CN115146318B - Virtual disk safe storage method - Google Patents

Info

Publication number: CN115146318B
Authority: CN (China)
Prior art keywords: virtual disk, file, qcow2, virtual, image
Legal status: Active
Application number: CN202211068135.2A
Other languages: Chinese (zh)
Other versions: CN115146318A (en)
Inventors: 王宇锋, 谢明, 孙立明, 张铎
Current Assignee: Kirin Software Co Ltd
Original Assignee: Kirin Software Co Ltd
Application filed by: Kirin Software Co Ltd
Priority to: CN202211068135.2A
Publications: CN115146318A (application), CN115146318B (grant)
Priority to PCT/CN2022/137630: WO2024045407A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638 Organizing or formatting or addressing of data
    • G06F3/064 Management of blocks
    • G06F3/0643 Management of files
    • G06F3/0644 Management of space entities, e.g. partitions, extents, pools
    • G06F3/0662 Virtualisation aspects
    • G06F3/0664 Virtualisation aspects at device level, e.g. emulation of a storage device or system

Abstract

The invention relates to a secure storage method for virtual disks, comprising the following steps: using the qemu-img tool to create a group of partitioned virtual disk files, with the partition information of the virtual disk files written into the file header of the image of the first virtual disk file; starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the block information, and locating the images of the other virtual disk files; when qemu opens the qcow2 virtual disk, building block meta information from the block information; and sending each read-write request to the virtual disk file of the corresponding virtual disk image for processing, according to the block range the request falls in. The invention provides a method for storing data in different virtual disk files, so that the content of the complete image cannot be recovered when only part of the images is stolen, thereby ensuring the security of the data in the virtual disk image.

Description

Virtual disk safe storage method
Technical Field
The invention relates to the technical field of information security, in particular to a virtual disk secure storage method.
Background
In the cloud computing era, processing and storing massive amounts of data is unavoidable. Storing such data usually requires a secure disk image storage method, because once a disk image has a problem, the data security of a cloud computing center is seriously affected. To improve the data security of the disk images of large numbers of virtual machines, data is often encrypted when stored and decrypted when used.
In principle, secure storage has two problems to solve:
1. How to ensure that file data is complete and reliable and that no secrets leak.
2. How to ensure that only legitimate users can access the relevant files.
To solve these two problems, data encryption and authentication and authorization management technologies are required; these are also the core technologies of secure storage. In secure storage, files are turned into unintelligible data (encrypted) by technical means for storage and restored (decrypted) by the same or different means when used. A file is thus stored in a ciphertext state and used in a plaintext state, which ensures security while remaining convenient to use. Encryption involves two elements: algorithms and keys. Techniques for encrypting data fall into two categories, namely symmetric encryption (private key encryption) and asymmetric encryption (public key encryption). Symmetric encryption is typified by the Data Encryption Standard (DES) algorithm, and asymmetric encryption by the RSA (Rivest-Shamir-Adleman) algorithm. In symmetric encryption the encryption key and the decryption key are the same, while in asymmetric encryption they differ: the encryption key can be public and the decryption key must be kept secret.
Generally, an asymmetric key is mainly used for identity authentication or to protect a symmetric key. Everyday data encryption generally uses a symmetric key.
Modern mature encryption and decryption algorithms have reliable strength and are difficult to break by force unless the correct key is held. When a secure storage product is actually deployed and stronger identity authentication is required, a U-key can be used; this kind of authentication device is widely used in online banking.
With encryption and identity authentication technology, storage has a reliable guarantee.
The most common encryption approach for virtual machine image storage is to do the processing in the block device's read and write functions. Data is encrypted on write and decrypted on read; the key can be passed in dynamically or stored on a key card, and a specific encryption algorithm can be selected according to the user's scenario.
Secure storage is still storage in nature and can serve as a remote distributed storage center for files and data. Compared with ordinary storage, distributed storage is safer and more reliable and is suited to fields that require confidentiality. If the data is kept in one place, all of it can be obtained with a single compromise; if it is kept in different places, the complete data can be recovered only by compromising several places, that is, several remote storage centers, at the same time. The scheme is therefore that the disk image is composed of a plurality of blocks, the data is dispersed across the image files, and each image file can be stored in a different data center. Even if one of the data centers is compromised, the content of the disk image cannot be restored. This requires the virtual disk file to support block storage, with different storage blocks placed in different storage locations. The aim of this patent is that a disk image file in the qcow2 format can be stored in blocks in different files, and that the previously stored data can be read from each storage block at run time. The data of the virtual machine is thus stored in different locations, which achieves the purpose of secure storage.
Chinese invention patent "a method for creating an encrypted snapshot of a disk image file, a method for using it, and a storage medium" (patent number: CN 109376119A). That invention discloses a method for creating an encrypted snapshot of a disk image file, a method for using the encrypted snapshot and a storage medium, and belongs to the field of virtualization. The method for creating the encrypted snapshot comprises the following steps: parsing the key parameters to generate the cipher information used to encrypt and decrypt files; copying the cipher information to the source file's operation options; opening the source file according to those operation options; and checking whether the source file was opened successfully and, if so, creating a snapshot and setting the snapshot's encryption information. When the snapshot is in use, the source file can be decrypted with the snapshot key, which resolves the problem that the existing function cannot pass keys to the source file and the snapshot at the same time, and provides the encryption function and the snapshot function together. The method implements encrypted snapshots of Qemu Qcow2 disk image files. It does not improve the security of the encryption; it mainly allows the encryption and snapshot functions to be used at the same time.
Chinese invention patent "method and system for protecting trusted virtual machine vTPM private information based on tenant identity information" (patent number: CN 111683052A). That invention discloses a method and a system for protecting the private information of a trusted virtual machine's vTPM based on tenant identity information. The method comprises the following steps: creating two non-migratable keys, RSA_local and RSA_mig, in the physical trusted platform module, and generating a corresponding digital certificate Certificate_mig for the RSA_mig key; having the cloud tenant generate and store identity authentication information on a local host; when a trusted virtual machine is created, creating a vTPM label for the vTPM instance of each virtual machine; and acquiring the identity authentication information identity_info, the vTPM label and content_info, and checking their integrity, timeliness, legality and consistency. Likewise, in the running, migration, exit, destruction, suspend and snapshot stages of the trusted virtual machine, the integrity, timeliness, legality and consistency of the corresponding fields are checked. Built on libtpms software emulation added to an IaaS cloud platform based on KVM virtualization, that invention protects the vTPM throughout its life cycle and prevents the leakage of private information. That patent uses the TPM module for availability verification and does not protect disk security in the shutdown state.
Chinese invention patent "virtual machine data protection system and method" (patent number: CN 103902884A). That patent discloses a virtual machine data protection system and method and relates to the technical field of cloud computing virtualization data security. Secure access to virtual machine data is achieved by verifying, marking and network-controlling requests for access to virtual machine data in Domain0, combined with monitoring of data behavior and data flow inside the virtual machine. It addresses the problem that, in a multi-tenant virtual machine environment, a virtual machine can be illegally accessed from outside the cloud or by other virtual machines because of bugs or configuration errors in the services deployed on it, or bugs in its applications or kernel. That patent is primarily directed at data security at run time.
Chinese invention patent "a method for safely storing and quickly calling data, and a mobile terminal" (patent number: CN 109829324A). That invention discloses a method for safely storing and quickly calling data and a mobile terminal, comprising the following steps: encrypting the data that the system needs to store under an open public path; storing the encrypted data under the open public path; decrypting the data under the open public path, storing the decrypted data in virtual memory, and forming a mapped path from the storage address; and modifying the system call interfaces whose access path defaults to the open public path so that they use the mapped path, allowing the system to call the decrypted data from virtual memory. That invention solves the problem of storing data safely under the system's default path and also improves the speed at which the data is called, avoiding system stalls and unresponsiveness, and resolves the conflict between storage security and fast data access. That patent only encrypts data stored under an open public path.
Chinese invention patent "mobile terminal data safe storage method based on virtual disk" (patent number: CN 109325355A). That invention provides a method for safely storing mobile terminal data based on a virtual disk and belongs to the field of information security. It works as follows: first, an independent disk partition is created on the hard disk and a fixed-size file that simulates a disk partition is created; the file content is then formatted into a custom file system, so that the file can be presented as a disk, that is, a virtual disk. Finally, real-time encryption is combined with it by adding encryption and decryption to the disk read and write path, which ensures the security of the data. That invention customizes an encrypted file system for the independent disk partition and builds encryption and decryption pipelines between plaintext in memory and ciphertext on disk, so that no plaintext traces are left on the disk and data protection is transparent. It offers higher security and flexibility, provides strong protection for data on the mobile terminal, allows the encrypted file system and the identity verification mechanism to be customized, and can offer a variety of encryption algorithms and working modes. The encryption implemented by that patent is something qemu already supports: encryption of the data segments of the disk.
Chinese invention patent "a differential virtual disk linking method" (patent number: CN 108228108A). That patent discloses a method for linking differential virtual disks, which comprises the following: 1) the file format of the differential virtual disk is improved, and the recorded path of the original virtual disk is changed from the current absolute or relative path on the physical machine to a URL path that can be accessed over the network; 2) the virtual disk driver is improved: reads and writes of a differential virtual disk go through the virtual disk driver, which accesses the original virtual disk file on a server over an IP network according to the network path recorded in the differential virtual disk; 3) a virtual disk access service is provided on the host that stores the original virtual disk files, which offers network access to the original virtual disk, listens for access requests from differential virtual disks, and performs the read-write operations on the original virtual disk according to those requests. The differential virtual disk and the original virtual disk are deployed separately and accessed across hosts, which helps rapid deployment and balances data security and access rate. That patent relies on the "backing file" feature of the qcow2 format: one image is used as a reference disk (generally with the most basic OS files and data installed), other disks that need this base designate the image as their backing file, and subsequent differing content is written to their own virtual disks. If multi-level backing files are created, modifying earlier data causes data redundancy, and the cost in disk space of partitioning this way is very high.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a secure storage method for virtual disks, comprising the following steps:
Step S1: creating a group of partitioned virtual disk files by using the qemu-img tool, wherein the partition information of the virtual disk files is written into the file header of the first virtual disk file;
Step S2: starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the block information, and locating the images of the other virtual disk files;
Step S3: when qemu opens the qcow2 virtual disk image, building block meta information from the block information;
Step S4: sending each read-write request to the virtual disk file of the corresponding virtual disk image for processing, according to the block range the request falls in.
In step S1, a group of partitioned virtual disk files is created with the following command line:
qemu-img create -f qcow2 -d <parameter 1> xxxx.qcow2 <parameter 2>
where parameter 1 is the size of each created virtual disk file and parameter 2 is the size of the whole virtual disk image.
In step S1, an image positioning layer is added to the source code of the qcow2_co_create_opt function to determine an addressing range for each created virtual disk file;
in step S2, an image positioning layer is added to the source code of the qcow2_open function to read the block information in the first virtual disk file and locate the images of the other virtual disk files;
in step S4, an image positioning layer is added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions, so that the virtual disk file of the corresponding virtual disk image is determined when a read-write request is processed.
In step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions uses an offset parameter and a bytes parameter, where the offset parameter gives the offset position within the virtual disk image and the bytes parameter gives the size of the requested content.
In step S1, a field div_img_size is added to the file header of the image of the first virtual disk file to save the block information of the virtual disk file.
In step S1, the block information of the virtual disk file is stored in the following field of the file header of the first virtual disk file: uint64_t div_img_size //.
With the virtual disk secure storage method provided by the invention, data is stored in different virtual disk files, and the content of the complete image cannot be recovered when only part of the images is stolen, which ensures the security of the data in the virtual disk image.
Drawings
FIG. 1: logic diagram of the basic technical concept of the invention.
FIG. 2: flow chart of virtual disk image IO addressing in the prior art.
FIG. 3: flow chart of IO addressing based on qcow2 virtual disk image blocking according to the invention.
Detailed Description
To aid further understanding of the technical scheme of the invention and its advantages, they are described in detail below with reference to the accompanying drawings.
FIG. 1 is a logic diagram of the basic concept of the invention. At present, the qcow2 virtual disk image used in most cases is stored in a single file; if the backing file function is used, there may also be a golden image. If information leaks from the place where the virtual disk image file is stored, a thief can easily obtain all the data stored in the virtual machine. If, however, the virtual disk image is composed of several files and each block image is placed in a different location, this is like "putting eggs in different baskets": a thief who takes only part of the images cannot recover the content of the complete image at all. Storing the virtual disk image in blocks in different locations therefore improves the security of the data in the virtual disk image.
To achieve this, the following problems need to be solved:
1. How to divide the image into blocks
To avoid increasing addressing complexity, the blocking strategy can specify the addressable range of each block when the virtual disk image is made (qemu-img create); beyond that range the next block image is created automatically. Each block is in qcow2 format, so it occupies little storage space when created and grows gradually as data is written into the image, which keeps the best characteristic of qcow2.
2. At which layer to intercept the virtual machine's read-write requests to implement block storage of the image
The source code of qcow2_co_create_opt, qcow2_open, qcow2_co_preadv and qcow2_co_pwritev in the qemu source is modified, and an image positioning layer (which decides which image a read or write request is assigned to) is added to it to implement block storage of the image.
3. Where the block information is stored
The block size is recorded in the div_img_size field in the qcow2 header of the first virtual disk file. This also identifies which image is the first one. The next time the virtual machine is started, the block information is read out.
To address these technical problems, the invention starts from an analysis of how the qcow2 format works, optimizes the code for qcow2 images in the qemu source, and adds image positioning layer code by modifying the qcow2 family of interface functions, implementing block storage of the image without affecting the existing interfaces or usage habits.
Fig. 2 is a flow chart of IO addressing for a virtual disk image in the prior art. The general qcow2 addressing process is as follows: the qcow2_header is read to locate the Level1 table in the virtual disk image, the Level1 table is used to find the position of the corresponding Level2 table, and the Level2 table gives the offset of the cluster that actually stores the data.
With the qcow2 block design of the invention added, the flow is as shown in Fig. 3. On this basis, the virtual disk secure storage method of the invention is as follows:
1. Creating a partitioned virtual disk image using the qemu-img tool
Assuming that an 80G virtual disk image needs to be divided into 8 virtual disk files, the following command line is used: qemu-img create -f qcow2 -d 10G xxxx.qcow2 80G. This automatically creates a group of block virtual disk files according to the specified virtual disk image size. During creation, the image positioning layer added to the source code of the qcow2_co_create_opt function determines an addressing range for each created virtual disk file, and information such as the block size is written into the header of the first virtual disk file. Specifically, a field (div_img_size) is added at the end of the QCowHeader to save the "block size" information in the first virtual disk file.
[0-10G]: xxxx.qcow2
[10-20G]: xxxx.qcow2.div1
[20-30G]: xxxx.qcow2.div2
[30-40G]: xxxx.qcow2.div3
[40-50G]: xxxx.qcow2.div4
[50-60G]: xxxx.qcow2.div5
[60-70G]: xxxx.qcow2.div6
[70-80G]: xxxx.qcow2.div7
The partitioned virtual disk image has now been created. Next, the virtual machine needs to know that the created virtual disk image is a partitioned one, that is, the block information must be read when the virtual machine is started.
2. Start a virtual machine, specify the first block virtual disk file of the virtual disk image through the qemu-kvm program, read the block size, locate the block images of the other virtual disk files, and determine the range each virtual disk file is responsible for storing. Specifically, an image positioning layer is added to the source code of the qcow2_open function; it reads the block information in the first virtual disk file and locates the images of the other virtual disk files.
3. When qemu opens the qcow2 virtual disk image, block meta information is built from the block information. Specifically, after reading the block information of the first virtual disk file, the virtual machine knows the block images of all the virtual disk files. The block information is then represented as data for the program through meta information: the block information of the virtual disk image is described by the meta information and loaded into memory to form a data model, so that the program can address through the meta information and does not need to read the block information from the file header of the first virtual disk file again for each read-write operation.
At this point the blocking of the virtual disk image is complete, and read-write operations on the virtual disk image can be performed.
When the virtual disk image is read and written, the file system layer manages the virtual disk image automatically and decides at which position a new file is written; the program addresses according to the information returned by the file system layer and completes the read or write.
4. Read request operation
When the qcow2 code in qemu processes a read request, the request is sent to the block virtual disk files of the corresponding virtual disk image according to the block ranges. An image positioning layer is added to the source code of the qcow2_co_preadv function so that the virtual disk file of the corresponding virtual disk image is addressed when a read request is processed. The steps are as follows:
(1) The parameters of the qcow2_co_preadv function include offset (the offset position in the virtual disk) and bytes (the size of the requested content); the request is split according to the ranges that the block virtual disk files of the virtual disk image are responsible for.
(2) An environment context is constructed for each virtual disk file that a split request is to be dispatched to.
(3) The split request queue is dispatched for execution according to the images of the virtual disk files.
5. Write request operations
When the qcow2 driver of qemu processes a write request, the request is sent, according to the block range, to the virtual disk file of the corresponding virtual disk image block for processing. An image positioning layer is added to the source code of the qcow2_co_pwritev function so that the virtual disk file of the corresponding virtual disk image is addressed when a write request is processed. The specific steps are as follows:
(1) The parameters of the qcow2_co_pwritev function include offset (the virtual disk offset position) and bytes (the content size of the request); the request is divided according to the range that each virtual disk file of the partitioned virtual disk image is responsible for, so that the IO request queue is divided.
(2) An environment context is constructed for each divided request according to the virtual disk file to which it is to be dispatched.
(3) The divided request queue is dispatched for execution according to the image of the virtual disk file.
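The request splitting described in the read and write steps above, as an added example in C (not code from the patent or from QEMU). It assumes a fixed-range blocking strategy in which each virtual disk file covers div_img_size bytes and is addressed relative to the start of its range; the names split_request and SubRequest are hypothetical. Requests that wrap or run past the end of the disk are rejected before any file is addressed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* One piece of a request, routed to a single virtual disk file (hypothetical type). */
typedef struct {
    uint64_t file_index;   /* which file of the set handles this piece */
    uint64_t file_offset;  /* offset relative to the start of that file's range */
    uint64_t bytes;        /* length of this piece */
} SubRequest;

/* Split [offset, offset + bytes) over files that each cover div_img_size bytes
 * of a disk_size-byte virtual disk. Returns the number of pieces, or -1 if the
 * request is empty, wraps, runs past the disk end, or needs more than max_out. */
int split_request(uint64_t offset, uint64_t bytes, uint64_t div_img_size,
                  uint64_t disk_size, SubRequest *out, size_t max_out)
{
    if (div_img_size == 0 || bytes == 0 || out == NULL)
        return -1;
    /* Bounds check written so that offset + bytes is never computed (no wrap). */
    if (offset > disk_size || bytes > disk_size - offset)
        return -1;
    size_t n = 0;
    while (bytes > 0) {
        uint64_t local = offset % div_img_size;
        uint64_t room = div_img_size - local;      /* bytes left in this file */
        uint64_t len = bytes < room ? bytes : room;
        if (n == max_out)
            return -1;
        out[n].file_index = offset / div_img_size;
        out[n].file_offset = local;
        out[n].bytes = len;
        n++;
        offset += len;
        bytes -= len;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed input: 4 GiB disk in 1 GiB files, 8 KiB request across a boundary. */
    SubRequest r[4];
    uint64_t gib = 1ULL << 30;
    int n = split_request(gib - 4096, 8192, gib, 4 * gib, r, 4);
    for (int i = 0; i < n; i++)
        printf("file %llu offset %llu bytes %llu\n", (unsigned long long)r[i].file_index,
               (unsigned long long)r[i].file_offset, (unsigned long long)r[i].bytes);
    return 0;
}
```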
In the invention, a virtual disk file is a storage mode that uses a file to simulate a hard disk device for use by a virtual machine. Seen from the Host, the virtual machine's disk is a file; seen from the Guest, it is no different from an ordinary hard disk.
In the invention, the "QCOW2 format", in full the Qemu copy-on-write format, is a virtual disk image format of the Qemu virtual machine that grows dynamically when a "write" operation occurs. Its most distinctive feature compared with the raw image format (RAW) is that space is allocated only when data actually needs to be stored, which saves disk space on the Host. A qcow2 image is organized in fixed-size units called clusters. Both the actual user data (guest data) and the image metadata (metadata) are stored in cluster units.
Compared with the prior art, the invention has the advantages that:
1. The invention scatters what was previously a single disk image file into different image files, avoiding the problem that all data in the whole virtual disk can be cracked once one disk image is stolen.
2. The disk blocking strategy allows further security designs: a security encryption strategy can be customized for the usage scenario, without using a fixed-range blocking strategy.
3. The invention can be implemented without changing the interface or the usage habits of the original virtual machine, and is well compatible with upper layers such as libvirt.
Although the present invention has been described with reference to the preferred embodiments, it should be understood that various changes and modifications can be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (6)

1. A method for secure storage of a virtual disk, characterized by comprising the following steps:
Step S1: creating a group of partitioned virtual disk files by using the qemu-img tool, wherein the blocking information of the virtual disk files is written into the file header of the first virtual disk file;
Step S2: starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the blocking information, and finding the images of the other virtual disk files;
Step S3: opening the qcow2 virtual disk image in qemu, and establishing block meta information from the blocking information;
Step S4: sending each read-write request, according to the block range it falls in, to the virtual disk file of the corresponding virtual disk image for processing.
2. The method for virtual disk secure storage according to claim 1, wherein in step S1, a set of blocked virtual disk files is created through the following command line:
qemu-img create -f qcow2 -d <parameter 1> xxxx.qcow2 <parameter 2>;
wherein parameter 1 is the size of each created virtual disk file, and parameter 2 is the size of the whole virtual disk image.
3. The method for virtual disk secure storage according to claim 1, wherein in step S1, an addressing range is determined for each created virtual disk file by adding an image positioning layer to the source code of the qcow2_co_create_opt function;
in step S2, an image positioning layer is added to the source code of the qcow2_open function, so as to read the blocking information in the first virtual disk file and find the images of the other virtual disk files;
in step S4, an image positioning layer is added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions, so that the virtual disk file of the corresponding virtual disk image is determined when a read-write request is processed.
4. The method for virtual disk secure storage according to claim 3, wherein in step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions includes an offset parameter and a bytes parameter, wherein the offset parameter is used for determining the offset position of the virtual disk image, and the bytes parameter is used for determining the requested content size.
5. The method for virtual disk secure storage according to claim 1, wherein in step S1, the blocking information of the virtual disk file is saved by adding a field div_img_size to the file header of the image of the first virtual disk file.
6. The method for virtual disk secure storage according to claim 5, wherein in step S1, the blocking information of the virtual disk file is stored in the following directory of the file header of the first virtual disk file: uint64_t div_img_size //.
CN202211068135.2A 2022-09-02 2022-09-02 Virtual disk safe storage method Active CN115146318B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211068135.2A CN115146318B (en) 2022-09-02 2022-09-02 Virtual disk safe storage method
PCT/CN2022/137630 WO2024045407A1 (en) 2022-09-02 2022-12-08 Virtual disk-based secure storage method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211068135.2A CN115146318B (en) 2022-09-02 2022-09-02 Virtual disk safe storage method

Publications (2)

Publication Number Publication Date
CN115146318A CN115146318A (en) 2022-10-04
CN115146318B true CN115146318B (en) 2022-11-29

Family

ID=83415825

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211068135.2A Active CN115146318B (en) 2022-09-02 2022-09-02 Virtual disk safe storage method

Country Status (2)

Country Link
CN (1) CN115146318B (en)
WO (1) WO2024045407A1 (en)


Also Published As

Publication number Publication date
WO2024045407A1 (en) 2024-03-07
CN115146318A (en) 2022-10-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant