CN107273769A - Protection method and device for an electronic device - Google Patents
- Publication number: CN107273769A (application CN201710562050.2A)
- Authority: CN (China)
- Prior art keywords: file, electronic equipment, disk, decryption, encryption
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/80—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
This application discloses a protection method for an electronic device, intended to improve the security of the data stored in the device. The method includes: encrypting the disk of the electronic device; and adding a disk decryption file to the initial root file system file in the electronic device, so that when the operating system of the device starts, executing the disk decryption file completes the following operations: verifying the key in the ukey device connected to the electronic device, and deciding, according to the verification result, whether to decrypt the disk. A protection device for an electronic device is also disclosed.
Description
Technical field
This application relates to the field of computer technology, and in particular to a protection method and device for an electronic device.
Background technology
The disk is an important storage unit of an electronic device, so the user's most important data files are stored on the device's disk. With the adoption of cloud computing and virtual machine technology, data security is receiving more and more attention from users. To improve the security of electronic devices and prevent leakage of the data stored in them, the data on the device's disk must be protected.
Content of the invention
The embodiments of this application provide a protection method and device for an electronic device, for improving the security of the data stored in the device.
The embodiments of this application use the following technical solutions:
A protection method for an electronic device, characterised in that it includes: encrypting the disk of the electronic device; adding a disk decryption file to the initial root file system file in the electronic device, so that when the operating system of the electronic device starts, executing the disk decryption file completes the following operations: verifying the key in the ukey device connected to the electronic device, and deciding, according to the verification result, whether to decrypt the disk; encrypting the initial root file system file to which the disk decryption file was added; inserting redundant code into the encrypted initial root file system file, so as to change the file magic number of the initial root file system file into which the redundant code was inserted; and adding a corresponding decryption file to the kernel file of the electronic device, where the kernel file is used to boot and execute the initial root file system file containing the inserted redundant code, and the decryption file, when executed, decrypts the initial root file system file containing the inserted redundant code.
A protection method for an electronic device, including: encrypting the disk of the electronic device; adding a disk decryption file to the initial root file system file in the electronic device, so that when the operating system of the electronic device starts, executing the disk decryption file completes the following operations: verifying the key in the ukey device connected to the electronic device, and deciding, according to the verification result, whether to decrypt the disk.
Optionally, after the disk decryption file is added to the initial root file system file in the electronic device, the method further includes: encrypting the initial root file system file to which the disk decryption file was added, and inserting redundant code into the encrypted initial root file system file; and adding a corresponding decryption file to the kernel file of the electronic device, where the kernel file is used to boot and execute the initial root file system file containing the inserted redundant code, and the decryption file, when executed, decrypts that initial root file system file.
Optionally, after the corresponding decryption file is added to the kernel file of the electronic device, the method further includes: disabling a first preset script file in the kernel file, so as to restrict the boot modes of the electronic device.
Optionally, after the corresponding decryption file is added to the kernel file of the electronic device, the method further includes: disabling a second preset script file in the kernel file, so as to close the single-user login mode of the electronic device.
Optionally, encrypting the disk of the electronic device specifically includes: encrypting the disk cells, within the disk partitions of the electronic device, that store file data.
A protection device for an electronic device, including: a disk encryption module, for encrypting the disk of the electronic device; and a file adding module, for adding a disk decryption file to the initial root file system file in the electronic device, so that when the operating system of the electronic device starts, executing the disk decryption file completes the following operations: verifying the key in the ukey device connected to the electronic device, and deciding, according to the verification result, whether to decrypt the disk.
Optionally, the device further includes an encryption/decryption module, which encrypts the initial root file system file to which the disk decryption file was added, inserts redundant code into the encrypted initial root file system file, and adds a corresponding decryption file to the kernel file of the electronic device, where the kernel file is used to boot and execute the initial root file system file containing the inserted redundant code, and the decryption file, when executed, decrypts that initial root file system file.
Optionally, the device further includes a first script file disabling module and a second script file disabling module, where the first script file disabling module disables a first preset script file in the kernel file so as to restrict the boot modes of the electronic device, and the second script file disabling module disables a second preset script file in the kernel file so as to close the single-user login mode of the electronic device.
Optionally, the disk encryption module specifically encrypts the disk cells, within the disk partitions of the electronic device, that store file data.
At least one of the above technical solutions used by the embodiments of this application can achieve the following beneficial effect: because the disk of the electronic device is encrypted, only a user who holds the key can decrypt the disk, which ensures the security of the electronic device.
In addition, because a disk decryption file is added to the initial root file system file in the electronic device, the disk decryption file is executed when the operating system in the device starts; it verifies the key in the ukey device connected to the device and decides, according to the verification result, whether to decrypt the disk. Compared with entering a key manually, no manual user operation is required, which ensures the data security of the electronic device while simplifying the user's operation.
Brief description of the drawings
The accompanying drawings described here are provided for further understanding of this application and form part of it; the schematic embodiments of this application and their description are used to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flow chart of the protection method for an electronic device provided by embodiment 1 of this application;
Fig. 2 is a schematic diagram of an application scenario of the protection method for an electronic device provided by embodiment 2 of this application;
Fig. 3 is a schematic structural diagram of the protection device for an electronic device provided by embodiment 3 of this application.
Embodiment
To make the purpose, technical solutions and advantages of this application clearer, the technical solutions are described clearly and completely below with reference to specific embodiments of the application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application, without creative work, fall within the scope of protection of this application.
Embodiment 1
Embodiment 1 provides a protection method for an electronic device, for improving the security of the data stored in the device. The specific flow of the method is shown in Fig. 1 and includes the following steps:
Step S11: encrypt the disk of the electronic device.
The electronic device in this embodiment can specifically be a server, a PC and so on. An operating system is usually installed on such devices, for example an Ubuntu, openSUSE or Kylin system based on the Linux kernel.
When the disk of the electronic device is encrypted in this step, an encryption tool matching the device's operating system can be chosen. For example, when the operating system is Ubuntu, the cryptsetup tool can be used to encrypt the disk; in concrete terms, cryptsetup can be enabled when installing Ubuntu on the device so that the hard disk is encrypted.
In addition, when the disk is encrypted, specifically only the disk cells within the device's disk partitions that store data can be encrypted, while no encryption operation is performed on the disk cells that store no data.
Here a disk cell can consist of several sectors. A sector is the smallest logical unit of a disk partition and its capacity is very small, whereas data (file data) is generally large; therefore a disk cell made up of several sectors can serve as the basic unit of judgement for deciding whether file data is stored in it. Only a disk cell that is judged to hold file data is encrypted, and disk cells that hold no file data need not be encrypted, so not every disk cell of the whole electronic device has to be encrypted, which greatly reduces encryption time and improves processing efficiency.
Step S12: add a disk decryption file to the initial root file system file in the electronic device, so that when the operating system of the electronic device starts, executing the disk decryption file completes the following operations: verifying the key in the ukey device connected to the electronic device, and deciding, according to the verification result, whether to decrypt the disk.
The ukey device (Universal Key Device) in this embodiment can be a small storage device with encryption and authentication functions that is connected to the electronic device through a USB (Universal Serial Bus) interface.
As stated above, an operating system is generally installed on the electronic device. In order to mount the initial root file system file when the device is powered on and then boot the operating system, a kernel file is also generally embedded in the electronic device, specifically for example a vmlinuz file.
When the above kernel file starts, it typically first executes the initial root file system file to complete tasks such as loading driver modules. The initial root file system file here can specifically be an initrd.img file.
In general, several virtual machines may also be installed on the electronic device, and these virtual machines may also run operating systems. Therefore, the operating system in the electronic device in this step may be the host operating system of the device, or it may be a guest operating system installed in a virtual machine, where the virtual machine is installed in the host operating system of the device.
In this embodiment, the main purpose of adding the disk decryption file to the initial root file system file is that, when the operating system in the electronic device starts, the kernel file loads the initial root file system file containing the disk decryption file into memory, completes tasks such as loading the USB driver and communicating with the ukey device, and finally decides whether to decrypt the disk by verifying the key in the ukey device.
The ukey device and the electronic device can be connected by USB. When the key in the ukey device is verified, for example: if the key in the ukey device passes verification, the disk is decrypted and the operating system continues to boot; if the key in the ukey device fails verification or no ukey device is detected, the disk is not decrypted and the operating system cannot continue to boot.
With the method provided by embodiment 1, the disk of the electronic device is encrypted, so only a user who holds the key can decrypt the disk, which ensures the security of the electronic device.
In addition, because a disk decryption file is added to the initial root file system file in the electronic device, the disk decryption file is executed when the operating system in the device starts; it verifies the key in the ukey device connected to the device and decides, according to the verification result, whether to decrypt the disk. Compared with entering a key manually, no manual user operation is required, which ensures the data security of the electronic device while simplifying the user's operation.
This embodiment chooses to encrypt the disk of the electronic device and, when the operating system in the device starts, to decide whether to decrypt the disk by verifying the key in the ukey device connected to the device. Compared with system-level protection (for example a login method where a user name and password are entered when the device is switched on), this also avoids the risk of data leakage when the device's disk is removed and installed in another electronic device.
In step S12 of embodiment 1, after the disk decryption file is added to the initial root file system file in the electronic device, the initial root file system file containing the disk decryption file can also be encrypted, and redundant code inserted into the encrypted initial root file system file. The inserted redundant code has two effects: first, it changes the file magic number of the initial root file system file containing the redundant code so that the file looks like the original file, in order to confuse an attacker; second, when the kernel file mounts the initial root file system file containing the redundant code, the redundant code is skipped automatically, so even if an attacker obtains and cracks (decrypts) the initial root file system file, it cannot run or will malfunction when run.
After the redundant code is inserted into the encrypted initial root file system file, a corresponding decryption file can also be added to the kernel file of the electronic device, where the kernel file is used to boot and execute the initial root file system file containing the inserted redundant code, and the decryption file, when executed, decrypts that initial root file system file.
In addition, after the corresponding decryption file is added to the kernel file of the electronic device, a first preset script file in the kernel file can also be disabled so as to restrict the boot modes of the electronic device. The system of an electronic device generally reserves several boot modes, such as safe mode, safe mode with networking and last known good configuration; by disabling the first preset script file, only one boot mode is retained, which prevents an unauthorised user from booting the server successfully through another boot mode and skipping the step of decrypting the disk with the key.
After the corresponding decryption file is added to the kernel file of the electronic device, a second preset script file in the kernel file can also be disabled so as to close the single-user login mode of the electronic device, because in single-user mode a user may be able to log in without the key.
Embodiment 2
To describe the protection method of embodiment 1 in detail, a specific implementation example is explained below.
The electronic device in this embodiment is specifically a server. An applicable scenario of this application is first introduced briefly. As shown in Fig. 2, the outermost element in Fig. 2 is a server 10, on which an Ubuntu server system 20 is installed. Several virtual machines 30 (VirtualBox) can generally be emulated on the server 10, i.e. each virtual machine 30 is a section of storage space partitioned off on the disk of the server 10, and each virtual machine 30 likewise runs an Ubuntu system 40. Service programs (not shown) typically run in the Ubuntu systems 40; these service programs respond to client operations and provide services to clients. In addition, a ukey device (not shown) is connected to the server 10 through a USB interface.
In the prior art the disks of the server 10 are not encrypted, so if these disks are accessed illegally, the program code of the service programs installed on them and their data face the risk of leakage. Therefore, this embodiment protects the data on the server disks along two dimensions:
1) the disks in the server are encrypted;
2) whether a disk is decrypted is decided by verifying the key in the ukey device. Because a server usually hosts many virtual machines, the Ubuntu system in each virtual machine (or rather the disk allocated to the Ubuntu system in each virtual machine) corresponds to a different key, which avoids the user having to enter a key manually, again and again, after the server is powered on in order to decrypt the disk of the system in each virtual machine.
The server protection method of this embodiment is described in detail below in terms of 1) disk encryption in the server, 2) Linux kernel modification and initial root file system file modification, and 3) ukey firmware development.
1) Disk encryption (corresponding to step S11 in embodiment 1).
To ensure that the data on the disks of the server 10 is not stolen or copied, this embodiment can encrypt the server disks. Ubuntu is a Linux distribution, so this embodiment can use cryptsetup (a partition encryption tool under Linux) to encrypt the hard disk when installing Ubuntu.
In addition, this embodiment encrypts not only the disk corresponding to the Ubuntu server system 20 but also the disks corresponding to the Ubuntu systems 40 running in the virtual machines 30, and after encryption the corresponding keys are configured in the ukey device.
2) Linux kernel modification and initial root file system file modification (corresponding to step S12 in embodiment 1; here the kernel file vmlinuz and the initial root file system file initrd.img are mainly modified).
The Linux kernel modification and initial root file system file modification performed here have two main purposes: first, when the Ubuntu server system 20 and the Ubuntu systems 40 running in the virtual machines 30 start, whether to decrypt the disk is decided by verifying the key in the ukey device; second, the Ubuntu server system 20 and the Ubuntu systems 40 run in a secure, trusted environment, further ensuring the security of the data stored in the electronic device. The Linux kernel modification and the initial root file system file modification are explained below in two parts.
First, the automatic hard disk decryption program. The initial root file system file initrd.img of the Ubuntu system is updated so that, when the Ubuntu server system 20 and the Ubuntu systems 40 running in the virtual machines 30 start, whether to decrypt the disk is decided by verifying the key in the ukey device.
The automatic hard disk decryption program sec_boxOpen in this embodiment is developed in C (libusb handles USB communication, libcryptsetup handles hard disk decryption, and the main control program sec_boxOpen obtains the key from the ukey and then runs the decryption program on the disk). The disk decryption process takes place before the Linux kernel mounts the file system; at that point the kernel uses initrd.img as a temporary file system to boot and mount each hardware device.
Specifically, after development of the above automatic disk decryption program sec_boxOpen is complete, the unmodified initrd.img file (in cpio format) is unpacked, the automatic disk decryption program sec_boxOpen is added to the initrd.img file (related scripts can also be modified to turn off debug information, forbid single-user login mode and so on, as introduced later), and finally the modified initrd.img file is repacked.
Finally, the kernel file vmlinuz is modified so that the modified vmlinuz file recognises the modified initrd.img file and loads it into memory for execution, so that when the Ubuntu server system 20 and the Ubuntu systems 40 running in the virtual machines 30 start, whether to decrypt the disk is decided by verifying the key in the ukey device.
Second, the server system start-up and the disk decryption operation are all carried out in a trusted environment, which specifically includes:
The kernel file vmlinuz is modified, specifically by closing the dangerous initialisation scripts in the file linux-source-3.13.0/init/main.c and retaining only the /sbin/init system initialisation script. Because the Linux kernel system reserves several boot modes, such as safe mode, safe mode with networking and last known good configuration, closing the dangerous initialisation scripts retains only one boot mode, which prevents an unauthorised user from booting the server successfully through another boot mode and skipping the step of decrypting the disk with the key.
The initrd.img file containing the automatic disk decryption program is modified, specifically by turning off debug information (setting quiet=y in the init script to hide console debug information) and by closing the server's single-user login mode, because in single-user mode a user may be able to log in without the key.
The initrd.img file resulting from the above operations is then encrypted, specifically with the RC4 encryption algorithm, and a prefix constructing a false magic number is added, so that the initrd.img file still looks like an initrd.img file that has not been modified at all, as it was before the automatic disk decryption program was added. An initrd.img decryption program is added to linux-source-3.13.0/init/initramfs.c of the system kernel vmlinuz, so that when the initrd.img file is executed, the prefix in initrd.img is skipped and RC4 decryption is performed. These operations prevent an attacker from tampering with initrd.img to modify its scripts and control the disk decryption flow: once the Linux kernel file vmlinuz or the initial root file system file initrd.img has been tampered with, the system will not boot successfully and the disk will not be decrypted.
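As an added illustration of the initrd.img wrapping described above (example code written for this page, not the patent's sec_boxOpen or its kernel patch), the block below RC4-encrypts a constructed minimal cpio image behind a prefix carrying a false magic number, then unwraps it the way the initramfs.c hook would: skip the prefix, decrypt, and check that the cpio magic reappears. The key, the prefix length and the gzip-style false magic are assumptions of the example.

```c
/* Added example, not code from the patent: wraps an initramfs image the way
 * embodiment 2 describes (RC4-encrypt it, prepend a prefix carrying a false
 * magic number) and unwraps it the way the initramfs.c hook would (skip the
 * prefix, RC4-decrypt, check that a newc cpio header "070701" reappears).
 * Key, prefix layout and sizes are assumptions of this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PREFIX_LEN 16          /* assumed length of the redundant prefix */
#define CPIO_MAGIC "070701"    /* newc cpio header magic */
#define SAMPLE_LEN 124         /* size of the constructed sample image */

/* RC4 state: permutation plus the two indices of the keystream generator */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *st, const uint8_t *key, size_t klen) {
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) st->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {           /* key-scheduling algorithm */
        j = (uint8_t)(j + st->s[k] + key[k % klen]);
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

/* XOR buf with the RC4 keystream; the same call encrypts and decrypts */
static void rc4_crypt(rc4_t *st, uint8_t *buf, size_t len) {
    for (size_t n = 0; n < len; n++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->s[st->i]);
        uint8_t t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
        buf[n] ^= st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
    }
}

/* Build-time side: out = [prefix with false magic][RC4(initrd)]. The prefix
 * starts with the gzip magic 1f 8b 08 so a casual inspection reports a
 * compressed initrd; the rest of it is zero padding. */
size_t wrap_initrd(const uint8_t *initrd, size_t len, const uint8_t *key,
                   size_t klen, uint8_t *out, size_t outcap) {
    if (klen == 0 || outcap < PREFIX_LEN + len) return 0;
    memset(out, 0, PREFIX_LEN);
    out[0] = 0x1f; out[1] = 0x8b; out[2] = 0x08;
    memcpy(out + PREFIX_LEN, initrd, len);
    rc4_t st; rc4_init(&st, key, klen);
    rc4_crypt(&st, out + PREFIX_LEN, len);
    return PREFIX_LEN + len;
}

/* Kernel side: skip the prefix, decrypt, and accept the image only if a newc
 * cpio header is recovered. Returns the payload length, or 0 on failure. */
size_t unwrap_initrd(const uint8_t *wrapped, size_t len, const uint8_t *key,
                     size_t klen, uint8_t *out, size_t outcap) {
    if (klen == 0 || len <= PREFIX_LEN || outcap < len - PREFIX_LEN) return 0;
    size_t plen = len - PREFIX_LEN;
    memcpy(out, wrapped + PREFIX_LEN, plen);
    rc4_t st; rc4_init(&st, key, klen);
    rc4_crypt(&st, out, plen);
    if (plen < 6 || memcmp(out, CPIO_MAGIC, 6) != 0) return 0; /* wrong key */
    return plen;
}

/* Constructed sample: one 110-byte newc header naming TRAILER!!!, then the
 * NUL-terminated name padded to a 4-byte boundary. */
static size_t sample_initrd(uint8_t *buf) {
    memset(buf, '0', 110);
    memcpy(buf, CPIO_MAGIC, 6);
    memcpy(buf + 94, "0000000b", 8);      /* namesize field = 11 */
    memset(buf + 110, 0, SAMPLE_LEN - 110);
    memcpy(buf + 110, "TRAILER!!!", 10);
    return SAMPLE_LEN;
}

static const uint8_t KEY_A[] = "example-initrd-key";  /* constructed keys */
static const uint8_t KEY_B[] = "some-other-key";

static size_t wrapped_sample(uint8_t *w, size_t cap) {
    uint8_t img[SAMPLE_LEN];
    size_t n = sample_initrd(img);
    return wrap_initrd(img, n, KEY_A, sizeof KEY_A - 1, w, cap);
}

/* Round trip: false magic visible, cpio magic hidden, original recovered. */
int demo_roundtrip(void) {
    uint8_t w[SAMPLE_LEN + PREFIX_LEN], out[SAMPLE_LEN], img[SAMPLE_LEN];
    size_t wl = wrapped_sample(w, sizeof w);
    sample_initrd(img);
    if (wl != sizeof w || w[0] != 0x1f || w[1] != 0x8b) return 0;
    if (memcmp(w + PREFIX_LEN, CPIO_MAGIC, 6) == 0) return 0;
    size_t pl = unwrap_initrd(w, wl, KEY_A, sizeof KEY_A - 1, out, sizeof out);
    return pl == SAMPLE_LEN && memcmp(out, img, SAMPLE_LEN) == 0;
}

/* Wrap the sample, optionally flip one ciphertext byte at payload offset
 * `flip` (SIZE_MAX = none), unwrap with KEY_B (wrong_key) or KEY_A, and
 * return the accepted payload length (0 = rejected). A flip under the header
 * is rejected; a flip in the body decrypts to a flipped byte and still passes,
 * because RC4 provides no integrity. */
size_t demo_unwrap(int wrong_key, size_t flip) {
    uint8_t w[SAMPLE_LEN + PREFIX_LEN], out[SAMPLE_LEN];
    size_t wl = wrapped_sample(w, sizeof w);
    if (flip != SIZE_MAX) w[PREFIX_LEN + flip] ^= 0x01;
    const uint8_t *k = wrong_key ? KEY_B : KEY_A;
    size_t kl = wrong_key ? sizeof KEY_B - 1 : sizeof KEY_A - 1;
    return unwrap_initrd(w, wl, k, kl, out, sizeof out);
}
```

The last case shows the limit of the scheme: a byte changed in the body still passes the magic check, because RC4 provides confidentiality only. Tamper detection would need an authenticated construction, which the patent does not describe.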
3) ukey firmware development.
The chip of the ukey device used in this embodiment can specifically be the IS8U192A from Hua Da Xin An, available on the market, which can effectively prevent the firmware from being read illegally or reverse-engineered.
The ukey firmware can be developed with the Keil IDE. By configuring the firmware in the ukey device, the ukey device and the server host communicate over USB, and the following functions are implemented: the ukey device is configured as a driverless HID device; the data exchanged over USB between the server and the ukey device is encrypted and decrypted; a custom secure handshake protocol is used for encryption and decryption; and the keys in the ukey device can be configured and managed.
With the method provided by embodiment 2, when the system installed on the server starts, whether to decrypt the disk is decided by verifying the key in the ukey device. Compared with entering the key manually, no manual user operation is required, which ensures the security of the electronic device while simplifying the user's operation.
In addition, when the Ubuntu server system 20 and the Ubuntu systems 40 running in the virtual machines 30 on the server 10 start, whether to decrypt each disk is decided separately by verifying the key in the ukey device, which is equivalent to double encryption of the disks in the server and further improves the security of the data stored on the server disks.
Furthermore, this embodiment relies on the characteristics of the ukey device, namely high security, strong consistency of technical specifications, good operating system compatibility and flexible carrying and use, to avoid to a greater extent the security problems caused by leaks and the like, improving the security of the server disk data.
Embodiment 3
Corresponding to the method provided by embodiment 1, this application also provides an embodiment of a protection device 300 for an electronic device, for improving the security of the data stored in the device. The specific structure of the device is shown in Fig. 3 and includes:
A disk encryption module 31, which can be used to encrypt the disk of the electronic device; specifically it can be used to encrypt the disk cells within the device's disk partitions that store file data.
A file adding module 32, which can be used to add a disk decryption file to the initial root file system file in the electronic device, so that when the operating system of the electronic device starts, executing the disk decryption file completes the following operations: verifying the key in the ukey device connected to the electronic device, and deciding, according to the verification result, whether to decrypt the disk.
As shown in Fig. 3, the above device can also include an encryption/decryption module 33, which encrypts the initial root file system file to which the disk decryption file was added, inserts redundant code into the encrypted initial root file system file, and adds a corresponding decryption file to the kernel file of the electronic device, where the kernel file is used to boot and execute the initial root file system file containing the inserted redundant code, and the decryption file, when executed, decrypts that initial root file system file.
The above device also includes a first script file disabling module and a second script file disabling module, where the first script file disabling module can be used to disable a first preset script file in the kernel file so as to restrict the boot modes of the electronic device, and the second script file disabling module can be used to disable a second preset script file in the kernel file so as to close the single-user login mode of the electronic device.
With the device provided by embodiment 3, the disk of the electronic device is encrypted, so only a user who holds the key can decrypt the disk, which ensures the security of the electronic device.
In addition, because a disk decryption file is added to the initial root file system file in the electronic device, the disk decryption file is executed when the operating system in the device starts; it verifies the key in the ukey device connected to the device and decides, according to the verification result, whether to decrypt the disk. Compared with entering a key manually, no manual user operation is required, which ensures the data security of the electronic device while simplifying the user's operation.
This embodiment chooses to encrypt the disk of the electronic device and, when the operating system in the device starts, to decide whether to decrypt the disk by verifying the key in the ukey device. Compared with system-level protection (for example a login method where a user name and password are entered when the device is switched on), this also avoids the risk of data leakage when the device's disk is removed and installed in another electronic device.
A person skilled in the art should understand that the embodiments of this application may be provided as a method, a system or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and so on) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can implement information storage by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent substitution, improvement, etc. made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.
Claims (10)
1. A protection method for an electronic equipment, characterised in that it comprises:
encrypting the disk of the electronic equipment;
adding a disk decryption file to the initial root file system files in the electronic equipment, so that when the operating system in the electronic equipment starts it executes the disk decryption file to complete the following operations: verifying the key in the ukey device connected to the electronic equipment, and determining, according to the verification result, whether to decrypt the disk;
encrypting the initial root file system files to which the disk decryption file has been added;
inserting redundant code into the encrypted initial root file system files, so as to change the file magic number of the initial root file system files into which the redundant code has been inserted;
adding a corresponding decryption file to the kernel file of the electronic equipment, wherein the kernel file is used to boot and execute the initial root file system files into which the redundant code has been inserted, and the decryption file, when executed, is used to decrypt the initial root file system files into which the redundant code has been inserted.
2. A protection method for an electronic equipment, characterised in that it comprises:
encrypting the disk of the electronic equipment;
adding a disk decryption file to the initial root file system files in the electronic equipment, so that when the operating system in the electronic equipment starts it executes the disk decryption file to complete the following operations:
verifying the key in the ukey device connected to the electronic equipment; and determining, according to the verification result, whether to decrypt the disk.
3. The method according to claim 2, characterised in that, after the disk decryption file is added to the initial root file system files in the electronic equipment, the method further comprises:
encrypting the initial root file system files to which the disk decryption file has been added, and inserting redundant code into the encrypted initial root file system files;
adding a corresponding decryption file to the kernel file of the electronic equipment, wherein
the kernel file is used to boot and execute the initial root file system files into which the redundant code has been inserted; and the decryption file, when executed, is used to decrypt the initial root file system files into which the redundant code has been inserted.
4. The method according to claim 3, characterised in that, after the corresponding decryption file is added to the kernel file of the electronic equipment, the method further comprises:
disabling a first default script file in the kernel file, so as to restrict the start-up mode of the electronic equipment.
5. The method according to claim 3, characterised in that, after the corresponding decryption file is added to the kernel file of the electronic equipment, the method further comprises:
disabling a second default script file in the kernel file, so as to close the single-user login mode of the electronic equipment.
6. The method according to any one of claims 2 to 5, characterised in that encrypting the disk of the electronic equipment specifically comprises:
encrypting the disk units that store file data in the disk partition of the electronic equipment.
7. A protection device for an electronic equipment, characterised in that it comprises:
a disk encryption module, for encrypting the disk of the electronic equipment;
a file adding module, for adding a disk decryption file to the initial root file system files in the electronic equipment, so that when the operating system in the electronic equipment starts it executes the disk decryption file to complete the following operations: verifying the key in the ukey device connected to the electronic equipment; and determining, according to the verification result, whether to decrypt the disk.
8. The device according to claim 7, characterised in that the device further comprises an encryption and decryption module, wherein
the encryption and decryption module is used to encrypt the initial root file system files to which the disk decryption file has been added, and to insert redundant code into the encrypted initial root file system files; and
to add a corresponding decryption file to the kernel file of the electronic equipment, wherein
the kernel file is used to boot and execute the initial root file system files into which the redundant code has been inserted; and the decryption file, when executed, is used to decrypt the initial root file system files into which the redundant code has been inserted.
9. The device according to claim 8, characterised in that the device further comprises a first script file disabling module and a second script file disabling module, wherein
the first script file disabling module is used to disable a first default script file in the kernel file, so as to restrict the start-up mode of the electronic equipment; and
the second script file disabling module is used to disable a second default script file in the kernel file, so as to close the single-user login mode of the electronic equipment.
10. The device according to any one of claims 7 to 9, characterised in that the disk encryption module is specifically used to encrypt the disk units that store file data in the disk partition of the electronic equipment.
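As an added example (not code from the patent or its applicant), the following Python models the chain that claims 1 to 3 describe: the initial root file system is encrypted and given a redundant prefix so its file magic number changes, the kernel-side decryption file strips the prefix and decrypts it, and the disk decryption file it carries checks the ukey key before allowing disk decryption. The SHAKE-based stream cipher with an HMAC tag, the PBKDF2 enrolment of the ukey key, and every key, salt and payload are constructed assumptions standing in for whatever a real deployment uses.

```python
import hashlib
import hmac
import os

GZIP_MAGIC = b"\x1f\x8b"        # magic number of a gzip-compressed initramfs
REDUNDANT_CODE = b"\x90" * 16   # constructed filler inserted before the ciphertext
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHAKE-256 keyed by key||nonce as a stream generator; illustrative stand-in for AES
    return hashlib.shake_256(key + nonce).digest(n)


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_initramfs(plain: bytes, key: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC the initial root file system, then insert redundant
    code in front so the file no longer begins with the gzip magic number."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(plain, _keystream(key, nonce, len(plain)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return REDUNDANT_CODE + nonce + ct + tag


def unwrap_initramfs(blob: bytes, key: bytes) -> bytes:
    """The decryption file carried in the kernel image: strip the redundant
    code, verify the tag before decrypting, and refuse a tampered image."""
    if not blob.startswith(REDUNDANT_CODE):
        raise ValueError("redundant code prefix missing")
    body = blob[len(REDUNDANT_CODE):]
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("initial root file system failed authentication")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def enroll_ukey(ukey_key: bytes, salt: bytes) -> bytes:
    """Stored at enrolment: a salted PBKDF2 digest, so the ukey key itself never sits in the initramfs."""
    return hashlib.pbkdf2_hmac("sha256", ukey_key, salt, 10_000)


def ukey_permits_decrypt(ukey_key: bytes, salt: bytes, enrolled: bytes) -> bool:
    """The disk decryption file's check at boot: unlock the disk only when the
    key read from the connected ukey matches the enrolled digest."""
    return hmac.compare_digest(enroll_ukey(ukey_key, salt), enrolled)


if __name__ == "__main__":
    kernel_key, salt = os.urandom(32), os.urandom(16)            # constructed
    image = wrap_initramfs(GZIP_MAGIC + b"constructed payload", kernel_key)
    print("magic changed:", image[:2] != GZIP_MAGIC)
    print("decrypts:", unwrap_initramfs(image, kernel_key)[:2] == GZIP_MAGIC)
    enrolled = enroll_ukey(b"ukey-secret", salt)
    print("wrong ukey rejected:", not ukey_permits_decrypt(b"guess", salt, enrolled))
```

The redundant prefix and the initramfs encryption only keep the boot script from casual inspection, since the key the kernel file uses to unwrap it must itself be present on the device; the ukey check in `ukey_permits_decrypt` is the control that keeps a removed disk unreadable.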
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710562050.2A CN107273769A (en) | 2017-07-11 | 2017-07-11 | The guard method of a kind of electronic equipment and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710562050.2A CN107273769A (en) | 2017-07-11 | 2017-07-11 | The guard method of a kind of electronic equipment and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107273769A true CN107273769A (en) | 2017-10-20 |
Family
ID=60072012
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710562050.2A Pending CN107273769A (en) | 2017-07-11 | 2017-07-11 | The guard method of a kind of electronic equipment and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107273769A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108287988A (en) * | 2017-12-25 | 2018-07-17 | 武汉华工安鼎信息技术有限责任公司 | Safety management system and method for mobile terminal document |
CN110188555A (en) * | 2019-05-28 | 2019-08-30 | 深信服科技股份有限公司 | A kind of hard disk data protection method, system and associated component |
CN110196718A (en) * | 2018-05-10 | 2019-09-03 | 腾讯科技(深圳)有限公司 | Script obscures method |
CN110457920A (en) * | 2019-07-30 | 2019-11-15 | 苏州赛器信息安全科技有限公司 | A kind of data ciphering method and encryption device |
CN110874467A (en) * | 2018-08-29 | 2020-03-10 | 阿里巴巴集团控股有限公司 | Information processing method, device, system, processor and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104636685A (en) * | 2015-02-25 | 2015-05-20 | 山东超越数控电子有限公司 | Method for protecting linux operation system on loongson hardware platform |
CN104871174A (en) * | 2012-12-14 | 2015-08-26 | 国际商业机器公司 | Boot mechanisms for 'bring your own' management |
- 2017-07-11 CN CN201710562050.2A patent/CN107273769A/en active Pending
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108287988A (en) * | 2017-12-25 | 2018-07-17 | 武汉华工安鼎信息技术有限责任公司 | Safety management system and method for mobile terminal document |
CN110196718A (en) * | 2018-05-10 | 2019-09-03 | 腾讯科技(深圳)有限公司 | Script obscures method |
CN110874467A (en) * | 2018-08-29 | 2020-03-10 | 阿里巴巴集团控股有限公司 | Information processing method, device, system, processor and storage medium |
CN110874467B (en) * | 2018-08-29 | 2023-05-02 | 阿里巴巴集团控股有限公司 | Information processing method, device, system, processor and storage medium |
CN110188555A (en) * | 2019-05-28 | 2019-08-30 | 深信服科技股份有限公司 | A kind of hard disk data protection method, system and associated component |
CN110188555B (en) * | 2019-05-28 | 2023-09-05 | 深信服科技股份有限公司 | Disk data protection method, system and related components |
CN110457920A (en) * | 2019-07-30 | 2019-11-15 | 苏州赛器信息安全科技有限公司 | A kind of data ciphering method and encryption device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107273769A (en) | The guard method of a kind of electronic equipment and device | |
CN109313690B (en) | Self-contained encrypted boot policy verification | |
CN102208000B (en) | Method and system for providing security mechanisms for virtual machine images | |
CN111723383B (en) | Data storage and verification method and device | |
CN103843006B (en) | Method and equipment for provisioning of operating systems to user terminals | |
EP2795829B1 (en) | Cryptographic system and methodology for securing software cryptography | |
CN104462965B (en) | Application integrity verification method and the network equipment | |
CN102624699B (en) | Method and system for protecting data | |
US8429389B2 (en) | ROM BIOS based trusted encrypted operating system | |
CN107679393B (en) | Android integrity verification method and device based on trusted execution environment | |
US20090193211A1 (en) | Software authentication for computer systems | |
CA2618544C (en) | Rom bios based trusted encrypted operating system | |
CN107003866A (en) | The safety establishment of encrypted virtual machine from encrypted template | |
CN109669734A (en) | Method and apparatus for starting device | |
CN109960903A (en) | A kind of method, apparatus, electronic equipment and storage medium that application is reinforced | |
CN109840430A (en) | The secure processing units and its bus arbitration method of PLC | |
CN106778283A (en) | A kind of guard method of system partitioning critical data and system | |
CN105308610A (en) | Method and system for platform and user application security on a device | |
CN107315945B (en) | The disk decryption method and device of a kind of electronic equipment | |
CN104794394A (en) | Virtual machine starting verification method and device | |
CN103970540B (en) | Key Functions secure calling method and device | |
CN107092838A (en) | A kind of safety access control method of hard disk and a kind of hard disk | |
CN112955888A (en) | Protecting a group of nodes | |
CN107835075A (en) | The processing method and processing device of local password | |
CN109728912A (en) | Broadcasting content safe transmission method, system and terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 100083 Beijing, Haidian District Xueyuan Road 30 days building A 20 floor; Applicant after: Beijing Bang Bang Safety Technology Co. Ltd.; Address before: 100083 Beijing, Haidian District Xueyuan Road 30 days building A 20 floor; Applicant before: Yangpuweiye Technology Limited |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171020 |