CN117786722A - Hierarchical encryption and decryption processing method, device and medium for container mirror image - Google Patents


Info

Publication number
CN117786722A
Authority
CN
China
Prior art keywords
layer
image
container
encryption
mirror image
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311833829.5A
Other languages
Chinese (zh)
Inventor
丁攀
徐雷
郭新海
蓝鑫冲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202311833829.5A
Publication of CN117786722A

Landscapes

  • Storage Device Security (AREA)

Abstract

The application provides a hierarchical (per-layer) encryption and decryption processing method, device and medium for a container image. The method comprises: obtaining an encryption request that comprises the container image to be encrypted and the identification of the image layer(s) selected for encryption; and, according to the encryption request, acquiring the image layers of the container image to be encrypted and the layer files of each image layer, and generating a symmetric encryption key with which the layer files of the selected image layer(s) are encrypted, so as to obtain the encrypted container image. The method avoids the excessive computation caused by encrypting the whole image file, and improves the speed and efficiency of image encryption and decryption.

Description

Hierarchical encryption and decryption processing method, device and medium for container mirror image
Technical Field
The present invention relates to container image technology, and in particular to a method, an apparatus and a medium for hierarchical (per-layer) encryption and decryption processing of a container image.
Background
Docker is a lightweight virtualization technology that lets a developer package an application and the files it depends on into a Docker image, which can then be installed and run on any physical device (a Linux device, a Windows device and the like). A Docker image serves as the template from which a Docker container runs: it contains the file system and contents needed to start the container, and the image file together with the container's configuration file forms the container's root file system environment, RootFS. In the Open Container Initiative (OCI) image specification, a container image consists of an image index, an image manifest, an image configuration and the file system layers. A container image may, however, contain sensitive information and confidential data, such as database connection strings and API keys. Encrypting the container image is therefore an important requirement for protecting such information against unauthorized access and potential attack.
In the prior art, an encryption algorithm is generally applied to every image layer, which over-encrypts the container image: encryption and decryption consume a large amount of additional computing resources and time, the container's runtime load may be affected and its performance reduced, and the speed and efficiency of image encryption and decryption suffer as a result.
Disclosure of Invention
The application provides a hierarchical encryption and decryption processing method, device and medium for container images, intended to solve the prior-art technical problem of over-encrypting image files.
In a first aspect, the present application provides a hierarchical encryption method for a container image, including:
obtaining an encryption request, the encryption request comprising the container image to be encrypted and the identification of the image layer(s) selected for encryption;
and, according to the encryption request, acquiring the image layers of the container image to be encrypted and the layer files of each image layer, and generating a symmetric encryption key with which the layer files of the image layer(s) identified for encryption are encrypted, so as to obtain the encrypted container image.
Optionally, in the method described above, acquiring the image layers of the container image to be encrypted and the layer file of each image layer according to the encryption request includes:
acquiring the image layers to be encrypted and the layer files of each image layer, according to the encryption request, by reading a preconfigured OCI container image specification file.
Optionally, the method described above further comprises:
acquiring, from the preconfigured OCI container image specification file, the image information of the image layer(s) identified for encryption, the image information including the format of the layer file, the digest of the layer file and the annotations of the layer file;
and converting the format of the layer file into an encrypted format, encrypting the layer file, computing a hash value of the encrypted layer file and writing it into the digest of the layer file, and writing the symmetric encryption key into the annotations of the layer file, so as to update the image information.
Optionally, in the method described above, acquiring from the preconfigured OCI container image specification file the image information of the image layer(s) identified for encryption includes:
locating, in the preconfigured OCI container image specification file, the code position of the identification of the image layer selected for encryption;
and obtaining the image information recorded at that code position.
Optionally, in the method described above, the identification of the image layer(s) to be encrypted designates one or more of the following: an operating system layer, a middleware layer and an application layer.
In a second aspect, the present application provides a hierarchical decryption processing method for a container image, including:
obtaining a decryption request, the decryption request comprising the container image to be decrypted and the identification of the image layer(s) to be decrypted;
obtaining, from a preset OCI container image specification file, the image information of the image layer(s) identified for decryption;
and decrypting the layer file of each image layer to be decrypted with the symmetric encryption key carried in its image information, so as to obtain the decrypted container image.
In a third aspect, the present application provides a hierarchical encryption processing apparatus for a container image, including:
an acquisition module, configured to acquire an encryption request, the encryption request comprising the container image to be encrypted and the identification of the image layer(s) selected for encryption;
and a processing module, configured to acquire, according to the encryption request, the image layers of the container image to be encrypted and the layer files of each image layer, to generate a symmetric encryption key, and to encrypt the layer files of the image layer(s) identified for encryption, so as to obtain the encrypted container image.
In a fourth aspect, the present application provides a hierarchical decryption processing apparatus for a container image, including:
an acquisition module, configured to acquire a decryption request, the decryption request comprising the container image to be decrypted and the identification of the image layer(s) to be decrypted;
a processing module, configured to obtain, from a preset OCI container image specification file, the image information of the image layer(s) identified for decryption;
the processing module being further configured to decrypt the layer file of each image layer to be decrypted with the symmetric encryption key carried in its image information, so as to obtain the decrypted container image.
In a fifth aspect, the present application provides an electronic device, comprising a processor and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
and the processor executes the computer-executable instructions stored in the memory to implement the hierarchical encryption processing method and the hierarchical decryption processing method for a container image according to any one of the above embodiments.
In a sixth aspect, the present application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the hierarchical encryption processing method and the hierarchical decryption processing method for a container image according to any one of the above embodiments.
The application provides a hierarchical encryption and decryption processing method, device and medium for a container image, in which an encryption request comprising the container image to be encrypted and the identification of the image layer(s) selected for encryption is obtained; according to the encryption request, the image layers of the container image to be encrypted and the layer files corresponding to each image layer are obtained, and a symmetric encryption key is generated to encrypt the layer files of the selected image layer(s), so that the encrypted container image is obtained.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a schematic flow chart of an embodiment of a hierarchical encryption processing method for a container image provided in the present application;
FIG. 2 is a flow chart of another embodiment of a hierarchical encryption processing method for a container image provided in the present application;
FIG. 3 is a flow chart of still another embodiment of a hierarchical encryption processing method for a container image provided in the present application;
FIG. 4 is a flow chart of an embodiment of a hierarchical decryption processing method for a container image provided in the present application;
FIG. 5 is a schematic diagram illustrating the structure of an embodiment of a hierarchical encryption processing apparatus for a container image provided in the present application;
FIG. 6 is a schematic diagram illustrating the structure of an embodiment of a hierarchical decryption processing apparatus for a container image provided in the present application;
FIG. 7 is a schematic structural diagram of an embodiment of an electronic device provided in the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
A Docker container image is a reusable template used to create Docker containers. It contains the file system and contents needed to start a Docker container; the image file together with the container's configuration file forms the container's static root file system environment, RootFS. The image is the static view of the container, and the container is the image in its running state. A container image may also contain sensitive information, such as passwords and keys, that needs to be encrypted or hidden during the build process. To protect this sensitive information, tools and techniques exist for encrypting the sensitive layer of a container image.
A container image has the following characteristics:
a) Layered storage: Docker images use a layered storage model in which each image is composed of a series of layer files (layers) arranged in a fixed order; different images can share the files of a common bottom layer, which saves storage space.
b) Copy-on-write: as long as the image files are not changed, all containers share the same image files; when the content of a container needs to be modified, only the topmost layer is modified. The modified file is stored in the container's read-write layer, and, like layered storage, copy-on-write saves storage space.
c) Content addressing: the system indexes the location of an image by the hash value of the image content. When pull, push, load, save and similar operations are performed on the image, the integrity of the image data can be verified through the hash value, so content addressing improves the security of the image and reduces the possibility of image name collisions.
d) Union mounting: a Docker image superimposes its multiple layers of files through a union mount technology such as AUFS or OverlayFS. OverlayFS merges two directories on the Linux host into one directory and presents a unified view to the outside. The lower directory (lowerdir) is the read-only image layer, and the upper directory (upperdir) is the writable container layer. The unified view presented externally is called the merged layer, in which the contents of the upper directory cover those of the lower directory. When a file needs to be modified, it is copied from the read-only lowerdir to the writable upperdir by copy-on-write, and the modified file is stored in the upperdir layer.
In the prior art, the conventional method for encrypting a Docker container image generally obtains the original image file and uses an encryption tool to generate a key for encrypting and decrypting the container image; the encryption tool then encrypts the original file of the whole container image with the generated key to produce an encrypted container image file; the same key is later used to decrypt the encrypted image file and recover the original image file.
This traditional encryption method for a Docker container image encrypts the operating system layer, the middleware layer and the application layer uniformly. Although it can protect sensitive information from leakage, in most cases sensitive data exists only in the topmost application layer, while the operating system layer and the middleware layer at the bottom store no sensitive files and need no encryption. The traditional container image encryption method therefore over-encrypts the image, causing a large computational workload and reducing the speed and efficiency of image encryption and decryption.
In order to solve these technical problems, the inventive concept of the application is to encrypt and decrypt the image file of a container according to the user's requirements, thereby solving the technical problems of large computational workload and low encryption speed and efficiency caused by over-encryption.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a flow chart of an embodiment of a hierarchical encryption processing method for a container image provided in the present application. As shown in fig. 1, the method includes:
Step 101: an encryption request is obtained.
The encryption request includes the container image to be encrypted and the identification of the image layer(s) selected for encryption; the identification of an image layer selected for encryption may designate an operating system layer, a middleware layer or an application layer.
In this embodiment, the container image that the user needs to encrypt and the identifier(s) of one or more image layers in that container image that need to be encrypted are obtained. For example, the obtained encryption request includes: the container image to be encrypted, nginx:1.24.0, and the image layer selected for encryption, namely the layer corresponding to the file named 3726de4affbbf690e81d792226518feddaba53dcb5e785f1a5f97a707e1a99f2.
Step 102: according to the encryption request, acquire the image layers of the container image to be encrypted and the layer files of each image layer, and generate a symmetric encryption key with which the layer files of the image layer(s) identified for encryption are encrypted, so as to obtain the encrypted container image.
In this embodiment, the encryption request carries the identifier(s) of one or more image layers of the container image that the user requires to be encrypted; the layer file of the corresponding image layer is acquired according to each identifier; and the layer files of the selected image layers are encrypted with a key that OpenSSL either generates randomly or reads from a created key file, so as to obtain the encrypted container image.
In this embodiment, for example, the layer file of the image layer to be encrypted is encrypted with a created key file: first the key file key.txt used for encryption is generated, with file content 123456. The selected image layer is then encrypted with the AES symmetric encryption algorithm of OpenSSL, and the encrypted layer file may be named: 3726de4affbbf690e81d792226518feddaba53dcb5e785f1a5f97a707e1a99f2-enc.
It should be noted that, although the layer file of the image layer to be encrypted is here encrypted with a key that OpenSSL generates randomly or reads from a created key file, using the AES symmetric encryption algorithm, the encryption method is not limited to that algorithm, and any one or more of the following encryption algorithms may be used.
DES (Data Encryption Standard): the data encryption standard has high speed and is suitable for occasions of encrypting a large amount of data.
3DES (Triple DES): based on DES, a piece of data is encrypted three times by three different keys, and the intensity is higher.
DESede (Data Encryption Standard with DESede): is an upgrade version of the DES algorithm, adding a more powerful security measure.
IDEA (Initialization Vector): also referred to as the "initial vector", is a fixed length vector that is commonly used in symmetric encryption algorithms.
RC2 (Rivest Cipher 2): is a symmetric encryption algorithm, and is considered one of the earlier symmetric encryption algorithms.
RC4 (Rivest Cipher 4): is a symmetric encryption algorithm that is widely used and is considered one of the safest symmetric encryption algorithms.
SKIPJACK (Skipjack): is a symmetric encryption algorithm, which is considered to be one of the fastest symmetric encryption algorithms, but is also less secure because of its speed.
CBC (Cipher Block Chaining): a symmetric encryption algorithm whose security is based on encryption round functions in cryptography.
CFB (Cipher Feedback): a symmetric encryption algorithm whose security is based on an encryption round function and a random number generator in cryptography.
OFB (Output Feedback): a symmetric encryption algorithm whose security is based on an encryption round function and a random number generator in cryptography.
National cryptographic algorithms (SM2, SM3, SM4, etc.): the encryption algorithm standards issued by the State Cryptography Administration of China, which have higher security.
In the present embodiment, an encryption request comprising the container image to be encrypted and the identification of the image layer(s) selected for encryption is obtained; according to the encryption request, the image layers of the container image to be encrypted and the layer files corresponding to each image layer are obtained, and a symmetric encryption key is generated to encrypt the layer files of the selected image layer(s), so that the encrypted container image is obtained.
Fig. 2 is a flow chart of another embodiment of a hierarchical encryption processing method for a container image provided in the present application. As shown in fig. 2, in the above embodiment, a specific implementation of "acquiring, according to the encryption request, the image layers of the container image to be encrypted and the layer file of each image layer" in step 102 includes:
Step 201: according to the encryption request, acquire the image layers to be encrypted and the layer files of each image layer by reading a preconfigured OCI container image specification file.
In this embodiment, for example, the preconfigured OCI container image specification file corresponding to the container image to be encrypted is read; the data of the image layer(s) matching the identifier(s) of the image layer(s) to be encrypted is obtained from it; and the layer file of each such image layer is obtained from that data, for use in the subsequent encryption of the layer file.
Further, the method may further include:
step 202: and acquiring the mirror image information in the mirror image layer to be selected corresponding to the identification of the mirror image layer to be selected for encryption in the preconfigured OCI container mirror image specification file.
Wherein the mirror image information includes: the format of the layer file, the abstract of the layer file, and the annotation of the layer file.
In this embodiment, for example, according to the preconfigured OCI container mirror image specification file content, mirror image layer information corresponding to the identifier of the mirror image layer to be selected for encryption by the user is obtained, and media format, summary information and annotation information corresponding to the layer file in the mirror image layer to be selected for encryption are obtained.
Wherein the format is specifically a file format for storing media information; the abstract information contains SHA256 hash value of the layer file; the annotation information includes other remark information in the layer of file.
Step 203: and converting the format of the layer file into an encryption format, encrypting the layer file, obtaining a hash value, writing the hash value into the abstract of the layer file, and writing the symmetric encryption key into the annotation of the layer file so as to update the mirror image information.
In this embodiment, for example, the format of the layer file to be encrypted is "tar+gzip"; converting the format type into an encrypted format, namely 'tar+gzip+encrypted'; calculating the hash value of the encrypted layer file through an SHA256 algorithm, and writing the hash value into the abstract of the layer file; and saving the symmetric encryption key generated when the layer file is encrypted into the annotation of the corresponding layer file, and finishing the data update of the mirror image information, so that other users can acquire the mirror image information of the encrypted container mirror image according to the OCI container mirror image standard file preconfigured by the container mirror image.
For example, one attribute in the OCI may be "org.opencontainers.image.enc.keys.jwe" for specifying a JSON Web Encryption (JWE) key for use by the container image. The Base64 encoded JWE key may be: "ey Jwcm90ZWN0ZWQi … U0VETTkxa3Z2 YutnIn0=". This key is used to encrypt and decrypt the container image.
It should be noted that, when the multi-layer mirror image layer to be encrypted and the layer files of each layer mirror image layer are obtained, a method of reading the preconfigured OCI container mirror image specification file is not limited to the above-mentioned obtaining method, and may be obtained by sampling more other methods.
In this embodiment, through the obtained encryption request, an OCI container image specification file preconfigured by the container image to be encrypted is read, and image information in the image layer to be selected corresponding to the identifier of the image layer to be selected for encryption is obtained therefrom; after the encryption of the corresponding layer file is completed, the format, the abstract and the annotation of the layer file of the encrypted layer file in the OCI container mirror image standard file are updated correspondingly according to the format, the hash value and the generated symmetric encryption key of the encrypted layer file. Compared with the prior art, the method of the invention realizes more accurate description of the encrypted container mirror image, and improves the safety and data accuracy of the encrypted container mirror image.
Fig. 3 is a flow chart of still another embodiment of a hierarchical encryption processing method for a container image provided in the present application. As shown in fig. 3, in the foregoing embodiment, a specific implementation of "acquiring, from the preconfigured OCI container image specification file, the image information of the image layer(s) identified for encryption" in step 202 includes:
Step 301: locate, in the preconfigured OCI container image specification file, the code position of the identification of the image layer selected for encryption.
In this embodiment, for example, after the preconfigured OCI container image specification file of the container image is read, the code position of the image layer section is found, and within it the specific position of the image information of the one or more layer files matching the identifier of the image layer selected for encryption is located.
The code position of the image layer section contains the image information of every image layer in the container image.
Step 302: obtain the image information recorded at that code position.
In this embodiment, the specific image information of the image layer is obtained from the code position of the identifier of the selected image layer in the preconfigured OCI container image specification file.
In this embodiment, the specific image information of the image layer to be encrypted is obtained by locating the specific code position of the identifier of the image layer selected for encryption in the preconfigured OCI container image specification file of the container image. Compared with the prior art, the specific image information of an image layer can be obtained simply by reading the preconfigured OCI container image specification file, which speeds up obtaining the image information of the image layer and simplifies the step of obtaining it.
Fig. 4 is a flow chart of an embodiment of a hierarchical decryption processing method for a container image provided in the present application. As shown in fig. 4, the method includes:
Step 401: obtain a decryption request;
the decryption request includes the container image to be decrypted and the identification of the image layer(s) to be decrypted.
In this embodiment, the container image that the user needs to decrypt and the identifier(s) of one or more image layers in that container image that need to be decrypted are obtained.
Step 402: obtain, from the preconfigured OCI container image specification file, the image information of the image layer(s) identified for decryption.
In this embodiment, the preconfigured OCI container image specification file corresponding to the container image to be decrypted is read, and the image information of the image layer(s) to be decrypted is obtained from it according to their identifier(s).
The image information includes the format of the layer file, the digest of the layer file and the annotations of the layer file. The format is the file format (media type) in which the layer is stored; here it is an encrypted format, indicating that the file is encrypted. The digest information contains the hash value of the encrypted file. The annotation information contains other remarks about the layer file, and specifically contains the symmetric encryption key corresponding to the encrypted layer file.
Step 403: decrypt the layer file of the image layer to be decrypted with the symmetric encryption key carried in the image information, so as to obtain the decrypted container image.
In this embodiment, the layer file of the image layer to be decrypted is decrypted by OpenSSL with a symmetric decryption algorithm, using the symmetric encryption key obtained from the preconfigured OCI container image specification file, so as to obtain the decrypted container image.
In this embodiment, for example, the selected image layer is decrypted with the key using the AES symmetric encryption algorithm of OpenSSL, and the decrypted layer file is renamed; its file name may be: 3726de4affbbf690e81d792226518feddaba53dcb5e785f1a5f97a707e1a99f2-enc-d.
In this embodiment, a decryption request is obtained, which determines the container image that the user needs to decrypt and the identifier(s) of the image layer(s) to be decrypted; the preconfigured OCI container image specification file of the container image to be decrypted is obtained, the image information of the image layer(s) identified for decryption is read from it, the symmetric encryption key corresponding to each layer file to be decrypted is taken from that image information, and the layer file is decrypted with a symmetric decryption algorithm using that key. Compared with the prior art, the decrypted container image is obtained by decrypting only the one or more encrypted layer files, which improves decryption speed and efficiency and reduces the computation required for decryption.
Fig. 5 is a schematic structural diagram of an embodiment of a hierarchical encryption processing apparatus for a container image provided in the present application. As shown in fig. 5, the apparatus 50 includes an acquisition module 51 and a processing module 52. The acquisition module 51 is configured to obtain an encryption request, the encryption request including the container image to be encrypted and the identifier of the image layer selected for encryption. The processing module 52 is configured to obtain, according to the encryption request, the plurality of image layers of the container image to be encrypted and the layer file of each image layer, and to generate a symmetric encryption key with which the layer file of the image layer corresponding to the identifier of the selected image layer is encrypted, so as to obtain the encrypted container image.
The hierarchical encryption processing apparatus for a container image provided by this embodiment of the application can carry out the technical solution shown in the method embodiments; its implementation principle and beneficial effects are similar and are not repeated here.
In one implementation, the processing module 52 is specifically configured to: obtain, according to the encryption request, the plurality of image layers of the container image to be encrypted and the layer file of each image layer by using the preconfigured OCI container image specification file.
In one implementation, the processing module 52 is specifically configured to: obtain, from the preconfigured OCI container image specification file, the image information of the selected image layer corresponding to the identifier of the image layer selected for encryption, the image information including the format of the layer file, the digest of the layer file, and the annotation of the layer file; and convert the format of the layer file into an encrypted format, encrypt the layer file, compute a hash value, write the hash value into the digest of the layer file, and write the symmetric encryption key into the annotation of the layer file, so as to update the image information.
In one implementation, the processing module 52 is specifically configured to: obtain the code position of the identifier of the image layer selected for encryption in the preconfigured OCI container image specification file, and obtain the image information corresponding to that code position.
Fig. 6 is a schematic structural diagram of an embodiment of a hierarchical decryption processing apparatus for a container image provided in the present application. As shown in fig. 6, the apparatus 60 includes an acquisition module 61 and a processing module 62. The acquisition module 61 is configured to obtain a decryption request, the decryption request including the container image to be decrypted and an identifier of the image layer to be decrypted; the acquisition module 61 is further configured to obtain, from the preconfigured OCI container image specification file, the image information of the image layer to be decrypted corresponding to the identifier of the image layer to be decrypted; and the processing module 62 is configured to decrypt the layer file of the image layer to be decrypted according to the symmetric encryption key in the image information, so as to obtain the decrypted container image.
The hierarchical decryption processing apparatus for a container image provided by this embodiment of the application can carry out the technical solution shown in the method embodiments; its implementation principle and beneficial effects are similar and are not repeated here.
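The layer-selective encryption performed by the processing module 52 (Fig. 5) and the decryption flow of steps 401 to 403 (Fig. 4) are shown together in the following added Go example; it is not code from the patent or from the applicant. It models the layer entries of an OCI image manifest as a small struct, encrypts only the layer named by its identifier under a fresh AES-256-GCM key, writes the hash of the ciphertext into the digest and the key into an annotation, and decrypts by identifier after checking the blob against the recorded digest. The page names AES via OpenSSL but neither the mode nor the field names, so the GCM mode, the "+encrypted" media-type suffix, the "example.com/layer-key" annotation name, the 12-byte nonce prefix and the use of the layer digest as the layer identifier are assumptions made here; the layer blobs are constructed strings standing in for tar layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Descriptor is one entry of the manifest's layers array: the "image information" of the page, i.e. format, digest, annotations.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// These names and sizes are assumptions made for this example, not taken from the page.
const (
	plainMediaType = "application/vnd.oci.image.layer.v1.tar"
	encSuffix      = "+encrypted"            // marks the layer format as "encrypted"
	keyAnnotation  = "example.com/layer-key" // annotation that carries the layer key
	keySize        = 32                      // AES-256
	nonceSize      = 12                      // standard GCM nonce, prepended to the blob
)

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// BuildLayers describes plaintext blobs (constructed stand-ins for tar layers) as unencrypted layers.
func BuildLayers(blobs [][]byte) []Descriptor {
	var layers []Descriptor
	for _, b := range blobs {
		layers = append(layers, Descriptor{MediaType: plainMediaType, Digest: digestOf(b), Annotations: map[string]string{}})
	}
	return layers
}

// findLayer resolves a layer identifier (its digest) to the matching manifest entry.
func findLayer(layers []Descriptor, id string) (*Descriptor, error) {
	for i := range layers {
		if layers[i].Digest == id {
			return &layers[i], nil
		}
	}
	return nil, fmt.Errorf("layer %s not found in manifest", id)
}

// EncryptLayer encrypts one selected layer under a fresh AES-256-GCM key and rewrites its entry as
// the page describes: format -> encrypted, digest -> hash of the ciphertext, annotation -> the key.
func EncryptLayer(layers []Descriptor, id string, plain []byte) ([]byte, error) {
	d, err := findLayer(layers, id)
	if err != nil {
		return nil, err
	}
	key, nonce := make([]byte, keySize), make([]byte, nonceSize)
	rand.Read(key)   // crypto/rand.Read only fails by aborting the process
	rand.Read(nonce) // fresh nonce for every layer encryption
	block, _ := aes.NewCipher(key) // neither constructor can fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || GCM tag
	d.MediaType += encSuffix
	d.Digest = digestOf(ct)
	d.Annotations[keyAnnotation] = base64.StdEncoding.EncodeToString(key)
	return ct, nil
}

// DecryptLayer follows steps 401-403: look the layer up by identifier, check the blob against the
// recorded digest, read the key from the annotation and decrypt; the GCM tag rejects altered blobs.
func DecryptLayer(layers []Descriptor, id string, ct []byte) ([]byte, error) {
	d, err := findLayer(layers, id)
	if err != nil {
		return nil, err
	}
	if !strings.HasSuffix(d.MediaType, encSuffix) || digestOf(ct) != d.Digest {
		return nil, fmt.Errorf("layer %s: not marked encrypted or blob does not match its digest", id)
	}
	key, err := base64.StdEncoding.DecodeString(d.Annotations[keyAnnotation])
	if err != nil || len(key) != keySize || len(ct) < nonceSize {
		return nil, fmt.Errorf("layer %s: malformed key annotation or blob", id)
	}
	block, _ := aes.NewCipher(key) // key length was checked above
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:nonceSize], ct[nonceSize:], nil)
}

func main() {
	blobs := [][]byte{[]byte("os layer"), []byte("middleware layer"), []byte("application layer")} // constructed
	layers := BuildLayers(blobs)
	ct, _ := EncryptLayer(layers, layers[2].Digest, blobs[2]) // encrypt only the application layer
	plain, err := DecryptLayer(layers, layers[2].Digest, ct)
	fmt.Println(layers[2].MediaType, string(plain), err)
}
```

Two points a reviewer would raise against the scheme as the page states it. First, the annotation holds the symmetric key in the clear, so anyone who can read the manifest can decrypt the layer; in a deployment the annotation should carry the key wrapped for the intended recipient, which is how the OCI encrypted-layer convention implemented by ocicrypt stores keys in layer annotations. Second, the hash written into the digest only protects anything if the decryptor verifies the blob against it before decrypting, as DecryptLayer does, and it is the authenticated mode (GCM here) that rejects a blob altered after encryption; an unauthenticated AES mode called through OpenSSL gives no such guarantee by itself.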
Fig. 7 is a schematic structural diagram of an embodiment of an electronic device provided in the present application. As shown in fig. 7, the electronic device 70 may include: a processor 71 and a memory 72.
The processor 71 is communicatively connected to the memory 72, and the memory 72 stores computer-executable instructions; the processor 71 is configured to carry out the technical solution of any of the method embodiments described above by executing the computer-executable instructions stored in the memory 72.
Alternatively, the memory 72 may be separate from or integrated with the processor 71. Optionally, when the memory 72 is a device separate from the processor 71, the electronic device 70 may further include a bus connecting the two.
The electronic device is configured to execute the technical scheme in any of the foregoing method embodiments, and its implementation principle and technical effects are similar, and are not described herein again.
The embodiment of the application further provides a computer readable storage medium, in which computer executable instructions are stored, and the computer executable instructions are used for implementing the above method when being executed by a processor, and the implementation principle and technical effects are similar, and are not described herein again.
In particular, the computer-readable storage medium may include various media capable of storing computer-executable instructions, such as a USB disk, a removable hard disk, a read-only memory (ROM), a RAM, a magnetic disk, or an optical disc. Specifically, the computer-executable instructions are stored in the computer-readable storage medium, and when they are executed by a computer, the technical solution shown in the foregoing method embodiments is carried out; the specific implementation and technical effects are similar and are not repeated here.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required in the present application.
It should be further noted that, although the steps in the flowchart are sequentially shown as indicated by arrows, the steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least a portion of the steps in the flowcharts may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order in which the sub-steps or stages are performed is not necessarily sequential, and may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
It should be understood that the above-described device embodiments are merely illustrative, and that the device of the present application may be implemented in other ways. For example, the division of the units/modules in the above embodiments is merely a logic function division, and there may be another division manner in actual implementation. For example, multiple units, modules, or components may be combined, or may be integrated into another system, or some features may be omitted or not performed.
In addition, each functional unit/module in each embodiment of the present application may be integrated into one unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated together, unless otherwise specified. The integrated units/modules described above may be implemented either in hardware or in software program modules.
The integrated units/modules, if implemented in hardware, may be digital circuits, analog circuits, etc. Physical implementations of hardware structures include, but are not limited to, transistors, memristors, and the like. Unless otherwise specified, the processor may be any suitable hardware processor, such as a CPU, GPU, FPGA, DSP or ASIC. Unless otherwise indicated, the storage elements may be any suitable magnetic or magneto-optical storage medium, such as resistive random access memory (RRAM), dynamic random access memory (DRAM), static random access memory (SRAM), enhanced dynamic random access memory (EDRAM), high-bandwidth memory (HBM), hybrid memory cube (HMC), etc.
The integrated units/modules may be stored in a computer-readable memory if implemented in the form of software program modules and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory, including several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned memory includes: a USB disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments. The technical features of the foregoing embodiments may be arbitrarily combined, and for brevity, all of the possible combinations of the technical features of the foregoing embodiments are not described, however, all of the combinations of the technical features should be considered as being within the scope of the disclosure.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A hierarchical encryption processing method for a container image, comprising:
obtaining an encryption request, the encryption request comprising: a container image to be encrypted and an identifier of an image layer selected for encryption;
according to the encryption request, acquiring a plurality of image layers of the container image to be encrypted and a layer file of each image layer, and generating a symmetric encryption key to encrypt the layer file of the image layer to be encrypted that corresponds to the identifier of the image layer selected for encryption, so as to obtain an encrypted container image.
2. The method according to claim 1, wherein acquiring, according to the encryption request, the plurality of image layers of the container image to be encrypted and the layer file of each image layer comprises:
acquiring, according to the encryption request, the plurality of image layers to be encrypted and the layer file of each image layer by using a preconfigured OCI container image specification file.
3. The method as recited in claim 2, further comprising:
acquiring, from the preconfigured OCI container image specification file, image information of the selected image layer corresponding to the identifier of the image layer selected for encryption, the image information comprising: a format of the layer file, a digest of the layer file, and an annotation of the layer file;
converting the format of the layer file into an encrypted format, encrypting the layer file, obtaining a hash value, writing the hash value into the digest of the layer file, and writing the symmetric encryption key into the annotation of the layer file, so as to update the image information.
4. The method of claim 3, wherein acquiring, from the preconfigured OCI container image specification file, the image information of the selected image layer corresponding to the identifier of the image layer selected for encryption comprises:
acquiring a code position of the identifier of the selected image layer in the preconfigured OCI container image specification file;
acquiring the image information corresponding to the code position.
5. The method according to any one of claims 1 to 4, wherein the identifier of the image layer to be encrypted comprises one or more of the following: an operating system layer, a middleware layer, and an application layer.
6. A hierarchical decryption processing method for a container image, comprising:
obtaining a decryption request, the decryption request comprising: a container image to be decrypted and an identifier of an image layer to be decrypted;
acquiring, from a preconfigured OCI container image specification file, image information of the image layer to be decrypted corresponding to the identifier of the image layer to be decrypted;
decrypting the layer file of the image layer to be decrypted according to the symmetric encryption key in the image information, so as to obtain a decrypted container image.
7. A hierarchical encryption processing apparatus for container mirroring, comprising:
the acquisition module is used for acquiring an encryption request, and the encryption request comprises: the method comprises the steps of (1) mirroring a container to be encrypted and identifying a mirror layer to be selected for encryption;
the processing module is used for acquiring the multi-layer mirror image layer of the container mirror image to be encrypted and the layer files of each layer mirror image layer according to the encryption request, generating a symmetrical encryption key, and carrying out encryption processing on the layer files in the mirror image layer to be selected and encrypted corresponding to the identification of the mirror image layer to be selected and encrypted so as to acquire the encrypted container mirror image.
8. A layered decryption processing apparatus for a container image, comprising:
the acquisition module is used for acquiring a decryption request, and the decryption request comprises: the method comprises the steps of (1) a container mirror image to be decrypted and an identification of a mirror image layer to be decrypted;
the obtaining module is further configured to obtain, from a preconfigured OCI container image specification file, image information in an image layer to be decrypted corresponding to an identifier of the image layer to be decrypted;
and the processing module is used for decrypting the layer file of the mirror image layer to be decrypted according to the symmetric encryption key in the mirror image information so as to obtain the decrypted container mirror image.
9. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 6.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 6.
CN202311833829.5A 2023-12-27 2023-12-27 Hierarchical encryption and decryption processing method, device and medium for container mirror image Pending CN117786722A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311833829.5A CN117786722A (en) 2023-12-27 2023-12-27 Hierarchical encryption and decryption processing method, device and medium for container mirror image

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311833829.5A CN117786722A (en) 2023-12-27 2023-12-27 Hierarchical encryption and decryption processing method, device and medium for container mirror image

Publications (1)

Publication Number Publication Date
CN117786722A true CN117786722A (en) 2024-03-29

Family

ID=90381577

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311833829.5A Pending CN117786722A (en) 2023-12-27 2023-12-27 Hierarchical encryption and decryption processing method, device and medium for container mirror image

Country Status (1)

Country Link
CN (1) CN117786722A (en)

Similar Documents

Publication Publication Date Title
CN113656806B (en) Trusted starting method and device of block chain all-in-one machine
CN110199287B (en) Data decapsulation using sealed enclosure
US20220027492A1 (en) Systems and methods for efficient and secure processing, accessing and transmission of data via a blockchain network
US7792300B1 (en) Method and apparatus for re-encrypting data in a transaction-based secure storage system
US7320076B2 (en) Method and apparatus for a transaction-based secure storage file system
JP5281074B2 (en) Information security apparatus and information security system
CN110226167B (en) Abstract enclave identity
CN110855430B (en) Computing system and method for managing a secure object store in a computing system
US20080229115A1 (en) Provision of functionality via obfuscated software
Shetty et al. Data security in Hadoop distributed file system
CN116070216A (en) Subordinate bounding region binary file
EP3044900A1 (en) Security processing unit with configurable access control
CN110214321B (en) Nested enclave identity
US10284534B1 (en) Storage system with controller key wrapping of data encryption key in metadata of stored data item
CN111967065B (en) Data protection method, processor and electronic equipment
EP4020265A1 (en) Method and device for storing encrypted data
US20190171841A1 (en) Method and system for encrypting files and storing the encrypted files in a storage file system
US20230093105A1 (en) Method of dynamically loading encryption engine
JP6755539B2 (en) Methods and equipment for publishing copyrighted works on networks
CN117786722A (en) Hierarchical encryption and decryption processing method, device and medium for container mirror image
Kumar et al. Data security and encryption technique for cloud storage
CN114995949A (en) Container mirror image construction method and device
JP2024500822A (en) Key installation methods, systems, devices, equipment and computer programs
Bhargavi et al. Securing BIG data: a comparative study across RSA, AES, DES, EC and ECDH
US20240064130A1 (en) Authenticating key-value data pairs for protecting node related data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination