
CN118013547A - Memory encryption and decryption method, system and related equipment based on user layer - Google Patents


Info

Publication number
CN118013547A
Authority
CN
China
Prior art keywords
file
encryption
decryption
memory
program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410165916.6A
Other languages
Chinese (zh)
Inventor
杨心同
刘善军
吴松洋
姚琛琛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Third Research Institute of the Ministry of Public Security
Original Assignee
Third Research Institute of the Ministry of Public Security
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Third Research Institute of the Ministry of Public Security
Priority to CN202410165916.6A
Priority to PCT/CN2024/089282 (WO2025166911A1)
Publication of CN118013547A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a user-layer-based memory encryption and decryption method, system and related equipment. Without using minifilter, the scheme innovatively maps an original file image in the encrypted state to a designated directory in the user layer, decrypts synchronously during the image mapping, and keeps all decrypted data in user-mode program memory; on this basis, the processes accessing the currently decrypted file are monitored synchronously, and untrusted processes are intercepted while trusted processes are released. All encryption, decryption and data storage operations are completed in the user layer and all decrypted data is held in user-mode program memory, so system efficiency can be greatly improved in scenarios that need to access big data.

Description

A user-layer-based memory encryption and decryption method, system and related equipment

Technical Field

The present invention relates to data security technology, and in particular to data encryption technology.

Background Art

Encryption technology uses technical means to convert data into encrypted data (unreadable ciphertext) before transmission, and decrypts it after it reaches its destination. Encryption is now widely used, especially in the economic field, e-commerce and so on. The most important part of encryption technology is the encryption algorithm; different algorithms have different security levels and encryption effects. Common encryption algorithms are divided into symmetric encryption and asymmetric encryption.

Symmetric encryption uses symmetric cryptographic coding technology and is characterized by using the same key for encryption and decryption, that is, the encryption key can also be used for decryption. This kind of algorithm is simple to use and has a short key. A common symmetric-key encryption system is the International Data Encryption Algorithm (IDEA).

Asymmetric encryption algorithms were designed to solve the problems of information disclosure and key management. In symmetric encryption, the encryption key may be shared elsewhere, and whoever obtains the encryption key can decrypt the data, which poses a certain security risk. Asymmetric encryption algorithms separate the encryption key and the decryption key into a public key and a private key: data is encrypted with the public key and then decrypted with the private key. The two are symmetric and complementary: data encrypted with the private key must be decrypted with the public key, and likewise data encrypted with the public key must be decrypted with the private key.

Traditional encryption generally means encrypting data and saving it to the hard disk. When a user needs to view it, the data has to be decrypted for viewing. Once decrypted, the data is plaintext and can be used without limit thereafter, that is, it remains permanently in plaintext. As an example, this is similar to viewing an encrypted archive: after the archive is encrypted the user cannot view or open it, but once the archive is decrypted the data lands on disk in plaintext form and subsequent users can use it without a second decryption.

In practical applications, some data needs to remain encrypted whenever it is not being viewed: the corresponding data must be decrypted by a specific program, and after the program has decrypted and displayed it the data should automatically return to encrypted mode, to prevent other programs from maliciously reading or moving it. As an example, for some sensitive data in real business, users need to add, delete, query and modify such sensitive data while guaranteeing its security at all times; for this, users must be restricted to decrypting and editing with a specific program only, and no other program may access the decrypted data. To this end, there is a need for a general-purpose program that decrypts encrypted files and automatically restores the decrypted data to encrypted mode afterwards. The traditional decryption approach generally decrypts the file with a key or password and saves it to the hard disk; once decrypted, the file can be viewed an unlimited number of times, which brings a certain security risk. The traditional decryption approach is therefore limited, and the decrypted data may also present problems.

Current technical solutions for automatic encryption and decryption by applications are all based on minifilter to implement file-related encryption protection.

minifilter is the kernel-driver filter framework officially provided by Windows. It provides hook callbacks for Windows operating system operations, with which users can implement interception or release of system operations themselves. A minifilter solution is divided into a user layer and a kernel layer: the user layer configures permission files and the like and passes them to the kernel layer, and the kernel layer then acts on files according to the configuration, for example intercepting or releasing them. The configuration file can specify operations based on file name, extension, requesting process name, request method and so on; at the same time, if a file is detected to be encrypted it is decrypted automatically. Whether a file is encrypted or decrypted is generally judged by a file header identifier. After the user writes file data, the written data is encrypted and appended to the kernel buffer, thereby realizing real-time encrypted storage of the file.

However, in practical use, the existing minifilter-based encryption protection scheme must register a Windows kernel driver in advance and then communicate between the user layer and the kernel layer. Because the file encryption and decryption logic has to be configured, the configuration file must be passed into the kernel layer, and file decryption depends on the kernel layer's decryption method. When the buffer to be decrypted is too large, the resources occupied by the kernel layer increase sharply and the system stalls. In the present scheme, by contrast, the user configuration file is defined at the user layer and can be changed flexibly; either XML or JSON can implement similar functions without having to consider data transfer between the user layer and the kernel layer.

Furthermore, in practical use of the existing minifilter-based encryption protection scheme, any program that relies on a minifilter must carry a Windows driver signature before it can be used. Without an officially authorized Windows signature, the program cannot run on release versions of Windows, or triggers warnings, which greatly increases the deployment cost of the existing scheme.

Summary of the Invention

In view of the problems of existing minifilter-based file encryption protection schemes, the object of the present invention is to provide a user-layer-based memory encryption and decryption scheme that can implement file encryption protection at the user layer without using minifilter, thereby effectively overcoming the problems of the prior art.

To achieve the above object, the present invention provides a user-layer-based memory encryption and decryption method: at the user layer, any original directory is image-mapped to any specified empty directory; during the image mapping, all designated files under the original directory are decrypted synchronously; the processes accessing the currently decrypted files are monitored, and untrusted processes are intercepted while trusted processes are released.

In some embodiments of the present invention, the memory encryption and decryption method uses dokany at the user layer to mount and map any original file in the encrypted state to any other specified empty directory, decrypting it at the same time and monitoring the processes that access the currently decrypted file.

In some embodiments, the memory encryption and decryption method provides a file operation hook interface during the mount mapping, and performs file I/O interception, authorized release, and encryption and decryption operations through this hook interface.

In some embodiments, when the method performs in-memory decryption of a file through the operation hook interface, the file has been encrypted in advance by an encryption program; decryption is performed according to the encryption scheme read from the configuration file. When the file is opened and the hook callback fires, the encryption algorithm is read from the configuration file, and the file content is decrypted with the program's built-in key or a key read from an encrypted key space.

In some embodiments, when the method performs permission interception and authorized release through the operation hook interface, permissions are granted through the user-layer configuration. When a file is opened, dokany's file I/O read callback interface is triggered; this callback decides, by examining the configuration information passed in from the user layer, whether the current operation is to be intercepted or released. If permission authentication passes, the decryption logic is entered to decrypt the file in memory and return it to the user layer to be opened; if authorization fails, the I/O operation is intercepted directly and the file remains encrypted.

In some embodiments, the access permission policy for decrypted files in the method is generated by the user layer reading a configuration policy file, and is then written into the user-layer program, which performs file permission management.

To achieve the above object, the present invention also provides a dokany-based memory encryption and decryption system, comprising a processor, a memory and a program stored in the memory and executable on the processor, wherein the program is loaded by the processor and executes the steps of the above memory encryption and decryption method.

To achieve the above object, the present invention provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, it implements the steps of the above dokany-based memory encryption and decryption method.

To achieve the above object, the present invention provides a processor for running a program; when the program runs, it executes the steps of the above dokany-based memory encryption and decryption method.

To achieve the above object, the present invention provides a terminal device comprising a processor, a memory and a program stored in the memory and executable on the processor, wherein the program code is loaded and executed by the processor to implement the steps of the above dokany-based memory encryption and decryption method.

To achieve the above object, the present invention provides a computer program product which, when executed on a data processing device, is adapted to execute the steps of the above dokany-based memory encryption and decryption method.

The dokany-based memory encryption and decryption scheme provided by the present invention completes all encryption, decryption and data storage operations at the user layer, with all decrypted data held in user-mode program memory. This can greatly improve system efficiency in scenarios that need to access big data, and effectively overcomes the problem that the traditional minifilter scheme cannot support reading and analysing big data: the memory required depends on the size of the data file, and because kernel-level memory is small it cannot provide a decryption solution for large amounts of data.

Furthermore, compared with the existing minifilter-based encryption protection scheme, the user configuration file in the present scheme is defined at the user layer and can be changed flexibly; either XML or JSON can implement the corresponding functions without having to consider data transfer between the user layer and the kernel layer.

Brief Description of the Drawings

The present invention is further described below in conjunction with the accompanying drawings and specific embodiments.

FIG. 1 is an example diagram of dokany-based memory encryption and decryption in an example of the present invention.

Detailed Description

In order to make the technical means, creative features, objects and effects achieved by the present invention easy to understand, the present invention is further explained below with reference to the specific drawings.

Explanation of terms:

Intel x86 processors control access by ring level. There are four levels, Ring 0 to Ring 3 (hereinafter R0, R1, R2, R3). R0 has the highest privilege and R3 the lowest. According to Intel's original design, applications run in R3 and can only access R3 data; the operating system runs in R0 and can access data in all levels; other drivers sit in R1 and R2, and each level can only access data of its own level and of less privileged levels.

User layer: ordinary applications run in the user layer, which can access only limited resources and interfaces; for security, the user layer cannot access resources such as drivers and the system kernel.

Kernel layer: the operating system runs in R0 and can access data in all levels; other drivers sit in R1 and R2, and each level can only access data of its own level and of less privileged levels.

Without using minifilter, the scheme of the present invention innovatively image-maps, at the user layer, the files of any original directory in the encrypted state to any specified empty directory, synchronously decrypts all designated files under the original directory during the image mapping, and keeps all decrypted data in user-mode program memory; on this basis it synchronously monitors the processes accessing the currently decrypted files, intercepting untrusted processes and releasing trusted ones. Both the original directory and the specified directory can be chosen by the user, and either may be a directory or an entire drive letter.

Specifically, the scheme uses dokany to implement file encryption protection at the user layer without minifilter. At the user layer, the scheme uses dokany to mount the original files of any directory in the encrypted state to any other specified empty directory, decrypting them at the same time, and monitors the processes accessing the currently decrypted files, intercepting untrusted processes and releasing trusted ones.

In some embodiments, the scheme provides a file operation hook interface during the mount; this hook interface can exchange data with the user layer, thereby realizing core functions such as process monitoring and file encryption and decryption.

Accordingly, the scheme implements file I/O interception, authorized release, and encryption and decryption operations on the basis of this file operation hook interface.

In some embodiments, when the scheme decrypts a file in memory through the file operation hook interface, the file has been encrypted in advance by an encryption program. The encryption scheme and encryption key are set independently and do not depend on the program of the present scheme. At the same time, the present scheme decrypts according to the encryption scheme read from the configuration file: when the file is opened and the hook callback fires, the program reads the encryption algorithm from the configuration file and decrypts the file content with the program's built-in key or a key read from an encrypted key space. Since file content is generally a string, it is compatible with the common encryption algorithms in use today, both symmetric and asymmetric, provided the encryption is reversible.

In some embodiments, when the scheme performs permission interception and authorized release through the operation hook interface, permissions are granted through the user-layer configuration, which specifically contains the blacklist and whitelist of processes allowed to access and the permitted access types.

On this basis, when the user opens a file, dokany's file I/O read callback interface is triggered; this callback decides, by examining the configuration information passed in from the user layer, whether the current operation is to be intercepted or released:

if permission authentication passes, the decryption logic is entered, the file is decrypted in memory and returned to the user layer to be opened;

if authorization fails, the I/O operation is intercepted directly and the file remains encrypted.

As a further preference, when the I/O operation is intercepted because authorization failed, the program can additionally be configured to prompt the user that they have no permission to open the file.

In some embodiments, the access permission policy for decrypted files is generated by the user layer reading a configuration policy file and is then written into the user-layer program, which performs file permission management.

As further explanation, the file permissions here include delete, edit, access and rename permissions, which the user can configure freely. Each file permission corresponds to one or more hook callback functions; the program reads the configuration file passed from the user layer and intercepts in the hook callback of the specific permission, thereby implementing access control for that permission.

Specifically, the interception policy can be defined by a policy file that contains the configuration of file name, file extension blacklist/whitelist, accessing process name, pid blacklist/whitelist, accessing user blacklist/whitelist, access time and access count.

As further explanation, in a concrete implementation the interception policy is defined by the user; all configuration is collected into a piece of JSON data or other structured data such as XML or INI. After the program starts it reads the corresponding configuration file and passes it to the kernel layer for access interception control.
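The read-hook flow and the policy file described above (the permission check in the hook, in-memory decryption on release, interception otherwise, and a policy made of extension, process-name, pid, user, time-window and access-count lists), as an added Python example that is not code from the patent or from the dokany project. The field names in the constructed policy, the list semantics (blacklist wins; an empty whitelist permits anything not blacklisted), the key and the cipher are assumptions: the HMAC-SHA256 counter-mode key stream stands in for whichever reversible algorithm the configuration names, and `on_read` stands in for the logic that would run inside dokany's read callback.

```python
import datetime as dt
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample policy in the shape the patent describes; field names are hypothetical.
POLICY_JSON = """
{
  "algorithm": "hmac-sha256-ctr",
  "extensions":    {"whitelist": [".sec"], "blacklist": []},
  "process_names": {"whitelist": ["viewer.exe"], "blacklist": ["explorer.exe"]},
  "pids":          {"blacklist": [4]},
  "users":         {"whitelist": ["alice"], "blacklist": []},
  "access_window": {"start": "08:00", "end": "18:00"},
  "max_access_count": 3
}
"""


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Reversible stand-in for the configured algorithm: XOR with an HMAC-SHA256
    counter-mode key stream, so the same call both encrypts and decrypts."""
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class Policy:
    """Interception policy parsed from the user-layer configuration."""

    def __init__(self, text: str):
        self.cfg = json.loads(text)
        self.counts = defaultdict(int)   # (path, process) -> releases so far

    @staticmethod
    def _listed(section: dict, value) -> bool:
        # Blacklist wins; an empty whitelist permits anything not blacklisted (assumption).
        if value in section.get("blacklist", []):
            return False
        wl = section.get("whitelist", [])
        return not wl or value in wl

    def decide(self, path, proc, pid, user, now) -> bool:
        """True = release the operation, False = intercept it."""
        ext = path[path.rfind("."):].lower() if "." in path else ""
        win = self.cfg["access_window"]
        start, end = dt.time.fromisoformat(win["start"]), dt.time.fromisoformat(win["end"])
        return all([
            self._listed(self.cfg["extensions"], ext),
            self._listed(self.cfg["process_names"], proc.lower()),
            pid not in self.cfg["pids"].get("blacklist", []),
            self._listed(self.cfg["users"], user),
            start <= now.time() <= end,
            self.counts[(path, proc)] < self.cfg["max_access_count"],
        ])


class MirrorStore:
    """Simulated mirror directory: the ciphertext dict stands in for the on-disk
    original; plaintext exists only in this object's memory and is never written out."""

    def __init__(self, policy: Policy, key: bytes, encrypted_files: dict):
        self.policy, self.key, self.encrypted = policy, key, encrypted_files
        self.plain_cache = {}

    def on_read(self, path, proc, pid, user, now):
        """What the read hook does: intercept (None) or release the decrypted bytes."""
        if not self.policy.decide(path, proc, pid, user, now):
            return None                     # intercepted: the file stays encrypted
        self.policy.counts[(path, proc)] += 1
        if path not in self.plain_cache:    # decrypt once, keep in user-mode memory
            self.plain_cache[path] = keystream_xor(self.key, self.encrypted[path])
        return self.plain_cache[path]


def demo() -> dict:
    """Run a constructed scenario and return each hook decision."""
    key = b"constructed-demo-key"           # stands in for the program's built-in key
    store = MirrorStore(Policy(POLICY_JSON), key,
                        {"report.sec": keystream_xor(key, b"quarterly figures")})
    t = dt.datetime(2024, 1, 1, 10, 0)

    def attempt(proc="viewer.exe", pid=100, user="alice", when=t, path="report.sec"):
        return store.on_read(path, proc, pid, user, when)

    return {
        "trusted":       attempt(),
        "blacklisted":   attempt(proc="explorer.exe"),
        "wrong_ext":     attempt(path="notes.txt"),
        "bad_pid":       attempt(pid=4),
        "unlisted_user": attempt(user="bob"),
        "after_hours":   attempt(when=dt.datetime(2024, 1, 1, 22, 0)),
        "second":        attempt(),
        "third":         attempt(),
        "fourth":        attempt(),         # exceeds max_access_count
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {'released' if result else 'intercepted'}")
```

Denied reads do not count against `max_access_count`, and the plaintext cache is keyed by path only, so a second trusted process reading the same file reuses the in-memory copy rather than decrypting again; both are design choices of this example, not of the patent.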

On this basis, the scheme moves all configuration parsing and encryption/decryption parsing to the user layer, effectively overcoming the efficiency and resource problems of the existing minifilter scheme, in which the file interception hooks must all be implemented in the kernel layer. The scheme implements in-memory decryption of files on top of dokany: through the file operation hook interface formed by dokany, decryption is performed in the file read interface, and the process access policy prevents untrusted processes from accessing decrypted data. All file operations are thus executed at the user layer, decrypted data is kept in program memory, and the kernel-layer file interface is used only for interaction with the user layer. This makes the scheme more flexible, very low in cost and quick to develop, since most development need only be done in user mode; it avoids system crashes caused by kernel errors, and can effectively provide encryption and decryption protection for big data. This is completely different from the traditional minifilter scheme, in which all decrypted data is kept in kernel mode and file resources that are too large to execute or access will crash the system.

In a concrete application, the user-layer-based memory encryption and decryption scheme of the present invention can be built into a corresponding software program, forming a user-layer-based memory encryption and decryption system. When running, the software program executes the user-layer-based memory encryption and decryption method described above; it is also stored in a corresponding storage medium for the processor to retrieve and execute.

At runtime, the resulting user-layer-based memory encryption and decryption system can use dokany to perform encryption protection, permission control, in-memory decryption and automatic write-back of files at the user layer.

Referring to FIG. 1, it shows a flow chart of the in-memory encryption and decryption of a file by the memory encryption and decryption system of the present invention.

As can be seen from the figure, when this system performs in-memory encryption and decryption of files, dokany is started in image-mapping mode and maps the protected original files in the encrypted state to a mirror directory (that is, image-maps them to any specified empty directory). The user accesses the mirror directory for viewing; the files are decrypted automatically after dokany's image mapping, and the processes accessing the currently decrypted files are monitored, with untrusted processes intercepted and trusted processes released.

Specifically, the corresponding original files are encrypted in advance by an encryption program; the encryption scheme and key may be chosen independently of the program of the present scheme, or the encryption scheme built into the program may be used. After a file is encrypted, its extension or name may be changed so that the program can recognize encrypted files easily.

Further, access permissions are configured in the program and the program is started. The program decrypts according to the encryption scheme in its configuration: when the user opens a file and the hook callback fires, the program reads the configured encryption algorithm and decrypts the file content with its built-in key (or a key read from an encrypted key space).

Since file content is generally a string, this scheme is compatible with the common encryption algorithms in use today, both symmetric and asymmetric, provided the encryption is reversible.

Once the file permission check releases the file, the file opens normally; but unlike a traditional file, the content of the currently opened file is presented after decryption via the kernel layer and exists not on the hard disk but in memory, which greatly increases the security of the file.

Further, in implementing the scheme, once a decrypted file has been decrypted through the dokany mount and the currently accessing program is being monitored in real time, the file's access permission policy is generated by the user layer reading the configuration policy file (JSON or XML) and is then written into the user-layer program, which implements file permission management. The permission configuration is specified by the user. In the present scheme the permission configuration is passed through the program's internal variables; it can also be passed through a file (security is then lower, because the configuration file can be tampered with). After the user specifies the access policy, the program passes the policy to the dokany kernel through variables; at the system level, interaction between the user layer and the kernel layer is implemented with shared memory, that is, the configuration variables are written to shared memory and then read by the kernel driver.

进一步地,本发明方案在实施过程中,对于文件解密过程,优选采用对称加密算法,且需要同步加密和解密密钥,解密算法和密钥已经在程序中内置。这里的程序内部预设好常见的加密算法类,其中包括加解密密钥,加密方案,加密函数等,程序可直接调用加密或者加密算法。Furthermore, in the implementation of the scheme of the present invention, for the file decryption process, a symmetric encryption algorithm is preferably used, and encryption and decryption keys need to be synchronized, and the decryption algorithm and key are already built into the program. Common encryption algorithm classes are preset inside the program here, including encryption and decryption keys, encryption schemes, encryption functions, etc. The program can directly call encryption or encryption algorithms.

进一步地,本发明方案在实施过程中,对于加解密逻辑判断,仅涉及到文件解密,默认文件已经被加密成功。文件加密后会在文件头新增标识,当dokany判断到文件头匹配后会对文件解密,其余文件不解密和展示,即mount之后的解密文件仅包含需要解密的文件。Furthermore, during the implementation of the scheme of the present invention, the encryption and decryption logic judgment only involves file decryption, and the default file has been successfully encrypted. After the file is encrypted, a new identifier will be added to the file header. When dokany determines that the file header matches, it will decrypt the file, and the remaining files will not be decrypted and displayed, that is, the decrypted files after mounting only contain the files that need to be decrypted.

作为进一步说明,这里的文件的加密可以由用户自行加密,或者直接采用本程序的预设加密方案,在加密后程序需要识别原始目录下加密的文件与非加密文件,因此预设加密方案中文件加密后会自动改变其文件头标识,程序通过配置文件头来判断哪些文件需要解密。如果是用户自行加密,可以改变其文件名,文件扩展名来进行标识,程序同样经过文件名或者扩展名的正则匹配后进行判断解密。As a further explanation, the encryption of the files here can be done by the user, or directly use the preset encryption scheme of this program. After encryption, the program needs to identify the encrypted files and non-encrypted files in the original directory. Therefore, the file header identification will be automatically changed after the file is encrypted in the preset encryption scheme. The program determines which files need to be decrypted by configuring the file header. If the user encrypts it by himself, he can change the file name and file extension to identify it. The program also determines the decryption after the regular matching of the file name or extension.

进一步地,本发明方案在实施过程中,对于文件的自动写回部分,在用户获取权限打开解密文件后,当dokany拦截到用户写入操作,程序自动将写入部分加密并追加到缓冲区中,待用户关闭文件后,原始加密文件同时刷新到最新。这里写回的钩子函数一般是flush文件更新接口,该接口读取当前文件写入的数据,将数据进行加密后追加写入到原始文件中,从而实现文件的自动写回操作。Furthermore, during the implementation of the scheme of the present invention, for the automatic write-back part of the file, after the user obtains permission to open the decrypted file, when dokany intercepts the user's write operation, the program automatically encrypts the written part and appends it to the buffer, and after the user closes the file, the original encrypted file is refreshed to the latest at the same time. The write-back hook function here is generally the flush file update interface, which reads the data written by the current file, encrypts the data and appends it to the original file, thereby realizing the automatic write-back operation of the file.
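The flow described in the preceding paragraphs (header-tagged ciphertext left in the original directory, a policy naming the trusted processes, decrypt-on-open, and re-encryption on write-back) as an added example written for this page in Go; it is not the patent's C#/dokany program and models dokany's callbacks as plain method calls (`OpenFile`, `WriteBack`). The header tag value `UMEMENC1`, the policy key name `trusted_processes`, and the choice of AES-GCM are assumptions, as is binding the header tag as associated data so that a valid tag cannot be grafted onto a foreign ciphertext, which goes slightly beyond the text.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// Constructed header tag for files encrypted by the "preset scheme"; the patent
// describes such a marker but does not give its value.
var headerTag = []byte("UMEMENC1")

var ErrAccessDenied = errors.New("accessing process is not in the trusted list")
var ErrNotFound = errors.New("no such encrypted file in the mirror")

// Policy is the shape of the user-layer JSON policy file (key name assumed).
type Policy struct {
	TrustedProcesses []string `json:"trusted_processes"`
}

// Allows matches the accessing process image name case-insensitively.
func (p Policy) Allows(image string) bool {
	for _, t := range p.TrustedProcesses {
		if strings.EqualFold(t, image) {
			return true
		}
	}
	return false
}

// IsEncrypted is the header check that decides which files the mount decrypts.
func IsEncrypted(blob []byte) bool { return bytes.HasPrefix(blob, headerTag) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal writes headerTag || nonce || AES-GCM(plaintext), binding the tag as AAD.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, headerTag...), nonce...)
	return aead.Seal(out, nonce, plaintext, headerTag), nil
}

// Open reverses Seal; a wrong key or any modified byte fails authentication.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if !IsEncrypted(blob) || len(blob) < len(headerTag)+aead.NonceSize() {
		return nil, errors.New("malformed encrypted file")
	}
	body := blob[len(headerTag):]
	return aead.Open(nil, body[:aead.NonceSize()], body[aead.NonceSize():], headerTag)
}

// Mirror is the mounted view over the original directory, which holds only ciphertext.
type Mirror struct {
	Key   []byte
	Store map[string][]byte // original directory: file name -> ciphertext
	Pol   Policy
}

// OpenFile is the open/read hook: policy check first, then decrypt into memory.
func (m *Mirror) OpenFile(name, processImage string) ([]byte, error) {
	if !m.Pol.Allows(processImage) {
		return nil, ErrAccessDenied
	}
	blob, ok := m.Store[name]
	if !ok || !IsEncrypted(blob) {
		return nil, ErrNotFound
	}
	return Open(m.Key, blob)
}

// WriteBack is the write/flush hook: new content is re-sealed and replaces the original.
func (m *Mirror) WriteBack(name, processImage string, data []byte) error {
	if !m.Pol.Allows(processImage) {
		return ErrAccessDenied
	}
	blob, err := Seal(m.Key, data)
	if err != nil {
		return err
	}
	m.Store[name] = blob
	return nil
}
```

To use it, run `Seal` once over each original file to produce the tagged ciphertext that stays on disk, then route the mount's open and flush callbacks to `OpenFile` and `WriteBack`; plaintext only ever travels to the accessing process, and an untrusted process or an untagged file gets an error instead of content.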

Further, file decryption depends on the decryption program of this scheme, an ordinary Windows process that connects to the dokany interface using C# and can be executed directly once packaged; the dokany driver package it depends on can be installed automatically after packaging. Even if the program is killed inadvertently, the decrypted files simply disappear and file security is unaffected; even if the original file is copied, it is ciphertext and cannot be viewed. While the decryption program is running it also intercepts system explorer operations to prevent users from manually copying decrypted files.

Note that although the scheme of the present invention is implemented on dokany, under the guidance of the same principle it can also be implemented with memfs.

An embodiment of the present invention further provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, it implements the steps of the user-layer-based memory encryption and decryption method described above.

An embodiment of the present invention further provides a processor for running a program, wherein the program, when run, executes the steps of the user-layer-based memory encryption and decryption method described above.

An embodiment of the present invention further provides a terminal device comprising a processor, a memory and a program stored in the memory and executable on the processor, wherein the program code is loaded and executed by the processor to implement the steps of the user-layer-based memory encryption and decryption method described above.

The present invention further provides a computer program product which, when executed on a data processing device, is adapted to execute the steps of the user-layer-based memory encryption and decryption method described above.

In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant description of other embodiments.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and modules described above may be referred to the corresponding processes in the foregoing method embodiments and are not repeated here.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.

The memory may include non-persistent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include persistent and non-persistent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.

It should also be noted that the terms "comprise", "include" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.


The foregoing shows and describes the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the above embodiments and the description merely illustrate the principles of the invention, and various changes and improvements may be made without departing from the spirit and scope of the invention, all of which fall within the claimed scope. The scope of protection of the present invention is defined by the appended claims and their equivalents.

Claims (10)

1. A user-layer-based memory encryption and decryption method, characterized in that an original file in encrypted state is mirror-mapped at the user layer into any specified empty directory; during the mirror mapping all specified files under the original file directory are decrypted synchronously; and the process accessing the currently decrypted file is monitored, with untrusted processes blocked and trusted processes allowed through.

2. The user-layer-based memory encryption and decryption method according to claim 1, characterized in that, at the user layer and on the basis of dokany, the original files of any directory in encrypted state are mount-mapped to another specified empty directory and decrypted at the same time, and the process accessing the currently decrypted file is monitored.

3. The user-layer-based memory encryption and decryption method according to claim 2, characterized in that the method provides a file operation hook interface during the mount mapping and, on the basis of the operation hook interface, performs interception of file I/O operations, authorization and release, and encryption and decryption operations.

4. The user-layer-based memory encryption and decryption method according to claim 3, characterized in that when in-memory decryption of a file is performed on the basis of the operation hook interface, the file has been encrypted in advance by an encryption program; decryption is performed according to the encryption scheme read from the configuration file, and when opening the file triggers the hook callback, the encryption algorithm in the configuration file is read and the file content is decrypted with the key built into the program or a key read from the encryption space.

5. The user-layer-based memory encryption and decryption method according to claim 3, characterized in that when permission interception and authorization release are performed on the basis of the operation hook interface, permissions are granted through the user-layer configuration; opening a file actively triggers dokany's file I/O read callback interface, which judges from the configuration information passed down from the user layer whether to intercept or release the current operation; when permission authentication passes, the decryption logic is entered to decrypt the file in memory and return it to the user layer to be opened; when authorization fails, the I/O operation is intercepted directly and the file remains encrypted.

6. The user-layer-based memory encryption and decryption method according to claim 2, characterized in that the access-permission policy for decrypted files is generated by the user layer reading a configuration policy file and is then written into the user-layer program, which performs the file permission management.

7. A dokany-based memory encryption and decryption system, comprising a processor, a memory and a program stored in the memory and executable on the processor, characterized in that the program is loaded by the processor and executes the steps of the memory encryption and decryption method according to any one of claims 1 to 6.

8. A computer-readable storage medium on which a program is stored, characterized in that when the program is executed by a processor it implements the steps of the dokany-based memory encryption and decryption method according to any one of claims 1 to 6.

9. A terminal device comprising a processor, a memory and a program stored in the memory and executable on the processor, characterized in that the program code is loaded and executed by the processor to implement the steps of the dokany-based memory encryption and decryption method according to any one of claims 1 to 6.

10. A computer program product, characterized in that, when executed on a data processing device, it is adapted to execute the steps of the dokany-based memory encryption and decryption method according to any one of claims 1 to 6.
CN202410165916.6A 2024-02-05 2024-02-05 Memory encryption and decryption method, system and related equipment based on user layer Pending CN118013547A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202410165916.6A CN118013547A (en) 2024-02-05 2024-02-05 Memory encryption and decryption method, system and related equipment based on user layer
PCT/CN2024/089282 WO2025166911A1 (en) 2024-02-05 2024-04-23 Memory encryption and decryption method and system based on user layer, and related device


Publications (1)

Publication Number Publication Date
CN118013547A true CN118013547A (en) 2024-05-10

Family

ID=90958020


Country Status (2)

Country Link
CN (1) CN118013547A (en)
WO (1) WO2025166911A1 (en)


Also Published As

Publication number Publication date
WO2025166911A1 (en) 2025-08-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination