WO2018099157A1 - Method and device for encrypting file system - Google Patents

Method and device for encrypting file system Download PDF

Info

Publication number
WO2018099157A1
WO2018099157A1 PCT/CN2017/101226 CN2017101226W WO2018099157A1 WO 2018099157 A1 WO2018099157 A1 WO 2018099157A1 CN 2017101226 W CN2017101226 W CN 2017101226W WO 2018099157 A1 WO2018099157 A1 WO 2018099157A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
random number
encrypted data
metadata
target
Prior art date
Application number
PCT/CN2017/101226
Other languages
French (fr)
Chinese (zh)
Inventor
浦世亮
叶敏
林鹏
汪渭春
林起芊
Original Assignee
杭州海康威视数字技术股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 杭州海康威视数字技术股份有限公司 filed Critical 杭州海康威视数字技术股份有限公司
Publication of WO2018099157A1 publication Critical patent/WO2018099157A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Definitions

  • the present application relates to the field of file system technologies, and in particular, to a file system encryption method and apparatus.
  • file systems such as FAT16 (File Allocation Table) and NTFS (New Technology File System). These file systems manage data on disks and writes to disk.
  • the data may be any type of data such as text or video.
  • a file system including a metadata boot area, a metadata index area, and a data area can be created on the disk by a formatting operation.
  • the metadata boot area is used to store information of the file system itself, that is, file system information, such as version information of the file system, location information of the metadata index area, size information of the data block in the data area, and location information of the data block. Wait.
  • the data area includes a plurality of data blocks for storing the data itself to be stored.
  • the metadata index area is used for storing index data corresponding to each data block in the data area, and each index data record has data attribute information of data stored in the corresponding data block, such as data size information, data owner information, and data occupation. The number information of the data block, etc.
  • the attacker can crack the storage structure of the file system by analyzing the plaintext, and obtain the file in the crack. After the storage structure of the system, the storage location information of the data stored in the file system can be obtained, and the data stored in the file system can be obtained, and the stored data cannot be secured.
  • the purpose of the embodiment of the present application is to provide a file system encryption method and device to improve the text.
  • the embodiment of the present application provides a file system encryption method, where the method may include:
  • the first encrypted data is stored in the metadata index area.
  • the method may further include:
  • the second encrypted data is stored in the metadata boot area.
  • the method may further include:
  • the step of storing the first encrypted data in the metadata index area may include:
  • the method may further include:
  • the step of storing the second encrypted data in the metadata boot area may be include:
  • the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
  • the method may further include:
  • the I frame in the target video is encrypted to obtain the third encrypted data
  • the method further includes:
  • the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
  • the method may further include:
  • the embodiment of the present application provides a file system encryption device, where the device may include:
  • a formatting module for creating a metadata index area by a formatting operation
  • a random number generating module configured to: when performing a formatting operation on the target disk, generate a first random number corresponding to the metadata index area created by the formatting module formatting operation; wherein the formatting operation is performed Installing a target file system on the target disk;
  • an encryption module configured to encrypt data stored in the metadata index area according to the first random number, to obtain first encrypted data
  • a storage module configured to store the first encrypted data in the metadata index area.
  • the random number generating module is further configured to: when performing a formatting operation on the target disk, generate a second random number corresponding to the metadata boot area created by the formatting module formatting operation ;
  • the encryption module is further configured to: encrypt the data stored in the metadata boot area to obtain second encrypted data based on the second random number; and the storage module is further configured to: The second encrypted data is stored in the metadata boot area.
  • the encryption module is further configured to: encrypt the first random number, and obtain first random number encrypted data;
  • the storage module is configured to: store the first encrypted data and the first random number encrypted data in the metadata index area.
  • the encryption module is further configured to: encrypt the second random number, and obtain second random number encrypted data;
  • the storage module is configured to: store the second encrypted data and the second random number encrypted data in the metadata boot area.
  • the random number generating module is configured to: when performing a formatting operation on the target disk, generate a first random number corresponding to the metadata index area created by the formatting operation;
  • the encryption module is further configured to:
  • the I frame in the target video is encrypted to obtain the third encrypted data
  • the storage module is further configured to: store the third encrypted data, and remaining video frames in the target video, into a data area created by the formatting operation, where the remaining video frames are a video frame other than the I frame in the target video.
  • the apparatus may further include: obtaining a module
  • the obtaining module is used to:
  • the storage module stores the third encrypted data and the remaining video frames in the target video to the data area created by the formatting module formatting operation, obtaining the stored third encrypted data a first number of the data block and a second number of the data block of the remaining video frame;
  • the formatting module is further configured to create an alternate metadata boot area and an alternate metadata index area on the target disk by using the formatting operation;
  • the random number generating module is further configured to: when performing a formatting operation on the target disk, generate a fourth random number corresponding to the spare metadata boot area, and corresponding to the spare metadata index area Fifth random number;
  • the cryptographic module is further configured to: encrypt, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; and based on the fifth random number, the spare metadata index area The stored data is encrypted to obtain a fifth encrypted data;
  • the storage module is further configured to: store the fourth encrypted data into the spare metadata boot area; and store the fifth encrypted data into the spare metadata index area.
  • the embodiment of the present application further provides a storage medium for storing executable program code, where the executable program code is executed to execute the file system encryption method according to the embodiment of the present application.
  • the embodiment of the present application further provides an application program, where the application is used to execute the file system encryption method according to the embodiment of the present application.
  • an embodiment of the present application further provides an electronic device, including: a housing, a processor, a memory, a circuit board, and a power supply circuit, wherein the circuit board is disposed inside the space enclosed by the housing, the processor and the memory Provided on a circuit board; a power supply circuit for supplying power to each circuit or device; a memory for storing executable program code; and a processor for executing the file described in the embodiment of the present application by running executable program code stored in the memory System encryption method.
  • the metadata index area in the process of creating a metadata index area of the target file system by a formatting operation, generating a first random number corresponding to the metadata index area; and based on the first random number, The data stored in the metadata index area is encrypted to obtain first encrypted data; and the first encrypted data is stored in the metadata index area.
  • the metadata index area stores ciphertext data, and the attacker cannot parse the index data corresponding to the ciphertext data, thereby improving the security of the data stored in the data area of the target file system.
  • FIG. 1 is a flowchart of a file system encryption method according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a file system according to an embodiment of the present application.
  • FIG. 3 is a flowchart of a method for updating data stored in a metadata index area in an embodiment of the present application
  • FIG. 4 is a schematic structural diagram of a file system encryption apparatus according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
  • the embodiment of the present application provides a file system encryption method and device.
  • a file system encryption method provided by an embodiment of the present application is first described below.
  • the execution subject of the file system encryption method provided by the embodiment of the present application is a terminal.
  • Terminals include, but are not limited to, computers and mobile phones.
  • the function software for implementing the file system encryption method provided by the embodiment of the present application may be: a special file system encryption software set in the terminal, or a function plug-in installed in the file system encryption software in the terminal, which is It is reasonable.
  • the file system encryption method provided by the embodiment of the present application may include the following steps:
  • S101 When performing a formatting operation on the target disk, generating a first random number corresponding to the metadata index area created by the formatting operation; wherein the formatting operation is used to install the target file system on the target disk;
  • a metadata boot area when a target file system needs to be installed on a target disk, a metadata boot area, a metadata index area, and a data area can be created on the target disk by a formatting operation.
  • the first random number corresponding to the metadata index area can be generated. Since the data stored in the metadata index area is often composed of multiple pieces of index data, in one implementation, a random first random number may be generated for each index data, the process including: on the target disk When the formatting operation is performed, the number of index data existing in the metadata index area created by the formatting operation is determined, and the first random number of the target quantity is generated, and the target quantity is the same as the number of the number of the pieces, that is, the generated first number The number of random numbers is the same as the number of index data present in the metadata index area. In another implementation, a first random number may be generated for the created metadata index region, that is, only one first random number is generated for the plurality of index data, thereby reducing the time for generating the first random number.
  • the first random number may be generated by a random number generator in the terminal performing the formatting operation, of course, without being limited thereto.
  • a random number generator in the terminal performing the formatting operation, of course, without being limited thereto.
  • the metadata boot area created by the formatting operation is used to store basic information of the target file system to be installed, such as version information of the target file system, location information of the metadata index area, and data area. Size information of the data block, location information of the data block, and the like.
  • the created metadata index area is used to store data attribute information of data stored in the data area, such as data size information, data owner information, and number information of data blocks occupied by the data.
  • the created data area is used to store the data itself, and the data itself can be pictures, videos, texts, etc., of course, not limited to this.
  • S102 Encrypt data stored in the metadata index area according to the first random number, to obtain first encrypted data.
  • the formatting operation simply erases and overwrites the data in the metadata boot area of the original file system. The data written before the formatting operation and the index data corresponding to the data are not cleared.
  • the attacker can parse the data attribute information (such as the data size information, the data owner information, and the number information of the data block occupied by the data) of the data written before the formatting operation according to the index data that is not cleared. Further, according to the obtained number information of the data block, the storage location of the data can be accurately located, thereby obtaining data under the storage location.
  • the data attribute information such as the data size information, the data owner information, and the number information of the data block occupied by the data
  • the data stored in the metadata index area may be encrypted based on the first random number to obtain the first encrypted data. And storing the first encrypted data in the metadata index area, so that the attacker can only obtain the ciphertext data stored in the metadata index area after finding the metadata index area, that is, the attacker does not know the decryption key.
  • the plaintext data corresponding to the ciphertext data cannot be obtained. In this way, the data attribute information of the data stored in the target file system cannot be obtained, and the security of the stored data is guaranteed.
  • the manner in which the data stored in the metadata index area is encrypted can effectively prevent the first encrypted data from being cracked.
  • the first random number is generated during the formatting process, that is, each formatting process produces a random first random number.
  • the metadata index area in the process of creating a metadata index area of the target file system by a formatting operation, generating a first random number corresponding to the metadata index area; and based on the first random number, the metadata index area
  • the stored data is encrypted to obtain first encrypted data; the first encrypted data is stored in a metadata index area.
  • the first random number may be added to any position of the data stored in the metadata index area, and then the encryption algorithm is utilized. And encrypting the data after adding the first random number to obtain the first encrypted data.
  • the first random number may be XORed with the data stored in the metadata index area, and then the data obtained by the XOR operation is encrypted by using an encryption algorithm to obtain the first encryption. data.
  • the XOR operation can be performed by using INDEX and RAND_IM: INDEX ⁇ RAND_IM, and the result of the exclusive OR operation is performed. Encrypted to obtain the first encrypted data: Enc(INDEX ⁇ RAND_IM).
  • the encryption algorithm involved in the foregoing two implementation manners may adopt a symmetric encryption algorithm or an asymmetric encryption algorithm.
  • the symmetric encryption algorithm includes but is not limited to the DES (Data Encryption Standard) algorithm, the 3DES (Triple Data Encryption) algorithm, and the AES (Advanced Encryption Standard) algorithm.
  • Method; asymmetric encryption algorithms include but are not limited to the RSA algorithm and the Elgamal algorithm.
  • the DES algorithm, the 3DES algorithm, the AES algorithm, the RSA algorithm, and the Elgamal algorithm are all existing algorithms, the process of performing encryption calculation using the above encryption algorithm is not described in detail herein.
  • each of the index data may be encrypted by using the foregoing method, thereby obtaining the first encrypted data, which is not described in detail herein.
  • the formatting operation creates a metadata boot area on the target disk when the target disk is formatted, if the basic information of the obtained target file system is directly written to the metadata boot area, when the attacker obtains When the basic information is used, the location information corresponding to the data area can be known, and the data desired by the attacker can be found from all the data stored in the data area.
  • the basic information has been described above, and will not be described here.
  • the second random corresponding to the metadata boot area created by the formatting operation may be generated when the target disk is formatted.
  • the data stored in the metadata boot area is encrypted based on the second random number to obtain the second encrypted data; and the second encrypted data is stored in the metadata boot area.
  • the created metadata may also be guided for the second random number of the metadata boot area.
  • the data stored in the area is encrypted, so that after the attacker finds the metadata boot area, the attacker cannot obtain the basic information of the target file system according to the ciphertext data stored in the metadata boot area, thereby further ensuring the security of the stored data. .
  • the data stored in the metadata boot area is encrypted, and the second encrypted data is obtained, so that the second encrypted data can also effectively resist the attack of the ciphertext attack mode, thereby improving the attack.
  • the security of the stored data because the second random number is combined, the data stored in the metadata boot area is encrypted, and the second encrypted data is obtained, so that the second encrypted data can also effectively resist the attack of the ciphertext attack mode, thereby improving the attack. The security of the stored data.
  • the data stored in the metadata boot area is encrypted to obtain an implementation manner of the second encrypted data, and an implementation manner of obtaining the first encrypted data may be adopted.
  • the exclusive OR operation may be performed by using SUPER and RAND_MAIN: SUPER ⁇ RAND_MAIN, and the result of the exclusive OR operation is performed. Encrypt to obtain the second encrypted data: Enc(SUPER ⁇ RAND_MAIN).
  • the first encrypted data after the data stored in the metadata index area is encrypted, after obtaining the first encrypted data, in order to facilitate the decryption, and in order to prevent the first random number from being obtained by the attacker, the first Before the step of storing the encrypted data in the metadata index area, encrypting the first random number to obtain the first random number encrypted data;
  • the first encrypted data is RAND_IM
  • the first encrypted data is obtained: Enc(RAND_IM).
  • the step of storing the first encrypted data in the metadata index area may include storing the first encrypted data and the first random number encrypted data in a metadata index area.
  • the step of storing the second encrypted data in the metadata boot area may include storing the second encrypted data and the second random number encrypted data in the metadata boot area.
  • the target file system can still work normally.
  • the formatting operation is also performed. Create an alternate metadata boot area and an alternate metadata index area on the target disk;
  • the method may further include:
  • the data stored in the spare metadata index area is encrypted based on the fifth random number to obtain the fifth encrypted data; and the fifth encrypted data is stored in the spare metadata index area.
  • the encryption method for obtaining the fourth encrypted data and the fifth encrypted data may be an encryption method for obtaining the first encrypted data, and details are not described herein.
  • the target file system installed by the formatting operation may include: a metadata index area, a metadata boot area, a data area, an alternate metadata index area, and an alternate metadata boot area.
  • the metadata index area may be used to store the first encrypted data corresponding to the data to be stored, and the first random number encrypted data.
  • the data to be stored in the metadata index area may include: index data 1 to index data N, The first random number 1 to the first random number N, so that the N pieces of index data can be encrypted based on the first random, thereby obtaining the first encrypted data, so that the metadata index area stores the first encrypted data.
  • the metadata boot area may be used to store second encrypted data corresponding to data to be stored (ie, boot area data), and second random number encrypted data.
  • the data to be stored in the metadata boot area may include: boot area data and a second random number. Therefore, the boot area data can be encrypted based on the second random number to obtain the second encrypted data, so that the metadata boot area stores the second encrypted data.
  • the metadata boot area can be used to store basic information of the target file system, and can also be used to store block bitmap information, and the block bitmap information refers to the usage of each data block (ie, data). Block idle state) information. That is to say, it is reasonable to encrypt the basic information and the block bitmap information based on the second random number to obtain the second encrypted data.
  • the spare metadata index area is different from the first encrypted data to be stored in the metadata index area, but the index data corresponding to the stored first encrypted data is the same. This is because the first random number is randomly generated, that is, since the first random number generated each time is different, the first encrypted data and the metadata stored in the backup metadata index area are backed up in the case where the index data is the same. The first encrypted data stored in the index area is not the same. In the same way, the spare metadata is stored in the boot area. The stored second encrypted data is not the same as the second encrypted data stored in the metadata boot area, and will not be described in detail herein.
  • the data block is used to store the data itself to be stored, and the data stored in the data block includes but is not limited to text, pictures and video.
  • the data stored in the data block is text or picture
  • the text or the picture may be encrypted, and then the encrypted data is encrypted. Stored in the corresponding data block.
  • the method may further include:
  • the I frame in the target video refers to the key frame of the target video.
  • the target video is divided into I frames, B frames, and P frames for storage. Since these frames include specific frame header information, the attacker can determine which frames are key frames by parsing the frame header information of the frames after obtaining the storage location of the video, and then crack the target video according to the key frames.
  • the H264 code stream is an existing video coding format, which is not described in detail herein.
  • the target video cannot be parsed, so only the I frame in the target video can be encrypted to obtain the third encrypted data; and the third encrypted data and the target video are excluded from the I frame.
  • the remaining video frames (such as B frames and P frames) are stored in the data area of the target file system.
  • I frame, the B frame, and the P frame of the video are all existing concepts, and can be identified by the prior art, and will not be described in detail herein.
  • the third encrypted data, and the remaining video frames in the target video are stored in the data area created by the formatting operation in step S2, in order to update the data block storing the data.
  • Corresponding index data as shown in FIG. 3, the method may further include:
  • S4 Decrypt the first encrypted data stored in the metadata index area according to the first random number, to obtain the first decrypted data
  • the corresponding index data in the metadata index area also needs to be changed accordingly.
  • the first encrypted data in the metadata index area is decrypted first, and the first decrypted data is obtained; and the data attribute information corresponding to the target video is replaced by the first decrypted data.
  • Corresponding information; and encrypting the replaced data ie, the new first decrypted data.
  • the third random number is used to encrypt the new first decrypted data, and then the encrypted data is stored.
  • the decrypting operation of the first encrypted data stored in the metadata index area may include: obtaining the first encrypted data stored in the metadata index area: Enc (INDEX ⁇ RAND_IM), and according to the first encrypted data
  • the encryption algorithm corresponding to the encryption algorithm: Dec ⁇ Enc(INDEX ⁇ RAND_IM) ⁇ decrypts the first decrypted data: INDEX ⁇ RAND_IM; obtains the first random number encrypted data: Enc(RAND_IM), and the decryption algorithm corresponding to the encryption algorithm of the first random number encrypted data: Dec ⁇ Enc(RAND_IM), decrypting to get RAND_IM; thus, the decrypted INDEX ⁇ RAND_IM and RAND_IM can be XORed to obtain INDEX.
  • the encrypted data obtained by the encryption may be decrypted by using the above decryption operation, and will not be described in detail herein.
  • the terminal When the terminal receives the instruction to format the target disk, it begins to perform the formatting operation: first, it determines whether the target disk is normal. If it is not normal, the terminal prompts the formatting operation failure message; if it is normal, perform the following operations:
  • a metadata index area an alternate metadata index area, a metadata boot area, an alternate metadata boot area, and a data area are created on the target disk.
  • the first random number, the second random number, the fourth random number, and the fifth random number are generated by the random number generator of the terminal. Further, encrypting data stored in the metadata index area based on the first random number, encrypting data stored in the metadata boot area based on the second random number, and encrypting data stored in the spare metadata index area based on the fourth random number, And encrypting the data stored in the spare metadata boot area based on the fifth random number, so that the formatting operation is completed, and the target file system is obtained.
  • the target text may be encrypted and calculated by using a preset encryption algorithm; and the encrypted data is stored in the Nth data block in the data area; and the decrypted metadata in the index area First encrypting data, obtaining first decrypted data; using number of target texts According to the attribute information, the index data corresponding to the data block N in the first decrypted data is replaced; after the replacement is completed, the new first decrypted data is obtained; and the new first decrypted data is encrypted to obtain a new first encrypted data. Complete the update of the index data.
  • the embodiment of the present application further provides a file system encryption device, where the device may include:
  • a formatting module 401 configured to create a metadata index area by using a formatting operation
  • the random number generating module 402 is configured to generate, when performing a formatting operation on the target disk, a first random number corresponding to the metadata index area created by the formatting operation of the formatting module 401; wherein the formatting operation is used in The target file system is mounted on the target disk;
  • the encryption module 403 is configured to encrypt data stored in the metadata index area based on the first random number to obtain first encrypted data.
  • the storage module 404 is configured to store the first encrypted data in the metadata index area.
  • the metadata index area in the process of creating a metadata index area of the target file system by a formatting operation, generating a first random number corresponding to the metadata index area; and based on the first random number, the metadata index area
  • the stored data is encrypted to obtain first encrypted data; the first encrypted data is stored in a metadata index area.
  • the random number generating module 402 is further configured to: when performing a formatting operation on the target disk, generate a second random number corresponding to the metadata boot area created by the formatting operation of the formatting module 401;
  • the encryption module 403 is further configured to: encrypt the data stored in the metadata boot area to obtain the second encrypted data based on the second random number; and the storage module 304 is further configured to: store the second encrypted data in the metadata. Boot area.
  • the encryption module 403 is further configured to: encrypt the first random number, and obtain the first random number encrypted data;
  • the storage module 404 is specifically configured to: store the first encrypted data and the first random number encrypted data in a metadata index area.
  • the encryption module 403 is further configured to: encrypt the second random number, and obtain the second random number encrypted data;
  • the storage module 404 is specifically configured to: store the second encrypted data and the second random number encrypted data in the metadata boot area.
  • the random number generating module 402 is specifically configured to: when performing a formatting operation on the target disk, generate a first random number corresponding to the metadata index area created by the formatting operation;
  • the target disk when the target disk is formatted, the number of index data existing in the metadata index area created by the formatting operation is determined, and the first random number of the target quantity is generated, and the target quantity is the same as the number of the number of the pieces.
  • the encryption module 403 is further configured to:
  • the I frame in the target video file is encrypted to obtain the third encrypted data
  • the storage module 404 is further configured to: store the third encrypted data, and the remaining video frames in the target video, into a data area created by a formatting operation, where the remaining video frames are videos other than the I frame in the target video. frame.
  • the method further includes: obtaining a module
  • the obtaining module is configured to: after the storage module 404 stores the third encrypted data and the remaining video frames in the target video to the data area created by the formatting operation of the formatting module 401, obtain the data block storing the third encrypted data. The first number, and the second number of the data block of the remaining video frame;
  • the new first decrypted data is encrypted based on the third random number to obtain new first encrypted data.
  • the formatting module 401 is further configured to create an alternate metadata boot area and an alternate metadata index area on the target disk by using a formatting operation;
  • the random number generating module 402 is further configured to: when performing a formatting operation on the target disk, generate a fourth random number corresponding to the spare metadata boot area, and a fifth random number corresponding to the spare metadata index area;
  • the encryption module 403 is further configured to: encrypt the data stored in the spare metadata boot area to obtain the fourth encrypted data based on the fourth random number; and encrypt the data stored in the spare metadata index area based on the fifth random number , obtaining the fifth encrypted data;
  • the storage module 404 is further configured to: store the fourth encrypted data into the spare metadata boot area; and store the fifth encrypted data into the spare metadata index area.
  • the embodiment of the present application further provides a storage medium for storing executable program code, where the executable program code is used to execute at runtime: file system encryption provided by the embodiment of the present application. method.
  • file system encryption method may include the following steps:
  • the first encrypted data is stored in the metadata index area.
  • the method may further include:
  • the second encrypted data is stored in the metadata boot area.
  • the method may further include:
  • the step of storing the first encrypted data in the metadata index area may include:
  • the method may further include:
  • the step of storing the second encrypted data in the metadata boot area may include:
  • the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
  • the method may further include:
  • the I frame in the target video is encrypted to obtain the third encrypted data
  • the method further includes:
  • the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
  • the method may further include:
  • the embodiment of the present application further provides an application program for performing the file system encryption method provided by the embodiment of the present application.
  • the file system encryption method may include the following steps:
  • the first encrypted data is stored in the metadata index area.
  • the method may further include:
  • the second encrypted data is stored in the metadata boot area.
  • the method may further include:
  • the step of storing the first encrypted data in the metadata index area may include:
  • the method may further include:
  • the step of storing the second encrypted data in the metadata boot area may include:
  • the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
  • the method may further include:
  • the I frame in the target video is encrypted to obtain the third encrypted data
  • the method further includes:
  • the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
  • the method may further include:
  • the embodiment of the present application further provides an electronic device, including: a housing 510, a processor 520, a memory 530, a circuit board 540, and a power circuit 550, wherein the circuit board 540 is disposed in the housing 510.
  • the processor 520 and the memory 530 are disposed on the circuit board 540; the power supply circuit 540 is used to supply power to the respective circuits or devices; the memory 530 is used to store executable program code; and the processor 520 is stored in the running memory.
  • Executable code to execute this application Please provide the file system encryption method provided in the embodiment.
  • the file system encryption method may include the following steps:
  • the first encrypted data is stored in the metadata index area.
  • the method may further include:
  • the second encrypted data is stored in the metadata boot area.
  • the method may further include:
  • the step of storing the first encrypted data in the metadata index area may include:
  • the method may further include:
  • the step of storing the second encrypted data in the metadata boot area may include:
  • the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
  • the method may further include:
  • the I frame in the target video is encrypted to obtain the third encrypted data
  • the method further includes:
  • the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
  • the method may further include:

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are a method and device for encrypting a file system. The method comprises: when carrying out a formatting operation on a target disk, generating a first random number corresponding to a metadata index region created and generated by means of the formatting operation, wherein the formatting operation is used for installing a target file system on the target disk (S101); based on the first random number, encrypting data stored in the metadata index region to obtain first encrypted data (S102); and storing the first encrypted data in the metadata index region (S103). By applying the method and the device, the security of data stored in a file system is improved.

Description

一种文件系统加密方法及装置File system encryption method and device
本申请要求于2016年12月02日提交中国专利局、申请号为201611097134.5申请名称为“一种文件系统加密方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。The present application claims the priority of the Chinese Patent Application entitled "A File System Encryption Method and Apparatus" filed on Dec. 2, 2016, filed on Dec. 2, 2016, the content of which is hereby incorporated by reference. .
技术领域Technical field
本申请涉及文件系统技术领域,特别是涉及一种文件系统加密方法及装置。The present application relates to the field of file system technologies, and in particular, to a file system encryption method and apparatus.
背景技术Background technique
目前相关技术中存在多种文件系统,例如:FAT16(File Allocation Table,文件分配表)和NTFS(New Technology File System,新技术文件系统)等文件系统。这些文件系统可以对磁盘和写入磁盘的数据进行管理。其中,所述数据可以是文本或者视频等任意类型的数据。Currently, there are various file systems in the related art, such as a file system such as FAT16 (File Allocation Table) and NTFS (New Technology File System). These file systems manage data on disks and writes to disk. The data may be any type of data such as text or video.
通常,当需要在磁盘上安装文件系统时,可以通过格式化操作,在磁盘上创建包括元数据引导区、元数据索引区和数据区等区域的文件系统。其中,元数据引导区用于存储文件系统本身的信息,即文件系统信息,例如文件系统的版本信息、元数据索引区的位置信息、数据区中数据块的大小信息和数据块的位置信息等等。数据区包括多个数据块,数据块用于存储所要存储的数据本身。元数据索引区用于存储数据区中每个数据块所对应的索引数据,每条索引数据记录有对应的数据块中所存数据的数据属性信息,例如数据大小信息、数据所有者信息和数据占用的数据块的编号信息等。Generally, when a file system needs to be mounted on a disk, a file system including a metadata boot area, a metadata index area, and a data area can be created on the disk by a formatting operation. The metadata boot area is used to store information of the file system itself, that is, file system information, such as version information of the file system, location information of the metadata index area, size information of the data block in the data area, and location information of the data block. Wait. The data area includes a plurality of data blocks for storing the data itself to be stored. The metadata index area is used for storing index data corresponding to each data block in the data area, and each index data record has data attribute information of data stored in the corresponding data block, such as data size information, data owner information, and data occupation. The number information of the data block, etc.
但是,由于目前文件系统的元数据引导区、元数据索引区和数据区存储的都是明文数据,因此攻击者可以通过对明文进行分析的方式,破解得到文件系统的存储结构,在破解得到文件系统的存储结构后,可以获得文件系统中存储的数据的存储位置信息,进而可以获得文件系统中所存储的数据,无法保证所存储的数据的安全。However, since the metadata boot area, the metadata index area, and the data area of the current file system are all stored in plaintext data, the attacker can crack the storage structure of the file system by analyzing the plaintext, and obtain the file in the crack. After the storage structure of the system, the storage location information of the data stored in the file system can be obtained, and the data stored in the file system can be obtained, and the stored data cannot be secured.
发明内容Summary of the invention
本申请实施例的目的在于提供一种文件系统加密方法及装置,以提高文 件系统中所存储的数据的安全性。The purpose of the embodiment of the present application is to provide a file system encryption method and device to improve the text. The security of the data stored in the system.
第一方面,本申请实施例提供了一种文件系统加密方法,所述方法可以包括:In a first aspect, the embodiment of the present application provides a file system encryption method, where the method may include:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数;其中,所述格式化操作用于在所述目标磁盘上安装目标文件系统;Generating, by the formatting operation of the target disk, a first random number corresponding to the metadata index area created by the formatting operation; wherein the formatting operation is for installing the target file on the target disk system;
基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,得到第一加密数据;And encrypting, according to the first random number, data stored in the metadata index area to obtain first encrypted data;
将所述第一加密数据存储在所述元数据索引区。The first encrypted data is stored in the metadata index area.
可选地,在本申请的一个实施例中,所述方法还可以包括:Optionally, in an embodiment of the present application, the method may further include:
在对所述目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据引导区所对应的第二随机数;Generating a second random number corresponding to the metadata boot area created by the formatting operation when performing a formatting operation on the target disk;
基于所述第二随机数,对所述元数据引导区所存储的数据进行加密,得到第二加密数据;And encrypting data stored in the metadata guiding area to obtain second encrypted data based on the second random number;
将所述第二加密数据存储在所述元数据引导区。The second encrypted data is stored in the metadata boot area.
可选地,在将所述第一加密数据存储在所述元数据索引区的步骤之前,还可以包括:Optionally, before the step of storing the first encrypted data in the metadata index area, the method may further include:
加密所述第一随机数,获得第一随机数加密数据;Encrypting the first random number to obtain first random number encrypted data;
相应地,将所述第一加密数据存储在所述元数据索引区的步骤可以包括:Correspondingly, the step of storing the first encrypted data in the metadata index area may include:
将所述第一加密数据和所述第一随机数加密数据,存储在所述元数据索引区。And storing the first encrypted data and the first random number encrypted data in the metadata index area.
可选地,在将所述第二加密数据存储在所述元数据引导区的步骤之前,还可以包括:Optionally, before the step of storing the second encrypted data in the metadata boot area, the method may further include:
加密所述第二随机数,获得第二随机数加密数据;Encrypting the second random number to obtain second random number encrypted data;
相应地,所述将所述第二加密数据存储在所述元数据引导区的步骤可以 包括:Correspondingly, the step of storing the second encrypted data in the metadata boot area may be include:
将所述第二加密数据和所述第二随机数加密数据,存储在所述元数据引导区。And storing the second encrypted data and the second random number encrypted data in the metadata boot area.
可选地,所述在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数的步骤,可以包括:Optionally, the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的一个第一随机数;Generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk;
或者,or,
在对目标磁盘进行格式化操作时,确定通过所述格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,所述目标数量与所述条数的数量相同。When performing a formatting operation on the target disk, determining the number of index data existing in the metadata index area created by the formatting operation, generating a target number of first random numbers, the target quantity and the number of the pieces The number is the same.
可选地,在本申请的又一个实施例中,所述方法还可以包括:Optionally, in still another embodiment of the present application, the method may further include:
当需要在所安装的目标文件系统中存储目标视频时,对所述目标视频中的I帧进行加密,得到第三加密数据;When the target video needs to be stored in the installed target file system, the I frame in the target video is encrypted to obtain the third encrypted data;
将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区,所述剩余视频帧为所述目标视频中除所述I帧外的视频帧。And storing the third encrypted data and the remaining video frames in the target video to a data area created by the formatting operation, wherein the remaining video frames are in the target video except the I frame Video frame.
可选地,在将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区后,还包括:Optionally, after storing the third encrypted data and the remaining video frames in the target video to the data area created by the formatting operation, the method further includes:
获得存储所述第三加密数据的数据块的第一编号,以及存储所述剩余视频帧的数据块的第二编号;Obtaining a first number of a data block storing the third encrypted data, and storing a second number of the data block of the remaining video frame;
基于所述第一随机数,对所述元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
确定所述第一解密数据中所述第一编号所对应的第一目标数据,以及所述第二编号所对应的第二目标数据;Determining, by the first decrypted data, first target data corresponding to the first number, and second target data corresponding to the second number;
利用所述I帧所对应的数据属性信息替换所述第一目标数据,并利用所述 剩余视频帧的数据属性信息,替换所述第二目标数据,得到新的第一解密数据;Replacing the first target data with data attribute information corresponding to the I frame, and using the Data attribute information of the remaining video frames, replacing the second target data, to obtain new first decrypted data;
生成所述新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
基于所述第三随机数,对所述新的第一解密数据进行加密,获得新的第一加密数据。And encrypting the new first decrypted data based on the third random number to obtain new first encrypted data.
可选地,所述格式化操作在目标磁盘上还创建有备用元数据引导区和备用元数据索引区;Optionally, the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
所述方法还可以包括:The method may further include:
在对所述目标磁盘进行格式化操作时,生成所述备用元数据引导区对应的第四随机数,以及所述备用元数据索引区对应的第五随机数;Generating a fourth random number corresponding to the spare metadata boot area and a fifth random number corresponding to the spare metadata index area, when performing a formatting operation on the target disk;
基于所述第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;将所述第四加密数据存储到所述备用元数据引导区;And encrypting, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; storing the fourth encrypted data in the spare metadata boot area;
基于所述第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;将所述第五加密数据存储到所述备用元数据索引区。And encrypting data stored in the spare metadata index area to obtain fifth encrypted data based on the fifth random number; storing the fifth encrypted data in the spare metadata index area.
第二方面,本申请实施例提供了一种文件系统加密装置,所述装置可以包括:In a second aspect, the embodiment of the present application provides a file system encryption device, where the device may include:
格式化模块,用于通过格式化操作创建元数据索引区;a formatting module for creating a metadata index area by a formatting operation;
随机数生成模块,用于在对目标磁盘进行格式化操作时,生成通过所述格式化模块格式化操作所创建的元数据索引区所对应的第一随机数;其中,所述格式化操作用于在所述目标磁盘上安装目标文件系统;a random number generating module, configured to: when performing a formatting operation on the target disk, generate a first random number corresponding to the metadata index area created by the formatting module formatting operation; wherein the formatting operation is performed Installing a target file system on the target disk;
加密模块,用于基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,得到第一加密数据;And an encryption module, configured to encrypt data stored in the metadata index area according to the first random number, to obtain first encrypted data;
存储模块,用于将所述第一加密数据存储在所述元数据索引区。And a storage module, configured to store the first encrypted data in the metadata index area.
可选地,所述随机数生成模块还用于:在对所述目标磁盘进行格式化操作时,生成通过所述格式化模块格式化操作所创建的元数据引导区所对应的第二随机数; Optionally, the random number generating module is further configured to: when performing a formatting operation on the target disk, generate a second random number corresponding to the metadata boot area created by the formatting module formatting operation ;
相应地,所述加密模块还用于:基于所述第二随机数,对所述元数据引导区所存储的数据进行加密,得到第二加密数据;所述存储模块还用于:将所述第二加密数据存储在所述元数据引导区。Correspondingly, the encryption module is further configured to: encrypt the data stored in the metadata boot area to obtain second encrypted data based on the second random number; and the storage module is further configured to: The second encrypted data is stored in the metadata boot area.
可选地,所述加密模块还用于:加密所述第一随机数,获得第一随机数加密数据;Optionally, the encryption module is further configured to: encrypt the first random number, and obtain first random number encrypted data;
相应地,所述存储模块用于:将所述第一加密数据和所述第一随机数加密数据,存储在所述元数据索引区。Correspondingly, the storage module is configured to: store the first encrypted data and the first random number encrypted data in the metadata index area.
可选地,所述加密模块还用于:加密所述第二随机数,获得第二随机数加密数据;Optionally, the encryption module is further configured to: encrypt the second random number, and obtain second random number encrypted data;
相应地,所述存储模块用于:将所述第二加密数据和所述第二随机数加密数据,存储在所述元数据引导区。Correspondingly, the storage module is configured to: store the second encrypted data and the second random number encrypted data in the metadata boot area.
可选地,所述随机数生成模块具体用于:在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的一个第一随机数;Optionally, the random number generating module is configured to: when performing a formatting operation on the target disk, generate a first random number corresponding to the metadata index area created by the formatting operation;
或者,or,
在对目标磁盘进行格式化操作时,确定通过所述格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,所述目标数量与所述条数的数量相同。When performing a formatting operation on the target disk, determining the number of index data existing in the metadata index area created by the formatting operation, generating a target number of first random numbers, the target quantity and the number of the pieces The number is the same.
可选地,所述加密模块还用于:Optionally, the encryption module is further configured to:
当需要在所安装的目标文件系统中存储目标视频时,对所述目标视频中的I帧进行加密,得到第三加密数据;When the target video needs to be stored in the installed target file system, the I frame in the target video is encrypted to obtain the third encrypted data;
相应地,所述存储模块还用于:将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区,所述剩余视频帧为所述目标视频中除所述I帧外的视频帧。Correspondingly, the storage module is further configured to: store the third encrypted data, and remaining video frames in the target video, into a data area created by the formatting operation, where the remaining video frames are a video frame other than the I frame in the target video.
可选地,在本申请的一个实施例中,所述装置还可以包括:获得模块;Optionally, in an embodiment of the present application, the apparatus may further include: obtaining a module;
所述获得模块用于: The obtaining module is used to:
在所述存储模块将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化模块格式化操作所创建的数据区后,获得存储所述第三加密数据的数据块的第一编号,以及所述剩余视频帧的数据块的第二编号;After the storage module stores the third encrypted data and the remaining video frames in the target video to the data area created by the formatting module formatting operation, obtaining the stored third encrypted data a first number of the data block and a second number of the data block of the remaining video frame;
基于所述第一随机数,对所述元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
确定所述第一解密数据中所述第一编号所对应的第一目标数据,以及所述第二编号所对应的第二目标数据;Determining, by the first decrypted data, first target data corresponding to the first number, and second target data corresponding to the second number;
利用所述I帧所对应的数据属性信息替换所述第一目标数据,并利用所述剩余视频帧的数据属性信息,替换所述第二目标数据,得到新的第一解密数据;Replacing the first target data by using data attribute information corresponding to the I frame, and replacing the second target data by using data attribute information of the remaining video frames to obtain new first decrypted data;
生成所述新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
基于所述第三随机数,对所述新的第一解密数据进行加密,获得新的第一加密数据。And encrypting the new first decrypted data based on the third random number to obtain new first encrypted data.
可选地,所述格式化模块还用于通过所述格式化操作在目标磁盘上创建备用元数据引导区和备用元数据索引区;Optionally, the formatting module is further configured to create an alternate metadata boot area and an alternate metadata index area on the target disk by using the formatting operation;
相应地,所述随机数生成模块还用于:在对所述目标磁盘进行格式化操作时,生成所述备用元数据引导区对应的第四随机数,以及所述备用元数据索引区对应的第五随机数;Correspondingly, the random number generating module is further configured to: when performing a formatting operation on the target disk, generate a fourth random number corresponding to the spare metadata boot area, and corresponding to the spare metadata index area Fifth random number;
所述加密模块还用于:基于所述第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;基于所述第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;The cryptographic module is further configured to: encrypt, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; and based on the fifth random number, the spare metadata index area The stored data is encrypted to obtain a fifth encrypted data;
所述存储模块还用于:将所述第四加密数据存储到所述备用元数据引导区;将所述第五加密数据存储到所述备用元数据索引区。The storage module is further configured to: store the fourth encrypted data into the spare metadata boot area; and store the fifth encrypted data into the spare metadata index area.
第三方面,本申请实施例还提供了一种存储介质,用于存储可执行程序代码,所述可执行程序代码被运行以执行:本申请实施例所述的文件系统加密方法。 In a third aspect, the embodiment of the present application further provides a storage medium for storing executable program code, where the executable program code is executed to execute the file system encryption method according to the embodiment of the present application.
第四方面,本申请实施例还提供了一种应用程序,所述应用程序用于在运行时执行:本申请实施例所述的文件系统加密方法。In a fourth aspect, the embodiment of the present application further provides an application program, where the application is used to execute the file system encryption method according to the embodiment of the present application.
第五方面,本申请实施例还提供了一种电子设备,包括:壳体、处理器、存储器、电路板和电源电路,其中,电路板安置在壳体围成的空间内部,处理器和存储器设置在电路板上;电源电路,用于为各个电路或器件供电;存储器用于存储可执行程序代码;处理器通过运行存储器中存储的可执行程序代码,以执行本申请实施例所述的文件系统加密方法。In a fifth aspect, an embodiment of the present application further provides an electronic device, including: a housing, a processor, a memory, a circuit board, and a power supply circuit, wherein the circuit board is disposed inside the space enclosed by the housing, the processor and the memory Provided on a circuit board; a power supply circuit for supplying power to each circuit or device; a memory for storing executable program code; and a processor for executing the file described in the embodiment of the present application by running executable program code stored in the memory System encryption method.
在本申请实施例中,在通过格式化操作创建目标文件系统的元数据索引区的过程中,生成所述元数据索引区所对应的第一随机数;并基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,获得第一加密数据;将所述第一加密数据存储在所述元数据索引区。这样,保证了所述元数据索引区存储的是密文数据,攻击者无法对所述密文数据所对应的索引数据进行解析,提高了目标文件系统数据区中所存储的数据的安全性。In the embodiment of the present application, in the process of creating a metadata index area of the target file system by a formatting operation, generating a first random number corresponding to the metadata index area; and based on the first random number, The data stored in the metadata index area is encrypted to obtain first encrypted data; and the first encrypted data is stored in the metadata index area. In this way, it is ensured that the metadata index area stores ciphertext data, and the attacker cannot parse the index data corresponding to the ciphertext data, thereby improving the security of the data stored in the data area of the target file system.
附图说明DRAWINGS
为了更清楚地说明本申请实施例和相关技术的技术方案,下面对实施例和相关技术中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions of the embodiments of the present application and the related art, the drawings used in the embodiments and the related art will be briefly described below. It is obvious that the drawings in the following description are only the present application. For some embodiments, other drawings may be obtained from those of ordinary skill in the art without departing from the drawings.
图1为本申请实施例提供的一种文件系统加密方法的流程图;1 is a flowchart of a file system encryption method according to an embodiment of the present application;
图2为本申请实施例提供的一种文件系统的示意图;2 is a schematic diagram of a file system according to an embodiment of the present application;
图3为本申请实施例中更新元数据索引区所存储的数据的方法流程图;3 is a flowchart of a method for updating data stored in a metadata index area in an embodiment of the present application;
图4为本申请实施例提供的一种文件系统加密装置的结构示意图;FIG. 4 is a schematic structural diagram of a file system encryption apparatus according to an embodiment of the present disclosure;
图5为本申请实施例所提供的一种电子设备的结构示意图。FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
具体实施方式detailed description
为使本申请的目的、技术方案、及优点更加清楚明白,以下参照附图并举实施例,对本申请进一步详细说明。显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通 技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the objects, technical solutions, and advantages of the present application more comprehensible, the present application will be further described in detail below with reference to the accompanying drawings. It is apparent that the described embodiments are only a part of the embodiments of the present application, and not all of them. Based on the embodiments in the present application, common in the art All other embodiments obtained by the skilled person without creative efforts are within the scope of the present application.
为了保证所存储的数据的安全,本申请实施例提供了一种文件系统加密方法及装置。In order to ensure the security of the stored data, the embodiment of the present application provides a file system encryption method and device.
下面首先对本申请实施例提供的一种文件系统加密方法进行说明。A file system encryption method provided by an embodiment of the present application is first described below.
需要说明的是,执行本申请实施例提供的文件系统加密方法的执行主体为终端。终端包括但并不局限于电脑和手机等设备。另外,实现本申请实施例提供的文件系统加密方法的功能软件可以为:设置于终端中专门的文件系统加密软件,也可以为:设置于终端中的文件系统加密软件中的功能插件,这都是合理的。It should be noted that the execution subject of the file system encryption method provided by the embodiment of the present application is a terminal. Terminals include, but are not limited to, computers and mobile phones. In addition, the function software for implementing the file system encryption method provided by the embodiment of the present application may be: a special file system encryption software set in the terminal, or a function plug-in installed in the file system encryption software in the terminal, which is It is reasonable.
参见图1,本申请实施例提供的文件系统加密方法可以包括如下步骤:Referring to FIG. 1, the file system encryption method provided by the embodiment of the present application may include the following steps:
S101:在对目标磁盘进行格式化操作时,生成通过格式化操作所创建的元数据索引区所对应的第一随机数;其中,格式化操作用于在目标磁盘上安装目标文件系统;S101: When performing a formatting operation on the target disk, generating a first random number corresponding to the metadata index area created by the formatting operation; wherein the formatting operation is used to install the target file system on the target disk;
本领域技术人员可以理解的是,当需要在目标磁盘上安装目标文件系统时,通过格式化操作可以在目标磁盘上创建元数据引导区、元数据索引区和数据区。It will be understood by those skilled in the art that when a target file system needs to be installed on a target disk, a metadata boot area, a metadata index area, and a data area can be created on the target disk by a formatting operation.
在通过格式化操作创建元数据索引区后,即可生成针对元数据索引区所对应的第一随机数。由于元数据索引区所存储的数据常常是由多条索引数据组成,因此在一种实现方式中,可以针对每条索引数据对应生成一个随机的第一随机数,该过程包括:在对目标磁盘进行格式化操作时,确定通过格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,目标数量与条数的数量相同,即所生成的第一随机数的数量与元数据索引区中存在的索引数据条数相同。在另一种实现方式中,可以针对所创建的元数据索引区生成一个第一随机数,即针对多条索引数据仅生成一个第一随机数,从而减少生成第一随机数的时间。After the metadata index area is created by the formatting operation, the first random number corresponding to the metadata index area can be generated. Since the data stored in the metadata index area is often composed of multiple pieces of index data, in one implementation, a random first random number may be generated for each index data, the process including: on the target disk When the formatting operation is performed, the number of index data existing in the metadata index area created by the formatting operation is determined, and the first random number of the target quantity is generated, and the target quantity is the same as the number of the number of the pieces, that is, the generated first number The number of random numbers is the same as the number of index data present in the metadata index area. In another implementation, a first random number may be generated for the created metadata index region, that is, only one first random number is generated for the plurality of index data, thereby reducing the time for generating the first random number.
其中,第一随机数可以由执行格式化操作的终端中的随机数发生器所生成,当然并不局限于此。另外,需要强调的是,当在不同的目标磁盘上安装 同一个目标文件系统时,所生成的针对元数据索引区的第一随机数不相同。Wherein, the first random number may be generated by a random number generator in the terminal performing the formatting operation, of course, without being limited thereto. In addition, it is important to emphasize that when installing on different target disks When the same target file system is used, the generated first random number for the metadata index area is different.
此外,需要说明的是,通过格式化操作所创建的元数据引导区用于存储所要安装的目标文件系统的基本信息,例如目标文件系统的版本信息、元数据索引区的位置信息、数据区中数据块的大小信息、数据块的位置信息等。所创建的元数据索引区用于存储数据区所存数据的数据属性信息,例如数据大小信息、数据所有者信息以及数据占用的数据块的编号信息等。所创建的数据区用于存储数据本身,数据本身可以是图片、视频和文本等,当然并不局限于此。In addition, it should be noted that the metadata boot area created by the formatting operation is used to store basic information of the target file system to be installed, such as version information of the target file system, location information of the metadata index area, and data area. Size information of the data block, location information of the data block, and the like. The created metadata index area is used to store data attribute information of data stored in the data area, such as data size information, data owner information, and number information of data blocks occupied by the data. The created data area is used to store the data itself, and the data itself can be pictures, videos, texts, etc., of course, not limited to this.
S102:基于第一随机数,对元数据索引区所存储的数据进行加密,得到第一加密数据;S102: Encrypt data stored in the metadata index area according to the first random number, to obtain first encrypted data.
S103:将第一加密数据存储在元数据索引区。S103: Store the first encrypted data in a metadata index area.
由于当需要对目标磁盘进行格式化操作时,目标磁盘上常常已安装有文件系统,为了提高格式化速度,格式化操作只是将原有文件系统的元数据引导区中的数据进行擦除重写,而在格式化操作之前所写入的数据,以及该数据所对应的索引数据并没有被清除。Since the file system is often installed on the target disk when the target disk needs to be formatted, in order to improve the formatting speed, the formatting operation simply erases and overwrites the data in the metadata boot area of the original file system. The data written before the formatting operation and the index data corresponding to the data are not cleared.
因此,攻击者可以根据未被清除的索引数据,解析得到在格式化操作之前所写入数据的数据属性信息(例如数据大小信息、数据所有者信息和数据占用的数据块的编号信息等),进而可以根据所获得的数据块的编号信息,准确地定位到数据的存储位置,从而获得该存储位置下的数据。Therefore, the attacker can parse the data attribute information (such as the data size information, the data owner information, and the number information of the data block occupied by the data) of the data written before the formatting operation according to the index data that is not cleared. Further, according to the obtained number information of the data block, the storage location of the data can be accurately located, thereby obtaining data under the storage location.
为了保证所存储的数据的安全,在本申请实施例中,可以基于第一随机数,将元数据索引区所存储的数据进行加密,获得第一加密数据。并将第一加密数据存储至元数据索引区,使得攻击者在找到元数据索引区后,只能获得元数据索引区中所存储的密文数据,也就是说,攻击者在不知道解密密钥的情况下,无法获得密文数据所对应的明文数据。也就无法获得在目标文件系统中所存数据的数据属性信息,保证了所存储的数据的安全。In order to ensure the security of the stored data, in the embodiment of the present application, the data stored in the metadata index area may be encrypted based on the first random number to obtain the first encrypted data. And storing the first encrypted data in the metadata index area, so that the attacker can only obtain the ciphertext data stored in the metadata index area after finding the metadata index area, that is, the attacker does not know the decryption key. In the case of a key, the plaintext data corresponding to the ciphertext data cannot be obtained. In this way, the data attribute information of the data stored in the target file system cannot be obtained, and the security of the stored data is guaranteed.
而且,结合第一随机数,对元数据索引区中所存储的数据进行加密的方式,可以有效地防止第一加密数据被破解。这是由于第一随机数是在格式化过程中生成的,也就是说,每个格式化过程都会产生随机的第一随机数。当 攻击者在其他磁盘上破解得到目标文件系统的第一加密数据所对应的明文数据后,无法利用唯密文攻击方式,获得目标磁盘上所安装的目标文件系统中的第一加密数据所对应的明文数据,保证了数据区中所存储的数据的安全。其中,唯密文攻击方式属于现有技术,在此不做详述。Moreover, in combination with the first random number, the manner in which the data stored in the metadata index area is encrypted can effectively prevent the first encrypted data from being cracked. This is because the first random number is generated during the formatting process, that is, each formatting process produces a random first random number. when After the attacker obtains the plaintext data corresponding to the first encrypted data of the target file system on the other disk, the attacker cannot obtain the first encrypted data in the target file system installed on the target disk by using the ciphertext attack mode. The plaintext data ensures the security of the data stored in the data area. The ciphertext attack mode belongs to the prior art and will not be described in detail herein.
在本申请实施例中,在通过格式化操作创建目标文件系统的元数据索引区的过程中,生成元数据索引区所对应的第一随机数;并基于第一随机数,对元数据索引区所存储的数据进行加密,获得第一加密数据;将第一加密数据存储在元数据索引区。这样,保证了元数据索引区存储的是密文数据,攻击者无法对密文数据所对应的索引数据进行解析,提高了目标文件系统数据区中所存储的数据的安全性。In the embodiment of the present application, in the process of creating a metadata index area of the target file system by a formatting operation, generating a first random number corresponding to the metadata index area; and based on the first random number, the metadata index area The stored data is encrypted to obtain first encrypted data; the first encrypted data is stored in a metadata index area. In this way, it is ensured that the metadata index area stores ciphertext data, and the attacker cannot parse the index data corresponding to the ciphertext data, thereby improving the security of the data stored in the data area of the target file system.
下面对基于第一随机数,将元数据索引区所存储的数据进行加密的实现方式进行详细说明。The implementation of encrypting the data stored in the metadata index area based on the first random number will be described in detail below.
当针对元数据索引区所存储的数据仅生成一个第一随机数时,在一种实现方式中,可以将第一随机数添加到元数据索引区所存储的数据的任意位置,然后利用加密算法,对添加第一随机数后的数据进行加密,获得第一加密数据。When only one first random number is generated for the data stored in the metadata index area, in one implementation, the first random number may be added to any position of the data stored in the metadata index area, and then the encryption algorithm is utilized. And encrypting the data after adding the first random number to obtain the first encrypted data.
在另一种实现方式中,可以利用第一随机数与元数据索引区中所存储的数据进行异或运算,然后利用加密算法,对异或运算后所得到的数据进行加密,获得第一加密数据。In another implementation manner, the first random number may be XORed with the data stored in the metadata index area, and then the data obtained by the XOR operation is encrypted by using an encryption algorithm to obtain the first encryption. data.
举例而言,假设元数据索引区中所存储的数据为INDEX,所获得的第一随机数为RAND_IM,则可以利用INDEX和RAND_IM进行异或运算:INDEX⊕RAND_IM,并对该异或运算结果进行加密,获得第一加密数据:Enc(INDEX⊕RAND_IM)。For example, if the data stored in the metadata index area is INDEX and the obtained first random number is RAND_IM, the XOR operation can be performed by using INDEX and RAND_IM: INDEX⊕RAND_IM, and the result of the exclusive OR operation is performed. Encrypted to obtain the first encrypted data: Enc(INDEX⊕RAND_IM).
需要说明的是,上述两种实现方式中所涉及的加密算法可以采用对称加密算法或非对称加密算法。其中,对称加密算法包括但并不局限于DES(Data Encryption Standard,数据加密标准)算法、3DES(Triple Data Encryption,三重数据加密)算法和AES(Advanced Encryption Standard,高级加密标准)算 法;非对称加密算法包括但并不局限于RSA算法和Elgamal算法。并且由于DES算法、3DES算法、AES算法、RSA算法和Elgamal算法均为现有算法,在此不对利用上述加密算法进行加密计算的过程进行详述。It should be noted that the encryption algorithm involved in the foregoing two implementation manners may adopt a symmetric encryption algorithm or an asymmetric encryption algorithm. The symmetric encryption algorithm includes but is not limited to the DES (Data Encryption Standard) algorithm, the 3DES (Triple Data Encryption) algorithm, and the AES (Advanced Encryption Standard) algorithm. Method; asymmetric encryption algorithms include but are not limited to the RSA algorithm and the Elgamal algorithm. Moreover, since the DES algorithm, the 3DES algorithm, the AES algorithm, the RSA algorithm, and the Elgamal algorithm are all existing algorithms, the process of performing encryption calculation using the above encryption algorithm is not described in detail herein.
当针对元数据索引区所存储的数据生成多个随机的第一随机数时,可以采用上述方法对每一条索引数据进行加密,从而获得第一加密数据,在此不做详述。When a plurality of random first random numbers are generated for the data stored in the metadata index area, each of the index data may be encrypted by using the foregoing method, thereby obtaining the first encrypted data, which is not described in detail herein.
由于在对目标磁盘进行格式化操作时,格式化操作会在目标磁盘上创建元数据引导区,如果将所获得的目标文件系统的基本信息直接写入元数据引导区,则当攻击者在获得基本信息时,就可以知道数据区所对应的位置信息,进而可以从数据区所存储的所有数据中查找到攻击者想要的数据。其中,上文已对基本信息进行描述,在此不做赘述。Since the formatting operation creates a metadata boot area on the target disk when the target disk is formatted, if the basic information of the obtained target file system is directly written to the metadata boot area, when the attacker obtains When the basic information is used, the location information corresponding to the data area can be known, and the data desired by the attacker can be found from all the data stored in the data area. The basic information has been described above, and will not be described here.
因此,为了进一步保证所存储的数据的安全性,在本申请一个实施例中,可以在对目标磁盘进行格式化操作时,生成通过格式化操作所创建的元数据引导区所对应的第二随机数;基于第二随机数,对元数据引导区所存储的数据进行加密,得到第二加密数据;将第二加密数据存储在元数据引导区。Therefore, in order to further ensure the security of the stored data, in an embodiment of the present application, the second random corresponding to the metadata boot area created by the formatting operation may be generated when the target disk is formatted. The data stored in the metadata boot area is encrypted based on the second random number to obtain the second encrypted data; and the second encrypted data is stored in the metadata boot area.
可以理解的是,在利用所生成的第一随机数,对所创建的元数据索引区所存储的数据进行加密后,还可以针对元数据引导区的第二随机数,对所创建元数据引导区所存储的数据进行加密,使得攻击者在找到元数据引导区后,无法根据元数据引导区所存储的密文数据,获得目标文件系统的基本信息,进而进一步保证了所存储的数据的安全。It can be understood that, after encrypting the data stored in the created metadata index area by using the generated first random number, the created metadata may also be guided for the second random number of the metadata boot area. The data stored in the area is encrypted, so that after the attacker finds the metadata boot area, the attacker cannot obtain the basic information of the target file system according to the ciphertext data stored in the metadata boot area, thereby further ensuring the security of the stored data. .
需要说明的是,由于结合第二随机数,对元数据引导区所存储的数据进行加密,得到第二加密数据,使得第二加密数据同样可以有效地抵挡唯密文攻击方式的攻击,提高了所存储的数据的安全性。It should be noted that, because the second random number is combined, the data stored in the metadata boot area is encrypted, and the second encrypted data is obtained, so that the second encrypted data can also effectively resist the attack of the ciphertext attack mode, thereby improving the attack. The security of the stored data.
另外,基于第二随机数,对元数据引导区所存储的数据进行加密,得到第二加密数据的实现方式,可以采用获得第一加密数据的实现方式。举例而言,假设元数据引导区中所存储的数据为SUPER,所获得的第一随机数为RAND_MAIN,则可以利用SUPER和RAND_MAIN进行异或运算:SUPER⊕RAND_MAIN,并对该异或运算结果进行加密,获得第二加密数据: Enc(SUPER⊕RAND_MAIN)。In addition, based on the second random number, the data stored in the metadata boot area is encrypted to obtain an implementation manner of the second encrypted data, and an implementation manner of obtaining the first encrypted data may be adopted. For example, if the data stored in the metadata boot area is SUPER and the obtained first random number is RAND_MAIN, the exclusive OR operation may be performed by using SUPER and RAND_MAIN: SUPER ⊕ RAND_MAIN, and the result of the exclusive OR operation is performed. Encrypt to obtain the second encrypted data: Enc(SUPER⊕RAND_MAIN).
在本申请又一实施例中,在对元数据索引区所存储的数据进行加密,获得第一加密数据后,为了解密方便,且为了避免第一随机数被攻击者获得,可以在将第一加密数据存储在元数据索引区的步骤之前,加密第一随机数,获得第一随机数加密数据;In another embodiment of the present application, after the data stored in the metadata index area is encrypted, after obtaining the first encrypted data, in order to facilitate the decryption, and in order to prevent the first random number from being obtained by the attacker, the first Before the step of storing the encrypted data in the metadata index area, encrypting the first random number to obtain the first random number encrypted data;
举例而言,假设第一加密数据为RAND_IM,对RAND_IM进行加密计算后,可获得第一加密数据:Enc(RAND_IM)。For example, assuming that the first encrypted data is RAND_IM, after the RAND_IM is encrypted, the first encrypted data is obtained: Enc(RAND_IM).
相应地,将第一加密数据存储在元数据索引区的步骤可以包括:将第一加密数据和第一随机数加密数据,存储在元数据索引区。Correspondingly, the step of storing the first encrypted data in the metadata index area may include storing the first encrypted data and the first random number encrypted data in a metadata index area.
同理,在本申请又一实施例中,在对元数据引导区所存储的数据进行加密,获得第二加密数据后,为了解密方便,且为了避免第二随机数被攻击者获得,可以在将第二加密数据存储在元数据引导区的步骤之前,加密第二随机数,获得第二随机数加密数据;Similarly, in another embodiment of the present application, after the data stored in the metadata boot area is encrypted, after obtaining the second encrypted data, in order to facilitate the decryption, and in order to prevent the second random number from being obtained by the attacker, Encrypting the second random number to obtain the second random number encrypted data before storing the second encrypted data in the metadata boot area;
相应地,将第二加密数据存储在元数据引导区的步骤可以包括:将第二加密数据和第二随机数加密数据,存储在元数据引导区。Accordingly, the step of storing the second encrypted data in the metadata boot area may include storing the second encrypted data and the second random number encrypted data in the metadata boot area.
另外,为了保证元数据(即元数据索引区和元数据引导区所存储的数据)丢失的情况下,目标文件系统仍能够正常工作,在本申请的又一实施例中,还通过格式化操作在目标磁盘上创建备用元数据引导区和备用元数据索引区;In addition, in order to ensure that the metadata (ie, the data stored in the metadata index area and the metadata boot area) is lost, the target file system can still work normally. In still another embodiment of the present application, the formatting operation is also performed. Create an alternate metadata boot area and an alternate metadata index area on the target disk;
并且,为了提高备用元数据引导区和备用元数据索引区中所存储的数据的安全性,方法还可以包括:Moreover, in order to improve the security of the data stored in the spare metadata boot area and the spare metadata index area, the method may further include:
在对所述目标磁盘进行格式化操作时,生成备用元数据引导区对应的第四随机数,以及备用元数据索引区对应的第五随机数;And performing a format operation on the target disk, generating a fourth random number corresponding to the spare metadata boot area, and a fifth random number corresponding to the spare metadata index area;
基于第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;将第四加密数据存储到备用元数据引导区; And encrypting data stored in the spare metadata boot area to obtain fourth encrypted data based on the fourth random number; storing the fourth encrypted data in the spare metadata boot area;
基于第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;将第五加密数据存储到备用元数据索引区。The data stored in the spare metadata index area is encrypted based on the fifth random number to obtain the fifth encrypted data; and the fifth encrypted data is stored in the spare metadata index area.
需要说明的是,上述获得第四加密数据和第五加密数据的加密方式,可以采用获得第一加密数据的加密方式,在此不做赘述。It should be noted that the encryption method for obtaining the fourth encrypted data and the fifth encrypted data may be an encryption method for obtaining the first encrypted data, and details are not described herein.
下面结合图2对本申请实施例所创建的文件系统进行说明。The file system created by the embodiment of the present application will be described below with reference to FIG. 2 .
如图2所示,通过格式化操作所安装的目标文件系统中可以包括:元数据索引区、元数据引导区、数据区、备用元数据索引区和备用元数据引导区。As shown in FIG. 2, the target file system installed by the formatting operation may include: a metadata index area, a metadata boot area, a data area, an alternate metadata index area, and an alternate metadata boot area.
其中,元数据索引区可以用于存储所要存储的数据所对应的第一加密数据,以及第一随机数加密数据。其中,当数据区被分为N个数据块时,由于每个数据块对应一条索引数据,所以如图2所示,元数据索引区所要存储的数据可以包括:索引数据1至索引数据N,第一随机数1至第一随机数N,从而可以基于第一随机对N条索引数据进行加密,从而获得第一加密数据,从而元数据索引区存储第一加密数据。The metadata index area may be used to store the first encrypted data corresponding to the data to be stored, and the first random number encrypted data. Wherein, when the data area is divided into N data blocks, since each data block corresponds to one index data, as shown in FIG. 2, the data to be stored in the metadata index area may include: index data 1 to index data N, The first random number 1 to the first random number N, so that the N pieces of index data can be encrypted based on the first random, thereby obtaining the first encrypted data, so that the metadata index area stores the first encrypted data.
元数据引导区可以用于存储所要存储的数据(即引导区数据)所对应的第二加密数据,以及第二随机数加密数据。其中,如图2所示,元数据引导区所要存储的数据可以包括:引导区数据和第二随机数。因此可以基于第二随机数对引导区数据进行加密,获得第二加密数据,从而元数据引导区存储第二加密数据。本领域技术人员可以理解的是,元数据引导区可以用于存储目标文件系统的基本信息外,还可以用于存储块位图信息,块位图信息是指各个数据块的使用情况(即数据块的空闲状态)信息。也就是说,可以基于第二随机数,对基本信息和块位图信息进行加密,从而获得第二加密数据,这是合理的。The metadata boot area may be used to store second encrypted data corresponding to data to be stored (ie, boot area data), and second random number encrypted data. Wherein, as shown in FIG. 2, the data to be stored in the metadata boot area may include: boot area data and a second random number. Therefore, the boot area data can be encrypted based on the second random number to obtain the second encrypted data, so that the metadata boot area stores the second encrypted data. It can be understood by those skilled in the art that the metadata boot area can be used to store basic information of the target file system, and can also be used to store block bitmap information, and the block bitmap information refers to the usage of each data block (ie, data). Block idle state) information. That is to say, it is reasonable to encrypt the basic information and the block bitmap information based on the second random number to obtain the second encrypted data.
需要说明的是,备用元数据索引区与元数据索引区所要存储的第一加密数据不相同,但是所存储的第一加密数据所对应的索引数据是相同的。这是由于第一随机数是随机产生的,即由于每次产生的第一随机数不相同,因此在索引数据相同的情况下,备份元数据索引区所存储的第一加密数据,与元数据索引区所存储的第一加密数据并不相同。同理,备用元数据引导区所存 储的第二加密数据,与元数据引导区所存储的第二加密数据并不相同,在此不做详述。It should be noted that the spare metadata index area is different from the first encrypted data to be stored in the metadata index area, but the index data corresponding to the stored first encrypted data is the same. This is because the first random number is randomly generated, that is, since the first random number generated each time is different, the first encrypted data and the metadata stored in the backup metadata index area are backed up in the case where the index data is the same. The first encrypted data stored in the index area is not the same. In the same way, the spare metadata is stored in the boot area. The stored second encrypted data is not the same as the second encrypted data stored in the metadata boot area, and will not be described in detail herein.
数据块用于存储所要存储的数据本身,数据块所存储的数据包括但并不局限于文本、图片和视频。当数据块所存储的数据是文本或者图片时,由于文本和图片的数据量较小,因此为了进一步保证所存储的文本和图片的安全,可以对文本或图片进行加密,再将加密后的数据存储到相应的数据块中。The data block is used to store the data itself to be stored, and the data stored in the data block includes but is not limited to text, pictures and video. When the data stored in the data block is text or picture, since the data amount of the text and the picture is small, in order to further ensure the security of the stored text and picture, the text or the picture may be encrypted, and then the encrypted data is encrypted. Stored in the corresponding data block.
当数据块所存储的数据是视频时,由于一般情况下,视频的数据量较大,对视频数据进行加密的话,会花费较多的时间。因此为了在保证目标文件系统的存储性能的前提下,进一步提高所要存储的视频的安全性,在本申请又一实施例中,还可以包括:When the data stored in the data block is a video, since the data amount of the video is generally large, it takes a lot of time to encrypt the video data. Therefore, in order to further improve the security of the video to be stored under the premise of ensuring the storage performance of the target file system, in another embodiment of the present application, the method may further include:
S1:当需要在所安装的目标文件系统中存储目标视频时,对目标视频中的I帧进行加密,得到第三加密数据;S1: when the target video needs to be stored in the installed target file system, encrypt the I frame in the target video to obtain the third encrypted data;
S2:将第三加密数据,以及目标视频中的剩余视频帧,存储至通过格式化操作所创建的数据区,剩余视频帧为目标视频中除I帧外的视频帧。S2: storing the third encrypted data, and the remaining video frames in the target video, into a data area created by a formatting operation, and the remaining video frames are video frames other than the I frame in the target video.
举例而言,假设目标视频中的I帧为DATA,利用加密算法对DATA进行加密,获得第三加密数据:Enc(DATA),并将Enc(DATA)存储至通过格式化操作所创建的数据区。For example, suppose the I frame in the target video is DATA, encrypt the DATA with an encryption algorithm, obtain the third encrypted data: Enc(DATA), and store Enc(DATA) to the data area created by the formatting operation. .
本领域技术人员可以理解的是,目标视频中的I帧是指目标视频的关键帧。以H264码流的视频为例,即当需要在目标文件系统中存储H264码流的视频时,会将该目标视频分为I帧、B帧和P帧进行存储。由于这些帧都会包括特定的帧头信息,因此攻击者在获得视频的存储位置后,通过解析这些帧的帧头信息,即可确定哪些帧是关键帧,进而根据关键帧破解该目标视频。其中,H264码流为一种现有的视频编码格式,在此不做详述。Those skilled in the art can understand that the I frame in the target video refers to the key frame of the target video. Taking the video of the H264 code stream as an example, when the video of the H264 code stream needs to be stored in the target file system, the target video is divided into I frames, B frames, and P frames for storage. Since these frames include specific frame header information, the attacker can determine which frames are key frames by parsing the frame header information of the frames after obtaining the storage location of the video, and then crack the target video according to the key frames. The H264 code stream is an existing video coding format, which is not described in detail herein.
而当无法获得关键帧时,就无法解析得到目标视频,因此可以仅对目标视频中的I帧进行加密,获得第三加密数据;并将第三加密数据,以及目标视频中除I帧外的剩余视频帧(例如B帧和P帧)存储到目标文件系统的数据区。 When the key frame cannot be obtained, the target video cannot be parsed, so only the I frame in the target video can be encrypted to obtain the third encrypted data; and the third encrypted data and the target video are excluded from the I frame. The remaining video frames (such as B frames and P frames) are stored in the data area of the target file system.
需要说明的是,视频的I帧、B帧和P帧均为现有概念,且可以通过现有技术进行识别,在此不做详述。It should be noted that the I frame, the B frame, and the P frame of the video are all existing concepts, and can be identified by the prior art, and will not be described in detail herein.
在本申请的又一实施例中,在步骤S2将第三加密数据,以及目标视频中的剩余视频帧,存储至通过格式化操作所创建的数据区后,为了更新存储上述数据的数据块所对应的索引数据,如图3所示,方法还可以包括:In still another embodiment of the present application, the third encrypted data, and the remaining video frames in the target video are stored in the data area created by the formatting operation in step S2, in order to update the data block storing the data. Corresponding index data, as shown in FIG. 3, the method may further include:
S3:获得存储第三加密数据的数据块的第一编号,以及存储剩余视频帧的数据块的第二编号;S3: obtaining a first number of the data block storing the third encrypted data, and storing a second number of the data block of the remaining video frame;
S4:基于第一随机数,对元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;S4: Decrypt the first encrypted data stored in the metadata index area according to the first random number, to obtain the first decrypted data;
S5:确定第一解密数据中第一编号所对应的第一目标数据,以及第二编号所对应的第二目标数据;S5: determining first target data corresponding to the first number in the first decrypted data, and determining second target data corresponding to the second number;
S6:利用I帧所对应的数据属性信息替换第一目标数据,并利用剩余视频帧的数据属性信息,替换第二目标数据,得到新的第一解密数据;S6: replacing the first target data by using the data attribute information corresponding to the I frame, and replacing the second target data by using the data attribute information of the remaining video frame to obtain new first decrypted data;
S7:生成新的第一解密数据所对应的第三随机数;S7: Generate a third random number corresponding to the new first decrypted data;
S8:基于第三随机数,对新的第一解密数据进行加密,获得新的第一加密数据。S8: Encrypt the new first decrypted data based on the third random number to obtain new first encrypted data.
可以理解的是,当在数据区中新写入数据,即写入目标视频时,元数据索引区中相应的索引数据也需要发生相应的变化。其中,改变相应索引数据的过程中,需要先对元数据索引区中的第一加密数据进行解密,获得第一解密数据;并将目标视频所对应的数据属性信息,替换第一解密数据中的相应信息;并对替换得到的数据(即新的第一解密数据)进行加密。其中,为了保证所获得的新的第一解密数据的安全,需要用到第三随机数,对新的第一解密数据进行加密,再对加密后的数据进行存储。It can be understood that when data is newly written in the data area, that is, when the target video is written, the corresponding index data in the metadata index area also needs to be changed accordingly. In the process of changing the corresponding index data, the first encrypted data in the metadata index area is decrypted first, and the first decrypted data is obtained; and the data attribute information corresponding to the target video is replaced by the first decrypted data. Corresponding information; and encrypting the replaced data (ie, the new first decrypted data). In order to ensure the security of the obtained new first decrypted data, the third random number is used to encrypt the new first decrypted data, and then the encrypted data is stored.
举例而言,对元数据索引区所存储的第一加密数据的解密操作可以包括:获得元数据索引区中所存储的第一加密数据:Enc(INDEX⊕RAND_IM),并根据该第一加密数据的加密算法对应的解密算法: Dec{Enc(INDEX⊕RAND_IM)},解密得到第一解密数据:INDEX⊕RAND_IM;获得第一随机数加密数据:Enc(RAND_IM),并根据第一随机数加密数据的加密算法对应的解密算法:Dec{Enc(RAND_IM),解密得到RAND_IM;从而可以对解密得到的INDEX⊕RAND_IM和RAND_IM进行异或逆运算,从而获得INDEX。For example, the decrypting operation of the first encrypted data stored in the metadata index area may include: obtaining the first encrypted data stored in the metadata index area: Enc (INDEX ⊕ RAND_IM), and according to the first encrypted data The encryption algorithm corresponding to the encryption algorithm: Dec{Enc(INDEX⊕RAND_IM)}, decrypts the first decrypted data: INDEX⊕RAND_IM; obtains the first random number encrypted data: Enc(RAND_IM), and the decryption algorithm corresponding to the encryption algorithm of the first random number encrypted data: Dec{Enc(RAND_IM), decrypting to get RAND_IM; thus, the decrypted INDEX⊕RAND_IM and RAND_IM can be XORed to obtain INDEX.
需要说明的是,当通过第一加密数据所对应的加密方式,对数据进行加密时,即通过对数据与随机数进行异或运算,并将异或运算所得到的结果进行加密的方式,均可以采用上述解密操作对加密得到的加密数据进行解密,在此不做详述。It should be noted that when the data is encrypted by the encryption method corresponding to the first encrypted data, that is, by performing an exclusive OR operation on the data and the random number, and encrypting the result obtained by the exclusive OR operation, The encrypted data obtained by the encryption may be decrypted by using the above decryption operation, and will not be described in detail herein.
下面对本申请实施例提供的文件系统加密方法具具体实例进行说明。The file system encryption method provided by the embodiment of the present application is described below with specific examples.
当终端接收到格式化目标磁盘的指令时,开始执行格式化操作:首先判断目标磁盘是否正常,若不正常,在终端提示格式化操作失败信息;若正常,执行下列操作:When the terminal receives the instruction to format the target disk, it begins to perform the formatting operation: first, it determines whether the target disk is normal. If it is not normal, the terminal prompts the formatting operation failure message; if it is normal, perform the following operations:
获得格式化操作所要创建的目标文件系统的基本信息(即格式化参数,例如版本信息、数据块大小、加密算法和元数据存储位置等信息)。基于该格式化参数,在目标磁盘上创建元数据索引区、备用元数据索引区、元数据引导区、备用元数据引导区和数据区。Get the basic information of the target file system to be created by the formatting operation (that is, formatting parameters such as version information, block size, encryption algorithm, and metadata storage location). Based on the formatting parameters, a metadata index area, an alternate metadata index area, a metadata boot area, an alternate metadata boot area, and a data area are created on the target disk.
利用终端的随机数发生器生成第一随机数、第二随机数、第四随机数和第五随机数。进而基于第一随机数对元数据索引区存储的数据进行加密、基于第二随机数对元数据引导区存储的数据进行加密、基于第四随机数对备用元数据索引区存储的数据进行加密,以及基于第五随机数对备用元数据引导区存储的数据进行加密,从而格式化操作完毕,得到目标文件系统。The first random number, the second random number, the fourth random number, and the fifth random number are generated by the random number generator of the terminal. Further, encrypting data stored in the metadata index area based on the first random number, encrypting data stored in the metadata boot area based on the second random number, and encrypting data stored in the spare metadata index area based on the fourth random number, And encrypting the data stored in the spare metadata boot area based on the fifth random number, so that the formatting operation is completed, and the target file system is obtained.
另外,当需要在目标文件系统中存储数据时,下面以所存储的数据为文本为例进行说明。In addition, when it is necessary to store data in the target file system, the following uses the stored data as a text as an example for description.
当需要在目标文件系统中存储目标文本时,可以利用预设的加密算法对目标文本进行加密计算;并将加密后的数据存储在数据区中第N数据块中;解密元数据索引区中的第一加密数据,得到第一解密数据;利用目标文本的数 据属性信息,替换第一解密数据中数据块N所对应的索引数据;替换完毕后,得到新的第一解密数据;并对新的第一解密数据进行加密,得到新的第一加密数据,完成索引数据的更新。When the target text needs to be stored in the target file system, the target text may be encrypted and calculated by using a preset encryption algorithm; and the encrypted data is stored in the Nth data block in the data area; and the decrypted metadata in the index area First encrypting data, obtaining first decrypted data; using number of target texts According to the attribute information, the index data corresponding to the data block N in the first decrypted data is replaced; after the replacement is completed, the new first decrypted data is obtained; and the new first decrypted data is encrypted to obtain a new first encrypted data. Complete the update of the index data.
需要说明的是,更新备用元数据索引区的索引数据的方式于上述方法类似,在此不做赘述。It should be noted that the manner of updating the index data of the spare metadata index area is similar to the above method, and details are not described herein.
相应于上述方法实施例,本申请实施例还提供了一种文件系统加密装置,装置可以包括:Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a file system encryption device, where the device may include:
格式化模块401,用于通过格式化操作创建元数据索引区;a formatting module 401, configured to create a metadata index area by using a formatting operation;
随机数生成模块402,用于在对目标磁盘进行格式化操作时,生成通过格式化模块401格式化操作所创建的元数据索引区所对应的第一随机数;其中,格式化操作用于在目标磁盘上安装目标文件系统;The random number generating module 402 is configured to generate, when performing a formatting operation on the target disk, a first random number corresponding to the metadata index area created by the formatting operation of the formatting module 401; wherein the formatting operation is used in The target file system is mounted on the target disk;
加密模块403,用于基于第一随机数,对元数据索引区所存储的数据进行加密,得到第一加密数据;The encryption module 403 is configured to encrypt data stored in the metadata index area based on the first random number to obtain first encrypted data.
存储模块404,用于将第一加密数据存储在元数据索引区。The storage module 404 is configured to store the first encrypted data in the metadata index area.
在本申请实施例中,在通过格式化操作创建目标文件系统的元数据索引区的过程中,生成元数据索引区所对应的第一随机数;并基于第一随机数,对元数据索引区所存储的数据进行加密,获得第一加密数据;将第一加密数据存储在元数据索引区。这样,保证了元数据索引区存储的是密文数据,攻击者无法对密文数据所对应的索引数据进行解析,提高了目标文件系统数据区中所存储的数据的安全性。In the embodiment of the present application, in the process of creating a metadata index area of the target file system by a formatting operation, generating a first random number corresponding to the metadata index area; and based on the first random number, the metadata index area The stored data is encrypted to obtain first encrypted data; the first encrypted data is stored in a metadata index area. In this way, it is ensured that the metadata index area stores ciphertext data, and the attacker cannot parse the index data corresponding to the ciphertext data, thereby improving the security of the data stored in the data area of the target file system.
可选地,随机数生成模块402还用于:在对目标磁盘进行格式化操作时,生成通过格式化模块401格式化操作所创建的元数据引导区所对应的第二随机数;Optionally, the random number generating module 402 is further configured to: when performing a formatting operation on the target disk, generate a second random number corresponding to the metadata boot area created by the formatting operation of the formatting module 401;
相应地,加密模块403还用于:基于第二随机数,对元数据引导区所存储的数据进行加密,得到第二加密数据;存储模块304还用于:将第二加密数据存储在元数据引导区。 Correspondingly, the encryption module 403 is further configured to: encrypt the data stored in the metadata boot area to obtain the second encrypted data based on the second random number; and the storage module 304 is further configured to: store the second encrypted data in the metadata. Boot area.
可选地,加密模块403还用于:加密第一随机数,获得第一随机数加密数据;Optionally, the encryption module 403 is further configured to: encrypt the first random number, and obtain the first random number encrypted data;
相应地,存储模块404具体用于:将第一加密数据和第一随机数加密数据,存储在元数据索引区。Correspondingly, the storage module 404 is specifically configured to: store the first encrypted data and the first random number encrypted data in a metadata index area.
可选地,加密模块403还用于:加密第二随机数,获得第二随机数加密数据;Optionally, the encryption module 403 is further configured to: encrypt the second random number, and obtain the second random number encrypted data;
相应地,存储模块404具体用于:将第二加密数据和第二随机数加密数据,存储在元数据引导区。Correspondingly, the storage module 404 is specifically configured to: store the second encrypted data and the second random number encrypted data in the metadata boot area.
可选地,随机数生成模块402具体用于:在对目标磁盘进行格式化操作时,生成通过格式化操作所创建的元数据索引区所对应的一个第一随机数;Optionally, the random number generating module 402 is specifically configured to: when performing a formatting operation on the target disk, generate a first random number corresponding to the metadata index area created by the formatting operation;
或者,在对目标磁盘进行格式化操作时,确定通过格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,目标数量与条数的数量相同。Alternatively, when the target disk is formatted, the number of index data existing in the metadata index area created by the formatting operation is determined, and the first random number of the target quantity is generated, and the target quantity is the same as the number of the number of the pieces.
可选地,加密模块403还用于:Optionally, the encryption module 403 is further configured to:
当需要在所安装的目标文件系统中存储目标视频文件时,对目标视频文件中的I帧进行加密,得到第三加密数据;When the target video file needs to be stored in the installed target file system, the I frame in the target video file is encrypted to obtain the third encrypted data;
相应地,存储模块404还用于:将第三加密数据,以及目标视频中的剩余视频帧,存储至通过格式化操作所创建的数据区,剩余视频帧为目标视频中除I帧外的视频帧。Correspondingly, the storage module 404 is further configured to: store the third encrypted data, and the remaining video frames in the target video, into a data area created by a formatting operation, where the remaining video frames are videos other than the I frame in the target video. frame.
可选地,还包括:获得模块;Optionally, the method further includes: obtaining a module;
获得模块用于:在存储模块404将第三加密数据,以及目标视频中的剩余视频帧,存储至通过格式化模块401格式化操作所创建的数据区后,获得存储第三加密数据的数据块的第一编号,以及剩余视频帧的数据块的第二编号;The obtaining module is configured to: after the storage module 404 stores the third encrypted data and the remaining video frames in the target video to the data area created by the formatting operation of the formatting module 401, obtain the data block storing the third encrypted data. The first number, and the second number of the data block of the remaining video frame;
基于第一随机数,对元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
确定第一解密数据中第一编号所对应的第一目标数据,以及第二编号所 对应的第二目标数据;Determining first target data corresponding to the first number in the first decrypted data, and determining the second number Corresponding second target data;
利用I帧所对应的数据属性信息替换第一目标数据,并利用剩余视频帧的数据属性信息,替换第二目标数据,得到新的第一解密数据;Replacing the first target data by using the data attribute information corresponding to the I frame, and replacing the second target data by using the data attribute information of the remaining video frames to obtain new first decrypted data;
生成新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
基于第三随机数,对新的第一解密数据进行加密,获得新的第一加密数据。The new first decrypted data is encrypted based on the third random number to obtain new first encrypted data.
可选地,格式化模块401还用于通过格式化操作在目标磁盘上创建备用元数据引导区和备用元数据索引区;Optionally, the formatting module 401 is further configured to create an alternate metadata boot area and an alternate metadata index area on the target disk by using a formatting operation;
相应地,随机数生成模块402还用于:在对所述目标磁盘进行格式化操作时,生成备用元数据引导区对应的第四随机数,以及备用元数据索引区对应的第五随机数;Correspondingly, the random number generating module 402 is further configured to: when performing a formatting operation on the target disk, generate a fourth random number corresponding to the spare metadata boot area, and a fifth random number corresponding to the spare metadata index area;
加密模块403还用于:基于第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;基于第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;The encryption module 403 is further configured to: encrypt the data stored in the spare metadata boot area to obtain the fourth encrypted data based on the fourth random number; and encrypt the data stored in the spare metadata index area based on the fifth random number , obtaining the fifth encrypted data;
存储模块404还用于:将第四加密数据存储到备用元数据引导区;将第五加密数据存储到备用元数据索引区。The storage module 404 is further configured to: store the fourth encrypted data into the spare metadata boot area; and store the fifth encrypted data into the spare metadata index area.
相应于上述方法实施例,本申请实施例还提供了一种存储介质,用于存储可执行程序代码,所述可执行程序代码用于在运行时执行:本申请实施例所提供的文件系统加密方法。具体的,所述文件系统加密方法,可以包括如下步骤:Corresponding to the foregoing method embodiments, the embodiment of the present application further provides a storage medium for storing executable program code, where the executable program code is used to execute at runtime: file system encryption provided by the embodiment of the present application. method. Specifically, the file system encryption method may include the following steps:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数;其中,所述格式化操作用于在所述目标磁盘上安装目标文件系统;Generating, by the formatting operation of the target disk, a first random number corresponding to the metadata index area created by the formatting operation; wherein the formatting operation is for installing the target file on the target disk system;
基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,得到第一加密数据; And encrypting, according to the first random number, data stored in the metadata index area to obtain first encrypted data;
将所述第一加密数据存储在所述元数据索引区。The first encrypted data is stored in the metadata index area.
可选地,在本申请的一个实施例中,所述方法还可以包括:Optionally, in an embodiment of the present application, the method may further include:
在对所述目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据引导区所对应的第二随机数;Generating a second random number corresponding to the metadata boot area created by the formatting operation when performing a formatting operation on the target disk;
基于所述第二随机数,对所述元数据引导区所存储的数据进行加密,得到第二加密数据;And encrypting data stored in the metadata guiding area to obtain second encrypted data based on the second random number;
将所述第二加密数据存储在所述元数据引导区。The second encrypted data is stored in the metadata boot area.
可选地,在将所述第一加密数据存储在所述元数据索引区的步骤之前,还可以包括:Optionally, before the step of storing the first encrypted data in the metadata index area, the method may further include:
加密所述第一随机数,获得第一随机数加密数据;Encrypting the first random number to obtain first random number encrypted data;
相应地,将所述第一加密数据存储在所述元数据索引区的步骤可以包括:Correspondingly, the step of storing the first encrypted data in the metadata index area may include:
将所述第一加密数据和所述第一随机数加密数据,存储在所述元数据索引区。And storing the first encrypted data and the first random number encrypted data in the metadata index area.
可选地,在将所述第二加密数据存储在所述元数据引导区的步骤之前,还可以包括:Optionally, before the step of storing the second encrypted data in the metadata boot area, the method may further include:
加密所述第二随机数,获得第二随机数加密数据;Encrypting the second random number to obtain second random number encrypted data;
相应地,所述将所述第二加密数据存储在所述元数据引导区的步骤可以包括:Correspondingly, the step of storing the second encrypted data in the metadata boot area may include:
将所述第二加密数据和所述第二随机数加密数据,存储在所述元数据引导区。And storing the second encrypted data and the second random number encrypted data in the metadata boot area.
可选地,所述在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数的步骤,可以包括:Optionally, the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的一个第一随机数;Generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk;
或者, Or,
在对目标磁盘进行格式化操作时,确定通过所述格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,所述目标数量与所述条数的数量相同。When performing a formatting operation on the target disk, determining the number of index data existing in the metadata index area created by the formatting operation, generating a target number of first random numbers, the target quantity and the number of the pieces The number is the same.
可选地,在本申请的又一个实施例中,所述方法还可以包括:Optionally, in still another embodiment of the present application, the method may further include:
当需要在所安装的目标文件系统中存储目标视频时,对所述目标视频中的I帧进行加密,得到第三加密数据;When the target video needs to be stored in the installed target file system, the I frame in the target video is encrypted to obtain the third encrypted data;
将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区,所述剩余视频帧为所述目标视频中除所述I帧外的视频帧。And storing the third encrypted data and the remaining video frames in the target video to a data area created by the formatting operation, wherein the remaining video frames are in the target video except the I frame Video frame.
可选地,在将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区后,还包括:Optionally, after storing the third encrypted data and the remaining video frames in the target video to the data area created by the formatting operation, the method further includes:
获得存储所述第三加密数据的数据块的第一编号,以及存储所述剩余视频帧的数据块的第二编号;Obtaining a first number of a data block storing the third encrypted data, and storing a second number of the data block of the remaining video frame;
基于所述第一随机数,对所述元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
确定所述第一解密数据中所述第一编号所对应的第一目标数据,以及所述第二编号所对应的第二目标数据;Determining, by the first decrypted data, first target data corresponding to the first number, and second target data corresponding to the second number;
利用所述I帧所对应的数据属性信息替换所述第一目标数据,并利用所述剩余视频帧的数据属性信息,替换所述第二目标数据,得到新的第一解密数据;Replacing the first target data by using data attribute information corresponding to the I frame, and replacing the second target data by using data attribute information of the remaining video frames to obtain new first decrypted data;
生成所述新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
基于所述第三随机数,对所述新的第一解密数据进行加密,获得新的第一加密数据。And encrypting the new first decrypted data based on the third random number to obtain new first encrypted data.
可选地,所述格式化操作在目标磁盘上还创建有备用元数据引导区和备用元数据索引区;Optionally, the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
所述方法还可以包括: The method may further include:
在对所述目标磁盘进行格式化操作时,生成所述备用元数据引导区对应的第四随机数,以及所述备用元数据索引区对应的第五随机数;Generating a fourth random number corresponding to the spare metadata boot area and a fifth random number corresponding to the spare metadata index area, when performing a formatting operation on the target disk;
基于所述第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;将所述第四加密数据存储到所述备用元数据引导区;And encrypting, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; storing the fourth encrypted data in the spare metadata boot area;
基于所述第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;将所述第五加密数据存储到所述备用元数据索引区。And encrypting data stored in the spare metadata index area to obtain fifth encrypted data based on the fifth random number; storing the fifth encrypted data in the spare metadata index area.
相应于上述方法实施例,本申请实施例还提供了一种应用程序,用于在运行时执行:本申请实施例所提供的文件系统加密方法。具体的,所述文件系统加密方法,可以包括如下步骤:Corresponding to the above method embodiment, the embodiment of the present application further provides an application program for performing the file system encryption method provided by the embodiment of the present application. Specifically, the file system encryption method may include the following steps:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数;其中,所述格式化操作用于在所述目标磁盘上安装目标文件系统;Generating, by the formatting operation of the target disk, a first random number corresponding to the metadata index area created by the formatting operation; wherein the formatting operation is for installing the target file on the target disk system;
基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,得到第一加密数据;And encrypting, according to the first random number, data stored in the metadata index area to obtain first encrypted data;
将所述第一加密数据存储在所述元数据索引区。The first encrypted data is stored in the metadata index area.
可选地,在本申请的一个实施例中,所述方法还可以包括:Optionally, in an embodiment of the present application, the method may further include:
在对所述目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据引导区所对应的第二随机数;Generating a second random number corresponding to the metadata boot area created by the formatting operation when performing a formatting operation on the target disk;
基于所述第二随机数,对所述元数据引导区所存储的数据进行加密,得到第二加密数据;And encrypting data stored in the metadata guiding area to obtain second encrypted data based on the second random number;
将所述第二加密数据存储在所述元数据引导区。The second encrypted data is stored in the metadata boot area.
可选地,在将所述第一加密数据存储在所述元数据索引区的步骤之前,还可以包括:Optionally, before the step of storing the first encrypted data in the metadata index area, the method may further include:
加密所述第一随机数,获得第一随机数加密数据;Encrypting the first random number to obtain first random number encrypted data;
相应地,将所述第一加密数据存储在所述元数据索引区的步骤可以包括: Correspondingly, the step of storing the first encrypted data in the metadata index area may include:
将所述第一加密数据和所述第一随机数加密数据,存储在所述元数据索引区。And storing the first encrypted data and the first random number encrypted data in the metadata index area.
可选地,在将所述第二加密数据存储在所述元数据引导区的步骤之前,还可以包括:Optionally, before the step of storing the second encrypted data in the metadata boot area, the method may further include:
加密所述第二随机数,获得第二随机数加密数据;Encrypting the second random number to obtain second random number encrypted data;
相应地,所述将所述第二加密数据存储在所述元数据引导区的步骤可以包括:Correspondingly, the step of storing the second encrypted data in the metadata boot area may include:
将所述第二加密数据和所述第二随机数加密数据,存储在所述元数据引导区。And storing the second encrypted data and the second random number encrypted data in the metadata boot area.
可选地,所述在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数的步骤,可以包括:Optionally, the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的一个第一随机数;Generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk;
或者,or,
在对目标磁盘进行格式化操作时,确定通过所述格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,所述目标数量与所述条数的数量相同。When performing a formatting operation on the target disk, determining the number of index data existing in the metadata index area created by the formatting operation, generating a target number of first random numbers, the target quantity and the number of the pieces The number is the same.
可选地,在本申请的又一个实施例中,所述方法还可以包括:Optionally, in still another embodiment of the present application, the method may further include:
当需要在所安装的目标文件系统中存储目标视频时,对所述目标视频中的I帧进行加密,得到第三加密数据;When the target video needs to be stored in the installed target file system, the I frame in the target video is encrypted to obtain the third encrypted data;
将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区,所述剩余视频帧为所述目标视频中除所述I帧外的视频帧。And storing the third encrypted data and the remaining video frames in the target video to a data area created by the formatting operation, wherein the remaining video frames are in the target video except the I frame Video frame.
可选地,在将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区后,还包括:Optionally, after storing the third encrypted data and the remaining video frames in the target video to the data area created by the formatting operation, the method further includes:
获得存储所述第三加密数据的数据块的第一编号,以及存储所述剩余视 频帧的数据块的第二编号;Obtaining a first number of the data block storing the third encrypted data, and storing the remaining view The second number of the data block of the frequency frame;
基于所述第一随机数,对所述元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
确定所述第一解密数据中所述第一编号所对应的第一目标数据,以及所述第二编号所对应的第二目标数据;Determining, by the first decrypted data, first target data corresponding to the first number, and second target data corresponding to the second number;
利用所述I帧所对应的数据属性信息替换所述第一目标数据,并利用所述剩余视频帧的数据属性信息,替换所述第二目标数据,得到新的第一解密数据;Replacing the first target data by using data attribute information corresponding to the I frame, and replacing the second target data by using data attribute information of the remaining video frames to obtain new first decrypted data;
生成所述新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
基于所述第三随机数,对所述新的第一解密数据进行加密,获得新的第一加密数据。And encrypting the new first decrypted data based on the third random number to obtain new first encrypted data.
可选地,所述格式化操作在目标磁盘上还创建有备用元数据引导区和备用元数据索引区;Optionally, the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
所述方法还可以包括:The method may further include:
在对所述目标磁盘进行格式化操作时,生成所述备用元数据引导区对应的第四随机数,以及所述备用元数据索引区对应的第五随机数;Generating a fourth random number corresponding to the spare metadata boot area and a fifth random number corresponding to the spare metadata index area, when performing a formatting operation on the target disk;
基于所述第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;将所述第四加密数据存储到所述备用元数据引导区;And encrypting, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; storing the fourth encrypted data in the spare metadata boot area;
基于所述第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;将所述第五加密数据存储到所述备用元数据索引区。And encrypting data stored in the spare metadata index area to obtain fifth encrypted data based on the fifth random number; storing the fifth encrypted data in the spare metadata index area.
相应于上述方法实施例,本申请实施例还提供了一种电子设备,包括:壳体510、处理器520、存储器530、电路板540和电源电路550,其中,电路板540安置在壳体510围成的空间内部,处理器520和存储器530设置在电路板540上;电源电路540,用于为各个电路或器件供电;存储器530用于存储可执行程序代码;处理器520通过运行存储器中存储的可执行程序代码,以执行本申 请实施例所提供的文件系统加密方法。其中,所述文件系统加密方法,可以包括如下步骤:Corresponding to the above method embodiment, the embodiment of the present application further provides an electronic device, including: a housing 510, a processor 520, a memory 530, a circuit board 540, and a power circuit 550, wherein the circuit board 540 is disposed in the housing 510. Inside the enclosed space, the processor 520 and the memory 530 are disposed on the circuit board 540; the power supply circuit 540 is used to supply power to the respective circuits or devices; the memory 530 is used to store executable program code; and the processor 520 is stored in the running memory. Executable code to execute this application Please provide the file system encryption method provided in the embodiment. The file system encryption method may include the following steps:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数;其中,所述格式化操作用于在所述目标磁盘上安装目标文件系统;Generating, by the formatting operation of the target disk, a first random number corresponding to the metadata index area created by the formatting operation; wherein the formatting operation is for installing the target file on the target disk system;
基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,得到第一加密数据;And encrypting, according to the first random number, data stored in the metadata index area to obtain first encrypted data;
将所述第一加密数据存储在所述元数据索引区。The first encrypted data is stored in the metadata index area.
可选地,在本申请的一个实施例中,所述方法还可以包括:Optionally, in an embodiment of the present application, the method may further include:
在对所述目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据引导区所对应的第二随机数;Generating a second random number corresponding to the metadata boot area created by the formatting operation when performing a formatting operation on the target disk;
基于所述第二随机数,对所述元数据引导区所存储的数据进行加密,得到第二加密数据;And encrypting data stored in the metadata guiding area to obtain second encrypted data based on the second random number;
将所述第二加密数据存储在所述元数据引导区。The second encrypted data is stored in the metadata boot area.
可选地,在将所述第一加密数据存储在所述元数据索引区的步骤之前,还可以包括:Optionally, before the step of storing the first encrypted data in the metadata index area, the method may further include:
加密所述第一随机数,获得第一随机数加密数据;Encrypting the first random number to obtain first random number encrypted data;
相应地,将所述第一加密数据存储在所述元数据索引区的步骤可以包括:Correspondingly, the step of storing the first encrypted data in the metadata index area may include:
将所述第一加密数据和所述第一随机数加密数据,存储在所述元数据索引区。And storing the first encrypted data and the first random number encrypted data in the metadata index area.
可选地,在将所述第二加密数据存储在所述元数据引导区的步骤之前,还可以包括:Optionally, before the step of storing the second encrypted data in the metadata boot area, the method may further include:
加密所述第二随机数,获得第二随机数加密数据;Encrypting the second random number to obtain second random number encrypted data;
相应地,所述将所述第二加密数据存储在所述元数据引导区的步骤可以包括: Correspondingly, the step of storing the second encrypted data in the metadata boot area may include:
将所述第二加密数据和所述第二随机数加密数据,存储在所述元数据引导区。And storing the second encrypted data and the second random number encrypted data in the metadata boot area.
可选地,所述在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数的步骤,可以包括:Optionally, the step of generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk may include:
在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的一个第一随机数;Generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk;
或者,or,
在对目标磁盘进行格式化操作时,确定通过所述格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,所述目标数量与所述条数的数量相同。When performing a formatting operation on the target disk, determining the number of index data existing in the metadata index area created by the formatting operation, generating a target number of first random numbers, the target quantity and the number of the pieces The number is the same.
可选地,在本申请的又一个实施例中,所述方法还可以包括:Optionally, in still another embodiment of the present application, the method may further include:
当需要在所安装的目标文件系统中存储目标视频时,对所述目标视频中的I帧进行加密,得到第三加密数据;When the target video needs to be stored in the installed target file system, the I frame in the target video is encrypted to obtain the third encrypted data;
将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区,所述剩余视频帧为所述目标视频中除所述I帧外的视频帧。And storing the third encrypted data and the remaining video frames in the target video to a data area created by the formatting operation, wherein the remaining video frames are in the target video except the I frame Video frame.
可选地,在将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区后,还包括:Optionally, after storing the third encrypted data and the remaining video frames in the target video to the data area created by the formatting operation, the method further includes:
获得存储所述第三加密数据的数据块的第一编号,以及存储所述剩余视频帧的数据块的第二编号;Obtaining a first number of a data block storing the third encrypted data, and storing a second number of the data block of the remaining video frame;
基于所述第一随机数,对所述元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
确定所述第一解密数据中所述第一编号所对应的第一目标数据,以及所述第二编号所对应的第二目标数据;Determining, by the first decrypted data, first target data corresponding to the first number, and second target data corresponding to the second number;
利用所述I帧所对应的数据属性信息替换所述第一目标数据,并利用所述剩余视频帧的数据属性信息,替换所述第二目标数据,得到新的第一解密数 据;Replacing the first target data by using data attribute information corresponding to the I frame, and replacing the second target data by using data attribute information of the remaining video frame to obtain a new first decrypted number according to;
生成所述新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
基于所述第三随机数,对所述新的第一解密数据进行加密,获得新的第一加密数据。And encrypting the new first decrypted data based on the third random number to obtain new first encrypted data.
可选地,所述格式化操作在目标磁盘上还创建有备用元数据引导区和备用元数据索引区;Optionally, the formatting operation further creates an alternate metadata boot area and an alternate metadata index area on the target disk;
所述方法还可以包括:The method may further include:
在对所述目标磁盘进行格式化操作时,生成所述备用元数据引导区对应的第四随机数,以及所述备用元数据索引区对应的第五随机数;Generating a fourth random number corresponding to the spare metadata boot area and a fifth random number corresponding to the spare metadata index area, when performing a formatting operation on the target disk;
基于所述第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;将所述第四加密数据存储到所述备用元数据引导区;And encrypting, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; storing the fourth encrypted data in the spare metadata boot area;
基于所述第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;将所述第五加密数据存储到所述备用元数据索引区。And encrypting data stored in the spare metadata index area to obtain fifth encrypted data based on the fifth random number; storing the fifth encrypted data in the spare metadata index area.
需要强调的是,对于电子设备、应用程序以及存储介质实施例而言,由于其所涉及的方法内容基本相似于前述的方法实施例,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。It should be emphasized that, for the electronic device, the application, and the storage medium embodiment, since the method content involved is basically similar to the foregoing method embodiment, the description is relatively simple, and the relevant parts are referred to the part of the method embodiment. Description can be.
需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括要素的过程、方法、物品或者设备中还存在另外的相同要素。It should be noted that, in this context, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply such entities or operations. There is any such actual relationship or order between them. Furthermore, the term "comprises" or "comprises" or "comprises" or any other variations thereof is intended to encompass a non-exclusive inclusion, such that a process, method, article, or device that comprises a plurality of elements includes not only those elements but also Other elements, or elements that are inherent to such a process, method, item, or device. An element defined by the phrase "comprising a ..." without further limitation does not exclude the presence of additional identical elements in the process, method, article, or device that comprises the element.
本说明书中的各个实施例均采用相关的方式描述,各个实施例之间相同相似的部分互相参见即可,每个实施例重点说明的都是与其他实施例的不同 之处。尤其,对于系统实施例而言,由于其基本相似于方法实施例,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。The various embodiments in the specification are described in a related manner, and the same similar parts between the various embodiments may be referred to each other, and each embodiment focuses on the differences from other embodiments. Where. In particular, for the system embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
以上仅为本申请的较佳实施例而已,并非用于限定本申请的保护范围。凡在本申请的精神和原则之内所作的任何修改、等同替换、改进等,均包含在本申请的保护范围内。 The above is only the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present application are included in the scope of the present application.

Claims (19)

  1. 一种文件系统加密方法,其特征在于,包括:A file system encryption method, comprising:
    在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数;其中,所述格式化操作用于在所述目标磁盘上安装目标文件系统;Generating, by the formatting operation of the target disk, a first random number corresponding to the metadata index area created by the formatting operation; wherein the formatting operation is for installing the target file on the target disk system;
    基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,得到第一加密数据;And encrypting, according to the first random number, data stored in the metadata index area to obtain first encrypted data;
    将所述第一加密数据存储在所述元数据索引区。The first encrypted data is stored in the metadata index area.
  2. 根据权利要求1所述的方法,其特征在于,还包括:The method of claim 1 further comprising:
    在对所述目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据引导区所对应的第二随机数;Generating a second random number corresponding to the metadata boot area created by the formatting operation when performing a formatting operation on the target disk;
    基于所述第二随机数,对所述元数据引导区所存储的数据进行加密,得到第二加密数据;And encrypting data stored in the metadata guiding area to obtain second encrypted data based on the second random number;
    将所述第二加密数据存储在所述元数据引导区。The second encrypted data is stored in the metadata boot area.
  3. 根据权利要求1所述的方法,其特征在于,在将所述第一加密数据存储在所述元数据索引区的步骤之前,还包括:The method according to claim 1, wherein before the step of storing the first encrypted data in the metadata index area, the method further comprises:
    加密所述第一随机数,获得第一随机数加密数据;Encrypting the first random number to obtain first random number encrypted data;
    相应地,将所述第一加密数据存储在所述元数据索引区的步骤包括:Correspondingly, the step of storing the first encrypted data in the metadata index area comprises:
    将所述第一加密数据和所述第一随机数加密数据,存储在所述元数据索引区。And storing the first encrypted data and the first random number encrypted data in the metadata index area.
  4. 根据权利要求2或3所述的方法,其特征在于,在将所述第二加密数据存储在所述元数据引导区的步骤之前,还包括:The method according to claim 2 or 3, wherein before the step of storing the second encrypted data in the metadata boot area, the method further comprises:
    加密所述第二随机数,获得第二随机数加密数据;Encrypting the second random number to obtain second random number encrypted data;
    相应地,所述将所述第二加密数据存储在所述元数据引导区的步骤包括:Correspondingly, the step of storing the second encrypted data in the metadata boot area comprises:
    将所述第二加密数据和所述第二随机数加密数据,存储在所述元数据引导区。And storing the second encrypted data and the second random number encrypted data in the metadata boot area.
  5. 根据权利要求1所述的方法,其特征在于,所述在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的第一随机数的步骤,包括: The method according to claim 1, wherein the step of generating a first random number corresponding to the metadata index area created by the formatting operation when the formatting operation is performed on the target disk includes :
    在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的一个第一随机数;Generating a first random number corresponding to the metadata index area created by the formatting operation when performing a formatting operation on the target disk;
    或者,or,
    在对目标磁盘进行格式化操作时,确定通过所述格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,所述目标数量与所述条数的数量相同。When performing a formatting operation on the target disk, determining the number of index data existing in the metadata index area created by the formatting operation, generating a target number of first random numbers, the target quantity and the number of the pieces The number is the same.
  6. 根据权利要求1所述的方法,其特征在于,还包括:The method of claim 1 further comprising:
    当需要在所安装的目标文件系统中存储目标视频时,对所述目标视频中的I帧进行加密,得到第三加密数据;When the target video needs to be stored in the installed target file system, the I frame in the target video is encrypted to obtain the third encrypted data;
    将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区,所述剩余视频帧为所述目标视频中除所述I帧外的视频帧。And storing the third encrypted data and the remaining video frames in the target video to a data area created by the formatting operation, wherein the remaining video frames are in the target video except the I frame Video frame.
  7. 根据权利要求6所述的方法,其特征在于,在将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区后,还包括:The method according to claim 6, wherein after storing the third encrypted data and the remaining video frames in the target video to the data area created by the formatting operation, :
    获得存储所述第三加密数据的数据块的第一编号,以及存储所述剩余视频帧的数据块的第二编号;Obtaining a first number of a data block storing the third encrypted data, and storing a second number of the data block of the remaining video frame;
    基于所述第一随机数,对所述元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
    确定所述第一解密数据中所述第一编号所对应的第一目标数据,以及所述第二编号所对应的第二目标数据;Determining, by the first decrypted data, first target data corresponding to the first number, and second target data corresponding to the second number;
    利用所述I帧所对应的数据属性信息替换所述第一目标数据,并利用所述剩余视频帧的数据属性信息,替换所述第二目标数据,得到新的第一解密数据;Replacing the first target data by using data attribute information corresponding to the I frame, and replacing the second target data by using data attribute information of the remaining video frames to obtain new first decrypted data;
    生成所述新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
    基于所述第三随机数,对所述新的第一解密数据进行加密,获得新的第一加密数据。And encrypting the new first decrypted data based on the third random number to obtain new first encrypted data.
  8. 根据权利要求1所述的方法,其特征在于,所述格式化操作在目标磁盘上还创建有备用元数据引导区和备用元数据索引区; The method according to claim 1, wherein said formatting operation further creates an alternate metadata boot area and a spare metadata index area on the target disk;
    所述方法还包括:The method further includes:
    在对所述目标磁盘进行格式化操作时,生成所述备用元数据引导区对应的第四随机数,以及所述备用元数据索引区对应的第五随机数;Generating a fourth random number corresponding to the spare metadata boot area and a fifth random number corresponding to the spare metadata index area, when performing a formatting operation on the target disk;
    基于所述第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;将所述第四加密数据存储到所述备用元数据引导区;And encrypting, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; storing the fourth encrypted data in the spare metadata boot area;
    基于所述第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;将所述第五加密数据存储到所述备用元数据索引区。And encrypting data stored in the spare metadata index area to obtain fifth encrypted data based on the fifth random number; storing the fifth encrypted data in the spare metadata index area.
  9. 一种文件系统加密装置,其特征在于,包括:A file system encryption device, comprising:
    格式化模块,用于通过格式化操作创建元数据索引区;a formatting module for creating a metadata index area by a formatting operation;
    随机数生成模块,用于在对目标磁盘进行格式化操作时,生成通过所述格式化模块格式化操作所创建的元数据索引区所对应的第一随机数;其中,所述格式化操作用于在所述目标磁盘上安装目标文件系统;a random number generating module, configured to: when performing a formatting operation on the target disk, generate a first random number corresponding to the metadata index area created by the formatting module formatting operation; wherein the formatting operation is performed Installing a target file system on the target disk;
    加密模块,用于基于所述第一随机数,对所述元数据索引区所存储的数据进行加密,得到第一加密数据;And an encryption module, configured to encrypt data stored in the metadata index area according to the first random number, to obtain first encrypted data;
    存储模块,用于将所述第一加密数据存储在所述元数据索引区。And a storage module, configured to store the first encrypted data in the metadata index area.
  10. 根据权利要求9所述的装置,其特征在于,所述随机数生成模块还用于:在对所述目标磁盘进行格式化操作时,生成通过所述格式化模块格式化操作所创建的元数据引导区所对应的第二随机数;The apparatus according to claim 9, wherein the random number generating module is further configured to: generate metadata created by the formatting module formatting operation when performing a formatting operation on the target disk a second random number corresponding to the boot area;
    相应地,所述加密模块还用于:基于所述第二随机数,对所述元数据引导区所存储的数据进行加密,得到第二加密数据;所述存储模块还用于:将所述第二加密数据存储在所述元数据引导区。Correspondingly, the encryption module is further configured to: encrypt the data stored in the metadata boot area to obtain second encrypted data based on the second random number; and the storage module is further configured to: The second encrypted data is stored in the metadata boot area.
  11. 根据权利要求9所述的装置,其特征在于,所述加密模块还用于:加密所述第一随机数,获得第一随机数加密数据;The apparatus according to claim 9, wherein the encryption module is further configured to: encrypt the first random number to obtain first random number encrypted data;
    相应地,所述存储模块具体用于:将所述第一加密数据和所述第一随机数加密数据,存储在所述元数据索引区。Correspondingly, the storage module is specifically configured to: store the first encrypted data and the first random number encrypted data in the metadata index area.
  12. 根据权利要求10或11所述的装置,其特征在于,所述加密模块还用于:加密所述第二随机数,获得第二随机数加密数据;The apparatus according to claim 10 or 11, wherein the encryption module is further configured to: encrypt the second random number to obtain second random number encrypted data;
    相应地,所述存储模块具体用于:将所述第二加密数据和所述第二随机数加密数据,存储在所述元数据引导区。 Correspondingly, the storage module is specifically configured to: store the second encrypted data and the second random number encrypted data in the metadata boot area.
  13. 根据权利要求9所述的装置,其特征在于,所述随机数生成模块具体用于:在对目标磁盘进行格式化操作时,生成通过所述格式化操作所创建的元数据索引区所对应的一个第一随机数;The device according to claim 9, wherein the random number generating module is specifically configured to: when performing a formatting operation on the target disk, generate a metadata index area created by the formatting operation a first random number;
    或者,or,
    在对目标磁盘进行格式化操作时,确定通过所述格式化操作所创建的元数据索引区中存在的索引数据条数,生成目标数量的第一随机数,所述目标数量与所述条数的数量相同。When performing a formatting operation on the target disk, determining the number of index data existing in the metadata index area created by the formatting operation, generating a target number of first random numbers, the target quantity and the number of the pieces The number is the same.
  14. 根据权利要求9所述的装置,其特征在于,所述加密模块还用于:The device according to claim 9, wherein the encryption module is further configured to:
    当需要在所安装的目标文件系统中存储目标视频时,对所述目标视频中的I帧进行加密,得到第三加密数据;When the target video needs to be stored in the installed target file system, the I frame in the target video is encrypted to obtain the third encrypted data;
    相应地,所述存储模块还用于:将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化操作所创建的数据区,所述剩余视频帧为所述目标视频中除所述I帧外的视频帧。Correspondingly, the storage module is further configured to: store the third encrypted data, and remaining video frames in the target video, into a data area created by the formatting operation, where the remaining video frames are a video frame other than the I frame in the target video.
  15. 根据权利要求14所述的装置,其特征在于,还包括:获得模块;The device according to claim 14, further comprising: obtaining a module;
    所述获得模块用于:The obtaining module is used to:
    在所述存储模块将所述第三加密数据,以及所述目标视频中的剩余视频帧,存储至通过所述格式化模块格式化操作所创建的数据区后,获得存储所述第三加密数据的数据块的第一编号,以及所述剩余视频帧的数据块的第二编号;After the storage module stores the third encrypted data and the remaining video frames in the target video to the data area created by the formatting module formatting operation, obtaining the stored third encrypted data a first number of the data block and a second number of the data block of the remaining video frame;
    基于所述第一随机数,对所述元数据索引区所存储的第一加密数据进行解密,获得第一解密数据;Decrypting the first encrypted data stored in the metadata index area based on the first random number to obtain first decrypted data;
    确定所述第一解密数据中所述第一编号所对应的第一目标数据,以及所述第二编号所对应的第二目标数据;Determining, by the first decrypted data, first target data corresponding to the first number, and second target data corresponding to the second number;
    利用所述I帧所对应的数据属性信息替换所述第一目标数据,并利用所述剩余视频帧的数据属性信息,替换所述第二目标数据,得到新的第一解密数据;Replacing the first target data by using data attribute information corresponding to the I frame, and replacing the second target data by using data attribute information of the remaining video frames to obtain new first decrypted data;
    生成所述新的第一解密数据所对应的第三随机数;Generating a third random number corresponding to the new first decrypted data;
    基于所述第三随机数,对所述新的第一解密数据进行加密,获得新的第一加密数据。 And encrypting the new first decrypted data based on the third random number to obtain new first encrypted data.
  16. 根据权利要求9所述的装置,其特征在于,所述格式化模块还用于通过所述格式化操作在目标磁盘上创建备用元数据引导区和备用元数据索引区;The apparatus according to claim 9, wherein the formatting module is further configured to create an alternate metadata boot area and an alternate metadata index area on the target disk by the formatting operation;
    相应地,所述随机数生成模块还用于:在对所述目标磁盘进行格式化操作时,生成所述备用元数据引导区对应的第四随机数,以及所述备用元数据索引区对应的第五随机数;Correspondingly, the random number generating module is further configured to: when performing a formatting operation on the target disk, generate a fourth random number corresponding to the spare metadata boot area, and corresponding to the spare metadata index area Fifth random number;
    所述加密模块还用于:基于所述第四随机数,对备用元数据引导区所存储的数据进行加密,得到第四加密数据;基于所述第五随机数,对备用元数据索引区所存储的数据进行加密,得到第五加密数据;The cryptographic module is further configured to: encrypt, according to the fourth random number, data stored in the spare metadata boot area to obtain fourth encrypted data; and based on the fifth random number, the spare metadata index area The stored data is encrypted to obtain a fifth encrypted data;
    所述存储模块还用于:将所述第四加密数据存储到所述备用元数据引导区;将所述第五加密数据存储到所述备用元数据索引区。The storage module is further configured to: store the fourth encrypted data into the spare metadata boot area; and store the fifth encrypted data into the spare metadata index area.
  17. 一种存储介质,其特征在于,用于存储可执行程序代码,所述可执行程序代码被运行以执行权利要求1-8任一项所述的文件系统加密方法。A storage medium for storing executable program code, the executable program code being operative to perform the file system encryption method of any one of claims 1-8.
  18. 一种应用程序,其特征在于,所述应用程序用于在运行时执行权利要求1-8任一项所述的文件系统加密方法。An application, the application being operative to perform the file system encryption method of any one of claims 1-8 at runtime.
  19. 一种电子设备,其特征在于,包括:壳体、处理器、存储器、电路板和电源电路,其中,电路板安置在壳体围成的空间内部,处理器和存储器设置在电路板上;电源电路,用于为各个电路或器件供电;存储器用于存储可执行程序代码;处理器通过运行存储器中存储的可执行程序代码,以执行权利要求1-8任一项所述的文件系统加密方法。 An electronic device, comprising: a housing, a processor, a memory, a circuit board, and a power supply circuit, wherein the circuit board is disposed inside the space enclosed by the housing, and the processor and the memory are disposed on the circuit board; a circuit for powering each circuit or device; a memory for storing executable program code; the processor executing the file system encryption method of any one of claims 1-8 by running executable program code stored in the memory .
PCT/CN2017/101226 2016-12-02 2017-09-11 Method and device for encrypting file system WO2018099157A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611097134.5A CN108154042B (en) 2016-12-02 2016-12-02 File system encryption method and device
CN201611097134.5 2016-12-02

Publications (1)

Publication Number Publication Date
WO2018099157A1 true WO2018099157A1 (en) 2018-06-07

Family

ID=62241068

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/101226 WO2018099157A1 (en) 2016-12-02 2017-09-11 Method and device for encrypting file system

Country Status (2)

Country Link
CN (1) CN108154042B (en)
WO (1) WO2018099157A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116095331A (en) * 2023-03-03 2023-05-09 浙江大华技术股份有限公司 Encoding method and decoding method

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768649A (en) * 2018-06-26 2018-11-06 苏州蜗牛数字科技股份有限公司 A kind of method and storage medium of dynamic encryption network data
CN113742289B (en) * 2021-09-02 2023-10-31 中金金融认证中心有限公司 Device for file system and method for operating file system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102446140A (en) * 2011-09-02 2012-05-09 中国联合网络通信集团有限公司 Data processing method and mobile storage equipment
CN105183401A (en) * 2015-10-30 2015-12-23 深圳市泽云科技有限公司 Method, device and system for recovering data in solid state disk
CN106162226A (en) * 2016-08-31 2016-11-23 珠海迈科智能科技股份有限公司 The transmission method of a kind of TS stream and system
US20160350535A1 (en) * 2013-10-28 2016-12-01 Cloudera, Inc. Virtual machine image encryption

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102446140A (en) * 2011-09-02 2012-05-09 中国联合网络通信集团有限公司 Data processing method and mobile storage equipment
US20160350535A1 (en) * 2013-10-28 2016-12-01 Cloudera, Inc. Virtual machine image encryption
CN105183401A (en) * 2015-10-30 2015-12-23 深圳市泽云科技有限公司 Method, device and system for recovering data in solid state disk
CN106162226A (en) * 2016-08-31 2016-11-23 珠海迈科智能科技股份有限公司 The transmission method of a kind of TS stream and system

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116095331A (en) * 2023-03-03 2023-05-09 浙江大华技术股份有限公司 Encoding method and decoding method

Also Published As

Publication number Publication date
CN108154042B (en) 2020-07-03
CN108154042A (en) 2018-06-12

Similar Documents

Publication Publication Date Title
US8924739B2 (en) System and method for in-place encryption
CN103440209B (en) A kind of solid state hard disc data encryption/decryption method and solid state hard disk system
US9798677B2 (en) Hybrid cryptographic key derivation
EP3103048B1 (en) Content item encryption on mobile devices
US20190245686A1 (en) Secure crypto system attributes
WO2021164166A1 (en) Service data protection method, apparatus and device, and readable storage medium
US9762548B2 (en) Controlling encrypted data stored on a remote storage device
US10255450B2 (en) Customer load of field programmable gate arrays
AU2012204448A1 (en) System and method for in-place encryption
EP2722787A1 (en) Method and apparatus for writing and reading encrypted hard disk data
US20170359175A1 (en) Support for changing encryption classes of files
US9384355B2 (en) Information processing apparatus with hibernation function, control method therefor, and storage medium storing control program therefor
US20080016352A1 (en) Method and apparatus for maintaining ephemeral keys in limited space
WO2018099157A1 (en) Method and device for encrypting file system
CN106682521B (en) File transparent encryption and decryption system and method based on driver layer
US20110107109A1 (en) Storage system and method for managing data security thereof
CN107066346A (en) A kind of data back up method, data reconstruction method and device
CN107563228B (en) Memory data encryption and decryption method
TW201942788A (en) Application program information storing method and apparatus, and application program information processing method and apparatus
CN111125791B (en) Memory data encryption method and device, CPU chip and server
CN110909318B (en) Operating system anti-theft method and device for user equipment and terminal
JP2013255161A (en) Encryption key update system and key update program
CN109933994B (en) Data hierarchical storage method and device and computing equipment
CN112632572A (en) Method, device and storage medium for encrypting and decrypting commands in script
KR101758233B1 (en) Method and apparatus that perform encryption for data of external storage using asymmetric characteristic

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17876387

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17876387

Country of ref document: EP

Kind code of ref document: A1