CN111695166A - Disk encryption protection method and device - Google Patents
- Publication number: CN111695166A
- Application number: CN202010531450.9A
- Authority: CN (China)
- Prior art keywords: key, disk, storage slot, security chip, slot position
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
          - G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
            - G06F21/80—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
        - G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
          - G06F21/12—Protecting executable software
            - G06F21/121—Restricting unauthorised execution of programs
              - G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
        - G06F21/60—Protecting data
          - G06F21/602—Providing cryptographic facilities or services
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
  - G07—CHECKING-DEVICES
    - G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
      - G07C5/00—Registering or indicating the working of vehicles
        - G07C5/08—Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
          - G07C5/0841—Registering performance data
            - G07C5/0875—Registering performance data using magnetic data carriers
Abstract
This application discloses a disk encryption protection method and device and relates to the technical field of artificial intelligence. The scheme is as follows: the disk of a target device is encrypted and a key corresponding to the disk is generated, giving an encrypted disk; whether a security chip is present on the target device is detected, and the encryption mode of the key and the storage slot for the key parameter are determined according to the detection result. The encrypted disk has a plurality of storage slots, and the first storage slot stores the key parameter for encrypting the disk with a fixed password. Because different hardware is protected with different encryption modes, the security of the encrypted disk is improved; and because the first storage slot stores a key parameter based on a fixed password, the fixed-password encryption mode remains compatible with the installation of a conventional Linux system.
Description
Technical Field
The embodiment of the disclosure relates to the technical field of computers, in particular to an artificial intelligence technology, and discloses a disk encryption protection method and device.
Background
To prevent confidential data from being stolen offline, disk devices generally use disk encryption, and a conventional LUKS (Linux Unified Key Setup) disk encryption key is protected by a simple password or by a key file. Password protection requires manual input and does not meet the requirements of an autonomous driving system. With key-file protection, the file must be stored on an unencrypted disk, so its safety cannot be guaranteed.
Disclosure of Invention
A disk encryption protection method, device, equipment and storage medium are provided.
According to a first aspect, a disk encryption protection method is provided, including: encrypting a disk of a target device and generating a key corresponding to the disk to obtain an encrypted disk; detecting whether a security chip is present on the target device, and determining, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key, where the encrypted disk includes a plurality of storage slots and a first storage slot stores a password key parameter for encrypting the disk based on a fixed password.
According to a second aspect, a disk encryption protection device is provided, comprising: an encryption unit configured to encrypt a disk of the target device, generate a key corresponding to the disk and obtain an encrypted disk; and a determining unit configured to detect whether a security chip is present on the target device and to determine, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key, where the encrypted disk includes a plurality of storage slots and a first storage slot stores a password key parameter for encrypting the disk based on a fixed password.
According to a third aspect, an electronic device is provided, comprising: at least one processor; and a memory communicatively coupled to the at least one processor, where the memory stores instructions executable by the at least one processor so that the at least one processor can perform the method of any one of the first aspect.
According to a fourth aspect, a non-transitory computer-readable storage medium is provided, having computer instructions stored thereon, characterized in that the computer instructions cause a computer to perform the method of any of the above first aspects.
According to the technology of this application, the disk is protected with different encryption modes depending on the result of detecting a security chip on the target device, so the security of the encrypted disk is improved; and because the first storage slot stores a password key parameter for encrypting the disk based on a fixed password, the fixed-password encryption mode remains compatible with the installation of a conventional Linux system.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
FIG. 1 is an exemplary system architecture diagram in which one embodiment of the present disclosure may be applied;
FIG. 2 is a flow diagram for one embodiment of a disk encryption protection method according to the present disclosure;
FIG. 3 is a schematic diagram of an application scenario of a disk encryption protection method according to the present disclosure;
FIG. 4 is a flow diagram of yet another embodiment of a disk encryption protection method according to the present disclosure;
FIG. 5 is a schematic block diagram of one embodiment of a disk encryption protection apparatus according to the present disclosure;
FIG. 6 is a schematic structural diagram of a computer system of an electronic device/terminal device or server suitable for implementing embodiments of the present disclosure.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 illustrates an exemplary architecture 100 to which the disk encryption protection method and apparatus of the present application may be applied.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The terminal devices 101, 102, 103 may be hardware devices or software that support network connections for data interaction and data processing. When the terminal devices 101, 102, 103 are hardware, they may be various electronic devices that support information interaction, network connection, information processing and so on, including but not limited to smart phones, tablet computers, e-book readers, laptop computers, desktop computers and vehicle-mounted computers. When the terminal devices 101, 102, 103 are software, they can be installed in the electronic devices listed above, implemented for example as multiple pieces of software or software modules providing distributed services, or as a single piece of software or software module. This is not particularly limited here.
The server 105 may be a server that provides various services, such as a background processing server that performs disk encryption for the terminal devices 101, 102, 103. The background processing server can encrypt the disk of a terminal device and determine the encryption mode of the key and the storage slot for the key parameter corresponding to the key according to the result of detecting whether the target device is provided with a security chip. As an example, the server 105 may be a cloud server.
The server may be hardware or software. When the server is hardware, it may be implemented as a distributed server cluster formed by multiple servers, or may be implemented as a single server. When the server is software, it may be implemented as multiple pieces of software or software modules (e.g., software or software modules used to provide distributed services), or as a single piece of software or software module. And is not particularly limited herein.
It should be further noted that the disk encryption protection method provided by the embodiment of the present disclosure may be executed by a server, by a terminal device, or by the server and the terminal device in cooperation. Accordingly, each part (for example, each unit, sub-unit, module and sub-module) of the disk encryption protection apparatus may be provided entirely in the server, entirely in the terminal device, or distributed between the server and the terminal device.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. When the electronic device on which the disk encryption protection method operates does not need to perform data transmission with other electronic devices, the system architecture may only include the electronic device (e.g., a server or a terminal device) on which the disk encryption protection method operates.
With continued reference to FIG. 2, a flow 200 of one embodiment of a disk encryption protection method is shown, comprising the steps of:
Step 201: In this embodiment, the execution subject of the disk encryption protection method (for example, the terminal device or the server in FIG. 1) may encrypt the disk of the target device, generate a key corresponding to the disk, and obtain an encrypted disk.
As an example, the execution subject may encrypt the disk of the target device based on LUKS (Linux Unified Key Setup) technology, using among others the AES (Advanced Encryption Standard), CAST or Serpent encryption algorithm. LUKS is a standard for Linux hard disk encryption. By providing a standard on-disk format, LUKS not only facilitates compatibility between distributions but also provides secure management of multiple user passwords.
The target device may be any terminal device provided with a magnetic disk, and the target device may be, for example, a desktop computer, a vehicle-mounted computer, or the like shown in fig. 1.
The execution subject of this step may be a terminal device or a server. When the terminal device has the disk encryption function, the execution subject of this step may be that terminal device; when the server has the disk encryption function, the execution subject of this step may be that server.
Step 202: In this embodiment, the execution subject may detect whether the target device of step 201 is provided with a security chip and, according to the detection result, determine the encryption mode of the key and the storage slot for the key parameter corresponding to the key.
The encrypted disk includes a plurality of storage slots. For example, in a disk encrypted with LUKS, the encrypted partition consists of a volume header, an encrypted data area and so on; the volume header provides 8 key slots by default, and each slot can store the key parameter of a key obtained by a different encryption mode. A key together with its corresponding key parameter can be regarded as one key that decrypts the encrypted disk, and a LUKS-encrypted disk can be opened with any one of these keys.
In this embodiment, the first storage slot stores a password key parameter for encrypting the disk based on a fixed password, and the fixed-password encryption mode can be adapted to the installation of a conventional Linux system. As an example, the conventional Linux system may be Ubuntu. During installation of Ubuntu, a fixed password is entered manually when the disk is encrypted, and the password key parameter is stored in the first storage slot by default.
In this embodiment, any encryption method may be used to protect the key, including but not limited to white-box encryption, black-box encryption and binding the key to the system state. Binding the key to the system state means that when the state of any part of a preset system, such as the Basic Input/Output System (BIOS), the GRand Unified Bootloader (GRUB), the kernel or the initialization image (initrd), changes, the key can no longer be obtained, which further secures the key.
As an example, for a target device with a security chip, the execution subject may bind the key to the system state, store the key in the security chip in association with the preset system state, and store the key parameter in the second storage slot of the encrypted disk; for a target device without a security chip, the key is protected with white-box encryption, its ciphertext is stored in the LUKS header, and the key parameter is stored in the third storage slot of the encrypted disk.
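The "activated slot" that the later steps inspect is the LUKS key slot whose key material actually opened the disk, so a practitioner needs to read the header to see which slots hold key material at all. The following is an added example, not code from the patent or from any LUKS implementation: it parses the LUKS1 on-disk header (magic, cipher fields and the 8 key-slot descriptors, all big-endian) and reports the enabled slots. The header bytes are constructed inside the example; the mapping of the patent's first, second and third slots onto LUKS slot numbers 0, 1 and 2 is an assumption made here.

```python
"""Parse a LUKS1 volume header and report which of its 8 key slots are active.
Added example; the header bytes are constructed here, not read from a real disk."""
import struct
import uuid

LUKS_MAGIC = b"LUKS\xba\xbe"
KEYSLOT_ENABLED = 0x00AC71F3   # LUKS1 "active" marker
KEYSLOT_DISABLED = 0x0000DEAD  # LUKS1 "inactive" marker
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset, key-bytes,
# mk-digest, mk-digest-salt, mk-digest-iter, uuid -> 208 bytes
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
# active, iterations, salt, key-material-offset, stripes -> 48 bytes per slot
KEYSLOT_FMT = ">II32sII"
NUM_SLOTS = 8
HEADER_LEN = struct.calcsize(PHDR_FMT) + NUM_SLOTS * struct.calcsize(KEYSLOT_FMT)  # 592


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(buf):
    """Return the cipher parameters and the per-slot state of a LUKS1 header."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid_s) = struct.unpack_from(PHDR_FMT, buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 1:
        raise ValueError("only LUKS1 headers are parsed here, got version %d" % version)
    slots = []
    for i in range(NUM_SLOTS):
        offset = struct.calcsize(PHDR_FMT) + i * struct.calcsize(KEYSLOT_FMT)
        active, iters, salt, km_off, stripes = struct.unpack_from(KEYSLOT_FMT, buf, offset)
        if active not in (KEYSLOT_ENABLED, KEYSLOT_DISABLED):
            raise ValueError("slot %d has an unknown state 0x%08x" % (i, active))
        slots.append({"slot": i, "enabled": active == KEYSLOT_ENABLED,
                      "iterations": iters, "salt": salt,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
            "payload_offset": payload_off, "key_bytes": key_bytes,
            "mk_digest": mk_digest, "mk_digest_salt": mk_salt,
            "mk_digest_iter": mk_iter, "uuid": _cstr(uuid_s), "slots": slots}


def active_slots(buf):
    """Slot numbers that hold key material, i.e. the keys able to open this disk."""
    return [s["slot"] for s in parse_luks1_header(buf)["slots"] if s["enabled"]]


def build_sample_header(enabled):
    """Constructed sample header with the given LUKS slot numbers enabled."""
    hdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\x11" * 20, b"\x22" * 32, 1000,
                      str(uuid.UUID(int=0x1234)).encode())
    for i in range(NUM_SLOTS):
        state = KEYSLOT_ENABLED if i in enabled else KEYSLOT_DISABLED
        iters = 100_000 if state == KEYSLOT_ENABLED else 0
        hdr += struct.pack(KEYSLOT_FMT, state, iters, bytes([i]) * 32, 8 + i * 512, 4000)
    return hdr


if __name__ == "__main__":
    # Assumed mapping: the patent's first/second/third slots are LUKS slots 0/1/2.
    print(active_slots(build_sample_header({0, 1, 2})))
```

The parser rejects anything that is not a LUKS1 header and any slot marker other than the two defined values, which is the check to run before trusting a header that a device reports; LUKS2 uses a different (JSON-based) header and is out of scope here.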
With continued reference to FIG. 3, FIG. 3 is a schematic diagram of an application scenario of the disk encryption protection method of this embodiment. In the scenario of FIG. 3, a user is going to install an autonomous driving system on the vehicle-mounted computer 302 of a private car 301. The vehicle-mounted computer 302 encrypts its disk 303 and generates a key corresponding to the disk 303, obtaining an encrypted disk; the vehicle-mounted computer 302 then detects whether it is provided with a security chip and determines, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key, where the encrypted disk includes a plurality of storage slots and a password key parameter for encrypting the disk based on a fixed password is stored in the first storage slot.
According to the method provided by this embodiment of the disclosure, the disk is protected with different encryption modes depending on whether the hardware is provided with a security chip, so the security of the encrypted disk is improved; and because the first storage slot stores a password key parameter for encrypting the disk based on a fixed password, the fixed-password encryption mode remains compatible with the installation of a conventional Linux system.
With continuing reference to FIG. 4, an exemplary flow 400 of another embodiment of a disk encryption protection method according to the present application is shown and includes the steps of:
Step 404: in response to determining that the activated slot is the first storage slot, decrypt the encrypted disk with the fixed password and the password key parameter to obtain a decrypted disk.
In this embodiment, the execution subject may perform step 405 in the following specific manner:
Step 4051: in response to determining that the security chip is present on the target device, store the first update key in the security chip in association with the system state of the preset system;
Step 4052: in response to determining that the security chip is not present on the target device, white-box encrypt the first update key;
Step 4053: replace the fixed password with the first update key, and store the first update key parameter in the third storage slot.
Step 406: in response to determining that the activated slot is the second storage slot, determine whether the key matches the key parameter in the second storage slot.
Step 408: encrypt the decrypted disk to generate a second update key and a second update key parameter, and store the second update key in the security chip in association with the system state of the preset system.
Step 409: store the second update key parameter in the third storage slot.
Step 410: before upgrading the preset system, decrypt the encrypted disk, detect the slot activated during decryption, and determine whether the target device is provided with a security chip.
Step 412: encrypt the decrypted disk to generate an upgrade key and an upgrade key parameter.
Step 413: white-box encrypt the upgrade key, and store the upgrade key parameter in the second storage slot.
It should be noted that, besides the above, this embodiment of the disclosure may include the same or similar features and effects as the embodiment corresponding to FIG. 2, which are not described again here.
As can be seen from FIG. 4, compared with the embodiment corresponding to FIG. 2, the flow 400 of the disk encryption protection method in this embodiment highlights the disk decryption flow during installation, startup and upgrade of the preset system. Although this embodiment describes a complete installation, startup and upgrade sequence, an embodiment of the disk encryption protection method may include only the installation, the startup or the upgrade process on its own. In the scheme of this embodiment, the disk is decrypted automatically during installation, startup and upgrade of the preset system, which raises the degree of automation; when the target device has a security chip, the key is bound to the system state, so that the key cannot be obtained once the system state changes, which further secures the key; and the key is migrated during startup and upgrade of the preset system, so that whether or not the upgrade succeeds does not affect disk decryption at the next system start, which raises the degree of automation further.
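The flow of FIG. 2 and FIG. 4, as an added executable model that is not the patent's own code: it follows the slot assignment of step 202 (fixed password in slot 1; chip-bound key in slot 2 or white-box key in slot 3) and the re-keying of steps 404 to 413, in which the key alternates between a chip-bound slot and a white-box slot around each upgrade so that a changed boot chain can never lock the disk. The encrypted disk, the security chip (sealing a key to a measured boot state) and the "white-box" wrap (a secret embedded in the program image) are stand-ins constructed for this example, as are the password and the boot-state values; slot numbers follow the patent's own numbering (1, 2, 3).

```python
"""Executable model of the install/boot/upgrade key-migration flow (FIG. 2, FIG. 4).
Added example; disk, chip and white-box wrap are stand-ins, not the patent's code."""
import hashlib
import hmac
import secrets

FIXED_PASSWORD = b"installer-default-passphrase"  # constructed sample value
# Stand-in for white-box protection: the wrapping secret lives inside the program.
PROGRAM_EMBEDDED_SECRET = hashlib.sha256(b"white-box table placeholder").digest()
FIXED, CHIP, WHITEBOX = "fixed-password", "security-chip", "white-box"


def measure(state):
    """Digest of the boot chain (BIOS, GRUB, kernel, initrd), like a set of TPM PCRs."""
    h = hashlib.sha256()
    for name in sorted(state):
        h.update(name.encode() + b":" + state[name] + b"\n")
    return h.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SecurityChip:
    """Seals a 32-byte key to a measured system state; the root secret never leaves."""
    def __init__(self):
        self._root = secrets.token_bytes(32)

    def seal(self, key, state):
        digest = measure(state)
        return digest, xor(key, hmac.new(self._root, digest, "sha256").digest())

    def unseal(self, blob, state):
        digest, wrapped = blob
        if not hmac.compare_digest(digest, measure(state)):
            return None  # any changed boot component: the key cannot be obtained
        return xor(wrapped, hmac.new(self._root, digest, "sha256").digest())


class EncryptedDisk:
    """LUKS-style header model: each slot holds (mode, key parameter) that unwraps
    to the current volume key; re-encrypting the disk replaces the volume key."""
    def __init__(self):
        self.volume_key = secrets.token_bytes(32)
        self.slots = {}

    def store(self, slot, mode, key, chip=None, state=None):
        if mode == FIXED:
            salt = secrets.token_bytes(16)
            param = (salt, xor(key, hashlib.pbkdf2_hmac("sha256", FIXED_PASSWORD, salt, 10_000)))
        elif mode == CHIP:
            param = chip.seal(key, state)
        else:
            param = xor(key, PROGRAM_EMBEDDED_SECRET)
        self.slots[slot] = (mode, param)

    def unwrap(self, slot, chip, state):
        mode, param = self.slots[slot]
        if mode == FIXED:
            salt, wrapped = param
            return xor(wrapped, hashlib.pbkdf2_hmac("sha256", FIXED_PASSWORD, salt, 10_000))
        if mode == CHIP:
            return None if chip is None else chip.unseal(param, state)
        return xor(param, PROGRAM_EMBEDDED_SECRET)

    def unlock(self, chip=None, state=None):
        """Try the slots in order; return (volume key, activated slot) or (None, None)."""
        for slot in sorted(self.slots):
            candidate = self.unwrap(slot, chip, state)
            if candidate is not None and hmac.compare_digest(candidate, self.volume_key):
                return candidate, slot
        return None, None

    def rekey(self):
        """'Encrypt the decrypted disk again': new volume key, old parameters invalid."""
        self.volume_key = secrets.token_bytes(32)
        self.slots.clear()
        return self.volume_key


def install(disk, chip, state):
    """Installer puts the fixed password in slot 1; step 202 then adds slot 2 or slot 3."""
    disk.store(1, FIXED, disk.volume_key)
    if chip is not None:
        disk.store(2, CHIP, disk.volume_key, chip, state)
    else:
        disk.store(3, WHITEBOX, disk.volume_key)


def boot(disk, chip, state):
    """Steps 404-409: decrypt, then migrate the key according to the activated slot."""
    key, active = disk.unlock(chip, state)
    if key is None:
        return None
    if active == 1:  # steps 404, 4051-4053: retire the fixed password
        new_key = disk.rekey()
        if chip is not None:
            disk.store(3, CHIP, new_key, chip, state)
        else:
            disk.store(3, WHITEBOX, new_key)
    elif active == 2:  # steps 406-409; unlock() already verified the slot-2 key
        disk.store(3, CHIP, disk.rekey(), chip, state)
    return active


def upgrade(disk, chip, state):
    """Steps 410-413: before the upgrade, move a chip-bound key to white-box slot 2."""
    key, active = disk.unlock(chip, state)
    if key is not None and active == 3 and chip is not None:
        disk.store(2, WHITEBOX, disk.rekey())
    return active


def lifecycle(with_chip):
    """Install, boot twice, upgrade the kernel, boot again; returns the slot used each time."""
    chip = SecurityChip() if with_chip else None
    state = {"bios": b"1.0", "grub": b"2.04", "kernel": b"5.4", "initrd": b"img-a"}  # constructed
    disk = EncryptedDisk()
    install(disk, chip, state)
    used = [boot(disk, chip, state), boot(disk, chip, state), upgrade(disk, chip, state)]
    state = dict(state, kernel=b"5.10")  # the upgrade changed a measured component
    used.append(boot(disk, chip, state))
    return used
```

Running `lifecycle(True)` shows the alternation the text describes: the first boot retires the fixed password into chip-bound slot 3, the upgrade moves the key into white-box slot 2 before the kernel changes, and the next boot re-seals it to the new system state in slot 3. The model also shows the failure mode the binding is meant to produce: with a chip-bound key in slot 3 and no white-box slot, a modified GRUB or kernel makes `boot` return `None` instead of a volume key. Without a chip the key simply stays in white-box slot 3, which is the behaviour the page specifies for that case.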
With further reference to fig. 5, as an implementation of the methods shown in the above figures, the present disclosure provides an embodiment of a disk encryption protection apparatus, which corresponds to the embodiment of the method shown in fig. 2, and which may include the same or corresponding features as the embodiment of the method shown in fig. 2 and produce the same or corresponding effects as the embodiment of the method shown in fig. 2, in addition to the features described below. The device can be applied to various electronic equipment.
As shown in fig. 5, the disk encryption protection apparatus 500 of the present embodiment includes: an encryption unit 501 configured to encrypt a disk of a target device, generate a key corresponding to the disk, and obtain an encrypted disk; the determining unit 502 is configured to detect whether a security chip is disposed on the target device, and determine an encryption manner of the key and a storage slot position of a key parameter corresponding to the key according to a detection result, where the encrypted disk includes a plurality of storage slot positions, and a first storage slot position stores a password key parameter for encrypting the disk based on the fixed password.
In some embodiments, the determining unit 502 is further configured to: when a preset system is installed on the target device, white-box encrypt the key; and store the key parameter in the second storage slot in response to determining that the target device is provided with the security chip.
In some embodiments, the determining unit 502 is further configured to: store the key parameter in the third storage slot in response to determining that the target device is not provided with the security chip.
In some embodiments, the determining unit 502 is further configured to: when the preset system is started, detect the slot activated when the encrypted disk is decrypted; in response to determining that the activated slot is the first storage slot, decrypt the encrypted disk with the fixed password and the password key parameter to obtain a decrypted disk; and detect whether a security chip is present on the target device and determine, according to the detection result, the encryption mode of a first update key obtained by encrypting the decrypted disk again and the storage slot for the first update key parameter corresponding to the first update key.
In some embodiments, the determining unit 502 is further configured to: in response to determining that the security chip is present on the target device, store the first update key in the security chip in association with the system state of the preset system; in response to determining that the security chip is not present on the target device, white-box encrypt the first update key; and replace the fixed password with the first update key and store the update key parameter in the third storage slot.
In some embodiments, the determining unit 502 is further configured to: in response to determining that the activated slot is the second storage slot, determine whether the key matches the key parameter in the second storage slot; in response to the key matching the key parameter in the second storage slot, decrypt the encrypted disk with the key and the key parameter to obtain a decrypted disk; encrypt the decrypted disk to generate a second update key and a second update key parameter, and store the second update key in the security chip in association with the system state of the preset system; and store the second update key parameter in the third storage slot.
In some embodiments, the determining unit 502 is further configured to: before upgrading the preset system, decrypt the encrypted disk, detect the slot activated during decryption, and determine whether a security chip is present on the target device; in response to determining that the activated slot is the third storage slot and that the target device is provided with the security chip, decrypt the encrypted disk with the second update key and the second update key parameter to obtain a decrypted disk; encrypt the decrypted disk to generate an upgrade key and an upgrade key parameter; and white-box encrypt the upgrade key and store the upgrade key parameter in the second storage slot.
Referring now to fig. 6, the present application further provides an electronic device and a readable storage medium according to embodiments of the present application.
Fig. 6 is a block diagram of an electronic device 600 for a disk encryption protection method according to an embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in FIG. 6, the electronic device includes: one or more processors 601, a memory 602, and interfaces for connecting the various components, including a high-speed interface and a low-speed interface. The components are interconnected by different buses and may be mounted on a common motherboard or in other ways as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Likewise, multiple electronic devices may be connected, with each device providing part of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system). In FIG. 6, one processor 601 is taken as an example.
The memory 602 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by the at least one processor to cause the at least one processor to perform the disk encryption protection method provided by the present application. The non-transitory computer readable storage medium of the present application stores computer instructions for causing a computer to perform the disk encryption protection method provided by the present application.
The memory 602, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules (e.g., the encryption unit 501 and the determination unit 502 shown in fig. 5) corresponding to the disk encryption protection method in the embodiment of the present application. The processor 601 executes various functional applications and data processing of the server by running non-transitory software programs, instructions and modules stored in the memory 602, that is, implementing the disk encryption protection method in the above method embodiment.
The memory 602 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the electronic device of the disk encryption protection method, and the like. Further, the memory 602 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 602 optionally includes memory located remotely from the processor 601, and these remote memories may be connected over a network to the electronic device of the disk encryption protection method. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device of the disk encryption protection method may further include: an input device 603 and an output device 604. The processor 601, the memory 602, the input device 603 and the output device 604 may be connected by a bus or other means, and fig. 6 illustrates the connection by a bus as an example.
The input device 603 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device for disk encryption protection; examples include a touch screen, keypad, mouse, track pad, touch pad, pointer stick, one or more mouse buttons, track ball, joystick, or other input device. The output devices 604 may include a display device, auxiliary lighting devices (e.g., LEDs), and tactile feedback devices (e.g., vibrating motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
According to the technical scheme of the embodiments of the present application, the disk is protected by selecting different encryption modes for different hardware, which improves the security of the encrypted disk; the first storage slot stores a password key for encrypting the disk based on a fixed password, and this fixed-password encryption mode is compatible with the installation of a conventional Linux system.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, and the present invention is not limited thereto as long as the desired results of the technical solutions disclosed in the present application can be achieved.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.
Claims (16)
1. A disk encryption protection method, comprising the following steps:
encrypting a disk of a target device to obtain an encrypted disk and generating a key corresponding to the encrypted disk;
detecting whether a security chip is provided on the target device;
and determining, according to the detection result, an encryption mode of the key and a storage slot for a key parameter corresponding to the key, wherein the encrypted disk comprises a plurality of storage slots, and a password key parameter for encrypting the disk based on a fixed password is stored in a first storage slot.
2. The method of claim 1, wherein detecting whether a security chip is provided on the target device and determining, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key comprises:
when a preset system is installed on the target device, performing white-box encryption on the key;
and in response to determining that the target device is provided with a security chip, storing the key parameter in a second storage slot.
3. The method of claim 2, wherein detecting whether a security chip is provided on the target device and determining, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key further comprises:
and storing the key parameter in a third storage slot in response to determining that the target device is not provided with a security chip.
4. The method of claim 3, wherein detecting whether a security chip is provided on the target device and determining, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key further comprises:
when the preset system is started, detecting which slot is activated when the encrypted disk is decrypted;
in response to determining that the activated slot is the first storage slot, decrypting the encrypted disk with the fixed password and the password key parameter to obtain a decrypted disk;
and detecting whether a security chip is provided on the target device, and determining, according to the detection result, an encryption mode of a first updated key obtained by re-encrypting the decrypted disk and a storage slot for a first updated key parameter corresponding to the first updated key.
5. The method of claim 4, wherein detecting whether the target device is provided with a security chip and determining, according to the detection result, the encryption mode of the first updated key obtained by re-encrypting the decrypted disk and the storage slot for the first updated key parameter corresponding to the first updated key comprises:
in response to determining that the target device is provided with a security chip, storing the first updated key in the security chip in association with the system state of the preset system;
in response to determining that the target device is not provided with a security chip, performing white-box encryption on the first updated key;
and replacing the fixed password with the first updated key, and storing the first updated key parameter in a third storage slot.
6. The method of claim 4, wherein detecting whether a security chip is provided on the target device and determining, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key further comprises:
in response to determining that the activated slot is the second storage slot, determining whether the key matches the key parameter in the second storage slot;
in response to the key matching the key parameter in the second storage slot, decrypting the encrypted disk with the key and the key parameter to obtain a decrypted disk;
encrypting the decrypted disk to generate a second updated key and a second updated key parameter, and storing the second updated key in the security chip in association with the system state of the preset system;
and storing the second updated key parameter in a third storage slot.
7. The method according to any one of claims 1 to 6, wherein detecting whether a security chip is provided on the target device and determining, according to the detection result, the encryption mode of the key and the storage slot for the key parameter corresponding to the key further comprises:
before upgrading the preset system, decrypting the encrypted disk, detecting which slot is activated during decryption, and determining whether a security chip is provided on the target device;
in response to determining that the activated slot is the third storage slot and that a security chip is provided on the target device, decrypting the encrypted disk with the second updated key and the second updated key parameter to obtain a decrypted disk;
encrypting the decrypted disk to generate an upgrade key and an upgrade key parameter;
and performing white-box encryption on the upgrade key, and storing the upgrade key parameter in a second storage slot.
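The slot lifecycle that claims 1 to 7 describe, worked through as an added example; this is not code from the patent or its applicant. It models the encrypted disk header as numbered storage slots, each holding a key parameter (a salt plus a check value derived with PBKDF2, in the style of a LUKS key slot), and replaces the two components the claims leave abstract with labelled stand-ins: the security chip is a sealing table keyed by a measured system state, and "white-box encryption" is a device-bound mask. The fixed password, device identifier and system-state strings are constructed placeholders, not values from the patent.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

SLOT_FIXED, SLOT_WHITEBOX, SLOT_CHIP = 1, 2, 3   # slot numbering follows the claims
FIXED_PASSWORD = b"installer-fixed-password"      # constructed placeholder, not from the patent
DEVICE_ID = b"device-0001"                        # constructed placeholder, not from the patent
KeyParameter = namedtuple("KeyParameter", "salt check")   # what one storage slot holds

def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000, 32)

class EncryptedDisk:   # header of the encrypted disk: numbered storage slots, one key parameter each
    def __init__(self):
        self.slots = {}                              # slot number -> KeyParameter
    def add_slot(self, slot, key):
        salt = secrets.token_bytes(16)
        self.slots[slot] = KeyParameter(salt, hashlib.sha256(_kdf(key, salt)).digest())
    def key_matches(self, slot, key):                # does this key open this slot?
        p = self.slots.get(slot)
        return p is not None and hmac.compare_digest(hashlib.sha256(_kdf(key, p.salt)).digest(), p.check)
    def rekey(self, slot):                           # re-encrypt: new key, every old parameter stops matching
        key = secrets.token_bytes(32)
        self.slots.clear()
        self.add_slot(slot, key)
        return key

class SecurityChip:   # stand-in for a TPM-like chip: releases a key only under the state it was sealed to
    def __init__(self):
        self._sealed = {}
    def seal(self, key, system_state):
        self._sealed[hashlib.sha256(system_state).digest()] = key
    def unseal(self, system_state):
        return self._sealed.get(hashlib.sha256(system_state).digest())

def whitebox_wrap(key):
    """Stand-in for white-box encryption: a device-bound mask (a real white-box cipher embeds the key in lookup tables)."""
    mask = hmac.new(DEVICE_ID, b"whitebox-mask", hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(key, mask))
whitebox_unwrap = whitebox_wrap   # the mask is an involution

@dataclass
class Device:
    disk: EncryptedDisk
    chip: Optional[SecurityChip]
    system_state: bytes                    # measured boot state (PCR-like)
    whitebox_blob: Optional[bytes] = None  # white-box encrypted key kept by the boot code
    def activate(self):                    # boot code: (slot that can be activated, key that opens it)
        if self.disk.key_matches(SLOT_FIXED, FIXED_PASSWORD):
            return SLOT_FIXED, FIXED_PASSWORD
        k = self.chip.unseal(self.system_state) if self.chip else None
        if k is not None and self.disk.key_matches(SLOT_CHIP, k):
            return SLOT_CHIP, k
        k = whitebox_unwrap(self.whitebox_blob) if self.whitebox_blob else None
        for slot in (SLOT_WHITEBOX, SLOT_CHIP):
            if k is not None and self.disk.key_matches(slot, k):
                return slot, k
        raise PermissionError("no storage slot can be activated")

def install(dev):
    """Claims 1-3: fixed password in slot 1; white-box key parameter in slot 2 (chip) or slot 3 (no chip)."""
    dev.disk.add_slot(SLOT_FIXED, FIXED_PASSWORD)
    key = secrets.token_bytes(32)
    dev.whitebox_blob = whitebox_wrap(key)
    slot = SLOT_WHITEBOX if dev.chip else SLOT_CHIP
    dev.disk.add_slot(slot, key)
    return slot

def system_start(dev):
    """Claims 4-6: detect the activated slot and re-key. Returns (activated slot, slot written)."""
    slot, _key = dev.activate()
    if slot == SLOT_FIXED or (slot == SLOT_WHITEBOX and dev.chip):
        new_key = dev.disk.rekey(SLOT_CHIP)      # the fixed password (or upgrade key) is retired
        if dev.chip:                             # claims 5-6: seal to the current system state
            dev.chip.seal(new_key, dev.system_state)
            dev.whitebox_blob = None
        else:                                    # claim 5, no chip: white-box encrypt instead
            dev.whitebox_blob = whitebox_wrap(new_key)
        return slot, SLOT_CHIP
    return slot, slot                            # ordinary start, nothing rewritten

def before_upgrade(dev):
    """Claim 7: swap the state-sealed key for a white-box key, since the upgrade changes the system state."""
    slot, _key = dev.activate()
    if slot == SLOT_CHIP and dev.chip:
        dev.whitebox_blob = whitebox_wrap(dev.disk.rekey(SLOT_WHITEBOX))
        return slot, SLOT_WHITEBOX
    return slot, slot

def lifecycle(with_chip):
    """Install, first start, ordinary start, pre-upgrade, first start after the upgrade."""
    dev = Device(EncryptedDisk(), SecurityChip() if with_chip else None, b"kernel-v1")
    install(dev)
    steps = [system_start(dev), system_start(dev), before_upgrade(dev)]
    dev.system_state = b"kernel-v2"   # the upgrade changes the measured state
    return steps + [system_start(dev)]
```

`lifecycle(True)` returns `[(1, 3), (3, 3), (3, 2), (2, 3)]`: the installer's fixed password opens slot 1 once and is then replaced by a chip-sealed key in slot 3; before the upgrade the key moves to a white-box slot 2 precisely because the upgrade changes the measured state the chip sealed against; the first start afterwards finds slot 2 active and re-seals a fresh key under the new state. Without a chip the white-box key simply stays in slot 3 (`[(1, 3), (3, 3), (3, 3), (3, 3)]`). The property a defender wants from the sealed path is visible in the model too: with a changed boot state and no white-box key present, `activate()` finds no slot it can open.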
8. A disk encryption protection apparatus, comprising:
an encryption unit configured to encrypt a disk of a target device, generate a key corresponding to the disk and obtain an encrypted disk;
and a determining unit configured to detect whether a security chip is provided on the target device, and to determine, according to the detection result, an encryption mode of the key and a storage slot for a key parameter corresponding to the key, wherein the encrypted disk comprises a plurality of storage slots, and a first storage slot stores the key parameter for encrypting the disk based on a fixed password.
9. The apparatus of claim 8, wherein the determining unit is further configured to: when a preset system is installed on the target device, perform white-box encryption on the key; and in response to determining that the target device is provided with a security chip, store the key parameter in a second storage slot.
10. The apparatus of claim 9, wherein the determining unit is further configured to:
store the key parameter in a third storage slot in response to determining that the target device is not provided with a security chip.
11. The apparatus of claim 10, wherein the determining unit is further configured to: when the preset system is started, detect which slot is activated when the encrypted disk is decrypted; in response to determining that the activated slot is the first storage slot, decrypt the encrypted disk with the fixed password and the password key parameter to obtain a decrypted disk; and detect whether a security chip is provided on the target device, and determine, according to the detection result, an encryption mode of a first updated key obtained by re-encrypting the decrypted disk and a storage slot for a first updated key parameter corresponding to the first updated key.
12. The apparatus of claim 11, wherein the determining unit is further configured to: in response to determining that the target device is provided with a security chip, store the first updated key in the security chip in association with the system state of the preset system; in response to determining that the target device is not provided with a security chip, perform white-box encryption on the first updated key; and replace the fixed password with the first updated key, and store the first updated key parameter in a third storage slot.
13. The apparatus of claim 11, wherein the determining unit is further configured to: in response to determining that the activated slot is the second storage slot, determine whether the key matches the key parameter in the second storage slot; in response to the key matching the key parameter in the second storage slot, decrypt the encrypted disk with the key and the key parameter to obtain a decrypted disk; encrypt the decrypted disk to generate a second updated key and a second updated key parameter, and store the second updated key in the security chip in association with the system state of the preset system; and store the second updated key parameter in a third storage slot.
14. The apparatus of any one of claims 8 to 13, wherein the determining unit is further configured to: before upgrading the preset system, decrypt the encrypted disk, detect which slot is activated during decryption, and determine whether a security chip is provided on the target device; in response to determining that the activated slot is the third storage slot and that a security chip is provided on the target device, decrypt the encrypted disk with the second updated key and the second updated key parameter to obtain a decrypted disk; encrypt the decrypted disk to generate an upgrade key and an upgrade key parameter; and perform white-box encryption on the upgrade key, and store the upgrade key parameter in a second storage slot.
15. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
16. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-6.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010531450.9A CN111695166B (en) | 2020-06-11 | 2020-06-11 | Disk encryption protection method and device |
JP2021053753A JP7203880B2 (en) | 2020-06-11 | 2021-03-26 | Disk encryption protection method and apparatus, electronic device, computer readable storage medium and computer program |
KR1020210041287A KR102490490B1 (en) | 2020-06-11 | 2021-03-30 | Method and device for magnetic disk encryption protection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010531450.9A CN111695166B (en) | 2020-06-11 | 2020-06-11 | Disk encryption protection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111695166A true CN111695166A (en) | 2020-09-22 |
CN111695166B CN111695166B (en) | 2023-06-06 |
Family
ID=72480461
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010531450.9A Active CN111695166B (en) | 2020-06-11 | 2020-06-11 | Disk encryption protection method and device |
Country Status (3)
Country | Link |
---|---|
JP (1) | JP7203880B2 (en) |
KR (1) | KR102490490B1 (en) |
CN (1) | CN111695166B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113407964B (en) * | 2021-06-17 | 2024-02-13 | 上海明略人工智能(集团)有限公司 | Method, system, device, electronic equipment and readable storage medium for information encryption |
WO2023085217A1 (en) | 2021-11-15 | 2023-05-19 | 株式会社レゾナック | Inspection condition presenting device, surface inspecting device, inspection condition presenting method, and program |
CN115001702B (en) * | 2022-05-19 | 2024-07-09 | 浪潮思科网络科技有限公司 | Method, system, equipment and medium for encrypting and decrypting switch board card |
CN115147956B (en) * | 2022-06-29 | 2024-06-14 | 中国第一汽车股份有限公司 | Data processing method, device, electronic equipment and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120151199A1 (en) * | 2010-12-09 | 2012-06-14 | International Business Machines Corporation | Secure Encrypted Boot With Simplified Firmware Update |
CN102930223A (en) * | 2012-09-21 | 2013-02-13 | 北京深思洛克软件技术股份有限公司 | Method and system for protecting disk data |
CN106130721A (en) * | 2016-08-14 | 2016-11-16 | 北京数盾信息科技有限公司 | A kind of express network storage encryption equipment |
US20170364903A1 (en) * | 2014-08-22 | 2017-12-21 | Eduardo Lopez | Embedding cloud-based functionalities in a communication device |
CN107679425A (en) * | 2017-09-26 | 2018-02-09 | 天津麒麟信息技术有限公司 | A kind of credible startup method of the joint full disk encryption based on firmware and USBkey |
CN108171067A (en) * | 2017-12-28 | 2018-06-15 | 山东超越数控电子股份有限公司 | A kind of hard disk encryption method and device |
CN109190401A (en) * | 2018-09-13 | 2019-01-11 | 郑州云海信息技术有限公司 | A kind of date storage method, device and the associated component of Qemu virtual credible root |
CN109787756A (en) * | 2018-12-24 | 2019-05-21 | 吉林微思智能科技有限公司 | A kind of car-mounted terminal key distribution management method based on whitepack encryption technology |
CN110188555A (en) * | 2019-05-28 | 2019-08-30 | 深信服科技股份有限公司 | A kind of hard disk data protection method, system and associated component |
US20190354685A1 (en) * | 2018-05-21 | 2019-11-21 | Kct Holdings, Llc | Apparatus and method for secure router with layered encryption |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8745386B2 (en) | 2010-06-21 | 2014-06-03 | Microsoft Corporation | Single-use authentication methods for accessing encrypted data |
JP2016025616A (en) | 2014-07-24 | 2016-02-08 | レノボ・シンガポール・プライベート・リミテッド | Method for protecting data stored in disk drive, and portable computer |
JP2016181836A (en) * | 2015-03-24 | 2016-10-13 | キヤノン株式会社 | Information processor, cryptographic device, control method of information processor and program |
WO2017156417A1 (en) | 2016-03-11 | 2017-09-14 | Feng Youlin | Systems and methods for data encryption and decryption |
Application Events
- 2020-06-11: CN application CN202010531450.9A, patent CN111695166B, status active
- 2021-03-26: JP application JP2021053753A, patent JP7203880B2, status active
- 2021-03-30: KR application KR1020210041287A, patent KR102490490B1, status IP Right Grant
Non-Patent Citations (1)
Title |
---|
Zhihu, Linux China: "Encrypt your hard disk with LUKS", https://zhuanlan.zhihu.com/p/36870751 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112905120A (en) * | 2021-02-19 | 2021-06-04 | 山东英信计算机技术有限公司 | Lock disc upgrading method and device, electronic equipment and storage medium |
CN112905120B (en) * | 2021-02-19 | 2023-08-04 | 山东英信计算机技术有限公司 | Lock disc upgrading method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
JP7203880B2 (en) | 2023-01-13 |
JP2021185472A (en) | 2021-12-09 |
CN111695166B (en) | 2023-06-06 |
KR20210047285A (en) | 2021-04-29 |
KR102490490B1 (en) | 2023-01-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111695166B (en) | Disk encryption protection method and device | |
JP5940159B2 (en) | Method, computer program, device and apparatus for provisioning an operating system image to an untrusted user terminal | |
EP3084671B1 (en) | Automatic strong identity generation for cluster nodes | |
CN107408172B (en) | Securely booting a computer from a user-trusted device | |
US9779032B2 (en) | Protecting storage from unauthorized access | |
CN111464297B (en) | Transaction processing method, device, electronic equipment and medium based on block chain | |
US9160542B2 (en) | Authorizing use of a test key signed build | |
KR20050039548A (en) | Providing secure input and output to a trusted agent in a system with a high-assurance execution environment | |
EP3494482B1 (en) | Systems and methods for storing administrator secrets in management controller-owned cryptoprocessor | |
EP3921749B1 (en) | Device and method for authenticating application in execution environment in trust zone | |
CN114363088B (en) | Method and device for requesting data | |
US10296730B2 (en) | Systems and methods for automatic generation and retrieval of an information handling system password | |
US9772954B2 (en) | Protecting contents of storage | |
KR102368208B1 (en) | File leakage prevention based on security file system and commonly used file access interface | |
US20230409339A1 (en) | Muscle/memory wire lock of device component(s) | |
US9239937B2 (en) | Targeted security policy override | |
US11088923B2 (en) | Multi-stage authorization | |
KR102568514B1 (en) | Electronic device and method of operating the same | |
KR102565414B1 (en) | Data transmission with obfuscation using an obfuscation unit for a data processing(dp) accelerator | |
US9742725B2 (en) | Network address identification | |
CN114861207A (en) | Data processing method and device, electronic equipment and computer readable storage medium | |
CN116361818A (en) | Automatic security verification for access management controllers | |
CN113779543A (en) | Software authentication method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
2021-10-14 | TA01 | Transfer of patent application right | Address after: 100176 101, floor 1, building 1, yard 7, Ruihe West 2nd Road, Beijing Economic and Technological Development Zone, Daxing District, Beijing. Applicant after: Apollo Intelligent Connectivity (Beijing) Technology Co., Ltd. Address before: 2 / F, Baidu building, 10 Shangdi 10th Street, Haidian District, Beijing 100085. Applicant before: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd. |
| GR01 | Patent grant | |