in the prior art, the time needed to access an encrypted storage volume is greatly reduced.

Description

Encryption method, decryption method, access method and apparatuses for a virtual storage volume
Technical field
The present invention relates to data processing, and more particularly to the processing of virtual storage data.
Background technology
In cloud computing, storage resources are virtualized and used by virtual machines as virtual storage. The storage resource may be an ordinary local hard disk, Fibre Channel storage, NFS network storage, iSCSI network storage or other distributed storage; it is given to the virtual machine as a storage volume that the virtual machine mounts and uses. These storage volumes are stored in a general virtual disk format and, besides the user data, they reserve space for recording metadata such as the size, type and organisation format of the virtual disk. Apart from being mounted on a virtual machine, a virtual storage volume can also be copied elsewhere over the network or locally, and its content can then be parsed with a virtual disk tool.
However, in cloud computing and virtualization the disk of a virtual machine is generally stored as an image file, a logical disk, a network block device or similar virtual storage, and these storage volumes are usually stored in plaintext in a general virtual disk format, so the data is exposed to theft and tampering. A single logged-in user can mount, inspect or modify the virtual disks of every virtual machine in the cloud system, which is a serious risk of misuse and information leakage. In addition, encryption is typically applied to the whole file or the whole data block, so encryption and decryption run on every read and write of user data; this consumes a great deal of resources and seriously degrades the overall performance of the system. In such encryption schemes the user's authentication information is usually kept in a dedicated database, and loss of the key or of the database directly leaves the user unable to access the data.
Summary of the invention
To overcome the deficiencies of the prior art, a first object of the present invention is to provide an encryption method for a virtual storage volume that solves the problem that encrypting a virtual storage volume in the prior art consumes large amounts of resources and affects the overall performance of the system.
The first object of the present invention is achieved by the following technical solution:
The invention provides an encryption method for a virtual storage volume. The data storage format of the virtual storage volume includes a metadata area and a user data area; the metadata area includes a metadata information area and a slot area; the metadata information area stores the metadata, i.e. the data relating to the storage volume's information; the user data area stores the user's data. The encryption method comprises the following steps:
S11: obtain a user encryption request, which includes the user's information and the storage volume's information;
S12: according to the storage volume's information, read the metadata stored in the metadata area corresponding to the storage volume;
S13: convert the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext with an encryption algorithm;
S14: generate first authentication information from the user's information and the storage volume's information;
S15: store the metadata ciphertext, the first authentication information and a security-level identifier in the corresponding metadata area, which completes the encryption of the storage volume; the security-level identifier is preset by the system and is used to recognise the storage volume's data.
Preferably, the encryption algorithm is any one of a codebook cipher, the DES algorithm, the 3DES algorithm, the RC2 algorithm, the RC4 algorithm, the International Data Encryption Algorithm IDEA and the Advanced Encryption Standard AES.
To overcome the deficiencies of the prior art, a second object of the present invention is to provide an encryption apparatus for a virtual storage volume that solves the problem that encrypting a virtual storage volume in the prior art consumes large amounts of resources and affects the overall performance of the system.
The second object of the present invention is achieved by the following technical solution:
The invention provides an encryption apparatus for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user encryption request that includes the user's information and the storage volume's information;
a metadata acquisition module, for reading, according to the storage volume's information, the metadata stored in the metadata area corresponding to the storage volume;
an encryption module, for converting the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext with an encryption algorithm;
an authentication information generation module, for generating first authentication information from the user's information and the storage volume's information;
a storage module, for storing the metadata ciphertext, the first authentication information and the security-level identifier in the corresponding metadata area, which completes the encryption of the storage volume; the security-level identifier is preset by the system and is used to recognise the storage volume's data.
To overcome the deficiencies of the prior art, a third object of the present invention is to provide a decryption method for a virtual storage volume that solves the problem that decrypting a virtual storage volume in the prior art consumes large amounts of resources and affects the overall performance of the system.
The third object of the present invention is achieved by the following technical solution:
The invention further provides a decryption method for a virtual storage volume, applied to a virtual storage volume that has been encrypted with the encryption method described above. The decryption method comprises the following steps:
S21: obtain a user decryption request, which includes the user's information and the storage volume's information;
S23: generate second authentication information from the user's information and the storage volume's information;
S24: read the first authentication information from the storage volume and judge whether it is consistent with the second authentication information; if so, perform S25;
S25: obtain the metadata ciphertext of the storage volume, convert it back into metadata with the encryption algorithm, write the metadata into the corresponding metadata area of the storage volume, and at the same time remove the security-level identifier and the first authentication information stored in the storage volume.
Preferably, a step S22 is included between S21 and S23: look up the corresponding storage volume according to the storage volume's information and read the security-level identifier stored in it; then judge whether that identifier is consistent with the system-preset security-level identifier; if so, perform S23; if not, return or exit.
To overcome the deficiencies of the prior art, a fourth object of the present invention is to provide a decryption apparatus for a virtual storage volume that solves the problem that decrypting a virtual storage volume in the prior art consumes large amounts of resources and affects the overall performance of the system.
The fourth object of the present invention is achieved by the following technical solution:
The invention further provides a decryption apparatus for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user decryption request that includes the user's information and the storage volume's information;
an authentication information generation module, for generating second authentication information from the user's information and the storage volume's information;
an authentication module, for reading the first authentication information from the storage volume and judging whether it is consistent with the second authentication information; if so, the decryption module is run;
a decryption module, for obtaining the metadata ciphertext of the storage volume, converting it back into metadata with the encryption algorithm, writing the metadata into the corresponding metadata area of the storage volume, and at the same time removing the security-level identifier and the first authentication information stored in the storage volume.
To overcome the deficiencies of the prior art, a fifth object of the present invention is to provide an access method for a virtual storage volume that solves the problems of slow access processing and low efficiency for virtual storage volumes in the prior art.
The fifth object of the present invention is achieved by the following technical solution:
The invention further provides an access method for a virtual storage volume, applied to a storage volume that has been encrypted with the encryption method described above, comprising the following steps:
S31: obtain a user access request, which includes the user's information and the storage volume's information;
S32: according to the storage volume's information, read the data in the metadata area of the corresponding storage volume to obtain its security-level identifier, and judge from that identifier whether the storage volume is an encrypted volume; if not, perform the read or write operation on the storage volume directly; if so, perform S33;
S33: perform the corresponding operation on the storage volume according to the user access request.
Preferably, S33 is specifically the following. When the user access request is a read operation:
first generate second authentication information from the user's information and the storage volume's information, and judge whether it is consistent with the first authentication information in the storage volume; if so, read the metadata ciphertext of the storage volume, convert it into metadata according to the encryption algorithm and return the metadata to the user;
when the user access request is a write operation: first generate first authentication information from the user's information and the storage volume's information, then convert the metadata to be written into metadata ciphertext with the encryption algorithm, and store the security-level identifier, the metadata ciphertext and the first authentication information together in the corresponding metadata area of the storage volume.
To overcome the deficiencies of the prior art, a sixth object of the present invention is to provide an access apparatus for a virtual storage volume that solves the problems of slow access processing and low efficiency for virtual storage volumes in the prior art.
The sixth object of the present invention is achieved by the following technical solution:
The invention further provides an access apparatus for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user access request that includes the user's information and the storage volume's information;
a judging module, for reading, according to the storage volume's information, the data in the metadata area of the corresponding storage volume to obtain its security-level identifier, and judging from that identifier whether the storage volume is an encrypted volume; if not, the read or write operation is performed on the storage volume directly; if so, the processing module is run;
a processing module, for performing the corresponding operation on the storage volume according to the user access request.
Preferably, the processing module works as follows. When the user access request is a read operation:
generate second authentication information from the user's information and the storage volume's information, and judge whether it is consistent with the first authentication information in the storage volume; if so, read the metadata ciphertext of the storage volume, convert it into metadata according to the encryption algorithm and return the metadata to the user;
when the user access request is a write operation: first generate first authentication information from the user's information and the storage volume's information, then convert the metadata to be written into metadata ciphertext with the encryption algorithm, and store the security-level identifier, the metadata ciphertext and the first authentication information together in the corresponding metadata area of the storage volume.
Compared with the prior art, the beneficial effects of the present invention are as follows. Because only the metadata part is processed during encryption and decryption, encryption is very fast, almost instantaneous. After encryption according to the invention, the virtual storage volume cannot be mounted outside the system and the content of the encrypted volume cannot be parsed with conventional virtual disk tools, which ensures the security of the data. Inside the system an authentication judgement must pass before an encrypted volume can be used; if authentication fails the encrypted volume cannot be accessed, so the user's data also remains secure inside the system. At the same time, the processing efficiency of the system during access is greatly improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data storage format of the storage volume provided by the present invention;
Fig. 2 is a flowchart of the encryption method for a virtual storage volume provided by the present invention;
Fig. 3 is a module diagram of the encryption apparatus for a virtual storage volume provided by the present invention;
Fig. 4 is a flowchart of the decryption method for a virtual storage volume provided by the present invention;
Fig. 5 is a module diagram of the decryption apparatus for a virtual storage volume provided by the present invention;
Fig. 6 is a flowchart of the access method for a virtual storage volume provided by the present invention;
Fig. 7 is a module diagram of the access apparatus for a virtual storage volume provided by the present invention.
Specific embodiments
The present invention is further described below with reference to the accompanying drawings and specific embodiments:
As shown in Figs. 1 to 7, the present invention concerns data processing in a virtual storage volume. In general a storage volume consists of a metadata information area, a slot area and a user data area. The metadata information area holds non-user data such as the storage volume format identifier, the corresponding format version, the creation timestamp, the storage volume size, the space currently used, a unique identifier and check information. The slot area is space reserved in the storage volume that is not used under normal circumstances. The user data area is where the user's data is stored. The metadata information area and the slot area together are called the metadata area, i.e. the non-user area. When a user accesses the data in a storage volume, it is the data stored in the user data area that is accessed.
The encryption method for a virtual storage volume provided by the present invention uses the space of the slot area to store the user's authentication information, so that encryption neither affects data storage nor leads to situations in which the user's authentication information is lost or leaked. In addition, only the metadata area (the metadata information area and the slot area) is processed during encryption, so encryption is fast and its efficiency is greatly improved.
As shown in Fig. 2, the invention provides an encryption method for a virtual storage volume, comprising the following steps:
S11: obtain a user encryption request, which includes the user's information and the storage volume's information.
The user's information includes a user id, and the storage volume's information includes a storage volume id. The user id identifies the user and the storage volume id identifies the storage volume, so from the user encryption request the system learns which storage volume the user needs to have encrypted.
S12: according to the storage volume's information, read the metadata stored in the metadata area corresponding to the storage volume.
After the system receives the user's instruction to encrypt a storage volume, it first reads, by the storage volume id, the metadata stored in the metadata area corresponding to that storage volume. The metadata area consists of the metadata information area and the slot area, and no data is stored in the slot area, so the metadata is the data stored in the metadata information area: the storage volume format identifier, the corresponding format version, the creation timestamp, the storage volume size, the space currently used, the unique identifier, the check information and so on.
S13: convert the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext with an encryption algorithm.
The encryption algorithm can be an existing, mature algorithm such as a codebook cipher, DES, 3DES, RC2, RC4, the International Data Encryption Algorithm IDEA or the Advanced Encryption Standard AES. Since these are mature techniques they are not discussed in detail here. The metadata is converted into metadata ciphertext with the encryption algorithm. Encryption in the present invention works on the metadata only, which greatly improves efficiency: it does not, as in the prior art, have to process all the data of the whole storage volume together and thereby seriously affect system performance.
S14: generate first authentication information from the user's information and the corresponding storage volume's information.
After the metadata has been converted into metadata ciphertext, the corresponding first authentication information is generated. That is, the first authentication information is generated from the user's information and the storage volume's information, so that different storage volumes can be told apart; a one-to-one relationship is formed between the user and the storage volume.
S15: store the metadata ciphertext, the first authentication information and the security-level identifier in the corresponding metadata area, so that the storage volume becomes an encrypted volume and the encryption of the storage volume is complete. The security-level identifier is preset by the system and is used to recognise the data; it may be a number, text, a character string or other data.
After the metadata has been encrypted, the metadata ciphertext, the first authentication information and the security-level identifier allocated by the system are stored together in the corresponding metadata area, i.e. the metadata information area and the slot area. Before encryption the slot area holds no data, and the present invention exploits exactly this by storing the first authentication information, the security-level identifier and so on in the slot area after encryption. This does not change the data in the user data area, and because the authentication information is stored in the storage volume itself, it is neither lost nor leaked. After processing with the encryption method provided by the present invention, each encrypted volume holds, for its metadata, the corresponding metadata ciphertext, first authentication information and security-level identifier.
The present invention also gives a specific example to illustrate the encryption method above:
At encryption time the system prepares in advance a specific data string A for each storage volume, which serves as the security-level identifier, for example the string "XXXXXXX".
The system first obtains a user encryption request asking it to perform encryption; the request includes information such as the user id and the storage volume id of the volume to be encrypted.
It then finds the corresponding storage volume by the storage volume id and reads the metadata B stored in the metadata area of that storage volume, e.g. metadata B1 and metadata B2 in the figure.
Metadata B is then converted into metadata ciphertext C with the encryption algorithm, which may be the DES symmetric algorithm, giving metadata ciphertext C1 and metadata ciphertext C2 in the figure.
The user id and the storage volume id are then combined into one data set D, from which the first authentication message E is generated with a hash algorithm.
Finally the security-level identifier A, the metadata ciphertext C and the first authentication information E are written together into the storage volume, overwriting the original metadata area; this forms the encrypted volume and completes the encryption operation. When the security-level identifier A, the metadata ciphertext C and the first authentication information E are stored in the metadata area it must be ensured that all three are written successfully; if any one of the writes fails, they must be rewritten, so that the data remains consistent. The three may be written to the metadata area in the order security-level identifier, metadata ciphertext, authentication information.
A virtual storage volume processed with this encryption method cannot be mounted outside the system, because the encryption algorithm is not known there, nor can the content of the encrypted volume be parsed with conventional virtual disk tools. After authentication, an encrypted volume is used in the same way as an ordinary storage volume, but the metadata area of the underlying storage volume remains in ciphertext form, so even if the storage volume is illegally copied and stolen from the underlying storage while it is in use, the plaintext information still cannot be obtained without knowing the system's encryption algorithm or authentication mechanism. Inside the system an authentication judgement must pass before an encrypted volume can be used; if authentication fails the encrypted volume cannot be accessed, which keeps the user's data secure inside the system.
The present invention also provides an encryption apparatus corresponding to the encryption method for a virtual storage volume, comprising:
a request acquisition module, for obtaining a user encryption request that includes the user's information and the storage volume's information;
a metadata acquisition module, for reading, according to the storage volume's information, the metadata stored in the metadata area corresponding to the storage volume;
an encryption module, for converting the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext with an encryption algorithm;
an authentication information generation module, for generating first authentication information from the user's information and the storage volume's information;
a storage module, for storing the metadata ciphertext, the first authentication information and the security-level identifier in the corresponding metadata area, which completes the encryption of the storage volume; the security-level identifier is preset by the system and is used to recognise the storage volume's data.
The present invention also provides a decryption method for a virtual storage volume; the decryption method is the reverse of the encryption method and comprises the following steps:
S21: obtain a user decryption request, which includes the user's information and the storage volume's information;
S22: look up the corresponding storage volume according to the storage volume's information and read its security-level identifier; when the identifier is the system-preset security-level identifier, perform S23;
S23: generate second authentication information from the user's information and the storage volume's information;
S24: read the first authentication information from the storage volume and judge whether it is consistent with the second authentication information; if so, perform S25;
S25: obtain the metadata ciphertext of the storage volume, convert it back into metadata with the encryption algorithm, finally write the metadata into the corresponding metadata area of the storage volume, and at the same time remove the security-level identifier and the first authentication information stored in the storage volume.
The present invention also gives an example of the decryption method, which comprises the following steps:
First the user's request to decrypt a storage volume is obtained; the decryption request includes the user id, the storage volume id and so on.
The corresponding storage volume is then looked up by the storage volume id and read to obtain the first security-level identifier A1.
A1 is compared with the system-preset security-level identifier A. If they are the same, the storage volume is an encrypted volume and the decryption operation can proceed; if they differ, the storage volume is not an encrypted volume, or the user has no access right, and the operation exits or ends.
The user id and the storage volume id are then combined into one data set F, from which the second authentication message G is generated with a hash algorithm;
The first authentication message E is then read from the storage volume and compared with the second authentication message G; if they differ, the request fails and the operation exits or ends;
When the first authentication information E and the second authentication information G are the same, the encrypted volume can be decrypted: the metadata ciphertext H is read from the storage volume and decrypted with the DES symmetric algorithm to obtain the metadata I.
Metadata I is then written into the corresponding metadata area of the storage volume, and at the same time the security-level identifier A1 and the first authentication information E are removed from the storage volume. This completes the decryption operation on the encrypted volume.
The present invention also provides a decryption apparatus corresponding to the decryption method for a virtual storage volume, comprising:
Request acquisition module, for obtaining a user decryption request, the user decryption request including the information of the user and the information of the storage volume;
Authentication information generation module, for generating the second authentication information from the information of the user and the information of the storage volume;
Authentication module, for reading the first authentication information in the storage volume and judging whether the first authentication information is consistent with the second authentication information; when consistent, the decryption module is executed;
Decryption module, for obtaining the metadata ciphertext of the storage volume, converting the metadata ciphertext back to metadata by the encryption algorithm, then writing the metadata into the corresponding metadata area of the storage volume, while removing the security level identification and the first authentication information stored in the storage volume.
The present invention also provides an access method for a virtual storage volume, the access method being applied to a virtual storage volume that has been encrypted by the foregoing encryption method; it comprises the following steps:
S31: Obtain a user access request, the user access request including the information of the user and the information of the storage volume;
S32: Read the data in the metadata area of the corresponding storage volume according to the information of the storage volume to obtain the security level identification of that storage volume, and judge whether the storage volume is an encrypted volume; if not, perform the read or write operation on the storage volume directly; if so, perform S33.
S33: Perform the corresponding operation on the storage volume according to the user access request.
Preferably, the access request covers two cases, a read operation and a write operation on the storage volume, so S33 specifically includes:
When the user access request is a read operation:
Generate the second authentication information from the information of the user and the information of the storage volume, and judge whether the second authentication information is consistent with the first authentication information in the storage volume; if consistent, read the metadata ciphertext of the storage volume, convert the metadata ciphertext back to metadata by the encryption algorithm, and return it to the user. That is, the metadata ciphertext in the storage volume is decrypted and then returned to the user.
When the user access request is a write operation: first generate the first authentication information from the information of the user and the information of the storage volume, then convert the metadata to be written into metadata ciphertext by the encryption algorithm, and then store the security level identification, the metadata ciphertext and the first authentication information together in the corresponding metadata area of the storage volume. That is, the metadata to be written is first converted into metadata ciphertext and then stored. The metadata to be written here refers to the data generated when the user stores user data into the corresponding storage volume, for instance in which data area of the storage volume the user data is stored, what its size is, and how much space of the storage volume it occupies.
The present invention likewise provides an example of the access method for a virtual storage volume, comprising the following steps:
First the system obtains a user access request; the user access request includes the user id and the storage volume id.
Then the corresponding storage volume is read according to the storage volume id to obtain its security level identification. If that security level identification differs from the preset security level identification (for instance, the security level identification set at encryption time is A), the storage volume is not an encrypted volume and the user may access it directly; if they are identical:
If the user access is a read operation, first one group of data J is formed from the user id and the storage volume id, and the second authentication information is generated from it with a one-way hash algorithm; then it is judged whether the second authentication information is consistent with the authentication information stored in the storage volume; if consistent, the corresponding metadata ciphertext is read from the storage volume, converted back to metadata by the encryption algorithm, and returned to the user's access.
If the user access is a write operation, first one group of data J is formed from the user id and the storage volume id, and the first authentication information is generated from it with a one-way hash algorithm.
Then the metadata to be written is converted into metadata ciphertext by the encryption algorithm, and finally the security level identification, the metadata ciphertext and the first authentication information are written together at the corresponding position of the storage volume.
In the present invention, the first authentication information is the authentication information generated during the encryption operation; it is stored in the storage volume together with the security level identification and the metadata ciphertext. The second authentication information is the authentication information generated during the decryption operation; it is used for the authentication judgement, for instance to verify the identity of the user.
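The encryption (S11-S15), decryption (S21-S25) and access (S31-S33, read and write branches) procedures described above, as one added Go example; it is not part of the patent and is not code from the applicants. It assumes AES (one of the algorithms listed in claim 2) in GCM mode, SHA-256 as the one-way hash algorithm, a 32-byte key supplied by the caller (the patent does not state where the symmetric key is held), the preset security level identification "A" from the patent's own example, and the names Volume, AuthInfo, NewCipher, EncryptVolume, ReadMetadata, WriteMetadata and DecryptVolume, all of which are this example's own. It goes beyond the text in one respect, stated in the code: the write branch opens the volume (flag check, authentication information comparison, decryption) before overwriting it, where the text only regenerates the first authentication information.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// EncryptedFlag is the system-preset security level identification; "A" follows the patent's example (assumed).
const EncryptedFlag = "A"

// Volume models the metadata area of one virtual storage volume (layout assumed).
type Volume struct {
	ID         string
	Metadata   []byte // plaintext metadata, present only while not encrypted
	Flag       string // security level identification; "" when not encrypted
	Ciphertext []byte // metadata ciphertext: nonce || AES-GCM output
	Auth       []byte // first authentication information
}

// AuthInfo hashes the group of data formed from user id and volume id (SHA-256
// assumed); the 0x00 separator keeps ("ab","c") and ("a","bc") distinct.
func AuthInfo(userID, volumeID string) []byte {
	h := sha256.New()
	h.Write([]byte(userID))
	h.Write([]byte{0})
	h.Write([]byte(volumeID))
	return h.Sum(nil)
}

// NewCipher selects AES (listed in claim 2); GCM mode is an assumption.
func NewCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVolume is S11-S15: encrypt the metadata, derive the first authentication information, store both with the flag.
func EncryptVolume(v *Volume, userID string, gcm cipher.AEAD) error {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.Ciphertext = gcm.Seal(nonce, nonce, v.Metadata, nil)
	v.Auth, v.Flag, v.Metadata = AuthInfo(userID, v.ID), EncryptedFlag, nil
	return nil
}

// checkAndOpen is S22-S24 followed by decryption of the metadata ciphertext.
func checkAndOpen(v *Volume, userID string, gcm cipher.AEAD) ([]byte, error) {
	if v.Flag != EncryptedFlag {
		return nil, errors.New("not an encrypted volume")
	}
	if subtle.ConstantTimeCompare(AuthInfo(userID, v.ID), v.Auth) != 1 {
		return nil, errors.New("authentication information mismatch")
	}
	n := gcm.NonceSize()
	if len(v.Ciphertext) < n {
		return nil, errors.New("metadata ciphertext too short")
	}
	return gcm.Open(nil, v.Ciphertext[:n], v.Ciphertext[n:], nil) // GCM also rejects tampered ciphertext
}

// ReadMetadata is S32 plus the read branch of S33.
func ReadMetadata(v *Volume, userID string, gcm cipher.AEAD) ([]byte, error) {
	if v.Flag != EncryptedFlag {
		return v.Metadata, nil // not an encrypted volume: direct access
	}
	return checkAndOpen(v, userID, gcm)
}

// WriteMetadata is S32 plus the write branch of S33. The text only regenerates the
// first authentication information; this example opens the volume first (added check).
func WriteMetadata(v *Volume, userID string, gcm cipher.AEAD, metadata []byte) error {
	if v.Flag != EncryptedFlag { // not an encrypted volume: store directly
		v.Metadata = metadata
		return nil
	}
	if _, err := checkAndOpen(v, userID, gcm); err != nil {
		return err
	}
	v.Metadata = metadata
	return EncryptVolume(v, userID, gcm)
}

// DecryptVolume is S21-S25: write the plaintext back, remove flag and first authentication information.
func DecryptVolume(v *Volume, userID string, gcm cipher.AEAD) error {
	pt, err := checkAndOpen(v, userID, gcm)
	if err != nil {
		return err
	}
	v.Metadata, v.Flag, v.Auth, v.Ciphertext = pt, "", nil, nil
	return nil
}
```

Two properties of the scheme as described are worth keeping in mind when reading this. The authentication information is a hash over the user id and the storage volume id, both of which arrive in the request, so the comparison in S24 establishes that the request names the same user and volume that encrypted the metadata; it does not by itself show that the requester holds a secret, and whatever protects the identifiers and the symmetric key in a deployment carries the access control. The comparison is done in constant time here so that a mismatch is not revealed byte by byte, and GCM's tag means a modified ciphertext fails at S25 instead of yielding garbled metadata.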
The present invention also provides an access apparatus corresponding to the access method for a virtual storage volume, comprising:
Request acquisition module, for obtaining a user access request, the user access request including the information of the user and the information of the storage volume;
Judgement module, for reading the data in the metadata area of the corresponding storage volume according to the information of the storage volume to obtain the security level identification of that storage volume, and judging from the security level identification whether the storage volume is an encrypted volume; if not, the read or write operation is performed on the storage volume directly; if so, the processing module is executed;
Processing module, for performing the corresponding operation on the storage volume according to the user access request.
Preferably, the processing module is specifically: when the user access request is a read operation:
Generate the second authentication information from the information of the user and the information of the storage volume, and judge whether the second authentication information is consistent with the first authentication information in the storage volume; if consistent, read the metadata ciphertext of the storage volume, convert the metadata ciphertext back to metadata by the encryption algorithm, and return it to the user;
When the user access request is a write operation: first generate the first authentication information from the information of the user and the information of the storage volume, then convert the metadata to be written into metadata ciphertext by the encryption algorithm, and then store the security level identification, the metadata ciphertext and the first authentication information together in the corresponding metadata area of the storage volume.
It will be apparent to those skilled in the art that, according to the technical solution and concept described above, various other corresponding changes and modifications can be made, and all such changes and modifications shall fall within the scope of protection of the claims of the present invention.

Claims (10)

1. An encryption method for a virtual storage volume, characterized in that the data storage format of the virtual storage volume includes a metadata area and a user data area, the metadata area including a metadata information area and a slot; the metadata information area is used to store metadata, the metadata being the data related to the information of the storage volume; the user data area is used to store user data; the encryption method comprises the following steps:
S11: obtain a user encryption request, the user encryption request including the information of the user and the information of the storage volume;
S12: read, according to the information of the storage volume, the metadata stored in the metadata area corresponding to the storage volume;
S13: convert the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext by an encryption algorithm;
S14: generate first authentication information from the information of the user and the information of the storage volume;
S15: store the metadata ciphertext, the first authentication information and a security level identification in the corresponding metadata area, so as to complete the encryption operation on the storage volume; wherein the security level identification is used to identify the data of the storage volume and is preset by the system.
2. The encryption method for a virtual storage volume of claim 1, characterized in that the encryption algorithm is any one of: a codebook cipher, the DES encryption algorithm, the 3DES encryption algorithm, the RC2 encryption algorithm, the RC4 encryption algorithm, the IDEA international data encryption algorithm, and the AES advanced encryption standard.
3. An encryption apparatus for a virtual storage volume, characterized by comprising:
Request acquisition module, for obtaining a user encryption request, the user encryption request including the information of the user and the information of the storage volume;
Metadata acquisition module, for reading, according to the information of the storage volume, the metadata stored in the metadata area corresponding to the storage volume;
Encryption module, for converting the metadata stored in the metadata area corresponding to the storage volume into metadata ciphertext by an encryption algorithm;
Authentication information generation module, for generating first authentication information from the information of the user and the information of the storage volume;
Storage module, for storing the metadata ciphertext, the first authentication information and a security level identification in the corresponding metadata area, so as to complete the encryption operation on the storage volume; wherein the security level identification is used to identify the data of the storage volume and is preset by the system.
4. A decryption method for a virtual storage volume, characterized in that it is applied to a virtual storage volume encrypted by the encryption method for a virtual storage volume of claim 1, the decryption method comprising the following steps:
S21: obtain a user decryption request, the user decryption request including the information of the user and the information of the storage volume;
S23: generate second authentication information from the information of the user and the information of the storage volume;
S24: read the first authentication information in the storage volume and judge whether the first authentication information is consistent with the second authentication information; when consistent, perform S25;
S25: obtain the metadata ciphertext of the storage volume, convert the metadata ciphertext back to metadata by the encryption algorithm, then write the metadata into the corresponding metadata area of the storage volume, while removing the security level identification and the first authentication information stored in the storage volume.
5. The decryption method for a virtual storage volume of claim 4, characterized in that between step S21 and step S23 it further comprises S22: look up the corresponding storage volume according to the information of the storage volume and read the security level identification stored in the storage volume; then judge whether that security level identification is consistent with the system-preset security level identification; if consistent, perform S23; if inconsistent, return or exit.
6. A decryption apparatus for a virtual storage volume, characterized by comprising:
Request acquisition module, for obtaining a user decryption request, the user decryption request including the information of the user and the information of the storage volume;
Authentication information generation module, for generating second authentication information from the information of the user and the information of the storage volume;
Authentication module, for reading the first authentication information in the storage volume and judging whether the first authentication information is consistent with the second authentication information; when consistent, the decryption module is executed;
Decryption module, for obtaining the metadata ciphertext of the storage volume, converting the metadata ciphertext back to metadata by the encryption algorithm, then writing the metadata into the corresponding metadata area of the storage volume, while removing the security level identification and the first authentication information stored in the storage volume.
7. An access method for a virtual storage volume, the access method being applied to a storage volume encrypted by the encryption method for a virtual storage volume of claim 1, characterized by comprising the following steps:
S31: obtain a user access request, the user access request including the information of the user and the information of the storage volume;
S32: read the data in the metadata area of the corresponding storage volume according to the information of the storage volume to obtain the security level identification of the storage volume, and judge from the security level identification whether the storage volume is an encrypted volume; if not, perform the read or write operation on the storage volume directly; if so, perform S33;
S33: perform the corresponding operation on the storage volume according to the user access request.
8. The access method for a virtual storage volume of claim 7, characterized in that:
S33 is specifically: when the user access request is a read operation:
generate second authentication information from the information of the user and the information of the storage volume, and judge whether the second authentication information is consistent with the first authentication information in the storage volume; if consistent, read the metadata ciphertext of the storage volume, convert the metadata ciphertext back to metadata by the encryption algorithm, and return it to the user;
when the user access request is a write operation: first generate first authentication information from the information of the user and the information of the storage volume, then convert the metadata to be written into metadata ciphertext by the encryption algorithm, and then store the security level identification, the metadata ciphertext and the first authentication information together in the corresponding metadata area of the storage volume.
9. An access apparatus for a virtual storage volume, characterized by comprising:
Request acquisition module, for obtaining a user access request, the user access request including the information of the user and the information of the storage volume;
Judgement module, for reading the data in the metadata area of the corresponding storage volume according to the information of the storage volume to obtain the security level identification of the storage volume, and judging from the security level identification whether the storage volume is an encrypted volume; if not, the read or write operation is performed on the storage volume directly; if so, the processing module is executed;
Processing module, for performing the corresponding operation on the storage volume according to the user access request.
10. The access apparatus for a virtual storage volume of claim 9, characterized in that the processing module is specifically: when the user access request is a read operation:
generate second authentication information from the information of the user and the information of the storage volume, and judge whether the second authentication information is consistent with the first authentication information in the storage volume; if consistent, read the metadata ciphertext of the storage volume, convert the metadata ciphertext back to metadata by the encryption algorithm, and return it to the user;
when the user access request is a write operation: first generate first authentication information from the information of the user and the information of the storage volume, then convert the metadata to be written into metadata ciphertext by the encryption algorithm, and then store the security level identification, the metadata ciphertext and the first authentication information together in the corresponding metadata area of the storage volume.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611264455.XA CN106713334B (en) 2016-12-31 2016-12-31 Encryption method, decryption method, access method and device for virtual storage volume

Publications (2)

Publication Number Publication Date
CN106713334A true CN106713334A (en) 2017-05-24
CN106713334B CN106713334B (en) 2020-11-17

Family

ID=58906432

Country Status (1)

Country Link
CN (1) CN106713334B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101517589A (en) * 2006-09-28 2009-08-26 国际商业机器公司 Managing encryption for volumes in storage pools
CN103065102A (en) * 2012-12-26 2013-04-24 中国人民解放军国防科学技术大学 Data encryption mobile storage management method based on virtual disk
US8458491B1 (en) * 2010-06-23 2013-06-04 Raytheon Bbn Technologies Corp. Cryptographically scrubbable storage device
CN103563278A (en) * 2011-05-20 2014-02-05 西里克斯系统公司 Securing encrypted virtual hard disks
CN104104692A (en) * 2014-08-05 2014-10-15 山东中孚信息产业股份有限公司 Virtual machine encryption method, decryption method and encryption-decryption control system
CN104715207A (en) * 2013-12-16 2015-06-17 航天信息股份有限公司 Method for storing files through secret key on android platform

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107315964A (en) * 2017-06-14 2017-11-03 郑州云海信息技术有限公司 A kind of method that encryption volume switching is realized based on encryption equipment
WO2020000391A1 (en) * 2018-06-29 2020-01-02 Intel Corporation Virtual storage services for client computing devices
US11615194B2 (en) 2018-06-29 2023-03-28 Intel Corporation Virtual storage services for client computing devices
CN109711207A (en) * 2018-12-29 2019-05-03 杭州宏杉科技股份有限公司 A kind of data ciphering method and device
CN109711207B (en) * 2018-12-29 2020-10-30 杭州宏杉科技股份有限公司 Data encryption method and device
CN110598429A (en) * 2019-08-30 2019-12-20 百富计算机技术(深圳)有限公司 Data encryption storage and reading method, terminal equipment and storage medium
CN111580753A (en) * 2020-04-30 2020-08-25 中国工商银行股份有限公司 Storage volume cascade architecture, batch job processing system and electronic device
CN111580753B (en) * 2020-04-30 2023-10-10 中国工商银行股份有限公司 Storage volume cascade system, batch job processing system and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant