CN114611123A - File transparent encryption and decryption method and system - Google Patents

File transparent encryption and decryption method and system Download PDF

Info

Publication number
CN114611123A
CN114611123A CN202210228822.XA CN202210228822A CN114611123A CN 114611123 A CN114611123 A CN 114611123A CN 202210228822 A CN202210228822 A CN 202210228822A CN 114611123 A CN114611123 A CN 114611123A
Authority
CN
China
Prior art keywords
file
content
shared cache
reading
read
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210228822.XA
Other languages
Chinese (zh)
Other versions
CN114611123B (en
Inventor
朱盼盼
石春刚
张永静
郑宇宁
李静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jinghang Computing Communication Research Institute
Original Assignee
Beijing Jinghang Computing Communication Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jinghang Computing Communication Research Institute filed Critical Beijing Jinghang Computing Communication Research Institute
Priority to CN202210228822.XA priority Critical patent/CN114611123B/en
Publication of CN114611123A publication Critical patent/CN114611123A/en
Application granted granted Critical
Publication of CN114611123B publication Critical patent/CN114611123B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/16File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F16/162Delete operations
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/17Details of further file system functions
    • G06F16/172Caching, prefetching or hoarding of files
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Human Computer Interaction (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A file transparent encryption and decryption method and system are provided, and the method comprises the following steps: establishing a shared cache in a kernel mode for caching read-write contents of files; intercepting a file reading operation in a kernel mode, and acquiring a reading operation parameter; judging whether the file is an encrypted file or not according to the reading operation parameters, if so, reading the file content from the shared cache according to the reading operation parameters and sending the file content to a user mode process; otherwise, reading the file content by adopting a system function and sending the file content to a user mode process; intercepting file write operation in a kernel mode, and acquiring write operation parameters; storing the written content in a shared cache; and when the shared cache space is full or the written content is the tail of the file, judging whether the file is an encrypted file or not according to the write operation parameters, if so, encrypting the file content stored in the shared cache in a user mode, writing the encrypted content into the file in a kernel mode, and otherwise, directly writing the written content into the file in the kernel mode.

Description

File transparent encryption and decryption method and system
Technical Field
The invention relates to the technical field of file encryption and decryption, in particular to a file transparent encryption and decryption method and system.
Background
With the popularization of personal computers and office automation, the protection of sensitive files from being leaked becomes a hot spot problem concerned by people. At present, office business systems of various companies use respective security control means to encrypt and decrypt office files, and prevent leakage of confidential files and information. Since office documents are public to the insiders, they are usually implemented using transparent encryption and decryption techniques. Transparent encryption and decryption means that the encryption and decryption process cannot be perceived by a user in the operation process of the user, namely, the encryption and decryption operation on a file is realized under the condition that the user does not perceive the encryption and decryption process.
At present, the transparent encryption and decryption method based on the file is either completely realized in a user mode or completely realized in a kernel mode. The transparent encryption and decryption method based on the user state often has the problems of potential safety hazard and low speed; the transparent encryption and decryption method based on the kernel state can cause the problems of instability of the system and difficulty in upgrading the system.
Disclosure of Invention
In view of the foregoing analysis, an embodiment of the present invention is directed to providing a file transparent encryption and decryption method, so as to solve the problems of potential safety hazards, slow speed, and difficulty in upgrading existing in the existing file transparent encryption and decryption method.
In one aspect, an embodiment of the present invention provides a file transparent encryption and decryption method, including:
establishing a shared cache in a kernel mode for caching read-write contents of the file;
intercepting a file reading operation in a kernel mode, and acquiring a reading operation parameter; judging whether the file is an encrypted file or not according to the reading operation parameters, if so, reading the file content from the shared cache according to the reading operation parameters and sending the file content to a user mode process; otherwise, reading the file content by adopting a system function and sending the file content to a user mode process;
intercepting file write operation in a kernel mode, and acquiring write operation parameters; storing the written content in a shared cache; and when the shared cache space is full or the written content is the tail of the file, judging whether the file is an encrypted file or not according to the write operation parameters, if so, encrypting the file content stored in the shared cache in a user mode, writing the encrypted content into the file in a kernel mode, and otherwise, directly writing the written content into the file in the kernel mode.
Based on the further improvement of the technical proposal,
the read operation parameters include: file descriptor, read offset and read length;
the write operation parameters include: file descriptor, write offset and write length;
judging whether the file is an encrypted file according to the read operation parameter or the write operation parameter, including:
obtaining a file name, a file type and a file opening process according to the file descriptor, if the file type is a monitoring type or the file opening process is a monitoring process, obtaining an extended attribute or a file header according to the file name, and judging whether the file is an encrypted file or not according to the file extended attribute or the file header; otherwise, judging the file to be a non-encrypted file.
Based on the further improvement of the technical scheme, the method for reading the file content from the shared cache according to the read operation parameters and sending the file content to the user mode process comprises the following steps:
judging whether the read file content is in a shared cache or not according to the read operation parameters, if so, directly reading the file content from the shared cache and sending the file content to a user mode process; otherwise, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt, writing the decrypted content into the shared cache, reading the decrypted file content from the shared cache in the kernel mode according to the read offset and the read length, and sending the decrypted file content to the user mode process.
Further, judging whether the read file content is in the shared cache according to the read operation parameter includes:
judging whether the file exists in the shared cache or not according to the file name, and if not, judging that the read file content is not in the shared cache; if not, then,
and judging whether the read offset is more than or equal to the offset of the cache in the shared cache region and the read length is less than the length from the read offset to the end of the cache content, if so, judging that the read file content is in the shared cache, otherwise, judging that the read file content is not in the shared cache.
Further, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt, and writing the decrypted content into the shared cache, including:
sending a message to a user mode encryption and decryption process in a kernel mode, wherein the message comprises a file name, a reading offset, a reading length and a shared cache address;
and the user mode encryption and decryption process reads the encrypted file content according to the file name, the reading offset and the reading length, decrypts the encrypted file content according to a decryption algorithm, and stores the decrypted content into the shared cache address.
Further, storing the write content in a shared cache, comprising:
judging whether the file exists in the shared cache according to the file name, if not, directly storing the written content into the shared cache; if so, then:
if the offset of the cache in the shared cache region is less than or equal to the write offset and the sum of the difference between the write offset and the cache offset and the write length is less than or equal to the size of the cache region, storing the write content in a position corresponding to the write offset in the shared cache; if the offset of the cache in the shared cache region is less than or equal to the write-in offset and the sum of the difference between the write-in offset and the cache offset and the write-in length is greater than the size of the cache region, writing the cache content into the file, deleting the content of the file in the shared cache, and storing the written content into the shared cache; if the offset of the cache in the shared cache region is larger than the write-in offset, deleting the content of the file in the shared cache, and storing the write-in content in the shared cache.
Further, encrypting the file content stored in the shared cache in the user mode, and calling a system function to write the encrypted content into the file in the kernel mode, including:
sending a message to a user mode encryption and decryption process in a kernel mode, wherein the message comprises a shared cache address of unencrypted file content, a file content length and a shared cache address of encrypted file content;
the user mode encryption and decryption process reads the unencrypted content with the file content length from the storage address of the unencrypted file content in the shared cache, encrypts the unencrypted content according to an encryption algorithm, and stores the encrypted content into the shared cache address of the encrypted file content;
and writing the encrypted content into the file in the kernel mode according to the file descriptor and the write offset.
Furthermore, the user mode encryption and decryption process is a daemon process, and the user mode encryption and decryption process adopts a multithreading parallel mode for encryption or decryption.
Compared with the prior art, the file transparent encryption and decryption method provided by the embodiment has the advantages that the shared cache is established in the kernel mode, the file content is encrypted through the cache, the file content is read from the shared cache when the file is read, so that the file reading is accelerated, the file is firstly placed into the shared cache when the file is written, the content of the shared cache is encrypted in the user mode after the writing is finished or the cache is full, the file is written, and the performance and the safety of the file transparent encryption and decryption are improved through the mutual matching of the user mode and the kernel mode; meanwhile, when the encryption and decryption algorithms are updated, only the corresponding algorithm library needs to be updated in a user mode, the upgrading process is simple, and the stability of the system is improved. The kernel mode module directly intercepts the read-write operation of the user without using an additional file system stacking and directory mounting mode, and the encrypted file management is simplified.
On the other hand, an embodiment of the present invention provides a file transparent encryption and decryption system, including:
the shared cache creating module is used for creating a shared cache in a kernel mode and caching read-write content of the file;
the file reading module is used for intercepting file reading operation in a kernel mode and acquiring reading operation parameters; judging whether the file is an encrypted file or not according to the reading operation parameters, if so, reading the file content from the shared cache according to the reading operation parameters and sending the file content to a user mode process; otherwise, reading the file content by adopting a system function and sending the file content to a user mode process;
the file writing module is used for intercepting file writing operation in a kernel mode and acquiring writing operation parameters; storing the written content in a shared cache; and when the shared cache space is full or the written content is the tail of the file, judging whether the file is an encrypted file or not according to the write operation parameters, if so, encrypting the file content stored in the shared cache in a user mode, writing the encrypted content into the file in a kernel mode, and otherwise, directly writing the written content into the file in the kernel mode.
Further, the file reading module reads file contents from the shared cache according to the read operation parameters and sends the file contents to the user mode process, and the file reading module includes:
judging whether the read file content is in a shared cache or not according to the read operation parameters, if so, directly reading the file content from the shared cache and sending the file content to a user mode process; otherwise, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt, writing the decrypted content into the shared cache, reading the decrypted file content from the shared cache in the kernel mode according to the read offset and the read length, and sending the decrypted file content to the user mode process.
In the invention, the technical schemes can be combined with each other to realize more preferable combination schemes. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, wherein like reference numerals are used to designate like parts throughout.
FIG. 1 is a flowchart of a file transparent encryption and decryption method according to an embodiment of the present invention;
fig. 2 is a block diagram of a file transparent encryption and decryption system according to an embodiment of the present invention.
Detailed Description
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate preferred embodiments of the invention and together with the description, serve to explain the principles of the invention and not to limit the scope of the invention.
The transparent encryption and decryption method based on the user state often has the problems of potential safety hazard and low speed; the transparent encryption and decryption method based on the kernel state can cause the instability of the system, and when the encryption algorithm is upgraded, the kernel state program needs to be re-developed, so that the system is difficult to upgrade.
To solve the above problem, a specific embodiment of the present invention discloses a file transparent encryption and decryption method, as shown in fig. 1, including:
s1, creating a shared cache in the kernel mode for caching the read-write content of the file;
s2, intercepting the file reading operation in the kernel state to obtain reading operation parameters; judging whether the file is an encrypted file or not according to the reading operation parameters, if so, reading the file content from the shared cache according to the reading operation parameters and sending the file content to a user mode process; otherwise, reading the file content by adopting a system function and sending the file content to a user mode process;
s3, intercepting the file writing operation in a kernel mode, and acquiring writing operation parameters; storing the written content in a shared cache; and when the shared cache space is full or the written content is the tail of the file, judging whether the file is an encrypted file or not according to the write operation parameters, if so, encrypting the file content stored in the shared cache in a user mode, writing the encrypted content into the file in a kernel mode, and otherwise, directly writing the written content into the file in the kernel mode.
Compared with the prior art, the file transparent encryption and decryption method provided by the embodiment has the advantages that the shared cache is established in the kernel mode, the file content is encrypted through the cache, the file content is read from the shared cache when the file is read, so that the file reading is accelerated, the file is firstly placed into the shared cache when the file is written, the content of the shared cache is encrypted in the user mode after the writing is finished or the cache is full, the file is written, and the performance and the safety of the file transparent encryption and decryption are improved through the mutual matching of the user mode and the kernel mode; meanwhile, when the encryption and decryption algorithms are updated, only the corresponding algorithm library needs to be updated in a user mode, the upgrading process is simple, and the stability of the system is improved. The kernel mode module directly intercepts the read-write operation of the user without using an additional file system stacking and directory mounting mode, and the encrypted file management is simplified.
In implementation, in a Linux environment, for example, a memory is applied through get _ free _ pages, a cache is shared to a user mode through mmap, and the user mode realizes reading and writing of the shared cache through an equipment interface.
In Windows environment, an internal memory is created by calling an ExallocatePoolWithTag function at a kernel layer, then the internal memory is mapped into an MDL shared internal memory through an IoAllocatemdl function, and the user mode realizes the reading and writing of a shared cache through a DeviceIoControl function.
In implementation, for convenience of management, a read file hash chain table and a write file hash chain table are established in the shared cache and are respectively used for managing read file contents and write file contents stored in the shared cache region.
And reading the file hash linked list, wherein the file name/MAGIC is used as a hash function, and storing a decrypted content structure body on the linked list, wherein the decrypted content structure body comprises the file name, the buffer offset, the buffer length and a decrypted file content pointer. The decrypted file content refers to an address indicating that the decrypted file content is stored.
In practice, a fixed size buffer, for example 2M, may be set for each read file.
The file writing hash linked list takes a file name/MAGIC as a hash function, and an encrypted content structure body is stored on the linked list and comprises the file name, a cache offset, a cache length, a source content pointer and an encrypted content pointer, wherein the source content pointer is used for indicating a storage address of source file content (namely, file content before encryption), and the encrypted content pointer is used for indicating a storage address of encrypted file content (namely, file content after encryption).
In practice, a fixed size buffer, e.g., 2M, may be provided for each write file.
When the file processing method is implemented, when a user opens a file processing file on an operating system, the read-write operation of the file is intercepted in a kernel state to obtain read operation parameters and write operation parameters, so that the transparent encryption and decryption of the file are performed. In implementation, in a Linux environment, the read file HOOK is realized by replacing _ sys _ call _ table [ __ NR _ read ], and the write file HOOK is realized by replacing _ sys _ call _ table [ __ NR _ write ]. Registering an IRP _ MJ _ READ type PreRead on a windows through a minilite framework to realize HOOK for reading operation; HOOK for WRITE operations is implemented by registering IRP _ MJ _ WRITE type PreWrite through the minimaliter framework.
Specifically, the read operation parameters include: file descriptor, read offset, and read length. The write operation parameters include: file descriptor, write offset, and write length.
Where a file descriptor is an index that the system creates for efficient management of files. The file name (file path + file name), the process of opening the file, and the file type can be obtained from the file descriptor information. The specific acquisition process is the prior art and is not described herein again.
The read offset is the offset of the read content from the beginning of the file. The write offset is the offset of the written content from the beginning of the file.
Judging whether the file is an encrypted file according to the read operation parameter or the write operation parameter, including:
obtaining a file name, a file type and a file opening process according to the file descriptor, if the file type is a monitoring type or the file opening process is a monitoring process, obtaining an extended attribute or a file header according to the file name, and judging whether the file is an encrypted file or not according to the file extended attribute or the file header; otherwise, judging the file to be a non-encrypted file.
For example, if the monitoring process is a process such as wps, wpp, et, and getit, the monitoring file type is doc, docx, ppt, pptx, et. And when the process of opening the file is wps, wpp, et and getit, or the type of the file is doc, docx, ppt, pptx and et, judging whether the file is an encrypted file or not according to the file extension attribute, and otherwise, judging that the file is a non-encrypted file.
In implementation, under a linux environment, obtaining a file extension attribute key value by calling getxattr through a system; and acquiring a file extension attribute key value through NtQueryInformationFile in a windows environment, and judging whether the file is an encrypted file or not according to the extension attribute key value.
In the implementation process, if whether the file is encrypted is identified by the content of the file header, the file header can be obtained according to the file name, and whether the file is an encrypted file is judged according to the file header.
And when the file read by the reading operation is the non-encrypted file, calling the original system reading function, and returning the read file content to the user-mode file reading process.
When the read file is an encrypted file, reading file content from the shared cache according to the read operation parameter, and sending the file content to the user mode process, specifically comprising:
judging whether the read file content is in a shared cache or not according to the read operation parameters, if so, directly reading the file content from the shared cache and sending the file content to a user mode process; otherwise, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt, writing the decrypted content into the shared cache, reading the decrypted file content from the shared cache in the kernel mode according to the read offset and the read length, and sending the decrypted file content to the user mode process.
If the shared cache always contains the content to be read, the content is directly read from the shared cache and sent to a user-mode file reading process, so that the file reading speed is accelerated, if the content to be read does not exist in the shared cache, the encrypted file is read and decrypted in the user mode, the decrypted content is written into the shared cache, and the decrypted file content is read from the shared cache and sent to the user-mode file reading process. The decryption algorithm is realized in a user mode, when the decryption algorithm is updated, only the dynamic algorithm library needs to be replaced, the stability of the system is not affected, and the decrypted content is directly written into the shared cache of the user mode. Only the content needing to be read is decrypted, because the reading speed is high, and the decrypted content is directly written into the kernel-state shared content, the safety is improved.
Specifically, the determining whether the read file content is in the shared cache according to the read operation parameter includes:
judging whether the file exists in the shared cache or not according to the file name, and if not, judging that the read file content is not in the shared cache; if not, then,
and judging whether the read offset is more than or equal to the offset of the cache in the shared cache region and the read length is less than the length from the read offset to the end of the cache content, if so, judging that the read file content is in the shared cache, otherwise, judging that the read file content is not in the shared cache.
When the method is implemented, whether the file exists in the read file hash chain table is judged according to the file name, and if the file does not exist, the read file content is directly judged not to be in the shared cache. If the file name exists, judging whether the read offset is larger than or equal to the offset cached in the shared cache region and the read length is smaller than the length from the read offset to the end of the cache content, if so, indicating that the content to be read is completely present in the shared cache region, otherwise, indicating that the content to be read is not present in the shared cache region.
If the content to be read completely exists in the shared cache region, the shared cache region stores the decrypted content, so that the file content is read from the corresponding address directly according to the read offset and the read length and according to the decrypted file content pointer stored in the read file hash chain table, and the read file content is sent to the process of reading the file in the user mode.
If the read offset is smaller than the cache offset, or the read offset is greater than or equal to the cache offset but the read length is greater than the length from the read offset to the end of the cache content, at this time, the content to be read is not all in the shared cache, and file decryption needs to be performed in a user mode, and the decrypted content is written into the shared cache.
Specifically, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt the encrypted file content, and writing the decrypted content into the shared cache includes:
sending a message to a user mode encryption and decryption process in a kernel mode, wherein the message comprises a file name, a reading offset, a reading length and a shared cache address;
and the user mode encryption and decryption process reads the encrypted file content according to the file name, the reading offset and the reading length, decrypts the encrypted file content according to a decryption algorithm, and stores the decrypted content into the shared cache address.
In the implementation process, in a Linux environment, a message is sent to a user mode encryption and decryption process in a kernel mode through a netlink protocol, and in a windows environment, the message is sent to the user mode encryption and decryption process in the kernel mode through a KeSetEvent.
In implementation, in order to further increase the file reading rate, when the kernel mode sends a message to the user mode encryption and decryption process, the read offset may be the maximum length of the shared cache region corresponding to the file. The shared cache region is filled at one time, so that the content can be directly read from the shared cache when the file is read later, and the reading speed is increased.
The user mode encryption and decryption process is a daemon process, and the user mode encryption and decryption process is a self-starting service process.
After the user mode encryption and decryption module receives the message, firstly, the position of the reading offset in the encrypted file is calculated according to the used encryption and decryption algorithm, the length of the reading offset corresponds to the length of the encrypted content, then, a system reading function is called to read the corresponding encrypted file content, then, a decryption algorithm library is called to decrypt the encrypted file content, and the decrypted content is written into the shared cache.
In implementation, in order to improve the file reading speed, the user mode encryption and decryption process adopts a multithreading parallel mode for decryption. For example, the content of the encrypted file is divided into 16 parts, 16 threads are started and the content is decrypted, the offset of each thread is offset + round (MAX _ SIZE/16) × i, the read length is round (MAX _ SIZE/16), namely the pre-read length is divided by 16 and rounded up. offset represents the position of the read offset in the encrypted file, and MAX _ SIZE represents the length of the read length corresponding to the encrypted content.
During implementation, a fixed address can be set in the shared cache region as a flag bit, and the corresponding flag bit is modified after each thread of the user mode encryption and decryption process completes decryption. The kernel state can judge whether decryption is completed according to the state of the zone bit, and after all threads finish decryption, namely all the zone bits are set, the kernel state reads corresponding decryption content and returns to the user state.
And writing the decrypted content into the corresponding shared cache address after decryption, and updating the cache offset and the cache length stored in the hash chain table. And the kernel state reads corresponding content from the shared cache and sends the corresponding content to the file reading process according to the reading offset and the reading length, so that transparent decryption of the file is completed.
The on-demand processing technology is adopted, only the fragments which need to be read and written by a user are processed, full-text processing is not needed, and therefore the file reading and writing speed is increased.
For file write operation, after obtaining write operation parameters, firstly storing write contents in a shared cache, specifically including:
judging whether the file exists in the shared cache according to the file name, if not, directly storing the written content into the shared cache; if so, then:
if the offset of the cache in the shared cache region is less than or equal to the write offset, storing the write content in a position corresponding to the write offset in the shared cache; otherwise, deleting the content of the file in the shared cache, and storing the written content into the shared cache.
When the method is implemented, whether the file exists in the write file hash chain table is judged according to the file name, if the file does not exist in the write file hash chain table, a cache region is distributed for the file in a shared cache, the written content is stored in the shared cache, and nodes representing the content of the file are added in the write file hash chain table.
If the file name exists, after the file is modified, the file is stored in a content block sequence from the file head or the modification position to the file tail, so that the specific storage address of the written content in the shared cache area can be judged according to the cache offset and the size of the written offset. If the offset of the cache in the shared cache region is less than or equal to the write offset, and the sum of the difference between the write offset and the cache offset and the write length is less than or equal to the size of the cache region, the previous content of the currently stored content block is already stored in the cache, and the cache region has a space for storing the content of the current content block, the write content is directly stored in the position corresponding to the write offset in the shared cache. If the offset of the cache in the shared cache region is less than or equal to the write offset, but the difference between the write offset and the cache offset and the sum of the write length are greater than the cache region, it indicates that the cache region does not have enough space to store the content of the current content block at the moment, and at the moment, the cache region is considered to be full, the content of the cache region needs to be written into the file first, then the content of the cache region is deleted, and the written content is written into the initial address of the shared cache region corresponding to the file.
If the offset of the cache in the shared cache region is larger than the write-in offset, deleting the content of the file in the shared cache, and storing the write-in content into the initial address of the shared cache region corresponding to the file. The content in the shared cache region can be deleted, and the written content is stored into the initial address of the shared cache region corresponding to the file.
In implementation, the shared cache for reading files and the shared cache for writing files are different cache areas.
And when the space of the file sharing cache region is full or the written content is the tail of the file, judging whether the file is an encrypted file or not according to the write operation parameters.
Judging whether the file is an encrypted file according to the write operation parameters and judging whether the file is the encrypted file according to the read operation parameters, wherein the judging process is the same as the judging process, the file name, the file type and the file opening process are obtained according to the file descriptor, if the file type is the monitoring type or the file opening process is the monitoring process, the extended attribute or the file header is obtained according to the file name, and whether the file is the encrypted file is judged according to the file extended attribute or the file header; otherwise, judging the file to be a non-encrypted file.
If the file is an unencrypted file, the original system write function is directly called to write the content in the shared cache into the file.
If the file is an encrypted file, encrypting the file content stored in the shared cache in the user mode, and calling a system function to write the encrypted content into the file in the kernel mode, which specifically comprises:
sending a message to a user mode encryption and decryption process in a kernel mode, wherein the message comprises a shared cache address of unencrypted file content, a file content length and a shared cache address of encrypted file content;
the user mode encryption and decryption process reads the unencrypted content with the file content length from the storage address of the unencrypted file content in the shared cache, encrypts the unencrypted content according to an encryption algorithm, and stores the encrypted content into the shared cache address of the encrypted file content;
and writing the encrypted content into the file in the kernel mode according to the file descriptor and the write offset.
In the implementation process, in a Linux environment, a message is sent to a user mode encryption and decryption process in a kernel mode through a netlink protocol, and in a windows environment, the message is sent to the user mode encryption and decryption process in the kernel mode through a KeSetEvent.
And after receiving the message, the user mode encryption and decryption module reads the unencrypted content with the file content length from the storage address of the unencrypted file content in the shared cache, encrypts the unencrypted content according to an encryption algorithm, and stores the encrypted content into the shared cache address of the encrypted file content.
In implementation, in order to improve the file encryption speed, the user mode encryption and decryption process adopts a multi-thread parallel encryption mode for encryption. For example, dividing the source content, i.e., the unencrypted content, into 16 parts, starting 16 threads to encrypt the content concurrently, and writing the encrypted content into the shared cache address of the encrypted file content.
Under the Linux environment, the read-write of the shared cache is realized by the user mode encryption and decryption process through the device interface/dev/hangdun _ mb. Under the Windows environment, the user mode encryption and decryption process realizes the read-write of the shared cache through a DeviceIoControl function.
And after encryption is finished, calling the original system write function in the kernel state, writing the encrypted content into the encrypted file, and emptying the shared cache corresponding to the file after the encryption writing is finished. Thereby realizing transparent encryption of the file.
A specific embodiment of the present invention discloses a file transparent encryption and decryption system, as shown in fig. 2, including:
the shared cache creating module is used for creating a shared cache in a kernel mode and caching read-write content of the file;
the file reading module is used for intercepting file reading operation in a kernel mode and acquiring reading operation parameters; judging whether the file is an encrypted file or not according to the reading operation parameters, if so, reading the file content from the shared cache according to the reading operation parameters and sending the file content to a user mode process; otherwise, reading the file content by adopting a system function and sending the file content to a user mode process;
the file writing module is used for intercepting file writing operation in a kernel mode and acquiring writing operation parameters; storing the written content in a shared cache; and when the shared cache space is full or the written content is the tail of the file, judging whether the file is an encrypted file according to the write operation parameters, if so, encrypting the file content stored in the shared cache in a user mode, and writing the encrypted content into the file in a kernel mode, otherwise, directly writing the written content into the file in the kernel mode.
Preferably, the file reading module reads file contents from the shared cache according to the read operation parameters and sends the file contents to the user mode process, and the file reading module includes:
judging whether the read file content is in a shared cache or not according to the read operation parameters, if so, directly reading the file content from the shared cache and sending the file content to a user mode process; otherwise, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt, writing the decrypted content into the shared cache, reading the decrypted file content from the shared cache in the kernel mode according to the read offset and the read length, and sending the decrypted file content to the user mode process.
The method embodiment and the system embodiment are based on the same principle, and related parts can be referenced mutually, and the same technical effect can be achieved. For a specific implementation process, reference is made to the foregoing embodiments, which are not described herein again.
Those skilled in the art will appreciate that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program, which is stored in a computer readable storage medium, to instruct related hardware. The computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory.
While the invention has been described with reference to specific preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the following claims.

Claims (10)

1. A file transparent encryption and decryption method is characterized by comprising the following steps:
establishing a shared cache in a kernel mode for caching read-write contents of the file;
intercepting a file reading operation in a kernel mode, and acquiring a reading operation parameter; judging whether the file is an encrypted file or not according to the reading operation parameters, if so, reading the file content from the shared cache according to the reading operation parameters and sending the file content to a user mode process; otherwise, reading the file content by adopting a system function and sending the file content to a user mode process;
intercepting file write operation in a kernel mode, and acquiring write operation parameters; storing the written content in a shared cache; and when the shared cache space is full or the written content is the tail of the file, judging whether the file is an encrypted file according to the write operation parameters, if so, encrypting the file content stored in the shared cache in a user mode, and writing the encrypted content into the file in a kernel mode, otherwise, directly writing the written content into the file in the kernel mode.
2. The file transparent encryption and decryption method according to claim 1,
the read operation parameters include: file descriptor, read offset and read length;
the write operation parameters include: file descriptor, write offset and write length;
judging whether the file is an encrypted file according to the read operation parameter or the write operation parameter, including:
obtaining a file name, a file type and a file opening process according to the file descriptor, if the file type is a monitoring type or the file opening process is a monitoring process, obtaining an extended attribute or a file header according to the file name, and judging whether the file is an encrypted file or not according to the file extended attribute or the file header; otherwise, judging the file to be a non-encrypted file.
3. The method for transparently encrypting and decrypting the file according to claim 2, wherein the step of reading the file content from the shared cache according to the read operation parameter and sending the file content to the user mode process comprises the following steps:
judging whether the read file content is in a shared cache or not according to the read operation parameters, if so, directly reading the file content from the shared cache and sending the file content to a user mode process; otherwise, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt, writing the decrypted content into the shared cache, reading the decrypted file content from the shared cache in the kernel mode according to the read offset and the read length, and sending the decrypted file content to the user mode process.
4. The method for transparently encrypting and decrypting the file according to claim 3, wherein the step of judging whether the read file content is in the shared cache according to the read operation parameter comprises the steps of:
judging whether the file exists in the shared cache or not according to the file name, and if not, judging that the read file content is not in the shared cache; if not, then,
and judging whether the read offset is more than or equal to the offset of the cache in the shared cache region and the read length is less than the length from the read offset to the end of the cache content, if so, judging that the read file content is in the shared cache, otherwise, judging that the read file content is not in the shared cache.
5. The method for transparently encrypting and decrypting the file according to claim 3, wherein the steps of reading the content of the encrypted file in the user mode, calling a decryption algorithm to decrypt the content, and writing the decrypted content into the shared cache include:
sending a message to a user mode encryption and decryption process in a kernel mode, wherein the message comprises a file name, a reading offset, a reading length and a shared cache address;
and the user mode encryption and decryption process reads the encrypted file content according to the file name, the reading offset and the reading length, decrypts the encrypted file content according to a decryption algorithm, and stores the decrypted content into the shared cache address.
6. The file transparent encryption and decryption method of claim 2, wherein storing the written content in a shared cache comprises:
judging whether the file exists in the shared cache according to the file name, if not, directly storing the written content into the shared cache; if so, then:
if the offset of the cache in the shared cache region is less than or equal to the write offset and the sum of the difference between the write offset and the cache offset and the write length is less than or equal to the size of the cache region, storing the write content in a position corresponding to the write offset in the shared cache; if the offset of the cache in the shared cache region is less than or equal to the write-in offset and the sum of the difference between the write-in offset and the cache offset and the write-in length is greater than the size of the cache region, writing the cache content into the file, deleting the content of the file in the shared cache, and storing the written content into the shared cache; if the offset of the cache in the shared cache region is larger than the write-in offset, deleting the content of the file in the shared cache, and storing the write-in content in the shared cache.
7. The method for transparently encrypting and decrypting the file according to claim 2, wherein the file contents stored in the shared cache are encrypted in a user mode, and a system function is called in a kernel mode to write the encrypted contents into the file, and the method comprises the following steps:
sending a message to a user mode encryption and decryption process in a kernel mode, wherein the message comprises a shared cache address of unencrypted file content, a file content length and a shared cache address of encrypted file content;
the user mode encryption and decryption process reads the unencrypted content with the file content length from the storage address of the unencrypted file content in the shared cache, encrypts the unencrypted content according to an encryption algorithm, and stores the encrypted content into the shared cache address of the encrypted file content;
and writing the encrypted content into the file in the kernel mode according to the file descriptor and the write offset.
8. The method for transparently encrypting and decrypting the file according to claim 5 or 7, wherein the user mode encryption and decryption process is a daemon process, and the user mode encryption and decryption process adopts a multithreading parallel mode for encryption or decryption.
9. A file transparent encryption and decryption system, comprising:
the shared cache creating module is used for creating a shared cache in a kernel mode and caching read-write content of the file;
the file reading module is used for intercepting file reading operation in a kernel mode and acquiring reading operation parameters; judging whether the file is an encrypted file or not according to the reading operation parameters, if so, reading the file content from the shared cache according to the reading operation parameters and sending the file content to a user mode process; otherwise, reading the file content by adopting a system function and sending the file content to a user mode process;
the file writing module is used for intercepting file writing operation in a kernel mode and acquiring writing operation parameters; storing the written content in a shared cache; and when the shared cache space is full or the written content is the tail of the file, judging whether the file is an encrypted file or not according to the write operation parameters, if so, encrypting the file content stored in the shared cache in a user mode, writing the encrypted content into the file in a kernel mode, and otherwise, directly writing the written content into the file in the kernel mode.
10. The system according to claim 9, wherein the file reading module reads the file content from the shared cache according to the read operation parameter and sends the file content to the user mode process, and the system comprises:
judging whether the read file content is in a shared cache or not according to the read operation parameters, if so, directly reading the file content from the shared cache and sending the file content to a user mode process; otherwise, reading the encrypted file content in the user mode, calling a decryption algorithm to decrypt, writing the decrypted content into the shared cache, reading the decrypted file content from the shared cache in the kernel mode according to the read offset and the read length, and sending the decrypted file content to the user mode process.
CN202210228822.XA 2022-03-08 2022-03-08 Transparent encryption and decryption method and system for file Active CN114611123B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210228822.XA CN114611123B (en) 2022-03-08 2022-03-08 Transparent encryption and decryption method and system for file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210228822.XA CN114611123B (en) 2022-03-08 2022-03-08 Transparent encryption and decryption method and system for file

Publications (2)

Publication Number Publication Date
CN114611123A true CN114611123A (en) 2022-06-10
CN114611123B CN114611123B (en) 2023-05-26

Family

ID=81861457

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210228822.XA Active CN114611123B (en) 2022-03-08 2022-03-08 Transparent encryption and decryption method and system for file

Country Status (1)

Country Link
CN (1) CN114611123B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115098034A (en) * 2022-07-07 2022-09-23 北京双洲科技有限公司 Storage method of context encryption key in linux operating system environment
CN116881869A (en) * 2023-09-07 2023-10-13 麒麟软件有限公司 Encryption protection method and system for executable program on Linux system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447397A (en) * 2016-01-07 2016-03-30 成都卫士通信息产业股份有限公司 File security level identification method based on kernel module
US20190081990A1 (en) * 2017-09-08 2019-03-14 Salesforce.Com, Inc. Intercepting calls for encryption handling in persistent access multi-key systems
CN113468112A (en) * 2021-09-02 2021-10-01 武汉华工安鼎信息技术有限责任公司 File management method and device, storage medium and computer equipment
CN113536369A (en) * 2021-06-29 2021-10-22 上海浩霖汇信息科技有限公司 Electronic file real-time transparent storage encryption and decryption method and system and related products

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447397A (en) * 2016-01-07 2016-03-30 成都卫士通信息产业股份有限公司 File security level identification method based on kernel module
US20190081990A1 (en) * 2017-09-08 2019-03-14 Salesforce.Com, Inc. Intercepting calls for encryption handling in persistent access multi-key systems
CN113536369A (en) * 2021-06-29 2021-10-22 上海浩霖汇信息科技有限公司 Electronic file real-time transparent storage encryption and decryption method and system and related products
CN113468112A (en) * 2021-09-02 2021-10-01 武汉华工安鼎信息技术有限责任公司 File management method and device, storage medium and computer equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
朱盼盼等: "一种分布式存储监控管理系统的设计与实现" *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115098034A (en) * 2022-07-07 2022-09-23 北京双洲科技有限公司 Storage method of context encryption key in linux operating system environment
CN116881869A (en) * 2023-09-07 2023-10-13 麒麟软件有限公司 Encryption protection method and system for executable program on Linux system
CN116881869B (en) * 2023-09-07 2023-12-26 麒麟软件有限公司 Encryption protection method and system for executable program on Linux system

Also Published As

Publication number Publication date
CN114611123B (en) 2023-05-26

Similar Documents

Publication Publication Date Title
US10558377B2 (en) Deduplication-based data security
CN114611123B (en) Transparent encryption and decryption method and system for file
US11366918B1 (en) Methods and apparatus for encrypted indexing and searching encrypted data
KR101221310B1 (en) System and method of transparent aware data transformation at file system level
US7222231B2 (en) Data security for distributed file systems
KR100503906B1 (en) Microprocessor
US8423592B2 (en) Method and system for accessing a storage system with multiple file systems
US20040064485A1 (en) File management apparatus and method
EP1536307B1 (en) Encryption of system paging file
US11288212B2 (en) System, apparatus, and method for secure deduplication
WO2021169121A1 (en) Method for switching between data storage schemes, device, and storage medium
CN111339034B (en) Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method
WO2024045407A1 (en) Virtual disk-based secure storage method
CN115758420A (en) File access control method, device, equipment and medium
US8132025B2 (en) Management method for archive system security
US11720270B2 (en) Client-side compression
CN113326526A (en) Data access method, device, equipment and storage medium
CN112733189A (en) System and method for realizing file storage server side encryption
US20150212951A1 (en) Low-latency, low-overhead hybrid encryption scheme
CN116680715A (en) Database encryption configuration method and device, electronic equipment and storage medium
KR102090374B1 (en) The Method and Apparatus for File System Level Encryption Using GPU
CN114329607A (en) Method for realizing transparent encryption and decryption of WAL log in PostgreSQL database
WO1996000942A1 (en) File encryption scheme
KR100906149B1 (en) Data Reading Method and Data Writing Method in it
CN118410501A (en) System and method for dynamically alternating keys of mirror image files of virtual machine

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant