WO2015176394A1 - File encryption method and device, and encrypted file reading method, device and terminal - Google Patents

Info

Publication number
WO2015176394A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
key
saved
encrypted
encryption
Application number
PCT/CN2014/083921
Other languages
French (fr)
Chinese (zh)
Inventor
周志军
惠文武
Original Assignee
中兴通讯股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data

Definitions

  • the present invention relates to the field of information security, and in particular, to a file encryption method and apparatus, a method, device, and terminal for reading an encrypted file.
  • BACKGROUND Some valuable files are the fruit of their authors' hard work, such as courseware in online education, including files in various formats (Word, Excel, PPT, etc.) and audio and video files, all of which need to be protected by encryption to prevent illegal access and use.
  • the usual file encryption and decryption methods and systems are inefficient, especially for large audio and video files in the field of online education.
  • the encryption and decryption takes a long time and the user experience is very poor.
  • the transparent file encryption and decryption methods based on the underlying operating system are mostly based on Windows hooks or filter drivers and need networked authentication to obtain key files and other information, so a networked server has to be deployed, which is inconvenient for users, inefficient because network transmission is involved, and in particular does not support offline use.
  • the present invention provides a file encryption method and device, and a method, device and terminal for reading an encrypted file, which can automatically encrypt and decrypt files without deploying a server and support offline use.
  • an embodiment of the present invention provides a file encryption method for encrypting a file stored on a device, where the encryption method includes: a key generation step: generating a first key for the file to be saved; a first encryption step: encrypting the first key according to a preset second key; a second encryption step: encrypting the file to be saved according to the first key, and saving the first key encrypted according to the preset second key in the header of the encrypted file to be saved.
  • before the key generation step, the method further includes a first determining step: determining, according to the stored file protection policy, whether the file to be saved needs to be encrypted, where the file protection policy is the set of conditions that an encrypted file needs to satisfy; when the file to be saved needs to be encrypted, the key generation step is entered.
  • before the first determining step, the method further includes a configuration step: configuring the file protection policy according to a first user operation instruction and storing it.
  • the key generation step includes generating a first key for the file to be saved according to the hardware information of the device, the time information, and/or the attribute information of the file to be saved.
  • the above-mentioned encryption method wherein the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, a file type of the file to be saved, and/or a file name of the file to be saved.
  • in the above encryption method, the file header of the file to be saved stores a key used for encrypting the file to be saved, and the key generation step specifically is: obtaining, from the file header of the file to be saved, the key used for encrypting the file to be saved as the first key of the file to be saved.
  • the embodiment of the present invention further provides a method for reading an encrypted file, where the file header of the encrypted file stores the encrypted first key of the encrypted file, and the reading method includes: an obtaining step: obtaining the encrypted first key of the encrypted file from the file header of the encrypted file; a first decrypting step: decrypting the encrypted first key according to the pre-stored second key to obtain the decrypted first key; a second decrypting step: decrypting the encrypted file according to the decrypted first key to obtain the decrypted file for reading.
  • in the reading method, after the second decrypting step, the method further comprises: a second determining step: receiving a second user operation instruction and determining whether it belongs to a preset rejection operation instruction set; and a prompting step: when the second user operation instruction belongs to the preset rejection operation instruction set, issuing a prompt message indicating that the second user operation instruction is not allowed to be executed.
  • the embodiment of the present invention further provides a file encryption device, configured to encrypt a file stored on a device, where the encryption device includes: a key generation module, configured to generate a first key for the file to be saved; a first encryption module, configured to encrypt the first key according to the preset second key; and a second encryption module, configured to encrypt the file to be saved according to the first key and to save the first key encrypted by the preset second key in the header of the encrypted file to be saved.
  • the above-mentioned encryption device further comprises a first determining module, configured to determine, according to the stored file protection policy, whether to encrypt the file to be saved, where the file protection policy is the set of conditions that an encrypted file needs to satisfy; when the file to be saved needs to be encrypted, the key generation module is entered.
  • the above encryption device further includes: a configuration module, configured to configure a file protection policy according to the first user operation instruction and store the file protection policy.
  • the key generation module is further configured to generate a first key for the file to be saved according to the hardware information of the device, the time information, and/or the attribute information of the file to be saved.
  • the above-mentioned encryption device wherein the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, file type of the file to be saved, and/or file name of the file to be saved.
  • in the above-mentioned encryption device, a key for encrypting the file to be saved is stored in the file header of the file to be saved, and the key generation module is further configured to obtain, from the file header of the file to be saved, the key used for encrypting the file to be saved as the first key of the file to be saved.
  • the embodiment of the present invention further provides an apparatus for reading an encrypted file, where the header of the encrypted file stores the encrypted first key of the encrypted file, and the reading apparatus includes: an acquiring module, configured to obtain the encrypted first key of the encrypted file from the header of the encrypted file; a first decrypting module, configured to decrypt the encrypted first key according to the pre-stored second key to obtain the decrypted first key; and a second decrypting module, configured to decrypt the encrypted file according to the decrypted first key to obtain the decrypted file for reading.
  • the above-mentioned reading device further comprises: a second determining module, configured to receive a second user operation instruction and determine whether it belongs to a preset rejection operation instruction set; and a prompting module, configured to issue, when the second user operation instruction belongs to the preset rejection operation instruction set, a prompt message indicating that the second user operation instruction is not allowed to be executed.
  • a further embodiment of the present invention provides a terminal comprising the apparatus as described above.
  • FIG. 1 is a schematic flowchart of a file encryption method according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic flowchart of a method for reading an encrypted file according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic flowchart of a file encryption method according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic flowchart of a method for reading an encrypted file according to Embodiment 2 of the present invention.
  • FIG. 5 is a schematic flowchart of a file encryption method according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic structural diagram of a system for realizing automatic encryption and decryption by using the file encryption method and the method for reading an encrypted file provided by the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to make the technical problems, technical solutions, and advantages of the present invention more comprehensible, the following detailed description will be made in conjunction with the accompanying drawings and specific embodiments.
  • the embodiment of the present invention addresses the problem in the prior art that, when a file is transparently encrypted and decrypted, a server needs to be deployed and offline use is not supported, and provides a file encryption method and device, and a method, device and terminal for reading an encrypted file.
  • the file encryption method provided in Embodiment 1 of the present invention is used to encrypt a file stored on a device. As shown in FIG. 1, the method includes: Step S100: generating a first key for a file to be saved; Step S102: encrypting the first key according to the preset second key; Step S104: encrypting the file to be saved according to the first key, and saving the first key encrypted according to the preset second key to the header of the encrypted file to be saved.
  • for reading a file encrypted by the above method there is a corresponding method for reading the encrypted file, which specifically includes: Step S200: obtaining the encrypted first key of the encrypted file from the file header of the encrypted file; Step S202: decrypting the encrypted first key according to the pre-stored second key to obtain the decrypted first key; Step S204: decrypting the encrypted file according to the decrypted first key to obtain the decrypted file for reading.
  • a file encryption key can be automatically generated for the file and used to encrypt it; the generated file encryption key is encrypted again according to the preset second key, and the encrypted file encryption key is stored in the file header of the encrypted file. When the encrypted file is read, the encrypted file encryption key is obtained from the header and decrypted according to the pre-stored key to obtain the decrypted file encryption key, and the file is decrypted according to the decrypted file encryption key.
  • the file to be saved may be a file to be saved after being generated for the first time, or may be a file to be saved after performing a related operation on the previously generated file.
  • the encryption and decryption process of the file is non-perceived and transparent to the user, and does not need to deploy a network server, and can be used offline, thereby achieving the purpose of convenient use and efficient file protection by the user.
  • a symmetric encryption algorithm may be used. When the file is encrypted with a symmetric algorithm, the encryption key is the password of the file, recorded as the first password; the password of the file is then encrypted with the symmetric algorithm according to the second key, which can be recorded as a second password, and the encrypted first password is stored in the file header. When a file encrypted by this method is read, the encrypted first password only needs to be decrypted with the stored second password, and after the first password is obtained the file can be decrypted and read.
  • other encryption algorithms may also be used, such as an asymmetric encryption algorithm. When an asymmetric algorithm encrypts the file with a first encryption key and encrypts the first encryption key with a second encryption key, then when the file is read, the encrypted first encryption key needs to be decrypted according to the pre-stored second decryption key corresponding to the second encryption key to obtain the first encryption key; then, according to the asymmetric algorithm used at encryption time, the first decryption key corresponding to the first encryption key is obtained and used to decrypt the file so that it can be read.
  • the first key may be generated according to the hardware information of the device, where the hardware information is in one-to-one correspondence with the device, that is, one device corresponds to one piece of hardware information, the hardware information of different devices is different, and the hardware information should be difficult to obtain; for example, it may be MAC address information. At the same time, the first key may be generated by also combining the time information, that is, the current save time of the file, and the attribute information of the file, so that each file corresponds to one first key and the first keys of different files are different.
  • the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, file type of the file to be saved, and/or file name of the file to be saved.
  • if the file to be saved has been encrypted before, there is no need to generate a new encryption key for it and the previous key can be reused: the file header of the file to be saved stores the key used for encrypting it, and the key generation step is: acquiring the key used for encrypting the file to be saved from its file header as the first key of the file to be saved. The purpose of this operation is to obtain the key used for encrypting the file to be saved from its file header and use it directly as the first key to encrypt the file, without generating a first key.
  • since not all files need to be encrypted, before the key generation step the above encryption method further includes a first determining step: determining, according to the stored file protection policy, whether the file to be saved needs to be encrypted.
  • the file protection policy is a set of conditions that the encrypted file needs to meet; when the file to be saved needs to be encrypted, the key generation step is entered.
  • the purpose of the above operation is to determine whether to encrypt the saved file by using a pre-stored file protection policy, thereby controlling whether the file needs to be encrypted.
  • the file protection policy is the set of conditions that an encrypted file needs to meet; that is, the file protection policy may include multiple conditions, and if a file satisfies any one of them the file needs to be encrypted. For example, if the file protection policy includes the following conditions: files belonging to directory 1; files whose type is Word and whose name contains "encrypted"; then a file that belongs to directory 1 needs to be encrypted, and a Word file named "Measurement Report Data - Encryption" also needs to be encrypted. File protection policies can take many forms; only one is listed here, and any other condition that can filter files can be used as a file protection policy.
  • before the first determining step, the method further includes a configuration step: configuring the file protection policy according to the first user operation instruction and storing it.
  • the purpose of the above operation is to configure the file protection policy according to the user's instructions to adapt to different needs of users.
  • in the reading method, after the second decrypting step, the method further comprises: a second determining step: receiving a second user operation instruction and determining whether it belongs to a preset rejection operation instruction set; and a prompting step: when the second user operation instruction belongs to the preset rejection operation instruction set, issuing a prompt message indicating that the second user operation instruction is not allowed to be executed.
  • the purpose of the above operation is to prevent the execution of certain operations by monitoring the user's operation instructions. After an encrypted file is opened, copy, paste and screenshot operations on its content should be prohibited, and sending the contents of the file to other processes or other devices through pipes, the network, shared memory, the clipboard, etc. is not allowed.
  • FIG. 3 is a schematic flowchart of the file encryption method according to Embodiment 2 of the present invention; as shown, it includes: Step S300: generating a file key for the file to be encrypted according to the device hardware information; Step S302: encrypting the file to be encrypted using the file key; Step S304: encrypting the file key, and saving the encrypted file key to the file header of the encrypted file; Step S306: saving the encrypted file through the file system.
  • FIG. 4 is a schematic flowchart of a method for reading an encrypted file according to Embodiment 2 of the present invention; as shown, it includes:
  • Step S400: an application reads a file; Step S402: intercepting the file content of the file, so that the application does not directly obtain the file content for display; Step S404: determining whether the file needs to be decrypted; if yes, proceeding to step S406, otherwise proceeding to step S414; Step S406: obtaining the encrypted file key from the file header and decrypting it to obtain the file key; Step S408: decrypting the file using the file key; Step S410: the application presents the decrypted file content obtained; Step S412: monitoring operation instructions on the file and prohibiting the execution of disallowed operation instructions on the file; Step S414: the application directly presents the file content obtained.
  • FIG. 5 is a schematic flowchart of the file encryption method according to Embodiment 3 of the present invention; as shown, it includes: Step S500: an application saves a file; Step S502: intercepting the file content of the file, so that the file system does not directly obtain the file content for saving; Step S504: determining whether the file needs to be encrypted; if yes, proceeding to step S506, otherwise proceeding to step S516; Step S506: determining whether the file is an encrypted file; if yes, proceeding to step S508, otherwise proceeding to step S510; Step S508: obtaining the encrypted file key from the file header and decrypting it to obtain the file key; Step S510: generating a file key for the file to be encrypted according to the device hardware information; Step S512: encrypting the file, after the file content has been written, using the file key; Step S514: encrypting the file key, and saving the encrypted file key to the file header of the encrypted file; Step S516: saving the file through the file system.
  • the present invention also provides an apparatus for reading an encrypted file, wherein the header of the encrypted file stores the encrypted first key of the encrypted file, and the reading apparatus includes: an acquiring module, configured to obtain the encrypted first key of the encrypted file from the file header of the encrypted file; a first decrypting module, configured to decrypt the encrypted first key according to the pre-stored second key to obtain the decrypted first key; and a second decrypting module, configured to decrypt the encrypted file according to the decrypted first key to obtain the decrypted file for reading.
  • the above-mentioned reading device further comprises: a second determining module, configured to receive a second user operation instruction and determine whether it belongs to a preset rejection operation instruction set; and a prompting module, configured to issue, when the second user operation instruction belongs to the preset rejection operation instruction set, a prompt message indicating that the second user operation instruction is not allowed to be executed.
  • Embodiments of the present invention also provide a terminal, including the apparatus as described above.
  • FIG. 6 is a schematic structural diagram of a system for implementing automatic encryption and decryption by using the file encryption method and the encrypted file reading method provided by the present invention.
  • as shown, the system includes: a file system 60, configured to manage the files in the system, including the storage of files;
  • the file encryption/decryption module 61 is configured to implement the functions of the first encryption module, the second encryption module, the first decryption module, and the second decryption module of the foregoing apparatus, and encrypt and decrypt the content to be encrypted and decrypted according to the key;
  • the key generation module 62 is configured to generate a file key.
  • the configuration module 63 is configured to configure the stored file protection policy.
  • the file filtering driver module 64 is configured to implement the function of the acquiring module of the device, and is also used to intercept the file interaction between the application and the file system; it can intercept file data, that is, both reading and saving of files need to pass through this module; the application 65 is set to operate on files stored in the file system, and can read, modify and save files; the monitoring module 66 is set to implement the functions of the second determining module and the prompting module of the device: it monitors the operation instructions issued by the user, prohibits the execution of disallowed operation instructions, does not allow plaintext content to be sent to other processes or other machines through pipes, the network, shared memory, the clipboard and the like, and does not allow screenshots.
  • the process of encrypting and decrypting files is based on the underlying driver of the system, running in kernel mode, so the efficiency is very high.
  • the above is a preferred embodiment of the present invention, and it should be noted that those skilled in the art can also make several improvements and modifications without departing from the principles of the present invention; these should also be considered within the scope of protection of the present invention.
  • Industrial applicability: the encryption and decryption scheme provided by the embodiments of the invention can automatically complete the encryption and decryption of files, does not need a server to be deployed, and supports offline use.
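The envelope scheme laid out in the steps above (a per-file first key, wrapped under a preset second key and carried in the file header; S100 to S104 when saving, S200 to S204 when reading, and S506/S508 reusing the key of an already-encrypted file on re-save) as a runnable Go example. This is an added example, not code from the patent or its assignee. The header layout, the `ENC1` marker, the use of AES-256-GCM for both the key wrap and the body, and the choice of a random per-file key instead of one derived from hardware information, time and file attributes are all assumptions of this example; `ParseEnvelope` succeeding is this example's version of the S506 "is it already an encrypted file" check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Header layout assumed by this example (the patent does not fix one):
// magic(4) | wrapped first key (nonce+key+tag) | nonce(12) | AES-GCM body.
var magic = []byte("ENC1") // hypothetical marker: "carries an envelope header"

const keyLen, wrappedLen = 32, 12 + 32 + 16 // AES-256 file key; GCM nonce + key + tag

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM(key, nonce, plaintext, aad) under a fresh nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; a wrong key or any modified byte fails authentication.
func open(key, data, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("envelope body too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], aad)
}

// ParseEnvelope splits an encrypted file into header key and body (obtaining step: S200 / S406 / S508).
func ParseEnvelope(env []byte) (wrapped, body []byte, err error) {
	if len(env) < 4+wrappedLen || !bytes.Equal(env[:4], magic) {
		return nil, nil, errors.New("not an encrypted file")
	}
	return env[4 : 4+wrappedLen], env[4+wrappedLen:], nil
}

// EncryptFile implements S100 to S104. When previous is an earlier version of the
// same encrypted file, its wrapped key is reused (S506/S508) instead of generating a new one.
func EncryptFile(deviceKey, plaintext, previous []byte) ([]byte, error) {
	var fileKey, wrapped []byte
	var err error
	if previous != nil {
		if wrapped, _, err = ParseEnvelope(previous); err != nil {
			return nil, err
		}
		if fileKey, err = open(deviceKey, wrapped, magic); err != nil {
			return nil, err
		}
	} else {
		fileKey = make([]byte, keyLen) // key generation step (S100)
		if _, err = rand.Read(fileKey); err != nil {
			return nil, err
		}
		if wrapped, err = seal(deviceKey, fileKey, magic); err != nil { // first encryption step (S102)
			return nil, err
		}
	}
	// Second encryption step (S104). The wrapped key is bound as AAD, so a
	// header transplanted from another file fails to authenticate.
	body, err := seal(fileKey, plaintext, wrapped)
	if err != nil {
		return nil, err
	}
	return append(append(append([]byte{}, magic...), wrapped...), body...), nil
}

// DecryptFile implements S200 to S204: unwrap the first key with the device key, then decrypt the body.
func DecryptFile(deviceKey, env []byte) ([]byte, error) {
	wrapped, body, err := ParseEnvelope(env)
	if err != nil {
		return nil, err
	}
	fileKey, err := open(deviceKey, wrapped, magic) // first decryption step (S202)
	if err != nil {
		return nil, err
	}
	return open(fileKey, body, wrapped) // second decryption step (S204)
}
```

Two design points worth noting: the body is authenticated together with the wrapped key, so swapping headers between two files or flipping a byte of the body is rejected rather than yielding garbage, and a device key that does not unwrap the header fails at S202 before any file content is touched. Re-saving with `previous` keeps the same wrapped key bytes, which is the behaviour the S506/S508 branch describes.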

Abstract

Provided are a file encryption method and device, and encrypted file reading method, device and terminal. The file encryption method is used to encrypt a file stored on a device, and comprises: a key generation step of generating a first key for a file to be stored; a first encryption step of encrypting the first key according to a preset second key; and a second encryption step of encrypting the file to be stored according to the first key, and storing the first key encrypted according to the preset second key in the file header of the encrypted file to be stored. The technical solution of the present invention automatically encrypts and decrypts the file without deploying a server, and supports offline encryption and decryption.

Description

File encryption method and device, encrypted file reading method, device and terminal

TECHNICAL FIELD

The present invention relates to the field of information security, and in particular to a file encryption method and device, and an encrypted file reading method, device and terminal.

BACKGROUND

Some very valuable files are the fruit of their authors' hard work, such as courseware in the field of online education, including files in various formats (Word, Excel, PPT, etc.) and audio and video files; all of these need to be protected with encryption technology to prevent illegal access and use. The file encryption and decryption methods and systems in common use today are inefficient; for the large audio and video files of online education in particular, encryption and decryption take a very long time and the user experience is very poor. The transparent file encryption and decryption methods that currently work at the operating-system level are mostly based on Windows hooks or filter drivers; to obtain key files and other information they need networked authentication, so all of them require a networked server to be deployed, which is inconvenient for users, inefficient because network transmission is involved, and in particular does not support offline use.

SUMMARY

To solve the above technical problems, the present invention provides a file encryption method and device, and an encrypted file reading method, device and terminal, which can complete the encryption and decryption of files automatically without deploying a server and support offline use.

To achieve the above objective, an embodiment of the present invention provides a file encryption method for encrypting a file stored on a device, the encryption method including: a key generation step: generating a first key for a file to be saved; a first encryption step: encrypting the first key according to a preset second key; a second encryption step: encrypting the file to be saved according to the first key, and saving the first key encrypted according to the preset second key into the file header of the encrypted file to be saved.

In the above encryption method, before the key generation step the method further includes a first determining step: determining, according to a stored file protection policy, whether the file to be saved needs to be encrypted, the file protection policy being the set of conditions that an encrypted file needs to satisfy; when the file to be saved needs to be encrypted, entering the key generation step.

In the above encryption method, before the first determining step the method further includes a configuration step: configuring the file protection policy according to a first user operation instruction and storing it.

In the above encryption method, the key generation step includes generating the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved.

In the above encryption method, the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved.

In the above encryption method, the file header of the file to be saved stores a key used for encrypting the file to be saved, and the key generation step specifically is: obtaining, from the file header of the file to be saved, the key used for encrypting the file to be saved as the first key of the file to be saved.

An embodiment of the present invention further provides a method for reading an encrypted file, the file header of the encrypted file storing the encrypted first key of the encrypted file, the reading method including: an obtaining step: obtaining the encrypted first key of the encrypted file from the file header of the encrypted file; a first decryption step: decrypting the encrypted first key according to a pre-stored second key to obtain the decrypted first key; a second decryption step: decrypting the encrypted file according to the decrypted first key to obtain the decrypted file for reading.

In the above reading method, after the second decryption step the method further includes a second determining step: receiving a second user operation instruction and determining whether the second user operation instruction belongs to a preset rejection operation instruction set; and a prompting step: when the second user operation instruction belongs to the preset rejection operation instruction set, issuing a prompt message indicating that the second user operation instruction is not allowed to be executed.

An embodiment of the present invention further provides a file encryption device for encrypting a file stored on a device, the encryption device including: a key generation module configured to generate a first key for a file to be saved; a first encryption module configured to encrypt the first key according to a preset second key; a second encryption module configured to encrypt the file to be saved according to the first key and to save the first key encrypted according to the preset second key into the file header of the encrypted file to be saved.

The above encryption device further includes a first determining module configured to determine, according to a stored file protection policy, whether the file to be saved needs to be encrypted, the file protection policy being the set of conditions that an encrypted file needs to satisfy; when the file to be saved needs to be encrypted, the key generation module is entered.

The above encryption device further includes a configuration module configured to configure the file protection policy according to a first user operation instruction and store it.

In the above encryption device, the key generation module is further configured to generate the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved.

In the above encryption device, the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved.

In the above encryption device, the file header of the file to be saved stores a key used for encrypting the file to be saved, and the key generation module is further configured to obtain, from the file header of the file to be saved, the key used for encrypting the file to be saved as the first key of the file to be saved.

An embodiment of the present invention further provides a device for reading an encrypted file, the file header of the encrypted file storing the encrypted first key of the encrypted file, the reading device including: an obtaining module configured to obtain the encrypted first key of the encrypted file from the file header of the encrypted file; a first decryption module configured to decrypt the encrypted first key according to a pre-stored second key to obtain the decrypted first key; a second decryption module configured to decrypt the encrypted file according to the decrypted first key to obtain the decrypted file for reading.

The above reading device further includes a second determining module configured to receive a second user operation instruction and determine whether the second user operation instruction belongs to a preset rejection operation instruction set; and a prompting module configured to issue, when the second user operation instruction belongs to the preset rejection operation instruction set, a prompt message indicating that the second user operation instruction is not allowed to be executed.

An embodiment of the present invention further provides a terminal including the device described above.

The beneficial effects of the above technical solutions of the embodiments of the present invention are as follows: the embodiments of the present invention provide a file encryption method and device, and an encrypted file reading method, device and terminal, which can complete the encryption and decryption of files automatically without deploying a server and support offline use.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic flowchart of the file encryption method provided by Embodiment 1 of the present invention.
FIG. 2 is a schematic flowchart of the encrypted file reading method provided by Embodiment 1 of the present invention.
FIG. 3 is a schematic flowchart of the file encryption method provided by Embodiment 2 of the present invention.
FIG. 4 is a schematic flowchart of the encrypted file reading method provided by Embodiment 2 of the present invention.
FIG. 5 is a schematic flowchart of the file encryption method provided by Embodiment 3 of the present invention.
FIG. 6 is a schematic structural diagram of a system that implements automatic encryption and decryption using the file encryption method and the encrypted file reading method provided by the present invention.

DETAILED DESCRIPTION

To make the technical problems to be solved, the technical solutions and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments.

Addressing the problem in the prior art that transparent encryption and decryption of files requires a server to be deployed and does not support offline use, the embodiments of the present invention provide a file encryption method and device, and an encrypted file reading method, device and terminal, which can complete the encryption and decryption of files automatically without deploying a server and support offline use.

The file encryption method provided by Embodiment 1 of the present invention is used to encrypt a file stored on a device. As shown in FIG. 1, the method includes:
Step S100: generate a first key for the file to be saved;
Step S102: encrypt the first key according to a preset second key;
Step S104: encrypt the file to be saved according to the first key, and save the first key encrypted according to the preset second key into the file header of the encrypted file to be saved.

For reading a file encrypted with the above encryption method there is a corresponding method for reading an encrypted file, which specifically includes:
Step S200: obtain the encrypted first key of the encrypted file from the file header of the encrypted file;
Step S202: decrypt the encrypted first key according to a pre-stored second key to obtain the decrypted first key;
Step S204: decrypt the encrypted file according to the decrypted first key to obtain the decrypted file for reading.

In the embodiments of the present invention, a file encryption key can be generated automatically for a file and used to encrypt it; the generated file encryption key is encrypted again according to the preset second key, and the encrypted file encryption key is saved in the file header of the encrypted file. When the encrypted file is read, once the encrypted file encryption key has been obtained from the file header, it can be decrypted according to the pre-stored key to obtain the decrypted file encryption key, and the file is decrypted according to the decrypted file encryption key. The file to be saved may be a file to be saved after being generated for the first time, or a file to be saved after related operations have been performed on a previously generated file. The encryption and decryption process is imperceptible and transparent to the user, requires no network server to be deployed, and can be used offline, so that the user can use files conveniently and the files are protected efficiently.

A symmetric encryption algorithm may be used for encryption. When a file is encrypted with a symmetric encryption algorithm, the encryption key at that time is the file's password, recorded as the first password; the file's password is then encrypted with the symmetric encryption algorithm according to the second key, which may be recorded as the second password, and the encrypted first password is saved in the file header. When a file encrypted with this method is read, it is only necessary to decrypt the encrypted first password according to the pre-stored second password; once the first password has been obtained, the file is decrypted and can be read.

Of course, other encryption algorithms may also be used, such as an asymmetric encryption algorithm. When an asymmetric encryption algorithm is used to encrypt the file with a first encryption key and to encrypt the first encryption key with a second encryption key, then when the file is read, the encrypted first encryption key needs to be decrypted according to the pre-stored second decryption key corresponding to the second encryption key to obtain the first encryption key; then, according to the asymmetric encryption algorithm used at encryption time, the first decryption key corresponding to the first encryption key is obtained and the file is decrypted so that it can be read.

In the above encryption method, the key generation step further generates the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved. The first key may be generated according to hardware information of the device; this hardware information may be information in one-to-one correspondence with the device, that is, one device corresponds to one piece of hardware information, the hardware information differs between devices, and it should be information that is not easy to obtain, for example MAC address information. At the same time, time information, that is, the current save time of the file, and attribute information of the file may also be combined to generate the first key, so that every file corresponds to one first key and different files have different first keys. The attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved.

If the file to be saved has been encrypted before, there is no need to generate a new encryption key for encrypting it; the previous encryption key can be used directly. That is, if a file was originally an encrypted file and, after editing, needs to be saved again, the previous encryption key can be reused when it is saved again. Therefore, in the above encryption method, the file header of the file to be saved stores the key used for encrypting the file to be saved, and the key generation step specifically is: obtaining, from the file header of the file to be saved, the key used for encrypting the file to be saved as the first key of the file to be saved. The purpose of this operation is to obtain the key used for encrypting the file from the file header of the file to be saved and to use that key directly as the first key to encrypt the file, without generating a first key.

Since not all files need to be encrypted, in the above encryption method, before the key generation step, the method further includes a first determining step: determining, according to a stored file protection policy, whether the file to be saved needs to be encrypted, the file protection policy being the set of conditions that an encrypted file needs to satisfy; when the file to be saved needs to be encrypted, entering the key generation step. The purpose of this operation is to decide, by means of the pre-stored file protection policy, whether the file to be saved is encrypted, so that whether a file needs to be encrypted can be controlled. The file protection policy is the set of conditions that an encrypted file needs to satisfy; that is, the file protection policy may include several conditions, and a file that satisfies any one of them needs to be encrypted. For example, if the file protection policy includes the following conditions: files under directory 1; files whose type is Word and whose file name contains "encrypted"; then a file under directory 1 needs to be encrypted, and a Word file named "Measurement Report Data - Encrypted" also needs to be encrypted. Of course, a file protection policy can take many forms; only one is listed here, and any other form of condition that can filter files can serve as a file protection policy.

It should be possible to modify the pre-stored file protection policy to suit different needs; therefore, in the above encryption method, before the first determining step the method further includes a configuration step: configuring the file protection policy according to a first user operation instruction and storing it. The purpose of this operation is that the file protection policy can be configured according to the user's instructions to suit users' different needs.

After an encrypted file has been read, since it is an encrypted file, its content must not be leaked easily; therefore, once the encrypted file has been opened for reading, user operations that would leak the file's content should be prevented. Therefore, in the above reading method, after the second decryption step the method further includes a second determining step: receiving a second user operation instruction and determining whether the second user operation instruction belongs to a preset rejection operation instruction set; and a prompting step: when the second user operation instruction belongs to the preset rejection operation instruction set, issuing a prompt message indicating that the second user operation instruction is not allowed to be executed. The purpose of this operation is to prevent certain operations from being executed by monitoring the user's operation instructions. For example, after an encrypted file has been opened, copy, paste and screenshot operations on the content of the encrypted file should be prohibited, and sending the content of the file to other processes or other devices through pipes, the network, shared memory, the clipboard and the like should not be allowed.

FIG. 3 is a schematic flowchart of the file encryption method provided by Embodiment 2 of the present invention; as shown, it includes:
Step S300: generate a file key for the file to be encrypted according to the device hardware information;
Step S302: encrypt the file to be encrypted using the file key;
Step S304: encrypt the file key and save the encrypted file key into the file header of the encrypted file;
Step S306: save the encrypted file through the file system.

FIG. 4 is a schematic flowchart of the encrypted file reading method provided by Embodiment 2 of the present invention; as shown, it includes:
Step S400: an application reads a file;
Step S402: intercept the file content of the file so that the application does not obtain the file content directly for display;
Step S404: determine whether the file needs to be decrypted; if so, go to step S406, otherwise go to step S414;
Step S406: obtain the encrypted file key from the file header and decrypt it to obtain the file key;
Step S408: decrypt the file using the file key;
Step S410: the application presents the decrypted file content obtained;
Step S412: monitor operation instructions on the file and prohibit the execution of disallowed operation instructions on the file;
Step S414: the application directly presents the file content obtained.

FIG. 5 is a schematic flowchart of the file encryption method provided by Embodiment 3 of the present invention; as shown, it includes:
Step S500: an application saves a file;
Step S502: intercept the file content of the file so that the file system does not obtain the file content directly for saving;
Step S504: determine whether the file needs to be encrypted; if so, go to step S506, otherwise go to step S516;
Step S506: determine whether the file is an encrypted file; if so, go to step S508, otherwise go to step S510;
Step S508: obtain the encrypted file key from the file header and decrypt it to obtain the file key;
Step S510: generate a file key for the file to be encrypted according to the device hardware information;
Step S512: encrypt the file, after the file content has been written, using the file key;
Step S514: encrypt the file key and save the encrypted file key into the file header of the encrypted file;
Step S516: save the file through the file system.

An embodiment of the present invention further provides a file encryption device for encrypting a file stored on a device, the encryption device including: a key generation module configured to generate a first key for a file to be saved; a first encryption module configured to encrypt the first key according to a preset second key; a second encryption module configured to encrypt the file to be saved according to the first key and to save the first key encrypted according to the preset second key into the file header of the encrypted file to be saved.

The above encryption device further includes a first determining module configured to determine, according to a stored file protection policy, whether the file to be saved needs to be encrypted, the file protection policy being the set of conditions that an encrypted file needs to satisfy; when the file to be saved needs to be encrypted, the key generation module is entered.

The above encryption device further includes a configuration module configured to configure the file protection policy according to a first user operation instruction and store it.

In the above encryption device, the key generation module is further configured to generate the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved.

In the above encryption device, the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved.

In the above encryption device, the file header of the file to be saved stores a key used for encrypting the file to be saved, and the key generation module is further configured to obtain, from the file header of the file to be saved, the key used for encrypting the file to be saved as the first key of the file to be saved.

The present invention further provides a device for reading an encrypted file, the file header of the encrypted file storing the encrypted first key of the encrypted file, the reading device including: an obtaining module configured to obtain the encrypted first key of the encrypted file from the file header of the encrypted file; a first decryption module configured to decrypt the encrypted first key according to a pre-stored second key to obtain the decrypted first key; a second decryption module configured to decrypt the encrypted file according to the decrypted first key to obtain the decrypted file for reading.

The above reading device further includes a second determining module configured to receive a second user operation instruction and determine whether the second user operation instruction belongs to a preset rejection operation instruction set; and a prompting module configured to issue, when the second user operation instruction belongs to the preset rejection operation instruction set, a prompt message indicating that the second user operation instruction is not allowed to be executed.

An embodiment of the present invention further provides a terminal including the device described above.

FIG. 6 is a schematic structural diagram of a system that implements automatic encryption and decryption using the file encryption method and the encrypted file reading method provided by the present invention; as shown, it includes:
a file system 60, configured to manage the files in the system, including the storage of files;
a file encryption/decryption module 61, configured to implement the functions of the first encryption module, the second encryption module, the first decryption module and the second decryption module of the above device, encrypting and decrypting the content to be encrypted or decrypted according to the key;
a key generation module 62, configured to generate file keys;
a configuration module 63, configured to configure the stored file protection policy;
a file filter driver module 64, configured to implement the function of the obtaining module of the above device and also to intercept the file interactions between applications and the file system; it can intercept file data, that is, both read and save operations on files must pass through this module;
an application 65, configured to operate on the files stored in the file system, and able to read, modify and save files;
a monitoring module 66, configured to implement the functions of the second determining module and the prompting module of the above device, monitoring the operation instructions issued by the user, prohibiting the execution of disallowed operation instructions, not allowing plaintext content to be sent to other processes or other machines through pipes, the network, shared memory, the clipboard and the like, and not allowing screenshots.

The file encryption and decryption process is based on the system's underlying driver and runs in kernel mode, so it is highly efficient.

The above is a preferred embodiment of the present invention; it should be noted that, for those of ordinary skill in the art,
The present invention relates to the field of information security, and in particular to a file encryption method and device, and a method, device and terminal for reading an encrypted file.

BACKGROUND

Some valuable documents are the hard work of their authors, such as online courseware, which includes files in various formats (word, excel, ppt, etc.) and audio and video files, all of which need to be protected by encryption to prevent illegal access and use. At present, the usual file encryption and decryption methods and systems are inefficient, especially for the large audio and video files used in online education: encryption and decryption take a long time and the user experience is very poor. At present, transparent file encryption and decryption based on the underlying operating system is mostly implemented with Windows hooks or filter drivers. To obtain information such as key files, network authentication is required, so a networked server has to be deployed. This is inconvenient for users; because it involves network transmission it is not efficient, and in particular it does not support offline use.

SUMMARY OF THE INVENTION

To solve the above problems, the present invention provides a file encryption method and device, and a method, device and terminal for reading an encrypted file, which can automatically encrypt and decrypt files without deploying a server and support offline use.
To achieve the above object, an embodiment of the present invention provides a file encryption method for encrypting a file stored on a device, the encryption method including: a key generation step: generating a first key for the file to be saved; a first encryption step: encrypting the first key using a preset second key; a second encryption step: encrypting the file to be saved using the first key, and saving the first key encrypted with the preset second key in the file header of the encrypted file to be saved. In the above encryption method, before the key generation step, the method further includes: a first determining step: determining, according to a stored file protection policy, whether the file to be saved needs to be encrypted, where the file protection policy is the set of conditions an encrypted file must satisfy; when the file to be saved needs to be encrypted, the key generation step is entered. In the above encryption method, before the first determining step, the method further includes: a configuration step: configuring the file protection policy according to a first user operation instruction and storing it. In the above encryption method, the key generation step includes generating the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved. In the above encryption method, the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved. In the above encryption method, the file header of the file to be saved stores a key that was used to encrypt the file to be saved, and the key generation step specifically is: obtaining, from the file header of the file to be saved, the key used to encrypt the file to be saved, as the first key of the file to be saved.

An embodiment of the present invention further provides a method for reading an encrypted file, where the file header of the encrypted file stores the encrypted first key of the encrypted file, and the reading method includes: an obtaining step: obtaining the encrypted first key of the encrypted file from the file header of the encrypted file; a first decryption step: decrypting the encrypted first key using the pre-stored second key to obtain the decrypted first key; a second decryption step: decrypting the encrypted file using the decrypted first key to obtain the decrypted file for reading. In the above reading method, after the second decryption step, the method further includes: a second determining step: receiving a second user operation instruction and determining whether the second user operation instruction belongs to a preset set of rejected operation instructions; a prompting step: when the second user operation instruction belongs to the preset set of rejected operation instructions, issuing a prompt message indicating that the second user operation instruction is not allowed to be executed.

An embodiment of the present invention further provides a file encryption device, configured to encrypt a file stored on a device, the encryption device including: a key generation module, configured to generate a first key for the file to be saved; a first encryption module, configured to encrypt the first key using a preset second key; a second encryption module, configured to encrypt the file to be saved using the first key, and to save the first key encrypted with the preset second key in the file header of the encrypted file to be saved. The above encryption device further includes: a first determining module, configured to determine, according to the stored file protection policy, whether the file to be saved needs to be encrypted, where the file protection policy is the set of conditions an encrypted file must satisfy; when the file to be saved needs to be encrypted, the key generation module is entered. The above encryption device further includes: a configuration module, configured to configure the file protection policy according to a first user operation instruction and store it. In the above encryption device, the key generation module is further configured to generate the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved. In the above encryption device, the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved. In the above encryption device, the file header of the file to be saved stores a key that was used to encrypt the file to be saved, and the key generation module is further configured to obtain, from the file header of the file to be saved, the key used to encrypt the file to be saved, as the first key of the file to be saved.

An embodiment of the present invention further provides a device for reading an encrypted file, where the file header of the encrypted file stores the encrypted first key of the encrypted file, and the reading device includes: an obtaining module, configured to obtain the encrypted first key of the encrypted file from the file header of the encrypted file; a first decryption module, configured to decrypt the encrypted first key using the pre-stored second key to obtain the decrypted first key; a second decryption module, configured to decrypt the encrypted file using the decrypted first key to obtain the decrypted file for reading. The above reading device further includes: a second determining module, configured to receive a second user operation instruction and determine whether the second user operation instruction belongs to a preset set of rejected operation instructions; a prompting module, configured to issue, when the second user operation instruction belongs to the preset set of rejected operation instructions, a prompt message indicating that the second user operation instruction is not allowed to be executed. An embodiment of the present invention further provides a terminal including the device described above.

The beneficial effects of the above technical solutions of the embodiments of the present invention are as follows: the embodiments of the present invention provide a file encryption method and device, and a method, device and terminal for reading an encrypted file, which can automatically encrypt and decrypt files without deploying a server and support offline use.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic flowchart of the file encryption method provided by Embodiment 1 of the present invention. FIG. 2 is a schematic flowchart of the method for reading an encrypted file provided by Embodiment 1 of the present invention. FIG. 3 is a schematic flowchart of the file encryption method provided by Embodiment 2 of the present invention. FIG. 4 is a schematic flowchart of the method for reading an encrypted file provided by Embodiment 2 of the present invention. FIG. 5 is a schematic flowchart of the file encryption method provided by Embodiment 3 of the present invention. FIG. 6 is a schematic structural diagram of a system that implements automatic encryption and decryption using the file encryption method and the method for reading an encrypted file provided by the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

To make the technical problems, technical solutions and advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments. The embodiments of the present invention address the problem in the prior art that transparent encryption and decryption of files requires a server to be deployed and does not support offline use, and provide a file encryption method and device, and a method, device and terminal for reading an encrypted file, which can automatically encrypt and decrypt files without deploying a server and support offline use.

The file encryption method provided by Embodiment 1 of the present invention is used to encrypt a file stored on a device. As shown in FIG. 1, the method includes: step S100, generating a first key for the file to be saved; step S102, encrypting the first key using a preset second key; step S104, encrypting the file to be saved using the first key, and saving the first key encrypted with the preset second key in the file header of the encrypted file to be saved.
Correspondingly, when a file encrypted by the above encryption method is read, a method for reading an encrypted file is used, which specifically includes: step S200, obtaining the encrypted first key of the encrypted file from the file header of the encrypted file; step S202, decrypting the encrypted first key using the pre-stored second key to obtain the decrypted first key; step S204, decrypting the encrypted file using the decrypted first key to obtain the decrypted file for reading.

In the embodiments of the present invention, a file encryption key can be generated automatically for a file and used to encrypt it; the generated file encryption key is then encrypted again using the preset second key, and the encrypted file encryption key is stored in the file header of the encrypted file. When the encrypted file is read, the encrypted file encryption key is obtained from the file header and decrypted using the pre-stored key to obtain the decrypted file encryption key, and the file is decrypted using the decrypted file encryption key. The file to be saved may be a file saved after being generated for the first time, or a file saved after related operations have been performed on a previously generated file. The encryption and decryption of the file is imperceptible and transparent to the user, requires no network server and can be used offline, so that the file is both convenient to use and efficiently protected.

A symmetric encryption algorithm may be used for the encryption. When a file is encrypted with a symmetric encryption algorithm, the encryption key is the password of the file and is recorded as the first password; the password of the file is then encrypted with a symmetric encryption algorithm using the second key, so the second key can be recorded as the second password, and the encrypted first password is stored in the file header. When a file encrypted by this method is read, the encrypted first password is simply decrypted using the pre-stored second password, and once the first password is obtained, the file is decrypted and can be read. Of course, other encryption algorithms may also be used, such as an asymmetric encryption algorithm. When an asymmetric encryption algorithm is used, the file is encrypted with a first encryption key and the first encryption key is encrypted with a second encryption key; when the file is read, the encrypted first encryption key is decrypted using the pre-stored second decryption key corresponding to the second encryption key to obtain the first encryption key, and then, according to the asymmetric encryption algorithm used for encryption, the first decryption key corresponding to the first encryption key is obtained and used to decrypt the file so that it can be read.

In the above encryption method, the key generation step further generates the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved. The first key may be generated from the hardware information of the device. This hardware information may be information in one-to-one correspondence with the device, that is, one device corresponds to one piece of hardware information and different devices have different hardware information, and it should be information that is not easy to obtain, for example MAC address information. At the same time, time information, that is, the current save time of the file, and the attribute information of the file may be combined to generate the first key, so that each file corresponds to its own first key and different files have different first keys. The attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved.

If the file to be saved has been encrypted before, there is no need to generate a new encryption key for it; the previous encryption key can be used directly. That is, when a file that was already encrypted is edited and needs to be saved again, the previous encryption key can be reused on re-saving. Therefore, in the above encryption method, where the file header of the file to be saved stores the key used to encrypt the file to be saved, the key generation step specifically is: obtaining, from the file header of the file to be saved, the key used to encrypt the file to be saved, as the first key of the file to be saved. The purpose of this operation is to obtain the key used to encrypt the file to be saved from its file header and use that key directly as the first key to encrypt the file to be saved, without generating a first key.

Since not all files need to be encrypted, in the above encryption method, before the key generation step, the method further includes: a first determining step: determining, according to the stored file protection policy, whether the file to be saved needs to be encrypted, where the file protection policy is the set of conditions an encrypted file must satisfy; when the file to be saved needs to be encrypted, the key generation step is entered.
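The envelope scheme described above (a per-file first key, wrapped with the device-wide second key and stored in the file header; reuse of the first key when an already-encrypted file is re-saved; derivation of the first key from hardware information, save time and file attributes), as an added Go example that is not the patent's code. The header layout, the "ENVF" marker, AES-256-GCM for both layers, the MAC-address string used as hardware information and all function names are assumptions. The random salt mixed into the key derivation is also an addition: a key computed only from a MAC address, a timestamp and a file name can be recomputed by anyone who learns those values, and a MAC address is not a secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
	"time"
)

// On-disk layout (an assumption; the patent fixes no header format), both layers AES-256-GCM:
//   magic(4) | keyNonce(12) | wrappedFirstKey(32+16) | bodyNonce(12) | body(len+16)
const (
	magic     = "ENVF" // constructed marker for the S506 "already encrypted?" check
	keyLen    = 32
	nonceLen  = 12
	wrapLen   = keyLen + 16 // wrapped first key plus GCM tag
	headerLen = 4 + nonceLen + wrapLen + nonceLen
)
// FileAttrs is the attribute information the patent feeds into key generation.
type FileAttrs struct{ Dir, Type, Name string }

// randBytes draws n bytes from crypto/rand; a failing system CSPRNG is not recoverable here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM for a key; every key here is keyLen bytes, so failure is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

func seal(key, pt []byte) (nonce, ct []byte) {
	nonce = randBytes(nonceLen) // fresh nonce per encryption
	return nonce, aead(key).Seal(nil, nonce, pt, nil)
}

// DeriveFirstKey mixes the inputs the patent names (hardware information, save time, file
// attributes) with 16 random bytes. The random input is an addition: a key derived only from
// a MAC address, a timestamp and a file name could be recomputed from the file's own metadata.
func DeriveFirstKey(hardwareInfo []byte, savedAt time.Time, a FileAttrs) []byte {
	mac := hmac.New(sha256.New, hardwareInfo)
	fmt.Fprintf(mac, "%d\x00%s\x00%s\x00%s\x00", savedAt.UnixNano(), a.Dir, a.Type, a.Name)
	mac.Write(randBytes(16))
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

// IsEncrypted is the S506 check: does the file already carry our header?
func IsEncrypted(data []byte) bool {
	return len(data) >= headerLen && string(data[:4]) == magic
}

// UnwrapFirstKey is S200/S202: decrypt the header's wrapped first key with the second key.
// A header altered on disk fails the GCM tag check here instead of yielding a wrong key.
func UnwrapFirstKey(secondKey, data []byte) ([]byte, error) {
	if !IsEncrypted(data) {
		return nil, fmt.Errorf("no encryption header")
	}
	h := data[4:]
	return aead(secondKey).Open(nil, h[:nonceLen], h[nonceLen:nonceLen+wrapLen], nil)
}

// EncryptForSave is the save path of Embodiment 3: reuse the first key when the previous
// version was already encrypted (S508), otherwise derive one (S510); encrypt the body (S512)
// and store the wrapped first key in the header (S514).
func EncryptForSave(secondKey, hardwareInfo []byte, a FileAttrs, plaintext, previous []byte) ([]byte, error) {
	firstKey, err := UnwrapFirstKey(secondKey, previous)
	if !IsEncrypted(previous) {
		firstKey, err = DeriveFirstKey(hardwareInfo, time.Now(), a), nil
	}
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped := seal(secondKey, firstKey)
	bodyNonce, body := seal(firstKey, plaintext)
	out := append([]byte(magic), keyNonce...)
	out = append(out, wrapped...)
	out = append(out, bodyNonce...)
	return append(out, body...), nil
}

// ReadEncrypted is S200-S204: unwrap the first key, then decrypt the body with it.
func ReadEncrypted(secondKey, data []byte) ([]byte, error) {
	firstKey, err := UnwrapFirstKey(secondKey, data)
	if err != nil {
		return nil, err
	}
	return aead(firstKey).Open(nil, data[4+nonceLen+wrapLen:headerLen], data[headerLen:], nil)
}
```

A first save is `EncryptForSave(secondKey, hw, attrs, plaintext, nil)`; a re-save passes the previous encrypted bytes as `previous`, and the wrapped key in the new header unwraps to the same first key even though the nonces differ. Everything in this design rests on how the pre-stored second key is protected on the device, which the description leaves open; the example simply takes it as a parameter. Using an authenticated mode for both layers means a wrong second key or a corrupted header is reported as an error rather than silently producing a wrong key and garbage plaintext.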
The purpose of this operation is to decide, by means of the pre-stored file protection policy, whether the file to be saved is encrypted, so that whether a file needs encryption can be controlled. The file protection policy is the set of conditions an encrypted file must satisfy; that is, the file protection policy may include several conditions, and a file that satisfies any one of them needs to be encrypted. For example, if the file protection policy includes the conditions: files under directory 1; and files of type word whose file name contains "加密" ("encrypted"), then a file under directory 1 needs to be encrypted, and a word file named "测量报告数据-加密" ("measurement report data - encrypted") also needs to be encrypted. Of course, the file protection policy can take many forms; only one is listed here, and any other form of condition that can filter files can serve as the file protection policy.

The pre-stored file protection policy should be modifiable to suit different needs. Therefore, in the above encryption method, before the first determining step, the method further includes: a configuration step: configuring the file protection policy according to a first user operation instruction and storing it. The purpose of this operation is to allow the file protection policy to be configured according to the user's instructions, to suit the user's different needs.

After an encrypted file has been read, the fact that it is an encrypted file means that its content must not be easily leaked. Therefore, once the encrypted file has been opened for reading, certain user operations that would leak the content of the file should be prevented. Accordingly, in the above reading method, after the second decryption step, the method further includes: a second determining step: receiving a second user operation instruction and determining whether the second user operation instruction belongs to a preset set of rejected operation instructions; a prompting step: when the second user operation instruction belongs to the preset set of rejected operation instructions, issuing a prompt message indicating that the second user operation instruction is not allowed to be executed. The purpose of this operation is to prevent certain operations from being executed by monitoring the user's operation instructions. For example, after an encrypted file has been opened, copying, pasting and taking screenshots of the content of the encrypted file should be prohibited, and the content of the file must not be sent to other processes or other devices through pipes, the network, shared memory, the clipboard and the like.

FIG. 3 is a schematic flowchart of the file encryption method provided by Embodiment 2 of the present invention. As shown in the figure, it includes: step S300, generating a file key for the file to be encrypted according to device hardware information; step S302, encrypting the file to be encrypted using the file key; step S304, encrypting the file key and saving the encrypted file key in the file header of the encrypted file; step S306, saving the encrypted file through the file system.

FIG. 4 is a schematic flowchart of the method for reading an encrypted file provided by Embodiment 2 of the present invention. As shown in the figure, it includes: step S400, an application reads a file; step S402, the file content of the file is intercepted, so that the application cannot obtain the file content directly for display; step S404, it is determined whether the file needs to be decrypted; if so, proceed to step S406, otherwise proceed to step S414; step S406, the encrypted file key is obtained from the file header and decrypted to obtain the file key; step S408, the file is decrypted using the file key; step S410, the application presents the decrypted file content; step S412, operation instructions on the file are monitored, and operation instructions that are not allowed are prohibited from being executed on the file; step S414, the application presents the file content directly.

FIG. 5 is a schematic flowchart of the file encryption method provided by Embodiment 3 of the present invention. As shown in the figure, it includes: step S500, an application saves a file; step S502, the file content of the file is intercepted, so that the file system cannot obtain the file content directly for saving; step S504, it is determined whether the file needs to be encrypted; if so, proceed to step S506, otherwise proceed to step S516; step S506, it is determined whether the file is an encrypted file; if so, proceed to step S508, otherwise proceed to step S510; step S508, the encrypted file key is obtained from the file header and decrypted to obtain the file key; step S510, a file key is generated for the file to be encrypted according to device hardware information; step S512, the file with the written file content is encrypted using the file key; step S514, the file key is encrypted and the encrypted file key is saved in the file header of the encrypted file; step S516, the file is saved through the file system.
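The file protection policy described above, together with the decision step S504 of Embodiment 3 that applies it, as an added Go example that is not the patent's code. The text format in which the configuration step stores the policy, the extension-to-type table, the path form and the function names are assumptions; the two conditions in `ExamplePolicyText` mirror the description's own example (everything under directory 1, and word files whose name contains "加密"). Within one condition every field that is set must hold, and a file is encrypted when any one condition matches, which is the OR-of-ANDs reading of the description.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Condition is one entry of the file protection policy. Empty fields are wildcards;
// the fields that are set must all hold (AND within a condition).
type Condition struct {
	Dir          string // file must live under this directory
	Type         string // file type, derived from the extension
	NameContains string // substring the file name must contain
}

// Policy is the stored set of conditions. As the description says, a file that
// satisfies any one condition needs to be encrypted (OR across conditions).
type Policy []Condition

// typeByExt maps extensions to the file types the policy speaks of (an assumption).
var typeByExt = map[string]string{
	".doc": "word", ".docx": "word", ".xls": "excel", ".xlsx": "excel",
	".ppt": "ppt", ".pptx": "ppt", ".mp3": "audio", ".mp4": "video",
}

// FileType classifies a file name by its extension, case-insensitively.
func FileType(name string) string { return typeByExt[strings.ToLower(path.Ext(name))] }

// Matches evaluates one condition against a slash-separated file path.
func (c Condition) Matches(filePath string) bool {
	dir, name := path.Split(filePath)
	dir = path.Clean(dir)
	if c.Dir != "" {
		// Compare with a trailing slash so that "/dir10" does not match a "/dir1" condition.
		want := strings.TrimSuffix(path.Clean(c.Dir), "/") + "/"
		if !strings.HasPrefix(dir+"/", want) {
			return false
		}
	}
	if c.Type != "" && FileType(name) != c.Type {
		return false
	}
	return c.NameContains == "" || strings.Contains(name, c.NameContains)
}

// NeedsEncryption is the first determining step (S504): encrypt if any condition matches.
func (p Policy) NeedsEncryption(filePath string) bool {
	for _, c := range p {
		if c.Matches(filePath) {
			return true
		}
	}
	return false
}

// ParsePolicy reads the policy text stored by the configuration step. The text
// format is an assumption: one condition per line, "key=value" fields separated
// by ';' with keys dir, type and name; blank lines and '#' comments are skipped.
func ParsePolicy(text string) (Policy, error) {
	var p Policy
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var c Condition
		for _, field := range strings.Split(line, ";") {
			kv := strings.SplitN(field, "=", 2)
			if len(kv) != 2 {
				return nil, fmt.Errorf("line %d: expected key=value, got %q", n+1, strings.TrimSpace(field))
			}
			k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
			switch k {
			case "dir":
				c.Dir = v
			case "type":
				c.Type = v
			case "name":
				c.NameContains = v
			default:
				return nil, fmt.Errorf("line %d: unknown key %q", n+1, k)
			}
		}
		p = append(p, c)
	}
	return p, nil
}

// ExamplePolicyText is a constructed policy mirroring the description's example:
// everything under directory 1, and word files whose name contains "加密" ("encrypted").
const ExamplePolicyText = `
# constructed example policy
dir=/dir1
type=word; name=加密
`
```

Rejecting an unknown key or a malformed line at parse time, rather than ignoring it, matters for a policy like this: a silently dropped condition turns into a file that is saved in plaintext without anyone noticing.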
An embodiment of the present invention further provides a file encryption device, configured to encrypt a file stored on a device, the encryption device including: a key generation module, configured to generate a first key for the file to be saved; a first encryption module, configured to encrypt the first key using a preset second key; a second encryption module, configured to encrypt the file to be saved using the first key, and to save the first key encrypted with the preset second key in the file header of the encrypted file to be saved. The above encryption device further includes: a first determining module, configured to determine, according to the stored file protection policy, whether the file to be saved needs to be encrypted, where the file protection policy is the set of conditions an encrypted file must satisfy; when the file to be saved needs to be encrypted, the key generation module is entered. The above encryption device further includes: a configuration module, configured to configure the file protection policy according to a first user operation instruction and store it. In the above encryption device, the key generation module is further configured to generate the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved. In the above encryption device, the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved. In the above encryption device, the file header of the file to be saved stores a key that was used to encrypt the file to be saved, and the key generation module is further configured to obtain, from the file header of the file to be saved, the key used to encrypt the file to be saved, as the first key of the file to be saved.

The present invention also provides a device for reading an encrypted file, where the file header of the encrypted file stores the encrypted first key of the encrypted file, and the reading device includes: an obtaining module, configured to obtain the encrypted first key of the encrypted file from the file header of the encrypted file; a first decryption module, configured to decrypt the encrypted first key using the pre-stored second key to obtain the decrypted first key; a second decryption module, configured to decrypt the encrypted file using the decrypted first key to obtain the decrypted file for reading. The above reading device further includes: a second determining module, configured to receive a second user operation instruction and determine whether the second user operation instruction belongs to a preset set of rejected operation instructions; a prompting module, configured to issue, when the second user operation instruction belongs to the preset set of rejected operation instructions, a prompt message indicating that the second user operation instruction is not allowed to be executed. An embodiment of the present invention further provides a terminal including the device described above.

FIG. 6 is a schematic structural diagram of a system that implements automatic encryption and decryption using the file encryption method and the method for reading an encrypted file provided by the present invention. As shown in the figure, it includes: a file system 60, configured to manage the files in the system, including storing files; a file encryption/decryption module 61, configured to implement the functions of the first encryption module, second encryption module, first decryption module and second decryption module of the above devices, encrypting and decrypting the content to be encrypted or decrypted according to the key; a key generation module 62, configured to generate file keys; a configuration module 63, configured to configure the stored file protection policy; a file filter driver module 64, configured to implement the function of the obtaining module of the above device and to intercept the file interactions between applications and the file system, so that file data can be intercepted, that is, every read and save operation on a file passes through this module; an application 65, configured to operate on files stored in the file system, and able to read, modify and save files; a monitoring module 66, configured to implement the functions of the second determining module and the prompting module of the above device, monitoring the operation instructions issued by the user and prohibiting execution of operation instructions that are not allowed: plaintext content must not be sent to other processes or other machines through pipes, the network, shared memory, the clipboard and the like, and screenshots are not allowed either. Because the encryption and decryption of files is based on the system's underlying driver and runs in kernel mode, it is very efficient.

The above are preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

Industrial applicability

The encryption and decryption scheme provided by the embodiments of the present invention can automatically encrypt and decrypt files without deploying a server, and supports offline use.

Claims

1. A file encryption method for encrypting a file stored on a device, the encryption method comprising: a key generation step: generating a first key for a file to be saved; a first encryption step: encrypting the first key using a preset second key; a second encryption step: encrypting the file to be saved using the first key, and saving the first key encrypted with the preset second key in the file header of the encrypted file to be saved.
2. The encryption method according to claim 1, wherein before the key generation step, the method further comprises: a first determining step: determining, according to a stored file protection policy, whether the file to be saved needs to be encrypted, the file protection policy being the set of conditions an encrypted file must satisfy; when the file to be saved needs to be encrypted, entering the key generation step.
3. The encryption method according to claim 2, wherein before the first determining step, the method further comprises: a configuration step: configuring the file protection policy according to a first user operation instruction and storing it.
4. The encryption method according to claim 1, wherein the key generation step comprises generating the first key for the file to be saved according to hardware information of the device, time information and/or attribute information of the file to be saved.
5. The encryption method according to claim 4, wherein the attribute information of the file to be saved comprises: directory information to which the file to be saved belongs, the file type of the file to be saved and/or the file name of the file to be saved.
6. The encryption method according to claim 1, wherein the file header of the file to be saved stores a key used to encrypt the file to be saved, and the key generation step specifically is: obtaining, from the file header of the file to be saved, the key used to encrypt the file to be saved as the first key of the file to be saved.
7. A method for reading an encrypted file, the file header of the encrypted file storing an encrypted first key of the encrypted file, the reading method comprising: an obtaining step: obtaining the encrypted first key of the encrypted file from the file header of the encrypted file; a first decryption step: decrypting the encrypted first key using a pre-stored second key to obtain the decrypted first key; a second decryption step: decrypting the encrypted file using the decrypted first key to obtain the decrypted file for reading.
8. 如权利要求 7所述的读取方法, 其中, 所述第二解密步骤之后还包括: 第二判断步骤: 接收第二用户操作指令, 判断所述第二用户操作指令是否 属于预设的拒绝操作指令集; The reading method according to claim 7, wherein the second decrypting step further comprises: a second determining step: receiving a second user operation instruction, determining whether the second user operation instruction belongs to a preset Reject the instruction set;
提示步骤: 当所述第二用户操作指令属于预设的拒绝操作指令集时, 发出 提示消息, 表明不允许执行所述第二用户操作指令。  Prompting step: When the second user operation instruction belongs to a preset set of reject operation instructions, a prompt message is issued indicating that the second user operation instruction is not allowed to be executed.
9. 一种文件加密装置,用于对存储在设备上的文件进行加密,所述加密装置包括: 密钥生成模块, 设置为为待保存文件生成第一密钥; 第一加密模块,设置为根据预设的第二密钥对所述第一密钥进行加密处理; 第二加密模块,设置为根据所述第一密钥对所述待保存文件进行加密处理, 将根据预设的第二密钥加密后的第一密钥保存至加密后的所述待保存文件的文 件头中。 A file encryption device, configured to encrypt a file stored on a device, the encryption device comprising: a key generation module configured to generate a first key for a file to be saved; and a first encryption module configured to Encrypting the first key according to the preset second key; the second encryption module is configured to perform encryption processing on the file to be saved according to the first key, and according to the preset second The first key after the key is encrypted is saved in the header of the encrypted file to be saved.
10. 如权利要求 9所述的加密装置, 其中, 还包括: 第一判断模块, 设置为根据存储的文件保护策略, 判断是否需要对待保存 文件进行加密处理, 所述文件保护策略为加密文件需要满足的条件的集合; 当需要对所述待保存文件进行加密时, 进入密钥生成模块。 The encryption device according to claim 9, further comprising: a first determining module, configured to determine, according to the stored file protection policy, whether to perform encryption processing on the file to be saved, where the file protection policy is required for encrypting the file a set of satisfied conditions; when the file to be saved needs to be encrypted, the key generation module is entered.
11 . 如权利要求 10所述的加密装置, 其中, 还包括: 配置模块, 设置为根据第一用户操作指令, 配置文件保护策略并存储。 11. The encryption device of claim 10, further comprising: a configuration module configured to configure a file protection policy and store according to the first user operation instruction.
12. 如权利要求 9所述的加密装置, 其中, 所述密钥生成模块设置为根据所述设备 的硬件信息、 时间信息和 /或所述待保存文件的属性信息, 为所述待保存文件生 成第一密钥。 The encryption device according to claim 9, wherein the key generation module is configured to be the file to be saved according to hardware information of the device, time information, and/or attribute information of the file to be saved. Generate the first key.
13. 如权利要求 12所述的加密装置, 其中, 所述待保存文件的属性信息包括: 所述 待保存文件所属的目录信息、所述待保存文件的文件类型和 /或所述待保存文件 的文件名称。 The encryption device according to claim 12, wherein the attribute information of the file to be saved includes: directory information to which the file to be saved belongs, file type of the file to be saved, and/or the file to be saved The file name.
14. 如权利要求 9所述的加密装置, 其中, 所述待保存文件的文件头中存储有用于 对所述待保存文件进行加密的密钥, 所述密钥生成模块设置为从所述待保存文 件的文件头中获取用于对所述待保存文件进行加密的密钥作为所述待保存文件 的第一密钥。 The encryption device according to claim 9, wherein a file for encrypting the file to be saved is stored in a file header of the file to be saved, and the key generation module is configured to be from the A key used to encrypt the file to be saved is obtained as a first key of the file to be saved.
15. 一种加密文件的读取装置, 所述加密文件的文件头中存储有加密后的所述加密 文件的第一密钥, 所述读取装置包括: 获取模块, 设置为从所述加密文件的文件头中获取加密后的所述加密文件 的第一密钥; 第一解密模块, 设置为根据预存储的第二密钥对加密后的第一密钥进行解 密, 得到解密后的第一密钥; 第二解密模块, 设置为根据所述解密后的第一密钥对所述加密文件进行解 密, 得到解密后的文件进行读取。 An apparatus for reading an encrypted file, wherein a header of the encrypted file is stored in a header of the encrypted file, the reading apparatus comprising: an acquiring module, configured to be encrypted from the Obtaining a first key of the encrypted encrypted file in a file header of the file; the first decrypting module is configured to decrypt the encrypted first key according to the pre-stored second key, to obtain the decrypted first a second decryption module is configured to decrypt the encrypted file according to the decrypted first key, and obtain the decrypted file for reading.
16. 如权利要求 15所述的读取装置, 其中, 还包括: 第二判断模块, 设置为接收第二用户操作指令, 判断所述第二用户操作指 令是否属于预设的拒绝操作指令集; The reading device according to claim 15, further comprising: a second determining module, configured to receive a second user operation instruction, and determine whether the second user operation instruction belongs to a preset set of reject operation instructions;
提示模块,设置为当所述第二用户操作指令属于预设的拒绝操作指令集时, 发出提示消息, 表明不允许执行所述第二用户操作指令。  The prompting module is configured to issue a prompt message when the second user operation instruction belongs to the preset set of the reject operation instruction, indicating that the second user operation instruction is not allowed to be executed.
17. 一种终端, 包括如权利要求 9-16任一项所述的装置。 17. A terminal comprising the apparatus of any of claims 9-16.
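The scheme of claims 1, 4, 5 and 7 in runnable form, as an added example that is not part of the patent or of any implementation by the applicant: a per-file first key is derived from hardware, time and file attributes, wrapped with a device-held second key, stored in the file header, and recovered by the reader before the body is decrypted. The header layout, the HMAC-SHA256 counter-mode keystream standing in for the cipher the claims leave unspecified, the integrity tag and the random salt in the derivation are all assumptions made here.

```python
import hashlib
import hmac
import os

MAGIC = b"ENCF"  # constructed header tag; the claims do not fix a file format

def _subkey(second_key: bytes, label: bytes) -> bytes:
    # Domain-separate the device's second key into a wrapping key and a MAC key.
    return hmac.new(second_key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for the
    # unspecified cipher, used both to wrap the first key and to encrypt the body.
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def derive_first_key(hardware_id: bytes, timestamp: int, dir_name: str,
                     file_type: str, file_name: str) -> bytes:
    # Claims 4-5: hardware info, time and file attributes feed the first key. Random
    # bytes are mixed in (an addition): the wrapped key lives in the header, so it is
    # never re-derived, and attributes alone are too predictable to be the only entropy.
    material = b"|".join([hardware_id, str(timestamp).encode(), dir_name.encode(),
                          file_type.encode(), file_name.encode(), os.urandom(16)])
    return hashlib.sha256(material).digest()

def encrypt_file(plaintext: bytes, first_key: bytes, second_key: bytes) -> bytes:
    # Claim 1: wrap the first key with the second key, store the wrapped key in the
    # header, encrypt the body with the first key. The HMAC tag is an added check.
    wrap_nonce, body_nonce = os.urandom(16), os.urandom(16)
    wrapped = _keystream_xor(_subkey(second_key, b"wrap"), wrap_nonce, first_key)
    body = _keystream_xor(first_key, body_nonce, plaintext)
    header = MAGIC + wrap_nonce + wrapped + body_nonce  # 4 + 16 + 32 + 16 = 68 bytes
    tag = hmac.new(_subkey(second_key, b"mac"), header + body, hashlib.sha256).digest()
    return header + tag + body

def read_encrypted_file(blob: bytes, second_key: bytes) -> bytes:
    # Claim 7: take the wrapped first key from the header, unwrap it with the
    # pre-stored second key, then decrypt the body with the recovered first key.
    if len(blob) < 100 or blob[:4] != MAGIC:
        raise ValueError("not a file produced by encrypt_file")
    header, tag, body = blob[:68], blob[68:100], blob[100:]
    expected = hmac.new(_subkey(second_key, b"mac"), header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header or body was modified, or wrong second key")
    wrap_nonce, wrapped, body_nonce = header[4:20], header[20:52], header[52:68]
    first_key = _keystream_xor(_subkey(second_key, b"wrap"), wrap_nonce, wrapped)
    return _keystream_xor(first_key, body_nonce, body)
```

Verifying the tag with the second key before unwrapping means a tampered header is rejected without ever exposing the first key, which the claims' read path does not do on its own.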
PCT/CN2014/083921 2014-05-20 2014-08-07 File encryption method and device, and encrypted file reading method, device and terminal WO2015176394A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410214555.6A CN105095783A (en) 2014-05-20 2014-05-20 File encryption method and apparatus, encrypted file reading method and apparatus and terminal
CN201410214555.6 2014-05-20

Publications (1)

Publication Number Publication Date
WO2015176394A1 true WO2015176394A1 (en) 2015-11-26

Family

ID=54553297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/083921 WO2015176394A1 (en) 2014-05-20 2014-08-07 File encryption method and device, and encrypted file reading method, device and terminal

Country Status (2)

Country Link
CN (1) CN105095783A (en)
WO (1) WO2015176394A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108875403A (en) * 2018-05-04 2018-11-23 北京明朝万达科技股份有限公司 A kind of file management method and device
WO2019037411A1 (en) * 2017-08-22 2019-02-28 深圳光启智能光子技术有限公司 Data transmission method, device, storage medium, and processor

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102016210788B4 (en) * 2016-02-18 2023-06-07 Volkswagen Aktiengesellschaft Component for processing data worthy of protection and method for implementing a security function for protecting data worthy of protection in such a component
CN106060614B (en) * 2016-07-07 2019-08-27 四川长虹电器股份有限公司 File Encrypt and Decrypt method based on high peace chip in DTV
CN107483432A (en) * 2017-08-10 2017-12-15 广州杰之良软件有限公司 File encryption processing method and processing device
CN112257115A (en) * 2020-12-21 2021-01-22 北京联想协同科技有限公司 File processing method and device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1633070A (en) * 2004-10-29 2005-06-29 徐子杰 A data encryption/decryption method and encryption/decryption apparatus
CN102088352A (en) * 2009-12-08 2011-06-08 北京大学 Data encryption transmission method and system for message-oriented middleware
CN102142072A (en) * 2010-11-15 2011-08-03 华为软件技术有限公司 Encryption processing and decryption processing method and device of electronic files

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102355463B (en) * 2011-10-10 2015-07-15 厦门简帛信息科技有限公司 Digital document encryption method
CN103220293B (en) * 2013-04-23 2016-05-11 福建伊时代信息科技股份有限公司 A kind of document protection method and device
CN103246850A (en) * 2013-05-23 2013-08-14 福建伊时代信息科技股份有限公司 Method and device for processing file

Also Published As

Publication number Publication date
CN105095783A (en) 2015-11-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14892427

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14892427

Country of ref document: EP

Kind code of ref document: A1