CN111177773B - Full disk encryption and decryption method and system based on network card ROM - Google Patents
- Publication number: CN111177773B (application CN201911258554.0A)
- Authority: CN (China)
- Prior art keywords: network card, card rom, key, kernel, rom
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F21/60—Protecting data
      - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
        - G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
      - G06F21/602—Providing cryptographic facilities or services
  - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
      - G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of data encryption and decryption, and discloses a full disk encryption and decryption method based on a network card ROM. The storage is divided into a bootloader, a kernel and a file system; the key is stored in a network card ROM, and during bootloader start-up the key is automatically read from the network card ROM, the kernel and the file system are decrypted, and the decrypted kernel is then started. The core of the scheme is to store the key in the device's own hardware, so that the key is bound to the device, compatibility with existing equipment is maintained and the security of the storage area is improved; in addition, the scheme requires no changes to existing applications and is highly usable. The invention also discloses a full disk encryption and decryption system based on the network card ROM.
Description
Technical Field
The invention relates to the technical field of data encryption and decryption, in particular to a full disk encryption and decryption method and system based on a network card ROM.
Background
With the rapid development of computers and networks, mass data is stored in a wide variety of devices, among which the block device is the most important storage device and carries a large number of confidential documents. If the system has a vulnerability that the user is not aware of, or the block device is stolen or lost, governments, enterprises or individuals can suffer significant economic and personal losses. How to effectively protect the security of confidential documents, especially after a computer is lost or stolen, and prevent the illegal leakage of confidential information is a new challenge that this application requirement poses to today's ubiquitous storage security. In the consumer field, the Android smartphone operating system has provided a storage encryption function since version 3.0, and Microsoft Windows provides the BitLocker function, so that the whole disk can be encrypted. However, these solutions require a great deal of user interaction (e.g. password input) and are clearly unsuitable for devices operating in an industrial environment, which require 7 × 24 h operation without human intervention.
Disclosure of Invention
The technical problem addressed by the invention is as follows: in view of the above problems, a full disk encryption and decryption method and system based on a network card ROM are provided.
The technical scheme adopted by the invention is as follows: a full disk encryption and decryption method based on a network card ROM comprises the following steps:
dividing the storage into a bootloader (boot loader), a kernel and a file system;
and storing the key in a network card ROM, automatically acquiring the key from the network card ROM in the boot loader starting process, decrypting the kernel and the file system, and then starting the decrypted kernel.
Further, the bootloader is grub2.
Further, grub2 comprises an MBR, which contains the partition table and the stage1 load code of grub2, and a grub2 image.
Further, the MBR is located in the first sector of the disk, and the grub2 image is located in the MBR sector and in the gap between the kernel and the file system partition.
Further, more than 16 bytes are reserved for the key.
Further, the key stored in the network card ROM is processed with the pbkdf2 algorithm.
Further, the full disk encryption method based on the network card ROM also comprises the following system initialization and encryption process: a key is generated randomly and written into the network card ROM; the cryptsetup tool is called to encrypt the partitions of the storage that need encryption, namely the kernel and the file system.
Furthermore, the network card has a PCI interface, grub2 provides a PCI access interface, and grub2 obtains the key from the network card ROM through the PCI access interface and the PCI interface for decryption.
Further, when the device containing the storage has run into the kernel and switches to the file system, the key is obtained from the network card ROM again to decrypt the encrypted partition.
The invention also discloses a full disk encryption and decryption system based on the network card ROM, which comprises: a storage unit and a network card ROM unit;
the storage unit is divided into a Bootloader unit, a kernel unit and a file system unit; the network card ROM unit stores the key; the Bootloader automatically obtains the key from the network card ROM during start-up and decrypts the kernel and the file system, and then the decrypted kernel is started.
Compared with the prior art, the beneficial effects of adopting the technical scheme are as follows:
(1) the technical scheme of the invention stores the secret key in the hardware of the equipment, achieves the purpose of binding with the equipment, and keeps the compatibility with the existing equipment, such as an ARM platform, an X86 platform, a Loongson platform and the like.
(2) The key is stored in the network card ROM and can be set randomly for each device, so that the compromise of one host does not compromise all hosts (a genuine "back door" is avoided), and the security of the storage area is improved.
(3) In this scheme the network card ROM holding the key is accessed through the PCI interface together with the storage area, and every access to the storage is bound to the device in which the storage is located; if the storage is removed and accessed directly by physical means, or placed in any other device, it cannot be accessed directly, which improves the security of the encrypted contents.
(4) The scheme minimizes interference with existing applications, requires no changes to them, and is highly usable.
(5) In this scheme the Bootloader automatically loads the program and obtains the key for the decryption operation, so operation is non-interactive; this suits the requirement for unattended 7 × 24 h operation of industrial plant.
Drawings
FIG. 1 is a schematic diagram of memory partitioning in an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
A full disk encryption and decryption method based on a network card ROM comprises the following steps:
Example 1: as shown in fig. 1, the storage is divided into a bootloader, a kernel and a file system (other areas may exist on the disk as needed, and whether each of them is encrypted is configured as required; in this embodiment the other areas are encrypted partitions);
based on the design objective, the key needs to be stored in the device's hardware so that it is bound to the device; at the same time, the stored key information must be preserved; in addition, for safety, more than 16 bytes must be reserved for the key to prevent brute-force cracking. Based on these considerations, a key (a symmetric key in this embodiment) is stored in the network card ROM; during bootloader start-up the key is automatically obtained from the network card ROM, the kernel and the file system are decrypted, and the decrypted kernel is then started.
The scheme makes as much use as possible of existing hardware, improves the storage privacy of the equipment by software means without increasing hardware cost, and integrates seamlessly with existing applications.
Example 2: based on embodiment 1, the bootloader is grub2 (the GNU project's multi-OS boot loader).
grub2 comprises the MBR (master boot record), which contains the partition table and the stage1 load code of grub2, and the grub2 image. Since the device itself has no encryption/decryption facilities, grub2 is left unencrypted, while the kernel, the file system and the other subsequent partitions are all encrypted.
The MBR is located in the first sector (512 bytes) of the disk, and the grub2 image is located in the MBR sector and in the gap between the kernel and the file system partition.
In another embodiment, the core of embodiment 1 is storing the key in the network card ROM; on that basis, the information in the network card ROM can be transformed multiple times. In this embodiment the key stored in the network card ROM is processed with the pbkdf2 algorithm, which increases the difficulty of cracking; other algorithms, such as hash algorithms, may also be used for the multiple transformations.
Another embodiment is based on embodiment 1, and system initialization must be performed while the device is still unencrypted. After entering the system: a key is generated randomly and written into the network card ROM; the cryptsetup tool is called to encrypt the partitions of the storage that need encryption, namely the kernel and the file system, and in the embodiment of fig. 1 the other areas also need to be encrypted.
In another embodiment, based on embodiment 2, grub2 must handle both encrypted and unencrypted partitions. The most important task is obtaining the key and decrypting: because the network card is generally connected to the device through a PCI interface, and grub2 provides a complete PCI access interface that makes the registers of PCI devices easy to access, the network card in this embodiment has a PCI interface, grub2 provides a PCI access interface, and during decryption grub2 obtains the key from the network card ROM through the PCI access interface and the PCI interface; this layer of decryption is what allows the storage device to operate.
In another embodiment, once the storage device is running and the device containing it has entered the kernel and switched to the file system, the key is obtained from the network card ROM to decrypt the encrypted partitions in the storage space; after this layer of decryption, other application programs can access the encrypted partitions. The decryption process is simple, and existing tools are available for reading the ROM and performing the decryption.
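The initialization and boot flow described in the summary (random key written to the network card ROM, pbkdf2 processing, cryptsetup encryption of the kernel and file system, decryption at bootloader start-up and again after the switch to the file system) and in the embodiments above, as an added Python example; it is not code from the patent or from any product. The network card ROM is modelled as a byte array (a real bootloader would reach it through the PCI access interface), cryptsetup/LUKS is stood in for by an HMAC-SHA256 counter-mode keystream with a MAC tag, so that a disk placed in a device whose ROM holds a different key is rejected instead of decrypting to garbage, and the ROM key offset, PBKDF2 salt and iteration count are constructed values that the patent does not specify.

```python
import hashlib
import hmac
import os

MIN_KEY_BYTES = 16   # the patent reserves more than 16 bytes for the key
ROM_KEY_BYTES = 32   # constructed: size of the random key written to the ROM
PBKDF2_SALT = b"cn111177773b-example-salt"  # constructed, not from the patent
PBKDF2_ITERATIONS = 100_000                # constructed
BLOCK = 32                                  # SHA-256 output size per keystream block


class NicRom:
    """Stand-in for the network card ROM: a byte array with an assumed key offset.
    In the patent the bootloader reads this through grub2's PCI access interface."""
    KEY_OFFSET = 0x40  # assumed layout, not from the patent

    def __init__(self, size=256):
        self.data = bytearray(size)

    def write_key(self, key):
        if len(key) != ROM_KEY_BYTES:
            raise ValueError("ROM key slot holds exactly %d bytes" % ROM_KEY_BYTES)
        self.data[self.KEY_OFFSET:self.KEY_OFFSET + ROM_KEY_BYTES] = key

    def read_key(self):
        return bytes(self.data[self.KEY_OFFSET:self.KEY_OFFSET + ROM_KEY_BYTES])


def derive_keys(rom_key):
    """pbkdf2 transformation of the ROM key (the patent's extra transformation
    step); returns (encryption key, MAC key)."""
    if len(rom_key) < MIN_KEY_BYTES:
        raise ValueError("ROM key must be at least %d bytes" % MIN_KEY_BYTES)
    okm = hashlib.pbkdf2_hmac("sha256", rom_key, PBKDF2_SALT, PBKDF2_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream_xor(enc_key, nonce, data):
    """HMAC-SHA256 counter-mode keystream XOR: an offline stand-in for the
    block cipher cryptsetup/LUKS would apply. Symmetric, so one function
    both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        block = hmac.new(enc_key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], block))
    return bytes(out)


def seal_partition(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC one partition: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_partition(enc_key, mac_key, sealed):
    """Verify the tag before decrypting; a mismatch means the key in this
    device's ROM is not the one the partition was encrypted under."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key does not match this partition (storage moved to another device?)")
    return _keystream_xor(enc_key, nonce, ct)


def initialize_device(rom, disk):
    """System initialization: random key -> network card ROM, then every
    partition except the bootloader (grub2 stays in clear) is encrypted."""
    rom_key = os.urandom(ROM_KEY_BYTES)
    rom.write_key(rom_key)
    enc_key, mac_key = derive_keys(rom_key)
    return {name: (data if name == "bootloader" else seal_partition(enc_key, mac_key, data))
            for name, data in disk.items()}


def boot(rom, encrypted_disk):
    """Bootloader stage: read the key from the ROM, derive, decrypt the kernel
    and file system; the same call serves the second decryption after the
    switch to the file system."""
    enc_key, mac_key = derive_keys(rom.read_key())
    return {name: (data if name == "bootloader" else open_partition(enc_key, mac_key, data))
            for name, data in encrypted_disk.items()}


def demo():
    """Constructed disk image; returns (roundtrip_ok, moved_disk_rejected)."""
    disk = {"bootloader": b"grub2 stage1 + image (unencrypted)",
            "kernel": b"vmlinuz bytes " * 20,
            "filesystem": b"rootfs bytes " * 40}
    rom = NicRom()
    encrypted = initialize_device(rom, disk)
    roundtrip_ok = boot(rom, encrypted) == disk
    # The same disk placed in another device, whose ROM holds its own random key.
    other_rom = NicRom()
    other_rom.write_key(os.urandom(ROM_KEY_BYTES))
    try:
        boot(other_rom, encrypted)
        moved_rejected = False
    except ValueError:
        moved_rejected = True
    return roundtrip_ok, moved_rejected


if __name__ == "__main__":
    print(demo())
```

The MAC tag is the practical addition a deployment of this scheme wants: a LUKS header carries an equivalent key-check, and without one a disk moved to another device would simply decrypt to noise. Everything here is standard-library only, so the flow can be exercised on any machine with no PCI device or block device present.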
The invention is not limited to the foregoing embodiments. The invention extends to any novel feature or any novel combination of features disclosed in this specification and any novel method or process steps or any novel combination of features disclosed. Those skilled in the art should appreciate that they can make insubstantial changes and modifications without departing from the spirit of the invention as claimed.
Claims (9)
1. A full disk encryption and decryption method based on a network card ROM is characterized by comprising the following steps:
dividing the storage into a bootloader (boot loader), a kernel and a file system;
storing the key in a network card ROM, automatically acquiring the key from the network card ROM in the boot loader starting process, decrypting the kernel and the file system, and then starting the decrypted kernel;
the method also comprises the following system initialization and encryption process: randomly generating a key and writing the key into a network card ROM; and calling a cryptsetup tool to encrypt the partition needing to be encrypted in the storage, wherein the partition needing to be encrypted comprises a kernel and a file system.
2. The full disk encryption and decryption method based on the network card ROM of claim 1, wherein the bootloader adopts grub 2.
3. The full disk encryption and decryption method based on the network card ROM of claim 2, wherein the grub2 comprises an MBR and a grub2 image, and the MBR contains a partition table and stage1 loading code of grub2.
4. The full disk encryption and decryption method based on the network card ROM of claim 3, wherein the MBR is located in the first sector of the disk, and the grub2 image is located in the MBR sector and the gap between the kernel and the file system partition.
5. The full disk encryption and decryption method based on the network card ROM of claim 1, wherein more than 16 bytes are reserved for the key.
6. The full disk encryption and decryption method based on the network card ROM of claim 1, wherein the key stored in the network card ROM is processed by using pbkdf2 algorithm.
7. The full disk encryption and decryption method based on the network card ROM of claim 2, wherein the network card is provided with a PCI interface, the grub2 provides a PCI access interface, and the grub2 obtains the key from the network card ROM through the PCI access interface and the PCI interface for decryption.
8. The full disk encryption and decryption method based on the network card ROM of claim 7, wherein after the device where the storage is located runs to the kernel and switches to the file system, the key is obtained from the network card ROM to decrypt the encrypted partition again.
9. A full disk encryption and decryption system based on a network card ROM is characterized by comprising: a storage unit and a network card ROM unit;
the storage unit is divided into a Bootloader unit, a kernel unit and a file system unit, the network card ROM unit is used for storing a key, the Bootloader automatically acquires the key from the network card ROM in the starting process and decrypts the kernel and the file system, and then the decrypted kernel is started;
the system initialization and encryption process comprises the following steps: randomly generating a key and writing the key into a network card ROM; and calling a cryptsetup tool to encrypt the partition needing to be encrypted in the storage, wherein the partition needing to be encrypted comprises a kernel and a file system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911258554.0A CN111177773B (en) | 2019-12-10 | 2019-12-10 | Full disk encryption and decryption method and system based on network card ROM |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111177773A CN111177773A (en) | 2020-05-19 |
CN111177773B true CN111177773B (en) | 2022-09-13 |
Family
ID=70655438
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911258554.0A Active CN111177773B (en) | 2019-12-10 | 2019-12-10 | Full disk encryption and decryption method and system based on network card ROM |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111177773B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112270002B (en) * | 2020-10-26 | 2024-03-22 | 北京指掌易科技有限公司 | Full-disc encryption method, system operation method and electronic equipment |
CN112231779B (en) * | 2020-12-11 | 2021-02-19 | 成都艾勃科技有限公司 | Cross-platform data security protection method compatible with BitLocker encrypted disk |
CN113342425A (en) * | 2021-08-06 | 2021-09-03 | 苏州浪潮智能科技有限公司 | Starting method, device and storage medium of Linux embedded system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103617399A (en) * | 2013-11-06 | 2014-03-05 | 北京深思数盾科技有限公司 | Data file protecting method and device |
CN107590402A (en) * | 2017-09-26 | 2018-01-16 | 杭州中天微系统有限公司 | A kind of data storage ciphering and deciphering device and method |
CN109543435A (en) * | 2018-11-29 | 2019-03-29 | 郑州云海信息技术有限公司 | A kind of FPGA encryption protecting method, system and server |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN2490640Y (en) * | 2001-04-08 | 2002-05-08 | 王春华 | Extended ROM card for computer |
CN103166952B (en) * | 2012-11-16 | 2016-04-27 | 太原科技大学 | A kind of embedded onboard data collection station |
CN105138930A (en) * | 2015-08-12 | 2015-12-09 | 山东超越数控电子有限公司 | Encryption system and encryption method based on TrustZone |
US9858187B2 (en) * | 2015-10-26 | 2018-01-02 | Salesforce.Com, Inc. | Buffering request data for in-memory cache |
CN106127059B (en) * | 2016-06-30 | 2019-03-29 | 中国船舶重工集团公司第七0九研究所 | The realization of credible password module and method of servicing on a kind of ARM platform |
CN106100853B (en) * | 2016-07-29 | 2019-05-03 | 深圳兆日科技股份有限公司 | Mobile terminal safety authentication method and device |
CN106599714B (en) * | 2016-11-15 | 2019-05-24 | 厦门市美亚柏科信息股份有限公司 | The restoring method and device of Android terminal full disk encryption data |
CN108599930B (en) * | 2018-04-02 | 2021-05-14 | 湖南国科微电子股份有限公司 | Firmware encryption and decryption system and method |
Timeline
- 2019-12-10: CN201911258554.0A filed (CN), granted as CN111177773B, status Active
Non-Patent Citations (3)
Title |
---|
"Key Management in Secure Systems"; Ding Wenxia et al.; Information Security and Communications Privacy; 2005-10-31 (No. 10); pp. 61-63 * |
"Object-Based Virtual External Storage Management"; Guo Yudong et al.; Journal of Information Engineering University; 2011-01-31; Vol. 12 (No. 1); pp. 119-124 * |
"Key Storage and Control Mechanisms"; fisec; https://www.fisec.cn/1203.html; 2019-01-08; full text * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11263020B2 (en) | System and method for wiping encrypted data on a device having file-level content protection | |
AU2006205315B2 (en) | Method and portable storage device for allocating secure area in insecure area | |
US8412934B2 (en) | System and method for backing up and restoring files encrypted with file-level content protection | |
US8589680B2 (en) | System and method for synchronizing encrypted data on a device having file-level content protection | |
US8433901B2 (en) | System and method for wiping encrypted data on a device having file-level content protection | |
US8839000B2 (en) | System and method for securely storing data in an electronic device | |
US8347114B2 (en) | Method and apparatus for enforcing a predetermined memory mapping | |
US8539250B2 (en) | Secure, two-stage storage system | |
US20110131418A1 (en) | Method of password management and authentication suitable for trusted platform module | |
CN111177773B (en) | Full disk encryption and decryption method and system based on network card ROM | |
KR20090061636A (en) | Computer-implemented methods, information processing systems, and computer readable recording media for restoring secured programs | |
US9256756B2 (en) | Method of encryption and decryption for shared library in open operating system | |
US20100095132A1 (en) | Protecting secrets in an untrusted recipient | |
CN104361291B (en) | Data processing method and device | |
US11735319B2 (en) | Method and system for processing medical data | |
Chang et al. | User-friendly deniable storage for mobile devices | |
CN111159726B (en) | UEFI (unified extensible firmware interface) environment variable-based full-disk encryption and decryption method and system | |
CN100378689C (en) | Enciphered protection and read write control method for computer data | |
CN106326782A (en) | Information processing method and electronic device | |
US9122504B2 (en) | Apparatus and method for encryption in virtualized environment using auxiliary medium | |
CN114996725B (en) | Method for protecting development program and processor | |
CN110020533A (en) | A kind of method for security protection and terminal of VR resource | |
CN107688729B (en) | Application program protection system and method based on trusted host | |
KR20200082187A (en) | Secure usb dongle for usb memory without security | |
EP2336942A1 (en) | Computer readable medium storing a program for password management and user authentication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |