[go: up one dir, main page]

CN103530572A - Method for protecting virtual machine files and user terminal - Google Patents

Method for protecting virtual machine files and user terminal Download PDF

Info

Publication number
CN103530572A
CN103530572A CN201310500662.0A CN201310500662A CN103530572A CN 103530572 A CN103530572 A CN 103530572A CN 201310500662 A CN201310500662 A CN 201310500662A CN 103530572 A CN103530572 A CN 103530572A
Authority
CN
China
Prior art keywords
file
virtual machine
key
user
operating system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310500662.0A
Other languages
Chinese (zh)
Inventor
田新雪
马书惠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN201310500662.0A priority Critical patent/CN103530572A/en
Publication of CN103530572A publication Critical patent/CN103530572A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

本发明提供一种虚拟机文件保护方法和用户终端,其中,该方法包括:用户终端在运行虚拟机的操作系统内核文件的过程中获取密钥,其中,所述密钥是对所述虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理所用的密钥;根据所述密钥验证用户发送的解密密钥是否合法,若是,则对所述操作系统主文件和所述用户文件进行解密处理。通过本发明提供的虚拟机文件保护方法和用户终端,实现了通过对虚拟机中的操作系统文件和用户文件进行了绑定保护,避免恶意用户从其他可控的操作系统破译攻击虚拟机中的用户文件,提高了用户文件的安全性。

Figure 201310500662

The present invention provides a virtual machine file protection method and a user terminal, wherein the method includes: the user terminal obtains a key during the process of running the operating system kernel file of the virtual machine, wherein the key is for the virtual machine The operating system main file and the user file stored in the virtual machine are encrypted using the key; verify whether the decryption key sent by the user is legal according to the key, and if so, the operating system main file and The user files are decrypted. Through the virtual machine file protection method and the user terminal provided by the present invention, the operating system files and user files in the virtual machine are bound and protected, preventing malicious users from deciphering and attacking the virtual machine from other controllable operating systems. User files, improving the security of user files.

Figure 201310500662

Description

虚拟机文件保护方法和用户终端Virtual machine file protection method and user terminal

技术领域technical field

本发明实施例涉及计算机技术领域,尤其涉及一种虚拟机文件保护方法和用户终端。The embodiment of the present invention relates to the field of computer technology, and in particular to a virtual machine file protection method and a user terminal.

背景技术Background technique

随着云计算时代的到来,越来越多的企业把员工的计算机通过虚拟机的方式移到云中,员工通过一个很便宜的客户机来访问远程虚拟机的桌面,这样可以大大的降低对于员工计算机的维护成本。With the advent of the era of cloud computing, more and more enterprises move their employees' computers to the cloud through virtual machines, and employees access the desktops of remote virtual machines through a very cheap client computer, which can greatly reduce the cost of Maintenance costs for employee computers.

虚拟机的虚拟硬盘以文件的形式存在云中,特别是对于保存敏感数据的员工的虚拟机,存在很大的信息安全威胁,恶意用户很容易就可以从客户机访问虚拟机,获取存储在虚拟硬盘中的文件或者任意修改里面的文件。而现有的解决方法是用户仅对虚拟机中的用户文件进行加密,无法避免恶意用户从其他操作系统进入该虚拟机破译攻击该虚拟机中的用户文件。The virtual hard disk of the virtual machine exists in the cloud in the form of files, especially for the virtual machines of employees who store sensitive data, which poses a great threat to information security. Malicious users can easily access the virtual machine from the client and obtain information stored in the virtual machine. The files in the hard disk or arbitrarily modify the files in it. And the existing solution is that the user only encrypts the user files in the virtual machine, which cannot prevent malicious users from entering the virtual machine from other operating systems to decipher and attack the user files in the virtual machine.

发明内容Contents of the invention

针对现有技术的上述缺陷,本发明实施例提供一种虚拟机文件保护方法和用户终端。In view of the above-mentioned defects in the prior art, embodiments of the present invention provide a virtual machine file protection method and a user terminal.

本发明一方面提供一种虚拟机文件保护方法,包括:One aspect of the present invention provides a virtual machine file protection method, including:

用户终端在运行虚拟机的操作系统内核文件的过程中获取密钥,其中,所述密钥是对所述虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理所用的密钥;The user terminal obtains the key during the process of running the operating system kernel file of the virtual machine, wherein the key is used for encrypting the main operating system file of the virtual machine and user files stored in the virtual machine the key;

所述用户终端根据所述密钥验证用户发送的解密密钥是否合法,若是,则对所述操作系统主文件和所述用户文件进行解密处理。The user terminal verifies whether the decryption key sent by the user is legal according to the key, and if so, decrypts the operating system main file and the user file.

本发明另一方面提供一种用户终端,包括:Another aspect of the present invention provides a user terminal, including:

获取模块,用于在运行虚拟机的操作系统内核文件的过程中获取密钥,其中,所述密钥是对所述虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理所用的密钥;An acquisition module, configured to acquire a key during the process of running the operating system kernel file of the virtual machine, wherein the key is to perform a key operation on the main operating system file of the virtual machine and user files stored in the virtual machine keys used for encryption processing;

处理模块,用于根据所述密钥验证用户发送的解密密钥是否合法,若是,则对所述操作系统主文件和所述用户文件进行解密处理。A processing module, configured to verify whether the decryption key sent by the user is legal according to the key, and if so, decrypt the operating system main file and the user file.

本发明实施例提供的虚拟机文件保护方法和用户终端,通过用户终端在运行虚拟机的操作系统内核文件的过程中获取对虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥,若根据该密钥验证用户发送的解密密钥合法,则对操作系统主文件和用户文件进行解密处理,实现了通过对虚拟机中的操作系统文件和用户文件进行了绑定保护,避免恶意用户从其他可控的操作系统破译攻击虚拟机中的用户文件,提高了用户文件的安全性。The virtual machine file protection method and the user terminal provided by the embodiment of the present invention obtain and encrypt the main file of the operating system of the virtual machine and the user files stored in the virtual machine through the user terminal in the process of running the operating system kernel file of the virtual machine The key used for processing, if the decryption key sent by the user is verified according to the key, the main file of the operating system and the user file will be decrypted. Provides certain protection to prevent malicious users from deciphering and attacking user files in the virtual machine from other controllable operating systems, improving the security of user files.

附图说明Description of drawings

图1为本发明实施例提供的一个虚拟机文件保护方法的流程图;Fig. 1 is a flowchart of a virtual machine file protection method provided by an embodiment of the present invention;

图2为本发明实施例提供的另一个虚拟机文件保护方法的流程图;FIG. 2 is a flow chart of another virtual machine file protection method provided by an embodiment of the present invention;

图3为本发明实施例提供的一个用户终端的结构示意图。FIG. 3 is a schematic structural diagram of a user terminal provided by an embodiment of the present invention.

具体实施方式Detailed ways

图1为本发明实施例提供的一个虚拟机文件保护方法的流程图,如图1所示,该方法包括:Fig. 1 is a flowchart of a virtual machine file protection method provided by the embodiment of the present invention, as shown in Fig. 1, the method includes:

步骤100,用户终端在运行虚拟机的操作系统内核文件的过程中获取密钥,其中,所述密钥是对所述虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理所用的密钥;Step 100, the user terminal obtains the key during the process of running the operating system kernel file of the virtual machine, wherein the key is the key of the main file of the operating system of the virtual machine and the user file stored in the virtual machine keys used for encryption processing;

存储在云端的虚拟机中存储有操作系统主文件和用户文件,为了避免恶意用户很容易地从其他可控制的操作系统访问虚拟机,获取存储在虚拟机中的文件或者任意修改里面的文件,需要对虚拟机中存储的操作系统主文件和用户文件进行整体加密处理,并将加密处理所用的密钥嵌入在操作系统内核文件中,并将虚拟机操作系统的入口地址修改为操作系统的内核文件。其中,需要说明的是,可以根据实际应用需要通过多种方式将用于对虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥嵌入在操作系统内核文件中,比如通过用户终端或者虚拟机管理平台,以用户终端举例说明如下:当合法用户通过用户终端访问相应的虚拟机完成用户文件处理工作之后,向用户终端发送包括密钥的加密操作,当用户终端接收用户发送的包括密钥的加密操作后,调用预设的磁盘加密程序,应用该密钥对虚拟机的操作系统主文件和用户文件进行加密处理,且将密钥嵌入在虚拟机的操作系统内核文件中,并对处理后的操作系统主文件、用户文件和操作系统内核文件进行云存储。The virtual machine stored in the cloud stores the main file of the operating system and user files. In order to prevent malicious users from easily accessing the virtual machine from other controllable operating systems, obtaining files stored in the virtual machine or arbitrarily modifying the files inside, It is necessary to encrypt the main operating system files and user files stored in the virtual machine as a whole, and embed the encryption key in the operating system kernel file, and modify the entry address of the operating system of the virtual machine to the kernel of the operating system document. Wherein, it should be noted that the key used for encrypting the operating system main file of the virtual machine and the user files stored in the virtual machine can be embedded in the operating system kernel file in various ways according to actual application needs , such as through a user terminal or a virtual machine management platform, the user terminal is used as an example to illustrate the following: when a legitimate user accesses the corresponding virtual machine through the user terminal to complete the user file processing work, an encryption operation including a key is sent to the user terminal, and when the user terminal After receiving the encryption operation including the key sent by the user, call the preset disk encryption program, apply the key to encrypt the main file of the operating system of the virtual machine and the user file, and embed the key in the operating system of the virtual machine In the kernel file, the processed operating system main file, user file and operating system kernel file are stored in the cloud.

用户通过客户机来访问经过上述加密处理的虚拟机的过程如下,用户终端根据虚拟机操作系统的入口地址将虚拟机的操作系统内核文件加载到内存中,然后运行该操作系统内核文件并获取密钥,该密钥是预先对虚拟机中的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥。The process for the user to access the above-mentioned encrypted virtual machine through the client computer is as follows. The user terminal loads the operating system kernel file of the virtual machine into the memory according to the entry address of the virtual machine operating system, and then runs the operating system kernel file to obtain the encrypted password. key, which is used to encrypt the main file of the operating system in the virtual machine and the user files stored in the virtual machine in advance.

步骤101,所述用户终端根据所述密钥验证用户发送的解密密钥是否合法,若是,则对所述操作系统主文件和所述用户文件进行解密处理。Step 101, the user terminal verifies whether the decryption key sent by the user is legal according to the key, and if so, decrypts the operating system main file and the user file.

当用户终端运行完该操作系统内核文件后,会通过界面提示用户输入解密密钥,用户根据提示信息通过用户终端输入解密密钥,从而用户终端接收用户通过用户终端发送的包括解密密钥的解密指令,该解密指令用于对预先经过加密处理的操作系统主文件和用户文件进行解密处理。用户终端将通过运行操作系统内核文件获取的密钥与用户发送的解密指令中的解密密钥进行比较以验证解密密钥是否合法,若比较结果一致,则说明解密密钥合法,用户终端对操作系统主文件和用户文件进行解密处理,从而用户终端加载虚拟机的操作系统主文件到内存,然后运行操作系统主文件从而启动虚拟机的操作系统,操作系统启动后,用户可以正常访问虚拟机根据自身的需求获取用户文件。After the user terminal finishes running the operating system kernel file, the user will be prompted to enter the decryption key through the interface, and the user will input the decryption key through the user terminal according to the prompt information, so that the user terminal receives the decryption key sent by the user through the user terminal, including the decryption key. instruction, the decryption instruction is used to decrypt the pre-encrypted operating system main file and user file. The user terminal compares the key obtained by running the operating system kernel file with the decryption key in the decryption command sent by the user to verify whether the decryption key is legal. If the comparison results are consistent, it means that the decryption key is legal. The main file of the system and the user file are decrypted, so that the user terminal loads the main file of the operating system of the virtual machine into the memory, and then runs the main file of the operating system to start the operating system of the virtual machine. After the operating system is started, the user can normally access the virtual machine according to Obtain user files according to your own needs.

本实施例提供的虚拟机文件保护方法,通过用户终端在运行虚拟机的操作系统内核文件的过程中获取对虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥,若根据该密钥验证用户发送的解密密钥合法,则对操作系统主文件和用户文件进行解密处理,实现了通过对虚拟机中的操作系统文件和用户文件进行了绑定保护,避免恶意用户从其他可控的操作系统破译攻击虚拟机中的用户文件,提高了用户文件的安全性。In the virtual machine file protection method provided in this embodiment, the user terminal obtains the encryption key used for encrypting the main file of the operating system of the virtual machine and the user files stored in the virtual machine during the process of running the operating system kernel file of the virtual machine. key, if it is verified that the decryption key sent by the user is legal according to the key, the main file of the operating system and the user file will be decrypted, realizing the binding protection of the operating system file and user file in the virtual machine, avoiding Malicious users decipher and attack user files in virtual machines from other controllable operating systems, improving the security of user files.

基于上述实施例,本领域技术人员可以理解的是,根据不同的操作系统程序设计将用于对虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥嵌入在操作系统内核文件中的具体表现形式不局限于一种,比如:分层调用、壳程序调用等,下面通过以壳程序调用的方式为例,通过图2所示实施例具体说明,图2为本发明实施例提供的另一个虚拟机文件保护方法的流程图,如图2所示,本实施例中通过虚拟机管理平台将用于对虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥嵌入在操作系统内核文件中,该方法包括:Based on the above embodiments, those skilled in the art can understand that, according to different operating system programming, the key used for encrypting the operating system main file of the virtual machine and the user files stored in the virtual machine is embedded in the The specific form of expression in the operating system kernel file is not limited to one, such as: layered call, shell program call, etc., the following uses the way of shell program call as an example, and uses the embodiment shown in Figure 2 to illustrate in detail, Figure 2 is The flow chart of another virtual machine file protection method provided by the embodiment of the present invention is shown in FIG. The key used for encrypting user files is embedded in the kernel file of the operating system, and the method includes:

步骤200,用户终端向虚拟机管理平台发送包括虚拟机标识信息的加密操作,以供所述虚拟机管理平台根据本地预先存储的用户注册信息获取与所述虚拟机标识信息对应的密钥,应用所述密钥对云存储中与所述虚拟机标识信息对应的虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理,并将所述密钥嵌入在所述虚拟机的操作系统内核文件中;Step 200, the user terminal sends an encryption operation including virtual machine identification information to the virtual machine management platform, so that the virtual machine management platform can obtain a key corresponding to the virtual machine identification information according to the locally pre-stored user registration information, and apply The key encrypts the operating system master file of the virtual machine corresponding to the virtual machine identification information in the cloud storage and the user files stored in the virtual machine, and embeds the key in the virtual machine. In the kernel file of the operating system of the machine;

当合法用户通过用户终端访问相应的虚拟机完成用户文件处理工作之后,向虚拟机管理平台发送包括虚拟机标识信息的加密操作,虚拟机管理平台对获取的加密操作进行解析获取虚拟机标识信息,然后根据本地预先存储的用户注册信息获取与用户终端发送的虚拟机标识信息对应的密钥,应用该密钥通过添加壳程序对云存储中与该虚拟机标识信息对应的虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理,并将该壳程序嵌入在操作系统内核文件中,并将操作系统第一扇区的信息修改为壳程序的入口地址,其中,该壳程序包括获取密钥的子程序、解密子程序和加密子程序,其中,获取密钥的子程序用于获取对操作系统主文件和用户文件进行加密处理所用的密钥;解密子程序用于对操作系统主文件和用户文件进行解密的解密子程序;加密子程序用于应用对操作系统主文件和用户文件进行加密处理所用的密钥对待存储到虚拟机中的用户文件进行加密处理的加密子程序。After the legal user accesses the corresponding virtual machine through the user terminal and completes the user file processing work, it sends an encryption operation including the identification information of the virtual machine to the virtual machine management platform, and the virtual machine management platform parses the obtained encryption operation to obtain the identification information of the virtual machine. Then obtain the key corresponding to the virtual machine identification information sent by the user terminal according to the user registration information stored in advance locally, apply the key to host the operating system of the virtual machine corresponding to the virtual machine identification information in the cloud storage by adding a shell program Files and user files stored in the virtual machine are encrypted, and the shell program is embedded in the kernel file of the operating system, and the information of the first sector of the operating system is modified to the entry address of the shell program, wherein the shell program Including the subroutine for obtaining the key, the subroutine for decrypting and the subroutine for encrypting, wherein the subroutine for obtaining the key is used to obtain the key used for encrypting the main file of the operating system and the user file; the subroutine for decrypting is used for operating Decryption subroutine for decrypting system main files and user files; encryption subroutine for encrypting user files to be stored in the virtual machine using the key used to encrypt operating system main files and user files .

步骤201,所述用户终端在运行所述操作系统内核文件的过程中跳转到预设的所述壳程序的入口点,调用密钥获取子程序获取所述密钥;Step 201, the user terminal jumps to the preset entry point of the shell program during running the operating system kernel file, and calls the key acquisition subroutine to acquire the key;

用户终端将虚拟机中的操作系统内核文件加载到内存中,然后运行该操作系统内核文件,在运行该操作系统内核文件的过程中跳转到预设的壳程序的入口点,并运行壳程序中获取密钥的子程序获取密钥,所获取的密钥是虚拟机管理平台预先对虚拟机中的操作系统主文件和用户文件进行加密处理所用的密钥。The user terminal loads the operating system kernel file in the virtual machine into the memory, then runs the operating system kernel file, jumps to the preset entry point of the shell program during the running of the operating system kernel file, and runs the shell program The subroutine for obtaining the key in the key obtains the key, and the obtained key is the key used by the virtual machine management platform to encrypt the operating system main file and user file in the virtual machine in advance.

步骤202,所述用户终端根据所述密钥验证用户发送的解密密钥是否合法,若是,则运行用于对所述操作系统主文件和所述用户文件进行解密的解密子程序;Step 202, the user terminal verifies whether the decryption key sent by the user is legal according to the key, and if so, runs a decryption subroutine for decrypting the operating system main file and the user file;

当用户终端运行完该操作系统内核文件后,会通过界面提示用户输入解密密钥,用户根据提示信息通过用户终端输入解密密钥,从而用户终端接收用户终端发送的包括解密密钥的解密指令,用户终端将通过运行密钥获取子程序获取的密钥与解密指令中的解密密钥进行比较以验证解密密钥是否合法,若比较结果一致,则说明解密密钥合法,用户终端运行用于对操作系统主文件和用户文件进行解密的解密子程序,从而用户终端加载操作系统主文件到内存,然后运行操作系统主文件从而启动操作系统,操作系统启动后,用户可以正常访问虚拟机根据自身的需求获取用户文件。After the user terminal finishes running the operating system kernel file, the user will be prompted to input the decryption key through the interface, and the user will input the decryption key through the user terminal according to the prompt information, so that the user terminal receives the decryption instruction including the decryption key sent by the user terminal, The user terminal compares the key obtained by running the key acquisition subroutine with the decryption key in the decryption command to verify whether the decryption key is legal. If the comparison results are consistent, it means that the decryption key is legal. The decryption subroutine for decrypting the main file of the operating system and the user file, so that the user terminal loads the main file of the operating system into the memory, and then runs the main file of the operating system to start the operating system. After the operating system is started, the user can normally access the virtual machine according to its own Requires access to user files.

步骤203,用户终端在所述操作系统启动之后,根据用户通过用户终端发送的存储指令,调用所述加密子程序应用所述密钥对待存储到所述虚拟机中的用户文件进行加密处理。Step 203, after the operating system is started, the user terminal invokes the encryption subroutine and applies the key to encrypt the user file to be stored in the virtual machine according to the storage instruction sent by the user through the user terminal.

用户终端加载完操作系统主文件并启动操作系统后,用户可以通过用户终端进行文件处理,当用户终端接收到用户发送的存储指令,则运行壳程序中的加密子程序,从而应用之前对操作系统主文件和用户文件进行加密处理所用的密钥对待存储到虚拟机中的用户文件进行加密处理后再存储到虚拟机中。After the user terminal loads the main file of the operating system and starts the operating system, the user can process the file through the user terminal. When the user terminal receives the storage command sent by the user, it runs the encryption subroutine in the shell program, so as to apply the previous encryption of the operating system. The user file to be stored in the virtual machine is encrypted with a key used for encryption of the main file and the user file before being stored in the virtual machine.

本实施例提供的虚拟机文件保护方法,通过预先对虚拟机中的操作系统主文件和用户文件添加壳程序进行加密处理,并且把壳程序嵌入在操作系统内核文件中,用户终端通过运行操作系统内核文件中的壳程序获取密钥,若根据密钥验证用户通过用户终端发送的解密密钥合法,则通过运行壳程序中的解密子程序进行解密,并且可以通过运行壳程序中的加密子程序对待存储到虚拟机中的文件进行加密处理。实现了通过对虚拟机中的操作系统文件和用户文件进行了绑定保护,避免恶意用户从其他可控的操作系统破译攻击虚拟机中的用户文件,提高了用户文件的安全性。In the virtual machine file protection method provided in this embodiment, by adding a shell program to the operating system main file and user files in the virtual machine in advance for encryption, and embedding the shell program in the operating system kernel file, the user terminal runs the operating system The shell program in the kernel file obtains the key. If the decryption key sent by the user through the user terminal is verified according to the key, it can be decrypted by running the decryption subroutine in the shell program, and can be decrypted by running the encryption subroutine in the shell program. Encrypt the files to be stored in the virtual machine. The binding protection of operating system files and user files in the virtual machine is realized, preventing malicious users from deciphering and attacking user files in the virtual machine from other controllable operating systems, and improving the security of user files.

本领域普通技术人员可以理解:实现上述方法实施例的全部或部分步骤可以通过程序指令相关的硬件来完成,前述的程序可以存储于一用户终端可读取存储介质中,该程序在执行时,执行包括上述方法实施例的步骤;而前述的存储介质包括:ROM、RAM、磁碟或者光盘等各种可以存储程序代码的介质。Those of ordinary skill in the art can understand that all or part of the steps to realize the above method embodiments can be completed by program instructions related hardware, the aforementioned program can be stored in a user terminal readable storage medium, and when the program is executed, Execution includes the steps of the above method embodiments; and the aforementioned storage medium includes: ROM, RAM, magnetic disk or optical disk and other various media that can store program codes.

图3为本发明实施例提供的一个用户终端的结构示意图,如图3所示,该用户终端包括:获取模块11和处理模块12,其中,获取模块11用于在运行虚拟机的操作系统内核文件的过程中获取密钥,其中,所述密钥是对所述虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理所用的密钥;处理模块12用于根据所述密钥验证用户发送的解密密钥是否合法,若是,则对所述操作系统主文件和所述用户文件进行解密处理。FIG. 3 is a schematic structural diagram of a user terminal provided by an embodiment of the present invention. As shown in FIG. 3 , the user terminal includes: an acquisition module 11 and a processing module 12, wherein the acquisition module 11 is used to run the operating system kernel of the virtual machine In the process of obtaining the key, the key is the key used to encrypt the operating system master file of the virtual machine and the user file stored in the virtual machine; the processing module 12 is used to The key verifies whether the decryption key sent by the user is legal, and if so, decrypts the operating system main file and the user file.

本实施例提供的用户终端中各模块的功能和处理流程,可以参见上述图1所示的方法实施例,其实现原理和技术效果类似,此处不再赘述。For the functions and processing flow of each module in the user terminal provided in this embodiment, refer to the method embodiment shown in FIG. 1 above. The implementation principles and technical effects are similar, and will not be repeated here.

需要说明的是,可以根据实际应用需要通过多种方式将用于对虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥嵌入在操作系统内核文件中,举例说明如下:It should be noted that the key used for encrypting the main file of the operating system of the virtual machine and the user files stored in the virtual machine can be embedded in the kernel file of the operating system in various ways according to actual application needs. described as follows:

情况一:当执行主体为虚拟机管理平台时,合法用户通过用户终端访问相应的虚拟机完成用户文件处理工作之后,处理模块12还用于:向虚拟机管理平台发送包括虚拟机标识信息的加密操作,以供所述虚拟机管理平台根据本地预先存储的用户注册信息获取与所述虚拟机标识信息对应的密钥,应用所述密钥对云存储中与所述虚拟机标识信息对应的虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理,并将所述密钥嵌入在所述虚拟机的操作系统内核文件中。Situation 1: When the execution subject is a virtual machine management platform, after the legal user accesses the corresponding virtual machine through the user terminal and completes the user file processing work, the processing module 12 is also used to: send the encrypted file including the identification information of the virtual machine to the virtual machine management platform. Operation, so that the virtual machine management platform obtains the key corresponding to the virtual machine identification information according to the local pre-stored user registration information, and applies the key to the virtual machine corresponding to the virtual machine identification information in the cloud storage. The main file of the operating system of the computer and the user file stored in the virtual machine are encrypted, and the key is embedded in the kernel file of the operating system of the virtual machine.

情况二:当执行主体为用户终端时,合法用户通过用户终端访问相应的虚拟机完成用户文件处理工作之后,处理模块12还用于:接收用户发送的包括密钥的加密操作;调用预设的磁盘加密程序,应用所述密钥对所述操作系统主文件和所述用户文件进行加密处理,且将所述密钥嵌入在所述虚拟机的操作系统内核文件中,并对处理后的所述操作系统主文件、所述用户文件和所述操作系统内核文件进行云存储。Situation 2: When the execution subject is the user terminal, after the legitimate user accesses the corresponding virtual machine through the user terminal to complete the user file processing work, the processing module 12 is also used to: receive the encryption operation including the key sent by the user; call the preset A disk encryption program that applies the key to encrypt the operating system main file and the user file, and embeds the key in the operating system kernel file of the virtual machine, and encrypts all processed files The operating system main file, the user file and the operating system kernel file are stored in the cloud.

基于上述实施例,本领域技术人员可以理解的是,根据不同的操作系统程序设计将用于对虚拟机的操作系统主文件和存储在虚拟机中的用户文件进行加密处理所用的密钥嵌入在操作系统内核文件中的具体表现形式不局限于一种,比如:分层调用、壳程序调用等,下面通过以壳程序调用的方式为例具体说明:即操作系统内核文件中包括壳程序,所述壳程序中包括:密钥获取子程序和解密子程序,则获取模块11具体用于:Based on the above embodiments, those skilled in the art can understand that, according to different operating system programming, the key used for encrypting the operating system main file of the virtual machine and the user files stored in the virtual machine is embedded in the The specific form of expression in the operating system kernel file is not limited to one, such as: layered call, shell program call, etc., the following uses the way of shell program call as an example to illustrate: that is, the operating system kernel file includes shell programs, so Include in the shell program: key acquisition subroutine and decryption subroutine, then acquisition module 11 is specifically used for:

在运行所述操作系统内核文件的过程中跳转到预设的所述壳程序的入口点;Jumping to the preset entry point of the shell program during the process of running the operating system kernel file;

调用所述密钥获取子程序获取所述密钥;calling the key acquisition subroutine to acquire the key;

处理模块12具体用于:The processing module 12 is specifically used for:

若根据所述密钥验证所述解密密钥合法,则调用所述解密子程序对所述操作系统主文件和所述用户文件进行解密处理。If it is verified according to the key that the decryption key is legal, the decryption subroutine is invoked to decrypt the operating system main file and the user file.

进一步地,所述壳程序中还包括:加密子程序;Further, the shell program also includes: an encryption subroutine;

在所述对所述操作系统主文件和所述用户文件进行解密处理之后,处理模块12还用于:根据所述用户发送的存储指令调用所述加密子程序,应用所述密钥对待存储的用户文件进行加密处理后存储到所述虚拟机中。After the decryption processing of the operating system main file and the user file, the processing module 12 is further configured to: call the encryption subroutine according to the storage instruction sent by the user, apply the key to the file to be stored The user files are encrypted and stored in the virtual machine.

本实施例提供的用户终端中各模块的功能和处理流程,可以参见上述图2所示的方法实施例,其实现原理和技术效果类似,此处不再赘述。For the functions and processing flow of each module in the user terminal provided in this embodiment, refer to the method embodiment shown in FIG. 2 above. The implementation principles and technical effects are similar, and will not be repeated here.

最后应说明的是:以上实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的精神和范围。Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still be Modifications are made to the technical solutions described in the foregoing embodiments, or equivalent replacements are made to some of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the present invention.

Claims (10)

1.一种虚拟机文件保护方法,其特征在于,包括:1. A virtual machine file protection method, characterized in that, comprising: 用户终端在运行虚拟机的操作系统内核文件的过程中获取密钥,其中,所述密钥是对所述虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理所用的密钥;The user terminal obtains the key during the process of running the operating system kernel file of the virtual machine, wherein the key is used for encrypting the main operating system file of the virtual machine and user files stored in the virtual machine the key; 所述用户终端根据所述密钥验证用户发送的解密密钥是否合法,若是,则对所述操作系统主文件和所述用户文件进行解密处理。The user terminal verifies whether the decryption key sent by the user is legal according to the key, and if so, decrypts the operating system main file and the user file. 2.根据权利要求1所述的虚拟机文件保护方法,其特征在于,在所述获取密钥之前,所述方法还包括:2. The virtual machine file protection method according to claim 1, wherein, before the obtaining the key, the method further comprises: 所述用户终端向虚拟机管理平台发送包括虚拟机标识信息的加密操作,以供所述虚拟机管理平台根据本地预先存储的用户注册信息获取与所述虚拟机标识信息对应的密钥,应用所述密钥对云存储中与所述虚拟机标识信息对应的虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理,并将所述密钥嵌入在所述虚拟机的操作系统内核文件中。The user terminal sends an encryption operation including virtual machine identification information to the virtual machine management platform, so that the virtual machine management platform obtains a key corresponding to the virtual machine identification information according to the locally pre-stored user registration information, and applies the The key encrypts the operating system master file of the virtual machine corresponding to the virtual machine identification information in the cloud storage and the user file stored in the virtual machine, and embeds the key in the virtual machine in the kernel file of the operating system. 3.根据权利要求1所述的虚拟机文件保护方法,其特征在于,在所述获取密钥之前,所述方法还包括:3. The virtual machine file protection method according to claim 1, wherein, before the obtaining the key, the method further comprises: 所述用户终端接收用户发送的包括密钥的加密操作;The user terminal receives the encryption operation including the key sent by the user; 所述用户终端调用预设的磁盘加密程序,应用所述密钥对所述操作系统主文件和所述用户文件进行加密处理,且将所述密钥嵌入在所述虚拟机的操作系统内核文件中,并对处理后的所述操作系统主文件、所述用户文件和所述操作系统内核文件进行云存储。The user terminal invokes a preset disk encryption program, applies the key to encrypt the operating system main file and the user file, and embeds the key in the operating system kernel file of the virtual machine , and perform cloud storage on the processed operating system main file, the user file and the operating system kernel file. 4.根据权利要求1-3任一所述的虚拟机文件保护方法,其特征在于,所述操作系统内核文件中包括壳程序,所述壳程序中包括:密钥获取子程序和解密子程序;4. The virtual machine file protection method according to any one of claims 1-3, wherein the operating system kernel file includes a shell program, and the shell program includes: a key acquisition subroutine and a decryption subroutine ; 所述用户终端在运行虚拟机的操作系统内核文件的过程中获取密钥具体包括:The user terminal obtaining the key during the process of running the operating system kernel file of the virtual machine specifically includes: 所述用户终端在运行所述操作系统内核文件的过程中跳转到预设的所述壳程序的入口点;The user terminal jumps to the preset entry point of the shell program during the process of running the operating system kernel file; 所述用户终端调用所述密钥获取子程序获取所述密钥;The user terminal calls the key acquisition subroutine to acquire the key; 所述进行解密处理包括:The decryption process includes: 所述用户终端若根据所述密钥验证所述解密密钥合法,则调用所述解密子程序对所述操作系统主文件和所述用户文件进行解密处理。If the user terminal verifies that the decryption key is legal according to the key, it calls the decryption subroutine to decrypt the operating system main file and the user file. 5.根据权利要求4所述的虚拟机文件保护方法,其特征在于,所述壳程序中还包括:加密子程序;5. The virtual machine file protection method according to claim 4, wherein the shell program further comprises: an encryption subroutine; 在所述对所述操作系统主文件和所述用户文件进行解密处理之后,所述方法还包括:After the decryption processing of the operating system main file and the user file, the method further includes: 所述用户终端根据所述用户发送的存储指令调用所述加密子程序,应用所述密钥对待存储的用户文件进行加密处理后存储到所述虚拟机中。The user terminal invokes the encryption subroutine according to the storage instruction sent by the user, applies the key to encrypt the user file to be stored, and stores it in the virtual machine. 6.一种用户终端,其特征在于,包括:6. A user terminal, characterized in that, comprising: 获取模块,用于在运行虚拟机的操作系统内核文件的过程中获取密钥,其中,所述密钥是对所述虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理所用的密钥;An acquisition module, configured to acquire a key during the process of running the operating system kernel file of the virtual machine, wherein the key is to perform a key operation on the main operating system file of the virtual machine and user files stored in the virtual machine keys used for encryption processing; 处理模块,用于根据所述密钥验证用户发送的解密密钥是否合法,若是,则对所述操作系统主文件和所述用户文件进行解密处理。A processing module, configured to verify whether the decryption key sent by the user is legal according to the key, and if so, decrypt the operating system main file and the user file. 7.根据权利要求6所述的用户终端,其特征在于,在所述获取密钥之前,所述处理模块还用于:7. The user terminal according to claim 6, wherein, before said obtaining the key, said processing module is further configured to: 向虚拟机管理平台发送包括虚拟机标识信息的加密操作,以供所述虚拟机管理平台根据本地预先存储的用户注册信息获取与所述虚拟机标识信息对应的密钥,应用所述密钥对云存储中与所述虚拟机标识信息对应的虚拟机的操作系统主文件和存储在所述虚拟机中的用户文件进行加密处理,并将所述密钥嵌入在所述虚拟机的操作系统内核文件中。sending an encryption operation including the virtual machine identification information to the virtual machine management platform, so that the virtual machine management platform obtains a key corresponding to the virtual machine identification information according to the local pre-stored user registration information, and applies the key pair The operating system master file of the virtual machine corresponding to the virtual machine identification information in the cloud storage and the user file stored in the virtual machine are encrypted, and the key is embedded in the operating system kernel of the virtual machine in the file. 8.根据权利要求6所述的用户终端,其特征在于,在所述获取密钥之前,所述处理模块还用于:8. The user terminal according to claim 6, wherein, before said acquiring the key, said processing module is further configured to: 接收用户发送的包括密钥的加密操作;Receive the encryption operation including the key sent by the user; 调用预设的磁盘加密程序,应用所述密钥对所述操作系统主文件和所述用户文件进行加密处理,且将所述密钥嵌入在所述虚拟机的操作系统内核文件中,并对处理后的所述操作系统主文件、所述用户文件和所述操作系统内核文件进行云存储。Invoke a preset disk encryption program, apply the key to encrypt the operating system main file and the user file, and embed the key in the operating system kernel file of the virtual machine, and The processed operating system main file, the user file and the operating system kernel file are stored in the cloud. 9.根据权利要求6-8任一所述的用户终端,其特征在于,所述操作系统内核文件中包括壳程序,所述壳程序中包括:密钥获取子程序和解密子程序,所述获取模块具体用于:9. The user terminal according to any one of claims 6-8, wherein the operating system kernel file includes a shell program, and the shell program includes: a key acquisition subroutine and a decryption subroutine, the Get modules specifically for: 在运行所述操作系统内核文件的过程中跳转到预设的所述壳程序的入口点;Jumping to the preset entry point of the shell program during the process of running the operating system kernel file; 调用所述密钥获取子程序获取所述密钥;calling the key acquisition subroutine to acquire the key; 所述处理模块具体用于:The processing module is specifically used for: 若根据所述密钥验证所述解密密钥合法,则调用所述解密子程序对所述操作系统主文件和所述用户文件进行解密处理。If it is verified according to the key that the decryption key is legal, the decryption subroutine is invoked to decrypt the operating system main file and the user file. 10.根据权利要求9所述的用户终端,其特征在于,所述壳程序中还包括:加密子程序;10. The user terminal according to claim 9, wherein the shell program further comprises: an encryption subroutine; 在所述对所述操作系统主文件和所述用户文件进行解密处理之后,所述处理模块还用于:After decrypting the operating system main file and the user file, the processing module is further configured to: 根据所述用户发送的存储指令调用所述加密子程序,应用所述密钥对待存储的用户文件进行加密处理后存储到所述虚拟机中。The encryption subroutine is invoked according to the storage instruction sent by the user, and the user file to be stored is encrypted by applying the key and stored in the virtual machine.
CN201310500662.0A 2013-10-22 2013-10-22 Method for protecting virtual machine files and user terminal Pending CN103530572A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310500662.0A CN103530572A (en) 2013-10-22 2013-10-22 Method for protecting virtual machine files and user terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310500662.0A CN103530572A (en) 2013-10-22 2013-10-22 Method for protecting virtual machine files and user terminal

Publications (1)

Publication Number Publication Date
CN103530572A true CN103530572A (en) 2014-01-22

Family

ID=49932574

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310500662.0A Pending CN103530572A (en) 2013-10-22 2013-10-22 Method for protecting virtual machine files and user terminal

Country Status (1)

Country Link
CN (1) CN103530572A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474418A (en) * 2019-01-22 2019-03-15 网易(杭州)网络有限公司 File enciphering method, document decryption method, device, medium and calculating equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070124600A1 (en) * 2005-11-29 2007-05-31 Lite-On Semiconductor Corporation Work system with an automatic OS login function and method for using the same
US20080065952A1 (en) * 1998-01-23 2008-03-13 Mustafa Eroz Forward error correction scheme for data channels using universal turbo codes
CN101989196A (en) * 2009-08-04 2011-03-23 张济政 Mobile storage equipment-based parasitic operation system
CN102722670A (en) * 2012-05-29 2012-10-10 中国联合网络通信集团有限公司 Mobile storage equipment-based file protection method, equipment and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080065952A1 (en) * 1998-01-23 2008-03-13 Mustafa Eroz Forward error correction scheme for data channels using universal turbo codes
US20070124600A1 (en) * 2005-11-29 2007-05-31 Lite-On Semiconductor Corporation Work system with an automatic OS login function and method for using the same
CN101989196A (en) * 2009-08-04 2011-03-23 张济政 Mobile storage equipment-based parasitic operation system
CN102722670A (en) * 2012-05-29 2012-10-10 中国联合网络通信集团有限公司 Mobile storage equipment-based file protection method, equipment and system

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474418A (en) * 2019-01-22 2019-03-15 网易(杭州)网络有限公司 File enciphering method, document decryption method, device, medium and calculating equipment

Similar Documents

Publication Publication Date Title
CN112513857B (en) Personalized cryptographic secure access control in trusted execution environments
EP2913956B1 (en) Management control method and device for virtual machines
EP3804213B1 (en) Shared secret establishment
US8954758B2 (en) Password-less security and protection of online digital assets
US10454902B2 (en) Techniques for secure data extraction in a virtual or cloud environment
JP6227772B2 (en) Method and apparatus for protecting a dynamic library
CN104318135B (en) A kind of Java code Safety actuality loading method based on credible performing environment
CN102722670B (en) Mobile storage equipment-based file protection method, equipment and system
EP3198498B1 (en) A challenge-response method and associated computing device
CN106063185A (en) Methods and apparatus to securely share data
CN105827574B (en) A kind of file access system, method and device
CN104200176A (en) System and method for carrying out transparent encryption and decryption on file in intelligent mobile terminal
CN110096849A (en) A kind of License authorization and authentication method, device, equipment and readable storage medium storing program for executing
CN104794388A (en) Application program access protection method and application program access protection device
CN103971034A (en) Method and device for protecting Java software
CN103530169B (en) Method for protecting virtual machine files and user terminal
CN108599959B (en) Authorization certificate verification method, device, readable storage medium, and application device
CN109246062B (en) Authentication method and system based on browser plug-in
CN111177773B (en) Full disk encryption and decryption method and system based on network card ROM
KR101107056B1 (en) How to process security information for virtual machines in a cloud computing environment
WO2015154469A1 (en) Database operation method and device
CN111542050B (en) A TEE-based method for ensuring the security of remote initialization of virtual SIM cards
CN104866736A (en) Anti-spreading digital copyright management system and method
CN114520735A (en) User identity authentication method, system and medium based on trusted execution environment
CN107483187A (en) A data protection method and device based on a trusted cryptographic module

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20140122