CN111158857B - Data encryption method, device, equipment and storage medium - Google Patents
- Publication number: CN111158857B (application CN201911347007.XA)
- Authority: CN (China)
- Prior art keywords: encryption, target data, strategy (policy), virtual machine, virtual desktop
- Legal status: Active (as listed by Google Patents; not a legal conclusion)
Classifications
- G (PHYSICS) > G06 (COMPUTING OR CALCULATING; COUNTING) > G06F (ELECTRIC DIGITAL DATA PROCESSING)
- G06F9/00 (Arrangements for program control, e.g. control units) > G06F9/06 (using stored programs, i.e. using an internal store of processing equipment to receive or retain programs) > G06F9/44 (Arrangements for executing specific programs) > G06F9/455 (Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines) > G06F9/45533 (Hypervisors; Virtual machine monitors) > G06F9/45558 (Hypervisor-specific management and integration aspects) > G06F2009/45587 (Isolation or security of virtual machine instances)
- G06F21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity) > G06F21/60 (Protecting data) > G06F21/602 (Providing cryptographic facilities or services)
Abstract
The invention discloses a data encryption method, apparatus, device and storage medium. The method comprises: receiving, from a virtual desktop client, a data transmission request for exporting target data handled by a virtual machine to a removable storage device; obtaining, based on the request, the target data output by the virtual machine; determining an encryption policy for the target data and encrypting the target data according to that policy; and transmitting the encrypted target data to the virtual desktop client, which writes it to the removable storage device. Because encryption is performed on the management platform rather than by software inside the guest, the embodiments improve data security while reducing the virtual machine's resource usage during encryption, and so improve the experience of a user accessing the virtual machine through the virtual desktop client.
Description
Technical Field
The present invention relates to the field of data processing, and in particular, to a data encryption method, apparatus, device, and storage medium.
Background
With the development of communication technology, virtual desktops are gradually replacing traditional personal computers. A virtual desktop consolidates scattered physical machines into the data center for centralized management, operation and maintenance. It may be implemented on a Virtual Desktop Infrastructure (VDI): servers are deployed centrally and run Virtual Machines (VMs) hosting the desktop system, so a user can reach that desktop and operate it over the network without being tied to a physical location. During desktop operation only the screen image of the desktop is transmitted; the user never handles the actual data of the desktop system, which protects that data.
While using a virtual desktop, a user will inevitably need to copy data from the desktop to a removable storage device such as a USB flash drive in order to move it elsewhere. Once the data has left the virtual desktop environment, the virtual desktop can no longer enforce security controls on it.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data encryption method, apparatus, device and storage medium intended to improve the security of data exported from a virtual desktop environment.
The technical solution of the embodiments of the present invention is as follows:
An embodiment provides a data encryption method applied to a virtual desktop management platform, comprising:
receiving, from a virtual desktop client, a data transmission request for exporting target data handled by a virtual machine to a removable storage device, the removable storage device being connected to the virtual desktop client;
obtaining, based on the data transmission request, the target data output by the virtual machine;
determining an encryption policy for the target data, and encrypting the target data according to the encryption policy; and
transmitting the encrypted target data to the virtual desktop client so that the virtual desktop client can write the encrypted target data to the removable storage device.
An embodiment also provides a data encryption apparatus applied to a virtual desktop management platform, comprising:
a receiving module for receiving, from the virtual desktop client, a data transmission request for exporting target data handled by the virtual machine to a removable storage device, the removable storage device being connected to the virtual desktop client;
an acquisition module for obtaining, based on the data transmission request, the target data output by the virtual machine;
a data encryption module for determining the encryption policy corresponding to the target data and encrypting the target data according to that policy; and
a sending module for transmitting the encrypted target data to the virtual desktop client so that the client can write it to the removable storage device.
An embodiment also provides a virtual desktop management platform comprising a processor and a memory storing a computer program runnable on the processor, the processor performing the steps of the method of any embodiment when the program runs.
An embodiment also provides a storage medium storing a computer program which, when executed by a processor, performs the steps of the method of any embodiment.
In the solution of the embodiments, the virtual desktop management platform obtains the target data output by the virtual machine based on the data transmission request and encrypts it under the corresponding encryption policy. Data security is improved while the virtual machine's resource usage during encryption is reduced, which improves the experience of a user accessing the virtual machine through the virtual desktop client. Further, because the exported data is encrypted by the virtual desktop management platform rather than inside the virtual machine, a vulnerability or fault in the running virtual machine does not cause encryption to fail, which further improves the security of the exported data.
Drawings
FIG. 1 is a flow chart of a data encryption method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of the VDI structure of an embodiment of the invention;
FIG. 3 is a flow chart of a data encryption method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a data encryption device according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a virtual desktop management platform according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
To facilitate understanding of the present invention, the following terms are explained as follows:
Desktop virtualization is the virtualization of a computer's terminal system: a user can reach their own desktop system from any place, at any time, on any device, over the network. It builds on server virtualization: a desktop virtualization platform (virtualization software) on data-center servers virtualizes those servers, generates many independent desktop operating systems (virtual machines, or virtual desktops), and delivers them to terminal devices over a proprietary virtual desktop protocol. The user terminal logs on to the virtual host over Ethernet; with only a user name, password and gateway information the user can access their desktop system from anywhere, so that one physical machine serves many users.
A virtual machine is one of the many independent desktop systems obtained by virtualizing a server (physical machine) through the virtual desktop management platform; it provides the end user's operating environment, in which the end user runs software. The terminal may be a smartphone, a tablet, a desktop computer, a device dedicated to VDI access (thin client), and so on.
In the related art, VDI access is initiated by the user from a virtual desktop client, and after the user is authenticated the virtual desktop management platform grants a virtual desktop to that user. The operations and maintenance administrator can configure control functions for the virtual desktop as needed. Encryption of data copied to a USB flash drive is achieved by installing encryption software in the operating system of the virtual desktop. Deploying that software inside the virtual desktop's operating system increases the virtual machine's resource usage and degrades the user experience.
Accordingly, in the embodiments of the present invention the virtual desktop management platform, rather than software inside the virtual machine, obtains the target data output by the virtual machine in response to the data transmission request and encrypts it under the corresponding encryption policy. This improves data security while reducing the virtual machine's resource usage during encryption, and so improves the experience of a user accessing the virtual machine through the virtual desktop client.
The embodiment of the invention provides a data encryption method which is applied to a virtual desktop management platform, as shown in fig. 1, and comprises the following steps:
Step 101: receiving, from a virtual desktop client, a data transmission request for exporting target data handled by a virtual machine to a removable storage device; the removable storage device is connected to the virtual desktop client.
Here the virtual desktop management platform is the host on which the virtual machine runs. The virtual desktop client is the user-side terminal for accessing a virtual desktop; it may be a Windows, Mac, Linux or Android client running on a smartphone, a tablet, a desktop computer, a device dedicated to VDI access (thin client), and so on. The removable storage device may be a USB flash drive, a portable hard disk or similar.
Step 102: obtaining, based on the data transmission request, the target data output by the virtual machine.
Step 103: determining an encryption policy for the target data, and encrypting the target data according to that policy.
Step 104: transmitting the encrypted target data to the virtual desktop client so that the virtual desktop client can write the encrypted target data to the removable storage device.
Here the virtual desktop management platform obtains the target data output by the virtual machine based on the data transmission request, determines the encryption policy corresponding to the target data and encrypts the data accordingly. This improves data security while reducing the virtual machine's resource usage during encryption, and so improves the experience of accessing the virtual machine through the virtual desktop client. Because the exported data is encrypted on the virtual desktop management platform and not inside the guest, a vulnerability or fault in the running virtual machine does not cause encryption to fail, which further improves the security of the exported data.
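As an added illustration of steps 101 to 104 (example code written for this page, not the patent's own implementation or any vendor's product), the following Python sketches the management-platform side of one export. The VM read callback, the per-user key table and the export request are constructed stand-ins; the page says the policy selects an encryption algorithm but not which one, so the cipher here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library, standing in for the AES mode a real platform would use. The envelope layout (nonce || ciphertext || tag) is likewise an assumption.

```python
import hashlib
import hmac
import os
import struct

# Constructed key table standing in for the management platform's key store
# (assumption: one key per user, i.e. the "first" policy keyed by user).
# The key never leaves the platform; the client only ever receives ciphertext.
USER_KEYS = {
    "alice": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"),
}

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master, label):
    """Derive a purpose-bound subkey so the cipher and the MAC never share a key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR so the
    example needs only the standard library). Never reuse a nonce under one key."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_for_export(user, plaintext, nonce=None):
    """Step 103 on the platform: encrypt the target data under the user's policy key.
    Returns the envelope the client writes to the device: nonce || ciphertext || tag."""
    master = USER_KEYS.get(user)
    if master is None:
        raise PermissionError(f"no encryption policy bound for user {user!r}")  # fail closed
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(_subkey(master, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_export(user, envelope):
    """Platform-side reverse step for an authorised re-import. The tag is checked
    in constant time before any decryption, so a modified file is rejected outright."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    master = USER_KEYS.get(user)
    if master is None:
        raise PermissionError(f"no encryption policy bound for user {user!r}")
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: envelope modified or wrong key")
    return _xor(ciphertext, _keystream(_subkey(master, b"enc"), nonce, len(ciphertext)))


def handle_export_request(request, vm_read):
    """Steps 101-104: take the client's export request, fetch the bytes the VM
    produced for it (vm_read is a constructed callback standing in for the VM
    output channel) and hand the client nothing but the encrypted envelope."""
    plaintext = vm_read(request["vm_id"], request["path"])
    envelope = encrypt_for_export(request["user"], plaintext)
    return {"path": request["path"], "payload": envelope}


if __name__ == "__main__":
    # Constructed VM output and export request.
    fake_vm = {("vm1", "/home/alice/report.txt"): b"quarterly numbers, internal only"}
    reply = handle_export_request(
        {"user": "alice", "vm_id": "vm1", "path": "/home/alice/report.txt"},
        lambda vm_id, path: fake_vm[(vm_id, path)],
    )
    assert b"internal" not in reply["payload"]
    print(len(reply["payload"]), "bytes of ciphertext ready for the client to write to the device")
```

The properties worth checking in a real deployment are the ones this code enforces: the key is looked up on the platform and never sent to the client, the client receives only the envelope, a user without a bound policy gets a refusal rather than plaintext, and on re-import the tag is verified before any byte is decrypted so a file altered on the device is rejected.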
In an embodiment, the method further comprises:
the virtual desktop management platform receives, from a virtual desktop client, an access request for accessing a virtual machine; and
the virtual desktop management platform verifies the access request and, if verification passes, allows the virtual desktop client to access the corresponding virtual machine.
Here the access request may carry a user name and login password. The virtual desktop management platform checks whether the user name exists and whether the corresponding login password is correct. If verification passes, a connection based on the virtual desktop protocol is established between the requesting virtual desktop client and the virtual desktop management platform, and the client can log in over Ethernet to the target virtual machine deployed on the platform, so the user reaches their desktop system from another location and performs desktop operations.
In practice, after the user has logged in to the target virtual machine through the virtual desktop client and connected the removable storage device to that client, desktop operations such as dragging a file, or copying and pasting it, onto the device generate a data transmission request to export the target data to the removable storage device. The target virtual machine responds to the drag or copy-and-paste by exporting the corresponding target data to the virtual desktop management platform; the platform selects the encryption policy for the target data from the preset encryption policies, encrypts the data under that policy, and transmits the encrypted target data to the virtual desktop client, which writes it to the removable storage device.
In some embodiments the operations and maintenance administrator presets and stores the encryption policy of each virtual machine on the virtual desktop management platform, so the platform can select the encryption policy for the target data from the stored policies; for example, the policy bound to the virtual machine can be used as the policy for the target data.
In other embodiments the virtual desktop management platform obtains the encryption policy corresponding to the access request at access time and determines the encryption policy for the target data from it. This reduces the resource consumption of the virtual desktop management platform and improves the efficiency of virtual machine access.
In some embodiments, obtaining the encryption policy of the virtual machine based on the access request comprises: the virtual desktop management platform receiving the virtual machine's encryption policy, sent by the virtual desktop access control platform in response to the access request. The virtual desktop management platform then determines the encryption policy for the target data from the virtual machine's encryption policy.
In practice, the operations and maintenance administrator presets and stores the encryption policy of each virtual machine hosted on the virtual desktop management platform on the virtual desktop access control platform side. When the virtual desktop management platform receives an access request for a virtual machine from a virtual desktop client, it forwards the request to the virtual desktop access control platform, which verifies it and, if verification passes, returns a pass result to the management platform. On that result the management platform establishes a connection with the virtual desktop client based on the virtual desktop protocol, and the client can log in over Ethernet to the target virtual machine deployed on the management platform. In addition, the virtual desktop access control platform selects, from its stored policies, the encryption policy corresponding to the access request and sends it to the virtual desktop management platform, which determines the encryption policy for the target data from it.
Here an encryption policy specifies the encryption algorithm applied to the target data. A virtual machine's encryption policy may comprise: a first encryption policy corresponding to a user, a second encryption policy corresponding to a file type, and a third encryption policy corresponding to file content.
In some embodiments, obtaining the encryption policy of the virtual machine based on the access request comprises:
the virtual desktop management platform receiving the virtual machine's encryption policy, sent by the virtual desktop access control platform in response to the access request.
Here the virtual desktop access control platform may send the first encryption policy corresponding to the user, selected by the user identifier (user name, user ID, etc.) carried in the access request.
The virtual desktop management platform can then encrypt the target data under the first encryption policy corresponding to that user.
To manage encryption at different security levels for data of the same user, in some embodiments the encryption policy obtained by the virtual desktop management platform further includes a second encryption policy, and determining the encryption policy of the target data comprises:
determining, from the file type identifier of the target data, whether the target data matches the second encryption policy;
if it matches, using the second encryption policy as the encryption policy of the target data;
if it does not match, selecting the first encryption policy by the user identifier associated with the target data and using it as the encryption policy of the target data;
where the first encryption policy corresponds to a user of the virtual machine and the second encryption policy corresponds to a file type on the virtual machine.
In practice, data of particular file types can be encrypted at a higher security level than a user's ordinary data; for example, files with a configured set of extensions can be designated as requiring the second encryption policy. If the target data has one of the configured extensions it is deemed to match the second encryption policy and is encrypted under it; otherwise it is encrypted under the first encryption policy.
In some embodiments the encryption policy obtained by the virtual desktop management platform further includes a third encryption policy, and determining the encryption policy of the target data comprises:
extracting keywords from the target data and determining from the extraction result whether the target data matches the third encryption policy;
if it matches, using the third encryption policy as the encryption policy of the target data;
if it does not match, selecting the first encryption policy by the user identifier associated with the target data and using it as the encryption policy of the target data;
where the first encryption policy corresponds to a user of the virtual machine and the third encryption policy corresponds to file content on the virtual machine.
In practice, files containing sensitive content can be encrypted at a higher security level than a user's ordinary data. For example, terms such as "secret", "internal data" or "avoid leakage" can be configured as the sensitive content that tags the third encryption policy; keywords are extracted from the target data to decide whether it contains such content, and if so the target data is deemed to match the third encryption policy and is encrypted under it. If the target data does not match the third encryption policy it is encrypted under the first encryption policy.
In some embodiments the encryption policy obtained by the virtual desktop management platform includes all three. The platform may first check whether the target data matches the third encryption policy and, if so, encrypt under it; otherwise check whether it matches the second encryption policy and, if so, encrypt under that; otherwise encrypt under the first encryption policy. In other embodiments the second encryption policy is checked first, then the third, with the first encryption policy again as the fallback.
The virtual desktop management platform thus applies encryption policies flexibly and can meet data encryption requirements at different levels. The precedence order is itself part of the configuration: when a file matches both the second and the third policy, the order decides which one is applied.
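To make the precedence described above concrete, here is an added Python example (written for this page, not the patent's own code) that resolves the policy tier for one export. The policy set, the policy names and the keyword list are constructed; the page does not say how keyword extraction is implemented, so the example uses a plain case-insensitive substring scan over the file bytes decoded as UTF-8, which is an assumption.

```python
import os

# Constructed policy set of the kind an operator would bind to one virtual machine.
# "first" is keyed by user, "second" by file extension, "third" by content keyword.
# Policy names are placeholders for whatever algorithm/key selection the platform uses.
VM_POLICY = {
    "first": {"alice": "aes256-user-alice", "bob": "aes256-user-bob"},
    "second": {".docx": "aes256-office-hsm", ".xlsx": "aes256-office-hsm"},
    "third": {
        "keywords": ["secret", "internal data", "avoid leakage"],
        "policy": "aes256-sensitive-hsm",
    },
}


def second_policy(filename, policy_set):
    """Match on the file type identifier: the extension, compared case-insensitively
    so 'REPORT.DOCX' cannot slip past a lowercase rule."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return policy_set["second"].get(ext)


def third_policy(data, policy_set):
    """Match on file content: a keyword scan over the bytes decoded as text.
    Undecodable bytes are dropped rather than aborting the scan, so a binary
    file with an embedded plaintext marker still matches."""
    text = data.decode("utf-8", errors="ignore").lower()
    rule = policy_set["third"]
    if any(keyword.lower() in text for keyword in rule["keywords"]):
        return rule["policy"]
    return None


def first_policy(user, policy_set):
    """Fallback on the user identifier. No user policy means no export: fail closed
    rather than writing plaintext to the device."""
    policy = policy_set["first"].get(user)
    if policy is None:
        raise PermissionError(f"no encryption policy bound for user {user!r}")
    return policy


def resolve_policy(user, filename, data, policy_set=VM_POLICY, order=("third", "second", "first")):
    """Return (tier, policy) for one export. `order` is the precedence the operator
    chose; the default checks content, then file type, then falls back to the user."""
    checks = {
        "third": lambda: third_policy(data, policy_set),
        "second": lambda: second_policy(filename, policy_set),
        "first": lambda: first_policy(user, policy_set),
    }
    for tier in order:
        policy = checks[tier]()
        if policy is not None:
            return tier, policy
    raise PermissionError("no encryption policy matched")  # only reachable if 'first' is left out


if __name__ == "__main__":
    # Constructed exports: ordinary text, an office file, and a file carrying a keyword.
    print(resolve_policy("alice", "notes.txt", b"lunch menu"))
    print(resolve_policy("alice", "Plan.DOCX", b"roadmap"))
    print(resolve_policy("alice", "memo.txt", b"INTERNAL DATA: do not forward"))
```

Two checks matter here: extensions are compared case-insensitively, and an unknown user fails closed. The naive keyword scan also has a limit the page does not mention: office formats such as .docx are zip containers, so their text is not visible to a byte scan and only the file-type rule will catch them, which is a practical reason to keep the second policy alongside the third.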
The present invention will be described in further detail with reference to examples of application.
FIG. 2 shows the structure of the VDI in this application example. The VDI comprises a virtual desktop access control platform 201, a virtual desktop management platform 202 and a virtual desktop client 203. The virtual desktop access control platform 201 comprises a policy group unit 2011 and a policy group issuing control unit 2012; the virtual desktop management platform 202 comprises a plurality of virtual machines (e.g. VM1, VM2), a data encryption unit 2021 and a first data transmission unit 2022; the virtual desktop client 203 comprises a USB (Universal Serial Bus) control unit 2031 and a second data transmission unit 2032.
Here the policy group unit 2011 stores and updates the encryption policies of each virtual machine. The policy group issuing control unit 2012 issues the encryption policy corresponding to an access request to the data encryption unit 2021 of the virtual desktop management platform 202, and the data encryption unit 2021 encrypts the target data. The first data transmission unit 2022 transmits the encrypted target data to the virtual desktop client 203. The USB control unit 2031 manages access requests from the removable storage device 204 connected to the virtual desktop client 203 and governs reading data from, and writing data to, that device.
As shown in FIG. 3, in this application example the method for encrypting data exported to the removable storage device comprises the following steps:
Step 301: add the encryption policy for exported data to a policy group and bind it to a virtual machine.
The operations and maintenance administrator imports the relevant encryption policy into the policy group unit 2011 on the virtual desktop access control platform 201 side, and the policy group unit binds the policy to the corresponding virtual machine according to the configured correspondence between policies and virtual machines.
Step 302: the virtual desktop access control platform issues the encryption policy to the virtual desktop management platform.
The user sends an access request for a target virtual machine to the virtual desktop management platform 202 through the virtual desktop client 203. The management platform 202 forwards the request to the virtual desktop access control platform 201, which verifies it; if verification passes, the access control platform instructs the management platform 202 to establish a connection with the client 203 based on the virtual desktop protocol, and the client 203 can then log in over Ethernet to the target virtual machine deployed on the management platform 202.
The policy group issuing control unit 2012 of the virtual desktop access control platform 201 also sends the encryption policy corresponding to the access request to the data encryption unit 2021 of the virtual desktop management platform 202.
Step 303: the virtual desktop management platform encrypts the data exported to the removable storage device according to the encryption policy and sends the encrypted data to the virtual desktop client.
The data encryption unit 2021 encrypts the target data output by the target virtual machine under the encryption policy; the first data transmission unit 2022 transfers the encrypted target data to the second data transmission unit 2032 on the virtual desktop client 203 side, which writes it to the removable storage device 204.
The export method of this application example encrypts data as it is exported from the virtual machine to the removable storage device and provides policy management and control over such exports. It secures the transfer of data from the user's virtual desktop to the removable storage device while giving the operations and maintenance administrator flexible policy control. In addition, performing encryption in the data encryption unit 2021 of the virtual desktop management platform 202 reduces the load on virtual desktop resources during encryption and preserves the user experience.
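The verification and issuance exchange of steps 301 to 303, together with the user-name and password check the description gives for the access request, as an added Python example (written for this page; it is not the patent's implementation and the page does not specify any of these internals). Both platforms, the credential store, the policy group and the session table are constructed in-memory stand-ins; storing passwords as salted PBKDF2-HMAC-SHA256, comparing in constant time and hashing against a dummy record for unknown user names are this example's choices, not something the page states.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: kept modest for the example; raise in production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). No plaintext password is stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccessControlPlatform:
    """Side 201: holds the policy group (step 301) and verifies forwarded access requests.
    Credential store and policy group are constructed in-memory stand-ins."""

    def __init__(self):
        self._users = {}          # user name -> (salt, digest)
        self._policy_group = {}   # vm_id -> encryption policy name
        self._dummy = hash_password("placeholder")  # same-cost path for unknown user names

    def add_user(self, user, password):
        self._users[user] = hash_password(password)

    def bind_policy(self, vm_id, policy):
        """Step 301: bind a policy from the policy group to one virtual machine."""
        self._policy_group[vm_id] = policy

    def verify_and_issue(self, request):
        """Step 302: check user name and password in the forwarded request and, on a pass,
        issue the policy bound to the requested VM. Returns (verified, policy). Unknown
        user names still run PBKDF2 against a dummy record so response time does not
        reveal which accounts exist."""
        salt, stored = self._users.get(request["user"], self._dummy)
        _, candidate = hash_password(request["password"], salt)
        verified = hmac.compare_digest(candidate, stored) and request["user"] in self._users
        if not verified:
            return False, None
        return True, self._policy_group.get(request["vm_id"])


class ManagementPlatform:
    """Side 202: forwards access requests, keeps per-session state, and hands the data
    encryption unit the policy that was issued for the session's VM."""

    def __init__(self, access_control):
        self._acp = access_control
        self._sessions = {}  # token -> {"user", "vm_id", "policy"}

    def login(self, request):
        """Returns a session token only after the access control platform reports a pass."""
        verified, policy = self._acp.verify_and_issue(request)
        if not verified:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": request["user"], "vm_id": request["vm_id"], "policy": policy}
        return token

    def policy_for_export(self, token, vm_id):
        """Precondition for step 303: the export must come from an authenticated session
        for this VM, and that VM must have an issued policy. Anything else is refused,
        so no export ever proceeds without a policy."""
        session = self._sessions.get(token)
        if session is None or session["vm_id"] != vm_id:
            raise PermissionError("no authenticated session for this virtual machine")
        if session["policy"] is None:
            raise PermissionError("no encryption policy issued for this virtual machine")
        return session["policy"]


if __name__ == "__main__":
    acp = AccessControlPlatform()
    acp.add_user("alice", "correct horse battery staple")  # constructed credential
    acp.bind_policy("vm1", "aes256-user-alice")            # constructed policy name
    mp = ManagementPlatform(acp)
    token = mp.login({"user": "alice", "password": "correct horse battery staple", "vm_id": "vm1"})
    print("policy issued for this session:", mp.policy_for_export(token, "vm1"))
```

The design point is fail-closed issuance: a session exists only after the access control platform returns a pass, the issued policy is bound to that session and VM, and an export for a VM with no bound policy raises instead of proceeding. Unknown user names take the same hashing path as real ones so timing does not reveal which accounts exist.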
To implement the method of the embodiments, an embodiment further provides a data encryption apparatus deployed on a virtual desktop management platform; as shown in FIG. 4, it comprises a receiving module 401, an acquisition module 402, a data encryption module 403 and a sending module 404.
Here the receiving module 401 receives, from the virtual desktop client, a data transmission request for exporting target data handled by the virtual machine to the removable storage device, the removable storage device being connected to the virtual desktop client. The acquisition module 402 obtains, based on the data transmission request, the target data output by the virtual machine. The data encryption module 403 determines the encryption policy corresponding to the target data and encrypts the target data accordingly. The sending module 404 transmits the encrypted target data to the virtual desktop client so that the client can write it to the removable storage device.
In some embodiments the receiving module 401 also receives, from the virtual desktop client, an access request for accessing the virtual machine, and the acquisition module 402 obtains the virtual machine's encryption policy based on the access request once that request has passed verification.
In some embodiments the data encryption module 403 is configured to:
select the first encryption policy by the user identifier associated with the target data and use it as the encryption policy of the target data, where the first encryption policy corresponds to a user of the virtual machine.
In some embodiments the data encryption module 403 is configured to:
determine, from the file type identifier of the target data, whether the target data matches a second encryption policy;
if it matches, use the second encryption policy as the encryption policy of the target data;
if it does not match, select the first encryption policy by the user identifier associated with the target data and use it as the encryption policy of the target data;
where the first encryption policy corresponds to a user of the virtual machine and the second encryption policy corresponds to a file type on the virtual machine.
In some embodiments the data encryption module 403 is configured to:
extract keywords from the target data and determine from them whether the target data matches a third encryption policy;
if it matches, use the third encryption policy as the encryption policy of the target data;
if it does not match, select the first encryption policy by the user identifier associated with the target data and use it as the encryption policy of the target data;
where the first encryption policy corresponds to a user of the virtual machine and the third encryption policy corresponds to file content on the virtual machine.
In some embodiments the acquisition module 402 is configured to:
receive the virtual machine's encryption policy, sent by the virtual desktop access control platform in response to the access request.
With the data encryption apparatus of these embodiments, the virtual desktop management platform obtains the target data output by the virtual machine based on the data transmission request, determines the encryption policy corresponding to the target data and encrypts the data accordingly. This improves data security while reducing the virtual machine's resource usage during encryption, and so improves the experience of accessing the virtual machine through the virtual desktop client. Because the exported data is encrypted on the virtual desktop management platform rather than inside the guest, a vulnerability or fault in the running virtual machine does not cause encryption to fail, which further improves the security of the exported data. Finally, the platform applies encryption policies flexibly and can meet data encryption requirements at different levels for the same user.
In practical applications, the receiving module 401, the acquiring module 402, the data encrypting module 403 and the transmitting module 404 may be implemented by a processor in the data encrypting device. Of course, the processor needs to run a computer program in memory to implement its functions.
It should be noted that: in the data encryption device provided in the above embodiment, only the division of each program module is used for illustration, and in practical application, the above processing allocation may be performed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules, so as to complete all or part of the processing described above. In addition, the data encryption device and the data encryption method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the data encryption device and the data encryption method are detailed in the method embodiments and are not described herein again.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiment of the present invention, the embodiment of the present invention further provides a virtual desktop management platform. Fig. 5 illustrates only an exemplary structure of the virtual desktop management platform, and not all structures, and some or all of the structures illustrated in fig. 5 may be implemented as desired.
As shown in fig. 5, a virtual desktop management platform 500 provided in an embodiment of the present invention includes at least one processor 501, a memory 502, a user interface 503 and at least one network interface 504. The components of virtual desktop management platform 500 are coupled together by a bus system 505, which enables connection and communication between them. Besides a data bus, the bus system 505 includes a power bus, a control bus and a status signal bus, but for clarity of illustration the various buses are all labeled as bus system 505 in fig. 5.
The user interface 503 may include, among other things, a display, keyboard, mouse, trackball, click wheel, keys, buttons, touch pad, or touch screen, etc.
Memory 502 in embodiments of the present invention is used to store various types of data to support the operation of virtual desktop management platform 500. Examples of such data include: any computer program for operating on virtual desktop management platform 500.
The data encryption method disclosed in the embodiment of the invention may be applied to, or implemented by, the processor 501. The processor 501 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the data encryption method may be carried out by integrated hardware logic in the processor 501 or by instructions in the form of software. The processor 501 may be a general purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 501 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiment of the invention may be embodied directly in the hardware of a decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium such as the memory 502; the processor 501 reads the information in the memory 502 and, in combination with its hardware, performs the steps of the data encryption method provided by the embodiments of the present invention.
In an exemplary embodiment, virtual desktop management platform 500 may be implemented by one or more application specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), FPGAs, general purpose processors, controllers, microcontrollers (MCUs), microprocessors, or other electronic components for performing the aforementioned methods.
It is to be appreciated that memory 502 can be volatile memory or non-volatile memory, and can include both. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), flash memory, a magnetic surface memory, an optical disk, or a compact disc read-only memory (CD-ROM); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), synchronous static RAM (SSRAM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), double data rate synchronous dynamic RAM (DDRSDRAM), enhanced synchronous dynamic RAM (ESDRAM), SyncLink dynamic RAM (SLDRAM), and direct Rambus RAM (DRRAM). The memory described in embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present invention further provides a storage medium, i.e., a computer storage medium, which may specifically be a computer readable storage medium, for example a memory 502 storing a computer program, where the computer program may be executed by the processor 501 of the virtual desktop management platform 500 to perform the steps of the method of the embodiment of the present invention. The computer readable storage medium may be a ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM.
It should be noted that "first", "second", etc. are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
In addition, the embodiments of the present invention may be combined arbitrarily as long as they do not conflict.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto; any person skilled in the art will readily recognize that variations or substitutions fall within the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.
Claims (10)
1. A data encryption method, applied to a virtual desktop management platform, comprising:
receiving a data transmission request, sent by a virtual desktop client, for exporting target data operated by a virtual machine to a mobile storage device, the mobile storage device being connected to the virtual desktop client;
acquiring the target data output by the virtual machine based on the data transmission request;
selecting an encryption policy matching the target data from pre-stored encryption policies according to the priority of the pre-stored encryption policies, and encrypting the target data according to the selected encryption policy; the pre-stored encryption policies comprise a first encryption policy corresponding to a user of the virtual machine, a second encryption policy corresponding to a file type under the virtual machine, and a third encryption policy corresponding to file content under the virtual machine, wherein the user, the file type and the file content correspond to the target data; the second encryption policy and the third encryption policy have a higher priority than the first encryption policy; and the third encryption policy is determined according to whether keywords matching the third encryption policy exist in the target data; and
transmitting the encrypted target data to the virtual desktop client so that the virtual desktop client transmits the encrypted target data to the mobile storage device.
2. The method according to claim 1, wherein the method further comprises:
receiving an access request, sent by the virtual desktop client, for accessing the virtual machine; and
if the access request passes verification, acquiring an encryption policy of the virtual machine based on the access request, the encryption policy of the virtual machine being used to determine the encryption policy of the target data.
3. The method of claim 1, wherein selecting an encryption policy matching the target data from the pre-stored encryption policies according to the priority of the pre-stored encryption policies comprises:
determining a first encryption policy based on a user identifier corresponding to the target data, and taking the first encryption policy as the encryption policy of the target data; wherein the first encryption policy corresponds to a user of the virtual machine.
4. The method of claim 1, wherein selecting an encryption policy matching the target data from the pre-stored encryption policies according to the priority of the pre-stored encryption policies comprises:
determining, based on a file type identifier corresponding to the target data, whether the target data matches a second encryption policy;
if the target data matches the second encryption policy, taking the second encryption policy as the encryption policy of the target data;
if the target data does not match the second encryption policy, determining a first encryption policy based on a user identifier corresponding to the target data, and taking the first encryption policy as the encryption policy of the target data;
wherein the first encryption policy corresponds to a user of the virtual machine, and the second encryption policy corresponds to a file type under the virtual machine.
5. The method of claim 1, wherein selecting an encryption policy matching the target data from the pre-stored encryption policies according to the priority of the pre-stored encryption policies comprises:
extracting keywords from the target data, and determining, based on the extracted keywords, whether the target data matches a third encryption policy;
if the target data matches the third encryption policy, taking the third encryption policy as the encryption policy of the target data;
if the target data does not match the third encryption policy, determining a first encryption policy based on a user identifier corresponding to the target data, and taking the first encryption policy as the encryption policy of the target data;
wherein the first encryption policy corresponds to a user of the virtual machine, and the third encryption policy corresponds to file content under the virtual machine.
6. The method of claim 2, wherein acquiring the encryption policy of the virtual machine based on the access request comprises:
receiving the encryption policy of the virtual machine sent by the virtual desktop access control platform based on the access request.
7. A data encryption device, applied to a virtual desktop management platform, comprising:
a receiving module, configured to receive a data transmission request, sent by a virtual desktop client, for exporting target data operated by a virtual machine to a mobile storage device, the mobile storage device being connected to the virtual desktop client;
an acquisition module, configured to acquire the target data output by the virtual machine based on the data transmission request;
a data encryption module, configured to select an encryption policy corresponding to the target data from pre-stored encryption policies according to the priority of the pre-stored encryption policies, and to encrypt the target data according to the selected encryption policy; the pre-stored encryption policies comprise a first encryption policy corresponding to a user of the virtual machine, a second encryption policy corresponding to a file type under the virtual machine, and a third encryption policy corresponding to file content under the virtual machine, wherein the user, the file type and the file content correspond to the target data; the second encryption policy and the third encryption policy have a higher priority than the first encryption policy; and the third encryption policy is determined according to whether keywords matching the third encryption policy exist in the target data; and
a sending module, configured to transmit the encrypted target data to the virtual desktop client so that the virtual desktop client transmits the encrypted target data to the mobile storage device.
8. The device of claim 7, wherein
the receiving module is further configured to receive an access request, sent by the virtual desktop client, for accessing the virtual machine; and
the acquisition module is further configured to acquire the encryption policy of the virtual machine based on the access request if the access request passes verification.
9. A virtual desktop management platform, comprising a processor and a memory for storing a computer program capable of running on the processor, wherein
the processor is adapted to perform the steps of the method of any of claims 1 to 6 when the computer program is run.
10. A storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method of any of claims 1 to 6.
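The priority-ordered policy selection of claims 1, 3, 4 and 5 (and of the data encryption module 403 in the device embodiment), together with the access-request gate of claim 2, worked through in Python. This is an added example, not code from the patent or its applicant. The record layouts, the policy and key names, the fail-closed refusal when no policy applies, and the decision to test the content (third) policy before the file-type (second) policy are all assumptions of this example; the claims only state that the second and third policies outrank the first. Encryption itself is left to whatever key service owns the selected `key_id`, which the selector reports.

```python
"""Priority-ordered selection of an export encryption policy (added example).

Models the claimed scheme: a first (user) policy, a second (file-type) policy
and a third (file-content keyword) policy, where the second and third policies
outrank the first. Layouts, names and the content-before-file-type order are
assumptions of this example, not something the patent specifies.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EncryptionPolicy:
    name: str
    level: int                          # 1 = user, 2 = file type, 3 = file content
    key_id: str                         # key the platform would encrypt with (assumed field)
    file_types: Tuple[str, ...] = ()    # level 2 only: lowercase extensions such as ".dwg"
    keywords: Tuple[str, ...] = ()      # level 3 only: terms whose presence selects the policy


@dataclass(frozen=True)
class ExportRequest:
    vm_id: str
    user_id: str
    file_name: str
    data: bytes


@dataclass
class VmPolicySet:
    """Policies of one virtual machine, released to the platform after access verification."""
    user_policies: Dict[str, EncryptionPolicy]
    file_type_policies: List[EncryptionPolicy]
    content_policies: List[EncryptionPolicy]


def policies_for_session(access_verified: bool, vm_id: str,
                         registry: Dict[str, VmPolicySet]) -> VmPolicySet:
    """Claim 2 analogue: a VM's policies are only handed out once the access request is verified."""
    if not access_verified:
        raise PermissionError("access request not verified; policies withheld")
    if vm_id not in registry:
        raise PermissionError(f"no policy set registered for VM {vm_id!r}")
    return registry[vm_id]


def match_content_policy(data: bytes, policies: List[EncryptionPolicy]) -> Optional[EncryptionPolicy]:
    """Third policy: scan the file content for any keyword of a policy (case-insensitive substring)."""
    text = data.decode("utf-8", errors="ignore").lower()
    for policy in policies:
        if any(keyword.lower() in text for keyword in policy.keywords):
            return policy
    return None


def match_file_type_policy(file_name: str, policies: List[EncryptionPolicy]) -> Optional[EncryptionPolicy]:
    """Second policy: match on the file type identifier, here taken from the file extension."""
    ext = os.path.splitext(file_name)[1].lower()
    for policy in policies:
        if ext in policy.file_types:
            return policy
    return None


def select_policy(req: ExportRequest, policies: VmPolicySet) -> EncryptionPolicy:
    """Walk the policies from highest to lowest priority; refuse the export if none applies."""
    chosen = match_content_policy(req.data, policies.content_policies)                # priority 3
    if chosen is None:
        chosen = match_file_type_policy(req.file_name, policies.file_type_policies)   # priority 2
    if chosen is None:
        chosen = policies.user_policies.get(req.user_id)                              # priority 1
    if chosen is None:
        # Fail closed: data with no applicable policy must not leave the platform in plaintext.
        raise PermissionError(f"no encryption policy applies to user {req.user_id!r}")
    return chosen


def sample_registry() -> Dict[str, VmPolicySet]:
    """Constructed sample policies for one VM; the names, users and key ids are made up."""
    user_default = EncryptionPolicy("user-default", 1, "key-user-alice")
    cad = EncryptionPolicy("cad-drawings", 2, "key-cad", file_types=(".dwg", ".step"))
    secret = EncryptionPolicy("marked-confidential", 3, "key-confidential",
                              keywords=("CONFIDENTIAL", "机密"))
    return {"vm-42": VmPolicySet({"alice": user_default}, [cad], [secret])}


def demo_decisions() -> Dict[str, str]:
    """Run constructed export requests through the selector; returns file name -> chosen policy."""
    policies = policies_for_session(True, "vm-42", sample_registry())
    requests = [
        ExportRequest("vm-42", "alice", "minutes.txt", b"weekly sync notes"),          # user policy
        ExportRequest("vm-42", "alice", "bracket.dwg", b"\x00\x01binary drawing"),     # file type
        ExportRequest("vm-42", "alice", "report.txt", "Status: confidential draft".encode()),
        ExportRequest("vm-42", "alice", "plan.step", "项目计划（机密）".encode()),     # content beats type
    ]
    return {r.file_name: select_policy(r, policies).name for r in requests}
```

The last request shows why the ordering between the two higher-priority policies has to be fixed explicitly: `plan.step` matches both the file-type policy and the keyword policy, and this example resolves the tie in favour of the content policy. A deployment that wants the file-type policy to win would swap the first two checks in `select_policy`.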
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911347007.XA CN111158857B (en) | 2019-12-24 | 2019-12-24 | Data encryption method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111158857A CN111158857A (en) | 2020-05-15 |
CN111158857B true CN111158857B (en) | 2024-05-24 |
Family
ID=70558358
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911347007.XA Active CN111158857B (en) | 2019-12-24 | 2019-12-24 | Data encryption method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111158857B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112269986B (en) * | 2020-10-29 | 2025-01-17 | 深信服科技股份有限公司 | Process management method, device and storage medium |
CN112329036B (en) * | 2020-11-03 | 2025-05-30 | 平安信托有限责任公司 | File security processing method, device, equipment and storage medium |
CN113656817A (en) * | 2021-07-23 | 2021-11-16 | 西安万像电子科技有限公司 | Data encryption method |
CN113656820B (en) * | 2021-08-20 | 2025-08-12 | 西安万像电子科技有限公司 | Data encryption method and device and remote desktop system |
CN114900332B (en) * | 2022-04-12 | 2024-05-31 | 深圳市乐凡信息科技有限公司 | Data transmission method, device, equipment and storage medium of virtual environment |
CN115529348A (en) * | 2022-10-14 | 2022-12-27 | 深信服科技股份有限公司 | Data transmission method, system, equipment and computer readable storage medium |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101034420A (en) * | 2006-03-07 | 2007-09-12 | 陈川舟 | Network game virtual property off line preservation mode and application |
US8127149B1 (en) * | 2006-06-29 | 2012-02-28 | Symantec Corporation | Method and apparatus for content based encryption |
CN102739689A (en) * | 2012-07-16 | 2012-10-17 | 四川师范大学 | File data transmission device and method used for cloud storage system |
US8572370B1 (en) * | 2007-12-21 | 2013-10-29 | Parallels IP Holdings GmbH | Accessing a remote virtual environment without user authentication |
CN104091129A (en) * | 2014-06-26 | 2014-10-08 | 腾讯科技(深圳)有限公司 | Data processing method and device |
CN104104692A (en) * | 2014-08-05 | 2014-10-15 | 山东中孚信息产业股份有限公司 | Virtual machine encryption method, decryption method and encryption-decryption control system |
CN104219208A (en) * | 2013-06-03 | 2014-12-17 | 华为技术有限公司 | A method and device for data input |
CN105069362A (en) * | 2015-06-30 | 2015-11-18 | 广东轩辕网络科技股份有限公司 | Storage method and device |
CN105376216A (en) * | 2015-10-12 | 2016-03-02 | 华为技术有限公司 | Remote access method, agent server and client end |
CN105389520A (en) * | 2015-11-11 | 2016-03-09 | 中国建设银行股份有限公司 | Data access control method and apparatus and mobile storage medium |
WO2016154520A1 (en) * | 2015-03-25 | 2016-09-29 | Vera | Access files |
CN106295367A (en) * | 2016-08-15 | 2017-01-04 | 北京奇虎科技有限公司 | Data ciphering method and device |
CN107609418A (en) * | 2017-08-31 | 2018-01-19 | 深圳市牛鼎丰科技有限公司 | Desensitization method, device, storage device and the computer equipment of text data |
CN108021801A (en) * | 2017-11-20 | 2018-05-11 | 深信服科技股份有限公司 | Divulgence prevention method, server and storage medium based on virtual desktop |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9477531B2 (en) * | 2010-01-27 | 2016-10-25 | Vmware, Inc. | Accessing virtual disk content of a virtual machine without running a virtual desktop |
US9274821B2 (en) * | 2010-01-27 | 2016-03-01 | Vmware, Inc. | Independent access to virtual machine desktop content |
CN102271124B (en) * | 2010-06-01 | 2015-05-13 | 富士通株式会社 | Data processing equipment and data processing method |
US9213544B2 (en) * | 2013-04-08 | 2015-12-15 | Vmware, Inc. | Desktop shadowing in a virtual desktop infrastructure environment |
Non-Patent Citations (1)
Title |
---|
卿昱 et al., 《云计算安全技术》, 2016, pp. 105-109. * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||