CN109190401A - Data storage method, device and associated components for a QEMU virtual trusted root - Google Patents

Data storage method, device and associated components for a QEMU virtual trusted root

Info

Publication number: CN109190401A
Application number: CN201811068657.6A
Authority: CN (China)
Prior art keywords: password, key, data, ciphertext, root
Legal status: Pending (as listed by Google Patents, which notes that the listed status is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 许鑫
Original and current assignee: Zhengzhou Yunhai Information Technology Co Ltd (as listed by Google Patents, which notes that the assignee list may be inaccurate)
Priority date:
Filing date:
Publication date:

Classifications

All under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING:
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2107 File encryption

Abstract

This application discloses a data storage method for a QEMU virtual trusted root. The method comprises: obtaining a password ciphertext and the key corresponding to that ciphertext, and decrypting the password ciphertext with the key to obtain a Secret object; deleting the key once the Secret object corresponding to the password ciphertext is detected; and creating a trusted root disk file and encrypting, with the Secret object, the data to be stored in that file. The method prevents user data from being leaked when the file is stolen and improves the data security of the QEMU virtual trusted root. Also disclosed are a data storage system for a QEMU virtual trusted root, a computer-readable storage medium and an electronic device, which have the same beneficial effects.

Description

Data storage method, device and associated components for a QEMU virtual trusted root
Technical field
The present invention relates to the field of information security, and in particular to a data storage method for a QEMU virtual trusted root, a data storage device for a QEMU virtual trusted root, a virtualization platform, a computer-readable storage medium and an electronic device.
Background
Information security has become an important part of cloud computing applications and their development, and cryptographic techniques are the core technical means for keeping the data in a cloud data center confidential. The virtual machine trusted root technology built on QEMU's cryptographic functions is gradually maturing.
The persistent data of a physical trusted root is stored inside a physical chip, and because of the chip's properties it is hard for an outsider to obtain the data held inside it, so physical trusted root data is protected from destruction or theft. In the prior art, by contrast, the persistent data of a QEMU virtual trusted root is stored in a file at the system level, and in most virtual trusted root implementations that data is stored in plaintext. Once the system running the virtual trusted root is compromised, the virtual trusted root data on that system is at risk of theft or destruction, which directly threatens the confidentiality of the virtual machine user's data.
How to prevent user data from being leaked when the file is stolen, and so improve the data security of the QEMU virtual trusted root, is therefore a technical problem that those skilled in the art currently need to solve.
Summary of the invention
The purpose of this application is to provide a data storage method for a QEMU virtual trusted root, a data storage device for a QEMU virtual trusted root, a virtualization platform, a computer-readable storage medium and an electronic device that prevent user data from being leaked when the file is stolen and improve the data security of the QEMU virtual trusted root.
To solve the above technical problem, this application provides a data storage method for a QEMU virtual trusted root, the method comprising:
obtaining a password ciphertext and the key corresponding to the password ciphertext, and decrypting the password ciphertext with the key to obtain a Secret object;
when the Secret object corresponding to the password ciphertext is detected, deleting the key;
creating a trusted root disk file, and using the Secret object to encrypt the data to be stored in the trusted root disk file.
Optionally, before obtaining the password ciphertext and the key corresponding to it, the method further comprises:
sending a password generation request to a password management module, so that the password management module generates the password ciphertext and the key;
wherein the password ciphertext is obtained by the password management module encrypting a target password with the key; the target password and the key are both generated by the password management module with a random number generator, and the target password is stored in the password management module's database.
Optionally, after deleting the key, the method further comprises:
deleting the password ciphertext.
Optionally, the method further comprises:
when a virtual trusted root start instruction is received, obtaining the integrity information of the trusted root disk file;
judging whether the integrity information is identical to a preset value, and if so, starting the virtual trusted root.
Optionally, obtaining the integrity information of the trusted root disk file comprises:
obtaining a start password ciphertext and the start key corresponding to the start password ciphertext, and decrypting the start password ciphertext with the start key to obtain a decryption Secret object;
when the decryption Secret object corresponding to the start password ciphertext is detected, deleting the start key;
decrypting the trusted root disk file with the decryption Secret object to obtain the disk data and the integrity information, and computing the digest value of the disk data;
and correspondingly, judging whether the integrity information is identical to the preset value comprises:
judging whether the integrity information is identical to the digest value.
Optionally, using the Secret object to encrypt the data to be stored in the trusted root disk file comprises:
taking the digest value of the state information of the running virtual trusted root as the integrity information, and setting the integrity information together with the state information as the data to be written;
encrypting the data to be written with the Secret object, and storing the data to be written in the trusted root disk file.
This application also provides a data storage device for a QEMU virtual trusted root, the device comprising:
a data decryption module for obtaining the password ciphertext and the key corresponding to it, decrypting the password ciphertext with the key to obtain a Secret object, and deleting the key when the Secret object corresponding to the password ciphertext is detected;
a data storage module for creating a trusted root disk file and using the Secret object to encrypt the data to be stored in the trusted root disk file.
This application also provides a virtualization platform comprising the data storage device for a QEMU virtual trusted root described above and a password management module;
wherein, on receiving a password generation request sent by the data storage device of the QEMU virtual trusted root, the password management module generates a target password and a key with a random number generator, stores the target password in a database, encrypts the target password with the key to obtain the password ciphertext, and sends the password ciphertext and the key to the data storage device of the QEMU virtual trusted root.
This application also provides a computer-readable storage medium storing a computer program which, when executed, performs the steps of the data storage method for a QEMU virtual trusted root described above.
This application also provides an electronic device comprising a memory and a processor, the memory storing a computer program and the processor performing the steps of the data storage method for a QEMU virtual trusted root described above when it calls that program.
The present invention provides a data storage method for a QEMU virtual trusted root that comprises obtaining a password ciphertext and the key corresponding to it and decrypting the password ciphertext with the key to obtain a Secret object; deleting the key when the Secret object corresponding to the password ciphertext is detected; and creating a trusted root disk file and encrypting, with the Secret object, the data to be stored in the trusted root disk file.
By decrypting the password ciphertext with the key, this application obtains a Secret object, which is the data structure in which QEMU keeps keys and passwords for use by QEMU's components and virtual devices at run time; encrypting the data stored in the trusted root disk file with that Secret object therefore protects the data. Further, because the key is deleted once the Secret object corresponding to the password ciphertext is detected, even if the system running the virtual trusted root is compromised an attacker cannot obtain the plaintext password behind the password ciphertext, which denies the attacker a back door to the virtual trusted root's data. The application thus prevents user data from being leaked when the file is stolen and improves the data security of the QEMU virtual trusted root. It also provides a data storage device for a QEMU virtual trusted root, a virtualization platform, a computer-readable storage medium and an electronic device with the same beneficial effects, which are not repeated here.
Brief description of the drawings
To illustrate the embodiments of this application more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a data storage method for a QEMU virtual trusted root provided by an embodiment of this application;
Fig. 2 is a flowchart of another data storage method for a QEMU virtual trusted root provided by an embodiment of this application;
Fig. 3 is a structural diagram of a QEMU+KVM virtualization platform;
Fig. 4 is a flowchart of a start method for a QEMU virtual trusted root provided by an embodiment of this application;
Fig. 5 is a structural diagram of a data storage device for a QEMU virtual trusted root provided by an embodiment of this application.
Specific embodiments
To make the purposes, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application; all other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the scope of protection of this application.
Refer first to Fig. 1, a flowchart of a data storage method for a QEMU virtual trusted root provided by an embodiment of this application.
The specific steps may include:
S101: obtain a password ciphertext and the key corresponding to the password ciphertext, and decrypt the password ciphertext with the key to obtain a Secret object;
QEMU (Quick Emulator) is an open source emulator and virtual machine monitor. A QEMU virtual trusted root is the module that provides trusted root services to virtual machines at the virtualization layer; the functions a virtual trusted root can implement are the same as those of a physical trusted root, and the technical solution of this embodiment is built on QEMU.
This step assumes that the password management module of the system hosting QEMU has already generated the password ciphertext and the key corresponding to it. Specifically, the password management module generates a password with a random number generator and stores it in its database; it also generates a key with the random number generator, encrypts the generated password with that key, and outputs the password ciphertext together with the corresponding key. The password management module that generates the password ciphertext and key is a module in the same virtualization system as QEMU, and QEMU can exchange information with it, for example to request and receive the password ciphertext and key.
A Secret object is the data structure in which QEMU keeps keys, passwords or other sensitive data at run time for use by other QEMU components or virtual devices. Decrypting the password ciphertext with the key yields the Secret object, which is the form in which the password exists inside QEMU; in other words, within QEMU the Secret object is equivalent to the password.
S102: when the Secret object corresponding to the password ciphertext is detected, delete the key;
This step assumes an operation that detects whether the Secret object corresponding to the password ciphertext has been generated. That detection could also take place after S103, so S102 and S103 may be executed in either order or concurrently. In the preferred embodiment the detection is performed immediately after S101, so that the key is deleted as early as possible.
Because the persistent data of a QEMU virtual trusted root is stored in a file at the system level, and most virtual trusted roots store that data in plaintext, once the system running the virtual trusted root is compromised its virtual trusted root data is at risk of theft or destruction, which directly threatens the confidentiality of the virtual machine user's data. If the key were not deleted after the Secret object is generated, an attacker who compromises the system running the virtual trusted root could obtain both the Secret object and the key and thereby recover the plaintext password. Deleting the key immediately after the Secret object is generated avoids this leak. One limit of the measure is worth keeping in mind: the decrypted password still exists in the QEMU process's memory, so an attacker who already has root on the host can read it from there, for example through /proc/<pid>/mem or a core dump; the deletion defends the on-disk files, not the running process.
Note that an operating system administrator may forbid file deletion in some deployment scenarios, so the key file's contents can first be overwritten before the file is deleted; this keeps the key from leaking even when the key file cannot be removed and further improves the security of the QEMU virtual trusted root. Overwriting in place only destroys the old bytes on storage that rewrites blocks in place; on copy-on-write filesystems, data-journaled filesystems or flash with wear levelling the old copy may survive, so the key file is best kept on a memory-backed filesystem such as tmpfs.
As a preferred embodiment, the password ciphertext can also be deleted after the key is deleted, so that the only password-related information remaining in QEMU is the Secret object. Given the properties of a Secret object, an attacker cannot obtain the password in plaintext form from the Secret object by attacking the system; that is, the actual content of the password cannot be obtained from the Secret object.
S103: create a trusted root disk file, and encrypt, with the Secret object, the data to be stored in the trusted root disk file.
The trusted root disk file created in this step is the file that stores the data of the QEMU virtual trusted root. Whenever data is stored to the trusted root disk file it is encrypted with the Secret object; in other words, this step sets the Secret object as the access password of the trusted root disk file (in LUKS terms, the Secret object supplies the passphrase that unlocks the file's key slot), and only a party that supplies the correct password can access the file's contents.
In this embodiment, decrypting the password ciphertext with the key yields a Secret object, the data structure in which QEMU keeps keys and passwords for use by its components and virtual devices at run time; encrypting the data stored in the trusted root disk file with that Secret object therefore protects the data. Further, because this embodiment deletes the key once the Secret object corresponding to the password ciphertext is detected, even if the system running the virtual trusted root is compromised an attacker cannot obtain the plaintext password behind the password ciphertext, which denies the attacker a back door to the virtual trusted root's data. This embodiment thus prevents user data from being leaked when the file is stolen and improves the data security of the QEMU virtual trusted root.
Refer now to Fig. 2, a flowchart of another data storage method for a QEMU virtual trusted root provided by an embodiment of this application;
The specific steps may include:
S201: send a password generation request to the password management module, so that the password management module generates a password ciphertext and a key;
The password ciphertext is obtained by the password management module encrypting a target password with the key; the target password and the key are both generated by the password management module with a random number generator, and the target password is stored in the password management module's database.
S202: obtain the password ciphertext and the key corresponding to the password ciphertext, and decrypt the password ciphertext with the key to obtain a Secret object;
S203: when the Secret object corresponding to the password ciphertext is detected, delete the key and the password ciphertext.
S204: create a trusted root disk file, and take the state information of the running virtual trusted root together with the digest value of that state information as the data to be written;
S205: encrypt the data to be written with the Secret object, and store the data to be written in the trusted root disk file.
The data storage method of Fig. 2 can be applied to the initialization of the QEMU virtual trusted root on a virtualization platform. In practice, initialization of the virtual trusted root consists of file creation and password creation. The password is stored in plaintext in the password management module's database; each time it is exported, a key is generated to encrypt it and a file holding that key is produced at the same time. Once created, the password does not change, while the key generated for each export is random. Initialization of the QEMU virtual trusted root may comprise the following steps:
1) Generate the password: the password management module generates a password with a random number generator and stores it in its database. It also generates a key with the random number generator, encrypts the generated password with that key, and outputs the ciphertext together with the corresponding key;
2) The QEMU Secret management module recovers the password: the QEMU Secret management module reads the password ciphertext and the key file, recovers the password with the key, and generates the run-time Secret object for other QEMU modules to use. To keep the password secure, the key file is deleted immediately after it has been read, so that even someone who obtains the QEMU start-up parameters cannot obtain the key content.
3) The QEMU LUKS module creates the virtual trusted root disk file: the QEMU LUKS module creates a disk file for the virtual trusted root and uses the password held in the Secret object generated in step 2) as the access password that encrypts the file's contents; whoever can supply the correct password can access the file.
The QEMU Secret management module and the QEMU LUKS module are both modules within QEMU, which also contains the QEMU virtual trusted root. The structure of the virtualization platform is shown in Fig. 3, a structural diagram of a QEMU+KVM virtualization platform; the LUKS module in Fig. 3 is the QEMU LUKS module, and the Secret object management module is the QEMU Secret management module.
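The initialization just described (S101 to S103, or steps 1) to 3)) maps onto two real QEMU facilities: the `secret` object type, whose data can be supplied as base64 AES-256-CBC ciphertext together with `keyid=` (naming another secret that holds the master key) and `iv=`, and the LUKS block driver's `key-secret=` property, which takes such a secret as the passphrase. The Go program below is an added example, not code from the patent or from QEMU. It reproduces that wrap/unwrap format outside QEMU so the flow can be run on its own: `wrapPassphrase` is the password management module side, `unwrapPassphrase` and `recoverSecret` are the QEMU side that rebuilds the secret in memory, and `wipeFile` is the overwrite-then-delete handling of the key file that the text suggests for the case where plain deletion is not enough. The function names, the one-line `<iv> <ciphertext>` file layout and the sample passphrase are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// wrapPassphrase plays the password management module: AES-256-CBC with PKCS#7
// padding under a one-time 32-byte key, emitted as "<iv base64> <ciphertext base64>".
func wrapPassphrase(passphrase, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 || len(iv) != aes.BlockSize {
		return "", errors.New("need a 32-byte key and a 16-byte iv")
	}
	n := aes.BlockSize - len(passphrase)%aes.BlockSize
	padded := append(append([]byte{}, passphrase...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	enc := base64.StdEncoding.EncodeToString
	return enc(iv) + " " + enc(ct) + "\n", nil
}

// unwrapPassphrase is the QEMU-side decryption that yields the in-memory Secret object's content.
func unwrapPassphrase(wrapped string, key []byte) ([]byte, error) {
	fields := strings.Fields(wrapped)
	if len(fields) != 2 || len(key) != 32 {
		return nil, errors.New("need an iv field, a ciphertext field and a 32-byte key")
	}
	iv, err1 := base64.StdEncoding.DecodeString(fields[0])
	ct, err2 := base64.StdEncoding.DecodeString(fields[1])
	block, err3 := aes.NewCipher(key)
	if err1 != nil || err2 != nil || err3 != nil ||
		len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed iv or ciphertext")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding (wrong key?)")
	}
	return pt[:len(pt)-n], nil
}

// wipeFile overwrites the file in place with zeros and syncs before unlinking ("overwrite, then delete").
func wipeFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0) // no O_TRUNC: rewrite the existing blocks
	if err != nil {
		return err
	}
	_, werr := f.Write(make([]byte, info.Size()))
	serr := f.Sync()
	f.Close()
	if werr != nil || serr != nil {
		return errors.New("overwrite of " + path + " failed")
	}
	return os.Remove(path)
}

// recoverSecret is S101-S102 plus the optional ciphertext deletion; both files are wiped even if decryption fails.
func recoverSecret(secretPath, keyPath string) ([]byte, error) {
	key, err1 := os.ReadFile(keyPath)
	wrapped, err2 := os.ReadFile(secretPath)
	if err1 != nil || err2 != nil {
		return nil, errors.New("cannot read key file or secret file")
	}
	passphrase, err := unwrapPassphrase(string(wrapped), key)
	for _, p := range []string{keyPath, secretPath} {
		if werr := wipeFile(p); err == nil && werr != nil {
			err = werr
		}
	}
	return passphrase, err
}

func main() {
	dir, _ := os.MkdirTemp("", "vtpm-secret")
	defer os.RemoveAll(dir)
	key, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	wrapped, _ := wrapPassphrase([]byte("constructed-trusted-root-passphrase"), key, iv)
	os.WriteFile(filepath.Join(dir, "key.bin"), key, 0o600)
	os.WriteFile(filepath.Join(dir, "secret.txt"), []byte(wrapped), 0o600)
	got, err := recoverSecret(filepath.Join(dir, "secret.txt"), filepath.Join(dir, "key.bin"))
	fmt.Printf("recovered=%q err=%v\n", got, err)
}
```

With a real QEMU LUKS disk the unwrapping can be left to QEMU itself: pass the master key as `-object secret,id=secmaster0,format=base64,file=key.b64`, the wrapped passphrase as `-object secret,id=sec0,keyid=secmaster0,format=base64,iv=<iv base64>,data=<ciphertext base64>`, and the file as `-drive driver=luks,key-secret=sec0,file=...`, then remove the key file as above once QEMU has read it. Two caveats the text does not state: in-place overwriting only destroys the old bytes on storage that rewrites blocks in place, so a memory-backed tmpfs is the better home for both files; and none of this protects the passphrase from an attacker who already has root on the host, because the decrypted secret stays in the QEMU process's memory.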
Refer now to Fig. 4, a flowchart of a start method for a QEMU virtual trusted root provided by an embodiment of this application;
S301: when a virtual trusted root start instruction is received, obtain the integrity information of the trusted root disk file;
In this embodiment the integrity information is a digest value (a hash) of the data; commonly used algorithms are SHA-1, SHA-256 and SM3. (SHA-1 should be avoided in new designs, since collisions for it are practical; SHA-256 or SM3 are the appropriate choices here.) The QEMU virtual trusted root can only start normally when the integrity information of the trusted root disk file matches the preset value.
Specifically, obtaining the integrity information may comprise the following steps:
Step 1: obtain a start password ciphertext and the start key corresponding to the start password ciphertext, and decrypt the start password ciphertext with the start key to obtain a decryption Secret object;
The start password ciphertext and start key obtained here are not the same as the password ciphertext and key of the embodiment of Fig. 1, but the password obtained by decrypting the start password ciphertext with the start key is identical to the password obtained by decrypting the password ciphertext with the key. The decryption Secret object obtained here can therefore serve as the access password for the trusted root disk file of the embodiment of Fig. 1.
Step 2: when the decryption Secret object corresponding to the start password ciphertext is detected, delete the start key;
For the same security reasons, the start key must be deleted promptly; as a preferred embodiment the start password ciphertext can be deleted as well, to prevent the password from being stolen in plaintext form.
Step 3: decrypt the trusted root disk file with the decryption Secret object to obtain the disk data and the integrity information, and compute the digest value of the disk data;
This embodiment assumes that the digest value of the state information of the running virtual trusted root was used as the integrity information, and that the integrity information and the state information were stored together as the data written to the trusted root disk file. Comparing the digest value computed in this step over the disk data with the integrity information originally stored in the trusted root disk file then determines whether the integrity information matches the preset value. For example, suppose the state information while the trusted root was running was A1, with digest value a1; a1 is stored in the trusted root disk file as the integrity information together with the state information. When a virtual trusted root start instruction is received, the file is decrypted with the decryption Secret object to obtain data A2 and the integrity information, and the digest value a2 of A2 is computed. If a1 equals a2, the data in the trusted root disk file is intact and the QEMU virtual trusted root can be started; if a1 does not equal a2, the data in the trusted root disk file is not intact and the QEMU virtual trusted root must not be started.
S302: judge whether the integrity information is identical to the preset value; if so, go to S303; if not, end the process;
That is, judge whether the integrity information is identical to the digest value.
S303: start the virtual trusted root.
The start method of Fig. 4 can be applied to the start-up of the QEMU virtual trusted root on a virtualization platform. In practice, start-up of the virtual trusted root needs the password created during initialization to decrypt the contents of the disk file, and after successful decryption the integrity of the data must be verified once it has been read. The specific start steps are as follows:
1) The password management module exports the password: the password management module retrieves the previously generated password, generates a random key, encrypts the password with it, and writes the password ciphertext and this key to files;
2) QEMU recovers the disk file data: QEMU parses the password ciphertext and the key, recovers the password and generates the corresponding Secret object for LUKS to decrypt the disk file, and removes the corresponding contents and files promptly once the password and key have been read;
3) The QEMU LUKS module decrypts the data on disk: QEMU LUKS uses the password Secret object from 2) to decrypt the data in the virtual trusted root disk file for the virtual trusted root's use;
4) Verify data integrity: after QEMU LUKS completes decryption, the integrity information is taken from the data, the integrity value of the data content is computed and compared with the integrity information, and it is determined whether the data has been damaged. The check result decides whether the QEMU virtual trusted root continues to run.
Once the virtual trusted root is running, whenever the run-time state data in memory changes, all of the state data is written to the disk file and saved. At that point the Secret object holding the disk file password, created when the QEMU virtual trusted root started, is still in memory, so LUKS encrypts the state data to be written with that object again and writes it to the disk file. The specific steps are as follows:
1) Generate the integrity information: compute the digest value of the run-time state information of the QEMU virtual trusted root as the integrity information, and add it to the run-time data to be written;
2) LUKS encrypts the data to be written: LUKS encrypts the integrity information and the run-time state information as the data to be written and produces the ciphertext;
3) Write the disk file: QEMU uses a BlockDriver as the object that operates on a disk file, with one BlockDriver object per disk file; the BlockDriver writes the ciphertext generated in step 2) into the disk file.
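The runtime write path (steps 1) to 3) above) and the start-up check of Fig. 4 share one record format: the state information followed by its digest, handed to LUKS as a unit. The Go program below is an added example, not the patent's or QEMU's code, that implements just that layer above LUKS: `sealState` builds the record the runtime write would pass to LUKS, and `openState` performs the start-up comparison and refuses the state on a mismatch. It also goes one step beyond the text: with a non-empty `macKey` the integrity value becomes an HMAC-SHA256 instead of a plain SHA-256, which is what a practitioner would want if whoever can obtain the passphrase (and so rewrite the decrypted file) is also a threat, since a bare hash can simply be recomputed by whoever rewrites the state. The record layout, the `macKey` parameter and the sample state bytes are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// errIntegrity is the refusal in S302: the stored integrity information does
// not match the digest recomputed over the state.
var errIntegrity = errors.New("trusted root state digest mismatch, refusing to start")

// digest computes the integrity information for a state blob: plain SHA-256 as
// in the text when macKey is empty, HMAC-SHA256 under macKey otherwise.
func digest(state, macKey []byte) []byte {
	if len(macKey) == 0 {
		sum := sha256.Sum256(state)
		return sum[:]
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(state)
	return m.Sum(nil)
}

// sealState builds the "data to be written" of the runtime write path: the
// state followed by its 32-byte integrity value. This is what LUKS would then
// encrypt on its way into the trusted root disk file.
func sealState(state, macKey []byte) []byte {
	return append(append([]byte{}, state...), digest(state, macKey)...)
}

// openState is the start-up check over the decrypted record: split off the
// stored digest, recompute it over the state, compare in constant time, and
// hand the state back only when the two agree.
func openState(rec, macKey []byte) ([]byte, error) {
	if len(rec) < sha256.Size {
		return nil, errors.New("record too short to hold a digest")
	}
	state, stored := rec[:len(rec)-sha256.Size], rec[len(rec)-sha256.Size:]
	if subtle.ConstantTimeCompare(digest(state, macKey), stored) != 1 {
		return nil, errIntegrity
	}
	return state, nil
}

func main() {
	// constructed sample state; a real record would hold the trusted root's NV and PCR data
	state := []byte("constructed vTPM state: pcr0=1f pcr7=a3 nvram=0011")
	rec := sealState(state, nil)
	got, err := openState(rec, nil)
	fmt.Printf("clean start: err=%v state=%q\n", err, got)

	rec[5] ^= 0x40 // simulate a corrupted or tampered record
	_, err = openState(rec, nil)
	fmt.Println("tampered start:", err)
}
```

The plain-hash mode detects the accidental corruption and the blind ciphertext tampering the text is concerned with; the keyed mode additionally binds the record to a key, so that an attacker who can write the plaintext state still cannot produce a record that passes the start-up check without that key.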
Fig. 5 is referred to, Fig. 5 is a kind of data storage device of Qemu virtual credible root provided by the embodiment of the present application Structural schematic diagram;
The apparatus may include:
Data decryption module 100, for obtaining a password ciphertext and the key corresponding to the password ciphertext, and decrypting the password ciphertext with the key to obtain a Secret object; and, when the Secret object corresponding to the password ciphertext is detected, deleting the key;
Data storage module 200, for creating a trusted-root disk file and encrypting, with the Secret object, the data to be stored to the trusted-root disk file.
Further, the device also includes:
a password request module, for sending a password generation request to a password management module so that the password management module generates the password ciphertext and the key;
wherein the password ciphertext is obtained by the password management module encrypting a target password with the key, the target password and the key are obtained by the password management module using a random number generator, and the target password is stored in the database of the password management module.
Further, the device also includes:
a password ciphertext deletion module, for deleting the password ciphertext.
Further, the device also includes:
an integrity verification module, for obtaining the integrity information of the trusted-root disk file when a virtual trusted root start instruction is received; judging whether the integrity information is identical to a preset value; and, if so, starting the virtual trusted root.
Further, the integrity verification module includes:
a password acquisition unit, for obtaining a start password ciphertext and the start key corresponding to the start password ciphertext, and decrypting the start password ciphertext with the start key to obtain a decryption Secret object;
a decryption unit, for deleting the start key when the decryption Secret object corresponding to the start password ciphertext is detected;
a digest value determination unit, for decrypting the trusted-root disk file with the decryption Secret object to obtain the disk data and the integrity information, and calculating the digest value of the disk data;
a judging unit, for judging whether the integrity information is identical to the digest value.
Further, data storage module 200 is used to take the digest value of the status information at the time the virtual trusted root runs as the integrity information, and to set the integrity information and the status information as the data to be written; it is also used to encrypt the data to be written with the Secret object and to store the data to be written to the trusted-root disk file.
Since the embodiments of the device part correspond to the embodiments of the method part, for the embodiments of the device part please refer to the description of the method embodiments; they are not repeated here.
In this embodiment the password ciphertext is decrypted with the key to obtain the Secret object. The Secret object is the data structure in which Qemu stores keys and passwords for use by Qemu components and virtual devices at run time, so encrypting with the Secret object the data to be stored to the trusted-root disk file guarantees the security of that data. Further, because this embodiment deletes the key once the Secret object corresponding to the password ciphertext is detected, even if the system running the virtual trusted root is attacked, an attacker cannot obtain the plaintext password corresponding to the password ciphertext, which prevents the data of the virtual trusted root from being obtained through a back door. This embodiment prevents user data from being leaked through theft of the file and improves the data security of the Qemu virtual trusted root.
The present application also provides a virtualisation platform, which includes the data storage device of the Qemu virtual trusted root according to any of the above and a password management module;
wherein the password management module is used to, when receiving the password generation request sent by the data storage device of the Qemu virtual trusted root, generate the target password and the key with a random number generator, store the target password in the database, encrypt the target password with the key to obtain the password ciphertext, and send the password ciphertext and the key to the data storage device of the Qemu virtual trusted root.
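The module flow described above (password request, decryption of the password ciphertext into a Secret object, deletion of the key, encrypted write with an integrity digest, digest check at start-up) together with the password management module of the virtualisation platform, as an added example; this is not code from the patent or from Qemu. It models both parties in Python with the standard library only. Assumptions: the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC), a stand-in for the AES-256-CBC that a real Qemu secret object expects; a start request for an existing virtual trusted root re-wraps the password already held in the manager's database under a fresh key, which the patent implies but does not spell out; the class and function names and the status string are invented.

```python
"""Model of the patent's two parties: a password management module that issues
(password ciphertext, key) pairs, and the vTPM storage device that unwraps the
Secret, zeroises the key, encrypts the trusted-root disk file and verifies it
at start-up.  Stand-in cipher: HMAC-SHA256 keystream + HMAC tag (assumption;
Qemu's real secret object uses AES-256-CBC)."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; the 'enc' label separates it from the MAC."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, b"enc" + block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC.  Layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a forged or tampered blob is rejected."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def zeroize(buf):
    """Overwrite a bytearray in place: the patent's 'delete the key'."""
    buf[:] = bytes(len(buf))


class PasswordManager:
    """Password management module: keeps target passwords in its database and
    hands out only (password ciphertext, key); the plaintext never leaves it."""

    def __init__(self):
        self.database = {}  # vTPM name -> target password

    def handle_password_request(self, name):
        if name not in self.database:                   # first request: generate
            self.database[name] = secrets.token_bytes(32)
        key = bytearray(secrets.token_bytes(32))         # fresh wrapping key each time
        return seal(key, self.database[name]), key       # (password ciphertext, key)


class VtpmStorage:
    """Data storage device of the Qemu virtual trusted root."""

    def __init__(self, manager, name):
        self.manager, self.name = manager, name
        self.disk_file = None  # encrypted trusted-root disk file

    def _secret(self):
        ciphertext, key = self.manager.handle_password_request(self.name)
        secret = unseal(key, ciphertext)   # the Secret object's plaintext
        zeroize(key)                       # key deleted once the Secret is obtained
        return secret                      # ciphertext is dropped here as well (claim 3)

    def create_disk_file(self, status_info):
        """Write digest(status) || status, encrypted under the Secret."""
        integrity = hashlib.sha256(status_info).digest()   # integrity information
        self.disk_file = seal(self._secret(), integrity + status_info)

    def start(self):
        """Return (started, status_or_reason); start only if the digest matches."""
        if self.disk_file is None:
            return False, "no trusted-root disk file"
        try:
            plain = unseal(self._secret(), self.disk_file)
        except ValueError as exc:
            return False, str(exc)
        integrity, status_info = plain[:32], plain[32:]
        if not hmac.compare_digest(integrity, hashlib.sha256(status_info).digest()):
            return False, "integrity information does not match digest"
        return True, status_info


def demo():
    """Create the disk file, start normally, then start after a one-bit change."""
    manager = PasswordManager()
    vtpm = VtpmStorage(manager, "vtpm-0")
    status = b"pcr0=0x3a7f pcr7=0x91c2 boot=ok"   # constructed status information
    vtpm.create_disk_file(status)
    started, recovered = vtpm.start()
    damaged = bytearray(vtpm.disk_file)
    damaged[24] ^= 0x01                            # flip one bit of stored data
    vtpm.disk_file = bytes(damaged)
    rejected, reason = vtpm.start()
    return started, recovered, rejected, reason


if __name__ == "__main__":
    print(demo())
```

One point the patent's wording glosses over: deleting the key removes one copy only; the Secret plaintext has to stay inside the Qemu process for as long as the virtual trusted root runs, so the scheme protects against a stolen disk file and password ciphertext, not against a host that can read Qemu's memory. On a real Qemu host the same pair maps onto `-object secret,id=...,keyid=...,iv=...,data=...`, whose `data` must be AES-256-CBC ciphertext, and a LUKS-formatted disk file opened with `key-secret=` is the natural carrier for the trusted-root state (an assumption; the patent does not name the image format).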
The present application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed, the steps provided by the above embodiments can be implemented. The storage medium may include a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The present application also provides an electronic device, which may include a memory and a processor; a computer program is stored in the memory, and when the processor calls the computer program in the memory, the steps provided by the above embodiments can be implemented. The electronic device may of course also include components such as network interfaces and a power supply.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. As the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief and the relevant points can be found in the description of the method part. It should be pointed out that, for those of ordinary skill in the art, improvements and modifications can be made to the present application without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present application.
It should also be noted that, in this specification, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.

Claims (10)

1. A data storage method for a Qemu virtual trusted root, characterized in that it comprises:
obtaining a password ciphertext and the key corresponding to the password ciphertext, and decrypting the password ciphertext with the key to obtain a Secret object;
when the Secret object corresponding to the password ciphertext is detected, deleting the key;
creating a trusted-root disk file, and encrypting, with the Secret object, the data to be stored to the trusted-root disk file.
2. The data storage method according to claim 1, characterized in that, before obtaining the password ciphertext and the key corresponding to the password ciphertext, the method further comprises:
sending a password generation request to a password management module so that the password management module generates the password ciphertext and the key;
wherein the password ciphertext is obtained by the password management module encrypting a target password with the key, the target password and the key are obtained by the password management module using a random number generator, and the target password is stored in the database of the password management module.
3. The data storage method according to claim 1, characterized in that, after deleting the key, the method further comprises:
deleting the password ciphertext.
4. The data storage method according to claim 1, characterized in that it further comprises:
when a virtual trusted root start instruction is received, obtaining the integrity information of the trusted-root disk file;
judging whether the integrity information is identical to a preset value; and, if so, starting the virtual trusted root.
5. The data storage method according to claim 4, characterized in that obtaining the integrity information of the trusted-root disk file comprises:
obtaining a start password ciphertext and the start key corresponding to the start password ciphertext, and decrypting the start password ciphertext with the start key to obtain a decryption Secret object;
when the decryption Secret object corresponding to the start password ciphertext is detected, deleting the start key;
decrypting the trusted-root disk file with the decryption Secret object to obtain the disk data and the integrity information, and calculating the digest value of the disk data;
correspondingly, judging whether the integrity information is identical to the preset value comprises:
judging whether the integrity information is identical to the digest value.
6. The data storage method according to claim 1, characterized in that encrypting, with the Secret object, the data to be stored to the trusted-root disk file comprises:
taking the digest value of the status information at the time the virtual trusted root runs as the integrity information, and setting the integrity information and the status information as the data to be written;
encrypting the data to be written with the Secret object, and storing the data to be written to the trusted-root disk file.
7. A data storage device for a Qemu virtual trusted root, characterized in that it comprises:
a data decryption module, for obtaining a password ciphertext and the key corresponding to the password ciphertext, and decrypting the password ciphertext with the key to obtain a Secret object; and, when the Secret object corresponding to the password ciphertext is detected, deleting the key;
a data storage module, for creating a trusted-root disk file and encrypting, with the Secret object, the data to be stored to the trusted-root disk file.
8. A virtualisation platform, characterized in that it comprises the data storage device of the Qemu virtual trusted root according to claim 7 and a password management module;
wherein the password management module is used to, when receiving the password generation request sent by the data storage device of the Qemu virtual trusted root, generate a target password and a key with a random number generator, store the target password in a database, encrypt the target password with the key to obtain the password ciphertext, and send the password ciphertext and the key to the data storage device of the Qemu virtual trusted root.
9. An electronic device, characterized in that it comprises:
a memory, for storing a computer program;
a processor, for implementing, when executing the computer program, the steps of the data storage method of the Qemu virtual trusted root according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the data storage method of the Qemu virtual trusted root according to any one of claims 1 to 6 are implemented.
CN201811068657.6A 2018-09-13 2018-09-13 A data storage method, device and associated components of a Qemu virtual trusted root Pending CN109190401A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811068657.6A CN109190401A (en) 2018-09-13 2018-09-13 A data storage method, device and associated components of a Qemu virtual trusted root

Publications (1)

Publication Number Publication Date
CN109190401A true CN109190401A (en) 2019-01-11

Family

ID=64910737

Country Status (1)

Country Link
CN (1) CN109190401A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102646077A (en) * 2012-03-28 2012-08-22 山东超越数控电子有限公司 Method for full-disk encryption based on trusted cryptography module
CN107943556A (en) * 2017-11-10 2018-04-20 中国电子科技集团公司第三十二研究所 KMIP and encryption card based virtualized data security method
US20180113610A1 (en) * 2014-05-12 2018-04-26 The Research Foundation For The State University Of New York Gang migration of virtual machines using cluster-wide deduplication
CN108133144A (en) * 2017-12-22 2018-06-08 浪潮(北京)电子信息产业有限公司 Virtual disk file protection method, device, equipment and readable storage medium

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110210236B (en) * 2019-05-27 2020-07-14 北京深演智能科技股份有限公司 Data association method and device
CN110210236A (en) * 2019-05-27 2019-09-06 北京品友互动信息技术股份公司 Data correlation method and device
CN110601846B (en) * 2019-08-30 2022-12-27 苏州浪潮智能科技有限公司 System and method for verifying virtual trusted root
CN110601846A (en) * 2019-08-30 2019-12-20 苏州浪潮智能科技有限公司 System and method for verifying virtual trusted root
CN112825093B (en) * 2019-11-21 2024-03-12 北京天融信网络安全技术有限公司 Security baseline checking method, host, server, electronic device and storage medium
CN112825093A (en) * 2019-11-21 2021-05-21 北京天融信网络安全技术有限公司 Security baseline checking method, host, server, electronic device and storage medium
CN111695166B (en) * 2020-06-11 2023-06-06 阿波罗智联(北京)科技有限公司 Disk encryption protection method and device
CN111695166A (en) * 2020-06-11 2020-09-22 北京百度网讯科技有限公司 Disk encryption protection method and device
CN112380548A (en) * 2020-11-13 2021-02-19 杭州弗兰科信息安全科技有限公司 Data storage method, system, equipment and readable storage medium
CN113987599B (en) * 2021-12-28 2022-03-22 苏州浪潮智能科技有限公司 Method, device, equipment and readable storage medium for realizing firmware trusted root
CN113987599A (en) * 2021-12-28 2022-01-28 苏州浪潮智能科技有限公司 Method, device, equipment and readable storage medium for realizing firmware trusted root
CN116578505A (en) * 2023-07-11 2023-08-11 苏州浪潮智能科技有限公司 Data sharing method, device, equipment and storage medium based on disk encryption
CN116578505B (en) * 2023-07-11 2023-09-15 苏州浪潮智能科技有限公司 Data sharing method, device, equipment and storage medium based on disk encryption

Similar Documents

Publication Publication Date Title
CN109190401A (en) A data storage method, device and associated components of a Qemu virtual trusted root
CN102624699B (en) Method and system for protecting data
Dwoskin et al. Hardware-rooted trust for secure key management and transient trust
CN111723383B (en) Data storage and verification method and device
US9798677B2 (en) Hybrid cryptographic key derivation
Hao et al. Deleting secret data with public verifiability
CN202795383U (en) Device and system for protecting data
CN102262599B (en) Trusted root-based portable hard disk fingerprint identification method
CN104618096B (en) Protect method, equipment and the TPM key administrative center of key authorization data
CN101441601B (en) Ciphering transmission method of hard disk ATA instruction and system
CN107908574B (en) Safety protection method for solid-state disk data storage
Lee et al. Secure Data Deletion for USB Flash Memory.
CN105468940B (en) Method for protecting software and device
CN110874726A (en) TPM-based digital currency security protection method
CN104104650B (en) data file access method and terminal device
CN110837634B (en) Electronic signature method based on hardware encryption machine
CN111008390A (en) Root key generation protection method and device, solid state disk and storage medium
CN111585995A (en) Method and device for transmitting and processing safety wind control information, computer equipment and storage medium
CN114942729A (en) Data safety storage and reading method for computer system
CN105933117A (en) Data encryption and decryption device and method based on TPM (Trusted Platform Module) key security storage
CN110851851B (en) Authority management method, device and equipment in block chain type account book
CN110932853B (en) Key management device and key management method based on trusted module
CN107315945A (en) The disk decryption method and device of a kind of electronic equipment
CN101355424B (en) Method for safely migrating handhold equipment data
CN110855429A (en) Software key protection method based on TPM

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20190111