CN113806756A

CN113806756A - Disk data encryption method, disk data decryption method, disk data encryption device, disk data decryption device, disk data encryption equipment and disk data decryption equipment

Info

Publication number: CN113806756A
Application number: CN202010546080.6A
Authority: CN
Inventors: 申宗泽
Original assignee: Beijing Long Teng Rong Zhi Information Technology Co ltd
Current assignee: Beijing Long Teng Rong Zhi Information Technology Co ltd
Priority date: 2020-06-16
Filing date: 2020-06-16
Publication date: 2021-12-17

Abstract

The embodiment of the application discloses a disk data encryption method, a disk data decryption device, a disk data encryption equipment and a disk data storage medium, wherein the encryption method comprises the following steps: acquiring an encryption request of data to be encrypted; responding to the encryption request, and acquiring a working key of a target logic unit where data to be encrypted in the target disk array is located; carrying out hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key; and encrypting the data to be encrypted by using the sector block key to obtain corresponding ciphertext data. The embodiment of the application adopts the combination of the double keys of the working key and the sector block key, ensures that each sector of each logic unit of each disk array uses different sector block keys, improves the availability and the usability of storage encryption and decryption, and ensures the safety of the storage encryption and decryption.

Description

Disk data encryption method, disk data decryption method, disk data encryption device, disk data decryption device, disk data encryption equipment and disk data decryption equipment

Technical Field

The present application relates to the field of disk data processing technologies, and in particular, to a disk data encryption method, decryption method, device, apparatus, and storage medium.

Background

Disk encryption is an underlying encryption that depends only on the format of the disk. The disk encryption is to directly write the corresponding ciphertext obtained by encrypting the plaintext data into the corresponding position of the disk, and perform decryption operation when the encrypted information needs to be read, so as to recover the ciphertext into the corresponding plaintext. However, the conventional encryption method is not suitable for the disk data because the encryption method expands the plaintext data.

In 2002, Moses Liskov, Ronald l.rivest and David Wagner proposed for the first time an adjustable Block cipher (TBC) for the features of disk encryption, which, compared to the conventional Block cipher, adds an input, called an adjustable value (Tweak), in addition to two inputs, namely an encryption key and a plaintext to be encrypted. Common adjustable block cipher algorithms include a narrow block cipher algorithm and a wide block cipher algorithm, wherein Xor encryption (Xor-Encrypt-Xor, XEX) in the narrow block cipher algorithm is an adjustable block cipher algorithm for encryption and decryption of data of a disk sector, and an adjustable value is expressed as a combination of a disk array number, a logical unit number and a sector address.

The conventional XEX adjustable block cipher algorithm is characterized in that an adjustable value is generated directly through combination of a disk array number, a logic unit number and a sector address, and then an encrypted plaintext is encrypted directly by combining the adjustable value and an encryption key.

Disclosure of Invention

The application provides a disk data encryption method, a disk data decryption device, a disk data encryption device and a disk data storage medium, aims to solve the problem that in the prior art, different sectors of the same disk use the same encryption key to encrypt plaintext data, so that the safety is low, ensures that each sector uses different keys when the disk sector data is encrypted and decrypted, and improves the safety of storage encryption.

In a first aspect, the present application provides a disk data encryption method, which is applied to a fiber channel storage crypto machine, where the fiber channel storage crypto machine is located in a storage area network system, the storage area network system further includes a memory in communication connection with the fiber channel storage crypto machine, the memory includes a plurality of disk arrays, the plurality of disk arrays include a target disk array where data to be encrypted is located, and the method includes:

acquiring an encryption request of data to be encrypted;

responding to the encryption request, and acquiring a working key of a target logic unit where the data to be encrypted is located in the target disk array;

carrying out Hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key;

and encrypting the data to be encrypted by using the sector block key to obtain corresponding ciphertext data.

In a possible implementation manner of this application, the obtaining a working key of a target logical unit in which the data to be encrypted is located in the target disk array includes:

acquiring a logic unit number of a target logic unit in which the data to be encrypted is located in the target disk array;

acquiring a logic block key factor randomly generated in advance;

and encrypting the logic unit number of the target logic unit according to the logic block key factor to obtain a working key of the target logic unit in which the data to be encrypted is located in the target disk array.

In a possible implementation manner of the present application, the performing hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key includes:

performing series connection processing on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be encrypted is located to obtain a connection string;

performing hash operation on the connection string to obtain a first hash;

dividing the first hash into a second hash and a third hash according to the byte number;

and carrying out XOR processing on each byte of the second hash and each byte of the third hash in sequence according to byte number to obtain the sector block key.

In a possible implementation manner of this application, before the obtaining of the working key of the target logical unit in which the data to be encrypted is located in the target disk array, the method further includes:

acquiring the logic unit number of each logic unit of the plurality of disk arrays;

acquiring a working key corresponding to each logic unit randomly generated in advance;

and generating a key mapping relation table according to the logic unit numbers of the logic units of the disk arrays and the working keys corresponding to the logic units, wherein in the key mapping relation table, the logic unit numbers of the logic units of the disk arrays correspond to the working keys corresponding to the logic units one by one.

acquiring the disk array numbers of the plurality of disk arrays;

and generating a disk mapping table according to the disk array numbers of the multiple disk arrays and the logic unit numbers of the logic units of the multiple disk arrays, wherein the disk array numbers of the multiple disk arrays in the disk mapping table correspond to the logic unit numbers of the logic units of the multiple disk arrays one by one.

On the other hand, the application provides a disk data decryption method, which is applied to a fiber channel storage cryptographic machine, the fiber channel storage cryptographic machine is located in a storage area network system, the storage area network system further comprises a memory in communication connection with the fiber channel storage cryptographic machine, the memory comprises a plurality of disk arrays, the plurality of disk arrays comprise target disk arrays where data to be decrypted is located, and the method comprises the following steps:

receiving a fiber channel protocol message sent by a memory;

analyzing the optical fiber channel protocol message to obtain the logic unit number information of the target logic unit where the data to be decrypted is located and the sector address of the target sector where the data to be decrypted is located;

calling a key mapping relation table, wherein the key mapping relation table reflects the corresponding relation between the logic unit numbers of the logic units of the plurality of disk arrays and the working keys corresponding to the logic units;

searching and obtaining a working key corresponding to the target logic unit according to the logic unit number information of the target logic unit;

calling a disk mapping table, wherein the disk mapping table reflects the corresponding relation between the disk array numbers of the multiple disk arrays and the logic unit numbers of the logic units of the multiple disk arrays;

searching and obtaining the disk array number information of the target disk array corresponding to the target logic unit according to the logic unit number information of the target logic unit;

carrying out Hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be decrypted is located by using the working key to obtain a sector block key;

and decrypting the data to be decrypted by using the sector block key to obtain corresponding decrypted data.

On the other hand, the present application further provides a disk data encryption apparatus, including:

the acquisition module is used for acquiring an encryption request of data to be encrypted;

a working key obtaining module, configured to respond to the encryption request and obtain a working key of a target logic unit in which the data to be encrypted is located in the target disk array;

a sector block key generation module, configured to perform hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and a sector address of a target sector where the data to be encrypted is located, using the working key, to obtain a sector block key;

and the encryption module is used for encrypting the data to be encrypted by utilizing the sector block key to obtain corresponding ciphertext data.

In a possible implementation manner of the present application, the work key obtaining module is specifically configured to:

acquiring a logic block key factor randomly generated in advance;

In a possible implementation manner of the present application, the sector block key generation module is specifically configured to:

performing hash operation on the connection string to obtain a first hash;

In a possible implementation manner of the present application, the disk data encryption apparatus further includes a key mapping table module, where the key mapping table module is specifically configured to:

In a possible implementation manner of the present application, the disk data encryption apparatus further includes a disk mapping table module, where the disk mapping table module is specifically configured to:

acquiring the disk array numbers of the plurality of disk arrays;

On the other hand, the present application further provides a disk data decryption apparatus, including:

the receiving module is used for receiving the fiber channel protocol message sent by the memory;

the analysis module is used for analyzing the optical fiber channel protocol message to obtain the logic unit number information of the target logic unit where the data to be decrypted is located and the sector address of the target sector where the data to be decrypted is located;

a key mapping relation table calling module, configured to call a key mapping relation table, where the key mapping relation table reflects a correspondence between logical unit numbers of the logical units of the multiple disk arrays and working keys corresponding to the logical units;

the working key searching module is used for searching and obtaining a working key corresponding to the target logic unit according to the logic unit number information of the target logic unit;

the disk mapping table calling module is used for calling a disk mapping table, and the disk mapping table reflects the corresponding relation between the disk array numbers of the multiple disk arrays and the logic unit numbers of the logic units of the multiple disk arrays;

the disk array searching module is used for searching and obtaining the disk array number information of the target disk array corresponding to the target logic unit according to the logic unit number information of the target logic unit;

a sector block key generation module, configured to perform hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and a sector address of a target sector where the data to be decrypted is located by using the working key, to obtain a sector block key;

and the decryption module is used for decrypting the data to be decrypted by using the sector block key to obtain corresponding decrypted data.

In another aspect, the present application also provides an apparatus, comprising:

one or more processors;

a memory; and

one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the processor to implement the method of any of the above aspects.

In another aspect, the present application also provides a computer-readable storage medium, on which a computer program is stored, the computer program being loaded by a processor to perform the steps in the method of any one of the above aspects.

In the application, the data to be encrypted is not directly encrypted by using the working key, but the hash operation is performed on the disk array number of the target disk array where the data to be encrypted is located, the logical unit number of the target logical unit and the sector address of the target sector by using the working key to obtain the sector block key, and the data to be encrypted is processed by using the sector block key. In essence, the sector block key of the present application guarantees key security according to space division, and since the logical unit numbers of each logical unit of the same disk array are different, the working keys corresponding to each logical unit are also different, and further the sector block key of each sector of each logical unit is also different; for different disk arrays, even if the same logic unit has the same working key, because the disk array numbers of each disk array are different, the sector block keys of the same sector on the same logic unit numbers of different disk arrays are also different, so that the application adopts the combination of the working key and the sector block key double keys to ensure that each sector of each logic unit of each disk array uses different sector block keys, improve the availability and the usability of storage encryption and decryption, and ensure the safety of storage encryption and decryption.

Drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

FIG. 1 is a schematic diagram of a storage area network system according to an embodiment of the present disclosure;

FIG. 2 is a schematic diagram of another scenario of a storage area network system provided in an embodiment of the present application;

FIG. 3 is a flowchart illustrating an embodiment of a disk data encryption method provided in an embodiment of the present application;

FIG. 4 is a flowchart illustrating an embodiment of step 302 in an embodiment of the present application;

FIG. 5 is a schematic flow chart diagram illustrating an embodiment of step 303 in the present application;

FIG. 6 is a flowchart illustrating a disk data encryption method provided in an embodiment of the present application;

FIG. 7 is a flowchart illustrating a disk data encryption method provided in an embodiment of the present application;

FIG. 8 is a flowchart illustrating an embodiment of a disk data decryption method provided in an embodiment of the present application;

FIG. 9 is a schematic structural diagram of an embodiment of a disk data encryption apparatus provided in an embodiment of the present application;

fig. 10 is a schematic structural diagram of an embodiment of a disk data decryption apparatus provided in an embodiment of the present application;

fig. 11 is a schematic structural diagram of an embodiment of the apparatus provided in the embodiments of the present application.

Detailed Description

The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.

In the description of the present application, it is to be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are used merely for convenience of description and for simplicity of description, and do not indicate or imply that the referenced device or element must have a particular orientation, be constructed in a particular orientation, and be operated, and thus should not be considered as limiting the present application. Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first", "second", may explicitly or implicitly include one or more of the described features. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.

In this application, the word "exemplary" is used to mean "serving as an example, instance, or illustration. Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. The following description is presented to enable any person skilled in the art to make and use the application. In the following description, details are set forth for the purpose of explanation. It will be apparent to one of ordinary skill in the art that the present application may be practiced without these specific details. In other instances, well-known structures and processes are not set forth in detail in order to avoid obscuring the description of the present application with unnecessary detail. Thus, the present application is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

Some basic concepts involved in the embodiments of the present application are first described below:

storage Area Network (SAN): a SAN is a high-speed, storage-specific Network, typically independent of a Local Area Network (LAN). A SAN connects different data storage devices together to form a storage network. The user can add or delete nodes to the network, so that data backup and archiving and data protection can be easily realized.

Fibre channel Storage Area Network (FC-SAN): FC-SAN is usually composed of a Fibre Channel (FC) connected to a disk array, and in an FC-SAN network, data communication between a server and a client is performed by a Small Computer System Interface (SCSI) command instead of a Transmission Control Protocol/Internet Protocol (TCP/IP), and data processing is performed at a "Block Level" (Block Level). The FC-SAN takes data storage as a center, adopts a scalable network topology structure, provides multiple selectable data exchanges between any nodes in the FC-SAN through a direct connection mode of a fiber channel with high transmission rate, and concentrates data storage management in a relatively independent storage area network. The FC-SAN network is connected between the application server and the storage device formed by the storage array through a fabric Switch (FC Switch).

Fibre channel storage ciphers (SecFC): namely an FC storage cryptographic engine, in an FC-SAN network using an encryption mechanism, the FC storage cryptographic engine is used for encrypting and decrypting data of a plurality of disk arrays.

Embodiments of the present application provide a disk data encryption method, a disk data decryption method, an apparatus, a device, and a storage medium, which are described in detail below.

Referring to fig. 1, fig. 1 is a schematic view of a scenario of a storage area network system according to an embodiment of the present application, where the storage area network system may include: the storage 400 comprises a plurality of disk arrays, wherein the plurality of disk arrays comprise a target disk array where data to be encrypted is located, and the plurality of disk arrays are in communication connection with the fibre channel storage cryptographic machine 300. In this embodiment, the Fibre Channel storage cryptographic machine 300 and the memory 400 may communicate with each other in a FC Protocol (FCP) based communication manner, and the Fibre Channel storage cryptographic machine 300 is used to implement a data encryption and decryption mechanism based on the FC Protocol, and can implement centralized protection on the content of the memory 400. Referring to fig. 1, the memory 400 includes three disk arrays, which are a disk array a, a disk array B, and a disk array C, it should be noted that the memory according to the embodiment of the present application may further include more or less disk arrays, and the specific number is selected according to an actual application scenario, and is not limited herein.

In addition, the storage area network system according to the embodiment of the present application may further include other devices capable of communicating with the fibre channel cryptographic machine 300, as shown in fig. 2, the storage area network system according to the embodiment of the present application may further include: the system comprises at least one server 100 and a fiber switch 200, wherein the fiber channel storage crypto-machine 300 is in communication connection with the fiber switch 200, and the fiber channel storage crypto-machine 300 is in communication connection with the at least one server 100 through the fiber switch 200. The fibre channel storage cipher machine 300 analyzes the FC protocol between the server 100 and the memory 400 in the storage area network system, encrypts data in a write data request frame from the server side to the memory side, and decrypts data in a read data reply frame from the memory side to the server side, so as to ensure that the data stored in the memory 400 after passing through the fibre channel storage cipher machine 300 is a cipher, and the server 100 can still see a plaintext after passing through the fibre channel storage cipher machine 300 without changing the use of the memory 400.

In this embodiment, the server 100 may be an independent server, or may be a server network or a server cluster composed of servers, for example, the server 100 described in this embodiment includes, but is not limited to, a computer, a network host, a single network server, a plurality of network server sets, or a cloud server composed of a plurality of servers. Among them, the Cloud server is constituted by a large number of computers or web servers based on Cloud Computing (Cloud Computing). At least one Storage 400 is connected to each server 100 for storing data Of the servers 100, wherein each Storage 400 may be a Storage Device known in the art, such as one or more interconnected disk drives Of a Redundant array Of independent Disks (RAID), a cluster Of Disks (JBOD), a Direct Access Storage Device (DASD), such as a tape Storage Device Of one or more Storage units.

The fibre channel storage crypto-engine 300 may be deployed in front of the memory 400 or the server 100 without changing the original network topology. The fibre channel storage crypto-engine 300 may be accessed before the memory 400 or before the server 100.

The fibre channel storage crypto-engine 300 in the embodiment of the present application is mainly used for: acquiring an encryption request of data to be encrypted; responding to the encryption request, and acquiring a working key of a target logic unit where the data to be encrypted is located in the target disk array; carrying out Hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key; and encrypting the data to be encrypted by using the sector block key to obtain corresponding ciphertext data.

Fibre channel FC has three common topologies: a Point-to-Point (Point-to-Point) structure, a fibre Channel arbitrated Loop (FC _ AL), and a fibre Switch (FC Switch) transport network (FC _ Fabric), wherein the intermediate transport network composed of fibre switches (FC switches) is called FC Switched network (FC Switched Fabric). The topology shown in fig. 2 is that an FC storage crypto-engine 300 is deployed before disk arrays A, B and C. Assuming that server a mounts LUN0 virtual disk of disk array a, when server a stores data to the disk, the data of each sector is encrypted by FC storage crypto 300 using a specific key; when server a reads data from the disk, each sector of data is decrypted by FC storage crypto engine 300 using a specific key. The data of each sector on LUN0 of disk array a is ciphertext, and the data seen by server a is always plaintext.

The above is an example of a topology with an optical fiber switch, and it can be understood that the technical solution of the embodiment of the present application can also be implemented without an optical fiber switch in an FC-SAN network, and does not form a limitation on the technical solution provided by the embodiment of the present application.

It should be noted that the scenario diagrams of the storage area network systems shown in fig. 1 and fig. 2 are only examples of the solution of the present application, and the storage area network systems and the scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the embodiments of the present application, other application scenarios may also include more or less memories 400 than shown in fig. 1 and 2, e.g., only 1 memory 400 is shown in fig. 1, it being understood that, the storage area network system may further include one or more other memories in communication with the fibre channel storage crypto-engine 300, and as will be appreciated by those skilled in the art, with the evolution of SAN systems and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.

First, an embodiment of the present application provides a disk data encryption method, where an execution main body of the disk data encryption method is a disk data encryption device, the disk data encryption device is applied to a fiber channel storage crypto engine 300, the fiber channel storage crypto engine 300 is located in a storage area network system, the storage area network system further includes a memory 400 communicatively connected to the fiber channel storage crypto engine 300, the memory 400 includes a plurality of disk arrays, the plurality of disk arrays include a target disk array where data to be encrypted is located, and the disk data encryption method includes: acquiring an encryption request of data to be encrypted; responding to the encryption request, and acquiring a working key of a target logic unit where the data to be encrypted is located in the target disk array; carrying out Hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key; and encrypting the data to be encrypted by using the sector block key to obtain corresponding ciphertext data.

Fig. 3 is a schematic flowchart of an embodiment of a disk data encryption method in an embodiment of the present application, where the disk data encryption method includes:

301. and acquiring an encryption request of data to be encrypted.

In this embodiment, the manner in which the fibre channel storage cryptographic machine 300 obtains the encryption request may be that, in a storage area network system, when the server 100 initiates an encryption request for encrypting data in a write data request frame of the memory 400, the fibre channel storage cryptographic machine 300 analyzes an FC protocol between the server 100 and the memory 400, so as to obtain an encryption request for encrypting data in the write data request frame, that is, obtain an encryption request for data to be encrypted.

302. And responding to the encryption request, and acquiring a working key of a target logic unit in which the data to be encrypted is located in the target disk array.

In this embodiment, the data to be encrypted is located in the target logical unit of the target disk array in the memory 400, and each logical unit of each disk array possesses a unique work key. Before encryption and decryption are performed by using the fibre channel storage crypto engine 300, the device administrator assigns a unique disk array number to each disk array, assigns a logical unit number to a logical unit of each disk array, and assigns a sector address to a sector of each logical unit. In a specific embodiment, after the optical fiber channel storage crypto-engine 300 is powered on and passes the authentication, a corresponding working key is generated for each logic unit of each disk array, and in a general case, the optical fiber channel storage crypto-engine 300 can store at most 1024 ciphertext information of the working keys, so that, after the optical fiber channel storage crypto-engine 300 passes the power-on authentication, the optical fiber channel storage crypto-engine 300 can generate 1024 working keys at one time, and store the ciphertext information of each working key and the corresponding relationship between the logic unit and the working key in a protocol parsing engine (FPGA) of the optical fiber channel storage crypto-engine 300, so as to search the working key corresponding to the target logic unit from the protocol parsing engine when responding to the encryption request. Specifically, the encryption request in the embodiment of the present application includes a fibre channel protocol packet sent by the server 100 to the memory 400, and by analyzing a Command Description Block (CDB) of the fibre channel protocol packet, the logical unit number information of the target logical unit in which the data to be encrypted is located may be obtained, and according to the logical unit number information, the working key corresponding to the target logical unit may be found and obtained.

It should be noted that, in some other application scenarios, the working key in this embodiment may also be generated in real time according to the relevant information of the data to be encrypted when responding to the encryption request, and is not limited herein.

303. And carrying out Hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key.

In a specific embodiment, the Hash operation uses an SM3 cryptographic Hash algorithm, and uses a working key as a key of the SM3 cryptographic Hash algorithm, and under a Hash-based Message Authentication Code (HMAC) mode of the SM3 cryptographic Hash algorithm, Hash processing is performed on a disk array number of a target disk array where data to be encrypted is located, a logical unit number of the target logical unit where the data to be encrypted is located, and a sector address of a target sector where the data to be encrypted is located, so as to obtain the sector block key. In this embodiment, since the logical unit number of each logical unit and the sector address of each sector block in the same disk array are different, the sector block key of each sector of each logical unit is different; although the same logical unit has the same logical unit number and the sector address of the same sector under the same logical unit is the same for different disk arrays, the sector block key of each sector of each logical unit under each disk array is different because the disk array number of each disk array is different.

In the embodiment of the present application, the sector block key is used for encrypting data of a disk sector in the optical fiber channel, and the disk array number of each disk array, the logical unit number of each logical unit, and the sector block address of each sector correspond to each other one to one, and the corresponding relationship may be stored in a protocol parsing engine (FPGA) of the optical fiber channel storage crypto machine 300.

304. And encrypting the data to be encrypted by using the sector block key to obtain corresponding ciphertext data.

In this embodiment, since each sector of each logical unit under each disk array uses a different sector block key, the sector block keys used for encrypting different data to be encrypted in the memory 400 are different. In a specific embodiment, when the target sector performs data write operation of the data to be encrypted, the sector block key of the target sector of the target logic unit is dynamically calculated and obtained in step 303, and when the target sector of the target logic unit completes the data write operation of the data to be encrypted, the sector block key corresponding to the target sector is immediately destroyed, so that the encryption of the data to be encrypted is completed, and the corresponding ciphertext data is obtained.

In the embodiment of the application, the working key is not directly used for encrypting the data to be encrypted, but the working key is used for carrying out hash operation on the disk array number of the target disk array where the data to be encrypted is located, the logic unit number of the target logic unit and the sector address of the target sector to obtain the sector block key, and the sector block key is used for processing the data to be encrypted. In essence, the sector block key of the present application guarantees key security according to space division, and since the logical unit numbers of each logical unit of the same disk array are different, the working keys corresponding to each logical unit are also different, and further the sector block key of each sector of each logical unit is also different; for different disk arrays, even if the same logical unit has the same working key, since the disk array numbers of each disk array are different, the sector block keys of the same sector on the same logical unit numbers of different disk arrays are also different, so that the embodiment of the application adopts the combination of the working key and the sector block key, ensures that each sector of each logical unit of each disk array uses different sector block keys, improves the availability and the usability of storage encryption and decryption, and ensures the security of storage encryption and decryption.

As shown in fig. 4, in some embodiments of the present application, the obtaining the working key of the target logical unit in which the data to be encrypted is located in the target disk array in step 302 may further include:

401. and acquiring the logic unit number of the target logic unit in which the data to be encrypted is positioned in the target disk array.

In this embodiment, before encryption and decryption are performed by using the fibre channel storage cryptographic machine 300, the device administrator assigns a unique disk array number to each disk array, assigns a logical unit number to a logical unit of each disk array, and assigns a sector address to a sector of each logical unit. After the fibre channel storage crypto machine 300 obtains the encryption request, it parses the FC protocol packet initiated by the server 100, and obtains the logical unit number of the target logical unit where the data to be encrypted is located according to the Command Description Block (CDB) of the FC protocol packet.

402. And acquiring a logic block key factor randomly generated in advance.

In one embodiment, the storage area network system further comprises a random number generator communicatively coupled to the fibre channel storage crypto-engine 300, the random number generator generating a logical block key factor for each logical unit, each logical block key factor being 128 bits in length; it should be noted that the logical block key factor in the embodiment of the present application may also be generated by a built-in random number generation program in the fibre channel storage crypto machine 300, and is not limited herein.

403. And encrypting the logic unit number of the target logic unit according to the logic block key factor to obtain a working key of the target logic unit in which the data to be encrypted is located in the target disk array.

The working modes of the Block Cipher of the fibre channel storage Cipher machine 300 include an Electronic Code Book (ECB) mode, a Cipher Block Chaining (CBC) mode, a Cipher Feedback (CFB) mode, an Output Feedback (OFB) mode and a Counter (CTR) mode, in this embodiment, the block cipher mode of operation of the fibre channel storage cipher machine 300 is an Electronic Code Book (ECB) mode, encrypting the logic unit number of the target logic unit, specifically, under an ECB mode, taking a logic block key factor as a key, and encrypting the logic unit number of the target logic unit by adopting an SM4 cryptographic algorithm, wherein the packet length and the key length of the SM4 cryptographic algorithm are both 128 bits, the encryption algorithm and the key expansion algorithm both adopt 32-round nonlinear iteration structures, and an S box is a fixed 8-bit input 8-bit output. Assuming that LBK represents the working key, LKF represents the logical block key factor, LUNID represents the logical unit number of the target logical unit, and ECB _ MODE represents the electronic codebook MODE, the working key is calculated as:

LBK＝SM4(LKF，LUNID，ECB_MODE)

because the logic unit numbers of each logic unit are different, the working keys corresponding to each logic unit are different; although the same logical unit has the same operation key in different disk arrays, the sector block keys of the same sector of the same logical unit in different disk arrays are different because the disk array numbers of the disk arrays are different.

As shown in fig. 5, in some embodiments of the application, the performing, in step 303, a hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key may further include:

501. and performing series connection processing on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be encrypted is located to obtain a connection string.

Assuming that mesig represents a connection string, TID represents a disk array number of a target disk array, LUNID represents a logical unit number of a target logical unit, LBA represents a sector address of a target sector, LBK represents a work key, SBK represents a sector block key, where LBK is 128 bits, SBK is 16 bits, TID is 6 bits, LUNID is 19 bits, and LBA is 64 bits, a calculation formula of the connection string is:

MESG＝LBA||LUNID||TID

where, | | represents string concatenation.

502. And carrying out Hash operation on the connection string to obtain a first Hash.

In this embodiment, the Hash operation is performed on the connection string, specifically, under a Hash-based Message Authentication Code (HMAC) mode of the SM3 cryptographic Hash algorithm, the Hash operation is performed on the connection string with the work key as the key, assuming that HMAC represents a first Hash, LBK represents the work key, MESG represents the connection string, and SM3_ HMAC represents the HMAC mode of the SM3 cryptographic Hash algorithm, the calculation formula of the first Hash is:

HMAC＝SM3_HMAC(LBK，MESG)

in this embodiment, the first hash obtained by the calculation using the above calculation formula is 32 bits.

503. And dividing the first hash according to the byte number, and equally dividing the first hash into a second hash and a third hash.

In this embodiment, the first hash is divided equally by the number of bytes, and then the second hash and the third hash are both 16 bits, the second hash is represented as HMAC [ i ], and the third hash is represented as HMAC [ i +15], where i is 0, 1.

504. And carrying out XOR processing on each byte of the second hash and each byte of the third hash in sequence according to byte number to obtain the sector block key.

Assuming that the SBK represents a sector block key, the sector block key is calculated as:

SBK[i]＝HMAC[i]^HMAC[i+15]，for i＝0,1,...,15

where SBK [ i ] represents the ith byte of the sector block key and ^ represents an XOR operation.

As shown in fig. 6, in some embodiments of the present application, before the obtaining the working key of the target logical unit in which the data to be encrypted is located in the target disk array, the method may further include:

601. and acquiring the logic unit number of each logic unit of the plurality of disk arrays.

In this embodiment, the logical unit numbers are assigned to the logical units of each disk array by the device administrator before the encryption and decryption are performed by using the fibre channel storage crypto engine 300, the logical unit numbers of the logical units of the same disk array are different, and the logical unit numbers of the same logical unit of different disk arrays are the same.

602. And acquiring the working key corresponding to each logic unit randomly generated in advance.

In a specific embodiment, after the fiber channel storage cryptographic engine 300 is powered on and passes the authentication, the corresponding working key is generated for each logical unit of each disk array, and in a normal case, the fiber channel storage cryptographic engine 300 can store at most the ciphertext information of 1024 working keys, so that after the fiber channel storage cryptographic engine 300 passes the power-on authentication, the fiber channel storage cryptographic engine 300 can generate 1024 working keys at one time.

603. And generating a key mapping relation table according to the logic unit numbers of the logic units of the disk arrays and the working keys corresponding to the logic units, wherein in the key mapping relation table, the logic unit numbers of the logic units of the disk arrays correspond to the working keys corresponding to the logic units one by one.

In the embodiment of the present application, the key mapping relationship table is stored in a protocol parsing engine (FPGA) of the fibre channel storage crypto machine 300, and reflects a one-to-one correspondence between the logic unit numbers of the logic units of the plurality of disk arrays and the working keys corresponding to the logic units.

As shown in fig. 7, in some embodiments of the present application, before the obtaining the working key of the target logical unit in which the data to be encrypted is located in the target disk array, the method may further include:

701. and acquiring the disk array numbers of the plurality of disk arrays.

In this embodiment, the serial number of the disk array is an identifier that uniquely identifies the disk array and is allocated to each disk array by the device administrator before encryption and decryption are performed by using the fibre channel storage cryptographic machine 300, and therefore the serial numbers of the disk arrays are different.

702. And acquiring the logic unit number of each logic unit of the plurality of disk arrays.

703. And generating a disk mapping table according to the disk array numbers of the multiple disk arrays and the logic unit numbers of the logic units of the multiple disk arrays, wherein the disk array numbers of the multiple disk arrays in the disk mapping table correspond to the logic unit numbers of the logic units of the multiple disk arrays one by one.

In this embodiment, the disk mapping table is stored in a protocol parsing engine (FPGA) of the fibre channel storage crypto engine 300, and reflects a one-to-one correspondence between the disk array numbers of the plurality of disk arrays and the logic unit numbers of the logic units of the plurality of disk arrays.

As shown in fig. 8, which is a flowchart illustrating an embodiment of a disk data decryption method in this embodiment of the present application, the disk data decryption method is applied to a fiber channel storage cryptographic machine 300, the fiber channel storage cryptographic machine 300 is located in a storage area network system, the storage area network system further includes a memory 400 communicatively connected to the fiber channel storage cryptographic machine 300, the memory 400 includes a plurality of disk arrays, the plurality of disk arrays include a target disk array where data to be decrypted is located, and the disk data decryption method includes:

801. and receiving a fiber channel protocol message sent by the memory.

In this embodiment, in the storage area network system, when the memory 400 initiates a decryption request for decrypting data in the read data request frame of the server 100, the fibre channel storage cryptographic machine 300 receives a fibre channel protocol message sent by the memory 400 to the server 100.

802. And analyzing the optical fiber channel protocol message to obtain the logic unit number information of the target logic unit where the data to be decrypted is located and the sector address of the target sector where the data to be decrypted is located.

Specifically, when the fibre channel storage cryptographic machine 300 receives a fibre channel protocol packet sent by the memory 400 to the server 100, the FC protocol between the server 100 and the memory 400 is firstly analyzed, and since a Command Description Block (CDB) of the fibre channel protocol packet includes the logical unit number information of a target logical unit in which data to be decrypted is located and the sector address of a target sector in which the data to be decrypted is located, the fibre channel storage cryptographic machine 300 obtains the logical unit number information of the target logical unit in which the data to be decrypted is located and the sector address of the target sector in which the data to be decrypted is located from the Command description block of the fibre channel protocol packet.

803. And calling a key mapping relation table, wherein the key mapping relation table reflects the corresponding relation between the logic unit number of each logic unit of the plurality of disk arrays and the working key corresponding to each logic unit.

In the embodiment of the present application, the key mapping relationship table is stored in a protocol parsing engine (FPGA) of the fibre channel storage crypto engine 300.

804. And searching and obtaining the working key corresponding to the target logic unit according to the logic unit number information of the target logic unit.

Specifically, since the key mapping relationship table reflects the correspondence between the logical unit number of each logical unit of the plurality of disk arrays and the working key corresponding to each logical unit, the working key corresponding to the target logical unit can be found in the key mapping relationship table according to the logical unit number information of the target logical unit.

805. And calling a disk mapping table, wherein the disk mapping table reflects the corresponding relation between the disk array numbers of the multiple disk arrays and the logic unit numbers of the logic units of the multiple disk arrays.

In the embodiment of the present application, the disk mapping table is also stored in a protocol parsing engine (FPGA) of the fibre channel storage crypto engine 300.

806. And searching and obtaining the disk array number information of the target disk array corresponding to the target logic unit according to the logic unit number information of the target logic unit.

Specifically, since the disk mapping table reflects the correspondence between the disk array numbers of the multiple disk arrays and the logical unit numbers of the logical units of the multiple disk arrays, the disk array number information of the target disk array corresponding to the target logical unit can be found in the disk mapping table according to the logical unit number information of the target logical unit.

807. And carrying out Hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be decrypted is located by using the working key to obtain a sector block key.

In a specific embodiment, the Hash operation uses an SM3 cryptographic Hash algorithm, and uses a working key as a key of the SM3 cryptographic Hash algorithm, and under a Hash-based Message Authentication Code (HMAC) mode of the SM3 cryptographic Hash algorithm, hashes the disk array number of the target disk array where the data to be decrypted is located, the logical unit number of the target logical unit where the data to be decrypted is located, and the sector address of the target sector where the data to be decrypted is located, to obtain the sector block key. In this embodiment, since the logical unit number of each logical unit and the sector address of each sector block in the same disk array are different, the sector block key of each sector of each logical unit is different; although the same logical unit has the same logical unit number and the sector address of the same sector under the same logical unit is the same for different disk arrays, the sector block key of each sector of each logical unit under each disk array is different because the disk array number of each disk array is different.

808. And decrypting the data to be decrypted by using the sector block key to obtain corresponding decrypted data.

In this embodiment, since each sector of each logical unit under each disk array uses a different sector block key, the sector block keys used for decrypting different data to be decrypted in the server 100 are different. In a specific embodiment, when the target sector performs the data reading operation of the data to be decrypted, the sector block key of the target sector of the target logical unit is dynamically calculated and obtained in step 807, and when the target sector of the target logical unit completes the data reading operation of the data to be decrypted, the sector block key corresponding to the target sector is immediately destroyed, and the decryption of the data to be decrypted is completed, so as to obtain the corresponding decrypted data, that is, the plaintext data.

Assuming that the storage space of a logical unit on a disk array is 1TB and the size of a sector is 1MB, the number of sector block keys allocated to the logical unit by the fibre channel storage crypto engine 300 can reach the million level; and one fibre channel storage cryptographic machine 300 supports 64 disk arrays at most, each disk array can configure 1024 logic units at most, and the total number of distributable sector block keys in the fibre channel cryptographic machine 300 is more than one trillion, so the sector block key of the embodiment of the present application can be a session key meeting the cryptographic standard of the quotient, and meets the requirement that one session corresponds to one session key.

On the other hand, because the read-write times in the design life cycle of each logic unit are within 3000, the number of the ciphertexts which are taken by the sector with the size of 1MB in the whole life cycle is less than 3GB, and the data with the magnitude is not enough to crack the sector block key by using the means of cipher text data attack, the embodiment of the application adopts the double key combination of the working key and the sector block key, improves the usability and the usability of storage encryption and decryption, and ensures the safety of storage encryption and decryption.

In addition, the fiber channel storage cryptographic machine 300 in this embodiment may also be in a cluster mode, that is, multiple fiber channel storage cryptographic machines 300 may operate in a master-slave mode, at this time, only the logical disk key factor of the master control device in the cluster needs to be encrypted and then distributed, and each cluster partner device obtains the encrypted logical disk key factor distributed by the master control device, decrypts the encrypted logical disk key factor, and encrypts the logical unit number of each logical unit of the disk array in the corresponding fiber channel storage cryptographic machine 300 by using the SM4 cryptographic algorithm to generate a working key. When the optical fiber channel storage ciphers 300, which are active and standby, access the same sector of the same logical unit of the same disk array, the same sector block key can be obtained according to the above step 303 or step 807, and by means of only transmitting the logical block key factor between the devices in the cluster, the consistency of the sector block keys between different devices is ensured, while insecurity caused by transmission of the actual encryption key, i.e., the sector block key, is also avoided, the security of storage encryption and decryption is improved, so that the optical fiber channel storage ciphers 300 are more widely applied in the cluster environment.

In order to better implement the disk data encryption method in the embodiment of the present application, on the basis of the disk data encryption method, the embodiment of the present application further provides a disk data encryption device, the disk data encryption device is applied to the optical fiber channel storage cryptographic machine 300, the optical fiber channel storage cryptographic machine 300 is located in a storage area network system, the storage area network system further includes a memory 400 in communication connection with the optical fiber channel storage cryptographic machine 300, the memory includes a plurality of disk arrays, the plurality of disk arrays include a target disk array where data to be encrypted is located, as shown in fig. 9, the disk data encryption device 900 includes:

an obtaining module 901, configured to obtain an encryption request for data to be encrypted;

a working key obtaining module 902, configured to respond to the encryption request, and obtain a working key of a target logic unit in which the data to be encrypted is located in the target disk array;

a sector block key generation module 903, configured to perform hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and a sector address of a target sector where the data to be encrypted is located by using the working key, to obtain a sector block key;

and an encrypting module 904, configured to encrypt the data to be encrypted by using the sector block key to obtain corresponding ciphertext data.

In some embodiments of the present application, the working key obtaining module 902 is specifically configured to:

acquiring a logic block key factor randomly generated in advance;

In some embodiments of the present application, the sector key generation module 903 is specifically configured to:

performing hash operation on the connection string to obtain a first hash;

In some embodiments of the present application, the disk data encryption apparatus 900 further includes a key mapping table module 905, where the key mapping table module 905 is specifically configured to:

In some embodiments of the present application, the disk data encryption apparatus 900 further includes a disk mapping table module 906, where the disk mapping table module 906 is specifically configured to:

acquiring the disk array numbers of the plurality of disk arrays;

In order to better implement the disk data decryption method in the embodiment of the present application, on the basis of the disk data decryption method, the embodiment of the present application further provides a disk data decryption device, where the disk data decryption device is applied to the optical fiber channel storage cryptographic machine 300, the optical fiber channel storage cryptographic machine 300 is located in a storage area network system, the storage area network system further includes a storage 400 communicatively connected to the optical fiber channel storage cryptographic machine 300, the storage includes a plurality of disk arrays, the plurality of disk arrays include a target disk array where data to be decrypted is located, as shown in fig. 10, the disk data decryption device 1000 includes:

a receiving module 1001, configured to receive a fibre channel protocol packet sent by a memory;

an analyzing module 1002, configured to analyze the fibre channel protocol packet, to obtain logical unit number information of a target logical unit where the data to be decrypted is located and a sector address of a target sector where the data to be decrypted is located;

a key mapping relation table calling module 1003, configured to call a key mapping relation table, where the key mapping relation table reflects a correspondence between a logical unit number of each logical unit of the multiple disk arrays and a working key corresponding to each logical unit;

a working key searching module 1004, configured to search for a working key corresponding to the target logic unit according to the logic unit number information of the target logic unit;

a disk mapping table calling module 1005, configured to call a disk mapping table, where the disk mapping table reflects a correspondence between disk array numbers of the multiple disk arrays and logic unit numbers of each logic unit of the multiple disk arrays;

a disk array searching module 1006, configured to search, according to the logical unit number information of the target logical unit, to obtain disk array number information of a target disk array corresponding to the target logical unit;

a sector block key generating module 1007, configured to perform a hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and the sector address of the target sector where the data to be decrypted is located by using the working key, to obtain a sector block key;

a decryption module 1008, configured to decrypt the data to be decrypted by using the sector block key to obtain corresponding decrypted data.

In some embodiments of the present application, the sector key generation module 1007 is specifically configured to:

performing series connection processing on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be decrypted is located to obtain a connection string;

performing hash operation on the connection string to obtain a first hash;

An embodiment of the present application further provides an apparatus, which integrates any one of the disk data encryption devices or disk data decryption devices provided in the embodiment of the present application, where the apparatus includes:

one or more processors;

a memory; and

one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the processor by the steps of the disk data encryption method in any embodiment of the disk data encryption method or the steps of the disk data decryption method in any embodiment of the disk data decryption method.

The embodiment of the invention also provides equipment which integrates any disk data encryption device or disk data decryption device provided by the embodiment of the application. As shown in fig. 11, it shows a schematic structural diagram of the apparatus according to the embodiment of the present application, specifically:

the device may include components such as a processor 1101 of one or more processing cores, memory 1102 of one or more computer-readable storage media, a power supply 1103, and an input unit 1104. Those skilled in the art will appreciate that the configuration of the device shown in fig. 11 does not constitute a limitation of the device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:

the processor 1101 is a control center of the apparatus, connects various parts of the entire apparatus using various interfaces and lines, performs various functions of the apparatus and processes data by running or executing software programs and/or modules stored in the memory 1102 and calling data stored in the memory 1102, thereby performing overall monitoring of the apparatus. Optionally, processor 1101 may include one or more processing cores; the Processor 1101 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like, preferably the processor 1101 may integrate an application processor, which handles primarily the operating system, user interfaces, application programs, etc., and a modem processor, which handles primarily wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 1101.

The memory 1102 may be used to store software programs and modules, and the processor 1101 executes various functional applications and data processing by operating the software programs and modules stored in the memory 1102. The memory 1102 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to the use of the server, and the like. Further, the memory 1102 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 1102 may also include a memory controller to provide the processor 1101 with access to the memory 1102.

The device further includes a power supply 1103 for supplying power to the various components, and preferably, the power supply 1103 is logically connected to the processor 1101 via a power management system, so that functions of managing charging, discharging, and power consumption are implemented via the power management system. The power supply 1103 may also include any component, such as one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.

The device may further include an input unit 1104, the input unit 1104 being operable to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.

Although not shown, the server may further include a display unit and the like, which will not be described in detail herein. Specifically, in this embodiment, the processor 1101 in the device loads an executable file corresponding to a process of one or more application programs into the memory 1102 according to the following instructions, and the processor 1101 runs the application programs stored in the memory 1102, thereby implementing various functions as follows:

acquiring an encryption request of data to be encrypted;

It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.

To this end, an embodiment of the present invention provides a computer-readable storage medium, which may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like. The computer program is loaded by a processor to execute the steps in any one of the disk data encryption methods or the steps in the disk data decryption method provided by the embodiments of the present application. For example, the computer program may be loaded by a processor to perform the steps of:

acquiring an encryption request of data to be encrypted;

In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and parts that are not described in detail in a certain embodiment may refer to the above detailed descriptions of other embodiments, and are not described herein again.

In a specific implementation, each unit or structure may be implemented as an independent entity, or may be combined arbitrarily to be implemented as one or several entities, and the specific implementation of each unit or structure may refer to the foregoing embodiments, which are not described herein again.

The above detailed description is given to a disk data encryption method, a disk data decryption apparatus, a disk data encryption device, a disk data decryption device, and a storage medium provided in the embodiments of the present application, and a specific example is applied in the present application to explain the principles and embodiments of the present application, and the description of the above embodiments is only used to help understand the method and the core ideas of the present application; meanwhile, for those skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims

1. A disk data encryption method is applied to a fiber channel storage cipher machine, the fiber channel storage cipher machine is positioned in a storage area network system, the storage area network system further comprises a memory which is in communication connection with the fiber channel storage cipher machine, the memory comprises a plurality of disk arrays, the plurality of disk arrays comprise target disk arrays where data to be encrypted are located, and the method comprises the following steps:

acquiring an encryption request of data to be encrypted;

2. The method according to claim 1, wherein the obtaining the working key of the target logical unit in which the data to be encrypted is located in the target disk array comprises:

acquiring a logic block key factor randomly generated in advance;

3. The method according to claim 1, wherein the performing a hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and the sector address of the target sector where the data to be encrypted is located by using the working key to obtain a sector block key comprises:

performing hash operation on the connection string to obtain a first hash;

4. The method according to claim 1, wherein before the obtaining the working key of the target logical unit in which the data to be encrypted is located in the target disk array, the method further comprises:

5. The method according to claim 1, wherein before the obtaining the working key of the target logical unit in which the data to be encrypted is located in the target disk array, the method further comprises:

acquiring the disk array numbers of the plurality of disk arrays;

6. A disk data decryption method is characterized in that the disk data decryption method is applied to a fiber channel storage cipher machine, the fiber channel storage cipher machine is located in a storage area network system, the storage area network system further comprises a storage which is in communication connection with the fiber channel storage cipher machine, the storage comprises a plurality of disk arrays, the plurality of disk arrays comprise target disk arrays where data to be decrypted are located, and the method comprises the following steps:

receiving a fiber channel protocol message sent by a memory;

7. A disk data encryption apparatus, comprising:

8. A disk data decryption apparatus, comprising:

9. An apparatus, comprising:

one or more processors;

a memory; and

one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the processor to implement the disk data encryption method of any one of claims 1 to 5 or the disk data decryption method of claim 6.

10. A computer-readable storage medium, having stored thereon a computer program, which is loaded by a processor to execute the steps in the disk data encryption method according to any one of claims 1 to 5 or the disk data decryption method according to claim 6.