CN107018208A - Data encryption method for a SAN storage system with scale-out capability - Google Patents
Data encryption method for a SAN storage system with scale-out capability
- Publication number: CN107018208A (application CN201710421889.4A)
- Authority: CN (China)
- Prior art keywords: data, server, encryption, data encryption, key
- Legal status: Granted
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/10—Protocols in which an application is distributed across nodes in the network
        - H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
      - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
      - H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a data encryption method for a SAN storage system with scale-out capability. The implementation steps include: a data encryption protection system is deployed and installed in advance, and the administrator uses the configuration management server to carve out a free partition A in the storage space of the SAN storage system; each data encryption server uses the key obtained from the key management server to initialize partition A into a corresponding encrypted volume B_i; the data encryption protection system provides SAN storage services externally based on the encrypted volumes B_i of the data encryption servers, with unencrypted plaintext data transmitted between the data encryption servers and the application server, and encrypted data transmitted between the data encryption servers and the SAN storage system. The invention has the advantages of scale-out capability, high performance and high reliability, and satisfies the requirements of low latency and high reliability for encrypted data storage.
Description
Technical field
The present invention relates to the field of secure storage, and in particular to a high-performance, highly reliable data encryption method for a SAN storage system with scale-out capability.
Background technology
At present, storage technology is continually improving, and SAN storage systems based on the storage area network (SAN) architecture have become the mainstream choice for enterprise-class storage. A SAN storage system connects server hosts mainly over Fibre Channel (FC-SAN) or Ethernet (IP-SAN), stores data centrally, and can improve the efficiency of users' IT systems and reduce data operation and maintenance costs.
As shown in Fig. 1, in current SAN storage systems the application server accesses the SAN storage system in plaintext, which inevitably leaves a security risk. Therefore, as SAN storage systems have come into wide use, methods for encrypting stored data have appeared in order to ensure the security of stored data. However, existing methods cannot scale out: the data encryption protection server can only operate as a single unit or as several units in series, so encryption and decryption performance is low, latency is high, the user experience is poor, and there is a risk of encrypted data being damaged.
The content of the invention
The technical problem to be solved by the present invention: in view of the above problems of the prior art, to provide a data encryption method for a SAN storage system with scale-out capability that can scale out, is high-performance and highly reliable, and satisfies the requirements of low latency and high reliability for encrypted data storage.
In order to solve the above technical problem, the technical solution adopted by the present invention is:
A data encryption method for a SAN storage system with scale-out capability, whose implementation steps include:
1) A data encryption protection system is deployed and installed in advance. The data encryption protection system includes a configuration management server, a key management server and a data encryption server group; the data encryption server group includes N data encryption servers; the configuration management server and the data encryption servers are each connected to the SAN storage system, and the key management server is connected to the configuration management server;
2) The administrator uses the configuration management server to carve out a free partition A in the storage space of the SAN storage system; the configuration management server obtains a key from the key management server according to the partition ID of partition A and distributes the key to each data encryption server, and the N data encryption servers each use the key to initialize partition A into a corresponding encrypted volume B_i;
3) The data encryption protection system provides SAN storage services externally based on the encrypted volumes B_i of the data encryption servers; unencrypted plaintext data is transmitted between the data encryption servers and the application servers that access the data encryption protection system, and data encrypted with the key is transmitted between the data encryption servers and the SAN storage system.
Preferably, the detailed steps of step 3) include:
3.1) The administrator uses the configuration management server to map the encrypted volumes B_i corresponding to the N data encryption servers to the application server that accesses the data encryption protection system; that application server aggregates the encrypted volumes B_i mapped by the data encryption servers into a single disk device by means of multipath software;
3.2) When the application server sends a write request to the disk device, jump to step 3.3); when the application server sends a read request to the disk device, jump to step 3.4);
3.3) The application server decomposes the write request carrying unencrypted plaintext data into multiple sub-write-requests and sends them to idle data encryption servers in round-robin fashion; each data encryption server encrypts the unencrypted plaintext data of its sub-write-request with the key, writes it to its corresponding encrypted volume B_i, and returns the execution result to the application server; jump to step 3.2);
3.4) The application server decomposes the read request into multiple sub-read-requests and sends them to idle data encryption servers in round-robin fashion; each data encryption server executes its sub-read-request, reading the key-encrypted data from its corresponding encrypted volume B_i, decrypting it with the key and returning it to the application server; jump to step 3.2).
Preferably, the SAN storage system is a Fibre Channel SAN storage system, and the configuration management server and the data encryption servers are each connected to the SAN storage system through optical fibre and a Fibre Channel switch.
The data encryption method for a SAN storage system with scale-out capability of the present invention has the following advantages: by adding the data encryption protection system described in the present invention to an existing SAN storage architecture, encrypted protection of the data stored in the SAN can be achieved; and because multiple data encryption protection nodes in this data encryption protection system can provide service externally in parallel, on the one hand the encryption and decryption performance of data storage is improved, and on the other hand fault tolerance of the data transmission path is added: even if some data encryption servers fail or a path errors, the application server can still read and write stored data through the normal paths. The method therefore has the advantages of scale-out capability, high performance and high reliability, and satisfies the requirements of low latency and high reliability for encrypted data storage.
Brief description of the drawings
Fig. 1 is a schematic diagram of the application principle of an existing SAN storage system.
Fig. 2 is a schematic diagram of the basic flow of the method of the present invention.
Fig. 3 is a schematic diagram of the topology of the data encryption protection system in the embodiment of the present invention.
Fig. 4 is a schematic diagram of the internal data encryption flow of the method of the present invention.
Embodiment
The data encryption method for a SAN storage system with scale-out capability of the present invention is described in further detail below, taking a Fibre Channel SAN storage system as an example.
As shown in Fig. 2, the implementation steps of the data encryption method for a SAN storage system with scale-out capability in this embodiment include:
1) A data encryption protection system is deployed and installed in advance. As shown in Fig. 3, the data encryption protection system includes a configuration management server, a key management server and a data encryption server group; the data encryption server group contains N data encryption servers; the configuration management server and the data encryption servers are each connected to the SAN storage system, and the key management server is connected to the configuration management server;
2) The administrator uses the configuration management server to carve out a free partition A in the storage space of the SAN storage system; the configuration management server obtains a key from the key management server according to the partition ID of partition A and distributes the key to each data encryption server, and the N data encryption servers each use the key to initialize partition A into a corresponding encrypted volume B_i;
3) The data encryption protection system provides SAN storage services externally based on the encrypted volumes B_i of the data encryption servers; unencrypted plaintext data is transmitted between the data encryption servers and the application servers that access the data encryption protection system, and data encrypted with the key is transmitted between the data encryption servers and the SAN storage system.
As shown in Fig. 3, in this embodiment the SAN storage system is a Fibre Channel SAN storage system, and the configuration management server and the data encryption servers are each connected to the SAN storage system through optical fibre and a Fibre Channel switch. As shown in Fig. 3, the data encryption server group in this embodiment contains two data encryption servers; their target ends are connected through optical fibre to FC switch 1, and FC switch 1 is connected through optical fibre to the application server; the initiator ends of the data encryption servers are connected through optical fibre to FC switch 2, and FC switch 2 is connected through optical fibre to the disk array. The configuration management server is connected through optical fibre to FC switch 2, and through Ethernet to the data encryption servers and the key management server. The configuration management server, the key management server and the data encryption server group together constitute one high-performance, highly reliable data encryption protection system.
The configuration management server is used to manage each data encryption server and the disks in the SAN storage system that require encrypted protection: disks are set as encrypted volumes by the configuration management server, which distributes the key information of an encrypted volume to the data encryption servers and notifies them to perform encrypted initialization of the volume. The configuration management server also implements access control over encrypted volumes based on {encrypted volume, data encryption server, application server} triples, preventing unauthorized application servers from accessing encrypted volumes. The configuration management server is connected to the SAN storage through FC optical fibre or Ethernet and to all data encryption servers through Ethernet; it may also be deployed in the same server as a data encryption server.
The key management server is used to generate keys for use with various encryption algorithms and supply them to the configuration management server, and to perform management operations on keys such as updating, backing up and destroying them; the key management server is connected to the configuration management server by a wired link, and may also be deployed in the same server as the configuration management server.
The data encryption servers are connected between the SAN storage system and the application servers through FC optical fibre or Ethernet, and are used to convert the disks of the SAN storage system into encrypted volumes and re-map them for use by the application servers. Plaintext data is transmitted between an application server and a data encryption server, while ciphertext data is transmitted between a data encryption server and the SAN storage system. The data encryption servers have a scale-out characteristic: multiple data encryption servers can be placed in parallel between the SAN storage system and the application servers, and multiple data encryption servers can concurrently encrypt and decrypt the same storage space and then each map the encrypted volume out to the application servers.
In this embodiment, the detailed steps of step 3) include:
3.1) The administrator uses the configuration management server to map the encrypted volumes B_i corresponding to the N data encryption servers to the application server that accesses the data encryption protection system; that application server aggregates the encrypted volumes B_i mapped by the data encryption servers into a single disk device by means of multipath software. When one data encryption protection server fails, this is the failure of one path in the multipath set; for the application server, the path from the other server is still normal, so use of the application server is unaffected. Furthermore, when the I/O performance of a data encryption protection server becomes a bottleneck because of the performance of its encryption/decryption module, data links can be added by adding data encryption protection servers, and the I/O performance of the encrypted volume can be raised almost linearly;
3.2) When the application server sends a write request to the disk device, jump to step 3.3); when the application server sends a read request to the disk device, jump to step 3.4);
At some moment the user writes plaintext data to the disk device through the application server, that is, a write-data request is initiated to the data encryption server; the data encryption server determines from the request type that it is a write-data request and jumps to step 3.3). At some moment the user reads data from the disk device through the application server, so a read-data request is initiated to the data encryption server; the data encryption server determines from the request type that it is a read-data request and jumps to step 3.4);
3.3) The application server decomposes the write request carrying unencrypted plaintext data into multiple sub-write-requests and sends them to idle data encryption servers in round-robin fashion; each data encryption server encrypts the unencrypted plaintext data of its sub-write-request with the key, writes it to its corresponding encrypted volume B_i, and returns the execution result to the application server; jump to step 3.2);
3.4) The application server decomposes the read request into multiple sub-read-requests and sends them to idle data encryption servers in round-robin fashion; each data encryption server executes its sub-read-request, reading the key-encrypted data from its corresponding encrypted volume B_i, decrypting it with the key and returning it to the application server; jump to step 3.2).
As shown in Fig. 4, data encryption server 1 and data encryption server 2 are each equipped with an encryption/decryption module, which obtains the key from the key management server via the configuration management server so as to encrypt and decrypt the data passing through data encryption server 1 and data encryption server 2.
The FC targets of data encryption server 1 and data encryption server 2 are connected to the FC initiator in the application server based on the FC protocol, and the FC initiators of data encryption server 1 and data encryption server 2 are each connected to the Fibre Channel FC-SAN storage system based on the FC protocol. In this embodiment, the administrator uses the configuration management server to carve out partition A in the storage space of the SAN storage system; the configuration management server obtains a key from the key management server according to the partition ID and distributes the key to data encryption server 1 and data encryption server 2, and data encryption server 1 and data encryption server 2 use the identical key to initialize partition A into encrypted volume B_1 and encrypted volume B_2 respectively. For the application server, the disk device encrypted volume B that it accesses is essentially the set of disk devices composed of encrypted volume B_1 and encrypted volume B_2, which achieves a linear increase in encryption performance and improves the encryption and decryption performance of the system.
The data encryption protection system in this embodiment supports both the FC-SAN and the IP-SAN protocols; when IP-SAN is used, Ethernet and Ethernet switches are used.
From the above description it can be seen that the data encryption servers of the data encryption method for a SAN storage system with scale-out capability of the present invention support parallel deployment: multiple data encryption servers provide service externally at the same time, achieving high reliability, and because the data encryption servers encrypt and decrypt the same encrypted volume using the identical key, they can work concurrently and back each other up, achieving a linear increase in encryption performance and improving the encryption and decryption performance of the system.
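As an added illustration (not code from the patent or its applicant), the following Python models the components described above: a key management server that issues the per-partition key, two data encryption servers that initialize the same partition A with that identical key, a configuration management server that enforces the {encrypted volume, data encryption server, application server} access-control triple, and an application server that splits I/O into sub-requests round-robin across the live nodes and, after one node fails, still reads back sectors the failed node wrote. All names, the 16-byte sector size and the HMAC-based stand-in cipher are constructed assumptions; the patent specifies no encryption algorithm.

```python
import hashlib
import hmac
from itertools import cycle

SECTOR = 16  # constructed: a tiny sector so one message becomes several sub-requests


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _sector_keystream(key: bytes, volume_id: str, sector_no: int, length: int) -> bytes:
    # Stand-in cipher: a PRF keystream tied to (key, volume, sector position).  Tying it to
    # the position rather than a random nonce is what lets any node decrypt a sector that
    # another node wrote.  Production systems use a tweakable block-cipher mode such as
    # AES-XTS here: a position-tweaked keystream repeats when a sector is rewritten and
    # leaks the XOR of the old and new plaintext.
    blocks = (hmac.new(key, f"{volume_id}|{sector_no}|{c}".encode(), hashlib.sha256).digest()
              for c in range(-(-length // 32)))
    return b"".join(blocks)[:length]


class KeyManagementServer:
    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def key_for_partition(self, partition_id: str) -> bytes:
        # Same partition id -> same key, so every node of the group holds an identical key.
        return hmac.new(self._master, partition_id.encode(), hashlib.sha256).digest()


class EncryptionServer:  # one node of the data encryption server group
    def __init__(self, name: str):
        self.name, self.online, self.key, self.volume_id = name, True, b"", ""

    def initialize_volume(self, partition_id: str, key: bytes) -> str:
        self.key, self.volume_id = key, f"B({partition_id})"
        return self.volume_id

    def write(self, san: dict, sector_no: int, plaintext: bytes) -> None:
        ks = _sector_keystream(self.key, self.volume_id, sector_no, len(plaintext))
        san[sector_no] = _xor(plaintext, ks)  # only ciphertext reaches the SAN

    def read(self, san: dict, sector_no: int) -> bytes:
        ct = san[sector_no]
        return _xor(ct, _sector_keystream(self.key, self.volume_id, sector_no, len(ct)))


class ConfigManagementServer:  # carves out partition A, distributes its key, keeps the ACL
    def __init__(self, kms: KeyManagementServer, nodes: list):
        self.kms, self.nodes, self.acl = kms, nodes, set()

    def provision(self, partition_id: str, app_server: str) -> str:
        key = self.kms.key_for_partition(partition_id)
        volume = {n.initialize_volume(partition_id, key) for n in self.nodes}.pop()
        # Access control is the {encrypted volume, encryption server, application server} triple.
        self.acl.update((volume, n.name, app_server) for n in self.nodes)
        return volume


class ApplicationServer:  # multipath view: the per-node volumes B_i appear as one disk
    def __init__(self, name: str, cms: ConfigManagementServer, volume: str, san: dict):
        self.name, self.cms, self.volume, self.san = name, cms, volume, san

    def _paths(self):
        live = [n for n in self.cms.nodes
                if n.online and (self.volume, n.name, self.name) in self.cms.acl]
        if not live:
            raise PermissionError(f"{self.name}: no authorised path to {self.volume}")
        return cycle(live)  # round-robin over the available nodes

    def write(self, data: bytes) -> int:
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        for sector_no, (chunk, node) in enumerate(zip(chunks, self._paths())):
            node.write(self.san, sector_no, chunk)  # one sub-write-request per node
        return len(chunks)

    def read(self, n_sectors: int) -> bytes:
        return b"".join(node.read(self.san, s)
                        for s, node in zip(range(n_sectors), self._paths()))


def demo() -> dict:
    # Write through both nodes, fail one, read everything back through the survivor.
    san = {}  # constructed stand-in for partition A on the disk array
    nodes = [EncryptionServer("enc-1"), EncryptionServer("enc-2")]
    cms = ConfigManagementServer(KeyManagementServer(b"constructed master secret"), nodes)
    volume = cms.provision("partition-A", app_server="app-1")
    app = ApplicationServer("app-1", cms, volume, san)
    msg = b"constructed plaintext that spans several SAN sectors"
    n = app.write(msg)
    leaked = any(msg[s * SECTOR:(s + 1) * SECTOR] in ct for s, ct in san.items())
    nodes[0].online = False  # path failure: multipath now uses enc-2 alone
    recovered = app.read(n)
    try:  # app-2 is not in any ACL triple for this volume
        ApplicationServer("app-2", cms, volume, san).read(n)
        denied = False
    except PermissionError:
        denied = True
    return {"sectors": n, "roundtrip": recovered == msg,
            "ciphertext_only": not leaked, "unauthorised_denied": denied}
```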
The above is only a preferred embodiment of the present invention, and the scope of protection of the present invention is not limited to the above embodiment; all technical solutions falling under the idea of the present invention belong to the scope of protection of the present invention. It should be pointed out that, for those of ordinary skill in the art, improvements and modifications that do not depart from the principles of the present invention should also be regarded as falling within the scope of protection of the present invention.
Claims (2)
1. A data encryption method for a SAN storage system with scale-out capability, characterized in that the implementation steps include:
1) A data encryption protection system is deployed and installed in advance. The data encryption protection system includes a configuration management server, a key management server and a data encryption server group; the data encryption server group includes N data encryption servers; the configuration management server and the data encryption servers are each connected to the SAN storage system, and the key management server is connected to the configuration management server;
2) The administrator uses the configuration management server to carve out a free partition A in the storage space of the SAN storage system; the configuration management server obtains a key from the key management server according to the partition ID of partition A and distributes the key to each data encryption server, and the N data encryption servers each use the key to initialize partition A into a corresponding encrypted volume B_i;
3) The data encryption protection system provides SAN storage services externally based on the encrypted volumes B_i of the data encryption servers; unencrypted plaintext data is transmitted between the data encryption servers and the application servers that access the data encryption protection system, and data encrypted with the key is transmitted between the data encryption servers and the SAN storage system.
2. The data encryption method for a SAN storage system with scale-out capability according to claim 1, characterized in that the detailed steps of step 3) include:
3.1) The administrator uses the configuration management server to map the encrypted volumes B_i corresponding to the N data encryption servers to the application server that accesses the data encryption protection system; that application server aggregates the encrypted volumes B_i mapped by the data encryption servers into a single disk device by means of multipath software;
3.2) When the application server sends a write request to the disk device, jump to step 3.3); when the application server sends a read request to the disk device, jump to step 3.4);
3.3) The application server decomposes the write request carrying unencrypted plaintext data into multiple sub-write-requests and sends them to idle data encryption servers in round-robin fashion; each data encryption server encrypts the unencrypted plaintext data of its sub-write-request with the key, writes it to its corresponding encrypted volume B_i, and returns the execution result to the application server; jump to step 3.2);
3.4) The application server decomposes the read request into multiple sub-read-requests and sends them to idle data encryption servers in round-robin fashion; each data encryption server executes its sub-read-request, reading the key-encrypted data from its corresponding encrypted volume B_i, decrypting it with the key and returning it to the application server; jump to step 3.2).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710421889.4A CN107018208B (en) | 2017-06-07 | 2017-06-07 | Data encryption method for a SAN storage system with scale-out capability |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107018208A true CN107018208A (en) | 2017-08-04 |
CN107018208B CN107018208B (en) | 2019-07-16 |
Family
ID=59452326
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710421889.4A Active CN107018208B (en) | 2017-06-07 | 2017-06-07 | Data encryption method for a SAN storage system with scale-out capability |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107018208B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101841412A (en) * | 2010-04-09 | 2010-09-22 | 兰州韦尔斯信息科技有限公司 | Method and device for encrypting network environment of storage domain |
CN102158558A (en) * | 2011-04-13 | 2011-08-17 | 阮晓迅 | SAN (Storage Area Networking) storage encryption system and method |
CN106712943A (en) * | 2017-01-20 | 2017-05-24 | 郑州云海信息技术有限公司 | Secure storage system |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108616537A (en) * | 2018-04-28 | 2018-10-02 | 湖南麒麟信安科技有限公司 | Low-coupling general data encryption and decryption method and system |
CN108616537B (en) * | 2018-04-28 | 2021-11-30 | 湖南麒麟信安科技股份有限公司 | Low-coupling general data encryption and decryption method and system |
CN110650008A (en) * | 2019-08-30 | 2020-01-03 | 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) | Multi-port FC encryption method and device |
Also Published As
Publication number | Publication date |
---|---|
CN107018208B (en) | 2019-07-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |
CP01 | Change in the name or title of a patent holder | Address after: 410000 4th floor, Gongmei building, 156 Sany Avenue, Kaifu District, Changsha City, Hunan Province; Patentee after: Hunan Qilin Xin'an Technology Co., Ltd; Address before: 410000 4th floor, Gongmei building, 156 Sany Avenue, Kaifu District, Changsha City, Hunan Province; Patentee before: HUNAN KYLIN XINAN TECHNOLOGY Co.,Ltd. | |