WO2016106566A1 - Method, apparatus and system for encryption and decryption in a virtualization system - Google Patents
Method, apparatus and system for encryption and decryption in a virtualization system
- Publication number
- WO2016106566A1 (PCT/CN2014/095598)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- virtual machine
- hard disk
- disk image
- identifier
- encryption
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45562—Creating, deleting, cloning virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45575—Starting, stopping, suspending or resuming virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Definitions
- the present invention relates to the field of computing, and in particular, to a method, apparatus and system for encryption and decryption in a virtualization system.
- the cloud computing platform can effectively provide large-scale computing resources to users in the form of virtual machines (VMs) by effectively integrating various interconnected computing resources and implementing multi-level virtualization and abstraction.
- the virtualization software deployed in the cloud computing host constitutes an environment in which the virtual machine runs, and provides services such as network and storage for the virtual machine.
- the user's data is stored in the virtual hard disk of the virtual machine.
- the actual physical storage space of the virtual hard disk is in the hard disk array of the storage server.
- the storage server organizes the storage space of the virtual hard disk into a large file or a large data block.
- the data block is called a hard disk image.
- a hard disk image is a storage entity of virtual machine data, and represents a storage form in which the contents of a virtual machine's disk or hard disk are organized in units of sectors.
- the cloud computing platform needs to provide reliable security technology to ensure the security of user data in the hard disk image and avoid the leakage of user privacy data containing trade secrets.
- FIG. 1 is a schematic diagram of the structure by which existing virtualization-system encryption and decryption technology is implemented.
- the device mapping and encryption module is included in the virtual machine monitor (VMM) and maps the hard disk image to a virtual block device.
- the hard disk image is invisible to the user VM.
- the virtualization software connects the block device to the user VM.
- the device mapping and encryption module can sense the access of the user VM to the device and encrypt the accessed data in the disk image, thereby protecting the user data.
- the device mapping and encryption module needs to be separately identified and processed, which results in a complex implementation of the module and has a great impact on the operation and stability of the cloud computing system.
- the object of the present invention is to provide a method, a device and a system for encryption and decryption in a virtualization system, so as to solve the problems of complex implementation and poor system stability caused by the device mapping and encryption module in the VMM, among other issues.
- an embodiment of the present invention provides a virtualization system, including a virtual machine monitor VMM and an encryption and decryption virtual machine, where the VMM includes a control module, the encryption and decryption virtual machine records a first association relationship between a hard disk image identifier and a key, the key includes an encryption key, and a second association relationship between the hard disk image identifier and the hard disk image attribute is recorded in the virtualization system.
- the control module is configured to obtain the data to be written by the user virtual machine, determine, according to the second association relationship, the hard disk image attribute of the hard disk image to be written of the user virtual machine, and, if the determined hard disk image attribute is encrypted, send the identifier of the hard disk image to be written and the data to be written to the encryption and decryption virtual machine;
- the encryption/decryption virtual machine is configured to determine, according to the first association relationship, the encryption key corresponding to the identifier of the hard disk image to be written, encrypt the data to be written by using the encryption key to obtain encrypted data, and transmit the encrypted data to the control module;
- the control module is further configured to write the encrypted data into the hard disk image to be written.
- the first association relationship further includes a user virtual machine identifier;
- the control module is specifically configured to send, to the encryption and decryption virtual machine, the identifier of the user virtual machine, the identifier of the hard disk image to be written, and the data to be written;
- the encryption and decryption virtual machine is configured to obtain the identifier of the user virtual machine and the identifier of the hard disk image to be written, and determine whether the first association relationship includes a correspondence between the identifier of the user virtual machine and the identifier of the hard disk image to be written; if not, it returns an encryption failure indication to the control module, and if so, it encrypts the data to be written by using the determined encryption key corresponding to the identifier of the hard disk image to be written.
- the key further includes a decryption key;
- the control module is further configured to obtain a read request triggered by the user virtual machine, read data from the hard disk image to be read, determine that the read data is encrypted data, and send a decryption request to the encryption and decryption virtual machine, where the decryption request carries the identifier of the user virtual machine, the encrypted data read, and the identifier of the hard disk image;
- the encryption and decryption virtual machine is further configured to receive the decryption request and determine whether the first association relationship includes a correspondence between the identifier of the user virtual machine that sent the read request and the identifier of the hard disk image; if so, the decryption key corresponding to the identifier of the hard disk image is obtained from the first association relationship, the encrypted data is decrypted by using the decryption key, and the resulting decrypted data is sent to the control module;
- the control module is further configured to return the decrypted data to the user virtual machine.
- the control module is further configured to return the read data to the user virtual machine as-is when the read data is unencrypted data.
- the system further includes a system management module and a virtual machine management module,
- the system management module is configured to send a virtual machine startup request to the virtual machine management module, where the virtual machine startup request carries the identifier of the user virtual machine to be started;
- the virtual machine management module is configured to receive the virtual machine startup request, start the user virtual machine to be started according to the request, and send the hard disk image identifier of the started user virtual machine and its hard disk image attribute to the control module;
- the control module is further configured to receive and record the hard disk image identifier of the started user virtual machine and its hard disk image attribute, and establish the second association relationship.
- the system further includes a system management module and a virtual machine management module,
- the system management module is further configured to send a virtual machine creation request to the virtual machine management module, where the virtual machine creation request carries the attribute of the hard disk image of the user virtual machine to be created;
- the virtual machine management module is further configured to receive the virtual machine creation request, create a user virtual machine, create a hard disk image for the created user virtual machine, allocate a hard disk image identifier, determine, according to the virtual machine creation request, the hard disk image attribute corresponding to the allocated hard disk image identifier, and send a virtual machine creation indication message to the encryption and decryption virtual machine, where the virtual machine creation indication message carries the identifier of the created user virtual machine, the allocated hard disk image identifier, and the hard disk image attribute corresponding to the allocated hard disk image identifier;
- the encryption and decryption virtual machine is further configured to receive the virtual machine creation indication message, allocate a key for the created hard disk image, and establish the first association relationship between the identifier of the created user virtual machine, the allocated hard disk image identifier, and the key.
- the encryption and decryption virtual machine is further configured to send a virtual machine creation response message to the system management module, where the virtual machine creation response message includes the identifier of the created user virtual machine.
- the system management module is further configured to send a hard disk image addition request message to the virtual machine management module, where the hard disk image addition request message carries the user virtual machine identifier and the attribute of the newly added hard disk image;
- the virtual machine management module is further configured to receive the hard disk image addition request message, create a new hard disk image for the user virtual machine, determine the hard disk image attribute of the new hard disk image according to the hard disk image addition request message, and send the user virtual machine identifier, the identifier of the new hard disk image, and the hard disk image attribute of the new hard disk image to the encryption and decryption virtual machine;
- the encryption and decryption virtual machine is further configured to allocate a key for the new hard disk image and update the first association relationship.
- the control module is specifically configured to acquire, from the device driver, a write request triggered by the user virtual machine, where the write request carries the data to be written.
- the key further includes a decryption key;
- the control module is further configured to obtain a read request triggered by the user virtual machine, read data from the hard disk image to be read, determine that the read data is encrypted data, and send a decryption request to the encryption and decryption virtual machine, where the decryption request carries the identifier of the user virtual machine, the encrypted data read, and the identifier of the hard disk image;
- the encryption and decryption virtual machine is further configured to receive the decryption request, determine, according to the first association relationship, the decryption key corresponding to the identifier of the hard disk image, decrypt the encrypted data by using the decryption key, and send the resulting decrypted data to the control module;
- the control module is further configured to return the decrypted data to the user virtual machine.
- the system further includes a system management module and a virtual machine management module,
- the system management module is configured to send a virtual machine startup request to the virtual machine management module, where the virtual machine startup request carries the identifier of the user virtual machine to be started;
- the virtual machine management module is configured to receive the virtual machine startup request, start the user virtual machine to be started according to the request, and send the hard disk image identifier of the started user virtual machine and its hard disk image attribute to the control module;
- the control module is further configured to receive and record the hard disk image identifier of the started user virtual machine and its hard disk image attribute, and establish the second association relationship.
- the system further includes a system management module and a virtual machine management module,
- the system management module is further configured to send a virtual machine creation request to the virtual machine management module, where the virtual machine creation request carries the attribute of the hard disk image of the user virtual machine to be created;
- the virtual machine management module is further configured to receive the virtual machine creation request, create a user virtual machine, create a hard disk image for the created user virtual machine, allocate a hard disk image identifier, determine, according to the virtual machine creation request, the hard disk image attribute corresponding to the allocated hard disk image identifier, and send a virtual machine creation indication message to the encryption and decryption virtual machine, where the virtual machine creation indication message carries the allocated hard disk image identifier and the hard disk image attribute corresponding to the allocated hard disk image identifier;
- the encryption and decryption virtual machine is further configured to receive the virtual machine creation indication message, allocate a key for the hard disk image identifier, and establish the first association relationship between the hard disk image identifier and the key.
- the system management module is further configured to send a hard disk image addition request message to the virtual machine management module, where the hard disk image addition request message carries the user virtual machine identifier and the attribute of the newly added hard disk image;
- the virtual machine management module is further configured to receive the hard disk image addition request message, create a new hard disk image for the user virtual machine, determine the hard disk image attribute of the new hard disk image, and send the identifier of the new hard disk image and the hard disk image attribute of the new hard disk image to the encryption and decryption virtual machine;
- the encryption and decryption virtual machine is further configured to allocate a key for the new hard disk image and update the first association relationship.
- an embodiment of the present invention provides a method for encryption and decryption in a virtualization system, which is applied to a virtualization system, where the virtualization system includes a virtual machine monitor VMM and an encryption and decryption virtual machine, and the VMM includes a control module.
- the encryption/decryption virtual machine records a first association relationship between the hard disk image identifier and the key, the key includes an encryption key, and the virtualization system records a second association relationship between the hard disk image identifier and the hard disk image attribute.
- the control module acquires the data to be written of the user virtual machine, determines, according to the second association relationship, the hard disk image attribute of the hard disk image to be written of the user virtual machine, and, if the determined hard disk image attribute is encrypted, sends the identifier of the hard disk image to be written and the data to be written to the encryption and decryption virtual machine;
- the control module receives the encrypted data obtained by the encryption and decryption virtual machine encrypting the data to be written with the encryption key, wherein the encryption key is the encryption key corresponding to the identifier of the hard disk image to be written, determined by the encryption/decryption virtual machine according to the first association relationship;
- the control module writes the encrypted data into the hard disk image to be written.
- the first association relationship further includes a user virtual machine identifier;
- the key further includes a decryption key;
- the method further includes:
- the control module acquires a read request triggered by the user virtual machine, reads data from the hard disk image to be read, determines that the read data is encrypted data, and sends a decryption request to the encryption and decryption virtual machine, where the decryption request carries the identifier of the user virtual machine, the encrypted data read, and the identifier of the hard disk image;
- the control module receives the decrypted data returned by the encryption and decryption virtual machine, wherein the decrypted data is obtained by the encryption/decryption virtual machine, after determining that the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image, by decrypting the encrypted data with the decryption key corresponding to the hard disk image identifier determined according to the first association relationship;
- the control module returns the decrypted data to the user virtual machine.
- the control module returns the read data to the user virtual machine as-is when it determines that the read data is unencrypted data.
- the system further includes a virtual machine management module;
- the method further includes:
- the control module receives a virtual machine startup indication message sent by the virtual machine management module, where the virtual machine startup indication message carries the identifier of the started user virtual machine, the hard disk image identifier of the started user virtual machine, and its hard disk image attribute;
- the control module records the hard disk image identifier of the started user virtual machine and its hard disk image attribute, and updates the second association relationship.
- the acquiring, by the control module, of the data to be written by the user virtual machine includes:
- the control module acquires, from a device driver, a write request triggered by the user virtual machine, where the write request carries the data to be written.
- an embodiment of the present invention provides a method for creating a user virtual machine, which is applied to a virtualization system, where the virtualization system includes a VMM, a system management module, and an encryption and decryption virtual machine, and the VMM includes a virtual machine management module.
- the method includes:
- the encryption/decryption virtual machine receives a virtual machine creation indication message sent by the virtual machine management module, where the virtual machine creation indication message carries the identifier of the created user virtual machine, the hard disk image identifier allocated for the created user virtual machine, and the hard disk image attribute corresponding to the allocated hard disk image identifier, and where the virtual machine creation indication message is sent by the virtual machine management module after it creates the user virtual machine and the hard disk image according to the virtual machine creation request sent by the system management module;
- the encryption/decryption virtual machine allocates a key for the created hard disk image, and establishes a first association relationship between the identifier of the created user virtual machine, the allocated hard disk image identifier, and the key;
- the encryption/decryption virtual machine sends a virtual machine creation response message to the system management module, where the virtual machine creation response message includes the identifier of the created user virtual machine.
- the encryption/decryption virtual machine receives a hard disk image addition indication message sent by the virtual machine management module, where the hard disk image addition indication message carries the user virtual machine identifier, the identifier of the hard disk image newly added for the user virtual machine by the virtual machine management module, and its hard disk image attribute, and where the hard disk image addition indication message is sent by the virtual machine management module after it creates the new hard disk image for the user virtual machine according to the hard disk image addition request sent by the system management module;
- the encryption/decryption virtual machine allocates a key for the newly added hard disk image, and updates the first association relationship with the user virtual machine identifier, the newly added hard disk image identifier, and the key allocated for the newly added hard disk image.
- the VMM includes a control module, and the method further includes:
- the encryption/decryption virtual machine receives an encryption request sent by the control module, where the encryption request carries the identifier of the user virtual machine, the identifier of the hard disk image to be written, and the data to be written; it determines whether the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image to be written; if not, it returns an encryption failure indication to the control module, and if so, it determines, according to the first association relationship, the encryption key corresponding to the identifier of the hard disk image to be written, encrypts the data to be written by using the encryption key to obtain encrypted data, and transmits the encrypted data to the control module so that the control module writes the encrypted data into the hard disk image to be written.
- the method further includes: the encryption/decryption virtual machine receives a decryption request sent by the control module, where the decryption request carries the identifier of the user virtual machine, the encrypted data that was read, and the identifier of the hard disk image; it determines whether the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image, and if so, obtains the decryption key corresponding to the identifier of the hard disk image from the first association relationship, decrypts the encrypted data by using the decryption key, and sends the resulting decrypted data to the control module so that the control module returns the decrypted data to the user virtual machine.
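The following Go program is an added example written for this page; it is not code from the patent or from any implementation of it. It models the system embodiment and the two method embodiments above: an `EncDecVM` that holds the first association relationship (user virtual machine identifier, hard disk image identifier → key) and a `ControlModule` inside the VMM that holds the second association relationship (hard disk image identifier → encrypted attribute), with the creation/addition indication (`AllocateKey`), the startup indication (`OnStartup`), the write path (attribute check, encryption request, encryption failure indication when the user VM is not associated with the image) and the read path (decryption request, unencrypted data returned unchanged). Everything the patent does not name is an assumption of this example: the `ENCV1` marker used to recognise ciphertext, AES-256-GCM with one key serving both directions, the image identifier bound in as associated data, the in-memory map standing in for the storage server, and the constructed identifiers `vm-1`, `vm-2`, `img-1`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	encMagic         = []byte("ENCV1")                                            // ciphertext marker (assumption; the patent fixes no on-disk format)
	ErrNotAuthorized = errors.New("user VM not associated with this disk image") // the "encryption failure indication"
)
type assoc struct{ vmID, imgID string } // one entry of the first association relationship

// EncDecVM models the encryption/decryption VM: (user VM id, disk image id) -> one AES-256-GCM key
// used in both directions (assumption; the patent allows separate encryption and decryption keys).
type EncDecVM struct{ first map[assoc]cipher.AEAD }

// AllocateKey reacts to a VM creation or disk image addition indication with a fresh key per image.
func (e *EncDecVM) AllocateKey(vmID, imgID string) {
	key := make([]byte, 32)
	rand.Read(key)                 // crypto/rand never returns an error (Go 1.24+)
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	e.first[assoc{vmID, imgID}], _ = cipher.NewGCM(block)
}

// Encrypt serves an encryption request: magic || nonce || ciphertext+tag, image id as associated data.
func (e *EncDecVM) Encrypt(vmID, imgID string, plain []byte) ([]byte, error) {
	aead, ok := e.first[assoc{vmID, imgID}] // the association check
	if !ok {
		return nil, ErrNotAuthorized
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	out := append(append([]byte{}, encMagic...), nonce...)
	return aead.Seal(out, nonce, plain, []byte(imgID)), nil
}

// Decrypt serves a decryption request; the same association check applies.
func (e *EncDecVM) Decrypt(vmID, imgID string, blob []byte) ([]byte, error) {
	aead, ok := e.first[assoc{vmID, imgID}]
	if !ok {
		return nil, ErrNotAuthorized
	}
	body := bytes.TrimPrefix(blob, encMagic)
	if len(body) == len(blob) || len(body) < aead.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}
	return aead.Open(nil, body[:aead.NonceSize()], body[aead.NonceSize():], []byte(imgID))
}

// ControlModule models the VMM control module: second association (image id -> encrypted attribute)
// plus an in-memory stand-in for the storage server that holds the image contents.
type ControlModule struct {
	second map[string]bool
	images map[string][]byte
	EDVM   *EncDecVM
}

func NewControlModule() *ControlModule {
	ed := &EncDecVM{first: map[assoc]cipher.AEAD{}}
	return &ControlModule{second: map[string]bool{}, images: map[string][]byte{}, EDVM: ed}
}

// OnStartup records what the VM management module reports when a user VM starts.
func (c *ControlModule) OnStartup(imgID string, encrypted bool) { c.second[imgID] = encrypted }

// Write: encrypted images go through the encryption/decryption VM; others are stored as received.
func (c *ControlModule) Write(vmID, imgID string, data []byte) error {
	if !c.second[imgID] {
		c.images[imgID] = append([]byte{}, data...)
		return nil
	}
	ct, err := c.EDVM.Encrypt(vmID, imgID, data)
	if err == nil {
		c.images[imgID] = ct
	}
	return err
}

// Read: data carrying the ciphertext marker is sent for decryption; anything else goes back unchanged.
func (c *ControlModule) Read(vmID, imgID string) ([]byte, error) {
	raw := c.images[imgID] // an image never written reads back empty
	if !bytes.HasPrefix(raw, encMagic) {
		return raw, nil
	}
	return c.EDVM.Decrypt(vmID, imgID, raw)
}

func main() { // smoke run: creation indication, startup indication, one write, one read
	cm := NewControlModule()
	cm.EDVM.AllocateKey("vm-1", "img-1")
	cm.OnStartup("img-1", true)
	_ = cm.Write("vm-1", "img-1", []byte("constructed user data"))
	got, err := cm.Read("vm-1", "img-1")
	fmt.Printf("read back %q (err %v); write from vm-2: %v\n", got, err, cm.Write("vm-2", "img-1", nil))
}
```

The property the patent relies on is visible in the types: the VMM side (`ControlModule`) never holds a key, only the attribute table and the storage contents, so a compromise of the control path alone yields ciphertext. Two simplifications matter before reusing the shape: an AEAD blob is longer than its plaintext, whereas a disk image is addressed in fixed-size sectors, so a real implementation would use a length-preserving per-sector mode (XTS) and keep the association check exactly as shown; and a byte marker is a weak discriminator for "is this encrypted data", since a plaintext sector on an unencrypted image could start with the same bytes, so a deployment should pair it with the image's attribute from the second association relationship.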
- an embodiment of the present invention provides a control device in a virtualization system, where the control device is located in the VMM of the virtualization system, the virtualization system further includes an encryption and decryption virtual machine, the encryption and decryption virtual machine records a first association relationship between the hard disk image identifier and the key, the key includes an encryption key, and a second association relationship between the hard disk image identifier and the hard disk image attribute is recorded in the virtualization system,
- the control device includes:
- an obtaining unit configured to acquire the data to be written by the user virtual machine;
- a processing unit configured to determine, according to the second association relationship, the hard disk image attribute of the hard disk image to be written of the user virtual machine;
- a sending unit configured to send the identifier of the hard disk image to be written and the data to be written to the encryption and decryption virtual machine when the hard disk image attribute determined by the determining unit is encrypted;
- the obtaining unit is further configured to receive the encrypted data obtained by the encryption/decryption virtual machine encrypting the data to be written with the encryption key, where the encryption key is the encryption key corresponding to the identifier of the hard disk image to be written, determined by the encryption and decryption virtual machine according to the first association relationship;
- a writing unit configured to write the encrypted data received by the obtaining unit into the hard disk image to be written.
- the key further includes a decryption key;
- the obtaining unit is further configured to acquire a read request triggered by the user virtual machine;
- the processing unit is further configured to read data from the hard disk image to be read, and determine that the read data is encrypted data;
- the sending unit is further configured to: when the processing unit determines that the read data is encrypted data, send a decryption request to the encryption and decryption virtual machine, where the decryption request carries the identifier of the user virtual machine, the encrypted data read, and the identifier of the hard disk image;
- the obtaining unit is further configured to receive the decrypted data returned by the encryption/decryption virtual machine, where the decrypted data is obtained by the encryption/decryption virtual machine, after determining that the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image, by decrypting the encrypted data with the decryption key corresponding to the hard disk image identifier determined according to the first association relationship;
- the sending unit is further configured to return the decrypted data received by the obtaining unit to the user virtual machine.
- the sending unit is further configured to return the read data to the user virtual machine as-is when the processing unit determines that the read data is unencrypted data.
- the obtaining unit is further configured to receive a virtual machine startup indication message sent by the virtual machine management module, where the virtual machine startup indication message carries the identifier of the started user virtual machine, the hard disk image identifier of the started user virtual machine, and its hard disk image attribute;
- the processing unit is further configured to record the hard disk image identifier of the started user virtual machine and its hard disk image attribute, and update the second association relationship.
- the obtaining unit is configured to obtain, from a device driver, a write request triggered by the user virtual machine, where the write request carries the data to be written.
- an embodiment of the present invention provides an encryption and decryption apparatus in a virtualization system, where the virtualization system includes the encryption and decryption apparatus, a VMM and a system management module, and the VMM includes a virtual machine management module; the encryption and decryption apparatus includes:
- a receiving unit configured to receive a virtual machine creation indication message sent by the virtual machine management module, where the message carries the identifier of the created user virtual machine, the hard disk image identifier allocated to the created user virtual machine and the hard disk image attribute corresponding to the allocated hard disk image identifier, and where the virtual machine management module sends the virtual machine creation indication message after creating the user virtual machine and its hard disk image according to the virtual machine creation request sent by the system management module;
- an execution unit configured to: after the receiving unit receives the virtual machine creation indication message, allocate a key to the created hard disk image and establish the first association relationship between the identifier of the created user virtual machine, the allocated hard disk image identifier and the key;
- a message returning unit configured to send a virtual machine creation response message to the system management module, where the virtual machine creation response message includes the identifier of the created user virtual machine.
- the receiving unit is further configured to receive a hard disk image adding indication message sent by the virtual machine management module, where the message carries the user virtual machine identifier together with the hard disk image identifier and hard disk image attribute that the virtual machine management module assigned to the new hard disk image of that user virtual machine, and where the virtual machine management module sends the hard disk image adding indication message after creating the new hard disk image for the user virtual machine according to the hard disk image adding request sent by the system management module;
- the execution unit is further configured to: after the receiving unit receives the hard disk image adding indication message, allocate a key to the newly added hard disk image and add the correspondence between the user virtual machine identifier, the newly added hard disk image identifier and that key to the first association relationship.
- the receiving unit is further configured to receive an encryption request sent by the control module, where the encryption request carries the identifier of the user virtual machine, the identifier of the hard disk image to be written and the data to be written;
- the execution unit is further configured to determine whether the first association relationship includes a correspondence between the identifier of the user virtual machine and the identifier of the hard disk image to be written received by the receiving unit, and if so, to determine according to the first association relationship the encryption key corresponding to the identifier of the hard disk image to be written and encrypt the data to be written with that encryption key to obtain encrypted data;
- the message returning unit is further configured to: when the execution unit determines that the first association relationship does not include that correspondence, return an encryption failure indication to the control module; and when the execution unit determines that the first association relationship does include it, send the encrypted data to the control module.
- the receiving unit is further configured to receive a decryption request sent by the control module, where the decryption request carries the identifier of the user virtual machine, the encrypted data that was read and the identifier of the hard disk image;
- the execution unit is further configured to determine whether the first association relationship includes a correspondence between the identifier of the user virtual machine and the identifier of the hard disk image received by the receiving unit, and if so, to obtain from the first association relationship the decryption key corresponding to the identifier of the hard disk image and decrypt the read encrypted data with that decryption key to obtain decrypted data;
- the message returning unit is further configured to send the obtained decrypted data to the control module.
- an embodiment of the present invention provides a control device in a virtualization system, where the device includes a processor, a memory, a bus and a communication interface;
- the memory is configured to store computer execution instructions;
- the processor is coupled to the memory through the bus, and when the control device is running, the processor executes the computer execution instructions stored in the memory so that the control device in the virtualization system performs the method of any of the second or third aspect;
- an embodiment of the present invention provides a computer readable medium comprising computer execution instructions which, when executed by the processor of a computer, cause the computer to perform the method of any of the second aspect or the third aspect.
- a control module for encryption and decryption is added to the VMM.
- when the control module obtains the data to be written by the user virtual machine, it determines according to the attribute of the hard disk image to be written whether the data needs to be encrypted; when encryption is needed, the control module sends the data to be written to the encryption and decryption virtual machine, which encrypts it and returns the encrypted data to the control module, and the control module writes the encrypted data into the corresponding hard disk image, implementing encrypted storage of the user data.
- the control module in the VMM only has to decide whether the data to be written needs encryption and to forward it, so its function is simple to implement and the system complexity of the VMM is reduced; at the same time, in the embodiment of the present invention,
- the encryption and decryption processing is carried out by a dedicated encryption and decryption virtual machine, which does not occupy resources inside the VMM, avoids resource conflicts and improves system stability; on the other hand, the encryption and decryption virtual machine can allocate different keys to the hard disk
- images of different user virtual machines and provide or withhold encryption and decryption services for data streams from different sources, thereby implementing access control of the user virtual machines.
- FIG. 1 is a schematic diagram showing the structure of an encryption and decryption technology in an existing virtualization system.
- FIG. 2 is a schematic structural diagram of a virtual machine system according to an embodiment of the present invention.
- FIG. 3 is a schematic structural diagram of another virtual machine system according to an embodiment of the present invention.
- FIG. 4 is a schematic flowchart of a method for encrypting and decrypting in a virtual machine system according to an embodiment of the present invention.
- FIG. 5 is a schematic flowchart of a method for encrypting and decrypting in another virtual machine system according to an embodiment of the present invention.
- FIG. 6 is a schematic flowchart of a method for creating a user virtual machine according to an embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of a control device in a virtual machine system according to an embodiment of the present invention.
- FIG. 8 is a schematic structural diagram of an encryption and decryption apparatus in a virtualization system according to an embodiment of the present invention.
- FIG. 9 is a schematic diagram showing the hardware configuration of a control device in a virtual machine system according to an embodiment of the present invention.
- FIG. 2 is a schematic structural diagram of a virtualization system according to an embodiment of the present invention, including a VMM 11 and an encryption/decryption virtual machine 13, where the encryption/decryption virtual machine 13 records a first association relationship between a hard disk image identifier and a key,
- the key includes an encryption key, and the VMM 11 includes a control module 110; a second association relationship between the hard disk image identifier and the hard disk image attribute is also recorded in the virtualization system.
- the user virtual machine 12 of FIG. 2 writes data to the underlying hard disk image.
- the control module 110 is configured to acquire the data to be written by the user virtual machine 12, determine according to the second association relationship the hard disk image attribute of the hard disk image to be written by the user virtual machine 12, and, if the determined hard disk image attribute is encrypted, send the identifier of the hard disk image to be written and the data to be written to the encryption/decryption virtual machine 13;
- the encryption/decryption virtual machine 13 is configured to determine the encryption key corresponding to the identifier of the hard disk image to be written according to the first association relationship, encrypt the data to be written with that encryption key to obtain encrypted data, and send the encrypted data to the control module 110;
- the control module 110 is further configured to write the encrypted data into the hard disk image to be written.
- the control module in the VMM is only used to decide whether encryption is needed and to forward the data, so
- its function is simple to implement and the system complexity of the VMM is reduced.
- the encryption and decryption processing in the embodiment of the present invention is performed by a dedicated encryption and decryption virtual machine, which does not consume VMM resources, avoiding resource conflicts and improving system stability; on the other hand, the encryption and decryption virtual machine can allocate different keys to the hard disk images of different user virtual machines and provide or withhold encryption and decryption services for data streams from different sources, enabling access control of the user virtual machines.
- the virtualization system further includes a system management module 14, and the VMM 11
- further includes a virtual machine management module 112.
- the encryption and decryption virtual machine 13 is established first.
- specifically, the encryption and decryption virtual machine 13 can be established using existing virtual machine technology.
- the encryption and decryption processing described here includes key allocation and data encryption and decryption.
- the encryption and decryption virtual machine 13 may have various programs related to the encryption and decryption service installed, such as a rights management program, a key management program and an encryption and decryption program, so that the encryption/decryption virtual machine 13 is dedicated to the encryption and decryption service;
- the specific implementation form is not limited in the present invention.
- the embodiment of the present invention further provides a process for the user virtual machine 12 to read data; the key allocated by the encryption/decryption virtual machine 13 to the hard disk image of the user virtual machine 12 includes an encryption key and a decryption key.
- the specific type of key is not limited in the embodiment of the present invention.
- when the user virtual machine 12 reads data from the hard disk image, it triggers a read request, and the read request carries the identifier of the data to be read.
- the device driver acquires the read request and invokes the control module 110 to process it;
- the control module 110 is further configured to acquire the read request triggered by the user virtual machine, read the data from the hard disk image to be read, determine that the read data is encrypted data, and send a decryption request to the encryption/decryption virtual machine 13, where the decryption request carries the identifier of the user virtual machine, the encrypted data read and the identifier of the hard disk image;
- the encryption/decryption virtual machine 13 is further configured to receive the decryption request and determine whether the first association relationship includes the correspondence between the identifier of the user virtual machine that sent the read request and the identifier of the hard disk image; if so, it obtains from the first association relationship the decryption key corresponding to the identifier of the hard disk image, decrypts the read encrypted data with that key and sends the decrypted data to the control module 110;
- the control module 110 is further configured to return the decrypted data to the user virtual machine 12.
- the control module 110 is further configured to: when the read data is unencrypted data, return the read unencrypted data to the user virtual machine 12.
- the encryption/decryption virtual machine 13 records the first association relationship between the user virtual machine identifier, the hard disk image identifier and the key assigned to the hard disk image of the user virtual machine 12;
- in both the read flow and the write flow, the encryption/decryption virtual machine 13 can determine from the received encryption request or decryption request
- the key of the hard disk image concerned, and thus provide the encryption and decryption processing.
- the embodiment of the present invention further provides a way of recording the first association relationship during the creation of the user virtual machine 12: the system management module 14 is further configured to send a virtual machine creation request to the virtual machine management module 112,
- where the virtual machine creation request carries the attribute of the hard disk image of the user virtual machine 12 to be created; the virtual machine management module 112 is further configured to receive the virtual machine creation request, create the user virtual machine 12, create a hard disk image for the created user virtual machine 12, allocate a hard disk image identifier, determine the hard disk image attribute corresponding to the allocated hard disk image identifier according to the virtual machine creation request, and send a virtual
- machine creation indication message to the encryption/decryption virtual machine 13, where the virtual machine creation indication message carries the identifier of the created user virtual machine 12, the allocated hard disk image identifier and the hard disk image attribute corresponding to the allocated hard disk image identifier;
- the encryption/decryption virtual machine 13 is further configured to receive the virtual machine creation indication message, allocate a key for the created hard disk image, and establish the first association relationship between the identifier of the created user virtual machine 12, the allocated hard disk image identifier and the key.
- the encryption and decryption virtual machine 13 is further configured to send a virtual machine creation response message to the system management module 14, where the virtual machine creation response message includes the identifier of the created user virtual machine 12.
- when the control module 110 provided by the embodiment of the present invention processes a write request or a read request initiated by the user virtual machine 12, it has to determine whether the read/write operation involves data encryption or decryption, and when it does, the data involved is sent to the encryption/decryption virtual machine 13.
- the control module 110 determines according to the foregoing second association relationship whether the data of the read/write operation needs to be encrypted or decrypted.
- the control module 110 may establish the foregoing second association relationship during the startup of the user virtual machine 12; the specific process is: the system management module 14 is configured to send a virtual machine startup request to the virtual machine management module 112,
- where the virtual machine startup request carries the identifier of the user virtual machine 12 to be started.
- the virtual machine management module 112 is configured to receive the virtual machine startup request and start the user virtual machine 12 according to it;
- the hard disk image identifier of the user VM 12 and the hard disk image attribute of the user VM 12 are then sent to the control module 110.
- the control module 110 is further configured to receive and record the hard disk image identifier of the started user virtual machine 12 and its hard disk image attribute, establishing the second association relationship.
- the system management module may be the management module of a cloud computing operating system.
- FIG. 4 is a schematic flowchart of a method for encrypting and decrypting in a virtualization system; the method includes:
- Step 401 The system management module sends a virtual machine creation request to the virtual machine management module, where the virtual machine creation request is used to request the creation of a user virtual machine.
- the system administrator sets the hard disk image attribute of the user VM to be created through the management interface, and the system management
- module carries that hard disk image attribute of the user VM to be created in the virtual machine creation request it sends.
- for example, the system management module indicates in the virtual machine creation request that three hard disk images are to be created for the user virtual machine, and that the hard disk image attribute of one of them is encrypted.
- Step 402 The virtual machine management module receives the virtual machine creation request, creates a user virtual machine, creates a hard disk image for the created user virtual machine, allocates a hard disk image identifier, and determines the hard disk image attribute of the allocated hard disk image according to the virtual machine creation request.
- the virtual machine management module allocates a virtual machine identifier to the user virtual machine and configures resources such as memory, CPU and network card.
- the virtual machine management module allocates a hard disk image identifier to the created hard disk image, determines the hard disk image attribute of the created hard disk image according to the information carried in the virtual machine creation request, and attaches the hard disk image to the user virtual machine.
- in the example above, the virtual machine management module creates three hard disk images for the created user virtual machine and determines, according to the creation request message, that the hard disk image attribute of one of them is encrypted.
- Step 403 The virtual machine management module sends a virtual machine creation indication message to the encryption and decryption virtual machine, where the virtual machine creation indication message carries the identifier of the created user virtual machine, the hard disk image identifier assigned to the created user virtual machine and its hard disk image attribute;
- Step 404 The encryption and decryption virtual machine receives the virtual machine creation indication message, allocates a key for the hard disk image of the user virtual machine, and records the first association relationship between the user virtual machine identifier, the hard disk image identifier and the key.
- Step 405 The encryption and decryption virtual machine returns a virtual machine creation response message to the system management module, where the virtual machine creation response message carries the identifier of the created user virtual machine.
- Step 406 When the system management module determines that a hard disk image is to be added to the user virtual machine, it sends a hard disk image adding request to the virtual machine management module, where the hard disk image adding request message carries the identifier of the user virtual machine and the attribute of the newly added hard disk image;
- the hard disk image attribute carried in the hard disk image adding request indicates whether the newly added hard disk image needs to be encrypted.
- Step 407 The virtual machine management module receives the hard disk image adding request message, creates a new hard disk image for the user virtual machine, allocates a hard disk image identifier to the new hard disk image, sets the hard disk image attribute of the new hard disk image according to the hard disk image adding request message, and attaches the new hard disk image to the user virtual machine as an additional hard disk image of that user virtual machine;
- Step 408 The virtual machine management module sends the user virtual machine identifier, the identifier of the new hard disk image and the hard disk image attribute of the new hard disk image to the encryption and decryption virtual machine.
- Step 409 The encryption and decryption virtual machine allocates a key for the newly allocated hard disk image identifier and updates the first association relationship to record the correspondence between the identifier of the user virtual machine, the hard disk image identifier of the new hard disk image and the key.
- Step 410 The encryption and decryption virtual machine returns a hard disk image adding response message to the system management module, carrying the identifier of the user virtual machine and the identifier of the hard disk image added for the user virtual machine.
- Step 411 The system management module sends a virtual machine startup request to the virtual machine management module, where the virtual machine startup request carries the identifier of the user virtual machine to be started.
- Step 412 The virtual machine management module starts the user virtual machine, and connects the user virtual machine to the hard disk image.
- Step 413 The virtual machine management module sends a virtual machine startup indication message to the control module, carrying the identifier of the started user virtual machine, the identifiers of the hard disk images belonging to that user virtual machine and the corresponding hard disk image attributes.
- Step 414 The control module records the hard disk image identifiers and hard disk image attributes of the started user virtual machine and establishes the second association relationship.
- the identifier of the started user VM may also be included in the second association relationship.
- Step 415 The control module sends a virtual machine startup response message to the system management module, and carries an identifier of the user virtual machine and an identifier of the hard disk image.
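The provisioning sequence of steps 401-415 (and the creation and startup flow described for FIG. 3 above), written out as an added example that is not part of the patent: each module is a small Python class and the messages between them are plain method calls. The class names, the identifier format (`vm-N`, `img-N`) and the attribute strings `"encrypted"` / `"plain"` are assumptions made here; the patent does not fix message formats or identifier schemes. The point the example makes visible is the separation of state: the crypto VM ends up with one fresh key per image and never hands a key out, while the control module ends up with only image identifiers and attributes.

```python
"""Added example (not the patent's code): steps 401-415 as method calls.
All names, identifiers and attribute strings are constructed here."""
import os
from typing import Dict, List, Tuple


class CryptoVM:
    """Encryption/decryption VM: owner of the first association (vm, image) -> key."""

    def __init__(self) -> None:
        self.first_assoc: Dict[Tuple[str, str], bytes] = {}

    def on_vm_created(self, vm_id: str, images: Dict[str, str]) -> str:
        # steps 404-405: a fresh key per image (the attribute does not change that),
        # then the creation response carrying the VM identifier
        for image_id in images:
            self.first_assoc[(vm_id, image_id)] = os.urandom(32)
        return vm_id

    def on_image_added(self, vm_id: str, image_id: str) -> Tuple[str, str]:
        # steps 409-410: key for the new image, first association updated
        self.first_assoc[(vm_id, image_id)] = os.urandom(32)
        return vm_id, image_id


class ControlModule:
    """Control module in the VMM: owner of the second association image -> attribute."""

    def __init__(self) -> None:
        self.second_assoc: Dict[str, str] = {}
        self.vm_images: Dict[str, List[str]] = {}

    def on_vm_started(self, vm_id: str, images: Dict[str, str]) -> Tuple[str, List[str]]:
        # steps 413-415: record identifiers and attributes, answer with the startup response
        for image_id, attr in images.items():
            self.second_assoc[image_id] = attr
        self.vm_images[vm_id] = list(images)
        return vm_id, list(images)


class VMManagement:
    """Virtual machine management module inside the VMM."""

    def __init__(self, crypto_vm: CryptoVM, control: ControlModule) -> None:
        self.crypto_vm, self.control = crypto_vm, control
        self.vms: Dict[str, Dict[str, str]] = {}   # vm_id -> {image_id: attribute}
        self._n = 0

    def _new_id(self, prefix: str) -> str:
        self._n += 1
        return f"{prefix}-{self._n}"

    def create_vm(self, image_attrs: List[str]) -> str:
        # steps 402-403: allocate VM and image identifiers, then notify the crypto VM
        vm_id = self._new_id("vm")
        images = {self._new_id("img"): attr for attr in image_attrs}
        self.vms[vm_id] = images
        return self.crypto_vm.on_vm_created(vm_id, images)

    def add_image(self, vm_id: str, attr: str) -> str:
        # steps 407-408: new image with its attribute, then notify the crypto VM
        image_id = self._new_id("img")
        self.vms[vm_id][image_id] = attr
        self.crypto_vm.on_image_added(vm_id, image_id)
        return image_id

    def start_vm(self, vm_id: str) -> Tuple[str, List[str]]:
        # steps 412-413: start and hand identifiers plus attributes to the control module
        return self.control.on_vm_started(vm_id, self.vms[vm_id])


def provision() -> dict:
    """System management module's side of the constructed scenario from the text:
    three images, one encrypted (step 401), one extra encrypted image (406), start (411)."""
    cvm, ctl = CryptoVM(), ControlModule()
    vmm = VMManagement(cvm, ctl)
    vm_id = vmm.create_vm(["encrypted", "plain", "plain"])
    extra = vmm.add_image(vm_id, "encrypted")
    vmm.start_vm(vm_id)
    keys = [cvm.first_assoc[(vm_id, img)] for img in ctl.vm_images[vm_id]]
    return {
        "vm_id": vm_id,
        "image_count": len(ctl.vm_images[vm_id]),
        "encrypted_images": sorted(i for i, a in ctl.second_assoc.items() if a == "encrypted"),
        "extra_image": extra,
        "keys_distinct": len(set(keys)) == len(keys),
    }


if __name__ == "__main__":
    print(provision())
```

Note that the crypto VM allocates a key even for images whose attribute is `"plain"`: in the patent the attribute is consulted only by the control module (second association), so whether a plain image ever uses its key is decided at write time, not at provisioning time.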
- Step 416 The user virtual machine writes data to the hard disk image to trigger a write request, where the write request carries data to be written.
- the device driver acquires the write request, and the device driver invokes the control module to process the write request.
- the process by which the user virtual machine writes data to the hard disk image may follow the prior art, which is not limited by the embodiment of the present invention. It should be noted that in the foregoing writing process the device driver invokes the control module, so that the control module can determine the attribute of the hard disk image to be written and, when the data to be written needs to be encrypted,
- forward the data to be written to the encryption and decryption virtual machine to complete its encryption, as described in the following steps.
- Step 417 The control module acquires the write request, looks up the second association relationship and determines from it the hard disk image attribute of the hard disk image to be written by the user virtual machine; if the determined hard disk image attribute is encrypted, step 418 is performed, and if it is not encrypted, the control module writes the data to be written through the device driver into the hard disk image to be written by the user virtual machine.
- Step 418 The control module sends an encryption request to the encryption and decryption virtual machine, where the encryption request carries the data to be written and an identifier, and the identifier is used to distinguish the data to be written;
- the identifier includes the identifier of the hard disk image to be written and its hard disk image attribute, and may further include the identifier of the user virtual machine to which the hard disk image belongs;
- Step 419 The encryption/decryption virtual machine receives the encryption request, determines according to the first association relationship the encryption key corresponding to the identifier of the hard disk image to be written, and encrypts the data to be written with that encryption key to obtain encrypted data;
- the encryption/decryption virtual machine may perform rights management on the user virtual machine that initiated the write request: specifically, the encryption and decryption
- virtual machine queries the first association relationship and determines whether the correspondence between the virtual machine identifier and the hard disk image identifier carried in the received identifier is recorded there; if so, the check passes and the encryption key corresponding to the hard disk image identifier is obtained; if not, the user virtual machine does not match the hard disk image and has no right to write data to that hard disk image.
- the encryption and decryption virtual machine may include a key management module, which controls the keys in the first association relationship.
- Step 420 The encryption/decryption virtual machine returns encrypted data obtained by encrypting the data to be written to the control module.
- Step 421 The control module invokes the device driver to write the encrypted data to a hard disk image of the user virtual machine.
- Step 422 The user virtual machine reads data from the hard disk image, and triggers a read request, where the read request carries the data identifier to be read.
- when a read request is triggered, the device driver acquires the read request and invokes the control module to process it.
- Step 423 The control module invokes the function of the device driver to read data from the hard disk image of the user virtual machine. If the read data is encrypted data, step 424 is performed.
- when the device driver containing the control module is loaded, the control module is initialized at the same time.
- the control module invokes the existing addressing function of the device driver, and the device driver reads the required data from the disk.
- the control module may have the capability of calling device driver functions.
- the control module may determine whether the read data is encrypted by checking whether the hard disk image attribute is encrypted: if the attribute of the hard disk image to be read is encrypted, the data read by the control module is encrypted data and step 424 is performed so that the encryption and decryption virtual machine decrypts the read encrypted data; if not, the data read by the control module is non-encrypted and the control module returns it directly to the user virtual machine without decryption.
- Step 424 The control module sends a decryption request to the encryption and decryption virtual machine, where the decryption request carries the encrypted data, the identifier of the user virtual machine, and the identifier of the hard disk image;
- Step 425 The encryption and decryption virtual machine looks up the first association relationship according to the received user virtual machine identifier and hard disk image identifier, obtains the decryption key of that hard disk image of the user virtual machine, and decrypts the encrypted data with the decryption key to obtain the plaintext.
- specifically, the encryption/decryption virtual machine searches the recorded correspondences between user virtual machine identifiers and hard disk image identifiers and determines whether the identifier of the hard disk image and the identifier of the virtual machine to which it belongs are saved there as a pair; if so, it obtains the decryption key corresponding to the recorded hard disk image identifier;
- the key management module in the encryption and decryption virtual machine is configured to manage the decryption key corresponding to each hard disk image of each user virtual machine.
- Step 426 The encryption and decryption virtual machine carries the decrypted plaintext in the decryption response and returns it to the control module.
- Step 427 The control module returns the received plaintext obtained by the decryption to the user virtual machine.
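The write path of steps 416-421 and the read path of steps 422-427, together with the rights check of steps 419 and 425 (the same data path the FIG. 2 description gives above), as an added example that is not the patent's code. The control module keeps only the second association (image identifier to attribute) and a stand-in for the device driver's storage; the crypto VM keeps the first association (VM identifier, image identifier) to key and refuses any request whose pair it has not recorded, which is the access control the text describes. Class names, identifiers and attribute strings are assumptions; the patent names no cipher, so the HMAC-SHA256 counter-mode keystream below is an illustration only, and a real disk-encryption deployment would use AES-XTS or an AEAD mode.

```python
"""Added example (not the patent's code): write/read data path with the
control module in the VMM and a separate crypto VM.  Identifiers, attribute
strings and the keystream cipher are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (illustration only)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class CryptoVM:
    """Encryption/decryption VM: holds the first association; keys never leave it."""

    def __init__(self) -> None:
        self.first_assoc: Dict[Tuple[str, str], bytes] = {}   # (vm_id, image_id) -> key

    def allocate_key(self, vm_id: str, image_id: str) -> None:
        self.first_assoc[(vm_id, image_id)] = os.urandom(32)

    def _key_for(self, vm_id: str, image_id: str) -> Optional[bytes]:
        # rights check of steps 419/425: the requesting VM must be the recorded owner
        return self.first_assoc.get((vm_id, image_id))

    def encrypt(self, vm_id: str, image_id: str, plaintext: bytes) -> Optional[bytes]:
        key = self._key_for(vm_id, image_id)
        if key is None:
            return None                      # encryption failure indication
        nonce = os.urandom(16)
        return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

    def decrypt(self, vm_id: str, image_id: str, ciphertext: bytes) -> Optional[bytes]:
        key = self._key_for(vm_id, image_id)
        if key is None:
            return None                      # VM does not own this image: no plaintext
        nonce, body = ciphertext[:16], ciphertext[16:]
        return _xor(body, _keystream(key, nonce, len(body)))


class ControlModule:
    """Control module in the VMM: holds the second association, never a key."""

    def __init__(self, crypto_vm: CryptoVM) -> None:
        self.crypto_vm = crypto_vm
        self.second_assoc: Dict[str, str] = {}   # image_id -> "encrypted" | "plain"
        self.disk: Dict[str, bytes] = {}          # image_id -> bytes (stands in for the driver)

    def on_vm_started(self, image_id: str, attribute: str) -> None:
        self.second_assoc[image_id] = attribute   # steps 413-414

    def write(self, vm_id: str, image_id: str, data: bytes) -> bool:
        if self.second_assoc.get(image_id) != "encrypted":
            self.disk[image_id] = data            # step 417: plain image, write directly
            return True
        enc = self.crypto_vm.encrypt(vm_id, image_id, data)   # steps 418-420
        if enc is None:
            return False                          # refused: nothing reaches the disk
        self.disk[image_id] = enc                 # step 421
        return True

    def read(self, vm_id: str, image_id: str) -> Optional[bytes]:
        raw = self.disk[image_id]                 # step 423
        if self.second_assoc.get(image_id) != "encrypted":
            return raw
        return self.crypto_vm.decrypt(vm_id, image_id, raw)   # steps 424-427


def demo() -> dict:
    """Constructed scenario: 'vm-1' owns 'img-enc' (encrypted) and 'img-plain'; 'vm-2' owns nothing."""
    cvm = CryptoVM()
    cvm.allocate_key("vm-1", "img-enc")
    ctl = ControlModule(cvm)
    ctl.on_vm_started("img-enc", "encrypted")
    ctl.on_vm_started("img-plain", "plain")
    secret = b"user data that must not rest in clear"
    return {
        "write_ok": ctl.write("vm-1", "img-enc", secret),
        "at_rest_is_cipher": secret not in ctl.disk["img-enc"],
        "read_back": ctl.read("vm-1", "img-enc"),
        "foreign_vm_write": ctl.write("vm-2", "img-enc", b"x"),   # refused by the crypto VM
        "foreign_vm_read": ctl.read("vm-2", "img-enc"),           # None: no key for this pair
        "plain_write": ctl.write("vm-1", "img-plain", b"public"),
        "plain_at_rest": ctl.disk["img-plain"],
    }


if __name__ == "__main__":
    print(demo())
```

The refusal path is the part worth noticing: because the control module never holds a key, a misconfigured or compromised control module can at most forward ciphertext, and a VM whose identifier is not paired with the image in the first association gets neither an encryption service nor a decryption service.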
- steps 401-410 are the creation process of the user virtual machine, in which
- the encryption and decryption virtual machine records the first association relationship; steps 411-415 are the startup process of the user virtual machine, in which
- the virtual machine management module sends the hard disk image identifiers and hard disk image attributes of the started user virtual machine to the control module, and the control module records the second association relationship; steps 416-421 are the write process, in which the control module, on obtaining the data to be written by the user virtual machine, determines the attribute of the corresponding hard disk image to be written.
- Steps 421-427 are the read process, in which
- the control module acquires the read request triggered by the user virtual machine and, if the read data is encrypted data, forwards the encrypted data to the encryption and decryption virtual machine for decryption, thereby obtaining the plaintext.
- The embodiment provides a method for performing data encryption and decryption in a virtual machine system.
- On the one hand, encryption and decryption are performed by a dedicated encryption/decryption virtual machine, so the user virtual machine needs neither changes nor auxiliary software; on the other hand, because the encryption/decryption virtual machine sits outside the user virtual machine, it can encrypt either the non-system disk or the system disk of the user virtual machine.
- The memory, CPU and other resources required by the encryption/decryption virtual machine can be allocated dynamically, which avoids resource conflicts with the host operating system and the virtualization software and improves host reliability. Exposing only defined ports on the encryption/decryption virtual machine and restricting the installation of other applications on it further improve system security.
- Watchdog, dual-process and hot-standby techniques can be used to improve the reliability of the encryption/decryption virtual machine, and anti-virus, anti-Trojan, firewall and similar software can be installed on it to improve its security.
- The control module provided by the embodiment can be installed in a device driver of the VMM and can call the functions of that device driver; it can then provide encryption and decryption services for all types of hard disk images without affecting the build, release, installation or startup of the host software system.
- The control module can also be independent of the device driver; in that case the control module itself must be able to call the device driver functions.
- The keys allocated to hard disk images can be stored in the encryption/decryption virtual machine, so that neither the host nor the virtualization system knows them; this gives good confidentiality.
- The encryption/decryption virtual machine stores the user virtual machine identifier, the hard disk image identifier and related user information. It can therefore assign different keys to the hard disk images of different user virtual machines and provide or refuse encryption and decryption services to data streams from different sources, which implements access control over user virtual machines.
- The hard disk image may be a large file, a local partition, a local block device, a network block device provided over the iSCSI (Internet Small Computer System Interface) protocol, or a file on a network file system such as CIFS (Common Internet File System) or NFS (Network File System).
- Another embodiment provides a method for encryption and decryption in a virtualization system (shown as a schematic flowchart). It applies to a virtualization system that includes a virtual machine monitor (VMM) and an encryption/decryption virtual machine. The VMM includes a control module; the encryption/decryption virtual machine records a first association relationship between hard disk image identifiers and keys, the keys including an encryption key; and the virtualization system records a second association relationship between hard disk image identifiers and hard disk image attributes. The method includes:
- Step 501: The control module obtains data to be written by a user virtual machine and determines, according to the second association relationship, the hard disk image attribute of the hard disk image of the user virtual machine that is to be written. If the determined attribute is encrypted, it sends the identifier of the hard disk image to be written and the data to be written to the encryption/decryption virtual machine.
- Step 502: The control module receives the encrypted data obtained by the encryption/decryption virtual machine encrypting the data to be written with the encryption key, where the encryption key is the key corresponding to the identifier of the hard disk image to be written, as determined by the encryption/decryption virtual machine according to the first association relationship.
- Step 503: The control module writes the encrypted data into the hard disk image to be written.
- A control module for encryption and decryption is added to the VMM. When the control module obtains data to be written by a user virtual machine, it determines from the attribute of the target hard disk image whether the data needs to be encrypted. If so, it sends the data to the encryption/decryption virtual machine, which encrypts it and returns the encrypted data to the control module; the control module then writes the encrypted data into the corresponding hard disk image, achieving encrypted storage of user data.
- The control module in the VMM only has to decide whether the data needs encryption and forward it, which is simple to implement and keeps the complexity of the VMM low. The encryption and decryption processing itself runs in a dedicated encryption/decryption virtual machine, so it occupies no VMM resources, avoids resource conflicts and improves system stability. Moreover, the encryption/decryption virtual machine can assign different keys to the hard disk images of different user virtual machines and provide or refuse encryption and decryption services to data streams from different sources, thereby implementing access control over user virtual machines.
- FIG. 6 is a schematic flowchart of a method for creating a user virtual machine according to an embodiment. It applies to a virtualization system that includes a VMM, a system management module and an encryption/decryption virtual machine, where the VMM includes a virtual machine management module. The method includes:
- Step 601: The encryption/decryption virtual machine receives a virtual machine creation indication message sent by the virtual machine management module. The message carries the identifier of the created user virtual machine, the hard disk image identifier allocated to the created user virtual machine, and the hard disk image attribute corresponding to the allocated identifier.
- Step 602: The encryption/decryption virtual machine allocates a key to the created hard disk image and establishes the first association relationship among the identifier of the created user virtual machine, the allocated hard disk image identifier and the key.
- Step 603: The encryption/decryption virtual machine sends a virtual machine creation response message to the system management module; the message includes the identifier of the created user virtual machine.
- The encryption/decryption virtual machine may also receive a hard disk image addition indication message from the virtual machine management module. The message carries the user virtual machine identifier and the identifier and hard disk image attribute of the hard disk image newly added by the virtual machine management module for that user virtual machine; it is sent after the virtual machine management module creates the new hard disk image for the user virtual machine according to a hard disk image addition request from the system management module.
- The encryption/decryption virtual machine then allocates a key to the newly added hard disk image and updates the first association relationship with the user virtual machine identifier, the new hard disk image identifier and the key allocated to it.
- In this way the virtual machine management module identifies the hard disk images that require the encryption and decryption service and sends the user virtual machine identifier and hard disk image identifier to the encryption/decryption virtual machine; the encryption/decryption virtual machine allocates a key to the hard disk image and records the first association relationship, so that it can later encrypt and decrypt the data the user virtual machine reads from and writes to that image.
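The split between the two tables is the whole design: the control module in the VMM knows only image attributes (second association), while the encryption/decryption virtual machine alone knows keys and which user virtual machine owns which image (first association). The following is an added example, written for this page and not code from the patent or any product implementing it; it models the creation/startup indications described above, the write path of steps 501-503 and the read path with the encryption failure indication returned when a user virtual machine asks for an image that is not mapped to it. All names (`CryptoVM`, `ControlModule`, `register_image`, image ids such as `img-1`), the 512-byte sector size, the in-memory image backing store and the HMAC-SHA256 counter-mode keystream (a stand-in for a real sector cipher such as AES-XTS) are assumptions.

```python
import hashlib
import hmac
import os

SECTOR = 512  # assumed sector size; the real I/O granularity is a VMM detail


class EncryptionFailure(Exception):
    """Stands for the 'encryption failure indication': the (user VM id, image id)
    pair is absent from the first association, so this VM may not use the image."""


class CryptoVM:
    """Dedicated encryption/decryption VM. It alone holds keys and the first
    association; the VMM reaches it only through the request methods below."""

    def __init__(self):
        self._first_assoc = {}  # (vm_id, image_id) -> key

    def register_image(self, vm_id, image_id, attribute):
        """Creation / image-addition indication from the VM management module.
        A key is allocated only for images whose attribute is 'encrypted'."""
        if attribute == "encrypted":
            self._first_assoc[(vm_id, image_id)] = os.urandom(32)
        return {"msg": "vm_create_response", "vm_id": vm_id}

    def _key_for(self, vm_id, image_id):
        key = self._first_assoc.get((vm_id, image_id))
        if key is None:
            raise EncryptionFailure(f"no mapping for ({vm_id!r}, {image_id!r})")
        return key

    @staticmethod
    def _keystream(key, image_id, sector_no, length):
        """Length-preserving keystream tweaked by (image id, sector number), so
        equal plaintext sectors encrypt differently. HMAC-SHA256 in counter mode
        is an assumed stand-in for AES-XTS; like XTS it adds no integrity tag,
        because the ciphertext must fit back into the same sector."""
        out, block = bytearray(), 0
        while len(out) < length:
            msg = f"{image_id}|{sector_no}|{block}".encode()
            out += hmac.new(key, msg, hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def encrypt(self, vm_id, image_id, sector_no, plaintext):
        """Encryption request: association check first, then encrypt."""
        key = self._key_for(vm_id, image_id)
        ks = self._keystream(key, image_id, sector_no, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))

    def decrypt(self, vm_id, image_id, sector_no, ciphertext):
        """Decryption request: same check; with a symmetric key the decryption
        key equals the encryption key and the XOR stream is its own inverse."""
        return self.encrypt(vm_id, image_id, sector_no, ciphertext)


class ControlModule:
    """Control module inside the VMM: holds the second association
    (image id -> attribute) and the image store, never a key."""

    def __init__(self, crypto_vm, sectors_per_image=8):
        self._crypto = crypto_vm
        self._second_assoc = {}  # image_id -> "encrypted" | "plain"
        self._images = {}        # image_id -> bytearray (constructed in-memory images)
        self._size = sectors_per_image * SECTOR

    def on_vm_start(self, vm_id, images):
        """Startup indication: record the attribute of each image of the VM."""
        for image_id, attribute in images:
            self._second_assoc[image_id] = attribute
            self._images.setdefault(image_id, bytearray(self._size))

    def write(self, vm_id, image_id, sector_no, data):
        """Write request from the device driver (steps 501-503)."""
        if len(data) != SECTOR:
            raise ValueError("one full sector per request")
        if self._second_assoc[image_id] == "encrypted":
            data = self._crypto.encrypt(vm_id, image_id, sector_no, data)
        off = sector_no * SECTOR
        self._images[image_id][off:off + SECTOR] = data

    def read(self, vm_id, image_id, sector_no):
        """Read request: only encrypted images go through the crypto VM."""
        data = self.raw(image_id, sector_no)
        if self._second_assoc[image_id] == "encrypted":
            return self._crypto.decrypt(vm_id, image_id, sector_no, data)
        return data

    def raw(self, image_id, sector_no):
        """What is stored in the image, i.e. what someone holding the image
        file on the host or storage backend can read."""
        off = sector_no * SECTOR
        return bytes(self._images[image_id][off:off + SECTOR])


def scenario():
    """Constructed provisioning and I/O run; returns the properties checked."""
    crypto, ctrl = CryptoVM(), None
    ctrl = ControlModule(crypto)
    crypto.register_image("vm-a", "img-1", "encrypted")  # creation indication
    crypto.register_image("vm-a", "img-2", "plain")      # image addition
    crypto.register_image("vm-b", "img-3", "encrypted")
    ctrl.on_vm_start("vm-a", [("img-1", "encrypted"), ("img-2", "plain")])
    ctrl.on_vm_start("vm-b", [("img-3", "encrypted")])
    secret = b"payroll.db: salary=...".ljust(SECTOR, b"\0")  # constructed data
    ctrl.write("vm-a", "img-1", 0, secret)
    ctrl.write("vm-a", "img-1", 1, secret)  # same plaintext, next sector
    ctrl.write("vm-a", "img-2", 0, secret)  # plain image: stored as-is
    results = {
        "roundtrip": ctrl.read("vm-a", "img-1", 0) == secret,
        "at_rest_is_ciphertext": ctrl.raw("img-1", 0) != secret,
        "sectors_differ": ctrl.raw("img-1", 0) != ctrl.raw("img-1", 1),
        "plain_image_unchanged": ctrl.raw("img-2", 0) == secret,
    }
    try:  # vm-b has no (vm-b, img-1) mapping: crypto VM refuses the write
        ctrl.write("vm-b", "img-1", 2, secret)
        results["cross_vm_rejected"] = False
    except EncryptionFailure:
        results["cross_vm_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two points the model makes visible. First, the control module handles plaintext on both paths, so the scheme protects images at rest (on shared storage, in backups, in snapshots copied off the host) and depends on the VMM being trusted; what the host never learns is the key. Second, because the control module writes the ciphertext back into the same place in the image, the cipher must be length-preserving and therefore carries no integrity tag; a per-sector tweak is what keeps identical sectors from revealing each other, and anyone who can modify the image file can still flip ciphertext bits.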
- FIG. 7 is a schematic structural diagram of a control device in a virtual machine system according to an embodiment. The control device is located in the VMM of a virtualization system that further includes an encryption/decryption virtual machine. The encryption/decryption virtual machine records a first association relationship between hard disk image identifiers and keys, the keys including an encryption key, and the virtualization system records a second association relationship between hard disk image identifiers and hard disk image attributes.
- The control device includes:
- an obtaining unit 701, configured to obtain data to be written by a user virtual machine;
- a processing unit 702, configured to determine, according to the second association relationship, the hard disk image attribute of the hard disk image of the user virtual machine that is to be written;
- a sending unit 703, configured to send the identifier of the hard disk image to be written and the data to be written to the encryption/decryption virtual machine when the hard disk image attribute determined by the processing unit 702 is encrypted;
- the obtaining unit 701 being further configured to receive the encrypted data obtained by the encryption/decryption virtual machine encrypting the data to be written with the encryption key, where the encryption key is the key corresponding to the identifier of the hard disk image to be written, as determined by the encryption/decryption virtual machine according to the first association relationship;
- a writing unit 704, configured to write the encrypted data received by the obtaining unit 701 into the hard disk image to be written.
- The keys further include a decryption key.
- The obtaining unit 701 is further configured to obtain a read request triggered by the user virtual machine.
- The processing unit 702 is further configured to read data from the hard disk image to be read and determine that the read data is encrypted data.
- The sending unit 703 is further configured to send a decryption request to the encryption/decryption virtual machine when the processing unit 702 determines that the read data is encrypted data; the decryption request carries the identifier of the user virtual machine, the read encrypted data and the identifier of the hard disk image.
- The obtaining unit 701 is further configured to receive the decrypted data returned by the encryption/decryption virtual machine. The decrypted data is obtained by the encryption/decryption virtual machine, after it has determined that the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image, decrypting the encrypted data with the decryption key corresponding to the hard disk image identifier as determined from the first association relationship.
- The sending unit 703 is further configured to return the decrypted data received by the obtaining unit 701 to the user virtual machine.
- The sending unit 703 is further configured to return the read data directly to the user virtual machine when the processing unit 702 determines that it is non-encrypted data.
- The obtaining unit 701 is further configured to receive a virtual machine startup indication message sent by the virtual machine management module; the message carries the identifier of the started user virtual machine and the hard disk image identifiers and hard disk image attributes of that virtual machine.
- The processing unit 702 is further configured to record the hard disk image identifiers and hard disk image attributes of the started user virtual machine and update the second association relationship.
- The obtaining unit 701 is specifically configured to obtain, from the device driver, the write request triggered by the user virtual machine, where the write request carries the data to be written.
- An embodiment further provides an encryption/decryption apparatus in a virtualization system (shown as a schematic structural diagram). The virtualization system includes the encryption/decryption apparatus, a VMM and a system management module; the VMM includes a virtual machine management module; and the encryption/decryption apparatus includes:
- a receiving unit 801, configured to receive a virtual machine creation indication message sent by the virtual machine management module. The message carries the identifier of the created user virtual machine, the hard disk image identifier allocated to the created user virtual machine and the hard disk image attribute corresponding to the allocated identifier; it is sent after the virtual machine management module creates the user virtual machine and its hard disk image according to a virtual machine creation request from the system management module;
- an executing unit 802, configured to allocate a key to the created hard disk image after the receiving unit 801 receives the virtual machine creation indication message, and to establish the first association relationship among the identifier of the created user virtual machine, the allocated hard disk image identifier and the key;
- a message returning unit 803, configured to send a virtual machine creation response message, which includes the identifier of the created user virtual machine, to the system management module.
- The receiving unit 801 is further configured to receive a hard disk image addition indication message sent by the virtual machine management module. The message carries the user virtual machine identifier and the identifier and hard disk image attribute of the hard disk image newly added by the virtual machine management module for that user virtual machine; it is sent after the virtual machine management module creates the new hard disk image according to a hard disk image addition request from the system management module.
- The executing unit 802 is further configured to allocate a key to the newly added hard disk image after the receiving unit 801 receives the hard disk image addition indication message, and to update the first association relationship with the user virtual machine identifier, the new hard disk image identifier and the key allocated to the new hard disk image.
- The VMM includes a control module.
- The receiving unit 801 is further configured to receive an encryption request sent by the control module; the request carries the identifier of the user virtual machine, the identifier of the hard disk image to be written and the data to be written.
- The executing unit 802 is further configured to determine whether the first association relationship includes the correspondence between the identifier of the user virtual machine received by the receiving unit 801 and the identifier of the hard disk image to be written and, if so, to determine according to the first association relationship the encryption key corresponding to the identifier of the hard disk image to be written and encrypt the data to be written with that key to obtain encrypted data.
- The message returning unit 803 is further configured to return an encryption failure indication to the control module when the executing unit 802 determines that the first association relationship does not include the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image to be written, and to send the encrypted data to the control module when the executing unit 802 determines that it does.
- The receiving unit 801 is further configured to receive a decryption request sent by the control module; the request carries the identifier of the user virtual machine, the read encrypted data and the identifier of the hard disk image.
- The executing unit 802 is further configured to determine whether the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image received by the receiving unit 801 and, if so, to obtain from the first association relationship the decryption key corresponding to the identifier of the hard disk image and decrypt the read encrypted data with it to obtain decrypted data.
- The message returning unit 803 is further configured to send the decrypted data to the control module.
- The advantages described above for the encryption and decryption method apply equally to this apparatus: the control module in the VMM only decides whether data needs encryption and forwards it, encryption and decryption run in a dedicated virtual machine that consumes no VMM resources, and per-image keys allow the encryption/decryption virtual machine to provide or refuse service to data streams from different sources, implementing access control over user virtual machines.
- The control device includes at least one processor (e.g. a CPU), at least one network interface or other communication interface, a memory, and at least one communication bus that connects these components.
- The processor executes executable modules stored in the memory to implement the functions of the components of the control module in the above embodiments.
- The memory may include high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk memory.
- The communication connection between the control module and at least one other network element is implemented through at least one network interface (wired or wireless), which may use the Internet, a wide area network, a local area network, a metropolitan area network or the like.
- Program instructions are stored in a computer-readable medium as computer-executable instructions; when executed by the processor of a computer, they perform the method described in any of the above embodiments.
- The apparatus that performs the encryption and decryption method in a virtualized system may include the components indicated in the foregoing embodiments; for their specific implementation, refer to the corresponding content of the foregoing embodiments, which is not repeated here.
Claims (29)
1. A virtualization system, characterized in that it includes a virtual machine monitor (VMM) and an encryption/decryption virtual machine; the VMM includes a control module; the encryption/decryption virtual machine records a first association relationship between hard disk image identifiers and keys, the keys including an encryption key; the virtualization system records a second association relationship between hard disk image identifiers and hard disk image attributes; the control module is configured to obtain data to be written by a user virtual machine, determine according to the second association relationship the hard disk image attribute of the hard disk image of the user virtual machine to be written and, if the determined hard disk image attribute is encrypted, send the identifier of the hard disk image to be written and the data to be written to the encryption/decryption virtual machine; the encryption/decryption virtual machine is configured to determine according to the first association relationship the encryption key corresponding to the identifier of the hard disk image to be written, encrypt the data to be written using the encryption key to obtain encrypted data, and send the encrypted data to the control module; and the control module is further configured to write the encrypted data into the hard disk image to be written.
2. The system according to claim 1, wherein the first association relationship further includes user virtual machine identifiers; the control module is specifically configured to send the identifier of the user virtual machine, the identifier of the hard disk image to be written and the data to be written to the encryption/decryption virtual machine; and the encryption/decryption virtual machine is specifically configured to obtain the identifier of the user virtual machine and the identifier of the hard disk image to be written, determine whether the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image to be written, and if not, return an encryption failure indication to the control module, or if so, encrypt the data to be written using the encryption key corresponding to the determined identifier of the hard disk image to be written.
3. The system according to claim 2, wherein the keys further include a decryption key; the control module is further configured to obtain a read request triggered by the user virtual machine, read data from the hard disk image to be read, determine that the read data is encrypted data, and send a decryption request to the encryption/decryption virtual machine, the decryption request carrying the identifier of the user virtual machine, the read encrypted data and the identifier of the hard disk image; the encryption/decryption virtual machine is further configured to receive the decryption request, determine whether the first association relationship includes the correspondence between the identifier of the user virtual machine that sent the read request and the identifier of the hard disk image, and if so, obtain from the first association relationship the decryption key corresponding to the identifier of the hard disk image, decrypt the read encrypted data using the decryption key, and send the obtained decrypted data to the control module; and the control module is further configured to return the decrypted data to the user virtual machine.
4. The system according to claim 3, wherein the control module is further configured to return the read data to the user virtual machine when it determines that the read data is non-encrypted data.
5. The system according to any one of claims 2 to 4, wherein the system further includes a system management module and a virtual machine management module; the system management module is configured to send a virtual machine startup request to the virtual machine management module, the request carrying the identifier of the user virtual machine to be started; the virtual machine management module is configured to receive the virtual machine startup request, start the user virtual machine to be started according to it, and send the hard disk image identifiers and hard disk image attributes of the started user virtual machine to the control module; and the control module is further configured to receive and record the hard disk image identifiers and hard disk image attributes of the started user virtual machine and establish the second association relationship.
6. The system according to any one of claims 2 to 5, wherein the system further includes a system management module and a virtual machine management module; the system management module is further configured to send a virtual machine creation request to the virtual machine management module, the request carrying the attribute of the hard disk image of the user virtual machine to be created; the virtual machine management module is further configured to receive the virtual machine creation request, create the user virtual machine, create a hard disk image for the created user virtual machine, allocate a hard disk image identifier, determine according to the virtual machine creation request the hard disk image attribute corresponding to the allocated hard disk image identifier, and send a virtual machine creation indication message to the encryption/decryption virtual machine, the message carrying the identifier of the created user virtual machine, the allocated hard disk image identifier and the hard disk image attribute corresponding to the allocated hard disk image identifier; and the encryption/decryption virtual machine is further configured to receive the virtual machine creation indication message, allocate a key to the created hard disk image, and establish the first association relationship among the identifier of the created user virtual machine, the allocated hard disk image identifier and the key.
7. The system according to claim 6, wherein the encryption/decryption virtual machine is further configured to send a virtual machine creation response message to the system management module, the message including the identifier of the created user virtual machine.
8. The system according to claim 6, wherein the system management module is further configured to send a hard disk image addition request message to the virtual machine management module, the message carrying the user virtual machine identifier and the attribute of the hard disk image to be added; the virtual machine management module is further configured to receive the hard disk image addition request message, create a new hard disk image for the user virtual machine, determine the hard disk image attribute of the new hard disk image according to the hard disk image addition request message, and send the user virtual machine identifier, the identifier of the new hard disk image and its hard disk image attribute to the encryption/decryption virtual machine; and the encryption/decryption virtual machine is further configured to allocate a key to the new hard disk image and update the first association relationship.
9. The system according to claim 1, wherein the control module is specifically configured to obtain from a device driver the write request triggered by the user virtual machine, the write request carrying the data to be written.
10. An encryption and decryption method in a virtualization system, characterized in that it applies to a virtualization system including a virtual machine monitor (VMM) and an encryption/decryption virtual machine, the VMM including a control module, the encryption/decryption virtual machine recording a first association relationship between hard disk image identifiers and keys, the keys including an encryption key, and the virtualization system recording a second association relationship between hard disk image identifiers and hard disk image attributes, the method including: the control module obtains data to be written by a user virtual machine, determines according to the second association relationship the hard disk image attribute of the hard disk image of the user virtual machine to be written and, if the determined hard disk image attribute is encrypted, sends the identifier of the hard disk image to be written and the data to be written to the encryption/decryption virtual machine; the control module receives the encrypted data obtained by the encryption/decryption virtual machine encrypting the data to be written using the encryption key, where the encryption key is the encryption key corresponding to the identifier of the hard disk image to be written as determined by the encryption/decryption virtual machine according to the first association relationship; and the control module writes the encrypted data into the hard disk image to be written.
11. The method according to claim 10, wherein the first association relationship further includes user virtual machine identifiers and the keys further include a decryption key, the method further including: the control module obtains a read request triggered by the user virtual machine, reads data from the hard disk image to be read, determines that the read data is encrypted data, and sends a decryption request to the encryption/decryption virtual machine, the decryption request carrying the identifier of the user virtual machine, the read encrypted data and the identifier of the hard disk image; the control module receives the decrypted data returned by the encryption/decryption virtual machine, where the decrypted data is obtained by the encryption/decryption virtual machine, after determining that the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image, decrypting the encrypted data using the decryption key corresponding to the hard disk image identifier as determined according to the first association relationship; and the control module returns the decrypted data to the user virtual machine.
12. The method according to claim 11, further including: when the control module determines that the read data is non-encrypted data, it returns the read non-encrypted data to the user virtual machine.
13. The method according to claim 10, wherein the system further includes a virtual machine management module, and the method further includes: the control module receives a virtual machine startup indication message sent by the virtual machine management module, the message carrying the identifier of the started user virtual machine and the hard disk image identifiers and hard disk image attributes of the started user virtual machine; and the control module records the hard disk image identifiers and hard disk image attributes of the started user virtual machine and updates the second association relationship.
14. The method according to claim 10, wherein the control module obtaining the data to be written by the user virtual machine includes: the control module obtains from a device driver the write request triggered by the user virtual machine, the write request carrying the data to be written.
15. A method for creating a user virtual machine, characterized in that it applies to a virtualization system including a VMM, a system management module and an encryption/decryption virtual machine, the VMM including a virtual machine management module, the method including: the encryption/decryption virtual machine receives a virtual machine creation indication message sent by the virtual machine management module, the message carrying the identifier of the created user virtual machine, the hard disk image identifier allocated to the created user virtual machine and the hard disk image attribute corresponding to the allocated hard disk image identifier, the virtual machine creation indication message being sent by the virtual machine management module after it creates the user virtual machine and the hard disk image according to a virtual machine creation request sent by the system management module; the encryption/decryption virtual machine allocates a key to the created hard disk image and establishes a first association relationship among the identifier of the created user virtual machine, the allocated hard disk image identifier and the key; and the encryption/decryption virtual machine sends a virtual machine creation response message to the system management module, the message including the identifier of the created user virtual machine.
16. The method according to claim 15, further including: the encryption/decryption virtual machine receives a hard disk image addition indication message sent by the virtual machine management module, the message carrying the user virtual machine identifier and the identifier and hard disk image attribute of the hard disk image newly added by the virtual machine management module for the user virtual machine, the hard disk image addition indication message being sent by the virtual machine management module after it creates the new hard disk image for the user virtual machine according to a hard disk image addition request sent by the system management module; and the encryption/decryption virtual machine allocates a key to the new hard disk image and updates the first association relationship with the user virtual machine identifier, the new hard disk image identifier and the key allocated to the new hard disk image.
17. The method according to claim 15, wherein the VMM includes a control module, and the method further includes: the encryption/decryption virtual machine receives an encryption request sent by the control module, the encryption request carrying the identifier of the user virtual machine, the identifier of the hard disk image to be written and the data to be written; determines whether the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image to be written; if not, returns an encryption failure indication to the control module; and if so, determines according to the first association relationship the encryption key corresponding to the identifier of the hard disk image to be written, encrypts the data to be written using the encryption key to obtain encrypted data, and sends the encrypted data to the control module so that the control module writes the encrypted data into the hard disk image to be written.
18. The method according to claim 17, further including: the encryption/decryption virtual machine receives a decryption request sent by the control module, the decryption request carrying the identifier of the user virtual machine, the read encrypted data and the identifier of the hard disk image; determines whether the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image; and if so, obtains from the first association relationship the decryption key corresponding to the identifier of the hard disk image, decrypts the read encrypted data using the decryption key, and sends the obtained decrypted data to the control module so that the control module returns the decrypted data to the user virtual machine.
19. A control apparatus in a virtualization system, characterized in that the control apparatus is located in the VMM of the virtualization system, the virtualization system further includes an encryption/decryption virtual machine, the encryption/decryption virtual machine records a first association relationship between hard disk image identifiers and keys, the keys including an encryption key, and the virtualization system records a second association relationship between hard disk image identifiers and hard disk image attributes, the control apparatus including: an obtaining unit configured to obtain data to be written by a user virtual machine; a processing unit configured to determine according to the second association relationship the hard disk image attribute of the hard disk image of the user virtual machine to be written; a sending unit configured to, when the hard disk image attribute determined by the processing unit is encrypted, send the identifier of the hard disk image to be written and the data to be written to the encryption/decryption virtual machine; the obtaining unit being further configured to receive the encrypted data obtained by the encryption/decryption virtual machine encrypting the data to be written using the encryption key, where the encryption key is the encryption key corresponding to the identifier of the hard disk image to be written as determined by the encryption/decryption virtual machine according to the first association relationship; and a writing unit configured to write the encrypted data received by the obtaining unit into the hard disk image to be written.
20. The apparatus according to claim 19, wherein the keys further include a decryption key; the obtaining unit is further configured to obtain a read request triggered by the user virtual machine; the processing unit is further configured to read data from the hard disk image to be read and determine that the read data is encrypted data; the sending unit is further configured to, when the processing unit determines that the read data is encrypted data, send a decryption request to the encryption/decryption virtual machine, the decryption request carrying the identifier of the user virtual machine, the read encrypted data and the identifier of the hard disk image; the obtaining unit is further configured to receive the decrypted data returned by the encryption/decryption virtual machine, where the decrypted data is obtained by the encryption/decryption virtual machine, after determining that the first association relationship includes the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image, decrypting the encrypted data using the decryption key corresponding to the hard disk image identifier as determined according to the first association relationship; and the sending unit is further configured to return the decrypted data received by the obtaining unit to the user virtual machine.
21. The apparatus according to claim 20, wherein the sending unit is further configured to, when the processing unit determines that the read data is non-encrypted data, return the read non-encrypted data to the user virtual machine.
22. The apparatus according to claim 19, wherein the obtaining unit is further configured to receive a virtual machine startup indication message sent by a virtual machine management module, the message carrying the identifier of the started user virtual machine and the hard disk image identifiers and hard disk image attributes of the started user virtual machine; and the processing unit is further configured to record the hard disk image identifiers and hard disk image attributes of the started user virtual machine and update the second association relationship.
23. The apparatus according to claim 19, wherein the obtaining unit is specifically configured to obtain from a device driver the write request triggered by the user virtual machine, the write request carrying the data to be written.
24. An encryption and decryption apparatus in a virtualization system, characterized in that it applies to a virtualization system including the encryption and decryption apparatus, a VMM and a system management module, the VMM including a virtual machine management module, the encryption and decryption apparatus including: a receiving unit configured to receive a virtual machine creation indication message sent by the virtual machine management module, the message carrying the identifier of the created user virtual machine, the hard disk image identifier allocated to the created user virtual machine and the hard disk image attribute corresponding to the allocated hard disk image identifier, the virtual machine creation indication message being sent by the virtual machine management module after it creates the user virtual machine and the hard disk image according to a virtual machine creation request sent by the system management module; an executing unit configured to, after the receiving unit receives the virtual machine creation indication message, allocate a key to the created hard disk image and establish a first association relationship among the identifier of the created user virtual machine, the allocated hard disk image identifier and the key; and a message returning unit configured to send a virtual machine creation response message to the system management module, the message including the identifier of the created user virtual machine.
25. The apparatus according to claim 24, wherein the receiving unit is further configured to receive a hard disk image addition indication message sent by the virtual machine management module, the message carrying the user virtual machine identifier and the identifier and hard disk image attribute of the hard disk image newly added by the virtual machine management module for the user virtual machine, the hard disk image addition indication message being sent by the virtual machine management module after it creates the new hard disk image for the user virtual machine according to a hard disk image addition request sent by the system management module; and the executing unit is further configured to, after the receiving unit receives the hard disk image addition indication message, allocate a key to the new hard disk image and update the first association relationship with the user virtual machine identifier, the new hard disk image identifier and the key allocated to the new hard disk image.
26. The apparatus according to claim 24, wherein the VMM includes a control module; the receiving unit is further configured to receive an encryption request sent by the control module, the encryption request carrying the identifier of the user virtual machine, the identifier of the hard disk image to be written and the data to be written; the executing unit is further configured to determine whether the first association relationship includes the correspondence between the identifier of the user virtual machine received by the receiving unit and the identifier of the hard disk image to be written and, if so, determine according to the first association relationship the encryption key corresponding to the identifier of the hard disk image to be written and encrypt the data to be written using the encryption key to obtain encrypted data; and the message returning unit is further configured to return an encryption failure indication to the control module when the executing unit determines that the first association relationship does not include the correspondence between the identifier of the user virtual machine and the identifier of the hard disk image to be written, and to send the encrypted data to the control module when the executing unit determines that the first association relationship includes that correspondence.
27. The apparatus according to claim 26, wherein the receiving unit is further configured to receive a decryption request sent by the control module, the decryption request carrying the identifier of the user virtual machine, the read encrypted data and the identifier of the hard disk image; the executing unit is further configured to determine whether the first association relationship includes the correspondence between the identifier of the user virtual machine received by the receiving unit and the identifier of the hard disk image and, if so, obtain from the first association relationship the decryption key corresponding to the identifier of the hard disk image and decrypt the read encrypted data using the decryption key to obtain decrypted data; and the message returning unit is further configured to send the obtained decrypted data to the control module.
28. A control apparatus in a virtualization system, characterized in that the apparatus includes a processor, a memory, a bus and a communication interface; the memory is configured to store computer-executable instructions; the processor is connected to the memory through the bus; and when the apparatus runs, the processor executes the computer-executable instructions stored in the memory so that the control apparatus in the virtualization system performs the method according to any one of claims 10 to 18.
29. A computer-readable medium, characterized in that it includes computer-executable instructions which, when executed by a processor of a computer, cause the computer to perform the method according to any one of claims 10 to 18.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017504166A JP6414863B2 (ja) | 2014-12-30 | 2014-12-30 | 仮想化システムにおける暗号復号方法および装置、およびシステム |
CN201480056793.7A CN106063218B (zh) | 2014-12-30 | 2014-12-30 | 虚拟化系统中加解密的方法、装置和系统 |
EP14909378.3A EP3160103B1 (en) | 2014-12-30 | 2014-12-30 | Method, apparatus and system for encryption/decryption in virtualization system |
PCT/CN2014/095598 WO2016106566A1 (zh) | 2014-12-30 | 2014-12-30 | 虚拟化系统中加解密的方法、装置和系统 |
US15/637,091 US9959410B2 (en) | 2014-12-30 | 2017-06-29 | Encryption and decryption method and apparatus in virtualization system, and system |
US15/935,744 US10409990B2 (en) | 2014-12-30 | 2018-03-26 | Encryption and decryption method and apparatus in virtualization system, and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2014/095598 WO2016106566A1 (zh) | 2014-12-30 | 2014-12-30 | 虚拟化系统中加解密的方法、装置和系统 |
Related Child Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15637091 A-371-Of-International | 2014-12-30 | | |
US15/637,091 Continuation US9959410B2 (en) | 2014-12-30 | 2017-06-29 | Encryption and decryption method and apparatus in virtualization system, and system |
US15/935,744 Continuation US10409990B2 (en) | 2014-12-30 | 2018-03-26 | Encryption and decryption method and apparatus in virtualization system, and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016106566A1 true WO2016106566A1 (zh) | 2016-07-07 |
Family
ID=56283847
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2014/095598 WO2016106566A1 (zh) | 2014-12-30 | 2014-12-30 | 虚拟化系统中加解密的方法、装置和系统 |
Country Status (5)
Country | Link |
---|---|
US (2) | US9959410B2 (zh) |
EP (1) | EP3160103B1 (zh) |
JP (1) | JP6414863B2 (zh) |
CN (1) | CN106063218B (zh) |
WO (1) | WO2016106566A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110297687A (zh) * | 2018-03-21 | 2019-10-01 | 阿里巴巴集团控股有限公司 | 基于虚拟主机的数据交互方法、装置及系统 |
CN110971656A (zh) * | 2018-10-01 | 2020-04-07 | 施耐德电器工业公司 | 区块链中的数据的安全存储 |
CN111741068A (zh) * | 2020-05-20 | 2020-10-02 | 中国电子科技网络信息安全有限公司 | 一种虚拟机镜像链密钥模型及其数据加密密钥传输方法 |
CN110971656B (zh) * | 2018-10-01 | 2024-04-26 | 施耐德电器工业公司 | 区块链中的数据的安全存储 |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9892265B1 (en) * | 2015-03-31 | 2018-02-13 | Veritas Technologies Llc | Protecting virtual machine data in cloud environments |
US9767318B1 (en) * | 2015-08-28 | 2017-09-19 | Frank Dropps | Secure controller systems and associated methods thereof |
CN105184154B (zh) * | 2015-09-15 | 2017-06-20 | 中国科学院信息工程研究所 | 一种在虚拟化环境中提供密码运算服务的系统和方法 |
US10303899B2 (en) * | 2016-08-11 | 2019-05-28 | Intel Corporation | Secure public cloud with protected guest-verified host control |
CN106775924B (zh) * | 2016-11-07 | 2018-08-07 | 北京百度网讯科技有限公司 | 虚拟机启动方法和装置 |
US11687654B2 (en) * | 2017-09-15 | 2023-06-27 | Intel Corporation | Providing isolation in virtualized systems using trust domains |
CN109190386B (zh) * | 2018-04-04 | 2021-11-12 | 中国电子科技网络信息安全有限公司 | 基于Device Mapper的容器镜像分层加密存储方法 |
CN109639424B (zh) * | 2018-12-25 | 2022-06-17 | 超越科技股份有限公司 | 一种基于不同密钥的虚拟机镜像加密方法及装置 |
US11537421B1 (en) * | 2019-06-07 | 2022-12-27 | Amazon Technologies, Inc. | Virtual machine monitor providing secure cryptographic operations |
CN110334531B (zh) * | 2019-07-01 | 2023-07-11 | 深信服科技股份有限公司 | 虚拟机密钥的管理方法、主节点、系统、存储介质及装置 |
KR102179185B1 (ko) * | 2020-07-02 | 2020-11-17 | 굿모닝아이텍(주) | 서버 관리 시스템 |
KR102175317B1 (ko) * | 2020-07-02 | 2020-11-06 | 굿모닝아이텍(주) | 데스크톱 가상화 |
US11936791B2 (en) * | 2020-09-21 | 2024-03-19 | Jason Burt | Verification of the reliability of software and devices against assertions and guarantees |
CN112748984B (zh) * | 2020-12-28 | 2022-12-06 | 海光信息技术股份有限公司 | 虚拟机数据处理、控制方法、处理器、芯片、装置及介质 |
CN114553478A (zh) * | 2022-01-13 | 2022-05-27 | 成都储迅科技有限责任公司 | 一种基于国密的云服务器访问固态硬盘的安全系统和方法 |
CN114285675B (zh) * | 2022-03-07 | 2022-07-12 | 杭州优云科技有限公司 | 一种报文转发方法及设备 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101976317A (zh) * | 2010-11-05 | 2011-02-16 | 北京世纪互联工程技术服务有限公司 | 一种私有云计算应用中虚拟机镜像安全方法 |
CN103107994A (zh) * | 2013-02-06 | 2013-05-15 | 中电长城网际系统应用有限公司 | 一种虚拟化环境数据安全隔离方法和系统 |
CN103457919A (zh) * | 2012-06-04 | 2013-12-18 | 中兴通讯股份有限公司 | 虚拟机镜像的安全验证方法和装置 |
CN103563278A (zh) * | 2011-05-20 | 2014-02-05 | 西里克斯系统公司 | 保护加密的虚拟硬盘 |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005096120A1 (ja) * | 2004-04-02 | 2005-10-13 | Matsushita Electric Industrial Co., Ltd. | Execution device |
JP4782871B2 (ja) * | 2007-10-03 | 2011-09-28 | 富士通株式会社 | Device access control program, device access control method, and information processing apparatus |
US8364983B2 (en) * | 2008-05-08 | 2013-01-29 | Microsoft Corporation | Corralling virtual machines with encryption keys |
CN101587524B (zh) | 2009-06-23 | 2015-02-11 | 宏碁电脑(上海)有限公司 | Data storage device encryption method based on a virtual system |
US9367341B2 (en) * | 2010-03-30 | 2016-06-14 | Red Hat Israel, Ltd. | Encrypting and decrypting virtual disk content using a single user sign-on |
WO2011150346A2 (en) * | 2010-05-28 | 2011-12-01 | Laurich Lawrence A | Accelerator system for use with secure data storage |
JP5552942B2 (ja) * | 2010-07-28 | 2014-07-16 | 富士通株式会社 | Information transmission device, network system, information transmission method, and information transmission program |
CN102034046B (zh) * | 2010-12-10 | 2012-10-03 | 北京世纪互联工程技术服务有限公司 | Disk-driver-based low-level data encryption method in a cloud computing environment |
US8495356B2 (en) * | 2010-12-31 | 2013-07-23 | International Business Machines Corporation | System for securing virtual machine disks on a remote shared storage subsystem |
US9021264B2 (en) * | 2011-02-03 | 2015-04-28 | Cloudlink Technologies Inc. | Method and system for cloud based storage |
JP5786611B2 (ja) * | 2011-09-30 | 2015-09-30 | 富士通株式会社 | Storage device and storage system |
CN103067425B (zh) * | 2011-10-20 | 2016-04-27 | 中国移动通信集团公司 | Virtual machine creation method, virtual machine management system and related devices |
CN102609643A (zh) * | 2012-01-10 | 2012-07-25 | 道里云信息技术(北京)有限公司 | Method for dynamic cryptographic protection of virtual machines and the key management it requires |
US9250945B2 (en) * | 2012-03-27 | 2016-02-02 | Microsoft Technology Licensing, Llc | Detecting a repeating execution time sequence in a virtual machine |
CN103634339A (zh) | 2012-08-22 | 2014-03-12 | 中国银联股份有限公司 | Virtual encryption machine apparatus, financial encryption machine and method for encrypting messages |
CN104756127B (zh) * | 2012-10-12 | 2018-03-27 | 皇家飞利浦有限公司 | Secure data processing by means of a virtual machine |
US9215067B2 (en) * | 2013-04-05 | 2015-12-15 | International Business Machines Corporation | Achieving storage efficiency in presence of end-to-end encryption using downstream decrypters |
US10671545B2 (en) * | 2014-06-28 | 2020-06-02 | Vmware, Inc. | Asynchronous encryption and decryption of virtual machine memory for live migration |
CN104104692B (zh) * | 2014-08-05 | 2017-03-08 | 中孚信息股份有限公司 | Virtual machine encryption method, decryption method and encryption/decryption control system |
- 2014
  - 2014-12-30 JP JP2017504166A patent/JP6414863B2/ja active Active
  - 2014-12-30 CN CN201480056793.7A patent/CN106063218B/zh active Active
  - 2014-12-30 WO PCT/CN2014/095598 patent/WO2016106566A1/zh active Application Filing
  - 2014-12-30 EP EP14909378.3A patent/EP3160103B1/en active Active
- 2017
  - 2017-06-29 US US15/637,091 patent/US9959410B2/en active Active
- 2018
  - 2018-03-26 US US15/935,744 patent/US10409990B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101976317A (zh) * | 2010-11-05 | 2011-02-16 | 北京世纪互联工程技术服务有限公司 | Virtual machine image security method for private cloud computing applications |
CN103563278A (zh) * | 2011-05-20 | 2014-02-05 | 西里克斯系统公司 | Securing encrypted virtual hard disks |
CN103457919A (zh) * | 2012-06-04 | 2013-12-18 | 中兴通讯股份有限公司 | Security verification method and apparatus for virtual machine images |
CN103107994A (zh) * | 2013-02-06 | 2013-05-15 | 中电长城网际系统应用有限公司 | Data security isolation method and system for a virtualized environment |
Non-Patent Citations (1)
Title |
---|
See also references of EP3160103A4 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110297687A (zh) * | 2018-03-21 | 2019-10-01 | 阿里巴巴集团控股有限公司 | Virtual-host-based data interaction method, apparatus and system |
CN110297687B (zh) * | 2018-03-21 | 2023-05-30 | 阿里巴巴集团控股有限公司 | Virtual-host-based data interaction method, apparatus and system |
CN110971656A (zh) * | 2018-10-01 | 2020-04-07 | 施耐德电器工业公司 | Secure storage of data in a blockchain |
CN110971656B (zh) * | 2018-10-01 | 2024-04-26 | 施耐德电器工业公司 | Secure storage of data in a blockchain |
CN111741068A (zh) * | 2020-05-20 | 2020-10-02 | 中国电子科技网络信息安全有限公司 | Virtual machine image chain key model and data encryption key transmission method therefor |
CN111741068B (zh) * | 2020-05-20 | 2022-03-18 | 中国电子科技网络信息安全有限公司 | Data encryption key transmission method |
Also Published As
Publication number | Publication date |
---|---|
US10409990B2 (en) | 2019-09-10 |
EP3160103B1 (en) | 2019-11-20 |
EP3160103A4 (en) | 2017-10-18 |
EP3160103A1 (en) | 2017-04-26 |
CN106063218B (zh) | 2018-06-05 |
US20180218156A1 (en) | 2018-08-02 |
JP2017535091A (ja) | 2017-11-24 |
US20170300695A1 (en) | 2017-10-19 |
JP6414863B2 (ja) | 2018-10-31 |
US9959410B2 (en) | 2018-05-01 |
CN106063218A (zh) | 2016-10-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2016106566A1 (zh) | | Encryption and decryption method, apparatus and system in a virtualized system |
US11200327B1 (en) | | Protecting virtual machine data in cloud environments |
US9461819B2 (en) | | Information sharing system, computer, project managing server, and information sharing method used in them |
US10262130B2 (en) | | System and method for providing cryptographic operation service in virtualization environment |
US9317316B2 (en) | | Host virtual machine assisting booting of a fully-encrypted user virtual machine on a cloud environment |
US9300640B2 (en) | | Secure virtual machine |
US8977842B1 (en) | | Hypervisor enabled secure inter-container communications |
US11675914B2 (en) | | Secure information storage |
KR20160097892A (ko) | | Virtualization-based security service providing apparatus and method |
JP2011048661A (ja) | | Virtual server encryption system |
US11327782B2 (en) | | Supporting migration of virtual machines containing enclaves |
JP5524355B2 (ja) | | Virtual computer management method, computer system and computer |
TWI786373B (zh) | | Computer-implemented method, computer system and computer program product for secure execution guest owner controls for secure interface control |
WO2023273647A1 (zh) | | Virtualized trusted platform module implementation method, security processor and storage medium |
JP2023511834A (ja) | | Binding secure objects of a security module to a secure guest |
US20140189235A1 (en) | | Stealth appliance between a storage controller and a disk array |
US20220326975A1 (en) | | Transparent data reduction in private/public cloud environments for host encrypted data |
JP2013003612A (ja) | | System and method for concealing data when using a virtual server |
KR20040020175A (ko) | | Method for decrypting a content file in kernel mode by applying a public-key encryption algorithm, and a DRM client program using it that is independent of viewer-program plug-in support |
JP2020043493A (ja) | | Network device and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14909378 Country of ref document: EP Kind code of ref document: A1 |
 | REEP | Request for entry into the european phase | Ref document number: 2014909378 Country of ref document: EP |
 | WWE | Wipo information: entry into national phase | Ref document number: 2014909378 Country of ref document: EP |
 | ENP | Entry into the national phase | Ref document number: 2017504166 Country of ref document: JP Kind code of ref document: A |
 | NENP | Non-entry into the national phase | Ref country code: DE |