CN114386064A - Database transparent encryption method and device, computer equipment and storage medium - Google Patents

Publication number
CN114386064A
Authority
CN
China
Prior art keywords: encryption, data, database, initial data, disk
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111629176.XA
Other languages
Chinese (zh)
Inventor
薛恺
刘佳丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Meichuang Technology Co ltd
Original Assignee
Hangzhou Meichuang Technology Co ltd
Application filed by Hangzhou Meichuang Technology Co ltd
Priority to CN202111629176.XA
Publication of CN114386064A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a database transparent encryption method and device, computer equipment and a storage medium. The method comprises the following steps: acquiring data to be written to obtain initial data; initializing configuration related information; judging whether the initial data needs to be encrypted; if the initial data needs to be encrypted, encrypting the initial data in a fragment encryption mode and writing the encryption result into a disk file; and if the initial data does not need to be encrypted, writing the initial data into a disk file. The method of the embodiment can initialize the database without stopping the service system and can complete the encryption of the data stored in the database while the data continues to be queried and used, so the service does not need to be interrupted, no performance loss is caused, and the initialization time is short.

Description

Database transparent encryption method and device, computer equipment and storage medium
Technical Field
The invention relates to a database, in particular to a transparent encryption method and device for the database, a computer device and a storage medium.
Background
Data has become one of the most important assets for users in every industry, and its importance keeps growing. At the same time, data theft attacks are increasing, and how to ensure data security has become one of users' main concerns. Encrypting important data is a common means of protecting it, and there are three existing encryption technologies. The first is the front proxy and encryption gateway technology: a security proxy service is added in front of the database, users accessing the database must pass through this service, and security policies such as data encryption and decryption and access control are implemented in it; the security proxy service then stores the data in the database through the database's access interface. The security proxy service sits between the client application and the database storage engine and is responsible for encrypting and decrypting the data in the database, and the encrypted data is stored in the security proxy service. The second is application-layer encryption: the application system encrypts sensitive data through an encryption API (application program interface) or similar and stores the encrypted data in the underlying files of the database; on retrieval, the ciphertext is returned to the client and then decrypted, and the application system can manage the key system itself. The third is the rear proxy technology based on views and triggers: data encryption is implemented by combining 'view' + 'trigger' + 'extended index' + 'external call', while remaining completely transparent to the application. Its key idea is to make full use of the customization and extension capabilities the database provides, using trigger extension, index extension, custom function extension, views and similar features to meet the main requirements of encrypted data storage, retrieval of encrypted data, and seamless transparency to the application.
However, the encryption technologies above cannot encrypt the original data during initialization while the service is running: the service has to be suspended and the service system restarted after initialization completes, so that the service system does not malfunction.
Therefore, a new method is needed that initializes the database without stopping the service system and completes the encryption of the data stored in the database while the data continues to be queried and used, without interrupting the service, without performance loss, and with a short initialization time.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a database transparent encryption method, a database transparent encryption device, a computer device and a storage medium.
In order to achieve the purpose, the invention adopts the following technical scheme: the database transparent encryption method comprises the following steps:
acquiring data to be written to obtain initial data;
initializing configuration related information;
judging whether the initial data needs to be encrypted or not;
if the initial data needs to be encrypted, encrypting the initial data in a fragmentation encryption mode, and writing an encryption result into a disk file;
and if the initial data does not need to be encrypted, writing the initial data into a disk file.
In a further technical scheme, initializing the configuration related information comprises:
setting data encryption rules and an interception policy.
In a further technical scheme, encrypting the initial data in a fragment encryption mode and writing the encryption result into a disk file comprises:
fragmenting the initial data to obtain a fragmentation result;
and encrypting the fragmentation result in a time-sharing manner, wherein when a disk IO occurs during encryption, the disk IO is suspended until the current fragmentation result has been encrypted and is then executed.
In a further technical scheme, after encrypting the initial data in a fragment encryption mode and writing the encryption result into a disk file, the method further comprises:
acquiring a read request;
judging whether the data file corresponding to the read request is a trusted process;
if the data file corresponding to the read request is a trusted process, decrypting the data file corresponding to the read request and returning it to the database, so that the database processes the decryption result after acquiring it and returns the processed data to the terminal;
and if the data file corresponding to the read request is not a trusted process, returning the data file corresponding to the read request.
The invention also provides a database transparent encryption device, which comprises:
a write data acquisition unit for acquiring data to be written to obtain initial data;
an initialization unit for initializing configuration related information;
an encryption judgment unit for judging whether the initial data needs to be encrypted;
the fragment encryption unit is used for encrypting the initial data in a fragment encryption mode if the initial data needs to be encrypted and writing an encryption result into a disk file;
and the writing unit is used for writing the initial data into a disk file if the initial data does not need to be encrypted.
In a further technical scheme, the initialization unit is used for setting a data encryption rule and an interception policy.
In a further technical scheme, the fragment encryption unit includes:
a fragmentation subunit for fragmenting the initial data to obtain a fragmentation result;
and an encryption subunit for encrypting the fragmentation result in a time-sharing manner, wherein when a disk IO occurs during encryption, the disk IO is suspended until the current fragmentation result has been encrypted and is then executed.
In a further technical scheme, the device further comprises:
a request acquisition unit for acquiring a read request;
a file judging unit for judging whether the data file corresponding to the read request is a trusted process;
a decryption unit for decrypting the data file corresponding to the read request and returning it to the database if the data file corresponding to the read request is a trusted process, so that the database processes the decryption result after acquiring it and returns the processed data to the terminal;
and a returning unit for returning the data file corresponding to the read request if the data file corresponding to the read request is not a trusted process.
The invention also provides computer equipment which comprises a memory and a processor, wherein the memory is stored with a computer program, and the processor realizes the method when executing the computer program.
The invention also provides a storage medium storing a computer program which, when executed by a processor, implements the method described above.
Compared with the prior art, the invention has the beneficial effects that: the invention carries out configuration initialization, encrypts the initial data by adopting a fragment encryption mode when the initial data needs to be encrypted, writes an encryption result into a disk file, completes initialization of the database under the condition of not stopping a service system, completes encryption of data stored in the database in the process of continuously inquiring and using the data, does not need to interrupt service, does not cause performance loss, and has short initialization time.
The invention is further described below with reference to the accompanying drawings and specific embodiments.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic view of an application scenario of a database transparent encryption method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a database transparent encryption method according to an embodiment of the present invention;
Fig. 3 is a schematic sub-flow chart of a database transparent encryption method according to an embodiment of the present invention;
Fig. 4 is a diagram illustrating a database transparent encryption method according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a database transparent encryption method according to another embodiment of the present invention;
Fig. 6 is a schematic flow chart of a business system of a database transparent encryption method according to another embodiment of the present invention;
Fig. 7 is a block diagram illustrating a database transparent encryption method according to another embodiment of the present invention;
Fig. 8 is a schematic block diagram of a database transparent encryption apparatus provided by an embodiment of the present invention;
Fig. 9 is a schematic block diagram of a fragmentation encryption unit of a database transparent encryption device according to an embodiment of the present invention;
Fig. 10 is a schematic block diagram of a database transparent encryption apparatus according to another embodiment of the present invention;
Fig. 11 is a schematic block diagram of a computer device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of a database transparent encryption method according to an embodiment of the present invention, and fig. 2 is a schematic flowchart of the method. The database transparent encryption method is applied to a server. The server exchanges data with a terminal; the terminal initiates a write or read request, and the server defers initialization and real-time encryption and decryption until the data is actually used, performs encryption or decryption according to the file the request corresponds to, and outputs the result to the terminal for display.
As shown in fig. 2, the method includes the following steps S110 to S150.
S110, acquiring data to be written to obtain initial data.
In this embodiment, the initial data refers to data that is input by the terminal and needs to be written into the database.
S120, initializing configuration related information.
In this embodiment, the related information includes the rules for data encryption and the policy determining which data is intercepted.
Specifically, a data encryption rule and an interception policy are set.
As shown in fig. 4, a protected data source is added first, and information such as the database type, IP and port is obtained. After the basic information of the protected data source has been obtained, an encryption mode, such as the lightning encryption mode, is selected and initial configuration is performed, including: database verification, that is, obtaining database authorization; operating system authentication, that is, obtaining operating system authorization; configuring the encryption algorithm; and automatically pushing and installing the encryption user-mode control program and the kernel module.
The encryption user-mode control program runs in the user space of the database operating system; it interacts with the control center, receives the relevant configuration and policies from the control center, and sends them to the kernel module. The kernel module runs in the kernel space of the database operating system, receives the policy and configuration information from the user-mode control program, and intercepts and replaces the system calls related to file IO on the operating system. When the target file of a file IO is a protected data file, the identity of the process that initiated the operation must be identified and the corresponding encryption or decryption performed. To encrypt the database, the database account is verified and the protected objects are selected. The control center issues the relevant configuration to the user-mode control program, which passes it to the kernel module, and encryption protection is applied during subsequent data use (that is, during actual reads and writes).
S130, judging whether the initial data needs to be encrypted.
In this embodiment, whether the initial data needs to be encrypted is determined by an initialization rule.
S140, if the initial data needs to be encrypted, encrypting the initial data in a fragment encryption mode, and writing the encryption result into a disk file.
In an embodiment, referring to fig. 3, step S140 may include steps S141 to S142.
S141, fragmenting the initial data to obtain a fragmentation result.
In this embodiment, the fragmentation result refers to the multiple data fragments formed by fragmenting the initial data.
S142, encrypting the fragmentation result in a time-sharing manner, wherein when a disk IO occurs during encryption, the disk IO is suspended until the current fragmentation result has been encrypted and is then executed.
During encryption initialization, the fragments of the original data are encrypted in a time-sharing manner. If a disk IO arrives during encryption, it is first suspended and is executed once the current data fragment has been encrypted. Because the data fragments are very small, the time for which the disk IO is suspended is very short and can be ignored, so the operation of the service is not affected and the service does not need to be suspended; in other words, encryption initialization is a hot initialization. In addition, encryption initialization abandons the approach of adding a file header to hold metadata and instead writes the metadata information using the existing structure.
When a write IO arrives, whether encryption is needed is judged according to the process attribute, and if so, the data is encrypted before it is written.
S150, if the initial data does not need to be encrypted, writing the initial data into a disk file.
In this embodiment, as shown in fig. 6, the service system is connected to the database and reads and writes data. When a data file is written by the database, the kernel module identifies that the identity writing the data file is the database or a trusted process, and the plaintext data that the database submits in its write request to the operating system is encrypted with the configured encryption algorithm and then written to the disk file, which achieves data encryption.
With the database transparent encryption method described above, configuration is initialized and, when the initial data needs to be encrypted, the initial data is encrypted in a fragment encryption mode and the encryption result is written into a disk file. The database is thus initialized without stopping the service system, and the encryption of the data stored in the database is completed while the data continues to be queried and used; the service does not need to be interrupted, no performance loss is caused, and the initialization time is short.
Fig. 5 is a flowchart illustrating a database transparent encryption method according to another embodiment of the present invention. As shown in fig. 5, the database transparent encryption method of the present embodiment includes steps S210 to S290. Steps S210 to S240 are similar to steps S110 to S140 in the above embodiment, and step S290 is similar to step S150 in the above embodiment, so they are not described again here; step S250 is entered after step S290 has been executed. The added steps S250 to S280 in this embodiment are described in detail below.
S250, acquiring a read request.
In this embodiment, the read request refers to a request to read a file of the database.
S260, judging whether the data file corresponding to the read request is a trusted process.
In this embodiment, whether the identity of the data file corresponding to the read request is a file in the database or a trusted process, that is, whether the identity meets the requirement, is determined according to the data file.
S270, if the data file corresponding to the read request is a trusted process, decrypting the data file corresponding to the read request and returning it to the database, so that the database processes the decryption result after acquiring it and returns the processed data to the terminal.
S280, if the data file corresponding to the read request is not a trusted process, returning the data file corresponding to the read request.
When the database reads a data file, the kernel module identifies that the identity reading the data file is the database or a trusted process, and the file content to be read is read from the disk into kernel space. The disk file is in ciphertext form at this point; the kernel encryption module decrypts the encrypted data and returns it to the database, which uses the plaintext data normally and returns the processed plaintext data to the service system.
As shown in fig. 6 and fig. 7, when a read IO arrives, the encryption or decryption operation is determined according to the process attribute: a trusted process obtains plaintext, and an untrusted process obtains ciphertext. The specific processing logic is divided according to the process identity and according to whether the data is stock data or incremental data. Stock data is stored as plaintext before any read occurs. On the first read, if the reader is a trusted process, the plaintext data is returned to it, the data is encrypted, and the ciphertext is stored; if the reader is an untrusted process, the data is encrypted, the ciphertext data is returned to it, and the ciphertext is stored. After a read has occurred, the data is stored as ciphertext. From then on, a read by a trusted process decrypts the data and returns plaintext, and a read by an untrusted process returns ciphertext. For incremental data, when a trusted process writes, the data is encrypted and stored as ciphertext; a read by a trusted process decrypts the data and returns plaintext, and a read by an untrusted process returns ciphertext. The above describes how data is protected by encryption when reads and writes occur in different time periods. Encryption uses the data fragmentation technique: if a disk IO arrives, it is first suspended and is executed once the current data fragment has been encrypted. Because the data fragments are very small, the time for which the disk IO is suspended is very short and the service is not affected.
If the user wants to remove the encryption protection from a protected object, the system can also be configured to do so: the database account is verified, the objects to be unprotected are selected, and the selected data is decrypted.
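The hot initialization of steps S141 to S142 and the read/write handling by process identity described above can be modelled in user space. The following Python sketch is an added example, not code from the patent: the fragment size, the in-memory per-fragment state list, the process names and `toy_cipher` (a stand-in for the configured encryption algorithm) are all assumptions.

```python
import hashlib
import threading
import time

FRAGMENT_SIZE = 16  # bytes; assumption, kept tiny so the sample spans several fragments
# Constructed sample standing in for stock (pre-existing) plaintext in a data file.
STOCK = b"id=1;card=4111111111111111;id=2;card=5500000000000004;"


def toy_cipher(key: bytes, index: int, data: bytes) -> bytes:
    """Stand-in for the configured algorithm (not a real cipher): XOR with a SHA-256
    keystream bound to the fragment index. Length-preserving and self-inverse."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + index.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ProtectedFile:
    """User-space model of one protected data file behind the IO interception layer."""

    def __init__(self, stock: bytes, key: bytes, trusted: set):
        self.disk = bytearray(stock)             # stock data is plaintext until converted
        self.key = key
        self.trusted = trusted                   # process names allowed to see plaintext
        count = -(-len(stock) // FRAGMENT_SIZE)  # ceiling division
        self.is_cipher = [False] * count         # per-fragment state, in memory (assumption)
        self.lock = threading.Lock()             # held only while ONE fragment is handled

    def _span(self, i: int) -> slice:
        return slice(i * FRAGMENT_SIZE, min((i + 1) * FRAGMENT_SIZE, len(self.disk)))

    def _convert(self, i: int) -> None:
        """Encrypt fragment i in place if it is still plaintext. Caller holds the lock."""
        if not self.is_cipher[i]:
            span = self._span(i)
            self.disk[span] = toy_cipher(self.key, i, bytes(self.disk[span]))
            self.is_cipher[i] = True

    def initialize_step(self) -> bool:
        """Encrypt the next plaintext fragment; False once every fragment is ciphertext."""
        with self.lock:                          # concurrent IO waits for this one fragment
            for i, done in enumerate(self.is_cipher):
                if not done:
                    self._convert(i)
                    return True
        return False

    def read(self, process: str, i: int) -> bytes:
        with self.lock:
            self._convert(i)                     # first read of stock data stores ciphertext
            stored = bytes(self.disk[self._span(i)])
        if process in self.trusted:
            return toy_cipher(self.key, i, stored)   # trusted process gets plaintext
        return stored                                # untrusted process gets ciphertext

    def write(self, process: str, i: int, data: bytes) -> None:
        span = self._span(i)
        if len(data) != span.stop - span.start:
            raise ValueError("this sketch only handles whole-fragment writes")
        with self.lock:
            if process in self.trusted:          # incremental data from a trusted writer
                data = toy_cipher(self.key, i, data)
            # Other writers' bytes are stored unchanged (S150); treating them as
            # already being in on-disk form is an assumption of this sketch.
            self.disk[span] = data
            self.is_cipher[i] = True


def hot_initialize(pf: ProtectedFile, pause: float = 0.001) -> None:
    """Background conversion: one fragment per time slice, yielding in between."""
    while pf.initialize_step():
        time.sleep(pause)


def run_demo() -> dict:
    pf = ProtectedFile(STOCK, key=b"constructed-demo-key", trusted={"dbserver"})
    first_untrusted = pf.read("backup-tool", 0)      # stock data, first read, untrusted
    worker = threading.Thread(target=hot_initialize, args=(pf,))
    worker.start()                                   # the service keeps reading meanwhile
    trusted_view = b"".join(pf.read("dbserver", i) for i in range(len(pf.is_cipher)))
    worker.join()
    pf.write("dbserver", 1, b"UPDATED-FRAGMENT")     # 16 bytes of incremental data
    return {
        "first_untrusted": first_untrusted,
        "trusted_view": trusted_view,
        "all_cipher": all(pf.is_cipher),
        "disk": bytes(pf.disk),
        "trusted_after_write": pf.read("dbserver", 1),
        "untrusted_after_write": pf.read("backup-tool", 1),
    }


if __name__ == "__main__":
    print(run_demo())
```

The lock is held for one fragment at a time, so a read or write that arrives during initialization waits only for that fragment, and the file length never changes because no header is added.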
Fig. 8 is a schematic block diagram of a database transparent encryption apparatus 300 according to an embodiment of the present invention. As shown in fig. 8, the present invention also provides a transparent database encryption apparatus 300 corresponding to the transparent database encryption method. The database transparent encryption apparatus 300 includes a unit for performing the above-described database transparent encryption method, and the apparatus may be configured in a server. Specifically, referring to fig. 8, the database transparent encryption apparatus 300 includes a write data obtaining unit 301, an initialization unit 302, an encryption determining unit 303, a fragment encryption unit 304, and a writing unit 305.
A write data obtaining unit 301, configured to obtain data to be written to obtain initial data; an initialization unit 302, configured to initialize configuration related information; an encryption judgment unit 303, configured to judge whether the initial data needs to be encrypted; a fragment encryption unit 304, configured to encrypt the initial data in a fragment encryption manner if the initial data needs to be encrypted, and write an encryption result into a disk file; a writing unit 305, configured to write the initial data into a disk file if the initial data does not need to be encrypted.
In an embodiment, the initialization unit 302 is configured to set a data encryption rule and an interception policy.
In an embodiment, as shown in fig. 9, the fragmentation encryption unit 304 includes a fragmentation sub-unit 3041 and an encryption sub-unit 3042.
A fragmentation subunit 3041, configured to fragment the initial data to obtain a fragmentation result; the encryption subunit 3042 is configured to encrypt the fragmentation result in a time-sharing manner, and when there is a disk IO in the encryption process, suspend the disk IO until the current fragmentation result is encrypted, and then execute the disk IO.
Fig. 10 is a schematic block diagram of a database transparent encryption apparatus 300 according to another embodiment of the present invention. As shown in fig. 10, the database transparent encryption apparatus 300 of the present embodiment adds a request acquisition unit 306, a file judgment unit 307, a decryption unit 308, and a return unit 309 to the apparatus of the above-described embodiment.
A request obtaining unit 306, configured to obtain a read request; a file determining unit 307, configured to determine whether the data file corresponding to the read request is a trusted process; the decryption unit 308 is configured to decrypt the data file corresponding to the read request and return the decrypted data file to the database if the data file corresponding to the read request is a trusted process, so that the database obtains a decryption result and then processes the decrypted data file, so as to return the processed data to the terminal; a returning unit 309, configured to return the data file corresponding to the read request if the data file corresponding to the read request is not a trusted process.
It should be noted that, as can be clearly understood by those skilled in the art, the specific implementation process of the database transparent encryption device 300 and each unit may refer to the corresponding description in the foregoing method embodiment, and for convenience and brevity of description, no further description is provided herein.
The database transparent encryption apparatus 300 may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 11.
Referring to fig. 11, fig. 11 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, wherein the server may be an independent server or a server cluster composed of a plurality of servers.
Referring to fig. 11, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a database transparent encryption method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 can be enabled to execute a database transparent encryption method.
The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 11 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation of the computer device 500 to which the present application may be applied, and that a particular computer device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:
acquiring data to be written to obtain initial data; initializing configuration related information; judging whether the initial data needs to be encrypted or not; if the initial data needs to be encrypted, encrypting the initial data in a fragmentation encryption mode, and writing an encryption result into a disk file; and if the initial data does not need to be encrypted, writing the initial data into a disk file.
In an embodiment, when the processor 502 implements the step of initializing configuration related information, the following steps are specifically implemented:
setting data encryption rules and an interception strategy.
In an embodiment, when implementing the steps of encrypting the initial data by using a fragment encryption method and writing an encryption result into a disk file, the processor 502 specifically implements the following steps:
fragmenting the initial data to obtain a fragmentation result; and encrypting the fragmentation result in a time-sharing manner, and when a disk IO exists in the encryption process, suspending the disk IO until the current fragmentation result is encrypted, and then executing the disk IO.
In an embodiment, after implementing the steps of encrypting the initial data by using the fragment encryption method and writing the encryption result into the disk file, the processor 502 further implements the following steps:
acquiring a read request; judging whether the data file corresponding to the read request is a trusted process; if the data file corresponding to the read request is a trusted process, decrypting the data file corresponding to the read request and returning the decrypted data file to the database, so that the database acquires the decryption result, processes it, and returns the processed data to the terminal; and if the data file corresponding to the read request is not a trusted process, returning the data file corresponding to the read request.
It should be understood that, in the embodiments of the present application, the processor 502 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like. The general-purpose processor may be a microprocessor or any conventional processor.
It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:
acquiring data to be written to obtain initial data; initializing configuration related information; judging whether the initial data needs to be encrypted or not; if the initial data needs to be encrypted, encrypting the initial data in a fragmentation encryption mode, and writing an encryption result into a disk file; and if the initial data does not need to be encrypted, writing the initial data into a disk file.
In an embodiment, when the processor executes the computer program to implement the step of initializing configuration related information, the following steps are specifically implemented:
setting data encryption rules and an interception strategy.
In an embodiment, when the processor executes the computer program to implement the steps of encrypting the initial data in a fragment encryption manner and writing an encryption result in a disk file, the following steps are specifically implemented:
fragmenting the initial data to obtain a fragmentation result; and encrypting the fragmentation result in a time-sharing manner, and when a disk IO exists in the encryption process, suspending the disk IO until the current fragmentation result is encrypted, and then executing the disk IO.
In an embodiment, after the processor executes the computer program to implement the steps of encrypting the initial data in a fragmentation encryption manner and writing an encryption result into a disk file, the processor further implements the following steps:
acquiring a read request; judging whether the data file corresponding to the read request is a trusted process; if the data file corresponding to the read request is a trusted process, decrypting the data file corresponding to the read request and returning the decrypted data file to the database, so that the database acquires the decryption result, processes it, and returns the processed data to the terminal; and if the data file corresponding to the read request is not a trusted process, returning the data file corresponding to the read request.
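The write and read flows described above (rule check, fragment-by-fragment encryption with held disk IO released between fragments, and the trusted-process decision on read), as an added example that is not code from the patent or its applicant. Assumptions: the encryption rule is a file-suffix match, trust is decided by the requesting process name, the disk is a dict, the shard size is 16 bytes, and an HMAC-SHA256 keystream stands in for a real cipher; the per-shard MAC bound to the shard index is an addition the patent text does not describe.

```python
import hashlib, hmac, os
from collections import deque

SHARD_SIZE = 16                                   # assumed shard size (tiny, for the demo)
ENC_KEY = hashlib.sha256(b"demo-enc").digest()    # constructed keys, not real key management
MAC_KEY = hashlib.sha256(b"demo-mac").digest()
ENCRYPT_SUFFIXES = (".ibd", ".dbf")               # assumed data encryption rule
TRUSTED_PROCESSES = {"mysqld"}                    # assumed interception policy

def _mac(nonce, idx, ct):
    # Binds each shard to its file nonce and position, so swaps and edits are detected.
    return hmac.new(MAC_KEY, nonce + idx.to_bytes(4, "big") + ct, hashlib.sha256).digest()

def _crypt(nonce, idx, chunk):
    # Stand-in stream cipher (HMAC-SHA256 keystream); use AES-GCM or similar in practice.
    stream, ctr = b"", 0
    while len(stream) < len(chunk):
        block = nonce + idx.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        stream += hmac.new(ENC_KEY, block, hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(chunk, stream))

def write_file(disk, path, data, pending_io=()):
    """Write path: rule check, then shard-by-shard encryption. Returns an event log."""
    log, queue = [], deque(pending_io)
    if not path.endswith(ENCRYPT_SUFFIXES):
        disk[path] = ("plain", data)
        return log + ["write-plain"]
    nonce, shards = os.urandom(12), []
    for idx, off in enumerate(range(0, len(data), SHARD_SIZE)):
        ct = _crypt(nonce, idx, data[off:off + SHARD_SIZE])
        shards.append((ct, _mac(nonce, idx, ct)))
        log.append(f"shard-{idx}")
        while queue:                        # disk IO held during this shard runs now,
            log.append(queue.popleft()())   # before the next shard starts
    disk[path] = ("enc", nonce, shards)
    return log + ["write-enc"]

def read_file(disk, path, process_name):
    """Read path: only a trusted process gets plaintext; others get the stored bytes."""
    record = disk[path]
    if record[0] == "plain":
        return record[1]
    _, nonce, shards = record
    if process_name not in TRUSTED_PROCESSES:
        return b"".join(ct for ct, _ in shards)
    out = b""
    for idx, (ct, tag) in enumerate(shards):
        if not hmac.compare_digest(tag, _mac(nonce, idx, ct)):
            raise ValueError(f"shard {idx} failed its integrity check")
        out += _crypt(nonce, idx, ct)
    return out
```

The event log makes the time-sharing visible: a held IO request waits for one shard, not for the whole file. A process name is easy to spoof, so a deployment would anchor the trust decision in something stronger, such as the executable's path and signature.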
The storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or any of various other computer-readable storage media.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above generally in terms of their functions in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A database transparent encryption method, characterized by comprising the following steps:
acquiring data to be written to obtain initial data;
initializing configuration related information;
judging whether the initial data needs to be encrypted or not;
if the initial data needs to be encrypted, encrypting the initial data in a fragmentation encryption mode, and writing an encryption result into a disk file;
and if the initial data does not need to be encrypted, writing the initial data into a disk file.
2. The database transparent encryption method according to claim 1, wherein the initializing configuration related information comprises:
setting data encryption rules and an interception strategy.
3. The transparent encryption method for the database according to claim 1, wherein the encrypting the initial data by using a fragment encryption method and writing the encryption result into a disk file comprises:
fragmenting the initial data to obtain a fragmentation result;
and encrypting the fragmentation result in a time-sharing manner, and when a disk IO exists in the encryption process, suspending the disk IO until the current fragmentation result is encrypted, and then executing the disk IO.
4. The transparent database encryption method according to claim 1, wherein after encrypting the initial data in a fragment encryption manner and writing an encryption result in a disk file, the method further comprises:
acquiring a read request;
judging whether the data file corresponding to the read request is a trusted process;
if the data file corresponding to the read request is a trusted process, decrypting the data file corresponding to the read request and returning the decrypted data file to the database, so that the database acquires the decryption result, processes it, and returns the processed data to the terminal;
and if the data file corresponding to the read request is not a trusted process, returning the data file corresponding to the read request.
5. A database transparent encryption apparatus, characterized by comprising:
a write data acquisition unit for acquiring data to be written to obtain initial data;
an initialization unit for initializing configuration related information;
an encryption judgment unit for judging whether the initial data needs to be encrypted;
a fragment encryption unit for encrypting the initial data in a fragment encryption manner if the initial data needs to be encrypted, and writing an encryption result into a disk file;
and a writing unit for writing the initial data into a disk file if the initial data does not need to be encrypted.
6. The database transparent encryption device according to claim 5, wherein the initialization unit is configured to set a data encryption rule and an interception policy.
7. The database transparent encryption device according to claim 5, wherein the fragment encryption unit comprises:
a fragmentation subunit for fragmenting the initial data to obtain a fragmentation result;
and an encryption subunit for encrypting the fragmentation result in a time-sharing manner, and, when a disk IO exists in the encryption process, suspending the disk IO until the current fragmentation result is encrypted and then executing the disk IO.
8. The database transparent encryption device according to claim 5, further comprising:
a request acquisition unit for acquiring a read request;
a file judging unit for judging whether the data file corresponding to the read request is a trusted process;
a decryption unit for decrypting the data file corresponding to the read request and returning the decrypted data file to the database if the data file corresponding to the read request is a trusted process, so that the database acquires the decryption result, processes it, and returns the processed data to the terminal;
and a returning unit for returning the data file corresponding to the read request if the data file corresponding to the read request is not a trusted process.
9. A computer arrangement, characterized in that the computer arrangement comprises a memory having stored thereon a computer program and a processor implementing the method according to any of claims 1-4 when executing the computer program.
10. A storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 4.
CN202111629176.XA 2021-12-28 2021-12-28 Database transparent encryption method and device, computer equipment and storage medium Pending CN114386064A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111629176.XA CN114386064A (en) 2021-12-28 2021-12-28 Database transparent encryption method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111629176.XA CN114386064A (en) 2021-12-28 2021-12-28 Database transparent encryption method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114386064A true CN114386064A (en) 2022-04-22

Family

ID=81197636

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111629176.XA Pending CN114386064A (en) 2021-12-28 2021-12-28 Database transparent encryption method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114386064A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination