WO2023000502A1 - Method, apparatus and device for encrypting and decrypting disk data of virtual machine, and storage medium - Google Patents

Method, apparatus and device for encrypting and decrypting disk data of virtual machine, and storage medium

Info

Publication number
WO2023000502A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
data encryption
management server
encryption key
virtual machine
Prior art date
Application number
PCT/CN2021/121911
Other languages
French (fr)
Chinese (zh)
Inventor
刘海伟
Original Assignee
苏州浪潮智能科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 苏州浪潮智能科技有限公司
Publication of WO2023000502A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]

Definitions

  • The present application relates to the field of data security, in particular to a method, apparatus, device and storage medium for encrypting and decrypting disk data of a virtual machine.
  • Cloud computing deploys computing, storage, and network resources to cloud servers through virtualization technology, which improves the utilization rate of resources, and also enables dynamic acquisition of resources and convenient expansion.
  • data is stored on remote cloud servers through the network, which also brings many security risks.
  • virtual disks are usually encrypted and stored in remote cloud servers.
  • DEK Data Encryption Key
  • the cloud management platform uses a data encryption key (Data Encryption Key, DEK) to encrypt the input data and save it.
  • the cloud management platform uses the data encryption key to decrypt it. In this way, the security protection of the disk data of the virtual machine is realized.
  • the data encryption key is obtained from the Key Management Server (KMS) in real time through the network when the virtual machine disk encryption and decryption task is generated.
  • KMS Key Management Server
  • The purpose of this application is to provide a virtual machine disk data encryption and decryption method, apparatus, device and storage medium, which are used to improve the availability of virtual machine data encryption and decryption on the premise of ensuring the security of the data encryption key.
  • the present application provides a method for encrypting and decrypting virtual machine disk data, including:
  • the ciphertext of the data encryption key is obtained from the local storage, and the ciphertext of the data encryption key is decrypted using the pre-stored key encryption key to obtain the data encryption key;
  • the judging whether the conditions for communicating with the key management server are met specifically includes:
  • the estimated time is calculated based on the network connection status with the key management server and the performance parameters of the input/output data encryption/decryption request.
  • the key encryption key is specifically an asymmetric key
  • the encryption and decryption method further includes:
  • the receiving of the ciphertext of the data encryption key returned by the key management server after encrypting the data encryption key with the key encryption key is specifically:
  • the key encryption key is specifically an SM2-type asymmetric key; the data encryption key is specifically an SM4-type symmetric key.
  • an encryption and decryption device for virtual machine disk data including:
  • the first judging unit is configured to judge whether the condition for communicating with the key management server is satisfied when receiving the input and output data encryption and decryption request of the target virtual machine;
  • a first obtaining unit configured to obtain a data encryption key from the key management server if the conditions for communicating with the key management server are met;
  • the second obtaining unit is configured to obtain the ciphertext of the data encryption key from the local storage if the condition for communicating with the key management server is not satisfied, and to decrypt the ciphertext of the data encryption key using the pre-stored key encryption key to obtain the data encryption key;
  • the execution unit is configured to use the data encryption key to perform encryption and decryption operations on the data of the target virtual machine.
  • an encryption and decryption device for virtual machine disk data including:
  • a processor for executing the instructions.
  • the present application also provides a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the method for encrypting and decrypting virtual machine disk data as described in any one of the above items are implemented.
  • The encryption and decryption method for virtual machine disk data includes: when receiving the input and output data encryption and decryption requests of the target virtual machine, judging whether the conditions for communicating with the key management server are met; if the conditions are met, obtaining the data encryption key from the key management server for data encryption and decryption operations; if the conditions are not met, obtaining the ciphertext of the data encryption key from the local storage and decrypting it with the pre-stored key encryption key to obtain the data encryption key for data encryption and decryption operations.
  • In this way the data encryption key can be obtained in time when the key management server is temporarily unavailable or the cloud management platform and the key management server are temporarily unreachable through the network, and storing the data encryption key only in encrypted form ensures its security, thereby improving the usability of virtual machine data encryption and decryption under the premise of ensuring the security of the data encryption key.
  • The present application also provides an encryption and decryption apparatus, device and storage medium for virtual machine disk data, which have the above-mentioned beneficial effects and will not be repeated here.
  • FIG. 1 is a flow chart of a method for encrypting and decrypting virtual machine disk data provided by an embodiment of the present application
  • FIG. 2 is a schematic structural diagram of an encryption and decryption device for virtual machine disk data provided by an embodiment of the present application
  • FIG. 3 is a schematic structural diagram of a virtual machine disk data encryption and decryption device provided by an embodiment of the present application.
  • The core of the present application is to provide a virtual machine disk data encryption and decryption method, apparatus, device and storage medium, which are used to improve the usability of virtual machine data encryption and decryption on the premise of ensuring the security of the data encryption key.
  • FIG. 1 is a flowchart of a method for encrypting and decrypting disk data of a virtual machine provided by an embodiment of the present application.
  • the method for encrypting and decrypting virtual machine disk data includes:
  • S101: When receiving the input and output data encryption and decryption request of the target virtual machine, judge whether the condition for communicating with the key management server is met; if yes, go to step S102; if not, go to step S103.
  • S103: Obtain the ciphertext of the data encryption key from the local storage, and use the pre-stored key encryption key to decrypt the ciphertext of the data encryption key to obtain the data encryption key.
  • S104: Encrypt and decrypt the data of the target virtual machine by using the data encryption key.
  • the software architecture of the encryption and decryption method for virtual machine disk data may include a key management system, a cloud management platform, a key cache manager, and a disk encryption and decryption module.
  • The key management system is deployed on the key management server. It manages the data encryption keys used for encryption and decryption of virtual machine disk data, including application scenarios such as creation and deletion, and can also verify the identity information of the cloud management platform and then use the key encryption key (Key Encryption Key, KEK) agreed with the cloud management platform to encrypt the data encryption key, generating the ciphertext of the data encryption key.
  • key encryption key Key Encryption Key, KEK
  • the cloud management platform and the key cache manager are usually deployed on the same server node.
  • The cloud management platform is used to manage the life cycle of the virtual machine and to interact with the key management system; it also obtains the ciphertext of the data encryption key sent by the key management server and distributes it to the key cache manager.
  • The key cache manager interacts with the cloud management platform to cache the ciphertext of the data encryption key in the local storage, and interacts with the disk encryption module to provide the ciphertext of the data encryption key to the disk encryption module. It can also provide the key expiration time setting, which is used to determine, based on the expiration time, whether the key in the local storage needs to be updated.
  • Before using the cloud management platform to perform virtual machine disk data encryption and decryption tasks, it should be ensured that the cloud management platform is a trusted platform. Before performing the above steps, the method therefore also includes: the server node where the cloud management platform is located sends the unique identifier (UUID) of the cloud management platform to the key management server and submits a registration application; after receiving the unique identifier of the cloud management platform, the key management server generates a digital certificate based on the unique identifier and returns it in response to the registration application; the server node where the cloud management platform is located records the returned digital certificate and establishes an SSL channel for subsequent network communication based on the digital certificate.
  • UUID unique identifier
  • the disk encryption module can be deployed on the same server node as the cloud management platform, or it can be deployed on a different server node. It is used to generate the key encryption key and send the key encryption key to the cloud management platform.
  • The disk encryption module obtains the ciphertext of the data encryption key from the key cache manager, uses the key encryption key to decrypt the ciphertext of the data encryption key, obtains the plaintext of the data encryption key, and uses the data encryption key to perform encryption and decryption operations on the disk data of the virtual machine.
  • the method for encrypting and decrypting virtual machine disk data provided in the embodiment of the present application can be implemented based on the server nodes deployed on the cloud management platform.
  • step S101 judging whether the conditions for communicating with the key management server are met may include:
  • If the key management server is reachable, the data encryption key is preferentially obtained from the key management server. Specifically, a request for the data encryption key may be sent to the key management server; if the data encryption key sent by the key management server is not received within a certain period of time, the key management server is considered unreachable.
  • step S101 it is judged whether the conditions for communicating with the key management server are met, specifically including:
  • the estimated time is calculated based on the network connection status with the key management server and the performance parameters of the input and output data encryption and decryption requests.
  • The key management server and the server node on which the cloud management platform is deployed may or may not be in the same local area network, and the resources allocated by the server to the virtual machine disk encryption and decryption tasks may also differ, so the time it takes the server node on which the cloud management platform is deployed to obtain the key from the key management server varies; in addition, different users or businesses have different requirements for virtual machine data encryption and decryption services. Therefore, the estimated time for communicating with the key management server can be calculated from parameters such as the network relationship between the key management server and the server node on which the cloud management platform is deployed and the resources allocated by the server to the virtual machine disk encryption and decryption tasks, and the preset time range is determined based on user or business requirements for virtual machine data encryption and decryption services.
  • Either of the above two methods for judging whether the conditions for communicating with the key management server are met can be selected, or they can be used in combination.
  • the data encryption key provided by the key management server is the ciphertext of the data encryption key.
  • The key management server encrypts the data encryption key with the key encryption key agreed between the key management system and the cloud management platform, generates the ciphertext of the data encryption key, and sends the ciphertext of the data encryption key to the node where the cloud management platform is located.
  • After the cloud management platform receives the ciphertext of the data encryption key, it distributes the ciphertext of the data encryption key to the key cache manager, and the key cache manager caches the ciphertext of the data encryption key in the local memory.
  • In step S102, after the node where the cloud management platform is located obtains the ciphertext of the data encryption key, it sends the ciphertext of the data encryption key to the disk encryption module, and the disk encryption module decrypts it to obtain the data encryption key.
  • In step S103, the node where the cloud management platform is located takes out the ciphertext of the data encryption key that the key cache manager pre-stored in the local memory, sends the ciphertext of the data encryption key to the disk encryption module, and the disk encryption module decrypts it to obtain the data encryption key.
  • the encryption and decryption tasks are executed according to the input and output data encryption and decryption requests of the target virtual machine.
  • Both the data encryption key and the key encryption key may specifically be symmetric keys or asymmetric keys. Since the virtual machine disk encryption and decryption tasks have strict requirements on delay and high security requirements on the data encryption key, the data encryption key is preferably a symmetric key and the key encryption key is preferably an asymmetric key. In order to meet the relevant policy requirements of China's Commercial Cryptography Bureau and increase the compliance of the system, the key encryption key adopts the SM2 type asymmetric key, and the data encryption key adopts the SM4 type symmetric key.
  • The method for encrypting and decrypting virtual machine disk data includes: when receiving the input and output data encryption and decryption request of the target virtual machine, judging whether the condition for communicating with the key management server is met; if this condition is met, obtaining the data encryption key from the key management server for data encryption and decryption operations; if this condition is not met, obtaining the ciphertext of the data encryption key from the local storage and decrypting it with the pre-stored key encryption key to obtain the data encryption key for data encryption and decryption operations.
  • the data encryption key can be obtained in time even when the key management server is temporarily unavailable or the cloud management platform and the key management server are temporarily unreachable through the network. Moreover, the security of the data encryption key is ensured by encrypting and storing the data encryption key, so that the usability of data encryption and decryption of the virtual machine can be improved under the premise of ensuring the security of the data encryption key.
  • the method for encrypting and decrypting virtual machine disk data provided in the embodiments of the present application further includes:
  • the data encryption key is in one-to-one correspondence with the virtual machine, or even one-to-one with the disk of the virtual machine.
  • The key management server also holds the key encryption key; it uses the key encryption key to encrypt the data encryption key and then returns the ciphertext of the data encryption key to the server node where the cloud management platform is located.
  • the key management server may obtain the key encryption key from the server node where the cloud management platform is located.
  • The key encryption key may be a symmetric key or an asymmetric key, and in this case an asymmetric key is preferred. That is, in the method for encrypting and decrypting virtual machine disk data provided in the embodiment of the present application, after generating the key encryption key corresponding to the target virtual machine, it further includes:
  • The cloud management platform and the key management system can also pre-agree on the generation method of the key encryption key, such as calculating the key encryption key based on time. Then, after the server node where the cloud management platform is located generates the key encryption key corresponding to the target virtual machine, it sends the type and generation time of the target virtual machine to the key management server; the key management server thereby learns that the key encryption key corresponding to the target virtual machine has been generated and calculates that key encryption key itself from the generation time of the target virtual machine. This eliminates the transmission of the key encryption key and helps protect the security of the key.
  • the method for encrypting and decrypting virtual machine disk data provided in the embodiments of the present application may further include:
  • the expiration time is set for the ciphertext of the data encryption key to ensure the consistency of the data encryption key of the server node where the cloud management platform is located and the data encryption key of the key management server.
  • the expiration time of the ciphertext of the data encryption key can be calculated based on the agreed valid duration of the ciphertext of each data encryption key and the time when the server node where the cloud management platform is located receives the ciphertext of the data encryption key.
  • the obtained expiration time point may also be in the countdown form, and when the current time reaches the expiration time point or the countdown is zero, it is considered that the expiration time of the ciphertext of the data encryption key has been reached.
  • the storage form of the ciphertext of the data encryption key in the local storage can be shown in Table 1:
  • Table 1 (as far as it survives on this page): Cipher_dek | ciphertext of the data encryption key
  • Once the expiration time is reached, the data encryption key is not used. However, this will result in no data encryption key being available for the virtual machine disk data encryption and decryption task.
  • It can also be arranged to re-acquire the ciphertext of the data encryption key from the key management server at a certain point within the valid time of the ciphertext, shortly before the expiration time is reached, rather than going to the key management server for the ciphertext of the data encryption key only once it has already expired.
  • FIG. 2 is a schematic structural diagram of an apparatus for encrypting and decrypting disk data of a virtual machine provided by an embodiment of the present application.
  • the encryption and decryption device for virtual machine disk data includes:
  • the first judging unit 201 is configured to judge whether a condition for communicating with the key management server is met when receiving an input/output data encryption/decryption request from the target virtual machine;
  • the first obtaining unit 202 is configured to obtain the data encryption key from the key management server if the condition for communicating with the key management server is met;
  • the second obtaining unit 203 is configured to obtain the ciphertext of the data encryption key from the local storage if the condition for communicating with the key management server is not satisfied, and to decrypt the ciphertext of the data encryption key using the pre-stored key encryption key to obtain the data encryption key;
  • the execution unit 204 is configured to perform encryption and decryption operations on the data of the target virtual machine by using the data encryption key.
  • the first judging unit 201 judges whether the conditions for communicating with the key management server are met, specifically including:
  • the first judging unit 201 judges whether the conditions for communicating with the key management server are met, specifically including: judging whether the estimated time for communicating with the key management server is within a preset time range;
  • the estimated time is calculated based on the network connection status with the key management server and the performance parameters of the input and output data encryption and decryption requests.
  • the device for encrypting and decrypting virtual machine disk data provided in the embodiment of the present application further includes:
  • a generating unit configured to generate a key encryption key corresponding to the target virtual machine when creating the target virtual machine
  • the receiving unit is configured to receive the ciphertext of the data encryption key returned by the key management server after encrypting the data encryption key with the key encryption key;
  • the storage unit is configured to store the ciphertext of the data encryption key in the local storage.
  • the key encryption key is specifically an asymmetric key
  • the encryption and decryption method further includes:
  • the key encryption key is specifically an SM2 type asymmetric key; the data encryption key is specifically an SM4 type symmetric key.
  • the device for encrypting and decrypting virtual machine disk data provided in the embodiment of the present application further includes:
  • the second judging unit is used to judge whether the expiration time of the ciphertext of the data encryption key has been reached;
  • the third acquisition unit is used to obtain the ciphertext of the data encryption key from the key management server if the expiration time of the ciphertext of the data encryption key is reached, in order to update the ciphertext of the data encryption key in the local storage and update the expiration time.
  • FIG. 3 is a schematic structural diagram of a virtual machine disk data encryption and decryption device provided by an embodiment of the present application.
  • the encryption and decryption equipment for virtual machine disk data includes:
  • the memory 310 is used to store instructions, and the instructions include the steps of the method for encrypting and decrypting virtual machine disk data described in any one of the above-mentioned embodiments;
  • the processor 320 is configured to execute the instruction.
  • the processor 320 may include one or more processing cores, such as a 3-core processor, an 8-core processor, and the like.
  • the processor 320 can be realized by at least one hardware form of DSP (Digital Signal Processing), Field-Programmable Gate Array (FPGA) and Programmable Logic Array (PLA).
  • Processor 320 may also include a main processor and a coprocessor: the main processor processes data in the wake-up state and is also called the central processing unit (CPU); the coprocessor is a low-power processor for processing data in the standby state.
  • the processor 320 may be integrated with a graphics processing unit (GPU), which is used for rendering and drawing the content that needs to be displayed on the display screen.
  • the processor 320 may also include an artificial intelligence AI (Artificial Intelligence) processor, which is used to process computing operations related to machine learning.
  • AI Artificial Intelligence
  • Memory 310 may include one or more storage media, which may be non-transitory.
  • the memory 310 may also include high-speed random access memory, and non-volatile memory, such as one or more magnetic disk storage devices and flash memory storage devices.
  • the memory 310 is at least used to store the following computer program 311; after the computer program 311 is loaded and executed by the processor 320, it can realize the relevant steps of the method for encrypting and decrypting virtual machine disk data disclosed in any of the preceding embodiments.
  • the resources stored in the memory 310 may also include an operating system 312 and data 313, etc., and the storage method may be temporary storage or permanent storage.
  • the operating system 312 can be Windows.
  • the data 313 may include but not limited to the data involved in the above method.
  • the device for encrypting and decrypting virtual machine disk data may further include a display screen 330, a power supply 340, a communication interface 350, an input/output interface 360, a sensor 370 and a communication bus 380.
  • the structure shown in FIG. 3 does not constitute a limitation on the device for encrypting and decrypting virtual machine disk data, which may include more or fewer components than those shown in the figure.
  • the encryption and decryption device for virtual machine disk data provided by the embodiment of the present application includes a memory and a processor.
  • when the processor executes a program stored in the memory, it can implement the above-mentioned encryption and decryption method for virtual machine disk data, and the effect is the same as above.
  • the above-described device and device embodiments are only illustrative.
  • the division of modules is only a logical function division.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or modules may be in electrical, mechanical or other forms.
  • a module described as a separate component may or may not be physically separated, and a component shown as a module may or may not be a physical module, that is, it may be located in one place, or may also be distributed to multiple network modules. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional module in each embodiment of the present application may be integrated into one processing module, each module may exist separately physically, or two or more modules may be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules.
  • if an integrated module is realized in the form of a software function module and sold or used as an independent product, it can be stored in a storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and used to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the embodiment of the present application also provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the method for encrypting and decrypting disk data of a virtual machine are implemented.
  • the storage medium may include: U disk, mobile hard disk, read-only memory ROM (Read-Only Memory), random access memory RAM (Random Access Memory), magnetic disk or optical disk and other media that can store program codes.
  • the computer program included in the storage medium provided in this embodiment can implement the steps of the method for encrypting and decrypting virtual machine disk data as described above when executed by a processor, and the effect is the same as above.
  • a method, device, device, and storage medium for encrypting and decrypting disk data of a virtual machine provided by the present application have been described above in detail.
  • Each embodiment in the description is described in a progressive manner, each embodiment focuses on the difference from other embodiments, and the same and similar parts of each embodiment can be referred to each other.
  • the devices, equipment and storage media disclosed in the embodiments since they correspond to the methods disclosed in the embodiments, the description is relatively simple, and for relevant details, please refer to the description of the method part. It should be pointed out that those skilled in the art can make several improvements and modifications to the application without departing from the principles of the application, and these improvements and modifications also fall within the protection scope of the claims of the application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed in the present application are a method, apparatus and device for encrypting and decrypting disk data of a virtual machine, and a storage medium. The method comprises: when an input/output data encryption and decryption request for a target virtual machine is received, determining whether the condition of communicating with a key management server is met; if so, acquiring a data encryption key from the key management server, so as to perform data encryption and decryption operations; and if not, acquiring ciphertext of the data encryption key from a local memory, decrypting the ciphertext of the data encryption key by using a pre-stored key encryption key, and then obtaining the data encryption key to perform data encryption and decryption operations. Therefore, when a key management server is temporarily unavailable or a cloud management platform and a key management server are temporarily unreachable by means of a network, a data encryption key can still be acquired in a timely manner, and the security of the data encryption key is ensured by means of storing the data encryption key in an encrypted manner, thereby improving the availability of data encryption and decryption of a virtual machine while also ensuring the security of the data encryption key.

Description

Method, apparatus, device and storage medium for encrypting and decrypting virtual machine disk data
This application claims priority to Chinese patent application No. 202110822203.9, filed with the China Patent Office on July 21, 2021 and entitled "Method, apparatus, device and storage medium for encrypting and decrypting virtual machine disk data", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of data security, and in particular to a method, apparatus, device and storage medium for encrypting and decrypting virtual machine disk data.
Background
Cloud computing uses virtualization to place computing, storage and network resources on cloud servers, which raises resource utilization and lets resources be acquired dynamically and scaled easily. Compared with traditional local computing, storing data on a remote cloud server over the network also introduces many security risks. To reduce the risk of data leakage, virtual disks are usually stored on the remote cloud server in encrypted form. In the prior art, when a virtual machine's input data is written to disk, the cloud management platform encrypts it with a data encryption key (DEK) before saving it; when the virtual machine's data needs to be accessed, the cloud management platform decrypts it with the same data encryption key. In this way the virtual machine's disk data is protected.
To keep the data encryption key secure, it is requested from the key management server (KMS) over the network, in real time, every time a virtual machine disk encryption or decryption task arises. This creates a new problem: when the key management server is temporarily unavailable, or the cloud management platform temporarily cannot reach it over the network, the cloud management platform cannot obtain the data encryption key, and virtual machine data encryption and decryption cannot continue. Such an interruptible service cannot meet the high-availability requirements that many industries now impose.
Summary of the invention
The purpose of the present application is to provide a method, apparatus, device and storage medium for encrypting and decrypting virtual machine disk data that improve the availability of virtual machine data encryption and decryption while ensuring the security of the data encryption key.
To solve the above technical problem, the present application provides a method for encrypting and decrypting virtual machine disk data, comprising:
when an input/output data encryption/decryption request for a target virtual machine is received, determining whether the condition for communicating with a key management server is met;
if the condition for communicating with the key management server is met, obtaining a data encryption key from the key management server;
if the condition for communicating with the key management server is not met, obtaining the ciphertext of the data encryption key from local storage and decrypting the ciphertext of the data encryption key with a pre-stored key encryption key to obtain the data encryption key;
performing encryption and decryption operations on the data of the target virtual machine using the data encryption key.
Optionally, determining whether the condition for communicating with the key management server is met specifically comprises:
determining whether both the network connection to the key management server is normal and the key management server is in an available state;
if so, determining that the condition for communicating with the key management server is met;
if not, determining that the condition for communicating with the key management server is not met.
Optionally, determining whether the condition for communicating with the key management server is met specifically comprises:
determining whether the estimated time to communicate with the key management server falls within a preset time range;
if so, determining that the condition for communicating with the key management server is met;
if not, determining that the condition for communicating with the key management server is not met;
wherein the estimated time is calculated from the state of the network connection to the key management server and the performance parameters of the input/output data encryption/decryption request.
Optionally, the method further comprises:
when the target virtual machine is created, generating a key encryption key corresponding to the target virtual machine;
receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the key encryption key;
storing the ciphertext of the data encryption key in the local storage.
Optionally, the key encryption key is specifically an asymmetric key;
after generating the key encryption key corresponding to the target virtual machine, the method further comprises:
sending the public key of the asymmetric key pair and the unique identifier of the target virtual machine to the key management server;
and receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the key encryption key specifically comprises:
receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the public key.
Optionally, the key encryption key is specifically an SM2 asymmetric key, and the data encryption key is specifically an SM4 symmetric key.
Optionally, the method further comprises:
determining whether the expiry time of the ciphertext of the data encryption key has been reached;
if so, obtaining the ciphertext of the data encryption key from the key management server to update the ciphertext of the data encryption key in the local storage, and updating the expiry time.
To solve the above technical problem, the present application also provides an apparatus for encrypting and decrypting virtual machine disk data, comprising:
a first judging unit, configured to determine, when an input/output data encryption/decryption request for a target virtual machine is received, whether the condition for communicating with a key management server is met;
a first obtaining unit, configured to obtain a data encryption key from the key management server if the condition for communicating with the key management server is met;
a second obtaining unit, configured to obtain the ciphertext of the data encryption key from local storage if the condition for communicating with the key management server is not met, and to decrypt the ciphertext of the data encryption key with a pre-stored key encryption key to obtain the data encryption key;
an execution unit, configured to perform encryption and decryption operations on the data of the target virtual machine using the data encryption key.
To solve the above technical problem, the present application also provides a device for encrypting and decrypting virtual machine disk data, comprising:
a memory for storing instructions, the instructions comprising the steps of any of the methods for encrypting and decrypting virtual machine disk data described above;
a processor for executing the instructions.
To solve the above technical problem, the present application also provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of any of the methods for encrypting and decrypting virtual machine disk data described above are implemented.
The method for encrypting and decrypting virtual machine disk data provided by the present application comprises: when an input/output data encryption/decryption request for a target virtual machine is received, determining whether the condition for communicating with the key management server is met; if it is, obtaining the data encryption key from the key management server for the data encryption and decryption operations; if it is not, obtaining the ciphertext of the data encryption key from local storage and decrypting it with the pre-stored key encryption key to obtain the data encryption key for those operations. With this method, the data encryption key can still be obtained promptly when the key management server is temporarily unavailable or the cloud management platform temporarily cannot reach it over the network, and storing the data encryption key only in encrypted form keeps it secure. The availability of virtual machine data encryption and decryption is therefore improved while the security of the data encryption key is ensured.
The present application also provides an apparatus, a device and a storage medium for encrypting and decrypting virtual machine disk data, which have the above beneficial effects and are not described again here.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for encrypting and decrypting virtual machine disk data provided by an embodiment of the present application;
FIG. 2 is a schematic structural diagram of an apparatus for encrypting and decrypting virtual machine disk data provided by an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a device for encrypting and decrypting virtual machine disk data provided by an embodiment of the present application.
Detailed description
The core of the present application is to provide a method, apparatus, device and storage medium for encrypting and decrypting virtual machine disk data that improve the availability of virtual machine data encryption and decryption while ensuring the security of the data encryption key.
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
Embodiment one
FIG. 1 is a flowchart of a method for encrypting and decrypting virtual machine disk data provided by an embodiment of the present application.
As shown in FIG. 1, the method for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application comprises:
S101: when an input/output data encryption/decryption request for the target virtual machine is received, determine whether the condition for communicating with the key management server is met; if so, go to step S102; if not, go to step S103.
S102: obtain the data encryption key from the key management server.
S103: obtain the ciphertext of the data encryption key from local storage and decrypt it with the pre-stored key encryption key to obtain the data encryption key.
S104: perform encryption and decryption operations on the data of the target virtual machine using the data encryption key.
In a specific implementation, the software architecture for the method for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application may include a key management system, a cloud management platform, a key cache manager and a disk encryption/decryption module.
The key management system is deployed on the key management server and manages the data encryption keys used to encrypt and decrypt virtual machine disk data, covering scenarios such as creation and deletion. After verifying the identity of the cloud management platform, it can also encrypt the data encryption key with a key encryption key (KEK) agreed with the cloud management platform, producing the ciphertext of the data encryption key.
The cloud management platform and the key cache manager are usually deployed on the same server node. The cloud management platform manages the life cycle of virtual machines and interacts with the key management system; it can also receive the ciphertext of the data encryption key sent by the key management server and distribute it to the key cache manager. The key cache manager exchanges messages with the cloud management platform in order to cache the ciphertext of the data encryption key in local storage, interacts with the disk encryption module to supply it with the ciphertext of the data encryption key, and can also provide an expiry-time setting for the key so that, based on that expiry time, it can be determined whether the key in local storage needs to be updated. Before the cloud management platform is used to perform virtual machine disk data encryption and decryption tasks, it should be ensured that the cloud management platform is a trustworthy platform. Therefore, before the above steps are performed, the method further comprises: the server node hosting the cloud management platform sends the platform's unique identifier (UUID) to the key management server and submits a registration request; after receiving the unique identifier, the key management server generates a digital certificate based on it and returns the certificate in response to the registration request; the server node hosting the cloud management platform records the returned digital certificate and uses it to establish the SSL channel for all subsequent network communication.
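The registration exchange just described (the node sends its UUID, the key management server issues a digital certificate bound to it, and that certificate then anchors the SSL channel) as an added example in Go; this is not code from the patent or its applicant. It assumes that the key management server acts as the certificate authority, that the node has its own key pair and the certificate covers its public key (the text does not say which key is certified), and that the UUID is carried in the certificate's common name. The TLS handshake itself is not shown; the example covers issuing the certificate and the check the server performs when the node later presents it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Authority is the KMS in its role as certificate issuer for cloud-platform nodes.
type Authority struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newTemplate fills the fields every certificate needs: random serial, subject, validity.
func newTemplate(cn string, ttl time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
	}, nil
}

// NewAuthority creates a self-signed CA; in the real system this is the KMS's own key.
func NewAuthority(name string) (*Authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl, err := newTemplate(name, 10*365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Authority{Key: key, Cert: cert}, nil
}

// Register is the KMS side of the registration request: the node's UUID becomes the
// subject of a client certificate over the node's public key (assumed per-node key pair;
// the text does not say which key the certificate covers). Returns the certificate DER.
func (a *Authority) Register(nodeUUID string, nodePub *ecdsa.PublicKey) ([]byte, error) {
	tmpl, err := newTemplate(nodeUUID, 30*24*time.Hour)
	if err != nil {
		return nil, err
	}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, tmpl, a.Cert, nodePub, a.Key)
}

// AuthenticateNode is what the KMS does when a node later presents the certificate on
// the TLS channel: verify the chain to the KMS CA for client authentication and return
// the UUID it was issued to, so that key requests are attributed to a registered node.
func (a *Authority) AuthenticateNode(leafDER []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(a.Cert)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}
```

`Register` is the server's action on the registration request and `AuthenticateNode` the check it makes on every later connection, so a certificate from any other issuer, or a malformed one, cannot be used to request keys; the 30-day lifetime and the P-256 keys are choices made for the example, not values from the text.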
The disk encryption module may be deployed on the same server node as the cloud management platform or on a different one. It generates the key encryption key and sends it to the cloud management platform (in the asymmetric case described below, only the public key needs to travel, since that is what the platform forwards to the key management server); it also obtains the ciphertext of the data encryption key from the key cache manager, decrypts that ciphertext with the key encryption key to obtain the plaintext data encryption key, and uses the data encryption key to encrypt and decrypt the virtual machine's disk data.
Based on the above architecture, the method for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application can be implemented on the server node on which the cloud management platform is deployed.
For step S101, the input/output data encryption/decryption request for the target virtual machine includes a request to encrypt input data of the target virtual machine and/or a request to decrypt virtual machine disk data when the target virtual machine is accessed; that is, every data input to or output from the target virtual machine requires the data encryption key to be requested. For security, data encryption keys may correspond one-to-one with virtual machines; further, they may correspond one-to-one with the individual disks of a virtual machine.
Determining, in step S101, whether the condition for communicating with the key management server is met may specifically comprise:
determining whether both the network connection to the key management server is normal and the key management server is in an available state;
if so, determining that the condition for communicating with the key management server is met;
if not, determining that the condition for communicating with the key management server is not met.
That is, if the key management server is reachable, the data encryption key is preferentially obtained from it. Specifically, a request for the data encryption key may be sent to the key management server; if no data encryption key is received from it within a certain time, the key management server is deemed unreachable.
Preferably, determining in step S101 whether the condition for communicating with the key management server is met specifically comprises:
determining whether the estimated time to communicate with the key management server falls within a preset time range;
if so, determining that the condition for communicating with the key management server is met;
if not, determining that the condition for communicating with the key management server is not met;
wherein the estimated time is calculated from the state of the network connection to the key management server and the performance parameters of the input/output data encryption/decryption request.
The key management server may or may not be in the same local area network as the server node on which the cloud management platform is deployed, and the resources that the server allocates to virtual machine disk encryption/decryption tasks may also differ, so the time the cloud management platform's server node needs to obtain the data encryption key from the key management server varies, while different users or services place different requirements on the virtual machine data encryption/decryption service. The estimated time to communicate with the key management server can therefore be calculated from parameters such as the network relationship between the key management server and the cloud management platform's server node and the resources the server allocates to virtual machine disk encryption/decryption tasks, and the preset time range can be determined from the requirements that the user or service places on the virtual machine data encryption/decryption service.
Either of the above two ways of determining whether the condition for communicating with the key management server is met may be used on its own, or the two may be combined.
For steps S102 and S103, to ensure the security of the data encryption key, it is preferred that the key management server only ever provides the data encryption key as ciphertext. The key management server encrypts the data encryption key with the key encryption key agreed between the key management system and the cloud management platform, producing the ciphertext of the data encryption key, and sends that ciphertext to the node where the cloud management platform resides. On receiving it, the cloud management platform distributes the ciphertext of the data encryption key to the key cache manager, which caches it in local storage.
In step S102, after the cloud management platform's node obtains the ciphertext of the data encryption key, it sends the ciphertext to the disk encryption module, which decrypts it to obtain the data encryption key.
In step S103, the cloud management platform's node retrieves the ciphertext of the data encryption key that the key cache manager previously stored in local storage and sends it to the disk encryption module, which decrypts it to obtain the data encryption key.
After the data encryption key has been obtained, the encryption or decryption task is carried out according to the input/output data encryption/decryption request of the target virtual machine.
Both the data encryption key and the key encryption key may be symmetric or asymmetric keys. Because virtual machine disk encryption and decryption tasks are sensitive to latency while the data encryption key has high security requirements, the data encryption key is preferably a symmetric key and the key encryption key preferably an asymmetric key. To meet the relevant policy requirements of China's commercial cryptography regulator and improve the compliance of the system, the key encryption key is an SM2 asymmetric key and the data encryption key is an SM4 symmetric key.
The method for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application comprises: when an input/output data encryption/decryption request for a target virtual machine is received, determining whether the condition for communicating with the key management server is met; if it is, obtaining the data encryption key from the key management server for the data encryption and decryption operations; if it is not, obtaining the ciphertext of the data encryption key from local storage and decrypting it with the pre-stored key encryption key to obtain the data encryption key for those operations. With this method, the data encryption key can still be obtained promptly when the key management server is temporarily unavailable or the cloud management platform temporarily cannot reach it over the network, and storing the data encryption key only in encrypted form keeps it secure. The availability of virtual machine data encryption and decryption is therefore improved while the security of the data encryption key is ensured.
Embodiment two
On the basis of the above embodiments, the method for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application further includes:
when creating the target virtual machine, generating a key encryption key corresponding to the target virtual machine;
receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the key encryption key;
storing the ciphertext of the data encryption key in the local storage.
As noted in the above embodiments, for security the data encryption key corresponds one-to-one with the virtual machine, or even one-to-one with each disk of the virtual machine. Likewise, to protect the data encryption key, it is preferable that the key encryption key correspond to the target virtual machine and that the key management server also hold the key encryption key: the key management server encrypts the data encryption key with the key encryption key and returns the ciphertext of the data encryption key to the server node where the cloud management platform is located.
Since the key encryption key is generated by the server node where the cloud management platform is located, the key management server may obtain the key encryption key from that server node. The key encryption key may be a symmetric key or an asymmetric key; in this case an asymmetric key is preferred. That is, in the method for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application, after the key encryption key corresponding to the target virtual machine is generated, the method further includes:
sending the public key of the asymmetric key and the unique identifier of the target virtual machine to the key management server;
and receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the key encryption key specifically means:
receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the public key.
Besides using an asymmetric key encryption key for security, the cloud management platform and the key management system may also agree in advance on how the key encryption key is generated, for example by computing it from a time value. In that case, after the server node where the cloud management platform is located generates the key encryption key corresponding to the target virtual machine, it sends the type and creation time of the target virtual machine to the key management server; the key management server determines from the type of the target virtual machine how the corresponding key encryption key is generated, and computes the key encryption key corresponding to the target virtual machine itself from the creation time of the target virtual machine. The key encryption key therefore never has to be transmitted, which protects the security of the key.
Embodiment three
On the basis of the above embodiments, the method for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application may further include:
judging whether the expiration time of the ciphertext of the data encryption key has been reached;
if so, obtaining the ciphertext of the data encryption key from the key management server to update the ciphertext of the data encryption key in the local storage, and changing the expiration time.
Setting an expiration time for the ciphertext of the data encryption key keeps the data encryption key held by the server node where the cloud management platform is located consistent with the data encryption key held by the key management server.
In a specific implementation, the expiration time of the ciphertext of the data encryption key may be an expiration point computed from the agreed validity period of each data encryption key ciphertext and the time at which the server node where the cloud management platform is located received that ciphertext, or it may take the form of a countdown; when the current time reaches the expiration point, or the countdown reaches zero, the expiration time of the ciphertext of the data encryption key is considered reached. The ciphertext of the data encryption key may then be stored in the local storage in the form shown in Table 1:
Field         Meaning
vm_uuid       Unique identifier of the virtual machine
Cipher_dek    Ciphertext of the data encryption key
Expire_time   Expiration time of the ciphertext of the data encryption key
Table 1. Key fields of the local storage record for the ciphertext of the data encryption key
To avoid performing virtual machine disk data encryption or decryption with an inconsistent data encryption key, a data encryption key whose ciphertext in the local storage is found to be past its expiration time is not used. This would, however, leave the virtual machine disk data encryption and decryption task with no usable data encryption key. To address this, the ciphertext of the data encryption key may be re-obtained from the key management server at some point within its validity period, shortly before the expiration time, rather than only once the ciphertext of the data encryption key has reached its expiration time.
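As an added example (not the patent's own code) covering the online/offline key retrieval of embodiment one together with the expiry and early-renewal handling of embodiment three, the following Python models a cloud node beside a constructed in-process key management server. The HMAC-SHA256 encrypt-then-MAC wrap stands in for the SM2/SM4 wrapping the patent names, and the validity period, refresh margin, identifiers and keys are all constructed values.

```python
"""Added example (not the patent's code): a cloud node fetches a VM's data
encryption key (DEK) from the key management server (KMS) while it is reachable
and falls back to a KEK-wrapped copy in local storage when it is not. The
in-process KeyManagementServer and the HMAC-SHA256 encrypt-then-MAC wrap are
constructed stand-ins for the real KMS and for SM2/SM4 wrapping."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict

NONCE_LEN, TAG_LEN = 16, 32

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:  # HMAC in counter mode as a PRF keystream
        out += _prf(enc_key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]

def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt the DEK under the KEK and return nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(_prf(kek, b"enc"), nonce, len(dek))))
    return nonce + ct + _prf(_prf(kek, b"mac"), nonce + ct)

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting so a tampered local record is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(kek, b"mac"), nonce + ct)):
        raise ValueError("cipher_dek failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_prf(kek, b"enc"), nonce, len(ct))))

@dataclass
class DekRecord:  # one row of local storage, fields as in Table 1 of the patent
    vm_uuid: str
    cipher_dek: bytes
    expire_time: float

class KeyManagementServer:
    """Constructed stand-in for the KMS; flip `available` to simulate an outage."""
    def __init__(self) -> None:
        self.available, self._keks, self._deks = True, {}, {}

    def ping(self) -> None:
        if not self.available:
            raise ConnectionError("key management server unreachable")

    def register(self, vm_uuid: str, kek: bytes) -> None:
        self.ping()
        self._keks[vm_uuid], self._deks[vm_uuid] = kek, os.urandom(16)  # one DEK per VM

    def get_dek(self, vm_uuid: str) -> bytes:  # a protected transport is assumed
        self.ping()
        return self._deks[vm_uuid]

    def get_wrapped_dek(self, vm_uuid: str) -> bytes:
        self.ping()
        return wrap_key(self._keks[vm_uuid], self._deks[vm_uuid])

class CloudNode:
    """Server node hosting the cloud management platform."""
    def __init__(self, kms, valid_seconds=300.0, refresh_margin=60.0, clock=time.time):
        self.kms, self.clock = kms, clock
        self.valid_seconds, self.refresh_margin = valid_seconds, refresh_margin
        self._keks: Dict[str, bytes] = {}      # pre-stored KEK, one per VM
        self.table: Dict[str, DekRecord] = {}  # local store of cipher_dek rows

    def create_vm(self, vm_uuid: str) -> None:
        kek = os.urandom(32)  # generated at VM creation and shared with the KMS
        self._keks[vm_uuid] = kek
        self.kms.register(vm_uuid, kek)
        self.refresh(vm_uuid)

    def refresh(self, vm_uuid: str) -> None:
        blob = self.kms.get_wrapped_dek(vm_uuid)
        self.table[vm_uuid] = DekRecord(vm_uuid, blob, self.clock() + self.valid_seconds)

    def kms_reachable(self) -> bool:
        try:
            self.kms.ping()
            return True
        except ConnectionError:
            return False

    def get_dek(self, vm_uuid: str) -> bytes:
        """Called on each I/O encryption or decryption request for the VM."""
        rec, now = self.table[vm_uuid], self.clock()
        if self.kms_reachable():
            if now >= rec.expire_time - self.refresh_margin:
                self.refresh(vm_uuid)  # renew the cached copy before it expires
            return self.kms.get_dek(vm_uuid)
        if now >= rec.expire_time:  # an expired copy may be inconsistent with the KMS
            raise RuntimeError("cached DEK expired and KMS unreachable")
        return unwrap_key(self._keks[vm_uuid], rec.cipher_dek)
```

The `clock` parameter lets the expiry and early-renewal paths be exercised deterministically; with the default `time.time` the node behaves as the text describes.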
The embodiments of the method for encrypting and decrypting virtual machine disk data have been described in detail above. On this basis, the present application further discloses an apparatus, a device and a storage medium for encrypting and decrypting virtual machine disk data that correspond to the above method.
Embodiment four
FIG. 2 is a schematic structural diagram of an apparatus for encrypting and decrypting virtual machine disk data provided by an embodiment of the present application.
As shown in FIG. 2, the apparatus for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application includes:
a first judging unit 201, configured to judge, when an input/output data encryption or decryption request for the target virtual machine is received, whether the condition for communicating with the key management server is met;
a first obtaining unit 202, configured to obtain the data encryption key from the key management server if the condition for communicating with the key management server is met;
a second obtaining unit 203, configured to obtain the ciphertext of the data encryption key from the local storage if the condition for communicating with the key management server is not met, and to decrypt the ciphertext of the data encryption key with the pre-stored key encryption key to obtain the data encryption key;
an execution unit 204, configured to perform the encryption or decryption operation on the data of the target virtual machine with the data encryption key.
Optionally, the first judging unit 201 judging whether the condition for communicating with the key management server is met specifically includes:
judging whether both a normal network connection with the key management server exists and the key management server is in an available state;
if so, determining that the condition for communicating with the key management server is met;
if not, determining that the condition for communicating with the key management server is not met.
Optionally, the first judging unit 201 judging whether the condition for communicating with the key management server is met specifically includes: judging whether the estimated time for communicating with the key management server is within a preset time range;
if so, determining that the condition for communicating with the key management server is met;
if not, determining that the condition for communicating with the key management server is not met;
where the estimated time is computed from the state of the network connection with the key management server and the performance parameters of the input/output data encryption or decryption request.
Optionally, the apparatus for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application further includes:
a generating unit, configured to generate, when the target virtual machine is created, a key encryption key corresponding to the target virtual machine;
a receiving unit, configured to receive the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the key encryption key;
a storage unit, configured to store the ciphertext of the data encryption key in the local storage.
Optionally, the key encryption key is specifically an asymmetric key;
after the key encryption key corresponding to the target virtual machine is generated, the encryption and decryption method further includes:
sending the public key of the asymmetric key and the unique identifier of the target virtual machine to the key management server;
and receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the key encryption key specifically means:
receiving the ciphertext of the data encryption key that the key management server returns after encrypting the data encryption key with the public key.
Optionally, the key encryption key is specifically an SM2 asymmetric key, and the data encryption key is specifically an SM4 symmetric key.
Optionally, the apparatus for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application further includes:
a second judging unit, configured to judge whether the expiration time of the ciphertext of the data encryption key has been reached;
a third obtaining unit, configured to obtain, if the expiration time of the ciphertext of the data encryption key has been reached, the ciphertext of the data encryption key from the key management server to update the ciphertext of the data encryption key in the local storage, and to change the expiration time.
Since the embodiments of the apparatus correspond to the embodiments of the method, refer to the description of the method embodiments for the apparatus embodiments; they are not repeated here.
Embodiment five
FIG. 3 is a schematic structural diagram of a device for encrypting and decrypting virtual machine disk data provided by an embodiment of the present application.
As shown in FIG. 3, the device for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application includes:
a memory 310, configured to store instructions, the instructions including the steps of the method for encrypting and decrypting virtual machine disk data described in any one of the above embodiments;
a processor 320, configured to execute the instructions.
The processor 320 may include one or more processing cores, for example a 3-core processor or an 8-core processor. The processor 320 may be implemented in at least one of the following hardware forms: digital signal processing (DSP), field-programmable gate array (FPGA), or programmable logic array (PLA). The processor 320 may also include a main processor and a coprocessor: the main processor processes data in the awake state and is also called the central processing unit (CPU); the coprocessor is a low-power processor that processes data in the standby state. In some embodiments, the processor 320 may integrate a graphics processing unit (GPU), which is responsible for rendering and drawing the content to be shown on the display screen. In some embodiments, the processor 320 may further include an artificial intelligence (AI) processor for computing operations related to machine learning.
The memory 310 may include one or more storage media, which may be non-transitory. The memory 310 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 310 is at least used to store the computer program 311, which, once loaded and executed by the processor 320, implements the relevant steps of the method for encrypting and decrypting virtual machine disk data disclosed in any of the preceding embodiments. In addition, the resources stored in the memory 310 may include an operating system 312 and data 313, which may be stored temporarily or permanently. The operating system 312 may be Windows. The data 313 may include, but is not limited to, the data involved in the above method.
In some embodiments, the device for encrypting and decrypting virtual machine disk data may further include a display screen 330, a power supply 340, a communication interface 350, an input/output interface 360, a sensor 370 and a communication bus 380.
Those skilled in the art will understand that the structure shown in FIG. 3 does not limit the device for encrypting and decrypting virtual machine disk data, which may include more or fewer components than shown.
The device for encrypting and decrypting virtual machine disk data provided by the embodiment of the present application includes a memory and a processor; when the processor executes the program stored in the memory, it implements the method for encrypting and decrypting virtual machine disk data described above, with the same effect as above.
Embodiment six
It should be noted that the apparatus and device embodiments described above are merely illustrative. For example, the division into modules is only a division by logical function; in actual implementation there may be other divisions, for example multiple modules or components may be combined or integrated into another system, or some features may be omitted or not executed. Moreover, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, apparatuses or modules, and may be electrical, mechanical or of another form. Modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present application may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented as a software functional module and sold or used as an independent product, it may be stored in a storage medium. On this understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which executes all or some of the steps of the methods described in the embodiments of the present application.
To this end, an embodiment of the present application also provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the method for encrypting and decrypting virtual machine disk data are implemented.
The storage medium may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The computer program contained in the storage medium provided in this embodiment, when executed by a processor, implements the steps of the method for encrypting and decrypting virtual machine disk data described above, with the same effect as above.
The method, apparatus, device and storage medium for encrypting and decrypting virtual machine disk data provided by the present application have been described in detail above. The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus, device and storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief; refer to the description of the method for the relevant details. It should be noted that those of ordinary skill in the art may make various improvements and modifications to the present application without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any of their variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises that element.

Claims (10)

  1. A method for encrypting and decrypting disk data of a virtual machine, characterized in that it comprises:
    when an input/output data encryption or decryption request for a target virtual machine is received, judging whether a condition for communicating with a key management server is met;
    if the condition for communicating with the key management server is met, obtaining a data encryption key from the key management server;
    if the condition for communicating with the key management server is not met, obtaining a ciphertext of the data encryption key from a local storage, and decrypting the ciphertext of the data encryption key with a pre-stored key encryption key to obtain the data encryption key;
    performing an encryption or decryption operation on data of the target virtual machine with the data encryption key.
  2. The encryption and decryption method according to claim 1, characterized in that judging whether the condition for communicating with the key management server is met specifically comprises:
    judging whether both a normal network connection with the key management server exists and the key management server is in an available state;
    if so, determining that the condition for communicating with the key management server is met;
    if not, determining that the condition for communicating with the key management server is not met.
  3. The encryption and decryption method according to claim 1, characterized in that judging whether the condition for communicating with the key management server is met specifically comprises:
    judging whether an estimated time for communicating with the key management server is within a preset time range;
    if so, determining that the condition for communicating with the key management server is met;
    if not, determining that the condition for communicating with the key management server is not met;
    wherein the estimated time is computed from a state of the network connection with the key management server and performance parameters of the input/output data encryption or decryption request.
  4. The encryption and decryption method according to claim 1, characterized in that it further comprises:
    when creating the target virtual machine, generating a key encryption key corresponding to the target virtual machine;
    receiving the ciphertext of the data encryption key returned by the key management server after encrypting the data encryption key with the key encryption key;
    storing the ciphertext of the data encryption key in the local storage.
  5. The encryption and decryption method according to claim 4, characterized in that the key encryption key is specifically an asymmetric key;
    after generating the key encryption key corresponding to the target virtual machine, the encryption and decryption method further comprises:
    sending a public key of the asymmetric key and a unique identifier of the target virtual machine to the key management server;
    and receiving the ciphertext of the data encryption key returned by the key management server after encrypting the data encryption key with the key encryption key is specifically:
    receiving the ciphertext of the data encryption key returned by the key management server after encrypting the data encryption key with the public key.
  6. The encryption and decryption method according to claim 5, characterized in that the key encryption key is specifically an SM2 asymmetric key, and the data encryption key is specifically an SM4 symmetric key.
  7. The encryption and decryption method according to claim 1, characterized in that it further comprises:
    judging whether an expiration time of the ciphertext of the data encryption key has been reached;
    if so, obtaining the ciphertext of the data encryption key from the key management server to update the ciphertext of the data encryption key in the local storage, and changing the expiration time.
  8. An apparatus for encrypting and decrypting disk data of a virtual machine, characterized in that it comprises:
    a first judging unit, configured to judge, when an input/output data encryption or decryption request for a target virtual machine is received, whether a condition for communicating with a key management server is met;
    a first obtaining unit, configured to obtain a data encryption key from the key management server if the condition for communicating with the key management server is met;
    a second obtaining unit, configured to obtain a ciphertext of the data encryption key from a local storage if the condition for communicating with the key management server is not met, and to decrypt the ciphertext of the data encryption key with a pre-stored key encryption key to obtain the data encryption key;
    an execution unit, configured to perform an encryption or decryption operation on data of the target virtual machine with the data encryption key.
  9. A device for encrypting and decrypting disk data of a virtual machine, characterized in that it comprises:
    a memory, configured to store instructions, the instructions comprising the steps of the method for encrypting and decrypting disk data of a virtual machine according to any one of claims 1 to 7;
    a processor, configured to execute the instructions.
  10. A storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the steps of the method for encrypting and decrypting disk data of a virtual machine according to any one of claims 1 to 7 are implemented.
PCT/CN2021/121911 2021-07-21 2021-09-29 Method, apparatus and device for encrypting and decrypting disk data of virtual machine, and storage medium WO2023000502A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110822203.9 2021-07-21
CN202110822203.9A CN113285804A (en) 2021-07-21 2021-07-21 Encryption and decryption method, device, equipment and storage medium for disk data of virtual machine

Publications (1)

Publication Number Publication Date
WO2023000502A1 true WO2023000502A1 (en) 2023-01-26

Family

ID=77286786

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/121911 WO2023000502A1 (en) 2021-07-21 2021-09-29 Method, apparatus and device for encrypting and decrypting disk data of virtual machine, and storage medium

Country Status (2)

Country Link
CN (1) CN113285804A (en)
WO (1) WO2023000502A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113992359A (en) * 2021-09-30 2022-01-28 上海数禾信息科技有限公司 Encryption control method and device for user information, computer equipment and storage medium
CN113609514B (en) * 2021-10-09 2022-02-18 苏州浪潮智能科技有限公司 Cloud hard disk encryption and decryption method, device and system and readable storage medium
CN114584307B (en) * 2022-05-07 2022-09-02 腾讯科技(深圳)有限公司 Trusted key management method and device, electronic equipment and storage medium
CN114944917B (en) * 2022-07-21 2022-10-14 国开启科量子技术(北京)有限公司 Method, apparatus, medium, and device for migrating virtual machines using quantum keys
CN116015767A (en) * 2022-12-07 2023-04-25 浪潮云信息技术股份公司 Data processing method, device, equipment and medium
CN116383858B (en) * 2023-06-05 2023-10-20 中电科网络安全科技股份有限公司 Disk data processing method, device, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140089658A1 (en) * 2012-09-27 2014-03-27 Yeluri Raghuram Method and system to securely migrate and provision virtual machine images and content
CN108133144A (en) * 2017-12-22 2018-06-08 浪潮(北京)电子信息产业有限公司 Virtual disk file protection method, apparatus, device and readable storage medium
CN109842506A (en) * 2017-11-27 2019-06-04 财付通支付科技有限公司 Key management system disaster tolerance processing method, device, system and storage medium
CN111464301A (en) * 2020-04-28 2020-07-28 郑州信大捷安信息技术股份有限公司 Key management method and system

Also Published As

Publication number Publication date
CN113285804A (en) 2021-08-20

Similar Documents

Publication Publication Date Title
WO2023000502A1 (en) Method, apparatus and device for encrypting and decrypting disk data of virtual machine, and storage medium
US10965449B2 (en) Autonomous secrets management for a key distribution service
AU2010338446B2 (en) Secure kerberized access of encrypted file system
US11469903B2 (en) Autonomous signing management operations for a key distribution service
US11949775B2 (en) Network bound encryption for recovery of trusted execution environments
JP2016524742A (en) Secure access to resources using proxies
TWI714270B (en) Method and device for establishing trusted channel between user and trusted computing cluster
CN112953930A (en) Cloud storage data processing method and device and computer system
US11599378B2 (en) Data encryption key management system
US20190222414A1 (en) System and method for controlling usage of cryptographic keys
US20220006787A1 (en) Network bound encryption for orchestrating workloads with sensitive data
CN113609514B (en) Cloud hard disk encryption and decryption method, device and system and readable storage medium
WO2023046207A1 (en) Data transmission method and apparatus, and non-volatile computer-readable storage medium
US10673827B1 (en) Secure access to user data
Jamal et al. Reliable access control for mobile cloud computing (MCC) with cache-aware scheduling
WO2022257411A1 (en) Data processing method and apparatus
WO2023169271A1 (en) Data storage method and data processing device
US11032708B2 (en) Securing public WLAN hotspot network access
CN110463157B (en) System and method for assigning SPI values
JP2022141962A (en) Data query and write method, device, electronic apparatus, readable storage medium, and computer program
CN115688165A (en) Node file processing method, device, equipment and storage medium
CN114154185A (en) Data encryption storage method based on national cryptographic algorithm
CN113468584A (en) Information management method and device, electronic equipment and storage medium
CN113132097A (en) Lightweight certificateless cross-domain authentication method, system and application suitable for Internet of things
US11647013B1 (en) Encryption of data via public key cryptography with certificate verification of target

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 21950740

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE