CN114282244A - Multi-cloud key management and BYOK-based data security management methods - Google Patents
- Publication number: CN114282244A
- Authority: CN (China)
- Prior art keywords: byok, cloud, encryption, data, key
- Legal status: Granted
Description
Technical Field
The present application relates to the technical field of cloud data security management, and in particular to a data security management method that uses the KMS (key management service) offered by cloud vendors.
Background Art
With the promulgation of the national Data Security Law and the Personal Information Protection Law (Draft), which together with the Cybersecurity Law will further protect the information security of domestic enterprises and individuals, the products of Internet companies will face new security challenges.
When protecting data security, enterprises need to encrypt sensitive data. When handling the data keys used to encrypt that data, however, most companies or service providers store them in a configuration file or persist them in a database; when the software or application needs to encrypt or decrypt, it reads the key from the configuration file or database and uses it. But if the data key is stored directly in a configuration file or database, then as soon as someone obtains the product's source code, or dumps the database through a vulnerability or program backdoor, the data key is easily leaked and the attacker can decrypt the encrypted data directly. This is highly insecure: it neither protects the encrypted data nor meets compliance and reporting requirements.
Some companies also use the KMS key management service offered by a cloud vendor directly, entrusting the key to a third party; when the software or application needs the key, it encrypts and decrypts by calling the KMS service's API directly. Although this satisfies compliance and reporting requirements, the key is held by a third party, so a breach at that third party leaks the data key and in turn the sensitive data we encrypted. It also fails to satisfy those customers who want to encrypt their data with their own keys.
Summary of the Invention
In view of the above technical problems, a multi-cloud key management and BYOK-based data security management method is provided that effectively protects the security of enterprises' encrypted data.
In a first aspect, the multi-cloud key management and BYOK-based data security management method includes:
(1) Using the KMS provided by multiple cloud service vendors, obtain the SK and AK;
(2) Obtain the bring-your-own key (BYOK);
(3) By calling pre-written encryption/decryption APIs corresponding to each cloud service vendor's KMS, combined with the BYOK, generate an encryption key EK corresponding to each cloud service vendor's KMS;
(4) Store the SK, AK and EK in a configuration file;
(5) According to the classification and grading of the data in the system, determine which data types need to be stored encrypted;
(6) During software or program startup, call the KMS API to obtain the BYOK; plaintext data cached in memory that needs to be stored encrypted is encrypted with the BYOK and written to the database, and ciphertext stored in the database is decrypted with the BYOK into memory.
Optionally, the encryption and decryption in step (6) are performed by introducing a pre-written Starter that implements automatic encryption and decryption based on annotations and a MyBatis typeHandler.
Further, the pre-written Starter specifically includes:
a) a MyBatis interceptor that intercepts objects whose properties carry the @DataSecurity annotation and encrypts them;
b) a MyBatis typeHandler that intercepts values carrying the encrypted-text prefix and suffix and decrypts them.
Optionally, the multiple cloud service vendors include Huawei Cloud and AWS.
Further, writing the encryption/decryption API for the Huawei Cloud KMS includes:
using a getToken method to obtain Huawei Cloud authorization from the AK, SK and keyId;
using an encryptKms method to call the encryption API of the Huawei Cloud key management service;
using a decryptKms method to call the decryption API of the Huawei Cloud key management service.
Further, writing the encryption/decryption API for the AWS KMS includes:
using a getAuthorize method to obtain AWS authorization from the AK, SK and keyId;
using an encrypt method to call the encryption API of the AWS key management service;
using a decrypt method to call the decryption API of the AWS key management service.
Optionally, in step (5), the data types that need to be stored encrypted are determined to be C3 and C4 level data, where C3 is customer confidential data and C4 is customer secret data.
In a second aspect, a computer device includes a memory and a processor, the memory storing a computer program, characterized in that when the processor executes the computer program it implements the steps of the above multi-cloud key management and BYOK-based data security management method.
In a third aspect, a computer-readable storage medium has a computer program stored on it, characterized in that when the computer program is executed by a processor it implements the steps of the above multi-cloud key management and BYOK-based data security management method.
The present invention has at least the following beneficial effects:
The present invention uses BYOK (bring your own key), which helps enterprises address compliance and reporting requirements more comprehensively. Combined with the KMS (key management service) offered by different cloud service vendors, it lets organizations (enterprise users) use the key management services of different cloud vendors while retaining full control over their data and encryption keys: organizations can encrypt the data in cloud services with their own keys while continuing to use the cloud provider's native encryption services to keep that data secure.
Enterprise users can ensure that encryption keys are generated from a sufficient source of entropy and can protect the keys from leakage, securing the enterprise's encrypted data.
Description of the Drawings
Figure 1 is a schematic diagram of the operational flow of the multi-cloud key management and BYOK-based data security management method provided by an embodiment of the present invention;
Figure 2 is a schematic diagram of the principle (key acquisition and usage flow) of implementing the multi-cloud key management and BYOK-based data security management method according to an embodiment of the present invention;
Figure 3 is a sample KMS management console interface provided by an embodiment of the present invention.
Detailed Description
In order to make the purpose, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and do not limit it.
The purpose of the embodiments of the present invention is to ensure that organizations (especially enterprise users) that use keys to encrypt sensitive data can generate data keys from a sufficient source of entropy, protect the data keys more securely and prevent the risk posed by key leakage, while also meeting compliance and reporting requirements and satisfying customers who want to use their own data keys.
In one embodiment, as shown in Figure 1, the multi-cloud key management and BYOK-based data security management method, applied on an enterprise user terminal, includes the following steps:
S1: Using the KMS provided by multiple cloud service vendors, obtain the SK and AK;
S2: Obtain the bring-your-own key (BYOK);
S3: By calling pre-written encryption/decryption APIs corresponding to each cloud service vendor's KMS, combined with the BYOK, generate an encryption key EK corresponding to each cloud service vendor's KMS;
S4: Store the SK, AK and EK in a configuration file;
S5: According to the classification and grading of the data in the system, determine which data types need to be stored encrypted;
S6: During software or program startup, call the KMS API to obtain the BYOK; plaintext data cached in memory that needs to be stored encrypted is encrypted with the BYOK and written to the database, and ciphertext stored in the database is decrypted with the BYOK into memory.
In one embodiment, as shown in Figure 2, implementing the data security management method specifically involves the following stages:
1) Create a new master key in the KMS and obtain the SK (Secret Access Key) and AK (Access Key Id):
a) Log in to the KMS service console provided by a cloud service vendor such as Huawei Cloud or AWS; Figure 3 shows a sample KMS management console interface;
b) Create a key;
c) Save the AK, SK, keyId and related information.
2) Write the encryption/decryption APIs for the KMS of the different cloud service vendors; the present invention mainly integrates Huawei Cloud and AWS:
a) Write the AWS KMS encryption/decryption utility class:
a getAuthorize method obtains AWS authorization from the AK, SK, keyId and related information, an encrypt method calls the encryption API of the AWS key management service, and a decrypt method calls the decryption API of the AWS key management service.
b) Write the Huawei Cloud KMS encryption/decryption utility class:
a getToken method obtains Huawei Cloud authorization from the AK, SK, keyId and related information, an encryptKms method calls the encryption API of the Huawei Cloud key management service, and a decryptKms method calls the decryption API of the Huawei Cloud key management service.
3) Generate the data key (BYOK) with a cipher machine or other key-generation device.
4) Use the encryption/decryption APIs to obtain the EK:
a) Call the API provided by the Huawei Cloud KMS service, applying the encryptKms method to the key (BYOK) obtained in step 3) to generate the Huawei Cloud EK; for example:
i. Add the SDK dependency provided by Huawei Cloud to the project;
ii. Write a program that calls the encryption API in the SDK;
iii. Run the program, applying the encryptKms method to the data key (BYOK) obtained in step 3) to generate the Huawei Cloud EK.
b) Call the API provided by the AWS KMS service, applying the encrypt method to the key obtained in step 3) to generate the AWS EK; for example:
i. Add the SDK dependency provided by AWS to the project;
ii. Write a program that calls the encryption API in the SDK;
iii. Run the program, applying the encrypt method to the data key (BYOK) obtained in step 3) to generate the AWS EK.
5) Configure the SK, AK, EK and related information obtained in steps 1) and 3) above in the CM.
6) Write the Starter that implements automatic encryption and decryption based on annotations and the MyBatis typeHandler:
a) Write a MyBatis interceptor that intercepts objects whose properties carry the @DataSecurity annotation and encrypts them;
b) Write a MyBatis typeHandler that intercepts values carrying the encrypted-text prefix and suffix and decrypts them.
7) Classify and grade the data in the system, and store C3 and C4 level data encrypted:
a) Customer confidential data (Customer Confidential), C3
Example: employee information in the organizational structure;
b) Customer secret data (Customer Secret), C4
Example: ID card numbers and the like.
8) Introduce the Starter into the business services to encrypt and protect sensitive data:
a) Add the srm-starter-security Maven dependency to each service's pom file and place it first;
b) Change the data type of each database field that needs to be encrypted to VARCHAR and widen it to varchar(32 + character length * 8);
c) Add the @DataSecurity annotation to the fields that need to be encrypted in the entity class;
d) Once a field is encrypted, fuzzy search on it is not supported;
e) Once a field is encrypted, to use it as a query condition the value must first be encrypted manually by calling DataSecurityInterceptor.encrypt("xxx") and the result passed to the database for the query;
f) Once a field is encrypted, it cannot be processed with database functions; for example, after an amount is encrypted, the FORMAT() function can no longer be used to handle its precision.
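The key flow of stages 3) to 8) above, written here in Go as an added example that is neither the patent's code nor the srm-starter-security Starter: a stand-in MockKMS wraps a locally generated BYOK into EK (the only key material that would go into the configuration file), startup unwraps EK back into memory, and EncryptField/DecryptField do what the interceptor and typeHandler do for an @DataSecurity column, including the prefix/suffix detection and the deterministic encryption a query condition needs in step 8e). AES-256-GCM, the ENC(...) markers, the MockKMS and the HMAC-derived nonce are my assumptions; the patent names no cipher or marker format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Markers the typeHandler uses to recognise ciphertext in a column value; the
// page only says "prefix and suffix", so these exact strings are an assumption.
const encPrefix, encSuffix = "ENC(", ")"

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with the nonce prepended. With deterministic=true the nonce
// is an HMAC of the plaintext under a derived key (SIV style), so equal plaintexts
// give equal ciphertexts: that is what lets step 8e) query on the output of
// DataSecurityInterceptor.encrypt("xxx"), at the cost of revealing equality.
func seal(key, plaintext []byte, deterministic bool) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if deterministic {
		mk := sha256.Sum256(append([]byte("field-nonce:"), key...))
		h := hmac.New(sha256.New, mk[:]); h.Write(plaintext); copy(nonce, h.Sum(nil))
	} else if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// MockKMS stands in for the vendor KMS (Huawei Cloud encryptKms/decryptKms or
// AWS encrypt/decrypt): its master key never leaves the service.
type MockKMS struct{ master []byte }
func randomKey() ([]byte, error) { k := make([]byte, 32); _, err := rand.Read(k); return k, err }
func NewMockKMS() (*MockKMS, error) { k, err := randomKey(); return &MockKMS{k}, err }
func (m *MockKMS) Encrypt(p []byte) ([]byte, error) { return seal(m.master, p, false) }
func (m *MockKMS) Decrypt(c []byte) ([]byte, error) { return open(m.master, c) }

// Steps 3), 4) and 6): GenerateBYOK stands in for the cipher machine; Provision wraps
// BYOK into EK, the only key material the config file gets; LoadDataKey unwraps it
// at startup so BYOK lives in memory only.
func GenerateBYOK() ([]byte, error) { return randomKey() }
func Provision(kms *MockKMS, byok []byte) ([]byte, error) { return kms.Encrypt(byok) }
func LoadDataKey(kms *MockKMS, ek []byte) ([]byte, error) { return kms.Decrypt(ek) }

// EncryptField is the interceptor's work for an @DataSecurity property.
func EncryptField(dataKey []byte, plaintext string) (string, error) {
	ct, err := seal(dataKey, []byte(plaintext), true)
	if err != nil { return "", err }
	return encPrefix + base64.StdEncoding.EncodeToString(ct) + encSuffix, nil
}
// DecryptField is the typeHandler's work: unmarked values pass through untouched,
// marked values are decrypted, and a tampered ciphertext fails the GCM tag check.
func DecryptField(dataKey []byte, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) || !strings.HasSuffix(stored, encSuffix) {
		return stored, nil
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(stored, encPrefix), encSuffix))
	if err != nil { return "", err }
	pt, err := open(dataKey, raw)
	return string(pt), err
}
```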
While using BYOK (bring your own key), the embodiment of the present invention also makes combined use of the KMS key management services offered by different cloud service vendors: the EK (encryption key) generated by combining the BYOK with the KMS is stored in a configuration file, and during software or program startup the KMS API is called to obtain the data key (BYOK) into memory. The data key therefore never touches disk, which further protects the encrypted sensitive data.
The embodiment of the present invention lets organizations use the key management services (KMS) of different cloud service vendors while retaining full control over their data and encryption keys: organizations can encrypt the data in cloud services with their own keys while continuing to use the cloud provider's native encryption services to keep that data secure. BYOK helps enterprises address compliance and reporting requirements more comprehensively. Moreover, enterprise users can ensure that encryption keys are generated from a sufficient source of entropy and can protect the keys from leakage, securing the enterprise's encrypted data.
In one embodiment, a computer device is also provided, which may be an enterprise user terminal. The computer device includes a memory and a processor, the memory storing a computer program that covers all or part of the flow of the methods in the above embodiments.
In one embodiment, a computer-readable storage medium is also provided, on which a computer program is stored that covers all or part of the flow of the methods in the above embodiments.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not every possible combination of the technical features in the above embodiments is described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this specification.
The above embodiments express only a few implementations of the present application; they are described in relatively specific detail, but this should not be construed as limiting the scope of the invention patent. It should be noted that those of ordinary skill in the art can make a number of modifications and improvements without departing from the concept of the present application, all of which fall within its scope of protection. The scope of protection of this patent application is therefore defined by the appended claims.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111613920.7A CN114282244B (en) | 2021-12-27 | 2021-12-27 | Multi-cloud key management and BYOK-based data security management method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114282244A true CN114282244A (en) | 2022-04-05 |
CN114282244B CN114282244B (en) | 2025-01-24 |
Family ID: 80876078
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111613920.7A Active CN114282244B (en) | 2021-12-27 | 2021-12-27 | Multi-cloud key management and BYOK-based data security management method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114282244B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200053065A1 (en) * | 2018-08-13 | 2020-02-13 | Salesforce.Com, Inc. | Key encryption key rotation |
Non-Patent Citations (1)
Title |
---|
Wang Yong, "Multi-cloud key management and BYOK" (多云密钥管理与BYOK), Network Security and Informatization (网络安全和信息化), 31 May 2020, pages 112-113 |
Also Published As
Publication number | Publication date |
---|---|
CN114282244B (en) | 2025-01-24 |
Similar Documents
Publication | Title |
---|---|
US12045361B1 (en) | Methods and apparatus for encrypted indexing and searching encrypted data |
US9825925B2 (en) | Method and apparatus for securing sensitive data in a cloud storage system |
US10762229B2 (en) | Secure searchable and shareable remote storage system and method |
US20210067320A1 (en) | System and method to protect sensitive information via distributed trust |
US6981141B1 (en) | Transparent encryption and decryption with algorithm independent cryptographic engine that allows for containerization of encrypted files |
US8489889B1 (en) | Method and apparatus for restricting access to encrypted data |
US9152813B2 (en) | Transparent real-time access to encrypted non-relational data |
CN102402664B (en) | Data access control device and data access control method |
US20230254126A1 (en) | Encrypted search with a public key |
CN110851843A (en) | Data management method and device based on block chain |
US11997191B2 (en) | System and method for protecting secret data items using multiple tiers of encryption and secure element |
JP4471129B2 (en) | Document management system, document management method, document management server, work terminal, and program |
US20180013730A1 (en) | Blind cloud data leak protection |
US8266445B2 (en) | Encrypted communication system, encrypted communication method, encrypting device, and decrypting device |
TWI428752B (en) | Electronic file delivering system, portable communication apparatus with decryption functionality, and related computer program product |
CN114282244B (en) | Multi-cloud key management and BYOK-based data security management method |
Mc Brearty et al. | The performance cost of preserving data/query privacy using searchable symmetric encryption |
JP2011164907A (en) | Information management system |
CN113434535B (en) | Data processing method, communication system, device, product and storage medium |
CN112214778A (en) | Method and system for realizing discrete encryption of local file through virtual file |
CN111404863A (en) | Data processing method and device |
TWI823673B (en) | A password encryption management system |
CN116074110B (en) | A method, system, device and medium for realizing encrypted file sharing in a cloud environment |
CN111475800B (en) | A network-based file protection system for trade secrets |
Waizenegger | Deletion of content in large cloud storage systems |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |