
CN111190695A - Virtual machine protection method and device based on Roc chip - Google Patents

Virtual machine protection method and device based on Roc chip

Info

Publication number
CN111190695A
Authority
CN
China
Prior art keywords
virtual machine
disk
data
secret key
host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911379746.7A
Other languages
Chinese (zh)
Inventor
王猛
王进
李振
张从国
唐国梁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Qianyun Qichuang Information Technology Co ltd
Original Assignee
Shandong Qianyun Qichuang Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Qianyun Qichuang Information Technology Co ltd filed Critical Shandong Qianyun Qichuang Information Technology Co ltd
Priority to CN201911379746.7A priority Critical patent/CN111190695A/en
Publication of CN111190695A publication Critical patent/CN111190695A/en
Pending legal-status Critical Current

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F2009/45562: Creating, deleting, cloning virtual machine instances
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F2009/45587: Isolation or security of virtual machine instances
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F2009/45595: Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a virtual machine protection method and device based on a Kunpeng chip, applied to a Kunpeng system. The Kunpeng system comprises a management center and a plurality of hosts; a Kunpeng chip is provided in each host, and an encryption module is provided in the Kunpeng chip. The method comprises the following steps: creating a virtual machine in a host; generating a secret key through the encryption module and storing the secret key; receiving read operation request information related to reading data in a disk; and decrypting the data corresponding to the operation request information in the disk through the secret key so as to execute the operation request information. When a user normally uses the virtual machine to read data in the disk, the data can be read after being decrypted by the secret key stored in the encryption module. However, if the disk is illegally copied, because the secret key is stored in the encryption module, the illegal copier cannot obtain the secret key and cannot read the encrypted data in the disk, so that the security of the data in the disk of the virtual machine is ensured.

Description

Virtual machine protection method and device based on Roc chip
Technical Field
The application relates to the field of virtual machines, and in particular to a method and a device for protecting a virtual machine based on a Kunpeng chip.
Background
A Virtual Machine (VM) refers to a complete computer system that is simulated by corresponding software and has complete hardware system functions and operates in a completely isolated environment. The work that can be done in a physical computer can be implemented in a virtual machine.
Virtual machines are convenient for demonstrating environments, developing and testing programs, and similar tasks. Enterprises therefore often store important data in virtual machines. However, in the prior art, if the disk of a virtual machine is illegally copied, data loss results and the interests of the enterprise are seriously affected.
Disclosure of Invention
In order to solve the above problem, the present application provides a method for protecting a virtual machine based on a Kunpeng chip. The method is applied to a Kunpeng system, which includes a management center and a plurality of hosts managed by the management center; each host is provided with a Kunpeng chip, and each Kunpeng chip is provided with an encryption module. The method comprises the following steps: the host creates a virtual machine in the host according to a creation instruction sent by the management center; generating, through the encryption module, a secret key used for encrypting data in a disk corresponding to the virtual machine, and storing the secret key in the encryption module; receiving operation request information related to data in the disk; and decrypting the data corresponding to the operation request information in the disk through the secret key so as to execute the operation request information.
In one example, receiving operation request information related to data in the disk includes: receiving an image generation instruction, wherein the image generation instruction instructs generation of an image of the virtual machine; after the data corresponding to the operation request information in the disk is decrypted by the key, the method further includes: generating an image file corresponding to the virtual machine according to the image generation instruction and the secret key.
In one example, receiving operation request information related to data in the disk includes: receiving a template generation instruction, wherein the template generation instruction instructs generation of a template corresponding to the virtual machine; after the data corresponding to the operation request information in the disk is decrypted by the key, the method further includes: generating a secret key corresponding to the template through the encryption module, so as to encrypt the data in the template according to the secret key corresponding to the template.
In one example, each of the plurality of hosts is provided with a public key and a private key corresponding to the encryption module, and the method further comprises: encrypting information to be sent with the public key of the target host; and sending the encrypted information to the target host, so that the target host decrypts the information with its private key and reads the decrypted information.
In one example, receiving operation request information related to data in the disk includes: receiving a virtual machine migration instruction; encrypting information to be sent with the public key of the target host includes: encrypting, with the public key of the target host, the migration information for migrating the virtual machine and the secret key; sending the encrypted information to the target host includes: sending the encrypted migration information and the encrypted secret key to the target host; receiving feedback information returned by the target host indicating that the migration succeeded; and deleting the virtual machine and the key stored in the encryption module.
In one example, after storing the key in the encryption module, the method further comprises: receiving a virtual machine deletion instruction; determining, according to the virtual machine deletion instruction, whether to delete the data stored in the disk by the virtual machine; if so, deleting the secret key from the encryption module when the virtual machine is deleted; and if not, keeping the secret key when the virtual machine is deleted.
In one example, after creating a virtual machine in the host, the method further comprises: in an operating system of the virtual machine, creating an account whose name differs from the default superuser name of the operating system; adding the created account to the superuser group of the operating system; and modifying parameters of a local login module and a remote login module to prohibit a user from logging in to the operating system, locally or remotely, with the default superuser name.
In one example, the method further comprises: monitoring users logging in to the operating system; and if a user logs in to the operating system with the default superuser name, recording the login information corresponding to that user in a log.
In one example, the operating system is a Linux system, and the default superuser name is root.
In another aspect, the application further provides a virtual machine protection device based on a Kunpeng chip. The device is applied in a Kunpeng system, which includes a management center and a plurality of hosts managed by the management center; each host is provided with a Kunpeng chip, and the Kunpeng chip is provided with an encryption module. The device includes: a creating module, by which the host creates a virtual machine in the host according to a creation instruction sent by the management center; a generating module, which generates, through the encryption module, a secret key used for encrypting data in a disk corresponding to the virtual machine, and stores the secret key in the encryption module; a receiving module, which receives operation request information related to the data in the disk; and a processing module, which decrypts the data corresponding to the operation request information in the disk through the secret key so as to execute the operation request information.
The protection method provided by the application can bring the following beneficial effects:
When a user normally uses the virtual machine to read data in the disk, the data can be read after being decrypted by the secret key stored in the encryption module. However, if the disk is illegally copied, because the secret key is stored in the encryption module, the illegal copier cannot obtain the secret key and cannot read the encrypted data in the disk, so that the security of the data in the disk of the virtual machine is ensured.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a schematic flowchart of a method for protecting a virtual machine based on a Kunpeng chip according to an embodiment of the present application;
Fig. 2 is a schematic block diagram of a virtual machine protection device based on a Kunpeng chip according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a Kunpeng system in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
The embodiment of the application provides a virtual machine protection method based on a Kunpeng chip, which is applied to a Kunpeng system. As shown in Fig. 3, the Kunpeng system includes a management center and a plurality of hosts managed by the management center. The management center can monitor and manage the plurality of hosts over a wired or wireless connection, for example by monitoring the operating state of each host and backing up the data of each host. A Kunpeng chip is arranged in each host, and the encryption module is arranged in the Kunpeng chip. The Kunpeng chip (the "Roc chip" of the title) refers to a chip of the Kunpeng series, for example the Kunpeng 920.
As shown in Fig. 1, the method includes:
S101, the host creates a virtual machine in the host according to a creation instruction sent by the management center.
In general, a user, through a corresponding operation on the management center, directs a host to create a virtual machine. The host then receives the creation instruction sent by the management center and creates the virtual machine. Specifically, the virtual machine may be created by corresponding software, such as VMware or Virtual PC, or by a corresponding program, which is not described here again. In the process of creating the virtual machine, the user can set the operating system, disk space, disk location, language, user name and other parameters as needed, which are not described here again. The number of virtual machines created in each host may be determined according to the actual needs of the user and is not limited here.
S102, generating a secret key used for encrypting data in a disk corresponding to the virtual machine through the encryption module, and storing the secret key in the encryption module.
As shown in fig. 3, each host corresponds to a corresponding disk, so when a virtual machine is created, a corresponding disk space is also allocated to the virtual machine to become a disk corresponding to the virtual machine, and corresponding data in the virtual machine can be stored in the corresponding disk. In addition, as shown in fig. 3, each host and the disk may be separately arranged, or may be assembled into an integral arrangement, which is not limited herein; the disks corresponding to the virtual machines may exist as a whole or may exist individually, and are not limited herein.
After the virtual machine is created, a secret key for encrypting data in the disk corresponding to the virtual machine can be generated by the encryption module in the Kunpeng chip and then stored in the encryption module. In general, the keys generated by the encryption module correspond to the virtual machines one to one; if several virtual machines shared the same key, the confidentiality of the data of those virtual machines would be reduced. Therefore, the secret key can be generated by the management center, or reported to the management center after being generated by the encryption module, and the management center stores it and confirms that it is unique. The key may be a random number generated by the encryption module. Any software design may fall into the trap of pseudo-random numbers, which the encryption module, being hardware, can avoid.
S103, receiving operation request information related to the data in the disk.
S104, decrypting the data corresponding to the operation request information in the disk through the secret key so as to execute the operation request information conveniently.
When the host or the virtual machine receives operation request information related to the data in the disk, it indicates that a program or a user wants to perform a corresponding operation on the data in the disk. At this time, the data to be read needs to be decrypted by the key, after which the corresponding program or user can read the data and perform the corresponding operation. When a user normally uses the virtual machine to read data in the disk, the data can be read after being decrypted by the secret key stored in the encryption module. However, if the disk is illegally copied, because the secret key is stored in the encryption module, the illegal copier cannot obtain the secret key and cannot read the encrypted data in the disk, so that the security of the data in the disk of the virtual machine is ensured.
Similarly, when the host or virtual machine receives a write request indicating that data is to be written to the disk, it indicates that there is a user or program that wants to write data to the disk. At this time, the data to be written needs to be encrypted by the key, and then the encrypted data is written into the disk.
When the disk performs input and output, encryption or decryption is required, which usually takes a long time. However, the embodiment in the application is based on the Kunpeng chip, and the encryption module is arranged in the Kunpeng chip, so a large amount of external encryption hardware does not need to be attached; the delay caused by encryption and decryption is effectively reduced, and the user experience is guaranteed.
Specifically, when the operation request information is an image generation instruction, it indicates that a user or a corresponding program wants to generate an image file for the virtual machine. The image file holds the same data as the source file, i.e., the virtual machine file, and can be updated synchronously. Therefore, the image file can be generated according to the image generation instruction and the key, without changing the key.
When the operation request information is a template generation instruction, it indicates that a user or a corresponding program wants to generate a template from the virtual machine. Since the data of the template and of the virtual machine are not completely identical, the data in the disk can first be decrypted by the key, and a key corresponding to the template can then be generated. When the template is generated, the data in the disk may be encrypted according to the key corresponding to the template. Of course, when a new virtual machine is generated from the template, a corresponding key may also be generated for each newly generated virtual machine, which is not described here again.
When the operation request information is a deletion instruction, it indicates that the user wants to delete the virtual machine. At this time, it may be determined from the deletion instruction whether the disk corresponding to the virtual machine needs to be deleted as part of this deletion. If the disk is to be deleted, the data in the disk will no longer exist, so the secret key stored in the encryption module does not need to be retained and can be deleted. If the disk is not deleted when the virtual machine is deleted, the data remains encrypted in the disk, and the key needs to be retained so that the corresponding data in the disk can be read later.
In one embodiment, each host may be provided with a corresponding public key and private key. The public key and the private key may be generated by the encryption module or by the management center. The public key and private key of each host correspond one to one. When information is transmitted between hosts, the sending host may first encrypt the information with the public key of the target host that is to receive it. The encrypted information is then sent to the target host, which, after receiving it, can decrypt it with its own private key and read the decrypted information.
Further, when the received operation request information is a virtual machine migration instruction, it indicates that a user or a corresponding program wants to migrate the virtual machine to another host. The migration information and the key may first be encrypted with the public key of the target host and then sent to the target host. The migration information includes the data needed to migrate the virtual machine. Since the key of each virtual machine is stored in the encryption module of the Kunpeng chip in the host, the key needs to be sent to the target host together with the migration information, so that the target host can store the key in its own encryption module. After receiving the feedback information returned by the target host indicating that the migration succeeded, the locally created virtual machine and the key stored in the encryption module may be deleted. Of course, if the feedback information indicates that the migration failed, the migration may be performed again, which is not described here again.
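The key lifecycle described above (one key per virtual machine, decryption on read, retention or deletion of the key when the virtual machine is removed, and hand-over on migration) can be modelled as follows. This is an added example, not code from the application: the class and function names are hypothetical, the XOR keystream is a constructed stand-in for the encryption module's unnamed cipher, and the public-key wrapping of the key in transit is not modelled.

```python
import hashlib
import secrets


class EncryptionModule:
    """Software stand-in for the encryption module inside one host's chip."""

    def __init__(self):
        self._keys = {}  # vm_id -> key; callers never receive key bytes

    def generate_key(self, vm_id):
        if vm_id in self._keys:
            raise ValueError(f"{vm_id} already has a key")
        key = secrets.token_bytes(32)
        while key in self._keys.values():  # keys stay one-to-one with VMs
            key = secrets.token_bytes(32)
        self._keys[vm_id] = key

    def has_key(self, vm_id):
        return vm_id in self._keys

    def delete_key(self, vm_id):
        self._keys.pop(vm_id, None)

    def hand_over(self, vm_id, target_module):
        # On the page the key travels encrypted under the target host's
        # public key; that transport wrapping is outside this model.
        target_module._keys[vm_id] = self._keys[vm_id]

    def crypt(self, vm_id, sector, data):
        # Constructed XOR keystream so the model runs offline. It is NOT a
        # real disk cipher; the page does not name the module's algorithm.
        key = self._keys[vm_id]  # KeyError when this module lacks the key
        seed = key + sector.to_bytes(8, "big")
        stream = hashlib.shake_256(seed).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))


class Host:
    def __init__(self, name):
        self.name = name
        self.module = EncryptionModule()
        self.vms = set()
        self.disks = {}  # vm_id -> {sector number: ciphertext}

    def create_vm(self, vm_id):  # S101 and S102
        self.vms.add(vm_id)
        self.disks[vm_id] = {}
        self.module.generate_key(vm_id)

    def write(self, vm_id, sector, plaintext):
        self.disks[vm_id][sector] = self.module.crypt(vm_id, sector, plaintext)

    def read(self, vm_id, sector):  # S103 and S104
        return self.module.crypt(vm_id, sector, self.disks[vm_id][sector])

    def delete_vm(self, vm_id, delete_disk):
        self.vms.discard(vm_id)
        if delete_disk:
            self.disks.pop(vm_id, None)
            self.module.delete_key(vm_id)
        # Disk kept: the key is retained so the data stays readable later.


def migrate(vm_id, source, target, target_ok=True):
    """Return True on success; the source gives up its key only after the ack."""
    if not target_ok:  # no success feedback: source keeps VM, disk and key
        return False
    target.vms.add(vm_id)
    target.disks[vm_id] = dict(source.disks[vm_id])
    source.module.hand_over(vm_id, target.module)
    source.delete_vm(vm_id, delete_disk=True)
    return True
```
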
In one embodiment, after a user creates a virtual machine, an operating system also needs to be set up. Typically, the operating system has a superuser. The superuser, i.e., the administrator, typically has the highest privilege level in the operating system, and the default superuser name is the same on every installation of that operating system. For example, in a Linux system the default superuser name is root; in a Windows system the default superuser name is Administrator. This makes intrusion easier for hackers and does not help the security of the data the user stores in the virtual machine.
At this point, a user whose username differs from the default superuser name can first be created in the operating system. For example, for a Linux system, the username may be set to substitute_root. The substitute_root user is then added to the superuser group of the operating system, so that the user obtains superuser privileges. Then, by modifying the local login module and the remote login module, users are prohibited from logging in to the operating system, locally or remotely, with the default superuser name. When a hacker intrudes into the computer, the hacker then cannot log in to the operating system with the default superuser name, which increases the security of the data stored in the disk.
Specifically, the CentOS (Community Enterprise Operating System) system is taken as an example. CentOS is one of the distributions of the Linux system.
When creating the user named substitute_root, the initial password of the substitute_root user is set to adminadminadmin, which can be realized by the following statements:
[Figure: code listing published as an image; the statements are not present in the text]
In the kickstart file, the following statement can be added:
rootpw --lock    # lock the root user
During installation, the root user then cannot be configured, and other users cannot be added. Kickstart is an automatic installation script.
When the substitute_root user is added to the superuser group of the operating system, the /etc/sudoers configuration file can be modified so that the ordinary user named substitute_root becomes a superuser; this username, instead of root, is used for login in subsequent operations. This can be implemented by the following statements:
usermod -G wheel substitute_root
echo "%wheel ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
When the local login module is modified, the following line can be added to the /etc/pam.d/login file:
auth required pam_succeed_if.so user != root quiet
When the remote login module is modified, remote login over ssh needs to be disabled for the root user. This can be implemented in the /etc/ssh/sshd_config file by changing #PermitRootLogin yes to PermitRootLogin no. Other remote login modes can disable the root user in a similar way, or can be closed uniformly, which is not described further here.
In addition, the sudoers configuration file can be modified by adding a script to the kickstart file, so that the root user cannot log in remotely through ssh:
[Figure: code listing published as an image; the statements are not present in the text]
Furthermore, users logging in to the operating system can be monitored. If a user is found logging in to the operating system with the default superuser name, the login information corresponding to that user, such as login time and login address, is recorded in a log to facilitate subsequent tracing. Login events of root can be monitored through the last command or third-party software, and details are not repeated here.
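The following added example (not part of the application; function names and sample inputs are constructed) audits the settings from this section against the text of the three configuration files and lists root logins from last output. It also reports the unspaced form user!=root, since pam_succeed_if.so expects the field, test and value as three separate words.

```python
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def sshd_root_login(sshd_config):
    """Effective global PermitRootLogin value, or None when it is not set."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0].lower() == "match":  # conditional blocks are not evaluated
            break
        if parts[0].lower() == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()  # sshd uses the first value it reads
    return None


def pam_blocks_root(pam_login):
    """True when an auth line passes 'user != root' to pam_succeed_if.so."""
    for raw in pam_login.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:3] != ["auth", "required", "pam_succeed_if.so"]:
            continue
        args = parts[3:]
        # The condition must be three separate words: field, test, value.
        if any(args[i:i + 3] == ["user", "!=", "root"] for i in range(len(args))):
            return True
    return False


def wheel_rule(sudoers):
    """Return (has_rule, nopasswd) for the %wheel entry."""
    for raw in sudoers.splitlines():
        line = raw.strip()
        if line.startswith("%wheel"):
            return True, "NOPASSWD:" in line.replace(" ", "")
    return False, False


def root_logins(last_output):
    """Extract root sessions from the text printed by the last command."""
    events = []
    for line in last_output.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != "root":
            continue
        if f[2] in WEEKDAYS:  # no host column: console login
            origin, when = "local", f[2:6]
        else:
            origin, when = f[2], f[3:7]
        events.append({"tty": f[1], "origin": origin, "when": " ".join(when)})
    return events


def audit(sshd_config, pam_login, sudoers, last_output):
    findings = []
    value = sshd_root_login(sshd_config)
    if value != "no":
        findings.append(f"sshd: PermitRootLogin is {value or 'not set'}, expected no")
    if not pam_blocks_root(pam_login):
        findings.append("pam: no working 'user != root' rule in /etc/pam.d/login")
    has_rule, nopasswd = wheel_rule(sudoers)
    if not has_rule:
        findings.append("sudoers: %wheel has no rule")
    elif nopasswd:
        findings.append("sudoers: note, %wheel runs sudo without a password")
    for e in root_logins(last_output):
        findings.append(f"login: root on {e['tty']} from {e['origin']} at {e['when']}")
    return findings


# Constructed sample inputs (not taken from a real host).
SSHD_DEFAULT = "#PermitRootLogin yes\nPasswordAuthentication yes\n"
SSHD_HARDENED = "PermitRootLogin no\nPasswordAuthentication yes\n"
PAM_UNSPACED = "auth required pam_succeed_if.so user!=root quiet\n"
PAM_HARDENED = "auth required pam_succeed_if.so user != root quiet\n"
SUDOERS = "root ALL=(ALL) ALL\n%wheel ALL=(ALL) NOPASSWD:ALL\n"
LAST = (
    "root     pts/0        192.0.2.10       Mon Dec 23 10:15   still logged in\n"
    "substitu pts/1        192.0.2.11       Mon Dec 23 09:50 - 10:02  (00:12)\n"
    "root     tty1                          Mon Dec 23 09:02 - 09:40  (00:38)\n"
    "\n"
    "wtmp begins Mon Dec 23 09:00:00 2019\n"
)

if __name__ == "__main__":
    for finding in audit(SSHD_DEFAULT, PAM_UNSPACED, SUDOERS, LAST):
        print(finding)
```
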
As shown in Fig. 2, an embodiment of the present application further provides a virtual machine protection device based on a Kunpeng chip. The device is applied in a Kunpeng system, which includes a management center and a plurality of hosts managed by the management center; each host is provided with a Kunpeng chip, and the Kunpeng chip is provided with an encryption module. The device includes:
a creating module 201, wherein the host creates a virtual machine in the host according to a creating instruction sent by the management center;
a generating module 202, configured to generate, by the encryption module, a key used for encrypting data in a disk corresponding to the virtual machine, and store the key in the encryption module;
a receiving module 203, which receives operation request information related to the data in the disk;
the processing module 204 decrypts, by using the key, data corresponding to the operation request information in the disk, so as to execute the operation request information.
The above description is merely one or more embodiments of the present disclosure and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments of the present description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of the claims of the present specification.

Claims (10)

1. A method for protecting a virtual machine based on a Kunpeng chip, applied to a Kunpeng system, wherein the Kunpeng system comprises a management center and a plurality of hosts managed by the management center, each host is provided with a Kunpeng chip, and each Kunpeng chip is provided with an encryption module, the method comprising the following steps:
the host machine creates a virtual machine in the host machine according to a creation instruction sent by the management center;
generating a secret key used for encrypting data in a disk corresponding to the virtual machine through the encryption module, and storing the secret key in the encryption module;
receiving operation request information related to data in the disk;
and decrypting the data corresponding to the operation request information in the disk through the secret key so as to execute the operation request information.
2. The method of claim 1, wherein receiving the operation request information related to data in the disk comprises:
receiving an image generation instruction, wherein the image generation instruction is used for instructing generation of an image of the virtual machine;
after the data in the disk corresponding to the operation request information is decrypted with the key, the method further comprises:
generating an image file corresponding to the virtual machine according to the image generation instruction and the key.
3. The method of claim 1, wherein receiving the operation request information related to data in the disk comprises:
receiving a template generation instruction, wherein the template generation instruction is used for instructing generation of a template corresponding to the virtual machine;
after the data in the disk corresponding to the operation request information is decrypted with the key, the method further comprises:
generating, through the encryption module, a key corresponding to the template, so as to encrypt the data in the template with the key corresponding to the template.
4. The method of claim 1, wherein each of the plurality of hosts is provided with a public key and a private key corresponding to the encryption module, the method further comprising:
encrypting information to be sent with the public key of a target host;
and sending the encrypted information to the target host, so that the target host decrypts the information with its private key and reads the decrypted information.
5. The method of claim 4, wherein receiving the operation request information related to data in the disk comprises:
receiving a virtual machine migration instruction;
encrypting the information to be sent with the public key of the target host comprises:
encrypting, with the public key of the target host, the migration information for migrating the virtual machine and the key;
sending the encrypted information to the target host comprises:
sending the encrypted migration information and the encrypted key to the target host;
receiving feedback information returned by the target host indicating that the migration succeeded;
and deleting the virtual machine and the key stored in the encryption module.
6. The method of claim 1, wherein after storing the key in the encryption module, the method further comprises:
receiving a virtual machine deletion instruction;
determining, according to the virtual machine deletion instruction, whether to delete the data stored in the disk by the virtual machine;
if so, deleting the key from the encryption module when the virtual machine is deleted;
and if not, retaining the key when the virtual machine is deleted.
7. The method of claim 1, wherein after creating a virtual machine in the host, the method further comprises:
creating, in an operating system of the virtual machine, an account whose name differs from the default superuser name of the operating system;
adding the created account to the superuser group of the operating system;
and modifying parameters of a local login module and a remote login module to prohibit a user from logging in to the operating system, locally or remotely, through the default superuser name.
8. The method of claim 7, further comprising:
monitoring users logging in to the operating system;
and if a user logs in to the operating system through the default superuser name, recording the login information corresponding to that user in a log.
9. The method of claim 7, wherein the operating system is a Linux system and the default superuser name is root.
10. A virtual machine protection device based on a Roc chip, wherein the device is applied in a Roc system, the Roc system comprising a management center and a plurality of hosts managed by the management center, each host being provided with a Roc chip and each Roc chip being provided with an encryption module, the device comprising:
the host creates a virtual machine in the host according to a creation instruction sent by the management center;
a generating module, configured to generate, through the encryption module, a key used for encrypting data in a disk corresponding to the virtual machine, and to store the key in the encryption module;
a receiving module, configured to receive operation request information related to the data in the disk;
and a processing module, configured to decrypt, with the key, the data in the disk corresponding to the operation request information, so as to execute the operation request information.
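As an added illustration of the root-login controls in claims 7 to 9 (this code is not part of the patent), the sketch below audits a remote-login configuration and extracts successful root logins from a log. It assumes OpenSSH's `sshd_config` as the remote login module and common syslog message formats; the sample configuration and log lines are constructed.

```python
import re

# Constructed sample inputs for illustration; not taken from the patent.
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""
AUTH_LOG = """\
Dec 27 10:01:02 vm1 sshd[811]: Accepted publickey for opsadmin from 192.0.2.10 port 50122 ssh2
Dec 27 10:03:40 vm1 sshd[835]: Failed password for root from 192.0.2.77 port 41000 ssh2
Dec 27 10:05:13 vm1 sshd[840]: Accepted password for root from 192.0.2.77 port 41022 ssh2
Dec 27 10:09:55 vm1 login[902]: ROOT LOGIN on '/dev/tty1'
"""

def audit_sshd(config_text):
    """Report whether sshd refuses root in every case.

    sshd keeps the first value it reads for a keyword, so a later duplicate is
    ignored, while a value inside a Match block overrides the global one for
    matching connections. With no setting, the OpenSSH default
    (prohibit-password) still lets root in with a key.
    """
    global_value, overrides, in_match = None, [], False
    for raw in config_text.splitlines():
        fields = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        key = fields[0].lower()
        if key == "match":
            in_match = True
        elif key == "permitrootlogin" and len(fields) == 2:
            value = fields[1].strip().lower()
            if in_match:
                overrides.append(value)
            elif global_value is None:
                global_value = value
    global_value = global_value or "prohibit-password"
    denied = global_value == "no" and all(v == "no" for v in overrides)
    return {"global": global_value, "match_overrides": overrides, "root_denied": denied}

SSH_ROOT = re.compile(r"sshd\[\d+\]: Accepted (\S+) for root from (\S+)")
TTY_ROOT = re.compile(r"login\[\d+\]: ROOT LOGIN\s+on\s+'?([^'\s]+)", re.IGNORECASE)

def root_logins(log_text):
    """Return one record per successful login as root (remote or console)."""
    events = []
    for line in log_text.splitlines():
        if (m := SSH_ROOT.search(line)):
            events.append({"channel": "remote", "method": m.group(1), "source": m.group(2)})
        elif (m := TTY_ROOT.search(line)):
            events.append({"channel": "local", "method": "console", "source": m.group(1)})
    return events
```

On the constructed configuration the global setting is `no`, yet the `Match` block re-enables root for one address range, so the audit reports that root is not fully denied; the log scan ignores the failed attempt and records the two successful root logins.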
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911379746.7A CN111190695A (en) 2019-12-27 2019-12-27 Virtual machine protection method and device based on Roc chip

Publications (1)

Publication Number Publication Date
CN111190695A true CN111190695A (en) 2020-05-22

Family

ID=70710575

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911379746.7A Pending CN111190695A (en) 2019-12-27 2019-12-27 Virtual machine protection method and device based on Roc chip

Country Status (1)

Country Link
CN (1) CN111190695A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113468563A (en) * 2021-06-24 2021-10-01 曙光信息产业股份有限公司 Virtual machine data encryption method and device, computer equipment and storage medium
CN114491607A (en) * 2022-02-14 2022-05-13 苏州浪潮智能科技有限公司 Cloud platform data processing method and device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110202916A1 (en) * 2010-02-17 2011-08-18 Microsoft Corporation Distribution control and tracking mechanism of virtual machine appliances
CN103020543A (en) * 2012-12-31 2013-04-03 北京启明星辰信息技术股份有限公司 System and method for image encryption management of virtual disk
CN103227804A (en) * 2012-01-30 2013-07-31 联发科技股份有限公司 How to use the account proxy module to connect to the superuser account shell
CN104618096A (en) * 2014-12-30 2015-05-13 华为技术有限公司 Method and device for protecting secret key authorized data, and TPM (trusted platform module) secrete key management center

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
刘坤: "《网络攻防与实践》", 31 July 2018, 北京理工大学出版社, pages: 317 - 319 *
杜方冬 等: "《个人电脑安装维护36计》", 31 January 2004, 国防工业出版社, pages: 163 *
温翠玲,王金嵩: "《计算机网络信息安全与防护策略研究》", 31 March 2019, 天津科学技术出版社, pages: 114 *
老男孩: "《Linux/Unix技术丛书 跟老男孩学Linux运维 核心基础篇 上 第2版》", 机械工业出版社, pages: 415 - 416 *
老男孩: "《跟老男孩学Linux运维 核心基础篇 上 第2版》", 31 August 2019, 机械工业出版社, pages: 415 - 416 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200522