CN116738511A - Disk block encryption method - Google Patents
Publication number: CN116738511A (application CN202310556544.5A)
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/80 — Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/70; G06F21/78)
- G06F21/72 — Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits (under G06F21/00; G06F21/70; G06F21/71)
Abstract
The invention relates to a disk block encryption method comprising the following steps: obtaining the file system type of a disk partition and the disk space usage; determining, from the file system type of the disk partition and the disk space usage, whether block encryption is needed. If so, a mapping device for the disk partition is created, an encryption key is set, the block usage bitmap of the disk partition is obtained, the blocks to be encrypted are identified, and the data of those blocks are written sequentially to the corresponding positions of the mapping device, completing the encryption of the data in the blocks. If not, a mapping device for the disk partition is created, an encryption key is set, all sectors in the disk partition are read, and the sector data are written to the corresponding positions of the mapping device, completing the encryption of the data in the sectors. The invention provides an efficient disk encryption method for Linux in which the user can select different encryption modes according to the usage of the disk partition. When the utilization of the disk partition is low, the disk encryption efficiency is greatly improved, the encryption time is shortened, and the user experience is improved.
Description
Technical Field
The invention relates to the technical field of disk encryption, in particular to a disk block encryption method.
Background
In an age of rapid development of information technology, data security is becoming more and more important and receives growing attention from enterprises, and the key to ensuring data security is disk data encryption technology.
LUKS (Linux Unified Key Setup) is a popular disk encryption technology under Linux. It is a block device encryption technology built on the dm-crypt module of the Linux kernel device mapper subsystem. The device mapper subsystem is a framework provided in the Linux kernel for mapping physical block devices to virtual (logical) block devices; under it, a developer can conveniently implement storage resource management strategies according to their own needs, such as dm-crypt disk encryption. dm-crypt is a module in the device mapper framework for block device encryption. dm-crypt works by mapping a virtual block device through the device mapper and encrypting the data as bios (the core data structure of the generic block layer in the Linux kernel for data transfer) are forwarded, which is transparent to the application layer. That is, encryption is achieved by writing the data read from the block device to the virtual device that maps the block device.
Block device encryption encrypts all data on a block device beneath the file system, including file metadata (e.g. file size, file data volume, directory tree layout, etc.), free space, hard disk partition table information, etc. After the block device is encrypted, all data on the disk are ciphertext, so the data are safer.
LUKS encrypts the disk at the block device level, beneath the file system. Although the data are safer, the disk encryption has to read and write the whole block device no matter how many files are stored on the disk. The time to encrypt an entire disk partition is proportional to the partition size: the larger the disk partition, the longer the encryption time, regardless of how much user data the partition stores. Therefore, when a disk partition holds only a small amount of user data, the encryption efficiency is very low.
Therefore, improving the encryption efficiency of the disk and the user experience is a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a disk block encryption method comprising the following steps:
step S1: obtaining the file system type of a disk partition and the disk space usage;
step S2: determining, from the file system type of the disk partition and the disk space usage, whether block encryption is needed: if so, executing step S3, and if not, executing step S4;
step S3: creating a mapping device for the disk partition, setting an encryption key, obtaining the block usage bitmap of the disk partition, identifying the blocks to be encrypted, sequentially writing the data of the blocks to be encrypted to the corresponding positions of the mapping device, completing the encryption of the data in the blocks, writing the encrypted data back to the corresponding positions in the disk partition, and thereby completing the encryption of all blocks to be encrypted;
step S4: creating a mapping device for the disk partition, setting an encryption key, reading all sectors in the disk partition, writing the sector data to the corresponding positions of the mapping device, completing the encryption of the data in the sectors, writing the encrypted data back to the corresponding positions in the disk partition, and thereby completing the encryption of the data on the disk.
In steps S1 to S2, when the disk space usage is greater than a predetermined value and the file system type of the disk partition is of a parsable type, it is determined that the disk needs to be encrypted in blocks.
In step S3, the block bitmap of the disk partition is obtained through the block bitmap of the disk, so as to identify the blocks of the disk to be encrypted.
The invention provides an efficient disk encryption method for Linux in which the user can select different encryption modes according to the usage of the disk partition. When the utilization of the disk partition is low, the disk encryption efficiency is greatly improved, the encryption time is shortened, and the user experience is improved.
Drawings
Fig. 1: implementation flow chart of the disk block encryption method disclosed by the invention.
Detailed Description
In order to further understand the technical scheme and beneficial effects of the present invention, they will be described in detail with reference to the accompanying drawings.
The invention solves the problem that LUKS block device encryption has to read and write the whole block device, and therefore has very low encryption efficiency, by parsing the bitmap used by the file system.
Specifically, the invention obtains the usage bitmap of the disk partition according to the file system type of the partition to be encrypted. The disk block usage bitmap is scanned to find out which disk blocks store data, including file system information and stored file data. When encrypting, only the disk blocks that store data are read and encrypted, so the whole disk partition does not need to be processed. The aim of encrypting the whole disk partition is still achieved, and the disk encryption efficiency can be greatly improved when the utilization of the disk partition is low.
The invention takes the ext4 file system as an example to implement an efficient disk partition encryption method under Linux.
1. Obtain the file system type of the disk partition and the disk space usage.
2. Decide whether to use the fast encryption mode based on the file system type and the disk space usage. The file system type can be checked with the blkid command; in this implementation the disk partition is in ext4 format, so parsing of the file system type is supported. If the disk space usage is less than 30%, the fast encryption mode is recommended; otherwise the normal encryption mode is recommended.
The fast encryption mode is based on parsing the file system of the disk partition:
3. ext4 is the fourth-generation extended file system and manages files in units of blocks under Linux. First, several storage concepts are described:
sector: the smallest unit of storage on a disk. The sector size (typically 512 bytes) can be seen with the command fdisk -l.
block: the smallest unit of storage for file systems such as ext4. By default the block size is 4 KiB (4096 bytes), and one block consists of consecutive sectors. The blocks of a file in the file system are not necessarily contiguous.
inode: records the permissions and attributes of a file and the numbers of the blocks holding its data.
4. Layout of the ext4 file system: ext4 divides the whole partition into a number of block groups and manages the disk through these block groups. Each block group consists of a superblock, a block descriptor (block group description), a block bitmap, an inode table and data blocks.
superblock: records the overall information of the file system, including the total number, usage and remaining number of inodes/blocks, their sizes, and the format and related information of the file system.
group descriptor (block group description): describes the starting and ending block numbers of each block group and specifies between which block numbers each of the group's inode bitmap, block bitmap and inode table lies.
block bitmap: describes the usage state of the blocks in the corresponding block group. One bit identifies one block: if the bit is 0 the corresponding block is free, otherwise it is in use.
data block: the blocks storing file contents, that is, the blocks in each block group actually used to store file data.
5. According to the ext4 layout, read the superblock of the ext4 file system from the disk partition; the superblock contains information such as the block size and the total number of blocks of the disk partition.
6. Allocate a disk partition usage bitmap in which each bit indicates whether a block is used; storing this block usage bitmap therefore requires (total number of disk partition blocks / 8) bytes.
7. Scan each block group of the ext4 file system: read the block group description of each group from the disk partition, which contains the block where the group's block bitmap is located. Read the block bitmap of each block group from the disk partition and scan each of its bits; if a bit is 1, i.e. the corresponding block is in use, set the corresponding bit of the disk partition block bitmap to 1.
8. After all block groups of the ext4 file system have been scanned, the block usage bitmap of the whole disk partition is obtained, and thus it is known which blocks on the disk partition hold data.
9. Use dm-crypt to create a mapping device for the disk partition and set the encryption key.
10. According to the block usage bitmap of the disk partition, read each used block from the disk partition and write its data to the corresponding position of the mapping device. Encryption is completed as the data are written to the mapping device, that is, the encrypted data are written back to the corresponding position in the disk partition, which completes the encryption of that block.
After all used blocks have been encrypted, the encryption of the existing data of the whole disk partition is complete.
11. If the disk space usage is greater than 30%, the whole disk partition is encrypted using the normal encryption mode.
12. Regardless of whether the disk sectors contain data, n sectors (the number of sectors read per encryption pass) are read from the disk partition, and the data of the n sectors are written to the corresponding position of the mapping device, i.e. the encrypted data are written back to the corresponding position of the disk partition, completing the encryption of the n sectors.
13. Encrypt all sectors in a loop; after all sectors have been encrypted, the encryption of all data of the whole disk partition is complete.
After fast encryption of the disk partition is completed, only the data of the used sectors on the disk are ciphertext. After normal encryption is completed, all sector data on the disk are ciphertext. Although the two encryption modes differ in how the data appear on the disk, both achieve encryption of the disk partition, and when the utilization of the disk partition is low the encryption efficiency can be greatly improved.
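The following is an added example, not code from the patent or from any product implementing it, of steps S1 to S3 of the disclosure and steps 2 and 5 to 8 of the ext4 procedure above: it parses the superblock and block group descriptors, ORs the per-group block bitmaps into a partition-wide used-block set, and applies the 30% usage rule to choose between fast mode (used blocks only) and normal mode (every block). The ext4 field offsets are the real on-disk layout; the sample image is constructed in memory with only the fields the scan reads, and the 0.30 threshold and function names are this example's own choices.

```python
import struct

EXT4_SUPER_MAGIC = 0xEF53
INCOMPAT_64BIT = 0x80
FAST_MODE_MAX_USAGE = 0.30  # page: fast mode is recommended below 30 % usage

def parse_superblock(img):
    """Fields the scan needs, read from the primary superblock at byte offset 1024."""
    sb = img[1024:2048]
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT4_SUPER_MAGIC:
        raise ValueError("not an ext2/3/4 superblock")
    blocks, _, free, _, first_data, log_bs, _, per_group = struct.unpack_from("<8I", sb, 0x04)
    incompat = struct.unpack_from("<I", sb, 0x60)[0]
    desc_size = struct.unpack_from("<H", sb, 0xFE)[0] if incompat & INCOMPAT_64BIT else 32
    return blocks, free, first_data, 1024 << log_bs, per_group, desc_size

def used_blocks(img):
    """Steps 5-8: OR every block group's bitmap into one partition-wide set of used blocks."""
    blocks, _, fdb, bs, bpg, desc_size = parse_superblock(img)
    groups = -(-(blocks - fdb) // bpg)                 # ceil division
    gdt = (fdb + 1) * bs                               # descriptor table: block after the superblock
    used = set()
    for g in range(groups):
        desc_off = gdt + g * desc_size
        bitmap_block = struct.unpack_from("<I", img, desc_off)[0]
        if desc_size >= 64:                            # 64-bit layout keeps the high word at 0x20
            bitmap_block |= struct.unpack_from("<I", img, desc_off + 0x20)[0] << 32
        base, first = bitmap_block * bs, fdb + g * bpg
        for i in range(min(bpg, blocks - first)):      # the last group may be short
            if img[base + (i >> 3)] & (1 << (i & 7)):  # ext4 bitmaps are LSB-first
                used.add(first + i)
    return used

def to_ranges(blocks):
    """Collapse block numbers into contiguous (first, last) ranges for sequential copies."""
    ranges = []
    for b in sorted(blocks):
        if ranges and ranges[-1][1] == b - 1:
            ranges[-1] = (ranges[-1][0], b)
        else:
            ranges.append((b, b))
    return ranges

def plan_encryption(img):
    """Step 2: pick the mode from usage and return the block ranges to copy through
    the dm-crypt mapping device (fast: used blocks only; normal: the whole partition)."""
    blocks, free = parse_superblock(img)[:2]
    if (blocks - free) / blocks < FAST_MODE_MAX_USAGE:
        return "fast", to_ranges(used_blocks(img))
    return "normal", [(0, blocks - 1)]

def build_sample_image(free_blocks=55):
    """Constructed 65-block image, 1 KiB blocks, two 32-block groups (group 0 = blocks 1-32,
    bitmap in block 3; group 1 = blocks 33-64, bitmap in block 34). Not a mountable filesystem."""
    bs, blocks, bpg = 1024, 65, 32
    img = bytearray(bs * blocks)
    for off, fmt, val in [(0x04, "<I", blocks), (0x0C, "<I", free_blocks), (0x14, "<I", 1),
                          (0x20, "<I", bpg), (0x38, "<H", EXT4_SUPER_MAGIC)]:
        struct.pack_into(fmt, img, 1024 + off, val)    # 55 free of 65 -> 10 used, ~15 % usage
    for g, (bitmap_block, bits) in enumerate([(3, [0, 1, 2, 3, 10, 11]), (34, [1, 5, 6, 7])]):
        struct.pack_into("<I", img, 2 * bs + g * 32, bitmap_block)
        for i in bits:
            img[bitmap_block * bs + (i >> 3)] |= 1 << (i & 7)
    return bytes(img)
```

Fast mode leaves every block whose bitmap bit is 0 untouched, so contents of previously deleted files that still sit in unallocated blocks remain in plaintext; a deployment that needs those remnants covered must use the normal mode or wipe free space first.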
Although the present invention has been described with reference to the above preferred embodiments, it should be understood that the present invention is not limited to the above embodiments, and that various changes and modifications can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (3)
1. A disk block encryption method, characterized by comprising the following steps:
step S1: obtaining the file system type of a disk partition and the disk space usage;
step S2: determining, from the file system type of the disk partition and the disk space usage, whether block encryption is needed: if so, executing step S3, and if not, executing step S4;
step S3: creating a mapping device for the disk partition, setting an encryption key, obtaining the block usage bitmap of the disk partition, identifying the blocks to be encrypted, sequentially writing the data of the blocks to be encrypted to the corresponding positions of the mapping device, completing the encryption of the data in the blocks, writing the encrypted data back to the corresponding positions in the disk partition, and thereby completing the encryption of all blocks to be encrypted;
step S4: creating a mapping device for the disk partition, setting an encryption key, reading all sectors in the disk partition, writing the sector data to the corresponding positions of the mapping device, completing the encryption of the data in the sectors, writing the encrypted data back to the corresponding positions in the disk partition, and thereby completing the encryption of the data on the disk.
2. The disk block encryption method of claim 1, wherein: in steps S1 to S2, when the disk space usage is greater than a predetermined value and the file system type of the disk partition is of a parsable type, it is determined that the disk needs to be encrypted in blocks.
3. The disk block encryption method of claim 1, wherein: in step S3, the block bitmap of the disk partition is obtained through the block bitmap of the disk, so as to identify the blocks of the disk to be encrypted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310556544.5A CN116738511A (en) | 2023-05-17 | 2023-05-17 | Disk block encryption method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116738511A true CN116738511A (en) | 2023-09-12 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |