CN114168983B - A transparent encryption and decryption method - Google Patents
A transparent encryption and decryption method Download PDFInfo
- Publication number
- CN114168983B CN114168983B CN202111450298.2A CN202111450298A CN114168983B CN 114168983 B CN114168983 B CN 114168983B CN 202111450298 A CN202111450298 A CN 202111450298A CN 114168983 B CN114168983 B CN 114168983B
- Authority
- CN
- China
- Prior art keywords
- file
- decryption
- chain table
- hash chain
- secret
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
一种透明加解密方法,所述方法包括步骤:配置管理层;设置透明加解密层;获取保密文件;利用所述透明加解密层对所述保密文件进行透明加解密。本申请提供的一种透明加解密方法,填补了需要依赖具体文件系统才能进行透明加解密的问题,方案流程中产生的kernel object文件具有可重用性,支持Linux平台下的二次开发。
A transparent encryption and decryption method, the method comprising the steps of: configuring a management layer; setting a transparent encryption and decryption layer; obtaining a confidential file; and transparently encrypting and decrypting the confidential file using the transparent encryption and decryption layer. The transparent encryption and decryption method provided by the present application fills the problem of relying on a specific file system for transparent encryption and decryption. The kernel object file generated in the solution process is reusable and supports secondary development under the Linux platform.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a transparent encryption and decryption method.
Background
With the rapid development of information technology, various technical means such as closed control, interception and encryption are adopted in order to pursue the safety and reliability of information and prevent confidential information from being leaked, and the means are effective and reliable, but each time of use, users are required to carry out encryption and decryption operations, so that the use experience and the work efficiency of the users are greatly influenced.
In order to improve efficiency, a plurality of encryption file systems appear at present, so that good encryption and decryption experience is provided for users, but the freedom of storing file information by the users is limited, and the file information can only be stored in the current file system directory.
In order to get rid of the limitations and realize free and safe and reliable information storage, transparent encryption and decryption are generated. In short, transparent encryption and decryption are that the encryption and decryption process is not perceived by the user, and when the user opens or edits the protected file, the system will automatically encrypt the unencrypted file and decrypt the encrypted file. The file is stored in a ciphertext form on a hard disk, and the file is in a plaintext form in a memory. Once the use environment is changed, the file cannot be opened because the automatic decryption service cannot be obtained, so that the purpose of protecting the file content is achieved.
The transparent encryption and decryption schemes in the prior art are mostly wrapfs-based schemes, and the schemes are realized by mounting the wrapfs file system to a specific file system. And mounting wrapfs a file system on a specific file system during initialization, adding a decryption unit in a wrapfs-layer read function and adding an encryption unit in a write function, so that transparent encryption and decryption of the file are realized.
In the prior art, although transparent encryption and decryption of data can be realized, only some schemes based on wrapfs need to have an underlying file system directory which is already mounted through other file systems, and then the existing and mounted directory needs to be mounted to the/mnt/wrapfs directory again for use.
Disclosure of Invention
In order to solve the problems, the invention provides a transparent encryption and decryption method, which comprises the following steps:
A configuration management layer;
Setting a transparent encryption and decryption layer;
obtaining a secret file;
And carrying out transparent encryption and decryption on the secret file by using the transparent encryption and decryption layer.
Preferably, the configuration management layer includes the steps of:
installing configuration management software;
Using the configuration management software to open a secret file;
Acquiring a current process in a VFS layer;
Judging whether the current process is a configuration management process or not;
if yes, judging whether the confidential file needs to be subjected to confidential treatment or not;
if not, returning to the step of installing configuration management software;
if yes, carrying out confidentiality treatment on the confidentiality file;
if not, continuing to open the secret file.
Preferably, the security processing of the security document includes the steps of:
Initializing a hash chain table node;
acquiring a file structure body of the secret file;
Calculating a key value of the hash chain table node according to the structural body;
inserting node information of the structural body and the hash chain table nodes into a hash chain table;
filling security level information in the hash chain table;
and writing the hash chain table into the head part of the security file.
Preferably, the setting the transparent encryption and decryption layer includes the steps of:
Opening any file;
Reading a header secret field of the open file;
judging whether the header security field has a security level field or not;
if yes, encrypting the opened file;
if not, continuing to open the opened file.
Preferably, the encrypting the open file includes the steps of:
Initializing a hash chain table node;
acquiring a structure body of the opening file;
Calculating a key value of the hash chain table node according to the structural body;
inserting the file structure body and the hash chain table node into a hash chain table;
and generating key values required by encryption and decryption through the file structure body.
Preferably, the transparent encrypting and decrypting the secret document by using the transparent encrypting and decrypting layer includes the steps of:
Performing a write security operation on the security file;
performing a read security operation on the security document;
And executing closing operation on the secret file.
The transparent encryption and decryption method provided by the application solves the problem that the transparent encryption and decryption can be carried out only by relying on a specific file system, and the kernel object file generated in the scheme flow has reusability and supports secondary development under a Linux platform.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.
FIG. 1 is a schematic diagram of a transparent encryption and decryption method provided by the invention;
FIG. 2 is a schematic diagram of a transparent encryption and decryption method provided by the invention;
FIG. 3 is a schematic diagram of a transparent encryption and decryption method provided by the invention;
FIG. 4 is a schematic diagram of a transparent encryption and decryption method provided by the invention;
FIG. 5 is a schematic diagram of a transparent encryption and decryption method provided by the invention;
Fig. 6 is a schematic diagram of a transparent encryption and decryption method provided by the invention.
Detailed Description
The objects, technical solutions and advantages of the present invention will become more apparent by the following detailed description of the present invention with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the invention. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.
In the embodiment of the present application, as shown in fig. 1, the present application provides a transparent encryption and decryption method, which includes the steps of:
s1, configuring a management layer;
In an embodiment of the present application, the configuration management layer includes the steps of:
installing configuration management software;
Using the configuration management software to open a secret file;
Acquiring a current process in a VFS layer;
Judging whether the current process is a configuration management process or not;
if yes, judging whether the confidential file needs to be subjected to confidential treatment or not;
if not, returning to the step of installing configuration management software;
if yes, carrying out confidentiality treatment on the confidentiality file;
if not, continuing to open the secret file.
In the embodiment of the present application, as shown in fig. 2 and 3, the configuration and creation of the security file under the Linux platform includes a plurality of detailed steps, and the specific flow is as follows:
When a new security document is created:
(1) Opening user configuration management software;
(2) The user configuration management software open a new secret file, select whether to create the secret file;
(3) Step (2) entering into the VFS layer through system call, judging whether the current process is a user configuration management process in the do_sys_open function of the VFS layer, if so, judging whether to carry out security treatment on the file, if so, entering into step (4), otherwise, entering into step (5);
(4) Performing security treatment:
(5) Executing an open follow-up action;
And (5) ending.
In an embodiment of the present application, the performing security processing on the security document includes the steps of:
Initializing a hash chain table node;
acquiring a file structure body of the secret file;
Calculating a key value of the hash chain table node according to the structural body;
inserting node information of the structural body and the hash chain table nodes into a hash chain table;
filling security level information in the hash chain table;
and writing the hash chain table into the head part of the security file.
In the embodiment of the application, the specific steps of carrying out the security treatment on the security document are as follows:
a. Initializing a hash chain table node;
b. calculating a hash key value through an address of a file structure body of the opened file;
c. inserting the file structure body and initialized node information into a hash chain table;
d. Filling corresponding security level information, and writing the information into the file header.
S2, setting a transparent encryption and decryption layer;
In the embodiment of the application, the setting of the transparent encryption and decryption layer comprises the following steps:
Opening any file;
Reading a header secret field of the open file;
judging whether the header security field has a security level field or not;
if yes, encrypting the opened file;
if not, continuing to open the opened file.
In the embodiment of the application, the specific steps of setting the transparent encryption and decryption layer are as follows:
When an existing file is opened:
(1) The user reads an existing file through any file reading software open;
(2) Step (1), entering a VFS layer through system call, reading a file header secret field in a do_sys_open function of the VFS layer, judging whether the field has a secret level field, and entering step (3) when the field is a secret file, and entering step (4) when the field is a non-secret file;
(3) When the file is judged to be a secret file, encrypting the opened file;
(4) An open follow-up action is performed.
In an embodiment of the present application, the encrypting the open file includes the steps of:
Initializing a hash chain table node;
acquiring a structure body of the opening file;
Calculating a key value of the hash chain table node according to the structural body;
inserting the file structure body and the hash chain table node into a hash chain table;
and generating key values required by encryption and decryption through the file structure body.
In the embodiment of the application, the encryption processing of the open file specifically comprises the following steps:
a. Initializing a hash chain table node;
b. calculating a hash key value through an address of a file structure body of the opened file;
c. Inserting the file structure body and the initialized buffer area into a hash chain table;
d. and generating key values required by encryption and decryption.
S3, acquiring a secret file;
s4, carrying out transparent encryption and decryption on the secret file by utilizing the transparent encryption and decryption layer.
In the embodiment of the present application, the transparent encrypting and decrypting the secret document by using the transparent encrypting and decrypting layer includes the steps of:
Performing a write security operation on the security file;
performing a read security operation on the security document;
And executing closing operation on the secret file.
In the embodiment of the present application, as shown in fig. 4, the specific steps of performing the write security operation on the security document are as follows:
(1) The user performs write operation on an open file;
(2) Step (1) entering a VFS layer through system call, calculating a hash value through a file structure address in a vfs_write function of the VFS layer, searching whether corresponding secret node information is stored in a hash chain table through the hash value, entering step (3) when the node exists, and entering step (4) when the secret node information is not found;
(3) And (3) encrypting the secret file:
a, judging whether the length of the written data is smaller than the length of the buffer zone, if so, entering the step (b), and if so, entering the step (c);
b, putting the data into a buffer area, and entering a step c when a user executes a closing action or when the buffer area is full;
c, encrypting the data;
(4) Executing a write follow-up action;
And (5) ending.
In the embodiment of the present application, as shown in fig. 5, the specific steps of performing the read security operation on the security document are as follows:
(1) The user performs read reading operation on an open file;
(2) Step (1) entering a VFS layer through system call, calculating a hash value through a file structure address in a vfs_read function of the VFS layer, searching whether corresponding secret node information is stored in a hash chain table through the hash value, entering step (3) when the node exists, and entering step (4) when the secret node information is not found;
(3) And (3) performing read reading operation on the confidential file:
a, checking whether data exists in the buffer area, and entering the step (d) when the buffer area has no data, and entering the step (b) when the buffer area has data;
b, checking whether the data in the buffer area meets the length of the data to be read, and entering the step (c) when the length to be read is met, and entering the step (d) when the length to be read is not met;
c, acquiring data of a buffer area, and entering a step f;
Reading out the data of the buffer area;
reading data from a specific file system, putting the data into a buffer area, calling a decryption unit, and decrypting the data in the buffer area;
f, returning the decrypted data to the user;
(4) Executing read follow-up actions;
(5) And (5) ending.
In fig. 6, in the embodiment of the present application, the specific steps of executing the closing operation on the security document are as follows:
(1) The user performs close closing operation on an open file;
(2) Step (1) entering a VFS layer through system call, calculating a hash value through a file structure body address in a filp _close function of the VFS layer, searching whether corresponding secret node information is stored in a hash chain table through the hash value, and entering step (3) when the node exists;
(3) Closing the confidential file:
a, judging whether data exists in a buffer area in a node, and calling an encryption unit to encrypt the data when the data exists;
b, writing the encrypted data into a file system;
(4) And executing a close follow-up action.
(5) And (5) ending.
The transparent encryption and decryption method provided by the application solves the problem that the transparent encryption and decryption can be carried out only by relying on a specific file system, and the kernel object file generated in the scheme flow has reusability and supports secondary development under a Linux platform.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explanation of the principles of the present invention and are in no way limiting of the invention. Accordingly, any modification, equivalent replacement, improvement, etc. made without departing from the spirit and scope of the present invention should be included in the scope of the present invention. Furthermore, the appended claims are intended to cover all such changes and modifications that fall within the scope and boundary of the appended claims, or equivalents of such scope and boundary.
Claims (2)
1. A transparent encryption and decryption method, the method comprising the steps of:
A configuration management layer;
Setting a transparent encryption and decryption layer;
obtaining a secret file;
using the transparent encryption and decryption layer to carry out transparent encryption and decryption on the secret file;
The configuration management layer comprises the following steps:
installing configuration management software;
Using the configuration management software to open a secret file;
Acquiring a current process in a VFS layer;
Judging whether the current process is a configuration management process or not;
if yes, judging whether the confidential file needs to be subjected to confidential treatment or not;
if not, returning to the step of installing configuration management software;
if yes, carrying out confidentiality treatment on the confidentiality file;
if not, continuing to open the secret file;
the step of carrying out security treatment on the security document comprises the following steps:
Initializing a hash chain table node;
acquiring a file structure body of the secret file;
Calculating a key value of the hash chain table node according to the file structure;
Inserting the file structure body and the node information of the hash chain table nodes into a hash chain table;
filling security level information in the hash chain table;
writing the hash chain table into the head of the secret file;
the transparent encryption and decryption layer setting comprises the following steps:
Opening any file;
Reading a header secret field of the open file;
judging whether the header security field has a security level field or not;
if yes, encrypting the opened file;
If not, continuing to open the opened file;
The encryption processing of the open file comprises the following steps:
Initializing a hash chain table node;
Acquiring a file structure body of the opening file;
Calculating a key value of the hash chain table node according to the file structure;
inserting the file structure body and the hash chain table node into a hash chain table;
and generating key values required by encryption and decryption through the file structure body.
2. The transparent encryption and decryption method according to claim 1, wherein the transparent encryption and decryption of the secret document by using the transparent encryption and decryption layer comprises the steps of:
Performing a write security operation on the security file;
performing a read security operation on the security document;
And executing closing operation on the secret file.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111450298.2A CN114168983B (en) | 2021-11-30 | 2021-11-30 | A transparent encryption and decryption method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111450298.2A CN114168983B (en) | 2021-11-30 | 2021-11-30 | A transparent encryption and decryption method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114168983A CN114168983A (en) | 2022-03-11 |
| CN114168983B true CN114168983B (en) | 2025-02-14 |
Family
ID=80481907
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111450298.2A Active CN114168983B (en) | 2021-11-30 | 2021-11-30 | A transparent encryption and decryption method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114168983B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103530570A (en) * | 2013-09-24 | 2014-01-22 | 国家电网公司 | Electronic document safety management system and method |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2435945B (en) * | 2006-03-04 | 2008-10-29 | Ahmed Eltigani | Transparent encryption and zipping file management system that tunnels ntfs functionality to other file system formats |
| US9076003B2 (en) * | 2013-08-20 | 2015-07-07 | Janus Technologies, Inc. | Method and apparatus for transparently encrypting and decrypting computer interface data |
| CN104252605B (en) * | 2014-09-17 | 2017-03-15 | 南京信息工程大学 | A kind of file transparent encrypting and deciphering system of Android platform and method |
| CN112182611A (en) * | 2020-09-27 | 2021-01-05 | 中孚安全技术有限公司 | File transparent encryption and decryption method and system based on Linux kernel layer |
| CN113536369A (en) * | 2021-06-29 | 2021-10-22 | 上海浩霖汇信息科技有限公司 | Electronic file real-time transparent storage encryption and decryption method and system and related products |
-
2021
- 2021-11-30 CN CN202111450298.2A patent/CN114168983B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103530570A (en) * | 2013-09-24 | 2014-01-22 | 国家电网公司 | Electronic document safety management system and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114168983A (en) | 2022-03-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113240519B (en) | Intelligent contract management method and device based on block chain and electronic equipment | |
| CN101853363B (en) | File protection method and system | |
| CN1535411B (en) | Method and system for increasing security in computer systems using attached storage devices | |
| US12052356B2 (en) | Method and apparatus for data storage and verification | |
| CN104951409B (en) | A hardware-based full disk encryption system and encryption method | |
| CN103106372B (en) | For lightweight privacy data encryption method and the system of android system | |
| EP3667535B1 (en) | Storage data encryption and decryption device and method | |
| KR101303278B1 (en) | FPGA apparatus and method for protecting bitstream | |
| CN104834868A (en) | Electronic data protection method, device and terminal equipment | |
| JP2020535693A (en) | Storage data encryption / decryption device and method | |
| CN109190401A (en) | A kind of date storage method, device and the associated component of Qemu virtual credible root | |
| CN106682521B (en) | File transparent encryption and decryption system and method based on driver layer | |
| CN108573176B (en) | A method and system for safely deleting mobile terminal data with key derivation and encryption | |
| CN116886356B (en) | Chip-level transparent file encryption storage system, method and equipment | |
| CN106845261A (en) | A kind of method and device of destruction SSD hard disc datas | |
| WO2023240866A1 (en) | Cipher card and root key protection method therefor, and computer readable storage medium | |
| CN115982761A (en) | Sensitive information processing method, device, electronic device and storage medium | |
| CN107305606A (en) | The processing method and processing device of application file and the access method of file and device | |
| US20170262640A1 (en) | Database operation method and device | |
| CN114168983B (en) | A transparent encryption and decryption method | |
| CN109697366A (en) | A kind of Android file transparent encipher-decipher method based on hook | |
| Braga et al. | Adding secure deletion to an encrypted file system on Android smartphones | |
| CN107563228A (en) | A kind of method of internal storage data encryption and decryption | |
| CN111523129A (en) | TPM-based data leakage protection method | |
| CN112532380A (en) | Cloud storage data deterministic deletion method based on SGX technology |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |