CN111262688B - Cloud disk key replacement method and device - Google Patents


Info

Publication number
CN111262688B
Authority
CN
China
Prior art keywords
key
data
target data
processing
section
Legal status
Active
Application number
CN201811459432.3A
Other languages
Chinese (zh)
Other versions
CN111262688A (en)
Inventor
廖武钧
Current Assignee
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201811459432.3A
Publication of CN111262688A
Application granted
Publication of CN111262688B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067 Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • G06F3/0671 In-line storage system
    • G06F3/0683 Plurality of storage devices
    • G06F3/0689 Disk arrays, e.g. RAID, JBOD

Abstract

The application relates to a method and a device for replacing a cloud disk key, comprising the following steps: responding to a key replacement instruction, dividing a first cloud disk into a plurality of sections, wherein the key replacement instruction comprises a first key; performing key conversion processing on data in each section of the first cloud disk according to the first key and the second key; determining and recording a key conversion state of any section according to a key conversion processing operation for the section; the first key is a key after the first cloud disk performs key conversion processing, and the second key is a key before the first cloud disk performs key conversion processing. According to the cloud disk key replacement method and device, key conversion time can be saved, and the problem of service interruption caused by key conversion of the first cloud disk can be avoided.

Description

Cloud disk key replacement method and device
Technical Field
The present disclosure relates to the field of cloud storage technologies, and in particular, to a method and an apparatus for replacing a cloud disk key.
Background
Cloud storage is a concept that extends and develops from the concept of cloud computing, and is an emerging network storage technology. It combines a large number of storage devices of different types in a network so that they work cooperatively through application software, by means of functions such as cluster applications, network technology or distributed storage systems, and together these devices provide data storage and service access functions.
A cloud disk is a disk instance built on the storage system and can be read and written like a computer disk. During reading and writing, in order to prevent the data from being tampered with or read by others, the storage system can use a key to encrypt and decrypt the data being written and read. For example: the data a user reads from the cloud disk is actually the data that the storage system read from the physical storage device and then decrypted according to the key; when the user performs a write operation on the cloud disk, the storage system actually encrypts the data according to the key and writes the encrypted data into the physical storage device.
In this case, if the key of the cloud disk is to be replaced, in the related art the cloud disk is taken offline, each piece of data in the cloud disk is re-encrypted with a new key, and after the key conversion processing of all the data is completed, the cloud disk is mounted again and put back into use.
However, in the related art the key replacement process is performed with the cloud disk offline, so the whole key replacement process takes a long time and the user's service is interrupted.
Disclosure of Invention
The embodiment of the application provides a cloud disk key replacement method, which is applied to a storage system and comprises the following steps:
responding to a key replacement instruction, dividing a first cloud disk into a plurality of sections, wherein the key replacement instruction comprises a first key;
performing key conversion processing on data in each section of the first cloud disk according to the first key and the second key;
determining and recording a key conversion state of any section according to a key conversion processing operation for the section;
the first key is a key after the first cloud disk performs key conversion processing, and the second key is a key before the first cloud disk performs key conversion processing.
The embodiment of the application also provides a device for replacing the cloud disk key, which is applied to a storage system and comprises:
the dividing module is used for responding to a key replacement instruction, dividing the first cloud disk into a plurality of sections, wherein the key replacement instruction comprises a first key;
the conversion module is used for carrying out key conversion processing on the data in each section of the first cloud disk according to the first key and the second key;
the recording module is used for determining and recording the key conversion state of any section according to the key conversion processing operation of the section;
The first key is a key after the first cloud disk performs key conversion processing, and the second key is a key before the first cloud disk performs key conversion processing.
The at least one technical solution adopted by the embodiments of the present application can achieve the following beneficial effects:
in this way, the storage system can respond to the key replacement instruction to divide the first cloud disk into a plurality of sections, and can perform key conversion processing on data in each section according to the first key carried in the key replacement instruction and the second key currently used by the first cloud disk. The storage system may determine and record the key conversion status of a sector according to the key conversion processing operation for the sector, so that the storage system may determine the read/write operation of the target data for the sector according to the key conversion status of any sector in the first cloud disk, for example: data is read/written using either the first key or the second key. According to the cloud disk key replacement method and device, the storage system can perform key conversion of the first cloud disk in the first cloud disk mounting state, so that the time for key conversion can be saved, and the problem of service interruption caused by key conversion of the first cloud disk can be avoided.
Other features and aspects of the present application will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow chart of a method for replacing a cloud disk key according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for cloud disk key exchange according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a cloud disk key exchange process according to an embodiment of the present application;
FIG. 4 is a flow chart of a method for cloud disk key exchange according to an embodiment of the present application;
FIG. 5 is a flow chart of a method for cloud disk key exchange according to an embodiment of the present application;
FIG. 6 is a flow chart illustrating a method of cloud disk key replacement according to an embodiment of the present application;
FIG. 7 is a schematic diagram of data processing performed by a cloud disk during a key conversion process according to an embodiment of the present application;
FIG. 8 is a schematic diagram of data processing performed by a cloud disk during a key conversion process according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a device for replacing a cloud disk key according to an embodiment of the present application;
Fig. 10 is a block diagram illustrating an apparatus 1900 for cloud disk key replacement according to an example embodiment.
Detailed Description
For the purposes, technical solutions and advantages of the present application, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Example 1
Fig. 1 is a flowchart of a method for replacing a cloud disk key according to an embodiment of the present application, where the method may be applied to a storage system, for example, a server that may manage a cloud disk and a physical storage device. As shown in fig. 1, the method may include:
step 101, responding to a key replacement instruction, and dividing a first cloud disk into a plurality of sections, wherein the key replacement instruction comprises a first key.
The storage system may receive a rekeying instruction, where the rekeying instruction may include a first key that is a new key of the cloud disk. For example, when the user needs to change the key of the first cloud disk, the user may send a key change instruction to the storage system through the terminal device. For example: the user can input the first key through a key input control or command line displayed by the terminal, trigger the terminal to generate a key replacement instruction according to the first key, and send the key replacement instruction to the storage system. The embodiment of the present application does not specifically limit the generation manner of the key exchange instruction herein.
After receiving the key replacement instruction, the storage system may divide the first cloud disk into a plurality of sections in response to the instruction. For example, the storage system may divide the first cloud disk according to a preset division specification, which may specify either a section size or a number of sections. If the specification indicates the size of each section, say 2MB, the storage system divides the first cloud disk into sections of 2MB each; if the specification indicates the number of sections, say 50, the storage system may divide the first cloud disk uniformly into 50 sections, or into 50 sections of random size. The embodiment of the application does not specifically limit the method for dividing the first cloud disk into sections. The preset division specification can be adjusted according to the amount of data currently stored on the first cloud disk: when the amount of stored data is large, each section is made smaller or the number of sections larger, and when the amount of stored data is small, each section is made larger or the number of sections smaller, so as to improve key replacement efficiency.
Step 102, performing key conversion processing on data in each section of the first cloud disk according to the first key and the second key.
The second key is an original key of the first cloud disk, namely before the first cloud disk performs key conversion processing, the user performs decryption/encryption operation by adopting the second key aiming at the read/write operation in the first cloud disk.
In one possible implementation manner, performing key conversion processing on data in each section of the first cloud disk according to the first key and the second key includes:
performing key conversion processing on the data in each section of the first cloud disk section by section according to the first key and the second key; or
performing key conversion processing on the data in the plurality of sections of the first cloud disk in parallel according to the first key and the second key.
The storage system can sequentially perform key conversion on each section one by one, or the storage system can perform key conversion on any section by adopting a random sequence, and after the key conversion of one section is completed, the key conversion of the next section is started; alternatively, the storage system may perform key conversion of the segments in bulk, for example: the key conversion of N sections is performed in parallel each time, wherein N is a preset positive integer. Multi-segment parallel processing may further improve key conversion efficiency.
The storage system may perform key conversion processing of each segment according to the first key and the second key, for example: after the storage system reads the data in the section, the data can be decrypted according to the second key, the data obtained after the decryption is re-encrypted according to the first key, and the encrypted data is stored in the storage position of the original data.
Fig. 2 shows a flowchart of a method for replacing a cloud disk key according to an embodiment of the present application.
In a possible implementation manner, the performing, in step 102, the key conversion processing on the data in each section of the first cloud disk according to the first key and the second key may include the following steps 1021 to 1024.
Step 1021, for any section, reading first data from the section of the first cloud disk;
step 1022, performing data decryption processing on the first data according to the second key to obtain second data;
step 1023, performing data encryption processing on the second data according to the first key to obtain third data.
Step 1024, deleting the first data, and storing the third data in the storage location of the first data.
For example, the storage system may determine a corresponding storage location in the physical storage device for the first data in the section of the first cloud disk and read the first data from the storage location in the physical storage device. The storage system can perform data decryption processing on the first data according to the second key to obtain second data. The storage system can conduct data encryption processing on the second data according to the first key to obtain third data. After the storage system indicates that the first data in the physical storage device is deleted, the third data may be written into the storage location in the physical storage device to complete the key conversion process of the first data.
Fig. 3 is a schematic diagram of a cloud disk key replacement process according to an embodiment of the present application.
For example, as shown in fig. 3, after the storage system divides the first cloud disk into sections, the key conversion processing of each section is performed sequentially, one section at a time. When the key conversion processing of section t is executed, the storage system performs key conversion on the data X1 in section t: it reads X1 from storage location y of the physical storage device, decrypts X1 with key 1 (the second key) to obtain data X2, and encrypts X2 with key 2 (the first key) to obtain X3. The storage system may then instruct the physical storage device to delete X1 and write X3 at location y, after which data X1 has completed the key conversion processing. After all the data in section t has completed the key conversion processing, it may be determined that section t has completed key conversion.
Step 103, determining and recording the key conversion state of any section according to the key conversion processing operation of the section.
The first key is a key after the first cloud disk performs key conversion processing, and the second key is a key before the first cloud disk performs key conversion processing. In one possible implementation, determining and recording the key conversion status of the segment may include:
after all data in the section completes the key conversion process, determining and recording the key conversion state of the section as a first state, wherein the first state is used for identifying that the section has completed key conversion.
For example, the storage system may create a first list that may be used to store segments for which the key conversion process has been completed. The storage system may record the section in the first list after all the data in the section has completed the key conversion process. The key conversion status of a sector recorded in the first list may be determined as a first status for identifying that the sector has completed key conversion, and the key conversion status of a sector not recorded in the first list may be determined as a fourth status for identifying that the sector has not completed key conversion. The fourth state may include that the section has not performed the key conversion process (the second state as follows) or that the section is performing the key conversion process (the third state as follows).
In one example, the storage system divides the first cloud disk into 5000 segments in a size of 2MB per segment, where the first 4 segments have completed the key conversion process, and the corresponding first list may refer to table 1 below.
TABLE 1
Sections that have completed key conversion processing
Section 1
Section 2
Section 3
Section 4
Alternatively, the storage system may create a second list that may be used to store key conversion status for each segment. When the first cloud disk is partitioned, the key conversion state of each section can be recorded in the second list to be a fourth state, and after all data in the section are subjected to key conversion processing, the state of the section in the second list can be updated to be the first state.
In one example, the storage system divides the first cloud disk into 1000 segments in a size of 2MB per segment, where the first 4 segments have completed the key conversion process, and the corresponding second list may refer to table 2 below.
TABLE 2
Section identification    Key conversion state
Section 1                 First state
Section 2                 First state
Section 3                 First state
Section 4                 First state
Section 5                 Fourth state
...                       ...
Section 1000              Fourth state
In one possible implementation manner, the determining and recording the key conversion status of the segment may include the following steps:
determining and recording the initial key conversion state of the section as a second state;
updating the key conversion state of the section to a third state when key conversion processing is performed on the data in the section;
wherein the second state is used to identify that the section has not performed key conversion processing, and the third state is used to identify that the section is performing key conversion processing.
For example, the storage system may create a third list that may be used to record key conversion status for each sector. When the storage system partitions the first cloud disk, the key conversion state of each section may be recorded in a third list as a second state, where the second state may be used to identify that the section has not performed a key conversion processing operation. When performing key conversion processing of a segment, the key conversion state of the segment in the third list may be updated to a third state, which may be used to identify that the segment has begun performing key conversion processing operations. When all the data in the section completes the key conversion processing, the key conversion state of the section in the third list may be updated to the first state.
In one example, the storage system divides the first cloud disk into 1000 segments with a size of 2MB per segment, where the first 4 segments have completed the key conversion process and the 5 th segment is performing the key conversion process, and the corresponding third list may refer to table 3 below.
TABLE 3
Section identification    Key conversion state
Section 1                 First state
Section 2                 First state
Section 3                 First state
Section 4                 First state
Section 5                 Third state
Section 6                 Second state
...                       ...
Section 1000              Second state
In one possible implementation, after the current key change instruction is executed, that is, after all the segments of the first cloud disk complete the key change, the key change state of each segment may be cleared, so that the state is re-recorded when the key change instruction is received next time.
In this way, the storage system can respond to the key replacement instruction by dividing the first cloud disk into a plurality of sections, and can perform key conversion processing on the data in each section according to the first key carried in the key replacement instruction and the second key currently used by the first cloud disk. The storage system may determine and record the key conversion state of a section according to the key conversion processing operation for that section, so that the storage system can decide how to perform the read/write operation of target data according to the key conversion state of any section in the first cloud disk, for example: the data is read/written using either the first key or the second key. According to the cloud disk key replacement method provided by the embodiment of the application, the storage system can perform the key conversion of the first cloud disk while the first cloud disk remains mounted, so that the time for key conversion can be saved and the problem of service interruption caused by key conversion of the first cloud disk can be avoided.
In order to better understand the advantages of the embodiments of the present application, the following describes the advantages of the implementation of the present application by means of specific examples.
The first cloud disk can undergo key conversion processing while in the mounted state, and during the key conversion of the first cloud disk the storage system can perform the read/write operation on target data according to the first key once the section in which the target data is located has completed key conversion; that is, the read/write processing of data in the first cloud disk is not affected during the key conversion of the first cloud disk, so that the service interruption problem can be avoided.
Fig. 4 shows a flowchart of a method for replacing a cloud disk key according to an embodiment of the present application.
In one possible implementation, referring to fig. 4, the method may further include:
step 104, receiving a data processing instruction, wherein the data processing instruction comprises position information of target data.
The user may send a data processing instruction to the storage system via the terminal device, for example a data read instruction or a data write instruction, used to read data from or write data to the first cloud disk. The data processing instruction may include the location information of the target data to be read/written; for example, the location information may include the starting position of the target data and the size of the target data.
And step 105, responding to the data processing instruction, and determining the section to which the target data belongs according to the position information of the target data.
After the storage system receives the data processing instruction, the section of the target data in the first cloud disk can be determined according to the position information of the target data.
For example, assume that the starting position of the target data is 37MB and its size is 4MB, that is, the target data is the data stored at 37MB to 40MB of the first cloud disk. In one example, assume that the storage system divides the first cloud disk into a plurality of sections of size 2MB according to a preset division specification. The storage system may then determine that the target data (37MB to 40MB) belongs to the 19th and 20th sections of the first cloud disk.
In another example, the storage system may divide the first cloud disk into a preset number of sections, for example: the storage system uniformly divides the first cloud disk into 100 sections, and assuming that the first cloud disk stores 500MB of data, the size of each section is determined to be 5MB. The storage system may then determine that the target data (37MB to 40MB) belongs to the 8th section of the first cloud disk.
Alternatively, the storage system may divide the first cloud disk into 100 segments according to a random size, and record position information (e.g., a start position and an end position) corresponding to each of the divided segments. The storage system can search for a zone to which target data (37 MB to 40 MB) belongs in each zone, for example: the storage system records that the 5 th section corresponds to 34 MB-38 MB and the 6 th section corresponds to 39 MB-50 MB, and then the storage system can determine that the target data (37 MB-40 MB) belong to the 5 th section and the 6 th section.
Step 106, processing the target data according to the key conversion state of the section to which the target data belongs.
After determining the section to which the target data belongs, the storage system may determine the key conversion status of the section to which the target data belongs. For example, the storage system may search the first list (refer to the foregoing embodiment) for the section to which the target data belongs, and when the section to which the target data belongs is searched in the first list, it may determine that the section to which the target data belongs is in the first state, and otherwise, it may determine that the section to which the target data belongs is in the fourth state. Alternatively, the storage system may search the second list (refer to the foregoing embodiment) or the third list (refer to the foregoing embodiment) for the target data section and the key conversion state of the target data section.
After determining the key conversion state of the section to which the target data belongs, the storage system may determine a manner of processing the target data according to the key conversion state of the section to which the target data belongs.
In one possible implementation manner, the processing the target data according to the key conversion state of the section to which the target data belongs may include the following steps:
When the section to which the target data belongs is in the first state, processing the target data according to the first key.
When the section to which the target data belongs is in the first state, it indicates that all the data in the section has completed the key conversion processing, that is, the data stored in the section is the data after the data encryption processing by the first key, so that the data decryption/data encryption processing can be performed on the target data by the first key for the read/write operation of the target data in the section.
In this way, the storage system can perform the key replacement operation while the first cloud disk remains mounted, and when a data processing instruction for the first cloud disk is received, if the section of the first cloud disk containing the target data has already completed key conversion processing, the target data can be processed directly with the first key, so that the time for key conversion can be saved and the problem of service interruption caused by key conversion of the first cloud disk can be avoided.
Fig. 5 shows a flowchart of a method for replacing a cloud disk key according to an embodiment of the present application.
In one possible implementation manner, referring to fig. 5, the processing the target data according to the key conversion state of the section to which the target data belongs in step 106 may include the following steps:
Step 1061, performing key conversion processing on the section to which the target data belongs when the section to which the target data belongs is in the second state.
Step 1062, after the section to which the target data belongs completes the key conversion processing, processing the target data according to the first key.
After determining the section to which the target data belongs, the storage system may determine the key conversion status of the section to which the target data belongs. When the key conversion state of the section to which the target data belongs is in the second state, the storage system can immediately execute the key conversion of the section to which the target data belongs and process the target data according to the first key after completing the key conversion of the section to which the target data belongs.
It should be noted that, when the section to which the target data belongs includes a first section in a first state and a second section in a second state, the storage system may process the data in the first section according to the first key first, and process the data in the second section according to the first key after the second section completes the key conversion process; the storage system may further process the data in the first section and the second section according to the first key after the second section completes the key conversion process, which is not specifically limited in the embodiments of the present application.
Therefore, the storage system can perform the key replacement operation while the first cloud disk is mounted, so that the time for key conversion can be saved and the problem of service interruption caused by key conversion of the first cloud disk can be avoided. The storage system can preferentially perform key conversion of the section corresponding to the service requirement, so that the service requirement can be responded to as soon as possible and the processing efficiency of the service data can be improved.
Fig. 6 shows a flowchart of a method for replacing a cloud disk key according to an embodiment of the present application.
In a possible implementation manner, referring to fig. 6, the processing the target data according to the key conversion state of the section to which the target data belongs in step 106 may include the following steps:
Step 1063, when the section to which the target data belongs is in the second state or the third state, caching the target data processing instruction in a cache queue.
Step 1064, after the key conversion processing is completed on the section to which the target data belongs, obtaining the target data processing instruction from the cache queue.
Step 1065, in response to the target data processing instruction, processing the target data according to the first key.
When the section to which the target data belongs is in the second state, it is indicated that the section to which the target data belongs has not yet started executing the key conversion processing, or when the section to which the target data belongs is in the third state, it is indicated that the section to which the target data belongs has started executing the key conversion processing. In both states, the storage system may suspend processing the target data processing instruction and write the target data processing instruction into the cache queue.
The storage system may perform key conversion processing on the sections in the first cloud disk sequentially or in random order. After the key conversion processing for any section is completed, the storage system may determine whether there is a target data processing instruction for that section in the cache queue. When there is a target data processing instruction for the section in the cache queue, the target data may be processed according to the first key in response to the target data processing instruction.
Therefore, the storage system can perform key replacement operation in the first cloud disk mounting state, so that the time for key conversion can be saved, and the problem of service interruption caused by key conversion of the first cloud disk is avoided.
In one possible implementation manner, the target data processing instruction may be a data reading instruction, and the processing the target data according to the first key may include the following steps:
reading the encrypted target data according to the position information of the target data;
performing data decryption processing on the encrypted target data according to the first key to obtain the target data;
and sending the target data to a cloud server.
For example, when the target data processing instruction is a data read instruction sent by the cloud server, the storage system may read the target data from the first cloud disk in response to the data read instruction. After the key conversion processing is completed on the section to which the target data belongs, that is, when the target data is encrypted according to the first key, the storage system may read the encrypted target data from the physical storage device according to the location information of the target data. The storage system can then perform data decryption processing on the encrypted target data according to the first key to obtain the target data, and return the target data to the cloud server.
In this way, the storage system can perform the key replacement operation while the first cloud disk is mounted, and when a data reading instruction for the first cloud disk is received, if the target data in the section of the first cloud disk has completed key conversion processing, the target data can be read directly with the first key, so that the time of key conversion can be saved and the problem of service interruption caused by key conversion performed on the first cloud disk is avoided.
In one possible implementation manner, the target data processing instruction is a data writing instruction, where the data writing instruction may further include target data, and the processing the target data according to the first key may include the following steps:
performing data encryption processing on the target data according to the first key;
writing the encrypted target data into a position corresponding to the address information of the target data.
For example, when the target data processing instruction is a data writing instruction sent by the cloud server, the storage system may write the target data to the first cloud disk in response to the data writing instruction. After the key conversion processing is completed on the section to which the target data belongs, the storage system can encrypt the target data according to the first key, and can write the encrypted target data into the physical storage device according to the address information of the target data.
In this way, the storage system can perform key replacement operation in the state of mounting the first cloud disk, and when a data writing instruction for the first cloud disk is received, if the target data has completed key conversion processing in the section of the first cloud disk, the target data can be directly written through the first key, so that the time of key conversion can be saved, and the problem of service interruption caused by key conversion performed by the first cloud disk can be avoided.
In one possible implementation manner, the processing the target data according to the key conversion state of the section to which the target data belongs may include the following steps:
when the section to which the target data belongs is in the second state, processing the target data according to the second key.
When the section of the target data is in the second state, the section of the target data is not yet subjected to key conversion, that is, the data in the section of the target data are all data encrypted and stored by adopting the second key. Therefore, the second key can be used for data decryption/data encryption processing on the target data in the section.
When the section to which the target data belongs includes a first section in a first state and a second section in a second state, the storage system may process the data in the first section according to the first key and process the data in the second section according to the second key.
In one possible implementation manner, the target data processing instruction is a read data instruction, and the processing the target data according to the second key may include the following steps:
reading the encrypted target data according to the position information of the target data;
performing data decryption processing on the encrypted target data according to the second key to obtain the target data;
and sending the target data to a cloud server.
For example, when the target data processing instruction is a read data instruction sent by the cloud server, the storage system may read the target data from the first cloud disk in response to the read data instruction. When the section to which the target data belongs has not yet undergone key conversion processing, that is, when the target data is still encrypted according to the second key, the storage system may read the encrypted target data from the physical storage device according to the location information of the target data. The storage system can then perform data decryption processing on the encrypted target data according to the second key to obtain the target data, and return the target data to the cloud server.
In this way, the storage system can perform the key replacement operation while the first cloud disk is mounted, and when a data reading instruction for the first cloud disk is received, if the target data in the section of the first cloud disk has not yet undergone key conversion processing, the target data can be read directly with the second key, so that the time of key conversion can be saved and the problem of service interruption caused by key conversion performed on the first cloud disk is avoided.
In one possible implementation manner, the target data processing instruction is a data writing instruction, where the data writing instruction may further include target data, and the processing the target data according to the second key may include the following steps:
performing data encryption processing on the target data according to the second key;
writing the encrypted target data into a position corresponding to the address information of the target data.
For example, when the target data processing instruction is a data writing instruction sent by the cloud server, the storage system may write the target data to the first cloud disk in response to the data writing instruction. When the section of the target data is not subjected to key conversion processing, the storage system can perform data encryption processing on the target data according to the second key, and write the encrypted target data into the physical storage device according to the address information of the target data.
In this way, the storage system can perform key replacement operation in the state of mounting the first cloud disk, and when receiving a data writing instruction for the first cloud disk, if the target data is not subjected to key conversion processing in the section of the first cloud disk, the target data can be directly written through the second key, so that the time of key conversion can be saved, and the problem of service interruption caused by key conversion of the first cloud disk is avoided.
Fig. 7 is a schematic diagram of data processing performed by a cloud disk during a key conversion process according to an embodiment of the present application; fig. 8 is a schematic diagram of data processing of a cloud disk in a key conversion process according to an embodiment of the present application.
In order for those skilled in the art to better understand the embodiments of the present application, the embodiments of the present application are described below by way of examples shown in fig. 7 and 8.
The storage system receives a key replacement instruction for the first cloud disk, the key replacement instruction instructing the storage system to convert the key of the first cloud disk from key 2 to key 1. The storage system may divide the first cloud disk into 100 sections according to a section size of 2 MB. The storage system may perform key conversion of each section one by one (the conversion process may refer to the foregoing example shown in fig. 3), and may record the key conversion state of each section in a state conversion list, where the key conversion states may include: a first state, a second state, and a third state.
For example, as shown in fig. 7, during the key conversion performed by the first cloud disk, the storage system receives a data reading instruction for the first cloud disk, where the data reading instruction indicates reading target data of a location X in the first cloud disk. The storage system can determine the section of the target data in the first cloud disk according to the position X, and can query and determine the key conversion state of the section of the target data in the state conversion list.
In one example, the section to which the target data belongs is in a first state, which indicates that the section to which the target data belongs has completed the key conversion, that is, the data stored in the section to which the target data belongs are all data encrypted with a new key (key 1). The storage system may determine a corresponding storage location y of the location X of the first cloud disk in the physical storage device, and read data 1 from the storage location y of the physical storage device (the data 1 is target data after encryption processing using the key 1). The storage device can perform data decryption processing on the data 1 according to the key 1 to obtain target data, and the target data is returned to the cloud server.
In another example, the section to which the target data belongs is in the second state, which indicates that the section to which the target data belongs has not yet started to perform the key conversion, the storage system may immediately perform the key conversion process of the section to which the target data belongs, and read the target data according to the key 1 when the key conversion process is completed (for a specific process of reading the target data, reference may be made to the foregoing embodiments). Alternatively, the section to which the target data belongs is in the third state, which indicates that the section to which the target data belongs has started but has not completed the key conversion of all the data, and the storage system may read the target data according to the key 1 when the key conversion process is completed (refer to the foregoing embodiment specifically).
In another example, the section to which the target data belongs is in a second state, which indicates that the section to which the target data belongs has not yet started performing key conversion, that is, the data stored in the section to which the target data belongs are all data encrypted with the old key (key 2). The storage system may determine a corresponding storage location y of the location X of the first cloud disk in the physical storage device, and read data 2 from the storage location y of the physical storage device (the data 2 is target data encrypted with the key 2). The storage device can perform data decryption processing on the data 2 according to the key 2 to obtain target data, and the target data is returned to the cloud server.
For example, as shown in fig. 8, in the process of performing key conversion on the first cloud disk, the storage system receives a data write instruction for the first cloud disk, the data write instruction indicating writing of target data at the location Y. The storage system can determine the section of the target data in the first cloud disk according to the position Y, and can query and determine the key conversion state of the section of the target data in the state conversion list.
In one example, the section to which the target data belongs is in a first state, which indicates that the section to which the target data belongs has completed the key conversion, that is, the data stored in the section to which the target data belongs are all data encrypted with a new key (key 1). The storage system can determine a storage position x corresponding to the position Y of the first cloud disk in the physical storage device, conduct data encryption processing on target data by adopting the key 1 to obtain data 3, and store the data 3 to the storage position x of the physical storage device.
In another example, the section to which the target data belongs is in the second state, which indicates that the section to which the target data belongs has not yet started to perform the key conversion; the storage system may immediately perform the key conversion process of the section to which the target data belongs, and write the target data to the first cloud disk according to the key 1 when the key conversion process is completed (for a specific writing process, reference may be made to the foregoing embodiment). Or, the section to which the target data belongs is in a third state, which indicates that the section to which the target data belongs has started but has not completed the key conversion of all the data. The storage system may write the target data to the first cloud disk according to the key 1 when the key conversion process is completed (the specific writing process may refer to the foregoing embodiment).
In another example, the section to which the target data belongs is in a second state, which indicates that the section to which the target data belongs has not yet started performing key conversion, that is, the data stored in the section to which the target data belongs are all data encrypted with the old key (key 2). The storage system can determine a corresponding storage position x of the position Y of the first cloud disk in the physical storage device, perform data encryption processing on target data by adopting the key 2 to obtain data 4, and store the data 4 to the storage position x of the physical storage device.
In practice, after the storage system receives the key replacement instruction, a second cloud disk and a key conversion list may also be created. After the storage system divides the first cloud disk into sections, the key conversion processing of each section is executed sequentially one by one, the data for which the key conversion processing has been completed can be written into the second cloud disk, and the key conversion state of each section is recorded in the key conversion list. In this way, after a section finishes the key conversion process, the storage system can read the data in the section from the second cloud disk, or write data into the section, according to the first key; when a section has not started key conversion processing, the storage system reads the data in the section from the first cloud disk, or writes data into the section, according to the second key, so that the first cloud disk can perform the key conversion operation in the mounted state and the problem of service interruption caused by key replacement is avoided.
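The state-dependent dispatch described above (fig. 5: convert a second-state section on demand; fig. 6: park instructions for a converting section in a cache queue; the alternative of serving a second-state section with the second key) together with the fig. 7 / fig. 8 walk-through, as an added Python model. This is illustrative code written for this page, not code from the patent or from Alibaba Cloud. It assumes a SHAKE256 keystream XOR as a stand-in cipher (a real cloud disk would use an authenticated disk-encryption mode), scales the section size down from 2 MB to 64 KiB so the whole disk converts in well under a second, keeps each request inside one section, and uses its own names (`CloudDisk`, `convert_step`, `SECOND`/`THIRD`/`FIRST`). The conversion step follows the sequence the conversion module is given further on (read, decrypt with the second key, encrypt with the first key, overwrite in place), and the state list follows the recording module's transitions (second state on receipt of the instruction, third state while converting, first state when done).

```python
import hashlib
from collections import deque

# Scaled down from the page's 100 sections of 2 MB so the example runs in well under a second.
SECTION_SIZE, NUM_SECTIONS, CHUNK, KS_BLOCK = 64 * 1024, 100, 16 * 1024, 4096
SECOND, THIRD, FIRST = "not started", "converting", "converted"   # the page's section states

def transform(key, section, offset, data):
    """XOR data at [offset, offset+len) of a section with a SHAKE256(key || section || block)
    keystream: a stand-in for a real disk cipher (assumption); one call encrypts and decrypts."""
    first, last = offset // KS_BLOCK, (offset + len(data) - 1) // KS_BLOCK
    ks = b"".join(hashlib.shake_256(key + section.to_bytes(4, "big") + i.to_bytes(8, "big"))
                  .digest(KS_BLOCK) for i in range(first, last + 1))[offset - first * KS_BLOCK:]
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks[:len(data)], "big")).to_bytes(len(data), "big")

class Request:                                   # a data processing instruction
    def __init__(self, op, position, length, data=None):
        self.op, self.position, self.length, self.data = op, position, length, data
        self.result = None                       # stays None while parked in the cache queue

class CloudDisk:
    def __init__(self, old_key, unconverted_policy="convert"):
        self.key2, self.key1 = old_key, None     # key before / key after conversion
        # Physical storage: every section starts as zeros encrypted under the old key.
        self.store = [bytearray(transform(old_key, s, 0, bytes(SECTION_SIZE))) for s in range(NUM_SECTIONS)]
        self.state, self.cursor = {}, {}         # state list, and conversion progress per section
        self.queue = deque()                     # cache queue of parked instructions (fig. 6)
        self.policy = unconverted_policy         # second-state section: "convert" (fig. 5) or "old_key"

    def replace_key(self, new_key):              # key replacement instruction: all sections not started
        self.key1 = new_key
        self.state = {s: SECOND for s in range(NUM_SECTIONS)}
        self.cursor = {s: 0 for s in range(NUM_SECTIONS)}

    def convert_step(self, sec):
        """Decrypt one CHUNK with key 2, re-encrypt with key 1, overwrite in place; True when done."""
        if self.state[sec] == FIRST:
            return True
        self.state[sec], off, buf = THIRD, self.cursor[sec], self.store[sec]
        plain = transform(self.key2, sec, off, bytes(buf[off:off + CHUNK]))
        buf[off:off + CHUNK] = transform(self.key1, sec, off, plain)
        self.cursor[sec] = off + CHUNK
        if self.cursor[sec] < SECTION_SIZE:
            return False
        self.state[sec] = FIRST
        for req in [r for r in self.queue if r.position // SECTION_SIZE == sec]:
            self.queue.remove(req)               # resume instructions that waited on this section
            self._process(req)
        return True

    def convert_section(self, sec):
        while not self.convert_step(sec): pass

    def read(self, position, length):
        return self._process(Request("read", position, length))

    def write(self, position, data):
        return self._process(Request("write", position, len(data), data))

    def _key_for(self, sec):                     # key covering the whole section; None while converting
        if self.key1 is None:
            return self.key2                     # no replacement in progress
        if self.state[sec] == THIRD:
            return None
        if self.state[sec] == SECOND and self.policy == "old_key":
            return self.key2                     # serve an unconverted section with the old key
        self.convert_section(sec)                # fig. 5: convert it first (no-op once converted)
        return self.key1

    def _process(self, req):                     # dispatch by the state of the section touched
        sec, off = divmod(req.position, SECTION_SIZE)   # (a request spanning two sections would be split)
        key = self._key_for(sec)
        if key is None:                          # third state: park it in the cache queue
            self.queue.append(req)
            return req
        if req.op == "write":
            self.store[sec][off:off + req.length] = transform(key, sec, off, req.data)
        req.result = transform(key, sec, off, bytes(self.store[sec][off:off + req.length]))
        return req                               # a write's result is the read-back of what was written

def run_example():
    """Replays fig. 7 / fig. 8 with constructed keys and contents: key 2 -> key 1 while mounted."""
    disk = CloudDisk(b"old-key-2", unconverted_policy="old_key")
    disk.write(0, b"section zero")                        # stored under key 2
    disk.write(5 * SECTION_SIZE + 100, b"section five")
    disk.replace_key(b"new-key-1")
    disk.convert_section(0)                               # section 0 -> first state
    first = disk.read(0, 12).result                       # decrypted with key 1
    second = disk.read(5 * SECTION_SIZE + 100, 12).result  # section 5 not started: key 2
    disk.convert_step(5)                                  # section 5 -> third state
    parked = disk.read(5 * SECTION_SIZE + 100, 12)        # lands in the cache queue
    was_parked = parked.result is None
    disk.convert_section(5)                               # finishes; queue drained
    disk.write(7 * SECTION_SIZE, b"late write")           # section 7 still under key 2
    for s in range(NUM_SECTIONS): disk.convert_section(s) # background conversion catches up
    return {"first_state_read": first, "second_state_read": second, "was_parked": was_parked,
            "parked_result": parked.result, "all_converted": all(v == FIRST for v in disk.state.values()),
            "late_write_read": disk.read(7 * SECTION_SIZE, 10).result}
```

The `old_key` policy makes the role of the third state visible: once one chunk of a section has been re-encrypted, neither key covers the section as a whole, so an instruction arriving at that moment can only be served after the section reaches the first state, which is exactly why the page parks it in the cache queue. Once every section is in the first state, the second key is no longer needed by the disk and should be retired in the key management system; the model leaves that step to the caller.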
Fig. 9 is a schematic structural diagram of a device for replacing a cloud disk key according to an embodiment of the present application, where the device may be applied to a storage system, as shown in fig. 9, and the device may include:
the dividing module 901 may be configured to divide the first cloud disk into a plurality of sections in response to a key replacement instruction, where the key replacement instruction includes a first key;
the conversion module 902 may be configured to perform key conversion processing on data in each section of the first cloud disk according to the first key and the second key;
the recording module 903 may be configured to determine and record the key conversion status of any section according to the key conversion processing operation for the section;
the first key is a key after the first cloud disk performs key conversion processing, and the second key is a key before the first cloud disk performs key conversion processing.
In this way, the storage system can respond to the key replacement instruction by dividing the first cloud disk into a plurality of sections, and can perform key conversion processing on the data in each section according to the first key carried in the key replacement instruction and the second key currently used by the first cloud disk. The storage system may determine and record the key conversion status of a section according to the key conversion processing operation for the section, so that the storage system may determine the read/write operation of the target data for the section according to the key conversion status of any section in the first cloud disk, for example: data is read/written using either the first key or the second key. With the cloud disk key replacing device, the storage system can perform key conversion of the first cloud disk while the first cloud disk is mounted, so that the time of key conversion can be saved and the problem of service interruption caused by key conversion of the first cloud disk can be avoided.
In one possible implementation, the conversion module 902 may also be configured to:
for any section, reading first data from the section of the first cloud disk;
performing data decryption processing on the first data according to the second key to obtain second data;
carrying out data encryption processing on the second data according to the first key to obtain third data;
deleting the first data and storing the third data in a storage position of the first data.
In one possible implementation, the recording module 903 may be further configured to:
determining and recording the initial key conversion state of the section as a second state;
updating the key conversion state of the section to a third state when key conversion processing is performed on the data in the section;
wherein the second state is used to identify that the section has not performed key conversion processing, and the third state is used to identify that the section is performing key conversion processing.
In one possible implementation manner, the apparatus may further include:
the receiving module can be used for receiving a data processing instruction, wherein the data processing instruction comprises the position information of target data;
The first determining module can be used for responding to the data processing instruction and determining a section to which the target data belongs according to the position information of the target data;
and the processing module can be used for processing the target data according to the key conversion state of the section to which the target data belongs.
In one possible implementation, the processing module may be further configured to:
when the section to which the target data belongs is in a first state, processing the target data according to the first key.
In one possible implementation, the processing module may be further configured to:
when the section of the target data is in the second state, performing key conversion processing on the section of the target data;
and after the section to which the target data belongs completes key conversion processing, processing the target data according to the first key.
In one possible implementation, the processing module may be further configured to:
when the section to which the target data belongs is in the second state or the third state, caching the target data processing instruction in a cache queue;
after the section to which the target data belongs completes key conversion processing, acquiring the target data processing instruction from the cache queue;
And responding to the target data processing instruction, and processing the target data according to the first key.
In one possible implementation, the target data processing instruction is a data reading instruction, and the processing module may be further configured to:
reading the encrypted target data according to the position information of the target data;
performing data decryption processing on the encrypted target data according to the first key to obtain the target data;
and sending the target data to a cloud server.
In one possible implementation manner, the target data processing instruction is a data writing instruction, where the data writing instruction further includes target data, and the processing module is further configured to:
performing data encryption processing on the target data according to the first key;
writing the encrypted target data into a position corresponding to the address information of the target data.
In one possible implementation, the processing module may be further configured to:
when the section to which the target data belongs is in the second state, processing the target data according to the second key.
In one possible implementation, the target data processing instruction is a read data instruction, and the processing module may be further configured to:
reading the encrypted target data according to the position information of the target data;
performing data decryption processing on the encrypted target data according to the second key to obtain the target data;
and sending the target data to a cloud server.
In a possible implementation manner, the target data processing instruction is a write data instruction, where the write data instruction further includes target data, and the processing module is further configured to:
performing data encryption processing on the target data according to the second key;
writing the encrypted target data into a position corresponding to the address information of the target data.
In one possible implementation, the conversion module may further be configured to:
performing key conversion processing on the data in each section of the first cloud disk section by section according to the first key and the second key; or
performing key conversion processing on the data in a plurality of sections of the first cloud disk in parallel according to the first key and the second key.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or nonvolatile memory, such as read only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
Fig. 10 is a block diagram illustrating an apparatus 1900 for cloud disk key replacement in accordance with an example embodiment. For example, the apparatus 1900 may be provided as a server. Referring to fig. 10, the apparatus 1900 includes a processing component 1922 that further includes one or more processors, and memory resources represented by memory 1932 for storing instructions, such as application programs, that are executable by the processing component 1922. The application programs stored in memory 1932 may include one or more modules each corresponding to a set of instructions. Further, the processing component 1922 is configured to execute the instructions to perform the methods described above.
The apparatus 1900 may further include a power component 1926 configured to perform power management of the apparatus 1900, a wired or wireless network interface 1950 configured to connect the apparatus 1900 to a network, and an input/output (I/O) interface 1958. The apparatus 1900 may operate based on an operating system stored in memory 1932, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as memory 1932, including computer program instructions executable by processing component 1922 of apparatus 1900 to perform the above-described methods.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (28)

1. A cloud disk key replacement method, applied to a storage system, the method comprising:
in response to a key replacement instruction, dividing a first cloud disk into a plurality of sections, wherein the key replacement instruction comprises a first key;
performing key conversion processing on the data in each section of the first cloud disk according to the first key and a second key;
determining and recording a key conversion state of each section according to the key conversion processing operation performed on that section, wherein the key conversion state is used to determine how target data belonging to the section is processed during the key conversion of the first cloud disk;
wherein the first key is the key in use after the key conversion processing of the first cloud disk, and the second key is the key in use before the key conversion processing of the first cloud disk.
2. The method of claim 1, wherein the performing key conversion processing on the data in each section of the first cloud disk according to the first key and the second key comprises:
for each section, reading first data from the section of the first cloud disk;
performing data decryption processing on the first data according to the second key to obtain second data;
performing data encryption processing on the second data according to the first key to obtain third data;
deleting the first data and storing the third data at the storage position of the first data.
3. The method of claim 1, wherein the determining and recording the key conversion state of the section comprises:
after all data in the section has completed the key conversion processing, determining and recording the key conversion state of the section as a first state, wherein the first state identifies that the section has completed key conversion.
4. The method of claim 3, wherein the determining and recording the key conversion state of the section further comprises:
determining and recording the initial key conversion state of the section as a second state;
updating the key conversion state of the section to a third state while key conversion processing is performed on the data in the section;
wherein the second state identifies that the section has not yet undergone key conversion processing, and the third state identifies that the section is undergoing key conversion processing.
5. The method according to any one of claims 1 to 4, further comprising:
receiving a data processing instruction, wherein the data processing instruction comprises position information of target data;
in response to the data processing instruction, determining the section to which the target data belongs according to the position information of the target data;
processing the target data according to the key conversion state of the section to which the target data belongs.
6. The method of claim 5, wherein the processing the target data according to the key conversion state of the section to which the target data belongs comprises:
when the section to which the target data belongs is in the first state, processing the target data according to the first key.
7. The method of claim 5, wherein the processing the target data according to the key conversion state of the section to which the target data belongs comprises:
when the section to which the target data belongs is in the second state, performing key conversion processing on that section;
after the section to which the target data belongs has completed key conversion processing, processing the target data according to the first key.
8. The method of claim 5, wherein the processing the target data according to the key conversion state of the section to which the target data belongs comprises:
when the section to which the target data belongs is in the second state or the third state, caching the data processing instruction in a cache queue;
after the section to which the target data belongs has completed key conversion processing, retrieving the data processing instruction from the cache queue;
in response to the data processing instruction, processing the target data according to the first key.
9. The method according to any one of claims 6 to 8, wherein the data processing instruction is a data read instruction, and the processing the target data according to the first key comprises:
reading the encrypted target data according to the position information of the target data;
performing data decryption processing on the encrypted target data according to the first key to obtain the target data;
sending the target data to a cloud server.
10. The method according to any one of claims 6 to 8, wherein the data processing instruction is a data write instruction that further comprises the target data, and the processing the target data according to the first key comprises:
performing data encryption processing on the target data according to the first key;
writing the encrypted target data to the position indicated by the position information of the target data.
11. The method of claim 5, wherein the processing the target data according to the key conversion state of the section to which the target data belongs comprises:
when the section to which the target data belongs is in the second state, processing the target data according to the second key.
12. The method of claim 11, wherein the data processing instruction is a data read instruction, and the processing the target data according to the second key comprises:
reading the encrypted target data according to the position information of the target data;
performing data decryption processing on the encrypted target data according to the second key to obtain the target data;
sending the target data to a cloud server.
13. The method of claim 11, wherein the data processing instruction is a data write instruction that further comprises the target data, and the processing the target data according to the second key comprises:
performing data encryption processing on the target data according to the second key;
writing the encrypted target data to the position indicated by the position information of the target data.
14. The method of claim 1, wherein the performing key conversion processing on the data in each section of the first cloud disk according to the first key and the second key comprises:
performing key conversion processing on the data in each section of the first cloud disk section by section according to the first key and the second key; or
performing key conversion processing on the data in the plurality of sections of the first cloud disk in parallel according to the first key and the second key.
15. A cloud disk key replacement apparatus, applied to a storage system, the apparatus comprising:
a dividing module, configured to divide, in response to a key replacement instruction, a first cloud disk into a plurality of sections, wherein the key replacement instruction comprises a first key;
a conversion module, configured to perform key conversion processing on the data in each section of the first cloud disk according to the first key and a second key;
a recording module, configured to determine and record a key conversion state of each section according to the key conversion processing operation performed on that section, wherein the key conversion state is used to determine how target data belonging to the section is processed during the key conversion of the first cloud disk;
wherein the first key is the key in use after the key conversion processing of the first cloud disk, and the second key is the key in use before the key conversion processing of the first cloud disk.
16. The apparatus of claim 15, wherein the conversion module is further configured to:
for each section, read first data from the section of the first cloud disk;
perform data decryption processing on the first data according to the second key to obtain second data;
perform data encryption processing on the second data according to the first key to obtain third data;
delete the first data and store the third data at the storage position of the first data.
17. The apparatus of claim 15, wherein the recording module is further configured to:
after all data in the section has completed the key conversion processing, determine and record the key conversion state of the section as a first state, wherein the first state identifies that the section has completed key conversion.
18. The apparatus of claim 17, wherein the recording module is further configured to:
determine and record the initial key conversion state of the section as a second state;
update the key conversion state of the section to a third state while key conversion processing is performed on the data in the section;
wherein the second state identifies that the section has not yet undergone key conversion processing, and the third state identifies that the section is undergoing key conversion processing.
19. The apparatus according to any one of claims 15 to 18, further comprising:
a receiving module, configured to receive a data processing instruction, wherein the data processing instruction comprises position information of target data;
a first determining module, configured to determine, in response to the data processing instruction, the section to which the target data belongs according to the position information of the target data;
a processing module, configured to process the target data according to the key conversion state of the section to which the target data belongs.
20. The apparatus of claim 19, wherein the processing module is further configured to:
when the section to which the target data belongs is in the first state, process the target data according to the first key.
21. The apparatus of claim 19, wherein the processing module is further configured to:
when the section to which the target data belongs is in the second state, perform key conversion processing on that section;
after the section to which the target data belongs has completed key conversion processing, process the target data according to the first key.
22. The apparatus of claim 19, wherein the processing module is further configured to:
when the section to which the target data belongs is in the second state or the third state, cache the data processing instruction in a cache queue;
after the section to which the target data belongs has completed key conversion processing, retrieve the data processing instruction from the cache queue;
in response to the data processing instruction, process the target data according to the first key.
23. The apparatus according to any one of claims 20 to 22, wherein the data processing instruction is a data read instruction, and the processing module is further configured to:
read the encrypted target data according to the position information of the target data;
perform data decryption processing on the encrypted target data according to the first key to obtain the target data;
send the target data to a cloud server.
24. The apparatus according to any one of claims 20 to 22, wherein the data processing instruction is a data write instruction that further comprises the target data, and the processing module is further configured to:
perform data encryption processing on the target data according to the first key;
write the encrypted target data to the position indicated by the position information of the target data.
25. The apparatus of claim 19, wherein the processing module is further configured to:
when the section to which the target data belongs is in the second state, process the target data according to the second key.
26. The apparatus of claim 25, wherein the data processing instruction is a data read instruction, and the processing module is further configured to:
read the encrypted target data according to the position information of the target data;
perform data decryption processing on the encrypted target data according to the second key to obtain the target data;
send the target data to a cloud server.
27. The apparatus of claim 25, wherein the data processing instruction is a data write instruction that further comprises the target data, and the processing module is further configured to:
perform data encryption processing on the target data according to the second key;
write the encrypted target data to the position indicated by the position information of the target data.
28. The apparatus of claim 15, wherein the conversion module is further configured to:
perform key conversion processing on the data in each section of the first cloud disk section by section according to the first key and the second key; or
perform key conversion processing on the data in the plurality of sections of the first cloud disk in parallel according to the first key and the second key.
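The procedure the claims describe is an online rekey driven by a per-section state machine: claims 1 to 4 define the conversion of each section and its three states, claims 5 to 13 define how a read or write that arrives during the rekey is served depending on the state of the section it falls in, and claim 14 the sequencing. The following is an added, runnable illustration of that state machine, written for this page and not taken from the patent or from Alibaba Cloud's implementation. Everything below the claim references is an assumption: the cipher is a toy HMAC-SHA256 keystream XOR chosen so the example needs only the standard library (a real cloud disk would use an authenticated or tweakable mode such as AES-GCM or XTS with integrity metadata), the section layout is 16-byte sections, and the policy names `queue`, `convert` and `old_key` are labels for the alternatives of claims 8, 7 and 11.

```python
import hashlib
import hmac
from collections import deque

# Claim 4's three states: second = not started, third = in progress, first = done.
NOT_STARTED, IN_PROGRESS, DONE = "not_started", "in_progress", "done"
BLOCK = hashlib.sha256().digest_size  # toy keystream is produced in 32-byte blocks


def xor_crypt(key: bytes, section: int, offset: int, data: bytes) -> bytes:
    """Toy position-dependent stream cipher (assumption, not the patent's cipher).
    Keystream block j of a section is HMAC(key, section || j). Encrypt and decrypt
    are the same operation. The same (key, section, offset) always yields the same
    keystream, so rewriting a position under one key leaks the XOR of old and new
    plaintext; that is why production disks use XTS/GCM-style modes instead."""
    first, last = offset // BLOCK, (offset + len(data) - 1) // BLOCK
    ks = b"".join(
        hmac.new(key, section.to_bytes(8, "big") + j.to_bytes(8, "big"), hashlib.sha256).digest()
        for j in range(first, last + 1)
    )
    start = offset - first * BLOCK
    return bytes(a ^ b for a, b in zip(data, ks[start:start + len(data)]))


class CloudDisk:
    def __init__(self, plaintext: bytes, section_size: int, key: bytes):
        self.section_size = section_size
        self.key = key          # key currently on disk; the "second key" once a rekey starts
        self.new_key = None     # the "first key", carried by the key-replacement instruction
        n = -(-len(plaintext) // section_size)
        self.sections = [xor_crypt(key, i, 0, plaintext[i * section_size:(i + 1) * section_size]) for i in range(n)]
        self.state = [DONE] * n  # nothing pending: every section is served with self.key
        self.policy = "queue"
        self.queue = deque()     # claim 8: cached data-processing instructions
        self.completed = []      # results of cached instructions, delivered once their section is DONE

    def begin_rekey(self, new_key: bytes, policy: str = "queue") -> None:
        """Claim 1: on the key-replacement instruction, mark every section NOT_STARTED.
        policy: 'queue' (claim 8), 'convert' (claim 7) or 'old_key' (claim 11)."""
        self.new_key, self.policy = new_key, policy
        self.state = [NOT_STARTED] * len(self.sections)

    def convert_section(self, i: int, interleave=None) -> None:
        """Claim 2: decrypt with the old key, re-encrypt with the new key, overwrite in place.
        `interleave` is a test hook that runs while the section is IN_PROGRESS."""
        if self.state[i] != NOT_STARTED:
            return
        self.state[i] = IN_PROGRESS
        plain = xor_crypt(self.key, i, 0, self.sections[i])
        if interleave:
            interleave()
        self.sections[i] = xor_crypt(self.new_key, i, 0, plain)
        self.state[i] = DONE          # claim 3: record completion before serving I/O again
        self._drain(i)

    def finish_rekey(self) -> None:
        """Claim 14, section-by-section variant: convert what is left, then retire the old key."""
        for i in range(len(self.sections)):
            self.convert_section(i)
        self.key, self.new_key = self.new_key, None

    def _locate(self, offset: int, length: int) -> int:
        """Claim 5: map position information to a section. A request spanning two sections
        could sit in two different states, which the claims never address, so reject it."""
        i = offset // self.section_size
        if length and (offset + length - 1) // self.section_size != i:
            raise ValueError("request crosses a section boundary")
        return i

    def _key_for(self, i: int):
        """Key to serve section i with, or None when the instruction must be cached."""
        st = self.state[i]
        if st == DONE:
            return self.new_key or self.key     # claim 6 (or no rekey in flight)
        if st == NOT_STARTED and self.policy == "old_key":
            return self.key                     # claim 11: still under the second key
        if st == NOT_STARTED and self.policy == "convert":
            self.convert_section(i)             # claim 7: convert on demand, then use the first key
            return self.new_key
        return None                             # claim 8: NOT_STARTED or IN_PROGRESS -> cache

    def _apply(self, op: str, offset: int, arg, key: bytes, i: int):
        start = offset - i * self.section_size
        buf = bytearray(self.sections[i])
        if op == "read":                                              # claims 9 / 12
            return xor_crypt(key, i, start, bytes(buf[start:start + arg]))
        buf[start:start + len(arg)] = xor_crypt(key, i, start, arg)   # claims 10 / 13
        self.sections[i] = bytes(buf)
        return True

    def submit(self, op: str, offset: int, arg):
        """op is 'read' (arg = length) or 'write' (arg = plaintext). Returns the result,
        or None when the instruction was cached until its section finishes converting."""
        i = self._locate(offset, arg if op == "read" else len(arg))
        key = self._key_for(i)
        if key is None:
            self.queue.append((i, op, offset, arg))
            return None
        return self._apply(op, offset, arg, key, i)

    def _drain(self, i: int) -> None:
        pending = [q for q in self.queue if q[0] == i]
        self.queue = deque(q for q in self.queue if q[0] != i)
        for _, op, offset, arg in pending:   # claim 8: replay in arrival order with the first key
            self.completed.append((op, offset, self._apply(op, offset, arg, self.new_key, i)))


def run_demo() -> dict:
    """Constructed sample volume of three 16-byte sections; keys are placeholders."""
    k_old, k_new = b"old-disk-key-0000", b"new-disk-key-1111"
    disk = CloudDisk(b"section0-data!!!section1-data!!!section2-data!!!", 16, k_old)
    disk.begin_rekey(k_new, policy="queue")
    r = {"queued_read": disk.submit("read", 0, 8)}       # section 0 NOT_STARTED -> cached
    disk.convert_section(0)                              # cached read is served with the new key
    r["drained"] = list(disk.completed)
    # A write that lands while section 1 is IN_PROGRESS is cached, not applied to the
    # old ciphertext that is about to be overwritten.
    disk.convert_section(1, interleave=lambda: disk.submit("write", 16, b"NEWDATA1"))
    r["drained_after_write"] = list(disk.completed)
    r["read_done_section"] = disk.submit("read", 16, 8)
    disk.policy = "old_key"                              # claim 11 for the remaining section
    r["old_key_read"] = disk.submit("read", 40, 8)
    disk.finish_rekey()
    r["final_read"] = disk.submit("read", 32, 16)
    r["old_key_decrypts"] = xor_crypt(k_old, 2, 0, disk.sections[2]) == b"section2-data!!!"
    r["states"] = list(disk.state)
    return r
```

The `interleave` write in `run_demo` shows the hazard the state record exists for: had that write been applied to section 1 directly while the section was in the third state, the re-encrypted copy written back a moment later would have silently discarded it. Two checks a practitioner would add before trusting such a design: the per-section state must be persisted with the ciphertext, not held only in memory, so that a crash mid-rekey can tell converted sections from unconverted ones on restart; and both keys must stay available until the last section reports the first state, after which the second key can be destroyed.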
CN201811459432.3A 2018-11-30 2018-11-30 Yun Cipan secret key replacement method and device Active CN111262688B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811459432.3A CN111262688B (en) 2018-11-30 2018-11-30 Yun Cipan secret key replacement method and device

Publications (2)

Publication Number Publication Date
CN111262688A CN111262688A (en) 2020-06-09
CN111262688B true CN111262688B (en) 2023-04-25

Family

ID=70953708

Country Status (1)

Country Link
CN (1) CN111262688B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930223A (en) * 2012-09-21 2013-02-13 北京深思洛克软件技术股份有限公司 Method and system for protecting disk data

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009111687A (en) * 2007-10-30 2009-05-21 Fujitsu Ltd Storage device, and encrypted data processing method
US8495356B2 (en) * 2010-12-31 2013-07-23 International Business Machines Corporation System for securing virtual machine disks on a remote shared storage subsystem
CN106788994B (en) * 2016-12-06 2020-04-07 中国电子科技集团公司第三十二研究所 Key updating method suitable for cloud storage system
CN107563226B (en) * 2017-08-04 2020-05-12 海光信息技术有限公司 Memory controller, processor module and key updating method

Also Published As

Publication number Publication date
CN111262688A (en) 2020-06-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231208

Address after: Room 1-2-A06, Yungu Park, No. 1008 Dengcai Street, Sandun Town, Xihu District, Hangzhou City, Zhejiang Province

Patentee after: Aliyun Computing Co.,Ltd.

Address before: Box 847, four, Grand Cayman capital, Cayman Islands, UK

Patentee before: ALIBABA GROUP HOLDING Ltd.