CN115098877A - File encryption and decryption method and device, electronic equipment and medium - Google Patents


Info

Publication number
CN115098877A
Authority
CN
China
Prior art keywords
file
text
desensitization
user
sensitive
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211023033.9A
Other languages
Chinese (zh)
Inventor
张延昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Frontier Principal Technology Co ltd
Original Assignee
Beijing Frontier Principal Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Frontier Principal Technology Co ltd filed Critical Beijing Frontier Principal Technology Co ltd
Priority to CN202211023033.9A priority Critical patent/CN115098877A/en
Publication of CN115098877A publication Critical patent/CN115098877A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/16 Program or content traceability, e.g. by watermarking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)

Abstract

The method comprises: obtaining user information; when a user-triggered instruction to open a file is detected, transmitting the file from a storage medium to a native file system; and determining the file type of the file, which is either an encrypted file or an unencrypted file. If the file is unencrypted, it is deployed from the native file system to an upper-layer application. If the file is encrypted, it is transmitted from the native file system to the encrypted file system, and whether the user has the access right is determined based on the user information; if the user has the access right, the file is decrypted in the encrypted file system and the decrypted file is deployed to the upper-layer application. The method and the device have the effect of reducing resource occupation when a file is decrypted.

Description

File encryption and decryption method and device, electronic equipment and medium
Technical Field
The present application relates to the field of file processing, and in particular, to a method, an apparatus, an electronic device, and a medium for encrypting and decrypting a file.
Background
With the development of information security technology and the growing importance society places on information security, file encryption and decryption technologies have come to the fore. At present, when an encrypted file needs to be accessed, it is usually decrypted using the FUSE (Filesystem in Userspace) framework. When the FUSE framework is used for decryption, the corresponding decryption program usually has to be called from the local service application layer, that is, through cross-process communication, and calling the decryption program through cross-process communication occupies resources.
Disclosure of Invention
In order to reduce resource occupation during decryption operation of a file, the application provides a file encryption and decryption method, a file encryption and decryption device, an electronic device and a medium.
In a first aspect, the present application provides a file encryption and decryption method, which adopts the following technical scheme:
a method of encrypting and decrypting a file, comprising:
acquiring user information;
when a user-triggered instruction to open a file is detected, transmitting the file from a storage medium to a native file system;
determining the file type of the file, wherein the file type is either an encrypted file or an unencrypted file;
if the file is an unencrypted file, deploying the file from the native file system to an upper-layer application;
if the file is an encrypted file, transmitting the file from the native file system to the encrypted file system;
determining whether the user has the access right based on the user information;
and if so, decrypting the file in the encrypted file system and deploying the decrypted file to the upper-layer application.
With this technical scheme, user information is obtained so that the user's permission for the file can be determined later. When a user-triggered instruction to open a file is detected, the file stored in the storage medium is transmitted to the native file system, so that the file can be managed. Once the file is in the native file system, its type is determined. If the file is unencrypted, it does not need to be decrypted and is deployed directly to the upper-layer application, which outputs the file. If the file is encrypted, it must be decrypted before the user can access and view it. The encrypted file is transmitted to the encrypted file system, and whether the user has the access right to the file is determined from the user information. If the user has the access right, the encrypted file system decrypts the file, and the decrypted file is deployed to the upper-layer application, which outputs it. Because the file is decrypted by the encrypted file system, decryption is completed at the driver layer, which saves resources compared with calling a decryption program across processes.
In another possible implementation manner, when the user-triggered opening instruction for the file is detected, the method further includes:
establishing a running sandbox corresponding to the file;
and controlling the running sandbox to output the file according to the control authority corresponding to the file.
With this technical scheme, when a file is opened, a running sandbox is established for it so that the control authority of each file can be distinguished, with access rights set according to the content of the file. The file in the sandbox environment is controlled to run according to its corresponding authority. Operating on files through running sandboxes makes the authority of each file more precise and makes files less likely to leak.
In another possible implementation manner, the method further includes:
when a desensitization instruction triggered by a user and about a file is detected, and the file belongs to a document, identifying sensitive text in text information of the file;
determining a preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text;
determining desensitization texts corresponding to the sensitive texts based on the preset desensitization rules and the sensitive texts;
and replacing the sensitive text with the desensitized text to obtain a desensitized file.
With this technical scheme, if the file is a document and a user-triggered desensitization instruction for the file is detected, the user needs the file to be desensitized. The sensitive text in the file is identified, and the corresponding preset desensitization rule is determined according to the content type of the sensitive text. The sensitive text is desensitized according to that rule to obtain the desensitized text, and the sensitive text is then replaced with the desensitized text to obtain a desensitized file. Selecting the preset desensitization rule by the type of the sensitive text makes desensitization more accurate and less error-prone.
In another possible implementation manner, the method further includes:
acquiring binary data of the file;
determining the corresponding relation between each character of the text information in the file and binary data;
when desensitization operation on the sensitive text is detected, replacing binary data corresponding to the sensitive text with preset placeholder characters.
With this technical scheme, the binary data of the file is obtained; it represents the underlying data behind the text information in the file. When desensitization of the sensitive text is detected, the binary data corresponding to the sensitive text is determined and replaced with the preset placeholder characters. This achieves deep desensitization, so the desensitized file is not easy to crack.
In another possible implementation manner, replacing the sensitive text with the desensitized text to obtain a desensitized file includes:
determining a text format corresponding to the sensitive text;
and replacing the sensitive text with the desensitization text according to a text format corresponding to the sensitive text.
With this technical scheme, the text format of the sensitive text is determined, and the sensitive text is replaced with the desensitized text according to that format. The format and layout of the file are the same before and after desensitization, so the desensitized file is not easily distorted and the desensitization effect is improved.
In another possible implementation manner, the method further includes:
generating a desensitization record based on the sensitive text, the desensitized text corresponding to the sensitive text, and the desensitization time;
storing the desensitization record.
With this technical scheme, the file can later be restored from the desensitization record, and the desensitization process can be traced.
In another possible implementation manner, the user information includes a user ID, and the method further includes:
acquiring the operation time of the user operation file, and generating traceability information based on the operation time and user information;
if the file is in a picture format, carrying out encryption calculation on the user ID to obtain a characteristic value of the user ID;
compressing the characteristic value to a preset length byte to obtain an ID compressed value;
if the operation time is within a preset time period, determining the difference value between the operation time and the starting time of the preset time period;
converting the difference value to obtain a time compression value;
obtaining compressed tracing information according to the ID compression value and the time compression value;
determining a preset number of target positions from preset positions of the file;
and writing the compressed tracing information into the target position to obtain a new file.
With this technical scheme, when the user operates on the target file, the electronic device obtains the time of the operation and generates traceability information from the operation time and the user information. A preset number of target positions are determined from the preset positions of the target file, so that the traceability information cannot easily be deleted and is more reliable. The compressed traceability information is written into the target positions to obtain a new target file. Traceability information therefore stays with the target file when it is sent out, which helps the user identify the specific leaker from the traceability information and provide evidence.
The user ID is put through an encryption calculation to obtain its characteristic value, and the characteristic value is compressed to a preset length in bytes to obtain the ID compressed value. When the user's operation time falls within the preset time period, the difference between the operation time and the start time of the preset time period is determined and converted into the time compressed value. Compressing both kinds of information in the traceability information yields smaller traceability information, so that it can be written into smaller picture-format files.
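The compression and write-back steps above, as an added Python example that is not code from the patent. SHA-256 as the "encryption calculation", the 4-byte ID length, the period bounds, whole seconds as the time unit, and least-significant-bit writes at evenly spaced sample offsets are all assumptions chosen for illustration.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Every constant here is an assumption of this example, not a value from the patent.
ID_BYTES = 4                                   # "preset length" of the ID compressed value
PERIOD_START = datetime(2022, 1, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2032, 1, 1, tzinfo=timezone.utc)
TRACE_BYTES = ID_BYTES + 4                     # ID value + 32-bit seconds offset
FIRST_POSITION, STRIDE = 16, 8                 # "preset positions" in the sample buffer


def id_compressed(user_id: str) -> bytes:
    """Characteristic value of the user ID, truncated to the preset length."""
    return hashlib.sha256(user_id.encode("utf-8")).digest()[:ID_BYTES]


def compress_trace(user_id: str, op_time: datetime) -> bytes:
    """ID compressed value followed by the time compressed value."""
    if not PERIOD_START <= op_time < PERIOD_END:
        raise ValueError("operation time is outside the preset time period")
    delta = int((op_time - PERIOD_START).total_seconds())
    return struct.pack(">4sI", id_compressed(user_id), delta)


def target_positions(n_samples: int, count: int) -> list:
    """Pick the first `count` target positions from the preset positions."""
    preset = range(FIRST_POSITION, n_samples, STRIDE)
    if len(preset) < count:
        raise ValueError("picture is too small to hold the traceability information")
    return list(preset[:count])


def embed(samples: bytes, trace: bytes) -> bytes:
    """Write one bit of the trace into the low bit of each target sample."""
    out = bytearray(samples)
    for i, pos in enumerate(target_positions(len(out), len(trace) * 8)):
        bit = (trace[i // 8] >> (7 - i % 8)) & 1
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract(samples: bytes, n_bytes: int = TRACE_BYTES) -> bytes:
    """Read the trace back from the same target positions."""
    value = bytearray(n_bytes)
    for i, pos in enumerate(target_positions(len(samples), n_bytes * 8)):
        value[i // 8] |= (samples[pos] & 1) << (7 - i % 8)
    return bytes(value)


def identify(trace: bytes, candidates: list):
    """Match the truncated ID against known users and recover the time.

    The ID value is a truncated hash, so it cannot be inverted; tracing means
    comparing against the organisation's own user list, and a short preset
    length raises the chance that two users share a value.
    """
    id_value, delta = struct.unpack(">4sI", trace)
    matches = [u for u in candidates if id_compressed(u) == id_value]
    return matches, PERIOD_START + timedelta(seconds=delta)


if __name__ == "__main__":
    # Constructed stand-in for decoded pixel samples of a picture file.
    pixels = bytes((i * 37) % 256 for i in range(1024))
    when = datetime(2022, 8, 25, 9, 30, tzinfo=timezone.utc)
    stamped = embed(pixels, compress_trace("u-1001", when))
    print(identify(extract(stamped), ["u-1000", "u-1001", "u-1002"]))
```

Low-bit marks like these do not survive re-encoding or resizing of the picture, so the choice of preset positions decides how robust the trace is in practice.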
In a second aspect, the present application provides a device for encrypting and decrypting a file, which adopts the following technical solutions:
an apparatus for encrypting and decrypting a file, comprising:
the information acquisition module is used for acquiring user information;
the file processing device comprises a first transmission module, a first storage module and a second transmission module, wherein the first transmission module is used for transmitting a file from a storage medium to a native file system when an opening instruction of the file triggered by a user is detected;
the type judging module is used for judging the file type of the file, and the file type comprises an encrypted file and an unencrypted file;
the first deployment module is used for deploying the file from a native file system to an upper-layer application when the file belongs to an unencrypted file;
the second transmission module is used for transmitting the file from the native file system to the encrypted file system when the file is an encrypted file;
the authority judging module is used for determining whether the user has the access right based on the user information;
and the second deployment module is used for decrypting the file in the encrypted file system and deploying the decrypted file to the upper-layer application when the user has the access right.
With this technical scheme, the information acquisition module obtains the user information so that the user's permission for the file can be determined later. When a user-triggered instruction to open a file is detected, the first transmission module transmits the file stored in the storage medium to the native file system, so that the file can be managed. Once the file is in the native file system, the type judging module determines its type. If the file is unencrypted, it does not need to be decrypted, and the first deployment module deploys it directly to the upper-layer application, which outputs the file. If the file is encrypted, it must be decrypted before the user can view it. The second transmission module transmits the encrypted file to the encrypted file system, and the authority judging module determines from the user information whether the user has the access right to the file. If the user has the access right, the second deployment module decrypts the file in the encrypted file system and deploys the decrypted file to the upper-layer application, which outputs it. Because the file is decrypted by the encrypted file system, decryption is completed at the driver layer, which saves resources compared with calling a decryption program across processes.
In another possible implementation manner, the apparatus further includes:
the establishing module is used for establishing an operation sandbox corresponding to the file;
and the output module is used for controlling the running sandbox to output the file according to the control authority corresponding to the file.
In another possible implementation manner, the apparatus further includes:
the identification module is used for identifying sensitive text in the text information of the file when a user-triggered desensitization instruction for the file is detected and the file is a document;
the rule determining module is used for determining the preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text;
the text determination module is used for determining the desensitized text corresponding to the sensitive text based on the preset desensitization rule and the sensitive text;
and the first replacing module is used for replacing the sensitive text with the desensitized text to obtain a desensitized file.
In another possible implementation manner, the apparatus further includes:
the data acquisition module is used for acquiring binary data of the file;
the relation determining module is used for determining the corresponding relation between each character of the text information in the file and the binary data;
and the second replacement module is used for replacing the binary data corresponding to the sensitive text with the preset placeholder character when the desensitization operation on the sensitive text is detected.
In another possible implementation manner, when replacing the sensitive text with the desensitized text to obtain a desensitized file, the first replacing module is specifically configured to perform:
determining a text format corresponding to the sensitive text;
and replacing the sensitive text with the desensitized text according to the text format corresponding to the sensitive text to obtain a desensitized file.
In another possible implementation manner, the apparatus further includes:
the record generating module is used for generating desensitization records based on the sensitive texts, desensitization texts corresponding to the sensitive texts and desensitization time;
a record storage module for storing the desensitization record.
In another possible implementation manner, the user information includes a user ID, and the apparatus further includes:
the time acquisition module is used for acquiring the operation time of the user operation file and generating traceability information based on the operation time and the user information;
the encryption calculation module is used for carrying out encryption calculation on the user ID to obtain a characteristic value of the user ID when the file is in a picture format;
the first compression module is used for compressing the characteristic value to a preset length byte to obtain an ID compression value;
a difference value determining module, configured to determine a difference value between the operation time and a start time of a preset time period when the operation time is within the preset time period;
the conversion module is used for converting the difference value to obtain a time compression value;
a traceability information determining module, configured to determine compressed traceability information according to the ID compression value and the time compression value;
the position determining module is used for determining a preset number of target positions from preset positions of the file;
and the writing module is used for writing the compressed tracing information into the target position to obtain a new file.
In a third aspect, the present application provides an electronic device, which adopts the following technical solutions:
an electronic device, comprising:
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more application programs being configured to perform the file encryption and decryption method according to any one of the possible implementation manners of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium, which adopts the following technical solutions:
a computer-readable storage medium, which, when executed in a computer, causes the computer to perform a method of encrypting and decrypting a file according to any one of the first aspect.
In a fifth aspect, the present application provides a desensitization method, which adopts the following technical scheme:
a method of desensitization comprising:
when a desensitization instruction triggered by a user and about a file is detected, and the file belongs to a document, identifying sensitive text in text information of the file;
determining a preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text;
determining desensitization texts corresponding to the sensitive texts based on the preset desensitization rules and the sensitive texts;
and replacing the sensitive text with the desensitized text to obtain a desensitized file.
With this technical scheme, if the file is a document and a user-triggered desensitization instruction for the file is detected, the user needs the file to be desensitized. The sensitive text in the file is identified, and the corresponding preset desensitization rule is determined according to the content type of the sensitive text. The sensitive text is desensitized according to that rule to obtain the desensitized text, and the sensitive text is then replaced with the desensitized text to obtain a desensitized file. Selecting the preset desensitization rule by the type of the sensitive text makes desensitization more accurate and less error-prone.
In another possible implementation manner, the method further includes:
acquiring binary data of the file;
determining the corresponding relation between each character of the text information in the file and binary data;
when desensitization operation on the sensitive text is detected, replacing binary data corresponding to the sensitive text with preset placeholder characters.
With this technical scheme, the binary data of the file is obtained; it represents the underlying data behind the text information in the file. When desensitization of the sensitive text is detected, the binary data corresponding to the sensitive text is determined and replaced with the preset placeholder characters. This achieves deep desensitization, so the desensitized file is not easy to crack.
In another possible implementation manner, the method further includes:
determining a text format corresponding to the sensitive text;
and replacing the sensitive text with the desensitized text according to the text format corresponding to the sensitive text.
With this technical scheme, the text format of the sensitive text is determined, and the sensitive text is replaced with the desensitized text according to that format. The format and layout of the file are the same before and after desensitization, so the desensitized file is not easily distorted and the desensitization effect is improved.
In another possible implementation manner, the method further includes:
generating a desensitization record based on the sensitive text, the desensitized text corresponding to the sensitive text, and the desensitization time;
storing the desensitization record.
With this technical scheme, the file can later be restored from the desensitization record, and the desensitization process can be traced.
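The desensitization steps described in the first and fifth aspects (identify sensitive text, select a rule by content type, replace in place, keep a record for restoration), as an added Python example that is not code from the patent. The content types, regular expressions, masking rules and record fields are assumptions, and keeping the replacement the same length stands in for the "text format" the patent preserves.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Content types and patterns are assumptions for this example; the patent
# only refers to "preset desensitization rules" chosen by content type.
PATTERNS = {
    "phone": re.compile(r"(?<!\d)1\d{10}(?!\d)"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "id_number": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),
}


def _mask_middle(value: str, keep_head: int, keep_tail: int) -> str:
    """Replace the middle with '*' while keeping the overall length."""
    hidden = len(value) - keep_head - keep_tail
    if hidden <= 0:
        return "*" * len(value)
    return value[:keep_head] + "*" * hidden + value[len(value) - keep_tail:]


def _mask_email(value: str) -> str:
    local, at, domain = value.partition("@")
    return _mask_middle(local, 1, 0) + at + domain


# One preset rule per content type.
RULES = {
    "phone": lambda v: _mask_middle(v, 3, 4),
    "email": _mask_email,
    "id_number": lambda v: _mask_middle(v, 6, 4),
}


@dataclass(frozen=True)
class DesensitizationRecord:
    content_type: str
    offset: int
    sensitive_text: str      # the original value: the record store needs
    desensitized_text: str   # at least the protection the source file had
    time: str


def desensitize(text: str, now: datetime = None):
    """Return (desensitized text, records) for every sensitive span found."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for ctype, pattern in PATTERNS.items():
        hits.extend((m.start(), m.end(), ctype) for m in pattern.finditer(text))
    hits.sort()
    out, records, cursor = [], [], 0
    for start, end, ctype in hits:
        if start < cursor:           # overlaps a span that was already masked
            continue
        original = text[start:end]
        masked = RULES[ctype](original)
        if len(masked) != len(original):
            raise ValueError(f"rule for {ctype} changed the text length")
        out += [text[cursor:start], masked]
        records.append(DesensitizationRecord(
            ctype, start, original, masked, now.isoformat()))
        cursor = end
    out.append(text[cursor:])
    return "".join(out), records


def restore(masked_text: str, records) -> str:
    """Rebuild the original text from the stored desensitization records."""
    chars = list(masked_text)
    for r in records:
        end = r.offset + len(r.desensitized_text)
        if masked_text[r.offset:end] != r.desensitized_text:
            raise ValueError("record does not match this file")
        chars[r.offset:end] = r.sensitive_text
    return "".join(chars)


# Constructed sample input; none of these values belong to a real person.
SAMPLE = ("Contact Zhang: 13812345678, zhang.san@example.com, "
          "ID 110101199003071234.")

if __name__ == "__main__":
    masked, recs = desensitize(SAMPLE)
    print(masked)
    print(restore(masked, recs) == SAMPLE)
```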
In a sixth aspect, the present application provides a desensitizing device, which adopts the following technical scheme:
a desensitizing apparatus, comprising:
the identification module is used for identifying sensitive text in the text information of the file when a user-triggered desensitization instruction for the file is detected and the file is a document;
the rule determining module is used for determining the preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text;
the text determination module is used for determining the desensitized text corresponding to the sensitive text based on the preset desensitization rule and the sensitive text;
and the first replacing module is used for replacing the sensitive text with the desensitized text to obtain a desensitized file.
With this technical scheme, if the file is a document and a user-triggered desensitization instruction for the file is detected, the user needs the file to be desensitized. The identification module identifies the sensitive text in the file, and the rule determining module determines the corresponding preset desensitization rule according to the content type of the sensitive text. The text determination module desensitizes the sensitive text according to that rule to obtain the desensitized text, and the first replacing module replaces the sensitive text with the desensitized text to obtain a desensitized file. Selecting the preset desensitization rule by the type of the sensitive text makes desensitization more accurate and less error-prone.
In another possible implementation manner, the apparatus further includes:
the data acquisition module is used for acquiring binary data of the file;
the relation determining module is used for determining the corresponding relation between each character of the text information in the file and binary data;
and the second replacement module is used for replacing the binary data corresponding to the sensitive text with the preset placeholder character when the desensitization operation on the sensitive text is detected.
In another possible implementation manner, when replacing the sensitive text with the desensitized text to obtain a desensitized file, the first replacing module is specifically configured to perform:
determining a text format corresponding to the sensitive text;
and replacing the sensitive text with the desensitized text according to the text format corresponding to the sensitive text to obtain a desensitized file.
In another possible implementation manner, the apparatus further includes:
the record generating module is used for generating desensitization records based on the sensitive texts, desensitization texts corresponding to the sensitive texts and desensitization time;
a record storage module for storing the desensitization record.
In a seventh aspect, the present application provides an electronic device, which adopts the following technical solutions:
an electronic device, comprising:
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more application programs being configured to perform the desensitization method according to any one of the possible implementation manners of the fifth aspect.
In an eighth aspect, the present application provides a computer-readable storage medium, which adopts the following technical solutions:
a computer readable storage medium, which when executed in a computer, causes the computer to perform a desensitization method according to any of the fifth aspects.
In summary, the present application includes at least one of the following beneficial technical effects:
1. User information is obtained so that the user's permission for the file can be determined later. When a user-triggered instruction to open a file is detected, the file stored in the storage medium is transmitted to the native file system, so that the file can be managed. Once the file is in the native file system, its type is determined. If the file is unencrypted, it does not need to be decrypted and is deployed directly to the upper-layer application, which outputs the file. If the file is encrypted, it must be decrypted before the user can access and view it. The encrypted file is transmitted to the encrypted file system, and whether the user has the access right to the file is determined from the user information. If the user has the access right, the encrypted file system decrypts the file, and the decrypted file is deployed to the upper-layer application, which outputs it. Because the file is decrypted by the encrypted file system, decryption is completed at the driver layer, which saves resources compared with calling a decryption program across processes.
2. If the file is a document and a user-triggered desensitization instruction for the file is detected, the user needs the file to be desensitized. The sensitive text in the file is identified, and the corresponding preset desensitization rule is determined according to the content type of the sensitive text. The sensitive text is desensitized according to that rule to obtain the desensitized text, and the sensitive text is then replaced with the desensitized text to obtain a desensitized file. Selecting the preset desensitization rule by the type of the sensitive text makes desensitization more accurate and less error-prone.
Drawings
Fig. 1 is a schematic flowchart of a file encryption and decryption method according to an embodiment of the present application.
Fig. 2 is a schematic flow diagram of a desensitization method according to an embodiment of the present application.
Fig. 3 is a schematic structural diagram of a file encryption and decryption apparatus according to an embodiment of the present application.
Fig. 4 is a schematic structural view of a desensitizing apparatus according to an embodiment of the present application.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application is described in further detail below with reference to the attached drawings.
A person skilled in the art, after reading the present specification, may make modifications to the present embodiments as necessary without inventive contribution, but such modifications are protected by patent law only within the scope of the claims of the present application.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In addition, the term "and/or" herein only describes an association relationship between associated objects and means that three kinds of relationships may exist. For example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship, unless otherwise specified.
The embodiments of the present application will be described in further detail with reference to the drawings attached hereto.
The embodiment of the application provides a file encryption and decryption method, which is executed by an electronic device. The electronic device can be a server or a terminal device. The server can be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services. The terminal device may be a smart phone, a tablet computer, a notebook computer, a desktop computer, and the like, but is not limited thereto. The terminal device and the server may be directly or indirectly connected through wired or wireless communication, and the embodiment of the present application is not limited thereto. As shown in Fig. 1, the method includes:
S101, obtaining user information.
For the embodiment of the present application, the user information may be related information about the user, such as a user ID, a user name, a user rating, and the like, which is input by the user through an input device such as a keyboard, a mouse, a touch screen, and the like. The electronic equipment acquires the user information, so that the specific situation of the user can be known conveniently.
S102, when an opening instruction of the file triggered by a user is detected, the file is transmitted to the native file system from the storage medium.
For the embodiment of the application, the file opening instruction triggered by the user may be a click instruction triggered by the user through a mouse, a keyboard and a touch screen. After the electronic device detects an instruction for opening a file, it indicates that a user needs to view the file or perform other operations. In order to enable a user to view or operate the file, the electronic device transmits the file stored in the storage medium to the native file system, and the file is managed by the native file system.
S103, judging the file type of the file, wherein the file type comprises an encrypted file and an unencrypted file.
For the embodiment of the application, when the user downloads the file, the electronic device judges the target file, detects the type of the target file, and performs different operations according to different file types of the target file. The file type of the target file can be judged through the electronic tag of the target file, and if the electronic tag of the target file contains the encrypted related information, the target file is an encrypted file. Assuming that the file downloaded by the user A is the file A, the electronic device judges the file A and determines the file type of the file A so as to facilitate different subsequent operations on the file.
S104, if the file belongs to the unencrypted file, deploying the file from the native file system to an upper-layer application.
For the embodiment of the application, if the electronic tag of the target file does not have the relevant encrypted information, it indicates that the target file is not encrypted. When the electronic equipment detects that the file type of the target file is an unencrypted file, the target file does not need to be encrypted, and the electronic equipment only needs to control the target file to display the authority corresponding to the user. Taking step S103 as an example, assuming that the file a belongs to an unencrypted file and the user a has only read permission for the file a, the electronic device directly controls the file a to display the read permission for the user a. After the electronic device transmits the target file to the native file system, the target file is allocated to an upper layer application such as a Word application program through an I/O manager, an API (application program interface) and the like in the electronic device to be output.
S105, if the file belongs to the encrypted file, transmitting the file from the native file system to the encrypted file system.
For the embodiment of the application, it is assumed that the file a belongs to an encrypted file, and it is stated that the content of the file a cannot be directly accessed and viewed by the user a, and the electronic device is required to decrypt the file a, so that the user can view the content in the encrypted file conveniently. In the embodiment of the present application, the access request for the file may also be forwarded to the encrypted file system for processing.
Since the file A is an encrypted file, the encrypted file is transmitted to the encrypted file system, and data is transmitted between the encrypted file system and the native file system in a bidirectional mode. Compared with the method for creating a new decryption process, the method for encrypting and decrypting the file in the encrypted file system saves resources of the electronic equipment.
S106, judging whether the user has the access authority based on the user information.
For the embodiment of the application, the user information includes information on whether the user has the access right to the target file, and information such as the access right of the target file is stored in the electronic tag of the target file. In the encrypted file system, the electronic device judges whether the access-right information in the user information includes the access right for the target file, thereby determining whether the user has the access right to the target file.
S107, if the user has the access authority, decrypting the file in the encrypted file system and deploying the decrypted file to an upper-layer application.
For the embodiment of the application, the electronic device judges that the user has the access right, and indicates that the user has the right to view the decrypted target file. In the encrypted file system, the electronic device can determine a corresponding decryption mode through encryption-related information such as an encryption algorithm, an encryption mode and the like recorded in an electronic tag of a target file, so as to decrypt the target file, and finally allocate the decrypted target file to an upper application so as to facilitate the user to view.
Because the file is decrypted by the encrypted file system, the decryption can be completed at the driver layer and the decrypted file is allocated to an upper-layer application, which saves resources compared with calling a decryption program across processes.
In the embodiment of the application, applications can be further classified, for example, a notepad is determined as an untrusted application, and a Word document and an Excel table are determined as trusted applications. When the electronic equipment detects an opening instruction triggered by a user, whether the application opened by the user is a trusted application or not is identified through API (application programming interface) interception processing and security policy service calling, if the application is an untrusted process, encryption and decryption service is not provided, and the file is directly transmitted to a native file system from a storage medium and allocated to the untrusted application opened by the user.
If the application is a trusted application, the electronic equipment redirects read-write and other access operations to the encrypted file system, and the encrypted file system provides transparent encryption and decryption service and content access right control.
Assuming that a user has write access to an encrypted file, data input by the user reaches an encrypted file system through a system API (application program interface), an IO (input output) manager, a file filter driver and the like, and in the encrypted file system, encryption related services are called to encrypt the data and transmit the encrypted data to a native file system so as to write the encrypted data into a physical disk.
In a possible implementation manner of the embodiment of the present application, the method further includes step S108 (not shown in the figure) and step S109 (not shown in the figure), wherein step S108 may be executed simultaneously with step S102, or may be executed after step S102, wherein,
S108, establishing a running sandbox corresponding to the file.
For the embodiment of the application, the running sandbox is a virtual system program. The file is run in the sandbox environment, and changes generated during running can be deleted after the sandbox is closed. Because the running sandbox creates an independent working environment, files running inside it cannot permanently affect the hard disk. The file is run in this isolated environment, the kind of tool used to test the behavior of untrusted files or application programs, so that the file is safer and the possibility of disclosure is reduced.
S109, controlling the running sandbox to output the file according to the control authority corresponding to the file.
For the embodiment of the application, after the electronic device detects a file opening instruction triggered by a user, a process-level operation sandbox is created, and the file is operated in the operation sandbox according to the authority corresponding to the file. For example, the file a only has read-only permission, and after the electronic device creates the running sandbox corresponding to the file a, the running sandbox only outputs the file a with read-only permission. Therefore, the situations of information leakage and the like are not easy to occur in the running process of the file.
In a possible implementation manner of the embodiment of the present application, the method further includes step S110, step S111, step S112, and step S113, where step S110 may be executed after step S102, where,
S110, when a desensitization instruction about the file triggered by a user is detected and the file belongs to the document, identifying sensitive text in the text information of the file.
For the present embodiment, if the file is a document-type file, its information is primarily described in text, and thus the user may need to perform desensitization encryption on the information in the file. When the electronic device detects a desensitization instruction about the file triggered by the user, this indicates that the user needs to desensitize the file. The electronic device can extract the text information in the file and obtain the words in the file by sliding a window of a preset length over the text. The text information can be input into a trained neural network model for word recognition to obtain at least one word. The text information can also be processed through an LSTM network model and a CRF (conditional random field) to obtain words and the types corresponding to the words. For example, the text may be looked up in a preset country name library to determine whether a country name exists in the text information. Whether a string of Arabic numerals in the text information conforms to the format of an identity card number is determined; if so, an identity card number exists in the text information. Whether a character string conforms to the format of a mobile phone number is judged; if so, a mobile phone number exists in the text information. The name of a person can also be determined from the text information through natural language processing (NLP).
S111, determining a preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text.
For the embodiment of the application, the corresponding desensitization rules are different because the sensitive texts are different in type. Therefore, the corresponding preset desensitization rule is determined through the type of the sensitive text, so that errors are not easy to occur in the desensitization process, and the desensitization process is more accurate.
S112, determining desensitization texts corresponding to the sensitive texts based on the preset desensitization rules and the sensitive texts.
For the embodiment of the application, assume that the sensitive text is a country name; the electronic device desensitizes it according to the desensitization rule corresponding to country names. The name of the country is replaced by "a country", and "a country" is the desensitization text. If the sensitive text is the name of a person, the electronic device desensitizes it according to the desensitization rule corresponding to person names and replaces the name with the surname plus "certain". For example, the sensitive text is "zhangsan" and the corresponding desensitization text is "zhangao". Assuming that the sensitive text is an identification number, the electronic device can replace the middle 8 characters of the identification number with a special symbol, thereby achieving the desensitization effect. For example, the middle 8 Arabic numerals are all replaced by "".
S113, replacing the sensitive text with the desensitization text to obtain a desensitized file.
For the embodiment of the application, after the electronic device determines the desensitization texts corresponding to all sensitive texts in the text information, the sensitive texts are replaced with the desensitization texts at the positions of the sensitive texts, so that the desensitized file is obtained.
In a possible implementation manner of the embodiment of the present application, the method further includes step S114 (not shown), step S115 (not shown), and step S116 (not shown), where step S114 may be executed after step S110, or may be executed simultaneously with step S110, where,
S114, obtaining binary data of the file.
For the embodiment of the present application, in order to achieve deeper desensitization, if the file is a document, the electronic device obtains binary data corresponding to the text information in the file.
S115, determining the corresponding relation between each character of the text information in the file and the binary data.
For the embodiment of the application, after acquiring the binary data, the electronic device generates the corresponding relationship between each word and the corresponding binary data according to the position arrangement of each word in the text information and the binary data corresponding to the length of each word in the binary data.
S116, when the desensitization operation on the sensitive text is detected, replacing binary data corresponding to the sensitive text with preset placeholder characters.
For the embodiment of the application, when a desensitization instruction triggered by a user is detected, the binary data corresponding to the sensitive text is replaced by using a preset placeholder. For example, if country A is replaced with "a country" in the document, the binary data corresponding to country A is replaced with the binary data corresponding to "a country". Therefore, double-layer desensitization of the file and of the binary data at the bottom layer of the file is realized, the desensitized file is not easy to restore, and the file is safer.
In a possible implementation manner of the embodiment of the present application, step S113 of replacing the sensitive text with the desensitization text to obtain the desensitized file specifically includes step S1131 (not shown in the figure) and step S1132 (not shown in the figure), wherein,
S1131, determining a text format corresponding to the sensitive text.
For the embodiment of the application, when the electronic device desensitizes the sensitive text, the text format of the sensitive text is temporarily stored. For example, the text format of country A is "bold, four, bold", and the electronic device temporarily stores the text format.
S1132, replacing the sensitive text with the desensitization text according to the text format corresponding to the sensitive text.
For the embodiment of the present application, taking step S112 as an example, the electronic device determines that the desensitization text corresponding to country A is "a country". The electronic device generates "a country" in the "bold, four, plus bold" format and uses it to replace country A. Therefore, the desensitized file is kept consistent with the typesetting layout of the original file, and the file is not easily distorted.
In a possible implementation manner of the embodiment of the present application, the method further includes step S117 (not shown in the figure) and step S118 (not shown in the figure), wherein,
S117, generating desensitization records based on the sensitive texts, the desensitization texts corresponding to the sensitive texts and the desensitization time.
For the present embodiment, assume that the sensitive text is country A, the corresponding desensitization text is "a country", and the time of desensitization is 8:00 on July 10, 2022. The electronic device determines the correspondence of the three and generates a desensitization record from them.
S118, storing desensitization records.
For the embodiment of the application, after the desensitization record is determined by the electronic device, the desensitization record is stored, and the electronic device can store the desensitization record in a local storage medium or a cloud server, so that a subsequent administrator can call the desensitization record for checking conveniently. And when a restoring instruction triggered by a user is detected, restoring the file according to the desensitization record corresponding to the file, so that the accuracy of restoration is ensured.
In this embodiment of the application, when detecting an instruction triggered by the user for restoring the desensitization text, the electronic device may further restore the desensitization text in the file to the text before desensitization according to the desensitization record. Furthermore, the restored sensitive text can be highlighted; for example, the restored sensitive text can be underlined, bolded, or highlighted with a preset color, so that it is convenient for users to view.
Further, when the desensitization text is restored, the user authority can be determined according to the user information. The user right may be a right allowing desensitization restoration of a certain type of information, for example, the user a only has a right to desensitize restoration of sensitive text of a country name, and the user B only has a right to desensitize restoration of sensitive text of an identification number type.
The electronic device may also generate a copy document of the file when performing a desensitization restore operation, the document supporting only viewing and not overwriting editing. And the electronic equipment controls to display the copy document, and the personnel only view the information in the desensitized document through the copy document. When the electronic equipment detects a screen capturing instruction or a downloading instruction triggered by a person, the screen capturing instruction or the downloading instruction is intercepted, so that the person cannot propagate the content in the document. The electronic equipment can also determine the authority for generating the copy document according to the user authority, for example, if the user only has read authority, the document copy only having read authority is generated, if the user has read and write authority, the document copy having read and write authority is generated, and if the user has read, write and download authority, the document copy having read, write and download authority is generated. The electronic device can also determine whether to generate the copy document according to the user authority, that is, when the user has higher authority, such as editing and downloading, the electronic device directly displays the original document so as to be convenient for the user to view.
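The desensitization flow of steps S110 to S113, the desensitization record of steps S117 and S118, and the type-scoped restoration described above can be sketched as follows. This is an added example, not code from the application; the country library, the 18-character ID number pattern, the "*" mask symbol, the centered reading of "middle 8", and all function and field names are assumptions, and the sample text is constructed.

```python
import re
from datetime import datetime

# Constructed sample input; the ID number is a made-up digit string.
SAMPLE_TEXT = ("Visitor from Country A, ID 123456789012345678, "
               "later moved to Atlantis.")

COUNTRY_LIBRARY = {"Country A", "Atlantis"}            # assumed preset name library
ID_NUMBER = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")   # assumed 18-character format
MASK = "*"                                             # assumed special symbol


def find_sensitive(text):
    """S110: return non-overlapping (start, end, type) spans, left to right."""
    spans = [(m.start(), m.end(), "id_number") for m in ID_NUMBER.finditer(text)]
    for name in COUNTRY_LIBRARY:
        spans += [(m.start(), m.end(), "country")
                  for m in re.finditer(re.escape(name), text)]
    spans.sort()
    kept, last_end = [], 0
    for start, end, kind in spans:
        if start >= last_end:          # drop a span that overlaps an earlier one
            kept.append((start, end, kind))
            last_end = end
    return kept


def mask_middle8(value):
    """ID number rule: replace the 8 characters centered in the string."""
    start = (len(value) - 8) // 2
    return value[:start] + MASK * 8 + value[start + 8:]


# S111: the content type selects the preset desensitization rule.
RULES = {"country": lambda value: "a country", "id_number": mask_middle8}


def desensitize(text, now):
    """S112, S113 and S117: replace each span and write one record per span."""
    out, records, cursor, out_len = [], [], 0, 0
    for start, end, kind in find_sensitive(text):
        original = text[start:end]
        replacement = RULES[kind](original)
        out.append(text[cursor:start])
        out_len += start - cursor
        # The offset is measured in the desensitized text, which is what a
        # later restore operation will be given.
        records.append({"type": kind, "sensitive": original,
                        "desensitized": replacement, "time": now,
                        "offset": out_len})
        out.append(replacement)
        out_len += len(replacement)
        cursor = end
    out.append(text[cursor:])
    return "".join(out), records


def restore(desensitized, records, allowed_types):
    """Restore only the record types the user may restore. Records are applied
    right to left so the offsets of records further left stay valid."""
    text = desensitized
    for rec in sorted(records, key=lambda r: r["offset"], reverse=True):
        if rec["type"] not in allowed_types:
            continue
        end = rec["offset"] + len(rec["desensitized"])
        if text[rec["offset"]:end] != rec["desensitized"]:
            raise ValueError("file no longer matches its desensitization record")
        text = text[:rec["offset"]] + rec["sensitive"] + text[end:]
    return text


if __name__ == "__main__":
    masked, log = desensitize(SAMPLE_TEXT, datetime(2022, 7, 10, 8, 0))
    print(masked)
    print(restore(masked, log, {"country"}))
```

The stored record contains the original sensitive text, so the record store needs at least the same access control as the unmasked file.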
In a possible implementation manner of the embodiment of the present application, the user information includes a user ID, the method further includes step S119 (not shown in the figure), step S120 (not shown in the figure), step S121 (not shown in the figure), step S122 (not shown in the figure), step S123 (not shown in the figure), step S124 (not shown in the figure), step S125 (not shown in the figure), and step S126 (not shown in the figure), wherein the step S119 may be executed simultaneously with the step S102 or after the step S102, wherein,
S119, obtaining the operation time at which the user operates the file, and generating the tracing information based on the operation time and the user information.
For the embodiment of the application, the operation of the user includes downloading, reading, writing and other operations. The tracing information is the use record of the downloading, use and propagation process of the target file. In order to keep the usage record of the target file, for example, when the user downloads the target file, the electronic device obtains the operation time at which the user downloads the target file, and the operation time can be accurate to the hour. The tracing information is generated according to the operation time of the user and the user information. Assuming that the target file is file A and that user A downloads file A at 8:00 on July 10, 2022, the tracing information includes the information of user A and 8:00 on July 10, 2022.
S120, if the file is in a picture format, encrypting the user ID to obtain a characteristic value of the user ID.
For the embodiment of the application, the size of a picture format file is fixed and cannot be increased, and if the picture format file is too small, the traceability information is not easily added to it, so the smaller the traceability information is, the easier it is to hide in the picture format file. Therefore, when the electronic device detects that the target file is in the picture format, it compresses the traceability information to obtain the compressed traceability information. Taking step S119 as an example, when file A is a file in a picture format, the electronic device compresses the information of user A and 8:00 on July 10, 2022 to obtain the compressed tracing information.
Assuming that the ID of user A is "zhang san", the encryption calculation may encrypt the user ID with a digest algorithm; for example, the electronic device applies the digest algorithm to "zhang san" to obtain the characteristic value "615db57aa314529aaa0fbe95b3e95bd3" of "zhang san".
S121, compressing the characteristic value to bytes of a preset length to obtain an ID compressed value.
For the embodiment of the present application, taking step S120 as an example, the electronic device selects a character segment of a preset length starting from a preset character position in the characteristic value to obtain the ID compression value. Assuming that the preset position is the third character and the preset length is 4 characters, the electronic device determines "5db5" to characterize "zhang san". Further, "5db5" is converted into binary data to obtain "0101110110110101", and this binary data is the ID compression value.
S122, if the operation time is within the preset time period, determining the difference between the operation time and the start time of the preset time period.
For the embodiment of the present application, the preset time period is a time period set in advance. Assume that the preset time period is from 0:00 on July 10, 2022 to 0:00 on July 10, 2029, i.e., seven years from the start of the download time. Suppose that user A operates the file at 8:00 on July 10, 2022; the operation time is within the preset time period, and the difference between the operation time of user A, 8:00 on July 10, 2022, and the start time of the preset time period, 0:00 on July 10, 2022, is 8 hours.
S123, converting the difference value to obtain a time compression value.
For the present embodiment, the time difference value may be compressed into 2 bytes, i.e., 16 bits; that is, 8 hours is converted into "0000000000001000", which is the time compression value. The time when the user operated the file can be determined from the time compression value and the download time of the file. That is, "0000000000001000" is converted into a decimal number to obtain "8", and the download time is 0:00 on July 10, 2022, so the operation time can be determined as 8:00 on July 10, 2022.
S124, obtaining the compressed tracing information according to the ID compression value and the time compression value.
For the embodiment of the present application, taking steps S123 and S125 as an example, the binary data corresponding to "5db5" and the binary data corresponding to 8 hours constitute the compressed tracing information, and the length of the tracing information is 4 bytes.
S125, determining a preset number of target positions from the preset positions of the file.
For the embodiment of the application, in order to further prevent the tracing information from being cracked and deleted easily, a preset number of target positions are determined in a plurality of preset positions of the target file, and the tracing information is written in the target positions.
The preset positions and the preset number may be set by the number of pixels of the picture, for example, a plurality of pixel intervals are divided, and each interval may correspond to a plurality of preset positions and the preset number. Taking step S120 as an example, when the file a is a 288-pixel picture, the corresponding interval is [200, 400], the number of the preset positions corresponding to the interval is 100, and the corresponding preset number is 32. That is, the electronic device will select 32 target positions from 100 preset positions.
The target position may be determined by random extraction, by numbering preset positions, by sequentially using the preset positions, or by other methods capable of determining the target position.
S126, writing the compressed tracing information into a target position to obtain a new file.
For the embodiment of the present application, taking step S125 as an example, each part of the compressed tracing information is written into 32 target locations of the file a, respectively, so as to obtain a new file a.
Taking the pixel gray value of the picture as an example, after the target position is determined, assume that the pixel gray value at the target position is an 8-bit binary number whose lowest bit is "1". The electronic device selects the lowest bit of the 8-bit binary number and modifies it into the corresponding binary data in the tracing information. Taking step S123 as an example, the highest bit of the tracing information is "0", so the electronic device rewrites the lowest bit "1" of the 8-bit binary number to "0". Since the gray value is only reduced by 1, the influence on the color of the picture is small. Each bit of the tracing information is written into the picture format file in this manner; after the writing is completed, the difference between the pictures before and after writing is small, and the tracing information is not easily found and cracked by other people. In the embodiment of the application, after the target positions for writing the tracing information are determined, the electronic device further establishes and stores the correspondence between each piece of tracing information and its target position, so that the tracing information can be conveniently restored according to the correspondence.
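Steps S120 to S126 can be followed end to end with the values given above ("5db5", 8 hours, 32 target positions out of 100). This is an added example, not code from the application; the MD5 digest, the seeded random draw, the flat list of gray values standing in for a picture, and all function names are assumptions, and the picture and preset positions are constructed.

```python
import hashlib
import random
from datetime import datetime, timedelta

# Values taken from the worked example in the text.
PAGE_FEATURE = "615db57aa314529aaa0fbe95b3e95bd3"   # characteristic value, S120
PERIOD_START = datetime(2022, 7, 10, 0, 0)          # preset time period, S122
PERIOD_END = datetime(2029, 7, 10, 0, 0)
ID_START, ID_LEN = 3, 4    # third character, four characters (S121)


def feature_value(user_id):
    """S120. Assumption: the text names no digest; MD5 is used here only
    because the sample characteristic value is 32 hex characters long."""
    return hashlib.md5(user_id.encode("utf-8")).hexdigest()


def id_bits(feature_hex):
    """S121: cut the preset segment out of the digest and expand it to bits."""
    segment = feature_hex[ID_START - 1:ID_START - 1 + ID_LEN]
    return format(int(segment, 16), "0%db" % (4 * ID_LEN))


def time_bits(op_time):
    """S122 and S123: whole hours since the period start, packed into 2 bytes."""
    if not PERIOD_START <= op_time <= PERIOD_END:
        raise ValueError("operation time outside the preset time period")
    hours = int((op_time - PERIOD_START).total_seconds() // 3600)
    # The seven-year period is 61,368 hours, which stays below 2**16.
    if hours >= 1 << 16:
        raise ValueError("difference does not fit in 16 bits")
    return format(hours, "016b")


def trace_bits(feature_hex, op_time):
    """S124: 16 ID bits followed by 16 time bits, 4 bytes in total."""
    return id_bits(feature_hex) + time_bits(op_time)


def choose_targets(preset_positions, count, rng):
    """S125: draw distinct target positions; their order is the bit order and
    is the stored correspondence needed to read the bits back."""
    if count > len(preset_positions):
        raise ValueError("not enough preset positions")
    return rng.sample(preset_positions, count)


def embed(pixels, bits, targets):
    """S126: overwrite the lowest bit of each target gray value with one bit."""
    out = list(pixels)
    for bit, pos in zip(bits, targets):
        out[pos] = (out[pos] & 0xFE) | int(bit)
    return out


def extract(pixels, targets):
    """Read the bits back through the stored correspondence."""
    return "".join(str(pixels[pos] & 1) for pos in targets)


def decode(bits):
    """Split the 32 bits into the ID segment and the operation time."""
    segment = format(int(bits[:16], 2), "04x")
    op_time = PERIOD_START + timedelta(hours=int(bits[16:], 2))
    return segment, op_time


def demo():
    rng = random.Random(2022)       # fixed seed so the constructed run repeats
    pixels = [rng.randrange(256) for _ in range(288)]   # constructed gray values
    presets = list(range(0, 200, 2))                    # 100 constructed positions
    bits = trace_bits(PAGE_FEATURE, datetime(2022, 7, 10, 8, 0))
    targets = choose_targets(presets, len(bits), rng)
    return pixels, embed(pixels, bits, targets), targets, bits


if __name__ == "__main__":
    pixels, marked, targets, bits = demo()
    print(bits, decode(extract(marked, targets)))
```

A 16-bit ID value narrows a candidate list rather than identifying one user, because truncated digests of a few hundred users are likely to collide. The lowest-bit marks also survive only lossless copies of the picture.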
In the embodiment of the application, if the file is a document, a plurality of target positions can be randomly selected from a plurality of preset positions in a file body of the document, and the traceability information is written into the target positions in the file body, so that the traceability of the operation and use process of the document is facilitated, and the traceability information is randomly written into the preset positions of the file body, so that the traceability information is not easy to crack and delete.
In the embodiment of the application, assume that the documents are cloud documents, shared documents and online documents. When it is detected that the amount of tracing information of a certain user is greater than a preset quantity threshold, which indicates that the user may have abnormal operation behaviors, the tracing information of the user is uploaded to a server to be stored in the cloud. Each operation behavior can also be graded; for example, the access operation is level 1, the editing operation is level 2, and the downloading operation is level 3. Each level of operation corresponds to a preset threshold number of times; for example, the threshold for the access operation is 1000 times, the threshold for the editing operation is 100 times, and the threshold for the downloading operation is 10 times. When the number of times a person performs an operation reaches the threshold corresponding to that operation, that is, the traceability information of a certain operation reaches the number corresponding to the threshold, this indicates that the operation behavior of the person is possibly abnormal, and the electronic device stores the tracing information in the server.
Furthermore, taking an editing operation as an example, a threshold may be set for the positions of the editing operation; if a certain person modifies many places in the document, this indicates that the person's operation is suspicious. Assuming that the threshold for the number of editing positions is 50, when a person has edited 50 different positions in the document, the person can be determined to be suspicious.
Further, if the editing times of the personnel reach the corresponding preset time threshold value, or the editing positions reach the corresponding preset time threshold value, the editing authority of the personnel is locked, and the personnel cannot continuously edit, so that the safety of the document is ensured.
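The graded thresholds and the edit lock described above can be exercised with a small monitor. This is an added example, not code from the application; the class, its method names and the in-memory list standing in for the server store are assumptions.

```python
from collections import defaultdict

# Thresholds taken from the description above.
COUNT_THRESHOLDS = {"access": 1000, "edit": 100, "download": 10}
EDIT_POSITION_THRESHOLD = 50


class OperationMonitor:
    """Counts operations per user and locks editing when a threshold is hit."""

    def __init__(self):
        self.counts = defaultdict(int)           # (user, op) -> count
        self.edit_positions = defaultdict(set)   # user -> distinct positions
        self.edit_locked = set()                 # users who may no longer edit
        self.uploaded = []                       # stand-in for the server store

    def record(self, user, op, position=None):
        """Register one operation; return 'ok', 'flagged' or 'denied'."""
        if op not in COUNT_THRESHOLDS:
            raise ValueError(f"unknown operation {op!r}")
        if op == "edit" and user in self.edit_locked:
            return "denied"                      # lock already in force
        self.counts[(user, op)] += 1
        reasons = []
        # Fire once, at the moment the count reaches the threshold.
        if self.counts[(user, op)] == COUNT_THRESHOLDS[op]:
            reasons.append(f"{op} count reached {COUNT_THRESHOLDS[op]}")
        if op == "edit" and position is not None:
            seen = self.edit_positions[user]
            if position not in seen:
                seen.add(position)
                if len(seen) == EDIT_POSITION_THRESHOLD:
                    reasons.append(
                        f"edited {EDIT_POSITION_THRESHOLD} different positions")
        if not reasons:
            return "ok"
        # Abnormal behaviour: hand the tracing information to the server.
        self.uploaded.append((user, op, reasons))
        if op == "edit":
            self.edit_locked.add(user)           # no further edits allowed
        return "flagged"


if __name__ == "__main__":
    monitor = OperationMonitor()
    # Constructed activity: one user touching 51 different positions.
    statuses = [monitor.record("user-a", "edit", position=p) for p in range(51)]
    print(statuses[48:], monitor.uploaded)
```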
The embodiment of the application provides a desensitization method, which is executed by an electronic device. The electronic device may be a server or a terminal device. The server may be an independent physical server, a server cluster or a distributed system formed by multiple physical servers, or a cloud server providing cloud computing services. The terminal device may be a smart phone, a tablet computer, a notebook computer, a desktop computer, and the like, but is not limited thereto. The terminal device and the server may be directly or indirectly connected through wired or wireless communication, and the embodiment of the present application is not limited thereto. As shown in fig. 2, the method includes step S201, step S202, step S203, and step S204, wherein,
S201, when a desensitization instruction about the file triggered by a user is detected and the file belongs to the document, identifying sensitive text in the text information of the file.
For the embodiment of the application, if the file is a document-type file, its information is primarily described in text, and thus the user may need to desensitize the information in the file. When the electronic equipment detects a desensitization instruction about the file triggered by the user, the desensitization instruction indicates that the user needs to desensitize the file. The electronic equipment can extract the text information in the file and obtain words in the file through sliding scanning of a window with a preset length. The text information can be input into a trained neural network model to perform word recognition to obtain at least one word. The text information can also be processed through an LSTM network model and a CRF (conditional random field) to obtain words and the types corresponding to the words. For example, the text may be searched against a preset country name library to determine whether a country name exists in the text information. The Arabic numeral character strings in the text information are determined to judge whether a character string conforms to the format corresponding to the identity card number, and if so, an identity card number exists in the text information. Likewise, it is judged whether a character string conforms to the format corresponding to the mobile phone number, and if so, a mobile phone number exists in the text information. The name of a person can also be determined from the text information through NLP (natural language processing).
S202, determining a preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text.
For the embodiment of the application, the corresponding desensitization rules are different because the sensitive texts are different in types. Therefore, the corresponding preset desensitization rule is determined through the type of the sensitive text, so that errors are not easy to occur in the desensitization process, and the desensitization process is more accurate.
S203, determining desensitization texts corresponding to the sensitive texts based on preset desensitization rules and the sensitive texts.
For the embodiment of the application, it is assumed that the sensitive text is a country name, and the electronic device desensitizes the sensitive text according to the desensitization rule corresponding to the country name. The name of the country is replaced by "a country", and "a country" is the desensitization text after desensitization. If the sensitive text is the name of a person, the electronic equipment desensitizes the sensitive text according to the desensitization rule corresponding to the name of the person, and replaces the name of the person with the surname plus "certain". For example, if the sensitive text is "Zhang San", the corresponding desensitization text is "Zhang" followed by "certain". Assuming that the sensitive text is the identification number, the electronic equipment can replace the middle 8 characters of the identification number with special symbols, thereby achieving the desensitization effect. For example, the middle 8 Arabic numerals are all replaced with "".
S204, replacing the sensitive text with the desensitized text to obtain a desensitized file.
For the embodiment of the application, after the electronic equipment determines the desensitization texts corresponding to all sensitive texts in the text information, each sensitive text is replaced with its desensitization text at the position of the sensitive text, so that the desensitized file is obtained.
In a possible implementation manner of the embodiment of the present application, the method further includes step S205 (not shown), step S206 (not shown), and step S207 (not shown), wherein step S205 may be executed after step S202, or may be executed simultaneously with step S202, wherein,
S205, binary data of the file is acquired.
For the embodiment of the present application, in order to achieve deeper desensitization, if the file is a document, the electronic device obtains binary data corresponding to the text information in the file.
S206, determining the corresponding relation between each character of the text information in the file and the binary data.
For the embodiment of the application, after the electronic device acquires the binary data, the electronic device generates the corresponding relation between each character and the corresponding binary data according to the position arrangement of each character in the text information and the binary data corresponding to each character length in the binary data.
And S207, when the desensitization operation of the sensitive text is detected, replacing binary data corresponding to the sensitive text with preset placeholder characters.
For the embodiment of the application, when a desensitization instruction triggered by a user is detected, binary data corresponding to sensitive text is replaced by using a preset placeholder. For example, if a country is replaced with "a country" in the file, the binary data corresponding to the country is replaced with the binary data corresponding to "a country". Therefore, double-layer desensitization of the file and the binary data at the bottom layer of the file is realized, the desensitized file is not easy to restore, and the file is safer.
In a possible implementation manner of the embodiment of the present application, the step S204 of replacing the sensitive text with the desensitized text to obtain the desensitized file specifically includes a step S2041 (not shown in the figure) and a step S2042 (not shown in the figure), wherein,
S2041, determining a text format corresponding to the sensitive text.
For the embodiment of the application, the electronic device temporarily stores the text format of the sensitive text when the sensitive text is desensitized. For example, the text format of country A is "bold, four, plus bold", and the electronic device temporarily stores the text format.
And S2042, replacing the sensitive text with the desensitized text according to the text format corresponding to the sensitive text.
For the embodiment of the present application, taking step S203 as an example, after determining that the desensitization text corresponding to country A is "a country", the electronic device generates "a country" in the "bold, four, plus bold" format and uses it to replace country A. Therefore, the desensitized file is kept consistent with the typesetting layout of the original file, and the file is not easily distorted.
In a possible implementation manner of the embodiment of the present application, the method further includes step S208 (not shown in the figure) and step S209 (not shown in the figure), wherein,
S208, generating desensitization records based on the sensitive texts, desensitization texts corresponding to the sensitive texts and desensitization time.
For the embodiment of the present application, it is assumed that the sensitive text is country A, the corresponding desensitization text is "a country", and the time of the desensitization operation is 8:00 on July 10, 2022. The electronic device determines the correspondence of the three and generates a desensitization record for the three.
S209, storing the desensitization record.
For the embodiment of the application, after the desensitization record is determined by the electronic device, the desensitization record is stored, and the electronic device can store the desensitization record in a local storage medium or a cloud server, so that a subsequent administrator can call the desensitization record for checking conveniently. And when a restoring instruction triggered by a user is detected, restoring the file according to the desensitization record corresponding to the file, so that the accuracy of restoration is ensured.
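Steps S201 to S204, together with the desensitization record of S208 and the record-based restore, fit into one short program. This is an added example, not code from the application: the country library and name table are constructed stand-ins for the preset library and the NLP recognizer, the "*" mask symbol and the offset field in each record are assumptions, and "middle 8 characters" is taken as keeping five characters on each side.

```python
import re
from datetime import datetime, timezone

# Constructed stand-ins for the preset country-name library and for the
# NLP name recognizer (full name -> surname).
COUNTRY_LIBRARY = ("Freedonia", "Ruritania")
KNOWN_NAMES = {"Zhang San": "Zhang", "Li Si": "Li"}
# 18-character identity card number format: 17 digits plus a digit or X.
ID_PATTERN = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")
MASK_CHAR = "*"  # assumption: the special symbol is not named in the text
# Constructed sample text; the ID number is made up.
SAMPLE = "Zhang San of Freedonia, ID 110101199003071234, met Li Si."


def find_sensitive(text):
    """S201: return non-overlapping (start, end, content_type) spans."""
    spans = []
    for country in COUNTRY_LIBRARY:
        spans += [(m.start(), m.end(), "country")
                  for m in re.finditer(re.escape(country), text)]
    for name in KNOWN_NAMES:
        spans += [(m.start(), m.end(), "person")
                  for m in re.finditer(re.escape(name), text)]
    spans += [(m.start(), m.end(), "id_number")
              for m in ID_PATTERN.finditer(text)]
    spans.sort(key=lambda s: (s[0], -s[1]))
    kept, cursor = [], 0
    for start, end, kind in spans:
        if start >= cursor:          # drop hits overlapping an earlier one
            kept.append((start, end, kind))
            cursor = end
    return kept


def apply_rule(kind, value):
    """S202/S203: choose the rule by content type, build the replacement."""
    if kind == "country":
        return "a country"
    if kind == "person":
        return KNOWN_NAMES[value] + " certain"
    if kind == "id_number":
        return value[:5] + MASK_CHAR * 8 + value[13:]
    raise ValueError(f"no desensitization rule for type {kind!r}")


def desensitize(text, when=None):
    """S204 + S208: replace each span and emit one record per replacement."""
    when = when or datetime.now(timezone.utc).isoformat()
    out, records, cursor = "", [], 0
    for start, end, kind in find_sensitive(text):
        original = text[start:end]
        masked = apply_rule(kind, original)
        out += text[cursor:start]
        # offset (position in the desensitized text) is an added field so
        # that two people sharing a surname restore unambiguously.
        records.append({"offset": len(out), "sensitive": original,
                        "desensitized": masked, "time": when})
        out += masked
        cursor = end
    return out + text[cursor:], records


def restore(text, records):
    """Rebuild the original text; refuse if the file no longer matches."""
    for rec in sorted(records, key=lambda r: r["offset"], reverse=True):
        start = rec["offset"]
        end = start + len(rec["desensitized"])
        if text[start:end] != rec["desensitized"]:
            raise ValueError(f"record does not match file at offset {start}")
        text = text[:start] + rec["sensitive"] + text[end:]
    return text


if __name__ == "__main__":
    masked_text, log = desensitize(SAMPLE)
    print(masked_text)
    print(restore(masked_text, log) == SAMPLE)
```

The desensitization record holds every original value, so wherever it is stored it needs the same access control as the unredacted file.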
The above embodiment introduces a method for encrypting and decrypting a file from the perspective of method flow, and the following embodiment introduces a device 30 for encrypting and decrypting a file from the perspective of virtual modules or virtual units, and is described in detail in the following embodiment.
An embodiment of the present application provides a device 30 for encrypting and decrypting a file, as shown in fig. 3, where the device 30 for encrypting and decrypting a file may specifically include:
an information obtaining module 301, configured to obtain user information;
the first transmission module 302 is used for transmitting the file from the storage medium to the native file system when an opening instruction of the file triggered by a user is detected;
a type determining module 303, configured to determine a file type of the file, where the file type includes an encrypted file and an unencrypted file;
a first deployment module 304, configured to deploy the file from the native file system to an upper-level application when the file belongs to an unencrypted file;
a second transmission module 305, configured to transmit the file from the native file system to the encrypted file system when the file belongs to the encrypted file;
the permission judging module 306 is used for judging whether the user has access permission or not based on the user information;
and a second deployment module 307, configured to decrypt the file in the encrypted file system and deploy the decrypted file to an upper layer application when the user has the access permission.
In the file encryption and decryption apparatus 30 provided in the embodiment of the present application, the information obtaining module 301 obtains the user information, so as to facilitate subsequent determination of the authority of the user for the file. When an opening instruction about a file triggered by a user is detected, the first transmission module 302 transmits the file stored in the storage medium to the native file system, so that management of the file is realized. After the file is transmitted to the native file system, the type determining module 303 judges the type of the file. If the file belongs to an unencrypted file, the file does not need to be decrypted, and the first deployment module 304 deploys the file directly to an upper-layer application, so that the file is output. If the file belongs to the encrypted file, the file needs to be decrypted before it can be viewed by the user. The second transmission module 305 transmits the encrypted file to the encrypted file system, and the permission judging module 306 judges whether the user has an access permission to the file according to the user information. If the user has the access permission, the file is decrypted in the encrypted file system by the second deployment module 307 to obtain the decrypted file, and the decrypted file is deployed to an upper-layer application, thereby realizing the output of the encrypted file. Because the file is decrypted by the encrypted file system, the decryption can be completed at the driver layer, which saves resources compared with calling a decryption program across processes.
In a possible implementation manner of the embodiment of the present application, the apparatus 30 further includes:
the establishing module is used for establishing a running sandbox corresponding to the file;
and the output module is used for controlling the running sandbox to output the file according to the control authority corresponding to the file.
In a possible implementation manner of the embodiment of the present application, the apparatus 30 further includes:
the identification module is used for identifying sensitive texts in text information of the files when desensitization instructions about the files triggered by users are detected and the files belong to the documents;
the rule determining module is used for determining a preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text;
the text determining module is used for determining desensitization texts corresponding to the sensitive texts based on preset desensitization rules and the sensitive texts;
and the first replacing module is used for replacing the sensitive text with the desensitization text to obtain a desensitized file.
In a possible implementation manner of the embodiment of the present application, the apparatus 30 further includes:
the data acquisition module is used for acquiring binary data of the file;
the relation determining module is used for determining the corresponding relation between each character of the text information in the file and the binary data;
and the second replacement module is used for replacing the binary data corresponding to the sensitive text with the preset placeholder character when the desensitization operation on the sensitive text is detected.
In a possible implementation manner of the embodiment of the present application, when the first replacing module replaces the sensitive text with the desensitization text to obtain a desensitized file, the first replacing module is specifically configured to:
determining a text format corresponding to the sensitive text;
and replacing the sensitive text with the desensitized text according to the text format corresponding to the sensitive text to obtain the desensitized file.
In a possible implementation manner of the embodiment of the present application, the apparatus 30 further includes:
the record generating module is used for generating desensitization records based on the sensitive texts, desensitization texts corresponding to the sensitive texts and desensitization time;
and the record storage module is used for storing desensitization records.
In a possible implementation manner of the embodiment of the present application, the user information includes a user ID, and the apparatus 30 further includes:
the time acquisition module is used for acquiring the operation time of the user operation file and generating the source tracing information based on the operation time and the user information;
the encryption calculation module is used for carrying out encryption calculation on the user ID to obtain a characteristic value of the user ID when the file is in a picture format;
the first compression module is used for compressing the characteristic value to a preset length byte to obtain an ID compression value;
the difference value determining module is used for determining the difference value between the operation time and the starting time of the preset time period when the operation time is within the preset time period;
the conversion module is used for converting the difference value to obtain a time compression value;
the traceability information determining module is used for determining the compressed traceability information according to the ID compression value and the time compression value;
the position determining module is used for determining a preset number of target positions from preset positions of the file;
and the writing module is used for writing the compressed tracing information into a target position to obtain a new file.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the above-described apparatus 30 for encrypting and decrypting a file may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The above-described embodiment describes a desensitization method from the perspective of the method flow, and the following embodiments describe a desensitization apparatus 40 from the perspective of a virtual module or virtual unit, as described in detail in the following embodiments.
The present embodiment provides a desensitization device 40, as shown in fig. 4, the desensitization device 40 may specifically include:
the identification module 401 is configured to identify a sensitive text in text information of a file when a desensitization instruction about the file triggered by a user is detected and the file belongs to the document;
a rule determining module 402, configured to determine a preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text;
the text determining module 403 is configured to determine a desensitization text corresponding to the sensitive text based on a preset desensitization rule and the sensitive text;
a first replacing module 404, configured to replace the sensitive text with the desensitized text, so as to obtain a desensitized file.
According to the desensitization device 40 provided by the embodiment of the present application, if a file belongs to a document and a desensitization instruction triggered by a user on the file is detected, it indicates that the user needs to desensitize the file. The identification module 401 identifies the sensitive text in the file, and the rule determining module 402 determines the corresponding preset desensitization rule according to the type of the sensitive text. The text determining module 403 desensitizes the sensitive text according to the preset desensitization rule corresponding to the sensitive text to obtain the desensitized text. The first replacing module 404 replaces the sensitive text with the desensitization text to obtain a desensitized file. Because the preset desensitization rule is determined according to the type of the sensitive text before desensitization is performed, desensitization is more accurate, and errors are not easy to occur in the desensitization process.
In a possible implementation manner of the embodiment of the present application, the apparatus 40 further includes:
the data acquisition module is used for acquiring binary data of the file;
the relation determining module is used for determining the corresponding relation between each character of the text information in the file and the binary data;
and the second replacement module is used for replacing the binary data corresponding to the sensitive text with the preset placeholder character when the desensitization operation on the sensitive text is detected.
In a possible implementation manner of the embodiment of the present application, when replacing the sensitive text with the desensitization text to obtain a desensitized file, the first replacing module 404 is specifically configured to:
determining a text format corresponding to the sensitive text;
and replacing the sensitive text with the desensitized text according to the text format corresponding to the sensitive text to obtain the desensitized file.
In a possible implementation manner of the embodiment of the present application, the apparatus 40 further includes:
the record generating module is used for generating desensitization records based on the sensitive texts, desensitization texts corresponding to the sensitive texts and desensitization time;
and the record storage module is used for storing desensitization records.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific operation of the desensitization apparatus 40 described above may refer to the corresponding process in the foregoing method embodiment, and will not be described herein again.
In an embodiment of the present application, an electronic device is provided, as shown in fig. 5, an electronic device 50 shown in fig. 5 includes: a processor 501 and a memory 503. Wherein the processor 501 is coupled to the memory 503, such as via the bus 502. Optionally, the electronic device 50 may also include a transceiver 504. It should be noted that the transceiver 504 is not limited to one in practical application, and the structure of the electronic device 50 is not limited to the embodiment of the present application.
The Processor 501 may be a CPU (Central Processing Unit), a general-purpose Processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other Programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor 501 may also be a combination of implementing computing functionality, e.g., comprising one or more microprocessors, a combination of DSPs and microprocessors, and the like.
Bus 502 may include a path that carries information between the aforementioned components. The bus 502 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 502 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 5, but this does not represent only one bus or one type of bus.
The Memory 503 may be a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
The memory 503 is used for storing application program codes for executing the scheme of the application, and the processor 501 controls the execution. The processor 501 is configured to execute application program code stored in the memory 503 to implement the content shown in the foregoing method embodiments.
Among them, electronic devices include but are not limited to: mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and fixed terminals such as digital TVs, desktop computers, and the like. But also a server, etc. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
The embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, which, when running on a computer, enables the computer to execute the corresponding content of the method for encrypting and decrypting a file in the foregoing method embodiments. Compared with the related art, the embodiment of the present application acquires the user information, so that the authority of the user on the file can be conveniently determined subsequently. When an opening instruction about a file triggered by a user is detected, the file stored in the storage medium is transmitted to the native file system, so that the management of the file is realized. After the file is transmitted to the native file system, the type of the file is judged. If the file belongs to an unencrypted file, the file does not need to be decrypted, and the file is directly deployed to an upper-layer application, so that the output of the file is realized. If the file belongs to the encrypted file, the file needs to be decrypted, and the user can access and view the file after decryption. The encrypted file is transmitted to the encrypted file system, and whether the user has the access right to the file is judged according to the user information. If the user has the access authority, the file is decrypted through the encrypted file system to obtain the decrypted file, and the decrypted file is deployed to an upper-layer application, thereby realizing the output of the encrypted file. Because the file is decrypted by the encrypted file system, resources are saved compared with creating a new process for decryption.
The present application provides a computer-readable storage medium, which stores a computer program, and when the computer program runs on a computer, the computer can execute the contents of the desensitization method in the foregoing method embodiments. Compared with the related art, in the embodiment of the application, if the file belongs to the document and a desensitization instruction about the file triggered by a user is detected, it indicates that the user needs to desensitize the file. Sensitive texts in the files are recognized, and corresponding preset desensitization rules are determined according to the types of the sensitive texts. The sensitive text is desensitized according to the preset desensitization rule corresponding to the sensitive text to obtain the desensitized text. And allocating the decrypted file to an upper layer application, thereby realizing the output of the encrypted file. The file is decrypted by using the encrypted file system, namely the decryption can be completed at the driver layer, and compared with calling a decryption program across processes, resources are saved.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. Unless explicitly stated herein, the steps are not restricted to the exact order shown and may be performed in other orders. Moreover, at least a portion of the steps in the flowcharts may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and which are not necessarily performed in sequence, but may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
The foregoing is only a few embodiments of the present application and it should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present application, and that these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A method for encrypting and decrypting a file, comprising:
acquiring user information;
when an opening instruction of a file triggered by a user is detected, the file is transmitted to a native file system from a storage medium;
judging the file types of the files, wherein the file types comprise encrypted files and unencrypted files;
if the file belongs to the unencrypted file, deploying the file from a native file system to an upper-layer application;
if the file belongs to the encrypted file, transmitting the file from the native file system to the encrypted file system;
judging whether the user has access authority or not based on the user information;
and if so, decrypting the file in the encrypted file system and deploying the decrypted file to an upper-layer application.
2. The method for encrypting and decrypting the file according to claim 1, wherein when the user-triggered opening instruction for the file is detected, the method further comprises:
establishing a running sandbox corresponding to the file;
and controlling the running sandbox to output the file according to the control authority corresponding to the file.
3. The method for encrypting and decrypting the file according to claim 1 or 2, wherein the method further comprises:
when a desensitization instruction which is triggered by a user and is about a file is detected, and the file belongs to a document, identifying sensitive text in text information of the file;
determining a preset desensitization rule corresponding to the sensitive text according to the content type of the sensitive text;
determining desensitization texts corresponding to the sensitive texts based on the preset desensitization rules and the sensitive texts;
and replacing the sensitive text with the desensitized text to obtain a desensitized file.
4. The method for encrypting and decrypting the file according to claim 3, wherein the method further comprises:
acquiring binary data of the file;
determining the corresponding relation between each character of the text information in the file and binary data;
when desensitization operation on the sensitive text is detected, replacing binary data corresponding to the sensitive text with preset placeholder characters.
5. The method for encrypting and decrypting the file according to claim 3, wherein the step of replacing the sensitive text with the desensitized text to obtain the desensitized file comprises the steps of:
determining a text format corresponding to the sensitive text;
and replacing the sensitive text with the desensitized text according to the text format corresponding to the sensitive text.
6. The method for encrypting and decrypting the file according to claim 3, wherein the method further comprises:
desensitization records are generated based on the sensitive texts, desensitization texts corresponding to the sensitive texts and desensitization time;
storing the desensitization record.
7. The method for encrypting and decrypting the file according to claim 1, wherein the user information includes a user ID, the method further comprising:
acquiring the operation time of the user operation file, and generating tracing information based on the operation time and user information;
if the file is in a picture format, carrying out encryption calculation on the user ID to obtain a characteristic value of the user ID;
compressing the characteristic value to a preset length byte to obtain an ID compressed value;
if the operation time is within a preset time period, determining the difference value between the operation time and the starting time of the preset time period;
converting the difference value to obtain a time compression value;
obtaining compressed tracing information according to the ID compression value and the time compression value;
determining a preset number of target positions from preset positions of the file;
and writing the compressed tracing information into the target position to obtain a new file.
8. An apparatus for encrypting and decrypting a file, comprising:
the information acquisition module is used for acquiring user information;
the file processing device comprises a first transmission module, a first storage module and a second transmission module, wherein the first transmission module is used for transmitting a file from a storage medium to a native file system when an opening instruction of the file triggered by a user is detected;
the type judging module is used for judging the file type of the file, and the file type comprises an encrypted file and an unencrypted file;
the first deployment module is used for deploying the file from a native file system to an upper-layer application when the file belongs to an unencrypted file;
the second transmission module is used for transmitting the file from the native file system to the encrypted file system when the file belongs to the encrypted file;
the authority judging module is used for judging whether the user has access authority or not based on the user information;
and the second deployment module is used for decrypting the file in the encrypted file system and deploying the decrypted file to an upper-layer application when the file exists.
9. An electronic device, comprising:
one or more processors;
a memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications being configured to perform the method for encrypting and decrypting a file according to any one of claims 1 to 7.
10. A computer-readable storage medium having a computer program stored thereon, wherein when the computer program is executed in a computer, the computer is caused to execute a method for encrypting and decrypting a file according to any one of claims 1 to 7.
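The desensitization steps of claims 3 to 6, as an added Python example that is not code from the patent. The content types, regex detectors, masking rules, record fields and the reading of "text format" as length and separators are all assumptions, since the claims specify none of them.

```python
import re
from datetime import datetime, timezone

# Assumed content types, detectors and rules; the claims name none of them.
DETECTORS = {
    "phone": re.compile(r"\b\d{3}-\d{4}-\d{4}\b"),
    "email": re.compile(r"\b[\w.]+@[\w.]+\.\w+\b"),
}

def mask(text, keep_head, keep_tail):
    """Mask letters and digits; keep length and separators (assumed 'text format')."""
    last = len(text) - keep_tail
    return "".join(c if i < keep_head or i >= last or not c.isalnum() else "*"
                   for i, c in enumerate(text))

def mask_email(addr):
    local, _, domain = addr.partition("@")
    return mask(local, 1, 0) + "@" + domain

RULES = {"phone": lambda s: mask(s, 3, 4), "email": mask_email}

def char_byte_spans(text):
    """Claim 4: (start, end) byte range of every character in the UTF-8 data."""
    spans, pos = [], 0
    for ch in text:
        size = len(ch.encode("utf-8"))
        spans.append((pos, pos + size))
        pos += size
    return spans

def desensitize(text, now):
    data = bytearray(text.encode("utf-8"))
    spans = char_byte_spans(text)
    hits = [(m.start(), m.end(), ctype)
            for ctype, rx in DETECTORS.items() for m in rx.finditer(text)]
    records = []
    for start, end, ctype in sorted(hits, reverse=True):  # right to left keeps offsets valid
        original = text[start:end]
        masked = RULES[ctype](original)
        data[spans[start][0]:spans[end - 1][1]] = masked.encode("utf-8")
        # Claim 6 record; it holds the original value, so store it as protected data.
        records.append({"type": ctype, "original": original,
                        "desensitized": masked, "time": now.isoformat()})
    return data.decode("utf-8"), records

# Constructed sample input.
SAMPLE = "联系人 张三, phone 138-1234-5678, mail zhang.san@example.com"
```

Because the record of claim 6 is built from the sensitive text itself, the record store becomes a second copy of the data the desensitized file was meant to hide and needs the same access control.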
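The compressed tracing information of claim 7, as an added Python example that is not code from the patent. It assumes SHA-256 for the unspecified "encryption calculation", 4-byte ID and time values, a preset period covering 2022, a raw pixel buffer as the picture, and least-significant-bit writes at the target positions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

ID_LEN = 4    # assumed "preset length" of the ID compressed value, in bytes
TIME_LEN = 4  # assumed width of the time compression value, in bytes
PERIOD_START = datetime(2022, 1, 1, tzinfo=timezone.utc)  # assumed preset period
PERIOD_END = datetime(2023, 1, 1, tzinfo=timezone.utc)

def id_compressed(user_id):
    # SHA-256 stands in for the claim's unspecified "encryption calculation".
    return hashlib.sha256(user_id.encode("utf-8")).digest()[:ID_LEN]

def compress_trace(user_id, op_time):
    if not PERIOD_START <= op_time < PERIOD_END:
        raise ValueError("operation time is outside the preset period")
    delta = int((op_time - PERIOD_START).total_seconds())
    return id_compressed(user_id) + delta.to_bytes(TIME_LEN, "big")

def write_trace(pixels, trace, preset_positions):
    """Write one trace bit into the low bit of each target position."""
    bits = [(b >> (7 - i)) & 1 for b in trace for i in range(8)]
    targets = preset_positions[:len(bits)]
    if len(targets) < len(bits) or max(targets) >= len(pixels):
        raise ValueError("not enough usable target positions")
    out = bytearray(pixels)
    for pos, bit in zip(targets, bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)

def read_trace(pixels, preset_positions):
    n_bits = (ID_LEN + TIME_LEN) * 8
    bits = [pixels[p] & 1 for p in preset_positions[:n_bits]]
    raw = bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
                for k in range(0, n_bits, 8))
    seconds = int.from_bytes(raw[ID_LEN:], "big")
    return raw[:ID_LEN], PERIOD_START + timedelta(seconds=seconds)

def attribute(id_value, candidates):
    # The truncated hash is not reversible; match it against known user IDs.
    return [u for u in candidates if id_compressed(u) == id_value]

# Constructed sample picture data and preset positions.
PIXELS = bytes((i * 37) % 256 for i in range(1024))
POSITIONS = list(range(5, 1024, 13))
```

A truncated hash can collide across a large user base, and low-bit marks do not survive re-encoding or resizing of the picture, so a recovered trace is a lead to confirm against access logs.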
CN202211023033.9A 2022-08-25 2022-08-25 File encryption and decryption method and device, electronic equipment and medium Pending CN115098877A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211023033.9A CN115098877A (en) 2022-08-25 2022-08-25 File encryption and decryption method and device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211023033.9A CN115098877A (en) 2022-08-25 2022-08-25 File encryption and decryption method and device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN115098877A true CN115098877A (en) 2022-09-23

Family

ID=83300434

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211023033.9A Pending CN115098877A (en) 2022-08-25 2022-08-25 File encryption and decryption method and device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN115098877A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115688150A (en) * 2023-01-04 2023-02-03 徐工汉云技术股份有限公司 File encryption transmission method, decryption display method, storage medium and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060005017A1 (en) * 2004-06-22 2006-01-05 Black Alistair D Method and apparatus for recognition and real time encryption of sensitive terms in documents
CN104715209A (en) * 2015-04-03 2015-06-17 山东华软金盾软件有限公司 Outgoing document encryption protection method
CN107992771A (en) * 2017-12-20 2018-05-04 北京明朝万达科技股份有限公司 A kind of data desensitization method and device
CN110569651A (en) * 2019-08-27 2019-12-13 北京明朝万达科技股份有限公司 file transparent encryption and decryption method and system based on domestic operating system
CN112270638A (en) * 2020-11-19 2021-01-26 闪捷信息科技有限公司 Sensitive file steganography and tracing method based on deep confrontation network
CN113378225A (en) * 2021-06-24 2021-09-10 平安普惠企业管理有限公司 Online sensitive data acquisition method and device, electronic equipment and storage medium
CN114898373A (en) * 2022-06-08 2022-08-12 平安科技(深圳)有限公司 File desensitization method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN109614816B (en) Data desensitizing method, device and storage medium
CN110727954B (en) Data authorization desensitization automation method, device and storage medium
US10614233B2 (en) Managing access to documents with a file monitor
CN106778283B (en) Method and system for protecting key data of system partition
CN111897786B (en) Log reading method, device, computer equipment and storage medium
US9003542B1 (en) Systems and methods for replacing sensitive information stored within non-secure environments with secure references to the same
CN103518196B (en) The messaging device of management secret information and method
US20140108755A1 (en) Mobile data loss prevention system and method using file system virtualization
WO2019174124A1 (en) File sharing method based on two-dimensional code, server and terminal device
CN110532165B (en) Application program installation package characteristic detection method, device, equipment and storage medium
CN112270016B (en) Service data request processing method and device and electronic equipment
CN112417484A (en) Resource file protection method and device, computer equipment and storage medium
US11295027B2 (en) System and method for protecting electronic documents containing confidential information from unauthorized access
CN115238286A (en) Data protection method and device, computer equipment and storage medium
CN112001376B (en) Fingerprint identification method, device, equipment and storage medium based on open source component
CN115098877A (en) File encryption and decryption method and device, electronic equipment and medium
CN110545542A (en) Main control key downloading method and device based on asymmetric encryption algorithm and computer equipment
CN115114646B (en) File authority processing method and device and storage medium
CN109729076B (en) Data desensitization and inverse desensitization method and device, storage medium and terminal
CN105354506B (en) The method and apparatus of hidden file
CN111104693A (en) Android platform software data cracking method, terminal device and storage medium
CN116881896A (en) Method and device for generating device fingerprint library
CN112307449B (en) Authority hierarchical management method, device, electronic equipment and readable storage medium
KR101809662B1 (en) Method and system for securing some area of the image file
CN114116399A (en) Method, device, equipment and medium for monitoring third-party SDK in application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220923