CN117527193B - Encryption method and device based on CEPH object storage - Google Patents

Encryption method and device based on CEPH object storage

Publication number: CN117527193B
Application number: CN202311373479.9A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN117527193A
Inventor: 陶传会
Current assignee: Hexin Technology Suzhou Co ltd; Hexin Technology Co ltd
Original assignee: Hexin Technology Suzhou Co ltd; Hexin Technology Co ltd
Prior art keywords: encryption, key, domestic, length, library

Abstract

The invention relates to the technical field of data storage encryption and discloses an encryption method and device based on CEPH object storage. The method comprises the following steps: deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system; acquiring file data and corresponding metadata in a CEPH object gateway; acquiring the length of a first encryption key in the metadata and judging whether that length is the preset key length and, if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length; and calling the domestic encryption library and encrypting the file data with the second encryption key. Because a domestic encryption algorithm and a domestic encryption library are used, the data encryption process is ensured to meet the national encryption standard without having to adapt to foreign encryption standards, the data in the CEPH object storage system is effectively protected against potential threats, and data security is improved.

Description

Encryption method and device based on CEPH object storage
Technical Field
The invention relates to the technical field of data storage encryption, and in particular to an encryption method and device based on national cryptographic CEPH object storage.
Background
With the rapid development of internet technology, the demand for mass data storage is growing rapidly. In this environment, CEPH (a distributed storage system) has emerged and attracted attention because it offers several forms of data storage and advantages in stability, high availability, mass data storage, and the like.
As users attach increasing importance to data security, CEPH has introduced a data encryption function in some of its storage branches (e.g., object storage and block storage). However, the encryption algorithm used by this function is the AES encryption standard (Advanced Encryption Standard) proposed by other countries. Although the AES encryption standard is widely accepted, in enterprise-level applications in China, relying on CEPH's encryption function based on a standard proposed by other countries poses a potential security threat, and data security cannot be fully ensured.
Disclosure of Invention
In view of this, the invention provides an encryption method and device based on national cryptographic CEPH object storage, so as to solve the problem of low data security when the CEPH encryption function is used in China.
In a first aspect, the present invention provides an encryption method based on CEPH object storage, the method comprising: deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system; acquiring file data and corresponding metadata uploaded to a CEPH object gateway of the CEPH object storage system; acquiring the length of a first encryption key in the metadata and judging whether the length is a preset key length and, if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, wherein the preset key length is the key length corresponding to the domestic encryption algorithm; and calling the domestic encryption library and encrypting the file data with the second encryption key.
By deploying the domestic encryption algorithm and encryption library, the embodiment of the invention ensures that an encryption algorithm and an encryption library meeting the national standard are used. The length of the first encryption key in the metadata is acquired, and it is judged whether that length equals the preset key length. If it does not, the first encryption key is calculated through a hash algorithm to obtain a second encryption key whose length is the preset key length, ensuring that the key matches the domestic encryption algorithm. The domestic encryption library is then called, and the file data is encrypted with the second encryption key. Because a domestic encryption algorithm and a domestic encryption library are used, the data encryption process is ensured to meet the national encryption standard without having to adapt to foreign encryption standards, the data in the CEPH object storage system is effectively protected against potential threats, and data security is improved.
In an alternative embodiment, deploying the domestic encryption algorithm and the domestic encryption library on the CEPH object storage system includes: setting the encryption algorithm in the source code of the CEPH object gateway to a national cryptographic algorithm; setting the default encryption library of the encryption plug-in in the source code of the CEPH object gateway to the domestic encryption library; and compiling the CEPH object gateway source code and, after successful compilation, performing basic deployment of the CEPH object storage system.
Setting the algorithm in the CEPH object gateway source code to a domestic encryption algorithm and changing the default encryption library to a domestic encryption library makes the data in the CEPH object storage system more secure. Using a national cryptographic algorithm as the symmetric encryption algorithm for object storage replaces the original foreign standard algorithm, meets domestic encryption regulations and legal requirements, and improves the confidentiality and integrity of the data.
In an alternative embodiment, setting the default encryption library of the encryption plug-in in the source code of the CEPH object gateway to the domestic encryption library includes: changing the encryption function of the default encryption library in the source code of the CEPH object gateway to the corresponding encryption function of the domestic encryption library; and changing the name of the default encryption library in the module of the CEPH object gateway to the name of the domestic encryption library.
Setting the default encryption library of the encryption plug-in in the source code of the CEPH object gateway to the domestic encryption library, through the encryption function change and the name adjustment, makes updating the encryption plug-in more convenient and quicker and keeps it smoothly compatible without modifying all of the code, while using the domestic encryption library reduces the dependence on foreign encryption libraries.
In an alternative embodiment, the method further comprises: if the length is the preset key length, setting the first encryption key directly as the second encryption key.
If the length of the first encryption key in the metadata is the preset key length, the first encryption key conforms to the encryption standard, which provides a data basis for the subsequent encryption operation.
In an optional implementation, before calling the domestic encryption library and encrypting the file data with the second encryption key, the method further includes: performing format processing on the original file data based on a format supported by the CEPH object storage system to obtain processed file data.
Processing the original file data based on a format supported by the CEPH object storage system ensures a uniform data format and improves the readability and operability of the data.
In an alternative embodiment, calling the domestic encryption library and encrypting the file data with the second encryption key includes: acquiring configuration information from the configuration file of the CEPH object storage system; judging whether an external encryption engine is configured under the specified path in the configuration information and, if so, calling an external encryption card through the domestic encryption library, using the external encryption engine interface, to encrypt the file data; and if not, calling the domestic encryption library to encrypt the file data using the algorithm built into the CEPH object storage system.
Calling the domestic encryption library and deciding from the configuration information whether to use the external encryption engine allows a flexible choice of encryption mode. If an external encryption engine is present in the configuration, the domestic encryption library calls the external encryption card to encrypt the file data, which improves encryption efficiency; if not, the algorithm built into the CEPH object storage system is used for encryption, which ensures the security of the data. Providing the external cryptographic card function and its implementation greatly improves the computing power and credibility of data encryption in the system.
In an optional implementation, after calling the domestic encryption library and encrypting the file data with the second encryption key, the method further includes: acquiring the generated ciphertext data and verifying the ciphertext data; and creating a CEPH object encryption storage bucket and storing the ciphertext data that passes verification in the CEPH object encryption storage bucket.
Acquiring and verifying the generated ciphertext data, creating a CEPH object encryption storage bucket, and storing the verified ciphertext data there keeps the encrypted data stored centrally and ensures its integrity.
In a second aspect, the present invention provides an encryption apparatus based on national cryptographic CEPH object storage, the apparatus comprising:
a configuration and deployment module, used for deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system;
a data acquisition module, used for acquiring file data and corresponding metadata uploaded to the CEPH object gateway of the CEPH object storage system;
a key calculation module, used for acquiring the length of a first encryption key in the metadata and judging whether the length is a preset key length and, if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, the preset key length being the key length corresponding to the domestic encryption algorithm;
and a domestic encryption module, used for calling the domestic encryption library and encrypting the file data with the second encryption key.
In a third aspect, the present invention provides a computer device comprising a processor, wherein the processor implements the encryption method based on national cryptographic CEPH object storage of the first aspect or any of its corresponding implementations.
In a fourth aspect, the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to perform the encryption method based on national cryptographic CEPH object storage of the first aspect or any of its corresponding implementations.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an encryption method based on a national cryptographic CEPH object store according to an embodiment of the invention;
FIG. 2 is a flow chart of another encryption method based on a national cryptographic CEPH object store according to an embodiment of the invention;
FIG. 3 is a flow chart of another encryption method based on a national cryptographic CEPH object store according to an embodiment of the invention;
FIG. 4 is a flow chart of another encryption method based on a national cryptographic CEPH object store according to an embodiment of the invention;
FIG. 5 is a flow chart of another encryption method based on a national cryptographic CEPH object store in accordance with an embodiment of the invention;
FIG. 6 is a schematic block diagram of an encryption device based on a CEPH object store in accordance with an embodiment of the present invention;
FIG. 7 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention.
All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In accordance with an embodiment of the present invention, there is provided an embodiment of an encryption method based on a national cryptographic CEPH object store, it being noted that the steps illustrated in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
This embodiment provides an encryption method based on CEPH object storage, which can be used in the above-mentioned computer device and is applied to a CEPH object storage system. FIG. 1 is a flowchart of the encryption method based on CEPH object storage according to an embodiment of the invention. As shown in FIG. 1, the flow includes the following steps:
Step S101, deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system.
In the embodiment of the invention, the CEPH object storage system refers to a distributed storage system used for storing and managing large-scale data, consisting of an object gateway, a storage cluster and management nodes. Deploying the domestic encryption algorithm means integrating a domestically developed encryption algorithm into the CEPH object storage system for encrypting and decrypting the stored data. Deploying the domestic encryption library means integrating a domestically developed encryption library into the CEPH object storage system. This ensures that everything from the encryption library to the encryption algorithm uses domestic technology and reduces the dependence on foreign encryption technology.
In a specific implementation, the domestic encryption algorithm is configured in the configuration file of the CEPH object storage system, the package of the domestic encryption library is obtained and installed with an installation instruction, the config file is compiled, and the encryption configuration item is set to use the domestic encryption library; after the CEPH service is restarted, the changes to the encryption library and encryption algorithm take effect.
Step S102, acquiring file data and corresponding metadata uploaded to the CEPH object gateway of the CEPH object storage system.
In the embodiment of the invention, the file data in the CEPH object gateway refers to the file content, such as a document or a picture, that a user uploads to the CEPH object storage system, and the corresponding metadata is descriptive information about the file, such as the file name, storage location, file size, file type and creation time. Acquiring both makes it convenient to encrypt the file data and corresponding metadata in the CEPH object gateway with the national cryptographic algorithm.
It can be understood that when a client establishes a connection with the CEPH object storage gateway over the object storage protocol and wants to upload and encrypt a txt file (the file data), the client slices the txt file to be uploaded and uploads the slices to the CEPH object storage gateway in a specified order, and the related information (the metadata) carries the corresponding encryption flag and key. At this point, the CEPH object gateway contains the file data and the corresponding metadata.
Step S103, acquiring the length of the first encryption key in the metadata and judging whether that length is the preset key length; if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, the preset key length being the key length corresponding to the domestic encryption algorithm.
In the embodiment of the present invention, the first encryption key refers to the original key in the metadata. The preset key length refers to a key length that meets the requirements of the encryption algorithm, and the second encryption key refers to a key that meets the requirements of the encryption algorithm.
In a specific implementation, suppose the first encryption key is 256 bits long and the preset key length is 128 bits (corresponding to the SM4 algorithm). The key length, 256 bits, is judged not to match the preset key length, so the first encryption key is calculated with a hash algorithm to obtain a second encryption key, key-2, that is 128 bits long. One calculation method is to take the 256-bit hash value produced by the hash algorithm (such as SHA-256) and, starting from index position 0, take the substring of length 16 as the new 128-bit key-2; another is to extract the value at every other index position of the 256-bit hash value produced by the hash algorithm and form the new 128-bit key-2 from the 16 extracted characters.
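The key-length check and both truncation variants of step S103, as an added example that is not code from the patent or from CEPH. It assumes the index positions are byte offsets into the raw SHA-256 digest, so that 16 of them make 128 bits; the function name `derive_second_key` and the sample keys are hypothetical.

```python
import hashlib

SM4_KEY_BYTES = 16  # preset key length from the text: 128 bits for SM4


def derive_second_key(first_key: bytes,
                      preset_len: int = SM4_KEY_BYTES,
                      variant: str = "prefix") -> bytes:
    """Return a key of exactly preset_len bytes, following step S103.

    Assumption of this example: "index positions" are byte offsets into the
    raw 32-byte SHA-256 digest, so 16 selected units carry 128 bits. Taking
    16 characters of the hexadecimal digest would carry only 64 bits.
    """
    if not isinstance(first_key, (bytes, bytearray)) or len(first_key) == 0:
        raise ValueError("first encryption key must be non-empty bytes")

    # Key already has the preset length: it is used directly as the second key.
    if len(first_key) == preset_len:
        return bytes(first_key)

    digest = hashlib.sha256(first_key).digest()  # 32 bytes = 256 bits

    if variant == "prefix":
        # Start at index 0 and take preset_len bytes.
        selected = digest[:preset_len]
    elif variant == "alternate":
        # Take every other index position (0, 2, 4, ...).
        selected = digest[::2][:preset_len]
    else:
        raise ValueError("variant must be 'prefix' or 'alternate'")

    # Guard the edge case where the digest cannot supply enough bytes,
    # for example a preset length above 32 bytes, or above 16 for 'alternate'.
    if len(selected) != preset_len:
        raise ValueError("SHA-256 digest is too short for this key length")
    return selected


if __name__ == "__main__":
    # Constructed sample keys, not real key material.
    key_256 = bytes(range(32))   # 256-bit first key: must be reduced
    key_128 = bytes(range(16))   # 128-bit first key: passes through
    for label, key in (("256-bit", key_256), ("128-bit", key_128)):
        for variant in ("prefix", "alternate"):
            second = derive_second_key(key, variant=variant)
            print(label, variant, len(second) * 8, "bits", second.hex())
```
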
Step S104, calling the domestic encryption library and encrypting the file data with the second encryption key.
In the embodiment of the invention, it can be understood that the file data is encrypted so that whether the data has been tampered with can be checked during decryption, providing integrity verification of the data. If the decrypted data does not match the data before encryption, the data may have been tampered with. Calling the domestic encryption library ensures that the encryption algorithm conforms to the national standard, and the security of the data is ensured through national security audit and certification without depending on foreign encryption libraries.
By deploying the domestic encryption algorithm and encryption library, the embodiment of the invention ensures that an encryption algorithm and an encryption library meeting the national standard are used. The length of the first encryption key in the metadata is acquired, and it is judged whether that length equals the preset key length. If it does not, the first encryption key is calculated through a hash algorithm to obtain a second encryption key whose length is the preset key length, ensuring that the key matches the domestic encryption algorithm. The domestic encryption library is then called, and the file data is encrypted with the second encryption key. Because a domestic encryption algorithm and a domestic encryption library are used, the data encryption process is ensured to meet the national encryption standard without having to adapt to foreign encryption standards, the data in the CEPH object storage system is effectively protected against potential threats, and data security is improved.
This embodiment provides an encryption method based on CEPH object storage, which may be used in the above-mentioned computer device and the like. FIG. 2 is a flowchart of the encryption method based on CEPH object storage according to an embodiment of the invention. As shown in FIG. 2, the flow includes the following steps:
Step S201, deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system. Specifically, step S201 includes:
Step S2011, setting the encryption algorithm in the source code of the CEPH object gateway to a national cryptographic algorithm.
Illustratively, the module or function responsible for encryption is located in the source code of the CEPH object gateway, and the original encryption algorithm is replaced with an algorithm conforming to the national cryptographic standard (for example, the SM4 algorithm). The code logic of the SM4 algorithm is modified to ensure that the encryption process uses the national cryptographic algorithm for encryption operations.
Step S2012, setting the default encryption library of the encryption plug-in in the source code of the CEPH object gateway to a domestic encryption library.
In this embodiment, the module or function responsible for the encryption plug-in is located in the source code of the CEPH object gateway, and the original default encryption library (for example, the OpenSSL library) is replaced with a domestic encryption library (for example, GmSSL).
Further, step S2012 includes:
A1: changing the encryption function of the default encryption library in the source code of the CEPH object gateway to the corresponding encryption function of the domestic encryption library.
Illustratively, the native CEPH object storage system uses OpenSSL's encryption function OpenSSL() for data encryption. These call sites are changed to use GmSSL's encryption function gmssl().
A2: changing the name of the default encryption library in the module of the CEPH object gateway to the name of the domestic encryption library.
Illustratively, one module of the original CEPH depends on the OpenSSL library names libssl.so and libcrypto.so; the embodiment of the present invention changes these to the names of the compiled GmSSL libraries, libgmssl.so and libgmcrypto.so.
Step S2013, compiling the CEPH object gateway source code and, after successful compilation, performing basic deployment of the CEPH object storage system.
Illustratively, after the source code directory is saved, a compile command is executed to compile the CEPH object gateway source code. Once the compilation process completes, the compilation is successful if there are no error or warning messages. After success, the CEPH object storage system is deployed with reference to the official deployment guide, for example configuring and starting the CEPH cluster and creating storage pools.
For this embodiment, setting the default encryption library of the encryption plug-in in the source code of the CEPH object gateway to the domestic encryption library, through the encryption function change and the name adjustment, makes updating the encryption plug-in more convenient and quicker and keeps it smoothly compatible without modifying all of the code, while using the domestic encryption library reduces the dependence on foreign encryption libraries.
Step S202, acquiring file data and corresponding metadata uploaded to the CEPH object gateway of the CEPH object storage system. For details, see step S102 of the embodiment shown in FIG. 1; they are not repeated here.
Step S203, acquiring the length of the first encryption key in the metadata and judging whether that length is the preset key length; if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, the preset key length being the key length corresponding to the domestic encryption algorithm. For details, see step S103 of the embodiment shown in FIG. 1; they are not repeated here.
Step S204, calling the domestic encryption library and encrypting the file data with the second encryption key. For details, see step S104 of the embodiment shown in FIG. 1; they are not repeated here.
For this embodiment, setting the algorithm in the CEPH object gateway source code to a domestic encryption algorithm and changing the default encryption library to a domestic encryption library makes the data in the CEPH object storage system more secure. Using a national cryptographic algorithm as the symmetric encryption algorithm for object storage replaces the original foreign standard algorithm, meets domestic encryption regulations and legal requirements, and improves the confidentiality and integrity of the data.
This embodiment provides an encryption method based on CEPH object storage, which may be used in the above-mentioned computer device and the like. FIG. 3 is a flowchart of the encryption method based on CEPH object storage according to an embodiment of the invention. As shown in FIG. 3, the flow includes the following steps:
Step S301, deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system. For details, see step S101 of the embodiment shown in FIG. 1; they are not repeated here.
Step S302, acquiring file data and corresponding metadata uploaded to the CEPH object gateway of the CEPH object storage system. For details, see step S102 of the embodiment shown in FIG. 1; they are not repeated here.
Step S303, acquiring the length of the first encryption key in the metadata and judging whether that length is the preset key length; if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, the preset key length being the key length corresponding to the domestic encryption algorithm. For details, see step S103 of the embodiment shown in FIG. 1; they are not repeated here.
Step S304, performing format processing on the original file data based on a format supported by the CEPH object storage system to obtain processed file data.
In the embodiment of the invention, it can be understood that the original file data is processed to fit the requirements of the CEPH object storage system so that the system supports it, for example by converting a text file into JSON format.
For this embodiment, the original file data is processed based on a format supported by the CEPH object storage system, and the metadata is converted based on the paths supported by the CEPH object storage system so that it matches the system's path rules. This ensures a uniform data format and thereby improves the readability and operability of the data.
Step S305, calling the domestic encryption library and encrypting the file data with the second encryption key. For details, see step S104 of the embodiment shown in FIG. 1; they are not repeated here.
Specifically, step S305 includes:
Step S3051, acquiring configuration information from the configuration file of the CEPH object storage system.
It will be appreciated that configuration information, such as the path of the encryption engine and the choice of encryption algorithm, is predefined in the configuration file of the CEPH object storage system. The configuration information is obtained by reading the configuration file and is used in the subsequent steps.
Step S3052, judging whether an external encryption engine is configured under the specified path in the configuration information and, if so, calling an external encryption card through the domestic encryption library, using the external encryption engine interface, to encrypt the file data; if not, calling the domestic encryption library to encrypt the file data using the algorithm built into the CEPH object storage system.
It should be noted that the external encryption engine refers to the encryption function interface provided by the external encryption card, used for communicating with the encryption library and performing encryption operations. The external encryption card is a hardware device, which may be a plug-in card or a module used for encryption and decryption operations; it provides high-level encryption algorithms and performance acceleration, has its own key management and encryption engine, and can be integrated with the encryption library. Using an external encryption card and external encryption engine ensures confidentiality and security while providing higher encryption performance and acceleration.
Illustratively, the configuration file is searched for a configuration of the external encryption engine under the specified path. If such a configuration exists, the user wishes to use the external encryption card for the encryption operation; if it does not, the user wishes to use the encryption algorithm built into the CEPH object storage system.
For this embodiment, calling the domestic encryption library and deciding from the configuration information whether to use the external encryption engine allows a flexible choice of encryption mode. If an external encryption engine is present in the configuration, the domestic encryption library calls the external encryption card to encrypt the file data, which improves encryption efficiency; if not, the algorithm built into the CEPH object storage system is used for encryption, which ensures the security of the data. Providing the external cryptographic card function and its implementation greatly improves the computing power and credibility of data encryption in the system.
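The configuration-driven choice of steps S3051 and S3052, as an added example rather than CEPH or GmSSL code. The option name `external_crypto_engine_path`, the section name and the sample configuration are hypothetical, since the text does not name the configuration key; treating a configured but missing engine as an error, instead of silently using the built-in algorithm, is this example's assumption.

```python
import configparser
import os
from dataclasses import dataclass
from typing import Optional

# Hypothetical option and section names; the text does not name them.
ENGINE_OPTION = "external_crypto_engine_path"
DEFAULT_SECTION = "client.rgw.example"


@dataclass(frozen=True)
class EncryptionPath:
    backend: str            # "external_card" or "builtin"
    engine: Optional[str]   # engine location when backend is "external_card"


def select_encryption_path(conf_text: str,
                           section: str = DEFAULT_SECTION) -> EncryptionPath:
    """Decide which encryption path the gateway should take.

    S3051: read the configuration information.
    S3052: if an external engine is configured, use the encryption card;
           otherwise use the built-in algorithm.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)

    # A missing section, a missing option and an empty value all mean
    # "no external engine configured".
    value = parser.get(section, ENGINE_OPTION, fallback="").strip()
    if not value:
        return EncryptionPath("builtin", None)

    # Assumption of this example: an engine that is configured but absent is
    # reported instead of being replaced by the built-in path, so an operator
    # who expects the card to be in use learns that it is not.
    if not os.path.isfile(value):
        raise FileNotFoundError(
            "external encryption engine configured but not found: " + value)
    return EncryptionPath("external_card", value)


# Constructed sample configuration in ceph.conf style (INI), not from a
# real deployment.
SAMPLE_CONF_BUILTIN = """
[global]
fsid = 00000000-0000-0000-0000-000000000000

[client.rgw.example]
rgw_frontends = beast port=8080
"""

if __name__ == "__main__":
    print(select_encryption_path(SAMPLE_CONF_BUILTIN))
```
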
In this embodiment, an encryption method based on a CEPH object store of the present invention is provided, which may be used in the above-mentioned computer, etc., and fig. 4 is a flowchart of an encryption method based on a CEPH object store of the present invention, and as shown in fig. 4, the flowchart includes the following steps:
And S401, performing a domestic encryption algorithm and deploying a domestic encryption library on the CEPH object storage system. Please refer to step S101 in the embodiment shown in fig. 1 in detail, which is not described herein.
Step S402, file data and corresponding metadata uploaded to a CEPH object gateway of a CEPH object storage system are obtained. Please refer to step S102 in the embodiment shown in fig. 1 in detail, which is not described herein.
Step S403, the length of the first encryption key in the metadata is obtained and whether the length of the first encryption key is the preset key length is judged, if not, the first encryption key is calculated by a hash algorithm to obtain a second encryption key with the length of the preset key length, and the preset key length is the key length corresponding to the domestic encryption algorithm. Please refer to step S103 in the embodiment shown in fig. 1 in detail, which is not described herein.
Step S404, calling a domestic encryption library and encrypting the file data through a second encryption key. Please refer to step S104 in the embodiment shown in fig. 1 in detail, which is not described herein.
Step S405, the generated ciphertext data is obtained, and the ciphertext data is verified.
In the embodiment of the present invention, it can be understood that, during encryption, the domestic encryption library generates ciphertext data (i.e., file data that has been encrypted by the encryption algorithm). The generated ciphertext data is obtained from the encryption library and verified using a verification algorithm or function, for example by comparing the generated hash values or performing digital signature verification. If the verification passes, the ciphertext data has not been tampered with or damaged, and the subsequent steps are carried out. If the verification fails, the ciphertext data may have been corrupted or tampered with during transmission or storage, and the data needs to be encrypted again.
Step S406, creating a CEPH object encryption bucket, and storing the ciphertext data that has passed verification in the CEPH object encryption bucket.
Illustratively, an encryption bucket is created by executing a command or calling the corresponding API. When the bucket is created, relevant parameters such as the bucket name and access rights are specified; the verified ciphertext data is then uploaded or copied into the created encryption bucket using an upload interface or command provided by CEPH.
In this embodiment, the generated ciphertext data is obtained and verified, and a CEPH object encryption bucket is created to store the verified ciphertext data, so that the encrypted data is stored centrally and its integrity is ensured.
In a specific embodiment, referring to fig. 5, after the client software uploads the data and related information to the CEPH object storage gateway, the CEPH object storage system examines the key length in that information and determines whether the key is directly usable. If the key is directly usable (i.e., the key length meets the requirements of the national encryption algorithm), the preprocessed data and information are imported directly into the encryption module of CEPH. The encryption module starts the encryption function and determines whether an external engine is configured for it. If so, GmSSL (the domestic encryption library) calls the internally agreed engine interface to pass the data to the external encryption card for encryption; if not, GmSSL (the domestic encryption library) encrypts the data directly using local system resources. After encryption is completed, the data can enter the other CEPH processing modules, and the encrypted data can be stored in a bucket.
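Step S403 and the two truncation variants recited in claim 1, as an added example that is not code from the patent or from CEPH. It assumes a 16-byte preset key length (the SM4 key size) and uses SHA-256 from the Python standard library as a stand-in for the unnamed hash algorithm; the names `second_key`, `max_key_bits`, `mode` and `on_hex` are hypothetical. Both the raw-digest and the hex-text reading of "substring" are shown, because the hex reading caps a 16-character key at 64 bits.

```python
"""Step S403 key normalisation: reuse a key of the preset length, otherwise
hash it and cut the hash down to the preset length (both claim 1 variants)."""
import hashlib

PRESET_KEY_LEN = 16   # assumption: SM4, whose key is 128 bits (16 bytes)
HASH_NAME = "sha256"  # stand-in; the page does not name the hash algorithm


def _cut(seq, mode, n):
    """Reduce a digest (bytes) or its hex text (str) to n elements."""
    if mode == "prefix":        # substring of length n starting at index zero
        out = seq[:n]
    elif mode == "alternate":   # every other element starting at index zero
        out = seq[0::2][:n]
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    if len(out) != n:
        raise ValueError("hash output too short for the preset key length")
    return out


def second_key(first_key: bytes, mode: str = "prefix",
               on_hex: bool = False, n: int = PRESET_KEY_LEN) -> bytes:
    """Return the second encryption key for a given first encryption key."""
    if not first_key:
        raise ValueError("first encryption key is empty")
    if len(first_key) == n:
        # Length already matches: the first key is used directly (claim 4).
        return first_key
    h = hashlib.new(HASH_NAME, first_key)
    if on_hex:
        # Cutting the hex text: every key byte is one of 16 ASCII symbols.
        return _cut(h.hexdigest(), mode, n).encode("ascii")
    # Cutting the raw digest: every key byte can take all 256 values.
    return _cut(h.digest(), mode, n)


def max_key_bits(on_hex: bool, n: int = PRESET_KEY_LEN) -> int:
    """Upper bound on the bits of key material an n-byte derived key can carry.

    The bound comes from the alphabet of each key byte. Hashing never adds
    entropy, so a weak first key stays weak whichever reading is used.
    """
    return n * (4 if on_hex else 8)


if __name__ == "__main__":
    # Constructed sample input: a 32-byte key as a client might upload it.
    client_key = bytes(range(32))
    for on_hex in (False, True):
        for mode in ("prefix", "alternate"):
            key = second_key(client_key, mode, on_hex)
            print(f"on_hex={on_hex!s:5} mode={mode:9} key={key.hex()} "
                  f"max_bits={max_key_bits(on_hex)}")
```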
In this embodiment, an encryption device based on CEPH object storage is further provided, and the device is used to implement the foregoing embodiments and preferred embodiments, which have been described and will not be repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides an encryption device based on CEPH object storage, as shown in fig. 6, including:
The configuration and deployment module 601 is configured to deploy a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system;
The data obtaining module 602 is configured to obtain the file data and corresponding metadata uploaded to a CEPH object gateway of the CEPH object storage system;
The key calculation module 603 is configured to obtain the length of the first encryption key in the metadata and determine whether it is the preset key length; if not, to calculate the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, where the preset key length is the key length corresponding to the domestic encryption algorithm;
The domestic encryption module 604 is configured to invoke a domestic encryption library and encrypt the file data with the second encryption key.
In an alternative embodiment, the configuration and deployment module 601 includes:
Setting the encryption algorithm in the source code of the CEPH object gateway to a national encryption algorithm;
Setting the default encryption library in the encryption plug-in in the source code of the CEPH object gateway to the domestic encryption library; compiling the CEPH object gateway source code, and performing basic deployment of the CEPH object storage system after compilation succeeds.
In an alternative embodiment, the configuration and deployment module 601 includes:
Modifying the encryption function of the default encryption library in the source code of the CEPH object gateway to the encryption function corresponding to the domestic encryption library;
Modifying the name of the default encryption library in the module of the CEPH object gateway to the name of the domestic encryption library.
In some alternative embodiments, the key calculation module 603 further includes: if yes, the first encryption key is directly set as the second encryption key.
In some optional embodiments, the apparatus further comprises a file processing module configured to:
Perform format processing on the original file data based on the formats supported by the CEPH object storage system to obtain the processed file data.
In some alternative embodiments, the domestic encryption module 604 includes: acquiring configuration information based on a configuration file of the CEPH object storage system;
Judging whether an external encryption engine is configured in the configuration information under the specified path; if so, calling the external encryption card through the domestic encryption library, using the external encryption engine interface, to encrypt the file data; if not, calling the domestic encryption library to encrypt the file data using the algorithm built into the CEPH object storage system.
In some alternative embodiments, the apparatus further comprises a data storage module for:
Acquiring the generated ciphertext data and verifying the ciphertext data;
Creating a CEPH object encryption bucket, and storing the ciphertext data that has passed verification in the CEPH object encryption bucket.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
By deploying the domestic encryption algorithm and the domestic encryption library, the embodiment of the invention ensures that an encryption algorithm and an encryption library meeting the national standard are used. The length of the first encryption key in the metadata is obtained, and it is judged whether that length is the same as the preset key length. If it is different, the first encryption key is calculated through a hash algorithm to obtain a second encryption key whose length is the preset key length, ensuring that the key is a key corresponding to the domestic encryption algorithm. The domestic encryption library is then called, and the file data is encrypted with the second encryption key. Using the domestic encryption algorithm and encryption library ensures that the data encryption process meets the national encryption standard without having to adapt to foreign encryption standards, so that the data in the CEPH object storage system is effectively protected against potential threats and data security is improved.
The encryption device based on CEPH object storage of this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides a computer device provided with the encryption device based on national-cryptography CEPH object storage shown in fig. 6.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 7, the computer device includes: one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executed within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 7.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer-readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware or firmware, or as computer code that can be recorded on a storage medium, or as computer code originally stored in a remote storage medium or a non-transitory machine-readable storage medium, downloaded through a network and to be stored in a local storage medium, so that the method described herein can be processed by such software stored on a storage medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of memories of the kinds described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. An encryption method based on national-cryptography CEPH object storage, applied to a CEPH object storage system, characterized in that the method comprises the following steps:
deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system;
acquiring file data and corresponding metadata uploaded to a CEPH object gateway of the CEPH object storage system;
acquiring the length of a first encryption key in the metadata and judging whether the length is a preset key length; if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, wherein the preset key length is the key length corresponding to the domestic encryption algorithm; the step of calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length comprises: from the hash value of a preset number of digits obtained from the first encryption key through the hash algorithm, intercepting, starting at index position zero, a substring whose length is the preset number as the new key, namely the second encryption key; or, starting at index position zero, extracting the value at every other index position to obtain a substring of the preset number as the new key, namely the second encryption key;
calling the domestic encryption library and encrypting the file data with the second encryption key.
2. The method of claim 1, wherein deploying the domestic encryption algorithm and the domestic encryption library on the CEPH object storage system comprises:
setting the encryption algorithm in the source code of the CEPH object gateway to a national encryption algorithm;
setting the default encryption library in the encryption plug-in in the source code of the CEPH object gateway to the domestic encryption library;
compiling the CEPH object gateway source code, and performing basic deployment of the CEPH object storage system after compilation succeeds.
3. The method according to claim 2, wherein setting the default encryption library in the encryption plug-in in the source code of the CEPH object gateway to the domestic encryption library comprises:
modifying the encryption function of the default encryption library in the source code of the CEPH object gateway to the encryption function corresponding to the domestic encryption library;
modifying the name of the default encryption library in the module of the CEPH object gateway to the name of the domestic encryption library.
4. The method according to claim 1, characterized in that the method further comprises:
if yes, the first encryption key is directly set as the second encryption key.
5. The method of claim 1, wherein before calling the domestic encryption library and encrypting the file data with the second encryption key, the method further comprises:
performing format processing on the original file data based on the formats supported by the CEPH object storage system to obtain the processed file data.
6. The method of claim 5, wherein calling the domestic encryption library and encrypting the file data with the second encryption key comprises:
acquiring configuration information based on a configuration file of the CEPH object storage system;
judging whether an external encryption engine is configured in the configuration information under the specified path; if so, calling the external encryption card through the domestic encryption library, using the external encryption engine interface, to encrypt the file data; if not, calling the domestic encryption library to encrypt the file data using the algorithm built into the CEPH object storage system.
7. The method according to any one of claims 1 to 6, further comprising, after calling the domestic encryption library and encrypting the file data with the second encryption key:
acquiring the generated ciphertext data and verifying the ciphertext data;
creating a CEPH object encryption bucket, and storing the ciphertext data that has passed verification in the CEPH object encryption bucket.
8. An encryption device based on national-cryptography CEPH object storage, the device comprising:
a configuration and deployment module, used for deploying a domestic encryption algorithm and a domestic encryption library on the CEPH object storage system;
a data acquisition module, used for acquiring file data and corresponding metadata uploaded to a CEPH object gateway of the CEPH object storage system;
a key calculation module, used for obtaining the length of a first encryption key in the metadata and judging whether the length is a preset key length; if not, calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length, the preset key length being the key length corresponding to the domestic encryption algorithm; the step of calculating the first encryption key through a hash algorithm to obtain a second encryption key whose length is the preset key length comprises: from the hash value of a preset number of digits obtained from the first encryption key through the hash algorithm, intercepting, starting at index position zero, a substring whose length is the preset number as the new key, namely the second encryption key; or, starting at index position zero, extracting the value at every other index position to obtain a substring of the preset number as the new key, namely the second encryption key;
a domestic encryption module, used for calling the domestic encryption library and encrypting the file data with the second encryption key.
9. A computer device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, and the processor executing the computer instructions to perform the encryption method based on national-cryptography CEPH object storage of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the encryption method based on national-cryptography CEPH object storage of any one of claims 1 to 7.
CN202311373479.9A 2023-10-20 Encryption method and device based on CEPH object storage Active CN117527193B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311373479.9A CN117527193B (en) 2023-10-20 Encryption method and device based on CEPH object storage

Publications (2)

Publication Number Publication Date
CN117527193A CN117527193A (en) 2024-02-06
CN117527193B true CN117527193B (en) 2024-07-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant