CN115130142A - Encrypted file processing method and device and nonvolatile storage medium - Google Patents

Info

Publication number: CN115130142A
Authority: CN (China)
Prior art keywords: encrypted file, file, encrypted, user space, file system
Legal status: Pending
Application number: CN202211060037.4A
Other languages: Chinese (zh)
Inventors: 王峰, 章勇, 李继国
Current assignee: Eetrust Technology Co ltd
Original assignee: Eetrust Technology Co ltd

Classifications

    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F16/188 Virtual file systems
    • G06F21/602 Providing cryptographic facilities or services
    • G06F2221/2107 File encryption

Abstract

The application discloses a method and device for processing an encrypted file, and a nonvolatile storage medium. The method comprises the following steps: redirecting the encrypted file to a user space file system when the application program accessing the encrypted file is determined to be a trusted process; and performing access processing on the encrypted file in the user space file system. The method and the device solve the technical problems of low file operation efficiency and poor compatibility that arise because traditional transparent file encryption and decryption systems handle cache clearing inadequately.

Description

Encrypted file processing method and device and nonvolatile storage medium
Technical Field
The present application relates to the field of file encryption, and in particular, to a method and an apparatus for processing an encrypted file, and a non-volatile storage medium.
Background
With the advent of the internet era, enterprise data has grown explosively, pushing enterprise information management into the Data Technology (DT) era. Data resources have become the core competitiveness of enterprises, and most confidential enterprise data exists in the form of electronic data. However, electronic documents that store confidential data are at risk of being leaked during creation, storage, use, transmission, and the like. The security problem of electronic documents in computers is not limited to threats from viruses, trojans, network intrusion, system attacks and the like; according to research data, 78.9% of the losses in current information leakage incidents come from active disclosure by personnel inside enterprises, so the security threat inside enterprises is in fact the more serious one.
For traditional transparent file encryption systems based on file filter drivers, the program processes that access data are typically divided into trusted and untrusted processes. When the trusted process and the untrusted process access an encrypted file continuously and alternately, the file encryption system needs to continuously clear the cache data in the file cache to ensure that the cache in the file cache is correct data (plaintext or ciphertext).
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiments of the application provide a method and device for processing an encrypted file, and a nonvolatile storage medium, which are used to solve the technical problems of low file operation efficiency and poor compatibility caused by traditional transparent file encryption and decryption systems handling cache clearing inadequately.
According to an aspect of an embodiment of the present application, there is provided a method for processing an encrypted file, including: redirecting the encrypted file to a user space file system under the condition that the application program accessing the encrypted file is determined to be a trusted process; and carrying out access processing on the encrypted file in the user space file system.
Optionally, before redirecting the encrypted file to the user space file system, the method further includes: mapping a virtual space in a user space file system; redirecting the encrypted file into a user space file system, comprising: the encrypted file is redirected into a virtual space mapped by a user space file system.
Optionally, after redirecting the encrypted file to the user space file system, the method further includes: and redirecting an access request of the application program for accessing the encrypted file to a virtual space mapped by the file system in the user space.
Optionally, performing access processing on the encrypted file in the user space file system includes: sending the access request to a user layer program of the user space file system through a driver of the user space file system; and performing access processing on the encrypted file according to the access request through the user layer program of the user space file system.
Optionally, before the user layer program of the user space file system performs access processing on the encrypted file according to the access request, the method further includes: the access request is registered by a user layer program of the user space file system.
Optionally, the method further includes performing at least one of the following access processing on the encrypted file: open, create, read, write, delete, and rename.
Optionally, after redirecting the encrypted file to the user space file system, the method further includes: adding attribute information of the encrypted file to a file header of the encrypted file in the form of a tag, wherein the attribute information comprises: the document encryption level of the encrypted file, the document digest of the encrypted file, and the identification of the encrypted file.
Optionally, accessing the encrypted file in the user space file system further includes: receiving an instruction for opening the tagged encrypted file, wherein the instruction includes information about a target object accessing the encrypted file; in response to the instruction, verifying the integrity of the content of the encrypted file through the document digest of the encrypted file, and refusing to open the encrypted file if its content has been modified; if the content of the encrypted file is intact, determining, according to the document encryption level of the encrypted file, whether the target object meets the requirement for opening the encrypted file, and refusing to open the encrypted file if it does not; if the target object meets the requirement, determining, through the identification of the encrypted file, whether the target object has the authority to open the encrypted file, and refusing to open the encrypted file if it does not; and if the target object has the authority to open the encrypted file, opening the encrypted file.
Optionally, after adding the attribute information of the encrypted file to the file header of the encrypted file in the form of a tag, the method further includes: determining whether the file currently being operated on is a tagged encrypted file; and if it is, performing log auditing of the following operations on the tagged encrypted file: open, edit, copy, cut, and delete.
Optionally, after performing access processing on the encrypted file in the user space file system, the method further includes: encrypting the encrypted file by adopting a symmetric algorithm; and encrypting the encryption key of the encrypted file by adopting an asymmetric algorithm.
According to another aspect of the embodiments of the present application, there is also provided an apparatus for processing an encrypted file, including: the redirection module is used for redirecting the encrypted file to a user space file system under the condition that the application program accessing the encrypted file is determined to be a trusted process; and the processing module is used for performing access processing on the encrypted file in the user space file system.
According to still another aspect of the embodiments of the present application, there is provided a non-volatile storage medium, where the non-volatile storage medium includes a stored program, and the apparatus in which the non-volatile storage medium is located is controlled to execute the above processing method of the encrypted file when the program runs.
According to still another aspect of the embodiments of the present application, there is also provided a processor configured to execute a program stored in a memory, where the program executes the above processing method for an encrypted file.
In the embodiments of the application, the encrypted file is redirected to a user space file system when the application program accessing the encrypted file is determined to be a trusted process, and access processing is performed on the encrypted file in the user space file system. By redirecting the encrypted file accessed by the trusted process to the user space file system, operations on the encrypted file are converted into operations on a file in the user space file system. Transparent encryption and decryption of reads and writes of the encrypted file are thereby carried out in the user space file system, which simplifies development and improves program stability, and in turn solves the technical problems of low file operation efficiency and poor compatibility caused by traditional transparent file encryption and decryption systems handling cache clearing inadequately.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a processing method of an encrypted file;
FIG. 2 is a flow chart of a method of processing an encrypted file according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a FUSE-based transparent file encryption system according to an embodiment of the present application;
FIG. 4 is a block diagram of an apparatus for processing an encrypted file according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms appearing in the description of the embodiments of the present application are explained as follows:
Virtual File System (VFS): an interface layer between the physical file systems and services. It abstracts all the details of each file system in Linux, so that different file systems look the same to the Linux kernel and to other processes running in the system.
File redirection is the redirection of various requests for one file operation to another file operation request by various methods.
The user space file system (FUSE) refers to a file system implemented completely in a user mode.
The method provided by the embodiments of the application can be executed in a mobile terminal, a computer terminal or a similar computing device. FIG. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a processing method of an encrypted file. As shown in FIG. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, …, 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, it may also include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the bus), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in FIG. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module or incorporated, in whole or in part, into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of variable resistance termination paths connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the control method of the home appliance in the embodiment of the present application, and the processor 102 executes various functional applications and data processing, i.e., implements the processing method of the encrypted file by running the software programs and modules stored in the memory 104. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
According to an embodiment of the present application, there is provided an embodiment of a processing method for encrypted files, it should be noted that the steps shown in the flowchart of the figure may be executed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowchart, in some cases, the steps shown or described may be executed in an order different from that here.
Fig. 2 is a flowchart of a processing method of an encrypted file according to an embodiment of the present application, and as shown in fig. 2, the method includes the following steps:
Step S202, redirecting the encrypted file to a user space file system under the condition that the application program accessing the encrypted file is determined to be a trusted process.
FIG. 3 is a schematic diagram of a FUSE-based transparent file encryption system according to an embodiment of the present application, wherein the redirection filter driver belongs to a filter type driver dynamically inserted into a computer file system, as shown in FIG. 3. When an encrypted file is opened by an application program, the encrypted file is intercepted by a redirection filter driver, whether the application program is a trusted process or not is judged, and if the application program is the trusted process, the opened encrypted file is redirected to a user-defined encrypted file system (namely the user space file system in the text).
Step S204, the encrypted file is accessed in the user space file system.
Through the steps, the encrypted file accessed by the trusted process is redirected to the user space file system, and the operation of the encrypted file is converted into the operation of the file in the user space file system, so that the transparent encryption and decryption processing of the encrypted file read and write in the user space file system is realized, the development complexity is simplified, and the technical effect of the stability of the program is enhanced.
According to an alternative embodiment of the present application, before step S202 is executed to redirect the encrypted file to the user space file system, a virtual space needs to be mapped in the user space file system.
At present there are two ways of mounting a directory with FUSE: the first maps directory A into directory B, and the second mounts directly on directory A. In the first way, direct access to directory A does not pass through the user space file system, and transparent encryption and decryption of files are only available when the user accesses directory B, which changes the user's habits and degrades the user experience. In the second way, directory A is mounted directly, so all requests of the operating system must pass through this file system, which reduces system performance, causes poor compatibility and may affect the functions of some software.
In the method, a redirection technology is combined, an empty directory (namely the virtual space) is mounted in the FUSE, and only the encrypted file is redirected to the virtual space through the redirection technology, so that the processing of the file is greatly reduced, and the system performance and the software compatibility are not influenced.
Executing step S202 to redirect the encrypted file to the user space file system, which is implemented by the following manner: the encrypted file is redirected into a virtual space mapped by a user space file system.
Referring to fig. 3, the encrypted file accessed by the trusted process is redirected into the virtual space mapped by the file system in user space, i.e. the file opened by the application is converted into a file in the virtual space.
According to another alternative embodiment of the present application, after the encrypted file is redirected to the user space file system, an access request of the application program for accessing the encrypted file needs to be redirected to the virtual space mapped by the user space file system.
As an optional embodiment, in the process of redirecting the encrypted file accessed by the trusted process to the virtual space mapped by the user space file system, all file I/O operations on the original file are converted into I/O operations of the user space file system.
In some optional embodiments of the present application, the step S204 of performing access processing on the encrypted file in the user space file system includes the following steps: sending the access request to a user layer program of the user space file system through a driver of the user space file system; and performing access processing on the encrypted file according to the access request through the user layer program of the user space file system.
Referring to FIG. 3, the user space file system maps a virtual space and uses the custom encrypted file system to receive the redirected file and the I/O operations performed on it. The FUSE file system driver sends the file access request to the FUSE user layer program, and the user layer program finally completes the processing of the various I/O requests on the encrypted file. In this way, transparent encryption and decryption of the encrypted file for an application process is ultimately carried out by the FUSE user space process in the encrypted file system.
In an alternative embodiment of the present application, before the user layer program of the user space file system performs access processing on the encrypted file according to the access request, the user layer program of the user space file system needs to register the access request.
As an alternative embodiment, before the user layer program of the user space file system performs access processing on the encrypted file according to the access request, the FUSE user layer program registers the various I/O operations of the file.
In an alternative embodiment, the above access processing to the encrypted file includes the following processing to the file: open, create, read, write, delete, rename, and the like.
According to an optional embodiment of the present application, after the encrypted file is redirected to the user space file system, attribute information of the encrypted file is added to a file header of the encrypted file in the form of a tag, where the attribute information includes: the document encryption level of the encrypted file, the document digest of the encrypted file, and the identification of the encrypted file.
According to another alternative embodiment of the present application, the access processing of the encrypted file in the user space file system further includes the following steps: receiving an instruction for opening the tagged encrypted file, wherein the instruction includes information about a target object accessing the encrypted file; in response to the instruction, verifying the integrity of the content of the encrypted file through the document digest of the encrypted file, and refusing to open the encrypted file if its content has been modified; if the content of the encrypted file is intact, determining, according to the document encryption level of the encrypted file, whether the target object meets the requirement for opening the encrypted file, and refusing to open the encrypted file if it does not; if the target object meets the requirement, determining, through the identification of the encrypted file, whether the target object has the authority to open the encrypted file, and refusing to open the encrypted file if it does not; and if the target object has the authority to open the encrypted file, opening the encrypted file.
In the embodiment provided by the application, by combining user levels with file tagging, integrity checking, access control and differentiated control are applied to a tagged file after it has been redirected and opened.
As an optional embodiment, tagging a file writes attributes such as the document security level, the document digest and the document identification into the header of the encrypted file. When a user opens the tagged file, the upper-layer user module first performs an integrity check on the document content, and if the file has been tampered with, access is refused directly. The document security level and the document identification are then read from the file tag and sent to the client, which determines whether the current user's identity meets the security-level flow control requirement; if it does not, opening is refused directly. Finally, the user information and the document identification are sent to a server, which determines whether the user has the authority to operate on the document.
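The open sequence described above (integrity check, then security level, then permission), as an added example that is not code from the patent. The header layout, the `ETAG` magic, the clearance comparison and the in-memory `SERVER_ACL` standing in for the server are assumptions; the digest here also covers the level and identification fields, which goes beyond the content-only digest the page describes.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed header layout (an assumption, not from the patent):
# 4-byte magic | 1-byte level | 16-byte document id | 32-byte SHA-256 digest
MAGIC = b"ETAG"
HEADER = struct.Struct(">4sB16s32s")


@dataclass(frozen=True)
class Tag:
    level: int      # document encryption (security) level
    doc_id: bytes   # identification of the encrypted file
    digest: bytes   # document digest stored in the header


@dataclass(frozen=True)
class User:
    name: str
    clearance: int  # assumption: a user may open documents with level <= clearance


def compute_digest(level: int, doc_id: bytes, body: bytes) -> bytes:
    # Binding level and id into the digest means editing the level byte in the
    # header is detected too. An unkeyed digest still cannot stop someone who
    # can recompute it; that would need a keyed MAC or a signature.
    return hashlib.sha256(bytes([level]) + doc_id + body).digest()


def add_tag(body: bytes, level: int, doc_id: bytes) -> bytes:
    """Prepend the tag header to already-encrypted content."""
    if len(doc_id) != 16 or not 0 <= level <= 255:
        raise ValueError("doc_id must be 16 bytes and level must fit in one byte")
    return HEADER.pack(MAGIC, level, doc_id, compute_digest(level, doc_id, body)) + body


def parse_tag(blob: bytes) -> tuple[Tag, bytes]:
    """Split a tagged file into its tag and its (still encrypted) body."""
    if len(blob) < HEADER.size:
        raise ValueError("file too short to carry a tag")
    magic, level, doc_id, digest = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not a tagged file")
    return Tag(level, doc_id, digest), blob[HEADER.size:]


def open_tagged(blob: bytes, user: User, acl: dict[bytes, set[str]]) -> tuple[bool, str]:
    """Apply the three checks in the order the page gives; refuse on the first failure."""
    try:
        tag, body = parse_tag(blob)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    # 1. Integrity: recompute the digest and compare in constant time.
    if not hmac.compare_digest(compute_digest(tag.level, tag.doc_id, body), tag.digest):
        return False, "rejected: tag or content modified"
    # 2. Security level: the user's level must satisfy the document's level.
    if user.clearance < tag.level:
        return False, "rejected: security level too low"
    # 3. Permission: looked up by document identification (server stand-in).
    if user.name not in acl.get(tag.doc_id, set()):
        return False, "rejected: no permission for this document"
    return True, "opened"


# Constructed sample data for the demonstration.
DOC_ID = bytes(range(16))
SAMPLE = add_tag(b"constructed ciphertext bytes", level=2, doc_id=DOC_ID)
SERVER_ACL = {DOC_ID: {"alice", "carol"}}


def demo() -> list[tuple[bool, str]]:
    tampered = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])  # one bit flipped in the body
    downgraded = SAMPLE[:4] + b"\x00" + SAMPLE[5:]       # level byte rewritten to 0
    return [
        open_tagged(SAMPLE, User("alice", 3), SERVER_ACL),
        open_tagged(tampered, User("alice", 3), SERVER_ACL),
        open_tagged(SAMPLE, User("carol", 1), SERVER_ACL),
        open_tagged(SAMPLE, User("bob", 3), SERVER_ACL),
        open_tagged(downgraded, User("carol", 1), SERVER_ACL),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```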
In some optional embodiments of the present application, after adding the attribute information of the encrypted file to the file header of the encrypted file in the form of a tag, it is determined whether the file currently being operated on is a tagged encrypted file; if it is, log auditing is performed for the following operations on the tagged encrypted file: open, edit, copy, cut, and delete.
In this step, the full path of the file currently being operated on is obtained through real-time monitoring of the clipboard and the desktop process, and it is determined whether that file is a tagged file. If it is, the specific operation type and the document information are sent to a server through a client, which provides log auditing of operations such as reading, editing, copying, cutting and deleting the tagged file, and whole life cycle management of the file.
In some optional embodiments of the present application, after performing access processing on an encrypted file in a user space file system, the encrypted file needs to be encrypted by using a symmetric algorithm; and encrypting the encryption key of the encrypted file by adopting an asymmetric algorithm.
In the embodiment provided by the application, the encryption and decryption of files uses three algorithms: AES-ECB, SM4 and SM2. The symmetric algorithms AES-ECB and SM4 are used to encrypt the file, and the asymmetric algorithm SM2 is used to encrypt the file encryption key.
AES is a symmetric block cipher that encrypts data by applying multiple rounds of byte-level operations, including shifts, to the plaintext and the key.
SM4 is a block cipher algorithm that mainly consists of XOR, shift and S-box transformation operations.
SM2 is an elliptic curve public key cryptographic algorithm.
In this method, the virtual space created by the FUSE user space file system acts as a bridge: the redirection filter driver redirects the encrypted file to the virtual space, and the user space file system completes the transparent encryption and decryption of the encrypted file. The following technical effects can be achieved:
the realization mode of combining the driving layer and the application layer is adopted, and the business logic is processed in the application layer, so that the complexity of the driving layer is reduced, and the stability of the product is greatly improved;
the file is redirected to a virtual space, the space of a disk is not occupied, and a plaintext file is not generated while the encrypted file is opened, so that the safety of opening the file is greatly improved;
for opening the encrypted file, the cache design processing is added, the transparent encryption and decryption file system with a cache mechanism is realized, and the file opening efficiency is greatly improved.
Fig. 4 is a block diagram of a device for processing encrypted files according to an embodiment of the present application, and as shown in fig. 4, the device includes:
a redirection module 40 configured to redirect the encrypted file to the user space file system if it is determined that the application accessing the encrypted file is a trusted process.
Referring to FIG. 3, the redirection filter driver is a filter driver that is dynamically inserted into the computer's file system. When an application program opens an encrypted file, the redirection filter driver intercepts the open and determines whether the application program is a trusted process; if it is, the opened encrypted file is redirected to a user-defined encrypted file system (namely, the user space file system described herein).
a processing module 42 configured to perform access processing on the encrypted file in the user space file system.
It should be noted that, for a preferred implementation of the embodiment shown in fig. 4, reference may be made to the description of the embodiment shown in fig. 2; details are not repeated here.
As an optional embodiment, the apparatus further includes: a mapping module configured to map a virtual space in the user space file system before redirecting the encrypted file to the user space file system.
At present, there are two FUSE-based ways of working directly on a directory: the first maps directory A to directory B, and the second mounts directly on directory A. In the first way, a user who accesses directory A directly does not pass through the custom file system, and transparent encryption and decryption of files is available only by accessing directory B, which changes the user's habits and degrades the user experience. In the second way, directory A is mounted directly, so all requests from the operating system must pass through the custom file system, which reduces system performance, causes poor compatibility and may affect the functions of some software.
In this method, redirection is combined with FUSE: an empty directory (namely, the virtual space) is mounted in FUSE, and only encrypted files are redirected to the virtual space, which greatly reduces the amount of file processing and does not affect system performance or software compatibility.
According to an alternative embodiment of the present application, the redirection module 40 is further configured to redirect the encrypted file to a virtual space mapped by a user space file system.
Referring to fig. 3, the encrypted file accessed by the trusted process is redirected into the virtual space mapped by the user space file system, i.e. the file opened by the application is converted into a file in the virtual space.
According to another alternative embodiment of the present application, the redirection module 40 is further configured to redirect an access request of an application program to access the encrypted file to a virtual space mapped by a user space file system.
As an optional embodiment, in the process of redirecting the encrypted file accessed by the trusted process to the virtual space mapped by the user space file system, all file I/O operations on the original file are converted into I/O operations of the user space file system.
In some optional embodiments of the present application, the processing module 42 comprises: a sending unit configured to send the access request to a user layer program of the user space file system through a driver of the user space file system; and a processing unit configured to perform access processing on the encrypted file according to the access request through the user layer program of the user space file system.
Referring to fig. 3, the user space file system maps a virtual space and, using the custom encrypted file system, receives the redirected file and the I/O operations performed on it. The FUSE file system driver sends the file access request to the FUSE user layer program, and the user layer program finally completes the processing of the various I/O requests on the encrypted file. Transparent encryption and decryption of the encrypted file by an application process is thus converted into transparent encryption and decryption of the file by the FUSE user space process in the encrypted file system.
The embodiment of the application also provides a nonvolatile storage medium, wherein the nonvolatile storage medium comprises a stored program, and the device where the nonvolatile storage medium is located is controlled to execute the processing method of the encrypted file when the program runs.
The nonvolatile storage medium stores a program for executing the following functions: redirecting the encrypted file to a user space file system under the condition that the application program accessing the encrypted file is determined to be a trusted process; and carrying out access processing on the encrypted file in the user space file system.
The embodiment of the application also provides a processor, wherein the processor is used for running the program stored in the memory, and the program runs to execute the above processing method of the encrypted file.
The processor is used for running a program for executing the following functions: redirecting the encrypted file to a user space file system under the condition that the application program accessing the encrypted file is determined to be a trusted process; and carrying out access processing on the encrypted file in the user space file system.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technical content can be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present application. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as falling within the protection scope of the present application.

Claims (12)

1. A method for processing an encrypted file, comprising:
redirecting the encrypted file to a user space file system under the condition that an application program accessing the encrypted file is determined to be a trusted process;
and performing access processing on the encrypted file in the user space file system.
2. The method of claim 1,
before redirecting the encrypted file into a user space file system, the method further comprises: mapping a virtual space in the user space file system;
redirecting the encrypted file to a user space file system, comprising: and redirecting the encrypted file to a virtual space mapped by the user space file system.
3. The method of claim 1 or 2, wherein after redirecting the encrypted file into a user space file system, the method further comprises:
and redirecting an access request of the application program for accessing the encrypted file to a virtual space mapped by the user space file system.
4. The method of claim 3, wherein performing access processing on the encrypted file in the user space file system comprises:
sending the access request to a user layer program of the user space file system through a driving program of the user space file system;
and carrying out access processing on the encrypted file according to the access request through a user layer program of the user space file system.
5. The method according to claim 4, wherein before the access processing of the encrypted file by the user layer program of the user space file system according to the access request, the method further comprises:
registering the access request through a user layer program of the user space file system.
6. The method of claim 4, further comprising performing at least one of the following access processing on the encrypted file: open, create, read, write, delete, and rename.
7. The method of claim 1, wherein after redirecting the encrypted file into a user space file system, the method further comprises:
adding attribute information of the encrypted file to a file header of the encrypted file in the form of a tag, wherein the attribute information includes: the document encryption level of the encrypted file, the document digest of the encrypted file, and the identification of the encrypted file.
8. The method of claim 7, wherein accessing the encrypted file in the user space file system further comprises:
receiving an instruction for opening the encrypted file added with the label, wherein the instruction comprises information of a target object for accessing the encrypted file;
in response to the instruction, verifying the content integrity of the encrypted file through the document digest of the encrypted file, and if the content of the encrypted file is modified, refusing to open the encrypted file;
if the content of the encrypted file is complete, judging whether the target object meets the requirement for opening the encrypted file or not according to the document encryption level of the encrypted file, and if the target object does not meet the requirement for opening the encrypted file, refusing to open the encrypted file;
if the target object meets the requirement of opening the encrypted file, judging whether the target object has the authority of opening the encrypted file or not through the identifier of the encrypted file, and if the target object does not have the authority of opening the encrypted file, refusing to open the encrypted file;
and if the target object has the authority of opening the encrypted file, opening the encrypted file.
9. The method according to claim 7, wherein after adding the attribute information of the encrypted file to the file header of the encrypted file in the form of a tag, the method further comprises:
judging whether the currently operated file is an encrypted file added with the label;
if the currently operated file is the encrypted file added with the label, performing log audit of the following operations on the encrypted file added with the label: open, edit, copy, cut, and delete.
10. The method of claim 1, wherein after performing access processing on the encrypted file in the user space file system, the method further comprises:
encrypting the encrypted file by adopting a symmetric algorithm;
and encrypting the encryption key of the encrypted file by adopting an asymmetric algorithm.
11. A processing apparatus for encrypting a file, comprising:
the redirection module is used for redirecting the encrypted file to a user space file system under the condition that the application program accessing the encrypted file is determined to be a trusted process;
and the processing module is used for performing access processing on the encrypted file in the user space file system.
12. A non-volatile storage medium, comprising a stored program, wherein when the program runs, a device in which the non-volatile storage medium is located is controlled to execute the processing method of the encrypted file according to any one of claims 1 to 10.
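The header tag of claim 7 and the ordered open checks of claim 8, as an added example that is not code from the patent or from the applicant. The `ETAG` marker, the length-prefixed JSON layout, SHA-256 as the document digest, the numeric clearance model and the identifier-to-names ACL are all assumptions made for illustration.

```python
import hashlib
import json
import struct

MAGIC = b"ETAG"            # hypothetical marker for a tagged encrypted file
LEN = struct.Struct(">I")  # hypothetical: 4-byte big-endian length of the JSON tag


def add_tag(ciphertext, level, file_id):
    """Claim 7: prepend level, digest and identifier to the file as a header tag."""
    tag = json.dumps({
        "level": level,
        "digest": hashlib.sha256(ciphertext).hexdigest(),  # digest choice is assumed
        "id": file_id,
    }).encode()
    return MAGIC + LEN.pack(len(tag)) + tag + ciphertext


def parse_tag(blob):
    """Return (tag, ciphertext); raise ValueError on a missing or malformed header."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("not a tagged encrypted file")
    (size,) = LEN.unpack(blob[4:8])
    if size > len(blob) - 8:
        raise ValueError("truncated tag")
    tag = json.loads(blob[8:8 + size])  # decode errors are ValueError subclasses
    if not (isinstance(tag, dict) and isinstance(tag.get("level"), int)
            and isinstance(tag.get("digest"), str) and isinstance(tag.get("id"), str)):
        raise ValueError("incomplete tag")
    return tag, blob[8 + size:]


def open_file(blob, subject, acl):
    """Claim 8: run the three checks in order; return (allowed, reason, ciphertext)."""
    try:
        tag, body = parse_tag(blob)
    except ValueError as exc:
        return False, str(exc), None
    # 1. Integrity: a digest mismatch means the content was modified.
    if hashlib.sha256(body).hexdigest() != tag["digest"]:
        return False, "content modified", None
    # 2. Encryption level (assumed model: clearance must reach the document level).
    if subject["clearance"] < tag["level"]:
        return False, "clearance below document level", None
    # 3. Permission looked up by the file identifier (assumed ACL: id -> set of names).
    if subject["name"] not in acl.get(tag["id"], ()):
        return False, "no permission for this file", None
    return True, "ok", body  # the ciphertext would now go to the decryption step


# Constructed sample data, not taken from the patent.
SAMPLE = add_tag(b"constructed ciphertext bytes", level=2, file_id="doc-001")
ACL = {"doc-001": {"alice"}}

if __name__ == "__main__":
    tampered = SAMPLE[:-1] + b"X"
    for who, blob in [("alice", SAMPLE), ("bob", SAMPLE), ("alice", tampered)]:
        print(who, open_file(blob, {"name": who, "clearance": 3}, ACL)[:2])
```

An unkeyed digest stored in the header only detects modification by someone who does not also rewrite the tag; binding the tag with a keyed MAC or a signature closes that gap.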
CN202211060037.4A 2022-09-01 2022-09-01 Encrypted file processing method and device and nonvolatile storage medium Pending CN115130142A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211060037.4A CN115130142A (en) 2022-09-01 2022-09-01 Encrypted file processing method and device and nonvolatile storage medium

Publications (1)

Publication Number Publication Date
CN115130142A true CN115130142A (en) 2022-09-30

Family

ID=83387059

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211060037.4A Pending CN115130142A (en) 2022-09-01 2022-09-01 Encrypted file processing method and device and nonvolatile storage medium

Country Status (1)

Country Link
CN (1) CN115130142A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821094A (en) * 2012-07-09 2012-12-12 深圳市深信服电子科技有限公司 Method and system for secure data processing in virtual desktop
CN103218575A (en) * 2013-04-17 2013-07-24 武汉元昊科技有限公司 Host file security monitoring method
CN105224882A (en) * 2015-09-23 2016-01-06 武汉理工大学 A kind of file encryption system based on bridge file system
US20180351749A1 (en) * 2017-06-01 2018-12-06 Silicon Motion, Inc. Data Storage Devices and Methods for Encrypting and Decrypting a Firmware File Thereof
CN109446751A (en) * 2018-09-30 2019-03-08 深圳市迷你玩科技有限公司 Generate the method, apparatus and storage medium of the data set including multiple subfiles

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220930