CN117786721A - File data protection method, device, system and storage equipment - Google Patents
- Publication number
- CN117786721A CN202311825437.4A
- Authority
- CN
- China
- Prior art keywords
- target
- file data
- logical address
- data
- target file
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application discloses a file data protection method, device, system and storage equipment, and belongs to the technical field of information security. The file data protection method comprises the following steps: receiving a locking instruction sent by a security configuration module, and analyzing the locking instruction to obtain a target logical address corresponding to target file data; setting the state of a target physical address corresponding to the target logical address to a locking state according to an address mapping table so as to lock the access right of the target physical address; and storing the target file data into the hidden area, and deleting the target file data in the user storage area. The method and the device can provide reliable protection for the file data and improve the data security.
Description
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a method, an apparatus, a system, and a storage device for protecting file data.
Background
To secure information, data generally needs to be encrypted. In the related art, data is generally encrypted at a software level such as a file system or an operating system, but the root key used by this encryption method is easily located and cracked, so data security cannot be ensured.
Therefore, how to provide reliable protection for file data and improve data security is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the application is to provide a file data protection method, a file data protection device, a file data protection system and storage equipment, which can provide reliable protection for file data and improve data security.
In order to solve the above technical problems, the present application provides a file data protection method, which is applied to a storage device of a host, where the storage device includes a user storage area and a hidden area, and the file data protection method includes:
receiving a locking instruction sent by a security configuration module, and analyzing the locking instruction to obtain a target logical address corresponding to target file data; the target file data are data contained in files and/or folders, and the target file data are stored in the user storage area;
setting the state of a target physical address corresponding to the target logical address to a locking state according to an address mapping table so as to lock the access right of the target physical address;
and storing the target file data into the hidden area, and deleting the target file data in the user storage area.
Optionally, after receiving the locking instruction sent by the security configuration module, the method further includes:
analyzing the locking instruction to obtain an index node number corresponding to the target file data, and returning a successful receiving instruction to the security configuration module so that the security configuration module deletes the target index node corresponding to the target file data in a file index table of a file system according to the index node number.
Optionally, before storing the target file data in the hidden area, the method further includes:
judging whether a data backup instruction sent by the security configuration module is received or not;
if yes, entering a step of storing the target file data into the hidden area;
if not, returning, after a delay of a preset time length, to the step of judging whether the data backup instruction sent by the security configuration module is received.
Optionally, after receiving the locking instruction sent by the security configuration module, the method further includes:
analyzing the locking instruction to obtain a target key corresponding to the target file data, and storing the target key into the hidden area;
correspondingly, after deleting the target file data in the user storage area, the method further comprises:
Receiving an unlocking instruction sent by the security configuration module, and analyzing the unlocking instruction to obtain a reference logical address and a reference key;
judging whether the target logical address is matched with the reference logical address or not to obtain a first judging result;
judging whether the target key is matched with the reference key or not to obtain a second judging result;
and if the first judging result and the second judging result are both yes, recovering the target file data from the hidden area to the target physical address of the user storage area, and setting the state of the target physical address to be an unlocking state so as to recover the access right to the target physical address.
Optionally, after setting the state of the target physical address to the unlock state, the method further includes:
reading the index node number corresponding to the target file data from the hidden area;
and returning an unlocking success instruction carrying the index node number to the security configuration module so that the security configuration module recovers the corresponding target index node in the file index table according to the index node number.
The application also provides a file data protection method, which is applied to the security configuration module of the host, and comprises the following steps:
receiving a file protection request, and determining the target file data according to the file protection request; the target file data are data contained in files and/or folders;
and acquiring a target logical address corresponding to the target file data, and sending a locking instruction carrying the target logical address to a storage device so that the storage device locks the access right of a target physical logical address where the target file data is located and transfers the target file data from a user storage area to a hidden area.
Optionally, after sending the locking instruction carrying the target logical address to the storage device, the method further includes:
if a file unlocking request is received, the file unlocking request is analyzed to obtain a reference logical address and a reference key;
generating an unlocking instruction carrying the reference logical address and the reference key, and sending the unlocking instruction to the storage device so that the storage device can execute unlocking operation on file data corresponding to the unlocking instruction.
The application also provides a storage device comprising:
the instruction analysis unit is used for receiving the locking instruction sent by the security configuration module and analyzing the locking instruction to obtain a target logical address corresponding to the target file data; the target file data are data contained in files and/or folders, and the target file data are stored in the user storage area;
The locking unit is used for setting the state of the target physical address corresponding to the target logical address into a locking state according to the address mapping table so as to lock the access right to the target physical address;
and the hiding unit is used for storing the target file data into the hiding area and deleting the target file data in the user storage area.
The application also provides a file data protection device, which comprises:
the request processing unit is used for receiving a file protection request and determining the target file data according to the file protection request; the target file data are data contained in files and/or folders;
and the locking control unit is used for acquiring the target logical address corresponding to the target file data, and sending a locking instruction carrying the target logical address to the storage device, so that the storage device locks the access right of the target physical logical address where the target file data is located and transfers the target file data from the user storage area to the hidden area.
The application also provides a file data protection system which comprises the storage device and the file data protection device.
The application provides a file data protection method, which is applied to storage equipment of a host, wherein the storage equipment comprises a user storage area and a hidden area, and the file data protection method comprises the following steps: receiving a locking instruction sent by a security configuration module, and analyzing the locking instruction to obtain a target logical address corresponding to target file data; the target file data are data contained in files and/or folders, and the target file data are stored in the user storage area; setting the state of a target physical address corresponding to the target logical address to a locking state according to an address mapping table so as to lock the access right of the target physical address; and storing the target file data into the hidden area, and deleting the target file data in the user storage area.
After the storage device receives the locking instruction sent by the security configuration module, the target logical address corresponding to the target file data to be protected is determined. According to the address mapping table, the state of the target physical address corresponding to the target logical address is set to a locking state, so that read-write operations on the target physical address are prevented. The application also stores the target file data in the target physical address into the hidden area, and deletes the target file data in the target physical address in the user storage area. The application can realize data protection at the file level and/or the folder level, and the locking operation makes the target file data harder to crack. Because the hidden area is not presented to the user, backing up the target file data from the user storage area to the hidden area improves the concealment of the file data. Therefore, the application can provide reliable protection for the file data and improve data security. The application also provides a storage device, a file data protection device and a file data protection system, which have the same beneficial effects and are not described again here.
Drawings
For a clearer description of the embodiments of the present application, the drawings needed in the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a method for protecting file data according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of a security and anti-virus solution for files and folders according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of an instruction format according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are some, but not all, embodiments of the present application. All other embodiments that a person of ordinary skill in the art can obtain from the present disclosure without undue burden are within the scope of the present disclosure.
Referring to fig. 1, fig. 1 is a flowchart of a method for protecting file data according to an embodiment of the present application.
The specific steps may include:
S101: receiving a locking instruction sent by a security configuration module, and analyzing the locking instruction to obtain a target logical address corresponding to target file data;
This embodiment can be applied to a storage device of a host. The data storage area of the storage device comprises a user storage area and a hidden area; data in the user storage area can be presented to the user, and data in the hidden area is not presented to the user. The storage device may include a hard disk and memory chip firmware, and the scheme shown in this embodiment may be implemented based on the memory chip firmware. The host where the storage device is located is also provided with a security configuration module, which can implement the function of security configuration software.
If a locking instruction sent by the security configuration module is received, the logical address of the file data to be protected, namely the target logical address corresponding to the target file data, can be obtained by analyzing the locking instruction.
The target file data may be data contained in a file, data contained in a folder, or data contained in a file and a folder. The target file data is stored in the user storage area. The file or data may be a document, picture, video or the like.
S102: setting the state of a target physical address corresponding to the target logical address to a locking state according to an address mapping table so as to lock the access right of the target physical address;
After the target logical address is obtained, this embodiment can obtain the target physical address corresponding to the target logical address, that is, the physical address where the target file data is actually stored, by querying an address mapping table in the storage device. The address mapping table stores the correspondence between logical addresses and physical addresses, so the state of the target physical address corresponding to the target logical address can be set to a locking state according to the address mapping table, so as to lock the access right to the target physical address. In this embodiment, the access right of upper-layer applications to the target physical address is locked in this manner, and a target physical address in the locked state cannot be read or written.
Specifically, the process of locking the access right of the target physical address may be: the memory chip firmware establishes a secure address space inside the firmware to manage the entries corresponding to the target physical address, and removes the entries corresponding to the target physical address from the normal address space mapping of the disk. After this operation, all commands accessing the target physical address must be routed to the secure address space, where read-write permission is verified: if verification passes, read and write operations can be performed on the target physical address; if it fails, they are not allowed.
S103: and storing the target file data into the hidden area, and deleting the target file data in the user storage area.
In this step, the target file data in the target physical address is stored in the hidden area to back up the target file data. After the backup is finished, the target file data corresponding to the target physical address can be deleted in the user storage area, so that the target file data is protected by the hidden area. It is understood that deleting the target file data in the user storage area refers to deleting the entity file of the target file data stored in the user storage area.
As a possible implementation manner, the data security may also be improved by encrypting the target file data. Specifically, in this embodiment, the target key may be used to encrypt data in the target physical address, so as to obtain encrypted target file data; and storing the encrypted target file data into the hidden area, and deleting the encrypted target file data stored in the target physical address in the user storage area. The target key may be a key set in the storage device, or may be a key issued by the security configuration module. It can be seen that this embodiment can protect confidential data of a user by individually locking and encrypting and hiding target file data at the bottom layer of the storage device.
In this embodiment, after receiving a locking instruction sent by the security configuration module, the storage device determines the target logical address corresponding to the target file data to be protected. According to the address mapping table, the state of the target physical address corresponding to the target logical address is set to a locking state, so that read-write operations on the target physical address are prevented. The embodiment also stores the target file data in the target physical address into the hidden area, and deletes the target file data in the target physical address in the user storage area. The embodiment can realize data protection at the file level and/or the folder level, and the locking operation makes the target file data harder to crack. Because the hidden area is not presented to the user, backing up the target file data from the user storage area to the hidden area improves the concealment of the file data. Therefore, the embodiment can provide reliable protection for the file data and improve data security.
As a further description of the embodiment corresponding to FIG. 1, after receiving the locking instruction sent by the security configuration module, the locking instruction may also be parsed to obtain a target key corresponding to the target file data, and the target key may be stored in the hidden area. After storing the target file data in the hidden area, the association relationship among the target key, the target logical address, the target physical address and the target file data can be established in the hidden area, so that data unlocking can be performed based on the association relationship.
Specifically, after the target file data is deleted from the user storage area, the security configuration module may issue an unlocking instruction to release the protection of the target file data, with the following steps: receiving an unlocking instruction sent by the security configuration module, and analyzing the unlocking instruction to obtain a reference logical address and a reference key; reading the association relationship among the target key, the target logical address, the target physical address and the target file data from the hidden area, and checking the reference logical address and the reference key against the target key and the target logical address that correspond to the same target file data. For example, whether the target logical address matches the reference logical address can be judged to obtain a first judgment result; whether the target key matches the reference key can be judged to obtain a second judgment result; if the first judgment result and the second judgment result are both yes, the target file data is recovered from the hidden area to the target physical address of the user storage area based on the association relationship, and the state of the target physical address is set to an unlocking state so as to recover the access right to the target physical address. If the first judgment result and the second judgment result are not both yes, prompt information indicating an unlocking instruction error is output.
If the reference logical address is identical to the target logical address or the reference logical address completely contains the target logical address (i.e., the range corresponding to the reference logical address is greater than or equal to the range corresponding to the target logical address), then the target logical address is determined to match the reference logical address. For example, if the range corresponding to the target logical address is [A0, B0] and the reference logical address is [A1, B1], then the target logical address is judged to match the reference logical address if A0 ≥ A1 and B0 ≤ B1.
If the target key is the same as or corresponding to the reference key, judging that the target key is matched with the reference key; specifically, if the target key and the reference key are the same key in the symmetric encryption algorithm, judging that the target key is matched with the reference key; and if the target key and the reference key are a pair of corresponding public key and private key in the asymmetric encryption algorithm, judging that the target key and the reference key are matched.
If the target key is used to encrypt the target file data in the process of protecting the target file data, the target key may be used to perform the unlocking operation after the target file data is restored to the target physical address.
As a possible implementation, after restoring the target file data from the hidden area to the physical address of the user storage area, the target file data in the hidden area may also be deleted, so as to release the storage space in the hidden area.
As a possible implementation manner, after receiving the locking instruction sent by the security configuration module, the locking instruction may be further parsed to obtain an index node number corresponding to the target file data, and a successful receiving instruction is returned to the security configuration module, so that the security configuration module deletes the target index node corresponding to the target file data in a file index table of the file system according to the index node number. The successful receiving instruction may carry the index node number.
After storing the target file data in the hidden area, the embodiment may further record the association relationship between the index node number and the target file data in the hidden area, so as to recover the target index node after the target file data is unlocked. Specifically, after the state of the target physical address is set to the unlock state, the index node number corresponding to the target file data may also be read from the hidden area; and returning an unlocking success instruction carrying the index node number to the security configuration module so that the security configuration module recovers the corresponding target index node in the file index table according to the index node number. By the method, the file index table can be quickly restored without reassigning the index node number to the target file data by the security configuration module.
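The device-side flow described above (S101 to S103, the unlock matching rules, and the return of the index node number) can be modeled in C as follows. This is an added example, not code from the application: the structure layouts, function names, error codes, 16-block geometry and single hidden-area slot are assumptions, the lock and unlock instructions are taken as already-parsed fields, only the symmetric same-key case is handled, and encryption of the data is omitted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_LBA  16   /* constructed toy geometry (assumption) */
#define BLOCK_SZ 8
#define KEY_LEN  16
enum { ST_UNLOCKED = 0, ST_LOCKED = 1 };
enum { OK = 0, ERR_RANGE = -1, ERR_LOCKED = -2, ERR_MISMATCH = -3 };

/* Association stored in the hidden area for one protected range. */
struct hidden_record {
    bool     in_use;
    uint32_t a0, b0;                    /* target logical address [A0, B0] */
    uint8_t  key[KEY_LEN];              /* target key */
    uint32_t inode;                     /* index node number */
    uint8_t  data[NUM_LBA][BLOCK_SZ];   /* backed-up target file data */
};
struct device {
    struct { uint32_t pba; int state; } map[NUM_LBA]; /* address mapping table */
    uint8_t user_area[NUM_LBA][BLOCK_SZ];             /* indexed by physical address */
    struct hidden_record hidden;                      /* one slot, for brevity */
};

void dev_init(struct device *d) {
    memset(d, 0, sizeof *d);
    for (uint32_t l = 0; l < NUM_LBA; l++) d->map[l].pba = NUM_LBA - 1 - l;
}

/* Host I/O path: any command that resolves to a locked address is refused. */
int dev_io(struct device *d, uint32_t lba, uint8_t *buf, bool write) {
    if (lba >= NUM_LBA) return ERR_RANGE;
    if (d->map[lba].state == ST_LOCKED) return ERR_LOCKED;
    uint8_t *blk = d->user_area[d->map[lba].pba];
    if (write) memcpy(blk, buf, BLOCK_SZ); else memcpy(buf, blk, BLOCK_SZ);
    return OK;
}

/* S101-S103, applied to the fields of an already-parsed locking instruction. */
int dev_lock(struct device *d, uint32_t a0, uint32_t b0, const uint8_t *key, uint32_t inode) {
    struct hidden_record *h = &d->hidden;
    if (a0 > b0 || b0 >= NUM_LBA || h->in_use) return ERR_RANGE;
    h->in_use = true; h->a0 = a0; h->b0 = b0; h->inode = inode;
    memcpy(h->key, key, KEY_LEN);
    for (uint32_t l = a0; l <= b0; l++) {
        uint8_t *blk = d->user_area[d->map[l].pba];
        d->map[l].state = ST_LOCKED;             /* S102: lock access right */
        memcpy(h->data[l - a0], blk, BLOCK_SZ);  /* S103: store in hidden area */
        memset(blk, 0, BLOCK_SZ);                /* S103: delete the user copy */
    }
    return OK;
}

/* Key comparison without early exit, so timing does not depend on the data. */
static bool key_match(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (int i = 0; i < KEY_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Unlock: reference range [a1, b1] must equal or contain [A0, B0], and the keys
 * must match. Containment is accepted, so only the key acts as a secret here. */
int dev_unlock(struct device *d, uint32_t a1, uint32_t b1, const uint8_t *ref_key, uint32_t *inode_out) {
    struct hidden_record *h = &d->hidden;
    if (!h->in_use) return ERR_RANGE;
    bool first  = h->a0 >= a1 && h->b0 <= b1;    /* first judgment result */
    bool second = key_match(h->key, ref_key);    /* second judgment result */
    if (!(first && second)) return ERR_MISMATCH;
    for (uint32_t l = h->a0; l <= h->b0; l++) {
        memcpy(d->user_area[d->map[l].pba], h->data[l - h->a0], BLOCK_SZ);
        d->map[l].state = ST_UNLOCKED;
    }
    *inode_out = h->inode;     /* lets the host restore the index node */
    memset(h, 0, sizeof *h);   /* release the hidden-area slot */
    return OK;
}

/* Constructed scenario: protect LBAs 4..6, then attempt an unlock. */
int scenario(uint32_t a1, uint32_t b1, bool right_key) {
    struct device d;
    uint8_t key[KEY_LEN] = "constructed-key", bad[KEY_LEN] = "not-the-key";
    uint8_t buf[BLOCK_SZ] = "secret!", out[BLOCK_SZ];
    uint32_t inode = 0;
    dev_init(&d);
    for (uint32_t l = 4; l <= 6; l++) dev_io(&d, l, buf, true);
    dev_lock(&d, 4, 6, key, 1234);
    if (dev_io(&d, 5, out, false) != ERR_LOCKED) return 100;
    int rc = dev_unlock(&d, a1, b1, right_key ? key : bad, &inode);
    if (rc != OK) return dev_io(&d, 5, out, false) == ERR_LOCKED ? rc : 101;
    if (dev_io(&d, 5, out, false) != OK || memcmp(out, buf, BLOCK_SZ)) return 102;
    return inode == 1234 ? OK : 103;
}

int main(void) {
    printf("exact=%d containing=%d partial=%d wrong_key=%d\n", scenario(4, 6, true),
           scenario(0, 15, true), scenario(5, 6, true), scenario(4, 6, false));
    return 0;
}
```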
As a possible implementation manner, before storing the target file data in the hidden area, it may also be determined whether a data backup instruction sent by the security configuration module is received; if yes, the step of storing the target file data into the hidden area is entered; if not, after a delay of a preset time length, the step of judging whether the data backup instruction sent by the security configuration module is received is entered again. Specifically, the security configuration module may send a data backup instruction to the storage device after deleting the target index node corresponding to the target file data.
The embodiment of the application also provides a file data protection method applied to the security configuration module of the host, which comprises the following steps: receiving a file protection request, and determining the target file data according to the file protection request; the target file data are data contained in files and/or folders; and acquiring a target logical address corresponding to the target file data, and sending a locking instruction carrying the target logical address to a storage device so that the storage device locks the access right of a target physical logical address where the target file data is located and transfers the target file data from a user storage area to a hidden area.
The storage device may be a storage device including a user storage area and a hidden area described in the corresponding embodiment of fig. 1, where the storage device may implement file data protection by locking access rights of a target physical logical address where target file data is located and migrating the target file data from the user storage area to the hidden area. The specific process of the storage device for protecting file data can be as follows: receiving a locking instruction sent by a security configuration module, and analyzing the locking instruction to obtain a target logical address corresponding to target file data stored in a user storage area; setting the state of a target physical address corresponding to the target logical address to a locking state according to an address mapping table so as to lock the access right of the target physical address; and storing the target file data into the hidden area, and deleting the target file data in the user storage area.
This embodiment can realize data protection at the file level and/or the folder level. The locking operation makes the target file data harder to crack, and backing up the data to the hidden area improves the concealment of the file data. Therefore, the embodiment can provide reliable protection for the file data and improve data security.
As a possible implementation manner, after sending the locking instruction carrying the target logical address to the storage device, it may also be determined whether the successful receiving instruction returned by the storage device is received; if yes, the target index node corresponding to the target file data is deleted in a file index table of the file system.
As a possible implementation manner, after a locking instruction carrying the target logical address is sent to a storage device, if a file unlocking request sent by a user is received, the file unlocking request is analyzed to obtain a reference logical address and a reference key; generating an unlocking instruction carrying the reference logical address and the reference key, and sending the unlocking instruction to the storage device so that the storage device can execute unlocking operation on file data corresponding to the unlocking instruction.
The process of the storage device performing the unlocking operation may be: receiving an unlocking instruction sent by the security configuration module, and analyzing the unlocking instruction to obtain a reference logical address and a reference key; judging whether the target logical address is matched with the reference logical address or not to obtain a first judging result; judging whether the target key is matched with the reference key or not to obtain a second judging result; and if the first judging result and the second judging result are both yes, recovering the target file data from the hidden area to the target physical address of the user storage area, and setting the state of the target physical address to be an unlocking state so as to recover the access right to the target physical address.
The flow described in the above embodiment is explained below by way of an embodiment in practical application.
To achieve data protection, the related art mainly encrypts file data at a software layer such as the file system or the operating system (OS). One example is protecting a Word document with a password that software configures into the document data or the Windows operating system. With this approach, an attacker can locate the data through a tracing interface. Although the scheme uses password encryption, the root key of the password encryption is also stored in the system in order to decrypt the Word document, so an attacker can follow the trail to the related files and crack them. In addition, a virus can destroy the encrypted file, so the safety of the file cannot be effectively ensured.
The related art also includes a scheme that encrypts data with Windows BitLocker (a data protection function). This is soft encryption at the system level: the data key must be stored in a TPM (Trusted Platform Module) or on a USB flash disk, and the security of the data key can be ensured only under supporting conditions such as BIOS and UEFI (Unified Extensible Firmware Interface) secure boot; otherwise, the security of BitLocker is very low. The storage of the whole key is ensured by a root-of-trust chain in the disk, which can achieve the same security as the TPM. The scheme needs to rely on additional media and cannot provide reliable protection for file data.
In summary, the related art encrypts data at software layers such as the file system or the operating system; security and confidentiality are low, the data is easy to crack, and viruses can also crack it.
In view of the above drawbacks of the related-art data encryption schemes, this embodiment provides a security and anti-virus solution for files and folders. Referring to FIG. 2, FIG. 2 is a schematic diagram of a security and anti-virus solution for files and folders provided in an embodiment of the present application, in which the security configuration module inputs the start logical address (LBA start) and the end logical address (LBA end) of the file or folder into the hard disk, and the memory chip firmware is used to hide the file data. In this embodiment, the original data stored on the SSD hard disk is locked and encrypted by the memory chip firmware, and the data at the file system layer is hidden in cooperation with the memory chip firmware. Unless it is unlocked normally, the file or folder to be protected is not visible, and no host software, such as a network virus, the operating system or a driver, can obtain read, write or execute permission on the file. After a user unlocks and decrypts a file or folder, any modification and saving of the data requires the user's locking information to be checked, ensuring that a legitimate user is modifying the data; this effectively prevents viruses such as ransomware and improves data security and data privacy.
The process of implementing file hiding in this embodiment includes the following steps:
Step A1: The security configuration module obtains, through a file system layer interface call, the target logical address corresponding to the file or folder, and then issues a locking instruction to the memory chip firmware.
Step A2: After receiving the locking instruction, the memory chip firmware returns a receiving success instruction.
Step A3: The memory chip firmware parses the locking instruction to obtain the target logical address of the target file data corresponding to the file or folder, and looks up the address mapping table in the hard disk to obtain the target physical address of that data. It locks the access right to the target physical address by changing the state of that address in the address mapping table to the locked state (that is, a state that is neither readable nor writable), and encrypts the target file data stored at the target physical address, using either an internal key or a key that the host distributes through a command. At the same time, it stores the target logical address, the key and the index node number obtained by parsing into the hidden area.
The hidden area is not presented to the user, and it is difficult for the user to perceive and manipulate the data or files in the hidden area.
Step A4: After receiving the receiving success instruction returned by the memory chip firmware, the security configuration module modifies the file index table of the file system that holds the file or folder, deleting the target index node of the file or folder from the file index table, and notifies the memory chip firmware to back up the encrypted target file data.
Step A5: After receiving the data backup instruction, the memory chip firmware backs up the encrypted target file data to the hidden area and deletes the encrypted target file data from the user storage area, which completes the hiding operation for the file or folder.
This scheme implements encryption in the underlying hardware and locking in the device firmware. Because file data is hidden and protected at the lowest level of the memory chip, the security level of the file is raised, and hiding at that level also improves the privacy of the file data. In addition, because the data is locked at the lowest level, viruses cannot read the file data, and destructive operations on it such as tampering and encryption are prevented, so the scheme also provides virus protection.
The process of recovering files in this embodiment includes the following steps:
Step B1: The user requests unlocking under any folder path on the host (the specific form is not limited; for example, through a right-click menu or a cmd command prompt). After the key is entered in the configuration software interface, the security configuration module obtains the logical address range of the current folder and issues an unlocking instruction.
Step B2: After receiving the unlocking instruction, the memory chip firmware parses it to obtain the logical address range and the key, and checks them against the logical address range and the key stored in the hidden area. If the logical address range pre-stored in the hidden area is completely contained in the parsed logical address range, and the key pre-stored in the hidden area matches the parsed key, verification passes. The memory chip firmware then restores the encrypted target file data from the hidden area to the original address range and decrypts it, deletes the encrypted target file data from the hidden area, returns an unlocking success instruction, and notifies the host configuration software to restore the file index table.
During this process, if the logical address matches but the key does not, prompt information indicating a key error is output; if the key matches but the logical address does not, prompt information indicating that the file and/or folder is not hidden is output; if neither the logical address nor the key matches, prompt information indicating that both the unlocking object and the key are wrong is output. Alternatively, if the key matches but the logical address does not, prompt information indicating that the file and/or folder is not hidden is output, and if the key does not match, prompt information indicating that unlocking failed is output.
Step B3: The security configuration module parses the unlocking success instruction to obtain the index node number, and restores the index table of the file system where the file is located according to that number, completing the file recovery process.
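The firmware-side state changes of steps A3, A5 and B2 can be modelled in a few C functions; this is an added example, not code from the application. The 16-block toy drive, the struct layout and all function names are assumptions, payload encryption is left out so the lock state and the verification stay in view, and the status codes follow the first of the two reporting schemes described above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NBLK 16   /* toy drive: 16 logical blocks (assumption) */
#define BLK  8    /* bytes per block (assumption) */

enum unlock_status { UNLOCK_OK, ERR_KEY, ERR_NOT_HIDDEN, ERR_BOTH };

struct hidden_rec {             /* what steps A3 and A5 keep in the hidden area */
    int      used, backed_up;
    uint64_t start, end, inode; /* inclusive LBA range, index node number */
    uint8_t  key[8];
    uint8_t  data[NBLK][BLK];
};

struct dev {                    /* must start zero-initialised */
    uint8_t user[NBLK][BLK];    /* user storage area */
    uint8_t locked[NBLK];       /* per-block lock state */
    struct hidden_rec hid;
};

/* Key comparison with no early exit, so timing does not reveal the
 * position of the first differing byte. */
static int key_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < 8; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Host read path: a locked block is refused. */
int dev_read(const struct dev *d, uint64_t lba, uint8_t out[BLK])
{
    if (lba >= NBLK || d->locked[lba]) return -1;
    memcpy(out, d->user[lba], BLK);
    return 0;
}

/* Step A3: validate the range, lock it, record range, key and inode. */
int dev_lock(struct dev *d, uint64_t start, uint64_t end,
             const uint8_t key[8], uint64_t inode)
{
    if (start > end || end >= NBLK || d->hid.used) return -1;
    for (uint64_t l = start; l <= end; l++) d->locked[l] = 1;
    d->hid.used = 1; d->hid.backed_up = 0;
    d->hid.start = start; d->hid.end = end; d->hid.inode = inode;
    memcpy(d->hid.key, key, 8);
    return 0;
}

/* Step A5: move the data to the hidden area and erase the user copy. */
int dev_backup(struct dev *d)
{
    if (!d->hid.used || d->hid.backed_up) return -1;
    for (uint64_t l = d->hid.start; l <= d->hid.end; l++) {
        memcpy(d->hid.data[l], d->user[l], BLK);
        memset(d->user[l], 0, BLK);
    }
    d->hid.backed_up = 1;
    return 0;
}

/* Step B2: the stored range must lie inside the requested range and the
 * keys must match; otherwise report which check failed. */
enum unlock_status dev_unlock(struct dev *d, uint64_t start, uint64_t end,
                              const uint8_t key[8], uint64_t *inode_out)
{
    int addr_ok = d->hid.backed_up &&
                  start <= d->hid.start && d->hid.end <= end;
    int key_ok  = d->hid.used && key_equal(d->hid.key, key);
    if (!addr_ok && !key_ok) return ERR_BOTH;
    if (!key_ok)  return ERR_KEY;
    if (!addr_ok) return ERR_NOT_HIDDEN;
    for (uint64_t l = d->hid.start; l <= d->hid.end; l++) {
        memcpy(d->user[l], d->hid.data[l], BLK);
        d->locked[l] = 0;
    }
    *inode_out = d->hid.inode;          /* returned to the host for step B3 */
    memset(&d->hid, 0, sizeof d->hid);  /* drop backup, key and record */
    return UNLOCK_OK;
}
```

A request range that only partly covers the stored range is treated as an address mismatch, which is what the "completely contained" condition in step B2 requires.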
Referring to fig. 3, fig. 3 is a schematic diagram of the instruction formats provided in an embodiment of the present application. It shows the formats of the locking instruction 301, the data backup instruction 302, the unlocking instruction 303 and the unlocking success instruction 304. OPC (Opcode) is the command operation code, LBA start (8 BYTE) is the start logical address, LBA end (8 BYTE) is the end logical address, KEY (8 BYTE) is the key, and sub-bcmd denotes the sub-commands subdivided under the OPC command. Where an instruction format does not involve the corresponding operation, the field is a null pointer (8 BYTE). The instruction formats above are applicable to the NVMe and SATA protocols. The scheme of this embodiment is not limited to the formats shown in fig. 3; any protocol that supports issuing such commands can be used to implement it.
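A strict encoder and firmware-side parser for the three host-to-device instructions can be sketched as follows; this is an added example, not code from the application. Fig. 3 is not reproduced on the page, so the field order, the little-endian byte order, the opcode value 0xC0, the sub-command numbers and all names are assumptions, and the index node number is left out because the page does not say where the format carries it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed wire layout; the page names the fields but not their order:
 *   [0] OPC | [1] sub-command | [2..9] LBA start | [10..17] LBA end | [18..25] KEY
 * Integers are little-endian. Opcode and sub-command values are hypothetical. */
#define INSTR_LEN  26
#define OPC_VENDOR 0xC0
enum subcmd { SUB_LOCK = 1, SUB_BACKUP = 2, SUB_UNLOCK = 3 };
enum parse_err { P_OK, P_LEN, P_OPC, P_SUB, P_RANGE, P_NONZERO };

struct instr {
    uint8_t  opc, sub;
    uint64_t lba_start, lba_end;   /* inclusive range */
    uint8_t  key[8];
};

static uint64_t rd64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

static void wr64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}

/* Host side: serialise one instruction into the fixed-size buffer. */
void instr_encode(const struct instr *in, uint8_t out[INSTR_LEN])
{
    out[0] = in->opc;
    out[1] = in->sub;
    wr64(out + 2, in->lba_start);
    wr64(out + 10, in->lba_end);
    memcpy(out + 18, in->key, 8);
}

/* Firmware side: accept only well-formed instructions. *out is written
 * only when P_OK is returned. max_lba is the last valid logical block. */
enum parse_err instr_parse(const uint8_t *buf, size_t len, uint64_t max_lba,
                           struct instr *out)
{
    struct instr t;
    if (len != INSTR_LEN)     return P_LEN;   /* no short or padded frames */
    if (buf[0] != OPC_VENDOR) return P_OPC;
    t.opc = buf[0];
    t.sub = buf[1];
    t.lba_start = rd64(buf + 2);
    t.lba_end   = rd64(buf + 10);
    memcpy(t.key, buf + 18, 8);
    switch (t.sub) {
    case SUB_LOCK:
    case SUB_UNLOCK:
        /* Reject reversed ranges and ranges past the end of the drive. */
        if (t.lba_start > t.lba_end || t.lba_end > max_lba) return P_RANGE;
        break;
    case SUB_BACKUP:
        /* Fields this instruction does not use must hold the null value. */
        for (size_t i = 2; i < INSTR_LEN; i++)
            if (buf[i] != 0) return P_NONZERO;
        break;
    default:
        return P_SUB;
    }
    *out = t;
    return P_OK;
}
```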
By locking, encrypting and hiding the data of key files or folders in the storage device directly on the device chip side, this method protects the user's key confidential file data, solves the problem of such data being attacked by viruses and accessed illegally, and improves the security and confidentiality of the user's confidential data as a whole. Applied to an SSD, the scheme protects user data well.
The embodiment of the application also provides a storage device, which comprises:
the instruction analysis unit is used for receiving the locking instruction sent by the security configuration module and analyzing the locking instruction to obtain a target logical address corresponding to the target file data; the target file data are data contained in files and/or folders, and the target file data are stored in the user storage area;
the locking unit is used for setting the state of the target physical address corresponding to the target logical address into a locking state according to the address mapping table so as to lock the access right to the target physical address;
and the hiding unit is used for storing the target file data into the hiding area and deleting the target file data in the user storage area.
In this embodiment, after receiving the locking instruction sent by the security configuration module, the storage device determines the target logical address corresponding to the target file data to be protected. It sets the state of the target physical address corresponding to the target logical address to the locked state according to the address mapping table, which prevents read and write operations on the target physical address. It also stores the target file data held at the target physical address into the hidden area and deletes that data from the target physical address in the user storage area. This enables data protection at the file level and/or the folder level, and the locking operation makes the target file data harder to crack. Because the hidden area is not presented to the user, backing up the target file data from the user storage area to the hidden area improves the concealment of the file data. The embodiment can therefore provide reliable protection for file data and improve data security. The storage device is typically a solid state storage device, including but not limited to a solid state drive and a portable solid state storage device.
Further, the storage device also includes:
and the receiving feedback unit is used for analyzing the locking instruction to obtain the index node number corresponding to the target file data after receiving the locking instruction sent by the security configuration module, and returning a receiving success instruction to the security configuration module so that the security configuration module deletes the target index node corresponding to the target file data in a file index table of a file system according to the index node number.
Further, the storage device also includes:
the delay unit is used for judging whether a data backup instruction sent by the security configuration module is received or not before the target file data is stored in the hidden area; if yes, entering a step of storing the target file data into the hidden area; if not, the step of judging whether the data backup instruction sent by the security configuration module is received or not is entered after the delay of the preset time length. The data backup instruction is an instruction generated by the security configuration module after deleting the target index node corresponding to the target file data.
Further, the storage device also includes:
the key storage unit is used for analyzing the locking instruction to obtain a target key corresponding to the target file data after receiving the locking instruction sent by the security configuration module, and storing the target key into the hidden area;
Correspondingly, the storage device further includes:
the data recovery unit is used for receiving an unlocking instruction sent by the security configuration module after the target file data in the user storage area has been deleted, and parsing the unlocking instruction to obtain a reference logical address and a reference key; it is also used for judging whether the target logical address matches the reference logical address to obtain a first judgment result; it is also used for judging whether the target key matches the reference key to obtain a second judgment result; and, if the first judgment result and the second judgment result are both yes, for restoring the target file data from the hidden area to the target physical address of the user storage area and setting the state of the target physical address to the unlocked state so as to restore the access right to the target physical address.
Further, the storage device also includes:
the index table recovery unit is used for reading the index node number corresponding to the target file data from the hidden area after the state of the target physical address is set to the unlocked state; it is also used for returning an unlocking success instruction carrying the index node number to the security configuration module, so that the security configuration module restores the corresponding target index node in the file index table according to the index node number.
The embodiment of the application also provides a file data protection device, which comprises:
the request processing unit is used for receiving a file protection request and determining the target file data corresponding to the file protection request; the target file data are data contained in files and/or folders;
and the locking control unit is used for acquiring the target logical address corresponding to the target file data, and sending a locking instruction carrying the target logical address to the storage device so as to lock the access right of the target physical logical address where the target file data is located by the storage device and transfer the target file data from the user storage area to the hidden area.
Further, the file data protection device also includes:
The index node management unit is used for judging whether a receiving success instruction returned by the storage equipment is received or not after a locking instruction carrying the target logical address is sent to the storage equipment;
if yes, deleting the target index node corresponding to the target file data in a file index table of the file system.
Further, the file data protection device also includes:
the unlocking unit is used for parsing the file unlocking request to obtain a reference logical address and a reference key if the file unlocking request is received after the locking instruction carrying the target logical address has been sent to the storage device; it is also used for generating an unlocking instruction carrying the reference logical address and the reference key and sending the unlocking instruction to the storage device, so that the storage device performs an unlocking operation on the file data corresponding to the unlocking instruction.
The application also provides a file data protection system which can comprise any one of the storage devices and any one of the file data protection devices.
Since the embodiments of the system portion and the embodiments of the method portion correspond to each other, the embodiments of the system portion refer to the description of the embodiments of the method portion, which is not repeated herein.
The present application also provides a storage medium having stored thereon a computer program which, when executed, performs the steps provided by the above embodiments. The storage medium may include a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In this description, the embodiments are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be referred to one another. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make various improvements and modifications to the present application without departing from its principles, and such improvements and modifications fall within the scope of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second are used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (10)
1. A file data protection method, characterized by being applied to a storage device of a host, the storage device including a user storage area and a hidden area, the file data protection method comprising:
receiving a locking instruction sent by a security configuration module, and analyzing the locking instruction to obtain a target logical address corresponding to target file data; the target file data are data contained in files and/or folders, and the target file data are stored in the user storage area;
setting the state of a target physical address corresponding to the target logical address to a locking state according to an address mapping table so as to lock the access right of the target physical address;
and storing the target file data into the hidden area, and deleting the target file data in the user storage area.
2. The method for protecting file data according to claim 1, further comprising, after receiving a locking instruction sent by the security configuration module:
analyzing the locking instruction to obtain an index node number corresponding to the target file data, and returning a successful receiving instruction to the security configuration module so that the security configuration module deletes the target index node corresponding to the target file data in a file index table of a file system according to the index node number.
3. The file data protection method according to claim 1, further comprising, before storing the target file data to the hidden area:
judging whether a data backup instruction sent by the security configuration module is received or not;
if yes, entering a step of storing the target file data into the hidden area;
if not, the step of judging whether the data backup instruction sent by the security configuration module is received or not is entered after the delay of the preset time length.
4. The method for protecting file data according to claim 1, further comprising, after receiving a locking instruction sent by the security configuration module:
analyzing the locking instruction to obtain a target key corresponding to the target file data, and storing the target key into the hidden area;
correspondingly, after deleting the target file data in the user storage area, the method further comprises:
receiving an unlocking instruction sent by the security configuration module, and analyzing the unlocking instruction to obtain a reference logical address and a reference key;
judging whether the target logical address is matched with the reference logical address or not to obtain a first judging result;
judging whether the target key is matched with the reference key or not to obtain a second judging result;
and if the first judging result and the second judging result are both yes, recovering the target file data from the hidden area to the target physical address of the user storage area, and setting the state of the target physical address to be an unlocking state so as to recover the access right to the target physical address.
5. The method according to claim 4, further comprising, after setting the state of the target physical address to the unlock state:
reading the index node number corresponding to the target file data from the hidden area;
and returning an unlocking success instruction carrying the index node number to the security configuration module so that the security configuration module recovers the corresponding target index node in the file index table according to the index node number.
6. A method for protecting file data, characterized by being applied to a security configuration module of a host, the method comprising:
receiving a file protection request, and determining the target file data corresponding to the file protection request; the target file data are data contained in files and/or folders;
and acquiring a target logical address corresponding to the target file data, and sending a locking instruction carrying the target logical address to a storage device so that the storage device locks the access right of a target physical logical address where the target file data is located and transfers the target file data from a user storage area to a hidden area.
7. The method of claim 6, further comprising, after sending a lock instruction carrying the target logical address to a storage device:
if a file unlocking request is received, the file unlocking request is analyzed to obtain a reference logical address and a reference key;
generating an unlocking instruction carrying the reference logical address and the reference key, and sending the unlocking instruction to the storage device so that the storage device can execute unlocking operation on file data corresponding to the unlocking instruction.
8. A memory device, comprising:
the instruction analysis unit is used for receiving the locking instruction sent by the security configuration module and analyzing the locking instruction to obtain a target logical address corresponding to the target file data; the target file data are data contained in files and/or folders, and the target file data are stored in the user storage area;
the locking unit is used for setting the state of the target physical address corresponding to the target logical address into a locking state according to the address mapping table so as to lock the access right to the target physical address;
and the hiding unit is used for storing the target file data into the hiding area and deleting the target file data in the user storage area.
9. A file data protection apparatus, comprising:
the request processing unit is used for receiving a file protection request and determining the target file data corresponding to the file protection request; the target file data are data contained in files and/or folders;
and the locking control unit is used for acquiring the target logical address corresponding to the target file data, and sending a locking instruction carrying the target logical address to the storage device so as to lock the access right of the target physical logical address where the target file data is located by the storage device and transfer the target file data from the user storage area to the hidden area.
10. A file data protection system comprising the storage device of claim 8 and the file data protection apparatus of claim 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311825437.4A CN117786721A (en) | 2023-12-26 | 2023-12-26 | File data protection method, device, system and storage equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117786721A true CN117786721A (en) | 2024-03-29 |
Family
ID=90379535
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311825437.4A Pending CN117786721A (en) | 2023-12-26 | 2023-12-26 | File data protection method, device, system and storage equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||