CN117708850A - Data encryption method, data acquisition device and electronic equipment - Google Patents
Data encryption method, data acquisition device and electronic equipment Download PDFInfo
- Publication number
- CN117708850A CN117708850A CN202311704486.2A CN202311704486A CN117708850A CN 117708850 A CN117708850 A CN 117708850A CN 202311704486 A CN202311704486 A CN 202311704486A CN 117708850 A CN117708850 A CN 117708850A
- Authority
- CN
- China
- Prior art keywords
- file system
- encryption
- data
- file
- pipeline
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 85
- 230000006870 function Effects 0.000 claims description 63
- 230000008569 process Effects 0.000 claims description 25
- 230000005540 biological transmission Effects 0.000 claims description 7
- 238000004590 computer program Methods 0.000 claims description 7
- 244000035744 Hura crepitans Species 0.000 description 9
- 238000004891 communication Methods 0.000 description 9
- 238000010586 diagram Methods 0.000 description 6
- 230000004048 modification Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000004364 calculation method Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Abstract
The application provides a data encryption method, a data acquisition device and electronic equipment, wherein one specific embodiment of the method comprises the following steps: creating a file system instance through a virtual file system; the file system instance comprises a plurality of files; creating an encryption pipeline in the file system instance through a preset encryption function; and storing the application program data into the target file of the file system instance through the encryption pipeline. The method can improve the security of the application program data.
Description
Technical Field
The present application relates to the field of data security, and in particular, to a data encryption method, a data acquisition device, and an electronic device.
Background
With the rapid development of the mobile internet, application developers can develop various applications using the openness of the android system. However, this openness also provides convenience for malicious applications, enabling the malicious applications to obtain user data using the android device as well as device data.
In the related art, sandboxes may be used to improve the security of data. Specifically, the sandbox may provide an isolated execution environment for each application program, so that each application program can only access the corresponding authorized resources, thereby preventing malicious application programs from accessing unauthorized resources. But malicious applications may escape from the sandbox and thus be able to access other unauthorized resources, reducing the security of the data.
Disclosure of Invention
An embodiment of the application aims to provide a data encryption method, a data acquisition device and electronic equipment, which are used for improving the security of application program data.
In a first aspect, an embodiment of the present application provides a data encryption method, including: creating a file system instance through a virtual file system; the file system instance comprises a plurality of files; creating an encryption pipeline in the file system instance through a preset encryption function; and storing the application program data into the target file of the file system instance through the encryption pipeline.
In the implementation mode, the malicious application program is limited to the file system instance, so that the escape problem existing when the sandbox is utilized is avoided, the leakage risk of the application program data is reduced, and the safety of the application program data is improved. And, the encryption process of storing the application program data by using the encryption pipeline does not involve interaction with the application program, so the encryption process is transparent to the application program, thereby realizing the transparent encryption process.
Furthermore, the virtual file system and the virtual encryption disk library can be integrated into an application program as an independent component, so that the android system is not required to be modified, the influence on the android system is reduced, and the stability and related performance of the android system are improved.
Optionally, the preset encryption function includes an encryption function provided by a virtual encryption disk library; and said creating an encryption conduit in said file system instance by a preset encryption function, comprising performing the following by said preset encryption function: creating a pipeline storage object and a pipeline transmission object; calling a channel creation sub-function to create a channel encryption channel; invoking a data reading sub-function to read the application data from a storage location of the application data using the pipeline encryption channel and store the application data into the pipeline storage object; and storing, by the encryption pipeline, application data into a target file of the file system instance, including: acquiring the application program data from the pipeline storage object through the pipeline transmission object, and transmitting the application program data to the output end of the encryption pipeline; and storing the application program data into the target file of the file system instance from the output end of the encryption pipeline. Thus, an encryption pipeline can be created based on a plurality of sub-functions included in a preset encryption function, so that a transparent encryption and decryption process of application program data can be realized.
Optionally, after the creating an encryption pipe in the file system instance by a preset encryption function, the method further comprises: storing the target file to a real file system through a preset encryption write-back function; and updating the metadata corresponding to the target file in the real file system. In this way, metadata can be automatically updated through a preset encryption function, so that the updating rate is improved to a certain extent, and operations such as data tracing and multi-disc can be conveniently performed later.
Optionally, after the creating of the file system instance by the virtual file system, the method further comprises: generating a standard decryption password corresponding to each of the plurality of files; if an access operation for accessing any file in the real file system is received, determining whether a decryption password input in the execution process of the access operation is identical to a corresponding standard decryption password; and allowing access to the file if the decryption password is the same as the standard decryption password. In this way, a standard decryption password may be generated at the time of creating the file to determine whether the file may be accessed. If the application program does not access the file through the decryption password, the application program can be determined to be a malicious application program, and the application program cannot access the file, so that the leakage risk of the application program data is reduced.
Optionally, after the creating of the file system instance by the virtual file system, the method further comprises: creating a file in a memory; the created file is mounted into the file system instance to obtain a plurality of files included in the file system instance. Thus, each file in the file system instance is created in the memory, so that the execution efficiency of related operations executed on the file is higher, the calculation resources consumed in the file encryption and decryption processes are reduced, and the data access efficiency is improved.
In a second aspect, an embodiment of the present application provides a data acquisition method, including: receiving a data acquisition instruction; the data acquisition instruction comprises identity information of an application program to be operated; acquiring application program data corresponding to the application program to be operated according to the identity information of the application program to be operated; wherein the application data is stored in advance in a file of a file system instance through an encryption pipeline; the file system instance is created through a virtual file system; the encryption pipeline is created in the file system instance through a preset encryption function. In this way, the application data corresponding to the application to be operated can be obtained from the target file stored in the file system instance through the encryption pipeline in advance, and the application to be operated can be operated more safely because the security of the application data is higher.
In a third aspect, an embodiment of the present application provides a data encryption apparatus, including: an instance creation module for creating a file system instance through a virtual file system; the file system instance comprises a plurality of files; the pipeline creation module is used for creating an encryption pipeline in the file system instance through a preset encryption function; and the encryption module is used for storing the application program data into the target file of the file system instance through the encryption pipeline. In this way, the security of the application data can be improved.
In a fourth aspect, an embodiment of the present application provides a data acquisition apparatus, including: the receiving module is used for receiving the data acquisition instruction; the data acquisition instruction comprises identity information of an application program to be operated; the acquisition module is used for acquiring application program data corresponding to the application program to be operated according to the identity information of the application program to be operated; wherein the application data is stored in advance in a file of a file system instance through an encryption pipeline; the file system instance is created through a virtual file system; the encryption pipeline is created in the file system instance through a preset encryption function. In this way, the application program to be run can be run more securely.
In a fifth aspect, embodiments of the present application provide an electronic device comprising a processor and a memory storing computer readable instructions which, when executed by the processor, perform the steps of the method as provided in the first or second aspects above.
In a sixth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method as provided in the first or second aspects above.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a data encryption method provided in an embodiment of the present application;
fig. 2 is a flowchart of a data acquisition method according to an embodiment of the present application;
fig. 3 is a block diagram of a data encryption device according to an embodiment of the present application;
fig. 4 is a block diagram of a data acquisition device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device for executing a data encryption method or a data acquisition method according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
It should be noted that embodiments or technical features of embodiments in the present application may be combined without conflict.
In the related art, a malicious application program may escape from a sandbox, so that the problem of low data security exists; to solve this problem, the present application provides a data encryption method; further, by creating a file system instance, operations related to the application program can only be performed within the file system instance. In this way, malicious application programs are limited in the file system instance, so that escape problems existing when sandboxes are utilized are avoided, and the security of data is improved.
The above related art solutions have drawbacks, which are results obtained by the inventor after practice and careful study, and therefore, the discovery process of the above problems and the solutions proposed by the embodiments of the present invention hereinafter for the above problems should be all contributions of the inventor to the present invention in the process of the present invention.
In some applications, the above data encryption method may be applied to a terminal device such as a computer, a mobile phone, or the like, in which a file system instance may be created, so that the active space of a malicious application is limited by using the file system instance.
Referring to fig. 1, a flowchart of a data encryption method according to an embodiment of the present application is shown. As shown in fig. 1, the data encryption method includes the following steps 101 to 103.
Step 101, creating a file system instance through a virtual file system; the file system instance comprises a plurality of files;
the file system instance described above may be considered a virtual disk. That is, the terminal device may create a file system instance through a virtual file system (Virtual File Systems, VFS for short) to use the file system instance as a virtual disk.
A plurality of files may be included in the file system instance, and different files may include, for example, user data, device-related data, etc. corresponding to different applications. For ease of description, user data, device-related data, and the like are collectively referred to herein as application data.
Further, the file may be a file in which data is not recorded.
In some application scenarios, the plurality of files in the file system instance may be database files. In these application scenarios, the terminal device may create a virtual file system in the android system through a mount function, and then create a file system instance using the virtual file system. For example, the terminal device may first create a database file under the private target of the application to be run, then determine the absolute path of the database file, then create a virtual file system instance (i.e. a file system instance) using the virtual file system () subfunction of the mount function, then set the location information of the container of the virtual file system instance to the absolute path described above using the vfs.setContainerPath (db.getAbsolute Path ()) subfunction, and then mount the database file onto the virtual file system instance using the vfs.mount () subfunction, thereby enabling the virtual file system instance to serve as a virtual disk to store the application to be run.
102, creating an encryption pipeline in the file system instance through a preset encryption function;
in some application scenarios, the preset encryption function may be, for example, an Openfile function provided by an IOCipher library. Specifically, the terminal device may create an encryption pipeline in the file system instance using the Openfile function. The IOCipher library, namely the virtual encryption disk library, can realize an encryption function based on the SQLCip her, and the SQLCip her can encrypt the SQLite database, so that each database file can be encrypted through a preset encryption function provided by the IOCipher library.
And step 103, storing the application program data into the target file of the file system instance through the encryption pipeline.
In the related art, in order to further improve data security, application data may be transparently encrypted inside the sandbox, so that application data stored on the android device is not easily read or modified without authorization. However, the transparent encryption process and the process of defending malicious application programs through the sandboxes can carry out a great deal of modification on the android system, so that the complexity of the android system is increased, and the stability and related performance of the android system can be affected.
In the implementation mode, the malicious application program is limited to the file system instance, so that the escape problem existing when the sandbox is utilized is avoided, the leakage risk of the application program data is reduced, and the safety of the application program data is improved. And, the encryption process of storing the application program data by using the encryption pipeline does not involve interaction with the application program, so the encryption process is transparent to the application program, thereby realizing the transparent encryption process.
Furthermore, the virtual file system and the virtual encryption disk library can be integrated into an application program as an independent component, so that the android system is not required to be modified, the influence on the android system is reduced, and the stability and related performance of the android system are improved.
In some alternative implementations, the predetermined encryption function includes an encryption function provided by a virtual encryption disk library; and creating an encryption pipe in the file system instance by a preset encryption function as described in the step 102, including performing the following operations by the preset encryption function:
sub-step 1021, creating a pipe storage object and a pipe transport object;
in some application scenarios, the terminal device may create a ParcelFileDescriptor pipe using the Openfile function and create a pipe storage object in for storing application data. In some application scenarios, the application data may be stored, for example, in an application file that may be identified by a uniform resource identifier uri. The terminal device may acquire the path portion of the uri by using the Openfile function to create a corresponding File object. The terminal device may then transmit the File object to a FileInputStream (path) sub-function to create a pipe storage object in, i.e. for storing application data in the application File, by the FileInputStream (path) sub-function.
In some application scenarios, pseudocode corresponding to a FileInputStream (new File (path) subfunction may include, for example:
input of the file descriptor fd
Output FileInputStream object
1:function FILEINPUTSTREAM(File file)
2:if fd==null then
3:throw new NullPointerException(”fd==null")
4:end if
5:this.fd←IoBridge.open(file.getAbsolutePath(),O_RDONLY)
6: getChannel ()// initialization pipeline
7:this.shouldClose←true
8:end function
Wherein the FileInputStream object, i.e., the pipe storage object in, is represents the current FileInputStream object, fd represents the file descriptor, and O_RDONLY represents the open mode (read-only).
The terminal device may then create a pipe transport object pipe feed thread using the Openfile function to be able to read application data from the pipe storage object in to the output of the pipe.
Sub-step 1022, calling a channel creation sub-function to create a channel encryption channel;
with continued reference to the pseudocode of the FileInputStream (path) subfunction, the terminal device may open the application File through the iobridge.open (file.getAblutePath (), o_RDONLY) subfunction, and may then call the Getchannel subfunction of the IOCipherFileChannel class to create a pipeline encryption channel corresponding to the application File.
In some application scenarios, before creating the pipe encryption channel, the terminal device may also determine, for example, whether the same pipe encryption channel already exists in the file system instance, so as to avoid repeated creation.
Sub-step 1023, calling a data read sub-function to read the application data from the storage location of the application data using the pipe encryption channel, and storing the application data in the pipe storage object;
the data reading subfunction, i.e., readImpl subfunction, is also provided by the IOCipherFileChannel class. Further, the terminal device may read the application data from its storage location (i.e. the application file) by calling the readImpl sub-function, and store it in the pipe storage object in. Here, it is equivalent to transferring the application data from its storage location into the ParcelFileDescriptor pipeline.
In some application scenarios, the pseudo code of the readImpl subfunction is as follows:
inputting the read data buffer in the original file, and starting the position of the read position
Output of the number of bytes read
1:function READIMPL(buffer,position)
2:if buffer.isReadOnly()then
3: if the buffer is read-only, then the exception is thrown
4:end if
5:checkOpen()
6:checkReadable()
7:if NOT buffer.hasRemaining()then
8:return 0
9:end if
10:bytesRead←0
11:completed←false
12:begin()
13:if position=-1then
14:bytesRead←Libcore.os.read(fd,buffer)
15:else
16:bytesRead←Libcore.ospread(fd,buffer,position)
17:end if
18:if bytesRead=0then
19:bytesRead←-1
20:end if
21:completed←true
22:end(completed and bytesRead≥0)
23:if bytesRead>0then
24:buffer.position(buffer.position()+bytesRead)
25:end if
26:return bytesRead
27:end function
That is, the inputs of the readImpl subfunction are the ByteBuffer buffer and the read location information. The readImpl subfunction may call libcore. Os. Read () or libcore. Os. Pread () by the value determination of the position to be able to retrieve the byte buffer from the file descriptor fd. Here, libcore.os.read () or libcore.os.read () may be regarded as an interface that calls to read a file from the underlying operating system.
Thus, storing application data into the target file of the file system instance through the encryption pipeline as described in step 103 above may include: acquiring the application program data from the pipeline storage object through the pipeline transmission object, and transmitting the application program data to the output end of the encryption pipeline; and storing the application program data into the target file of the file system instance from the output end of the encryption pipeline.
That is, the terminal device may acquire application data from the pipe storage object in through the pipe feed through object and transmit it to the output of the ParcelFileDescriptor pipe. Then, the application data is obtained from the output end of the ParcelFileDescriptor pipeline and stored in the corresponding target file.
In some application scenarios, the terminal device may obtain application data from the target file, so that the application may be run. In these application scenarios, the target file is automatically decrypted after being acquired, and no decryption operation is required separately.
In this implementation manner, an encryption pipeline may be created based on a plurality of sub-functions included in a preset encryption function, so as to implement a transparent encryption and decryption process for application data.
In some alternative implementations, after creating the encryption pipe in the file system instance by the preset encryption function described in step 102 above, the method further includes:
firstly, storing the target file to a real file system through a preset encryption write-back function;
the above-mentioned preset encryption write-back function is the copytophterdb function. The pseudo code of the copytophterdb function may include, for example:
input the file name fleName, input stream is
Output is no
1:function COPYTOCIPHERDB(fleName,is)
2:fos←new FileOutputStream(fileName)
3:sourceFileChannel←newChannel(is)
4:destinationFileChannel←fos.getChannel()
5:destinationFileChannel.transferFrom(sourceFileChannel,
6:0,is.available())
7: if IOException then output abnormal stack information
8:end function
The terminal device can firstly create a FileOutputStream instance which is based on the IOCipher library and points to the target file in a real file system through a FileOutputStream (file Name) sub-function of a copyToCipherDb function. Then, the input stream (i.e., the above-mentioned object file) and the fileoutputstreaminstance are respectively encapsulated as readablebyteconnel instance and IOCipherFileChannel instance. And then, the transfer from method of the IOCipherFileChannel is called to write the application program data in the input stream into the real storage file, so that the purpose of storing the application program data in the target file into the real file system is realized.
And then, updating the metadata corresponding to the target file in the real file system.
The metadata may include, for example, data related to the target file such as file size, modification time, and the like.
Furthermore, metadata can be automatically updated by using a copyToCipherDb function, so that the update rate is improved to a certain extent, and operations such as data tracing and multi-disk can be performed later.
In some alternative implementations, after creating the file system instance through the virtual file system described in step 101 above, the method further includes: generating a standard decryption password corresponding to each of the plurality of files; if an access operation for accessing any file in the real file system is received, determining whether a decryption password input in the execution process of the access operation is identical to a corresponding standard decryption password; and allowing access to the file if the decryption password is the same as the standard decryption password.
In some application scenarios, the terminal device may generate standard decryption passwords corresponding to the respective files randomly or based on preset rules when creating the file system instance. The standard decryption password may comprise, for example, numbers, characters, or letters, etc. The preset rule may be, for example, to generate a standard decryption password according to an operation time, an operation duration, or the like.
Thus, if the terminal device receives the access operation to the file in the real file system, it can check whether the input decryption password is the same as the standard decryption password, and if so, it can allow the access operation to be performed. The access operation described above may include, for example, a view operation, a read operation, and the like.
In this implementation, the standard decryption password may be generated when the file is created to determine whether the file can be accessed, so that if the application program does not access the file through the decryption password, the application program may be determined to be a malicious application program, and the application program cannot access the file, thereby reducing the risk of leakage of application program data.
In some alternative implementations, after creating the file system instance through the virtual file system described in step 101 above, the method further includes: creating a file in a memory; the created file is mounted into the file system instance to obtain a plurality of files included in the file system instance.
In some application scenarios, the terminal device may create a file in the memory, and the creation process and the mounting process of the file may be implemented, for example, by the mount function described above, which is not described herein again.
In the related art, the transparent encryption process of the file consumes a large amount of computing resources, thereby reducing the efficiency of data access.
In the implementation manner, each file in the file system instance is created in the memory, so that the execution efficiency of related operations executed on the file is higher, the calculation resources consumed in the file encryption and decryption processes are reduced, and the data access efficiency is improved.
Referring to fig. 2, a flowchart of a data acquisition method according to an embodiment of the present application is shown. As shown in fig. 2, the data acquisition method includes the following steps 201 to 202:
step 201, receiving a data acquisition instruction; the data acquisition instruction comprises identity information of an application program to be operated;
the identity information of the application program to be executed may include information such as a name, an identification code, an installation location, and the like.
In some application scenarios, the terminal device may, for example, be considered to have received the data acquisition instruction when receiving the execution instruction of the application program.
Step 202, acquiring application program data corresponding to the application program to be operated according to the identity information of the application program to be operated; wherein the application data is stored in advance in a file of a file system instance through an encryption pipeline; the file system instance is created through a virtual file system; the encryption pipeline is created in the file system instance through a preset encryption function.
In some application scenarios, when the terminal device creates a file system instance, the file storing the application program data and the identity information of the corresponding application program can be stored in an associated manner, so that the terminal device can search a plurality of files of the file system instance for a target file identical to the identity information according to the identity information of the application program to be operated, and can acquire the application program data from the target file.
It should be noted that the process of storing the application data in the target file and the technical effects achieved in the process may be the same as or similar to the data encryption method in the embodiment shown in fig. 1, and will not be repeated here.
In some application scenarios, after the terminal device obtains the application program data, the application program data can be transferred to the application program to be operated, so that the application program to be operated can be operated normally.
In the implementation manner, the application program data corresponding to the application program to be operated can be obtained from the target file stored in the file system instance through the encryption pipeline in advance, so that the application program to be operated can be operated more safely due to higher safety of the application program data.
It will be appreciated by those skilled in the art that in the above-described method of the specific embodiment, the written order of steps is not meant to imply a strict order of execution but rather should be construed according to the function and possibly inherent logic of the steps.
Referring to fig. 3, a block diagram of a data encryption device according to an embodiment of the present application is shown, where the data encryption device may be a module, a program segment, or a code on an electronic device. It will be appreciated that the apparatus corresponds to the embodiment of the method of fig. 1 described above and is capable of performing the various steps involved in the embodiment of the method of fig. 1.
Optionally, the data encryption device includes an instance creation module 301, a pipe creation module 302, and an encryption module 303. Wherein, the instance creation module 301 is configured to create a file system instance through a virtual file system; the file system instance comprises a plurality of files; a pipe creation module 302, configured to create an encrypted pipe in the file system instance by using a preset encryption function; and the encryption module 303 is used for storing the application program data into the target file of the file system instance through the encryption pipeline.
Optionally, the preset encryption function includes an encryption function provided by a virtual encryption disk library; and the pipe creation module 302 is further configured to perform the following operations through the preset encryption function: creating a pipeline storage object and a pipeline transmission object; calling a channel creation sub-function to create a channel encryption channel; invoking a data reading sub-function to read the application data from a storage location of the application data using the pipeline encryption channel and store the application data into the pipeline storage object; the decryption model is further for: acquiring the application program data from the pipeline storage object through the pipeline transmission object, and transmitting the application program data to the output end of the encryption pipeline; and storing the application program data into the target file of the file system instance from the output end of the encryption pipeline.
Optionally, the device further includes an update module, where the update module is configured to: after the encryption pipeline is created in the file system instance through a preset encryption function, storing the target file to a real file system through a preset encryption write-back function; and updating the metadata corresponding to the target file in the real file system.
Optionally, the device further includes a decryption module, where the decryption module is configured to: after the file system instance is created through the virtual file system, generating a standard decryption password corresponding to each of the plurality of files; if an access operation for accessing any file in the real file system is received, determining whether a decryption password input in the execution process of the access operation is identical to a corresponding standard decryption password; and allowing access to the file if the decryption password is the same as the standard decryption password.
Optionally, the device further includes a file creation module, where the file creation module is configured to: creating a file in memory after said creating a file system instance by a virtual file system; the created file is mounted into the file system instance to obtain a plurality of files included in the file system instance.
It should be noted that, for convenience and brevity, a person skilled in the art will clearly understand that, for the specific working procedure of the apparatus described above, reference may be made to the corresponding procedure in the foregoing method embodiment, and the description will not be repeated here.
Referring to fig. 4, a block diagram of a data acquisition device according to an embodiment of the present application is shown, where the data acquisition device may be a module, a program segment, or a code on an electronic device. It will be appreciated that the apparatus corresponds to the embodiment of the method of fig. 2 described above and is capable of performing the various steps involved in the embodiment of the method of fig. 2.
Alternatively, the data acquisition device may include a receiving module 401 and an acquisition module 402. Wherein, the receiving module 401 is configured to receive a data acquisition instruction; the data acquisition instruction comprises identity information of an application program to be operated; an acquiring module 402, configured to acquire application data corresponding to the application to be run according to the identity information of the application to be run; wherein the application data is stored in advance in a file of a file system instance through an encryption pipeline; the file system instance is created through a virtual file system; the encryption pipeline is created in the file system instance through a preset encryption function.
It should be noted that, for convenience and brevity, a person skilled in the art will clearly understand that, for the specific working procedure of the apparatus described above, reference may be made to the corresponding procedure in the foregoing method embodiment, and the description will not be repeated here.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device for performing a data encryption method according to an embodiment of the present application, where the electronic device may include: at least one processor 501, such as a CPU, at least one communication interface 502, at least one memory 503, and at least one communication bus 504. Wherein the communication bus 504 is used to enable direct connection communication for these components. The communication interface 502 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The memory 503 may be a high-speed RAM memory or a nonvolatile memory (non-volatile memory), such as at least one magnetic disk memory. The memory 503 may also optionally be at least one storage device located remotely from the aforementioned processor. The memory 503 has stored therein computer readable instructions which, when executed by the processor 501, may cause the electronic device to perform the method processes described above with reference to fig. 1 or 2.
It will be appreciated that the configuration shown in fig. 5 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 5, or have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, may perform a method process performed by an electronic device in an embodiment of a method as shown in fig. 1 or fig. 2.
Embodiments of the present application provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the method embodiments described above, for example, the method may comprise: creating a file system instance through a virtual file system; the file system instance comprises a plurality of files; creating an encryption pipeline in the file system instance through a preset encryption function; and storing the application program data into the target file of the file system instance through the encryption pipeline.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.
Claims (10)
1. A data encryption method, comprising:
creating a file system instance through a virtual file system; the file system instance comprises a plurality of files;
creating an encryption pipeline in the file system instance through a preset encryption function;
and storing the application program data into the target file of the file system instance through the encryption pipeline.
2. The method of claim 1, wherein the predetermined encryption function comprises an encryption function provided by a virtual encryption disk library; and
the creating an encryption pipeline in the file system instance through a preset encryption function comprises the following operations through the preset encryption function:
creating a pipeline storage object and a pipeline transmission object;
calling a channel creation sub-function to create a channel encryption channel;
invoking a data reading sub-function to read the application data from a storage location of the application data using the pipeline encryption channel and store the application data into the pipeline storage object; and
the storing, by the encryption pipeline, application data into a target file of the file system instance includes:
acquiring the application program data from the pipeline storage object through the pipeline transmission object, and transmitting the application program data to the output end of the encryption pipeline;
and storing the application program data into the target file of the file system instance from the output end of the encryption pipeline.
3. The method of claim 1, wherein after creating an encryption pipe in the file system instance by a preset encryption function, the method further comprises:
storing the target file to a real file system through a preset encryption write-back function;
and updating the metadata corresponding to the target file in the real file system.
4. A method according to claim 3, wherein after said creating a file system instance by means of a virtual file system, the method further comprises:
generating a standard decryption password corresponding to each of the plurality of files;
if an access operation for accessing any file in the real file system is received, determining whether a decryption password input in the execution process of the access operation is identical to a corresponding standard decryption password; and
if the decryption password is the same as the standard decryption password, access to the file is allowed.
5. The method of claim 1, wherein after the creating of the file system instance by the virtual file system, the method further comprises:
creating a file in a memory;
the created file is mounted into the file system instance to obtain a plurality of files included in the file system instance.
6. A method of data acquisition, the method comprising:
receiving a data acquisition instruction; the data acquisition instruction comprises identity information of an application program to be operated;
acquiring application program data corresponding to the application program to be operated according to the identity information of the application program to be operated; wherein the application data is stored in advance in a file of a file system instance through an encryption pipeline; the file system instance is created through a virtual file system; the encryption pipeline is created in the file system instance through a preset encryption function.
7. A data encryption apparatus, comprising:
an instance creation module for creating a file system instance through a virtual file system; the file system instance comprises a plurality of files;
the pipeline creation module is used for creating an encryption pipeline in the file system instance through a preset encryption function;
and the encryption module is used for storing the application program data into the target file of the file system instance through the encryption pipeline.
8. A data acquisition device, comprising:
the receiving module is used for receiving the data acquisition instruction; the data acquisition instruction comprises identity information of an application program to be operated;
the acquisition module is used for acquiring application program data corresponding to the application program to be operated according to the identity information of the application program to be operated; wherein the application data is stored in advance in a file of a file system instance through an encryption pipeline; the file system instance is created through a virtual file system; the encryption pipeline is created in the file system instance through a preset encryption function.
9. An electronic device comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-5 or 6.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, performs the method according to any of claims 1-5 or 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311704486.2A CN117708850A (en) | 2023-12-11 | 2023-12-11 | Data encryption method, data acquisition device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311704486.2A CN117708850A (en) | 2023-12-11 | 2023-12-11 | Data encryption method, data acquisition device and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117708850A true CN117708850A (en) | 2024-03-15 |
Family
ID=90152704
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311704486.2A Pending CN117708850A (en) | 2023-12-11 | 2023-12-11 | Data encryption method, data acquisition device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117708850A (en) |
-
2023
- 2023-12-11 CN CN202311704486.2A patent/CN117708850A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105637800B (en) | Key Infrastructures | |
| CN113240519A (en) | Intelligent contract management method and device based on block chain and electronic equipment | |
| CN111143869B (en) | Application package processing method and device, electronic equipment and storage medium | |
| JP2010517424A (en) | Encryption key container on USB token | |
| CN109995523B (en) | Activation code management method and device and activation code generation method and device | |
| CN115378735B (en) | Data processing method and device, storage medium and electronic equipment | |
| CN109784039B (en) | Construction method of safe operation space of mobile terminal, electronic equipment and storage medium | |
| CN112434326B (en) | Trusted computing method and device based on data flow | |
| WO2022078366A1 (en) | Application protection method and apparatus, device and medium | |
| CN110602212A (en) | Application service management method, device and storage medium | |
| CN110070360B (en) | Transaction request processing method, device, equipment and storage medium | |
| CN111459673A (en) | Secure memory expansion and release method and device and electronic equipment | |
| CN108985096B (en) | Security enhancement and security operation method and device for Android SQLite database | |
| US10719456B2 (en) | Method and apparatus for accessing private data in physical memory of electronic device | |
| US20110145596A1 (en) | Secure Data Handling In A Computer System | |
| CN111400760A (en) | Method, device, server and storage medium for web application to access database | |
| CN117708850A (en) | Data encryption method, data acquisition device and electronic equipment | |
| CN111931222B (en) | Application data encryption method, device, terminal and storage medium | |
| JP2023542527A (en) | Software access through heterogeneous encryption | |
| CN113987471A (en) | Executable file execution method and device, electronic equipment and computer readable medium | |
| US11061998B2 (en) | Apparatus and method for providing security and apparatus and method for executing security to protect code of shared object | |
| CN108427559B (en) | Script file generation and calling method and device | |
| KR20210154017A (en) | Method and system for protecting file using class dispersion and sequential memory loading | |
| EP4310710A1 (en) | Local key escrow method and apparatus based on trusted computing, device, and medium | |
| CN117375804B (en) | Key derivation method, related equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| TA01 | Transfer of patent application right | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20240313 Address after: Room 101, 1st Floor, Building 11, West District, No.10 Northwest Wangdong Road, Haidian District, Beijing, 100193 Applicant after: Beijing Topsec Network Security Technology Co.,Ltd. Country or region after: China Address before: Room 7-2, Unit 5, Building 2, No. 39 Bai'an Avenue, Wanzhou District, Chongqing, 404100 Applicant before: Ran Feiang Country or region before: China Applicant before: Beijing Topsec Network Security Technology Co.,Ltd. |
|
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |