CN111741068A - Virtual machine mirror image chain key model and data encryption key transmission method thereof - Google Patents

Publication number: CN111741068A
Authority: CN (China)
Prior art keywords: key, image, virtual machine, chain, file
Legal status: Granted, currently active (status as listed by Google Patents, not a legal conclusion)
Application number: CN202010430111.1A
Other languages: Chinese (zh)
Other versions: CN111741068B (en)
Inventors: 卿昱, 王进, 刘晓毅, 万抒, 尚旭, 金鑫, 崔阳, 林琦力
Current assignee: China Electronic Technology Cyber Security Co Ltd
Original assignee: China Electronic Technology Cyber Security Co Ltd
Application filed by: China Electronic Technology Cyber Security Co Ltd
Priority: CN202010430111.1A (priority date and filing date 2020-05-20)
Publications: CN111741068A (2020-10-02); granted as CN111741068B (2022-03-18)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention discloses a virtual machine image chain key model and a data encryption key transmission method for it. The image chain key model comprises an active image, and the active image comprises a back-end image, an image file 0, an encryption module 0 and a key ID 0. From the perspective of data security on the virtual machine image chain, the invention defines a method for defining different file keys on the image chain and a method for matching files with keys, strengthens the management and transmission mechanism of the file chain data encryption keys of the virtual machine image, allows the file encryption keys on the image chain to be defined flexibly as required, further improves the security isolation and protection of user data in the image chain, and can effectively protect user data.

Description

Virtual machine image chain key model and data encryption key transmission method thereof
Technical Field
The invention relates to the field of virtual machine image data encryption, in particular to a virtual machine image chain key model and a data encryption key transmission method for it.
Background
With the large-scale deployment of virtualization systems in enterprise information systems, a large amount of enterprise user data is stored on virtual machine disks, so the security of virtual machine disk data becomes increasingly important, and a reliable and flexible key management and transmission method is needed to encrypt and protect virtual machine images against data leakage.
A virtual machine typically comprises one or more virtual disks provided by virtual machine images organized in a chain structure. One node on the chain is called a snapshot; each snapshot points to a corresponding back-end file, and together they form the virtual machine image chain. A virtualization system generally builds a virtual machine template from a virtual machine image and then creates new virtual machines from that template quickly and in batches; each new virtual machine contains the data of the original virtual machine in the template plus the data it adds itself. Different new virtual machines created from the same template are encrypted and protected with the same key, so a leak of that key exposes the data of all of them. To solve this problem, the ability to isolate and encrypt different files on the image chain with different keys must be provided, which makes key management and key transmission for encrypting the different files on the image chain a major difficulty.
At present, the industry only supports encrypting the files on an image chain with a single key, does not support isolating the files on the image chain with different keys, and lacks support for the following:
key isolation for a virtual machine created from a template;
key isolation for a virtual machine created from a snapshot.
Disclosure of the Invention
The invention aims to strengthen the isolation protection that the virtualization platform gives to virtual machine image data: each virtual machine uses an independent key, so that the data of a single user's virtual machine is securely isolated, and even each virtual machine image uses an independent key, so that the data of a single file on a snapshot chain is securely isolated.
The purpose of the invention is realized by the following technical scheme:
A virtual machine image chain key model comprises an active image, wherein the active image comprises a back-end image, an image file 0, an encryption module 0 and a key ID 0;
the back-end image is a back-end file and comprises its own back-end image, an image file, an encryption module and a key ID.
Further, the active image and the back-end image each include a back-end file definition module.
The invention also provides a data encryption key transmission method, which comprises the following steps:
step 1: matching the image file of the active image with its key;
step 2: matching the image file of the back-end file with its key.
Further, step 1 specifically comprises the following steps:
step 1-1: generating a random key 0 that encrypts the key for transmission;
step 1-2: looking up key 0, and encrypting key 0 to generate key ciphertext 0;
step 1-3: generating a key alias 0, and establishing the matching relation between random key 0 and key ciphertext 0.
Further, key 0 is looked up according to the key ID 0 defined by the active image.
Further, step 2 specifically comprises the following steps:
step 2-1: generating a random key i that encrypts the key for transmission;
step 2-2: looking up key i, and encrypting key i to generate key ciphertext i;
step 2-3: matching key ciphertext i with key alias i according to the path of back-end file i defined in the image chain;
step 2-4: repeating steps 2-1 to 2-3 for the further back-end files defined in back-end file i.
Further, key i is looked up according to the key ID i defined in the back-end image.
Further, the method also comprises the following step:
all random keys are transmitted through a file, and the key ciphertexts, key aliases and encryption algorithm are transmitted through the virtual machine start command.
The main scheme and the further optional schemes can be freely combined to form a number of schemes, all of which are adopted and claimed by the invention; any non-conflicting option can be combined with the others. A person skilled in the art, having understood the scheme of the invention, will appreciate from the prior art and common general knowledge that there are many such combinations, all of which are technical solutions protected by the invention; they are not enumerated exhaustively here.
The beneficial effects of the invention are: compared with the existing simple virtual machine image key definition model and matching method, the invention defines, from the perspective of data security on the virtual machine image chain, a method for defining different file keys on the image chain and a method for matching files with keys, strengthens the management and transmission mechanism of the file chain data encryption keys of the virtual machine image, allows the file encryption keys on the image chain to be defined flexibly as required, further improves the security isolation and protection of user data in the image chain, and can effectively protect user data.
Drawings
FIG. 1 is a schematic diagram of the virtual machine image chain key definition model;
FIG. 2 is a simplified diagram of the image and key matching relationship;
FIG. 3 shows the process of matching back-end files with keys on the image chain.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
To strengthen the isolation protection that the virtualization platform gives to virtual machine image data, each virtual machine must use an independent key, so that the data of a single user's virtual machine is securely isolated; even each virtual machine image uses an independent key, so that the data of a single file on a snapshot chain is securely isolated. The invention studies the management and transmission mechanism of virtual machine image encryption keys based on libvirt and QEMU, and provides a method that isolates and protects user data by using different encryption keys for different files on the virtual machine image chain.
The invention is mainly divided into two functional parts:
1. a method for defining the keys of different files on an image chain;
2. a method for matching files with keys on an image chain.
1. Method for defining keys of different files on an image chain
Currently, virtual machine image keys only support a simple definition model: the key and encryption mode of the active image can be defined, but an independent key and encryption mode for a back-end file cannot. On the basis of the existing implementation, the invention improves the key definition method, proposes a virtual machine image chain key definition model based on the storage structure of the virtual machine image chain, and supports flexible definition of independent encryption modes and keys for back-end files. The improved virtual machine image chain key definition model is shown in FIG. 1:
In the virtual machine image chain key definition model, following the organization of the virtual machine image chain, which resembles a singly linked list, the definition of the active image contains the definition information of the back-end file 1 it points to, the definition of back-end file 1 contains the definition information of the back-end file 2 it points to, and so on step by step, so that the active image definition describes the complete image chain. The virtual machine image chain key definition model defines this format within the virtual disk definition of the virtual machine XML domain as follows:
[The XML disk definition is given in the original as three figures (BDA0002500239860000041, BDA0002500239860000051, BDA0002500239860000061) that are not reproduced on this page.]
Both the active image and the back-end file comprise an image file, a back-end file, the encryption mode of the image file and the key ID, so the active image and the back-end file can be abstracted into one unified structure in the code implementation, which simplifies design and implementation.
2. Method for matching files with keys on an image chain
Currently, virtual machine images only support a simple image and key matching relationship: the key and encryption mode of the active image are defined and automatically applied to the back-end file; an independent key and encryption mode for a back-end file cannot be defined flexibly. Key transmission uses a random key for encryption protection, the encrypted data and the random key are transmitted by different routes, and a key alias establishes the matching relation between the encrypted data and the random key. The simple image and key matching relationship is shown in FIG. 2:
Simple image and key matching procedure:
1. generate a random key 0 that encrypts the key for transmission;
2. look up key 0 according to the key ID 0 defined by the active image, and encrypt key 0 to generate key ciphertext 0;
3. generate a key alias 0, establish the matching relation between random key 0 and key ciphertext 0, and transmit them through the command line and a file, joined by the key alias.
On the basis of the simple image and key matching process, the invention provides a method for matching back-end files with keys on the image chain based on the virtual machine image chain key definition model: a back-end file path and a key alias are defined in the metadata of the active image and of each back-end file, and by matching the back-end file path and alias with the key ID defined in the virtual machine XML domain, the key ciphertext information matching that key ID is associated with the file.
The process of matching back-end files with keys on the image chain is shown in FIG. 3 and comprises:
1. generate a random key 0 that encrypts the key for transmission;
2. look up key 0 according to the key ID 0 defined by the active image, and encrypt key 0 to generate key ciphertext 0;
3. generate a key alias 0, and establish the matching relation between random key 0 and key ciphertext 0;
4. according to the back-end file information defined for the active image in the virtual machine XML domain:
a) generate a random key 1 that encrypts the key for transmission;
b) look up key 1 according to the key ID 1 defined in the back-end file, and encrypt key 1 to generate key ciphertext 1;
c) match key ciphertext 1 with key alias 1 according to the back-end file path defined in the image chain;
d) if back-end file 1 itself defines a back-end file, continue the process for it;
5. transmit all random keys through a file, and transmit the key ciphertexts, key aliases and encryption algorithm through the command line.
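As an added worked example (not code from the patent, and not libvirt's or QEMU's own code), the following Python models both parts described on this page: the chain key definition model of section 1, with the active image and each back-end file abstracted into one node structure, and the matching walk of section 2 that produces the two separately transmitted channels. The disk XML, its key_id and encryption attribute names, the sec0/sec1 alias scheme and the XOR key wrapping are assumptions made for illustration; the nesting only imitates the shape of libvirt's backingStore element, and the attributes are not real libvirt attributes.

```python
"""Image chain key model and per-file key matching (added example)."""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample disk definition (assumption, not the patent's figures).
# Each level carries the patent's four fields: image file path, back-end
# file (the nested element), encryption mode and key ID.
SAMPLE_DISK_XML = """
<disk type="file" device="disk">
  <source file="/vms/user1/active.qcow2" key_id="key-active-0" encryption="aes-256-xts"/>
  <backingStore type="file">
    <source file="/templates/app-snapshot.qcow2" key_id="key-snap-1" encryption="aes-256-xts"/>
    <backingStore type="file">
      <source file="/templates/base-os.qcow2" key_id="key-base-2" encryption="aes-256-xts"/>
    </backingStore>
  </backingStore>
</disk>
"""


@dataclass
class ChainNode:
    """One unified node, used for the active image and every back-end file."""
    path: str
    encryption: str
    key_id: str
    backing: Optional["ChainNode"] = None


def parse_chain(xml_text: str) -> ChainNode:
    """Turn the nested <backingStore> elements into a singly linked chain."""
    def build(elem: ET.Element) -> ChainNode:
        src = elem.find("source")
        if src is None:
            raise ValueError("disk element without <source>")
        node = ChainNode(src.get("file"), src.get("encryption"), src.get("key_id"))
        child = elem.find("backingStore")
        if child is not None and child.find("source") is not None:
            node.backing = build(child)   # step by step, as in the model
        return node
    return build(ET.fromstring(xml_text.strip()))


def chain_paths(head: ChainNode) -> List[str]:
    """Flatten the chain, active image first; a cycle means a malformed chain."""
    paths, node = [], head
    while node is not None:
        if node.path in paths:
            raise ValueError(f"cycle in image chain at {node.path}")
        paths.append(node.path)
        node = node.backing
    return paths


def xor_wrap(random_key: bytes, data_key: bytes) -> bytes:
    """Encrypt (or decrypt) a data key under a same-length random key.

    A one-time XOR is an illustrative stand-in that keeps the example to
    the standard library; a deployment would use a standard key-wrap cipher."""
    if len(random_key) != len(data_key):
        raise ValueError("random key must have the data key's length")
    return bytes(a ^ b for a, b in zip(random_key, data_key))


def match_chain_keys(head: ChainNode, key_store: Dict[str, bytes]):
    """Walk the chain as in steps 1 to 5 above.

    Returns file_channel (alias -> random key, sent through a file) and
    cmdline_channel ((alias, ciphertext, encryption mode, path) records,
    sent through the VM start command)."""
    file_channel: Dict[str, bytes] = {}
    cmdline_channel: List[Tuple[str, bytes, str, str]] = []
    node, i = head, 0
    while node is not None:
        if node.key_id not in key_store:
            raise KeyError(f"no key for key ID {node.key_id!r} ({node.path})")
        data_key = key_store[node.key_id]            # look up key i by key ID i
        random_key = os.urandom(len(data_key))       # fresh random key i
        ciphertext = xor_wrap(random_key, data_key)  # key ciphertext i
        alias = f"sec{i}"                            # key alias i joins both channels
        file_channel[alias] = random_key
        cmdline_channel.append((alias, ciphertext, node.encryption, node.path))
        node, i = node.backing, i + 1                # continue with the next back-end file
    return file_channel, cmdline_channel


def recover_data_key(path: str, file_channel, cmdline_channel) -> bytes:
    """Consumer side: locate the record by file path, join the two channels
    through the alias and unwrap that file's data key."""
    for alias, ciphertext, _encryption, rec_path in cmdline_channel:
        if rec_path == path:
            return xor_wrap(file_channel[alias], ciphertext)
    raise KeyError(f"no key record for {path}")
```

The split the patent relies on is visible in the two return values: a party that only sees the start command holds ciphertexts and aliases, a party that only sees the key file holds random keys with nothing to apply them to, and because every node carries its own data key and its own random key, a leaked key affects that file alone rather than every virtual machine built from the same template.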
While the foregoing shows and describes a preferred embodiment of the invention, it is to be understood, as noted above, that the invention is not limited to the form disclosed herein; the description is not intended to be exhaustive or to exclude other embodiments, and the invention may be used in various other combinations, modifications and environments and may be modified within the scope of the inventive concept described herein by the above teachings or by the skill or knowledge of the relevant art. Modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. A virtual machine image chain key model, characterized in that it comprises an active image, wherein the active image comprises a back-end image, an image file 0, an encryption module 0 and a key ID 0;
the back-end image is a back-end file and comprises its own back-end image, an image file, an encryption module and a key ID.
2. The virtual machine image chain key model of claim 1, characterized in that the active image and the back-end image each comprise a back-end file definition module.
3. A data encryption key transmission method, characterized in that it comprises the following steps:
step 1: matching the image file of the active image with its key;
step 2: matching the image file of the back-end file with its key.
4. The data encryption key transmission method according to claim 3, characterized in that step 1 specifically comprises the following steps:
step 1-1: generating a random key 0 that encrypts the key for transmission;
step 1-2: looking up key 0, and encrypting key 0 to generate key ciphertext 0;
step 1-3: generating a key alias 0, and establishing the matching relation between random key 0 and key ciphertext 0.
5. The data encryption key transmission method according to claim 4, characterized in that key 0 is looked up according to the key ID 0 defined by the active image.
6. The data encryption key transmission method according to claim 3, characterized in that step 2 specifically comprises the following steps:
step 2-1: generating a random key i that encrypts the key for transmission;
step 2-2: looking up key i, and encrypting key i to generate key ciphertext i;
step 2-3: matching key ciphertext i with key alias i according to the path of back-end file i defined in the image chain;
step 2-4: repeating steps 2-1 to 2-3 for the further back-end files defined in back-end file i.
7. The data encryption key transmission method according to claim 6, characterized in that key i is looked up according to the key ID i defined in the back-end image.
8. The data encryption key transmission method according to any one of claims 4 to 7, characterized in that it further comprises the following step:
all random keys are transmitted through a file, and the key ciphertexts, key aliases and encryption algorithm are transmitted through the virtual machine start command.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010430111.1A CN111741068B (en) 2020-05-20 2020-05-20 Data encryption key transmission method

Publications (2)

Publication Number Publication Date
CN111741068A (en) 2020-10-02
CN111741068B (en) 2022-03-18

Family

ID=72647458

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010430111.1A Active CN111741068B (en) 2020-05-20 2020-05-20 Data encryption key transmission method

Country Status (1)

Country Link
CN (1) CN111741068B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103069428A (en) * 2010-06-07 2013-04-24 思科技术公司 Secure virtual machine bootstrap in untrusted cloud infrastructures
CN103107994A (en) * 2013-02-06 2013-05-15 中电长城网际系统应用有限公司 Virtualization environment data security partition method and system
CN103516728A (en) * 2013-10-14 2014-01-15 武汉大学 Mirror image encryption and decryption method for preventing cloud platform virtual machine illegal starting
CN104156659A (en) * 2014-08-14 2014-11-19 电子科技大学 Embedded system secure start method
WO2016106566A1 (en) * 2014-12-30 2016-07-07 华为技术有限公司 Method, apparatus and system for encryption/decryption in virtualization system
CN106293994A (en) * 2015-05-15 2017-01-04 株式会社日立制作所 Virtual machine cloning process in NFS and NFS
CN106911744A (en) * 2015-12-23 2017-06-30 北京神州泰岳软件股份有限公司 The management method and managing device of a kind of image file
CN107493204A (en) * 2016-06-13 2017-12-19 阿里巴巴集团控股有限公司 The method and device of a kind of microscope testing
CN107943556A (en) * 2017-11-10 2018-04-20 中国电子科技集团公司第三十二研究所 KMIP and encryption card based virtualized data security method
US20190044927A1 (en) * 2018-09-27 2019-02-07 Intel Corporation Technologies for providing secure utilization of tenant keys
CN109814978A (en) * 2018-12-15 2019-05-28 华南理工大学 Across cluster moving method and system based on more OpenStack platforms
US20200034458A1 (en) * 2018-07-25 2020-01-30 Commvault Systems, Inc. Distributed and scalable client-based storage management
CN110806919A (en) * 2019-09-25 2020-02-18 苏州浪潮智能科技有限公司 Method and system for protecting virtual machine image in cloud environment
CN110955901A (en) * 2019-10-12 2020-04-03 烽火通信科技股份有限公司 Storage method and server for virtual machine image file of cloud computing platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JUAN WANG ET AL.: "Towards a Trusted Launch Mechanism for Virtual Machines in Cloud Computing", International Conference on Cloud Computing *
龙恺 et al.: "Security Threats of Virtual Machine Monitors and Their Mitigation Measures", 信息安全与通信保密 (Information Security and Communications Privacy) *

Also Published As

Publication number Publication date
CN111741068B (en) 2022-03-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant