
CN116094775B - A ceph distributed file system server encryption system - Google Patents


Info

Publication number: CN116094775B
Authority: CN (China)
Prior art keywords: file, key, data, encryption, client
Legal status: Active (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202211692733.7A
Other languages: Chinese (zh)
Other versions: CN116094775A (en)
Inventors: 王新雨, 蒋方文, 李超
Current assignee: Inspur Cloud Information Technology Co Ltd (as listed; not verified by legal analysis)
Original assignee: Inspur Cloud Information Technology Co Ltd
Events:
  • Application filed by Inspur Cloud Information Technology Co Ltd
  • Priority to CN202211692733.7A
  • Publication of CN116094775A
  • Application granted
  • Publication of CN116094775B
  • Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
                        • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                            • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
                            • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
                • Y02D30/00 Reducing energy consumption in communication networks
                    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention relates to a server-side encryption system for the ceph distributed file system. The system comprises a key management module, a client encryption and decryption module, an MDS-side data key storage module and an OSD data storage module. By encrypting the file data in the file system it meets users' needs for privacy and data security; envelope encryption strengthens the security of key management and key transmission; and combining envelope encryption with per-object encryption makes the scheme better suited to encrypting large amounts of data.

Description

Ceph distributed file system server-side encryption system
Technical Field
The invention relates to the field of information technology, in particular to a server-side encryption system for the ceph distributed file system.
Background
Ceph is a unified, distributed storage system with high performance, high reliability and scalability, and provides object, block and file storage simultaneously in one unified storage system. After years of development it is supported by numerous cloud computing vendors and is widely used.
When the CephFS file system is used, the client stripes the whole file into RADOS (Reliable Autonomic Distributed Object Storage) objects of a specified size and sends a write request to each Object Storage Device (OSD) to persist the data. Data is stored in the clear on disk; in some cases, such as the loss of a hardware device, the data content may be read, identified or restored, causing data leakage and privacy problems. For usage scenarios with high data security requirements this is a large security risk. Envelope encryption is an encryption method similar to digital envelope technology: the data key, in encrypted form, is sealed in an "envelope" for storage, transmission and use, and the data itself is encrypted and decrypted with the data key rather than directly with the user's master key. Keeping the data key encrypted protects it during transmission and use, and the scheme is more applicable to encrypting large data volumes than direct encryption with an asymmetric key.
In usage scenarios with high data security requirements, the CephFS file system has no mechanism for encrypting the files it stores and cannot meet users' security and privacy requirements. The invention provides a server-side encryption system for the ceph distributed file system.
Disclosure of Invention
The invention provides a simple and efficient ceph distributed file system server-side encryption system to overcome the defects of the prior art.
The invention is realized by the following technical scheme:
A ceph distributed file system server-side encryption system, characterized in that the system comprises a key management module, a client encryption and decryption module, an MDS-side data key storage module and an OSD data storage module;
The key management module is responsible for managing the master key of a file system and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
The client encryption and decryption module is located in the CephFS client and is responsible for obtaining the data key from the key management module, performing encryption and decryption when the client reads and writes file content, and storing the encrypted data key in the MDS-side data key storage module;
The MDS-side data key storage module is responsible for storing the encrypted data key of each file;
The OSD data storage module is responsible for responding to the client's read and write requests and storing the user data.
The ceph distributed file system server-side encryption system encrypts file systems in an envelope encryption mode and designates a master key for each file system. When a file in a file system is encrypted, the client first applies to the key management module for a data key for that file, then stripes the whole file into RADOS objects of a specified size, encrypts each object, and stores the encrypted data key in the extended attribute of the inode corresponding to the file.
The ceph distributed file system server-side encryption system comprises the following steps:
Step S1, in an envelope encryption mode, designating a master key in the key management module for each file system;
Step S2, when each file in the file system is written, applying to the key management module for a data key under the master key; then striping the whole file into RADOS objects of the specified size and encrypting the written file data with the data key, all RADOS objects belonging to the file sharing the same data key;
Step S3, storing the encrypted data key in the extended attribute of the inode corresponding to the file.
In the envelope encryption mode the data key is sealed, in encrypted form, in the envelope for storage, transmission and use, and the file data is encrypted and decrypted with the data key rather than directly with the user master key.
In step S1, the encryption process for files under a specified file system is started as follows:
Step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
Step S1.2, verifying whether the file system on which the attribute is being set is empty; if so, continue to the next step, otherwise return a verification failure error;
Step S1.3, the CephFS client sends a request to the key management module and applies for a master key;
Step S1.4, the key management module sends the master key ID to the CephFS client, and the CephFS client returns an application-success message after receiving the master key ID;
Step S1.5, the CephFS client finds the specified file system in the directory tree by sending a request to the metadata server MDS;
Step S1.6, the CephFS client sends a request to the metadata server MDS and indicates, by setting the ceph.dir.encrypt attribute, that files under the file system need to be encrypted.
In step S2, the writing process for file data in the file system is as follows:
Step S2.1, after the CephFS client receives a file write request, it judges whether the file to be written needs to be newly created;
if the file needs to be newly created, jump to step S2.2;
if the file already exists, verify whether the file's inode contains the ceph.file.encrypt attribute; if not, execute the write flow directly without encryption; otherwise the file needs to be encrypted, so jump to step S2.5;
Step S2.2, the CephFS client backtracks upwards through the directory tree of the file system until it finds a file system on which the ceph.dir.encrypt attribute is set.
If the ceph.dir.encrypt attribute is not set anywhere up to the root file system, the file does not need encryption and the write flow is executed directly; otherwise, find the file system nearest to the current file on which the ceph.dir.encrypt attribute is set and obtain the value of that attribute;
Step S2.3, the CephFS client sends a request to the key management module applying for a data key; the request carries the value of the ceph.dir.encrypt attribute obtained in step S2.2, which designates the master key to use;
Step S2.4, the key management module returns the generated data key and the data key encrypted with the master key to the CephFS client; jump to step S2.7 and execute the encrypted write flow;
Step S2.5, for a file that already exists and needs to be encrypted, read the ceph.file.encrypt attribute of the file to obtain the encrypted data key that encrypts the existing file data;
Step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted file data key obtained in step S2.5 and obtains the data key;
Step S2.7, after the data key is obtained, the file data to be written in the write request is striped according to its logical offset and length within the file and mapped onto RADOS objects of the specified size;
Step S2.8, each RADOS object is encrypted with the data key;
During encryption, each RADOS object is split by logical offset into blocks of 4 KiB and each block is encrypted separately; after encryption, the ciphertext is stored in the OSD data storage module.
In step S2, RADOS objects are designated as 4 MB in size; the object size can be changed by modifying the file layout.
In step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encrypt attribute of the inode so that it can be used for subsequent writes and reads of the file.
In step S3, the file data reading process is as follows:
Step S3.1, the CephFS client receives a file read request and verifies whether the inode of the current file contains the ceph.file.encrypt attribute;
if the file does not contain the ceph.file.encrypt attribute, the file is not encrypted and the read flow is executed directly;
if the ceph.file.encrypt attribute is present, read its value to obtain the encrypted data key;
Step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtains the plaintext data key;
Step S3.3, the file data in the read request is mapped from its logical offset and length within the file to the corresponding offset and length within the striped RADOS objects of the specified size;
the logical offset and length are aligned to 4 KiB, and any part at the front or rear of the request shorter than 4 KiB is widened to a full 4 KiB read; a read request is then issued to the OSD data storage module to fetch the corresponding RADOS object content;
Step S3.4, the RADOS object content read is decrypted with the plaintext data key obtained, the file data requested by the CephFS client read request is returned, and read request processing ends.
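The envelope-encryption exchange between the client and the key management module, together with the 4 KiB block-wise encryption of a RADOS object, as an added Go example that is not part of the patent or of Ceph's own code. It assumes AES-256-GCM for both the key wrapping and the data blocks (the patent names no cipher), a `KMS` type standing in for the key management module with master keys indexed by the ID a client would record in `ceph.dir.encrypt`, and treats the wrapped key as the value the client would store in the `ceph.file.encrypt` inode attribute; `IssueDataKey`, `UnwrapDataKey`, `EncryptObject`, `DecryptObject` and `blockNonce` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const BlockSize = 4096 // the patent's 4 KiB encryption unit inside each RADOS object

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// KMS is a hypothetical key management module: one master key (held as a ready AES-GCM
// instance) per file system, addressed by the ID the client stores in ceph.dir.encrypt.
type KMS struct{ masterKeys map[string]cipher.AEAD }

// IssueDataKey returns a fresh data key and the same key wrapped under the master key
// (steps S2.3/S2.4): wrapped = nonce || AES-GCM(masterKey, nonce, dek, aad=masterKeyID).
func (k *KMS) IssueDataKey(masterKeyID string) (dek, wrapped []byte, err error) {
	g, ok := k.masterKeys[masterKeyID]
	if !ok {
		return nil, nil, errors.New("unknown master key ID " + masterKeyID)
	}
	buf := make([]byte, 32+g.NonceSize()) // 256-bit data key followed by a random nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	return dek, append(nonce, g.Seal(nil, nonce, dek, []byte(masterKeyID))...), nil
}

// UnwrapDataKey decrypts a wrapped data key (steps S2.6/S3.2). Binding the master key ID as
// associated data means a key wrapped for one file system fails to unwrap under another.
func (k *KMS) UnwrapDataKey(masterKeyID string, wrapped []byte) ([]byte, error) {
	g, ok := k.masterKeys[masterKeyID]
	if !ok {
		return nil, errors.New("unknown master key ID " + masterKeyID)
	}
	ns := g.NonceSize()
	if len(wrapped) < ns+g.Overhead() {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, wrapped[:ns], wrapped[ns:], []byte(masterKeyID))
}

// blockNonce gives each (object index, block number) pair its own 96-bit nonce, so one data
// key can cover every 4 KiB block of every object in the file without nonce reuse.
func blockNonce(objIdx uint32, blockNo uint64) []byte {
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, objIdx), blockNo)
}

// EncryptObject seals one RADOS object 4 KiB block by block (step S2.8). AES-GCM is this
// example's choice, not the patent's: each block gains a 16-byte tag, so the stored object
// grows by 16 bytes per block, and a modified or misplaced block is rejected on read.
func EncryptObject(dek []byte, objIdx uint32, plain []byte) ([]byte, error) {
	g, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	var out []byte
	for off, blk := 0, uint64(0); off < len(plain); off, blk = off+BlockSize, blk+1 {
		end := off + BlockSize
		if end > len(plain) {
			end = len(plain)
		}
		out = g.Seal(out, blockNonce(objIdx, blk), plain[off:end], nil)
	}
	return out, nil
}

// DecryptObject reverses EncryptObject (step S3.4), naming the block that failed to verify.
func DecryptObject(dek []byte, objIdx uint32, ct []byte) ([]byte, error) {
	g, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	stride := BlockSize + g.Overhead()
	var out []byte
	for off, blk := 0, uint64(0); off < len(ct); off, blk = off+stride, blk+1 {
		end := off + stride
		if end > len(ct) {
			end = len(ct)
		}
		if out, err = g.Open(out, blockNonce(objIdx, blk), ct[off:end], nil); err != nil {
			return nil, fmt.Errorf("object %d block %d: %w", objIdx, blk, err)
		}
	}
	return out, nil
}
```

The master key never leaves `KMS`: the client holds the plaintext data key only for the duration of the read or write and keeps the wrapped copy in the inode attribute. Binding the master key ID as associated data, and the object index and block number in the nonce, means a wrapped key replayed under another file system, or a ciphertext block copied to another object or position, fails authentication instead of decrypting to wrong data. Because GCM appends a tag to every 4 KiB block the stored object is slightly larger than the plaintext; a length-preserving mode would avoid that at the cost of the integrity check.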
An apparatus, characterized in that it comprises a memory and a processor; the memory is used for storing a computer program, and the processor implements the above method steps when executing the computer program.
A readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the above-described method steps.
The beneficial effects of the invention are as follows: the ceph distributed file system server-side encryption system encrypts the file data in the file system and so meets users' requirements for privacy and data security; envelope encryption strengthens security during key management and transmission, and combining envelope encryption with per-object encryption is better suited to encrypting large amounts of data.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required by the embodiments or the description of the prior art are briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the server-side encryption system for the ceph distributed file system according to the present invention.
FIG. 2 is a schematic diagram of the file data writing process according to the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the technical solution of the present invention, the technical solution is described clearly and completely below in combination with embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without inventive effort fall within the scope of the present invention.
The ceph distributed file system server-side encryption system comprises a key management module, a client encryption and decryption module, an MDS (metadata server) side data key storage module and an OSD data storage module;
The key management module is responsible for managing the master key of a file system and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
The client encryption and decryption module is located in the CephFS client and is responsible for obtaining the data key from the key management module, performing encryption and decryption when the client reads and writes file content, and storing the encrypted data key in the MDS-side data key storage module;
The MDS-side data key storage module is responsible for storing the encrypted data key of each file;
The OSD data storage module is responsible for responding to the client's read and write requests and storing the user data.
The ceph distributed file system server-side encryption system encrypts file systems in an envelope encryption mode and designates a master key for each file system. When a file in a file system is encrypted, the client first applies to the key management module for a data key for that file, then stripes the whole file into RADOS objects of a specified size, encrypts each object, and stores the encrypted data key in the extended attribute of the inode corresponding to the file.
The ceph distributed file system server-side encryption system comprises the following steps:
Step S1, in an envelope encryption mode, designating a master key in the key management module for each file system;
Step S2, when each file in the file system is written, applying to the key management module for a data key under the master key; then striping the whole file into RADOS objects of the specified size and encrypting the written file data with the data key, all RADOS objects belonging to the file sharing the same data key;
Step S3, storing the encrypted data key in the extended attribute of the inode corresponding to the file.
In the envelope encryption mode the data key is sealed, in encrypted form, in the envelope for storage, transmission and use, and the file data is encrypted and decrypted with the data key rather than directly with the user master key.
When each RADOS object is encrypted, the object is divided into blocks of 4 KiB and each block is encrypted separately.
In step S2, each file applies for a different data key, which further ensures data security in the multi-user case;
after server-side data encryption, even if a hardware device is lost, the effective content of the data cannot be identified, so the security of user data is ensured.
In step S1, the encryption process for files under a specified file system is started as follows:
Step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
Step S1.2, verifying whether the file system on which the attribute is being set is empty; if so, continue to the next step, otherwise return a verification failure error;
Step S1.3, the CephFS client sends a request to the key management module and applies for a master key;
Step S1.4, the key management module sends the master key ID to the CephFS client, and the CephFS client returns an application-success message after receiving the master key ID;
Step S1.5, the CephFS client finds the specified file system in the directory tree by sending a request to the metadata server MDS;
Step S1.6, the CephFS client sends a request to the metadata server MDS and indicates, by setting the ceph.dir.encrypt attribute, that files under the file system need to be encrypted. All subsequent file writes under the file system are encrypted. Note that the encryption attribute, once set on a file system, cannot be modified or deleted.
In step S2, the writing process for file data in the file system is as follows:
Step S2.1, after the CephFS client receives a file write request, it judges whether the file to be written needs to be newly created;
if the file needs to be newly created, jump to step S2.2;
if the file already exists, verify whether the file's inode contains the ceph.file.encrypt attribute; if not, execute the write flow directly without encryption; otherwise the file needs to be encrypted, so jump to step S2.5;
Step S2.2, the CephFS client backtracks upwards through the directory tree of the file system until it finds a file system on which the ceph.dir.encrypt attribute is set.
If the ceph.dir.encrypt attribute is not set anywhere up to the root file system, the file does not need encryption and the write flow is executed directly; otherwise, find the file system nearest to the current file on which the ceph.dir.encrypt attribute is set and obtain the value of that attribute;
Step S2.3, the CephFS client sends a request to the key management module applying for a data key; the request carries the value of the ceph.dir.encrypt attribute obtained in step S2.2, which designates the master key to use;
Step S2.4, the key management module returns the generated data key and the data key encrypted with the master key to the CephFS client; jump to step S2.7 and execute the encrypted write flow;
Step S2.5, for a file that already exists and needs to be encrypted, read the ceph.file.encrypt attribute of the file to obtain the encrypted data key that encrypts the existing file data;
Step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted file data key obtained in step S2.5 and obtains the data key;
Step S2.7, after the data key is obtained, the file data to be written in the write request is striped according to its logical offset and length within the file and mapped onto RADOS objects of the specified size;
Step S2.8, each RADOS object is encrypted with the data key;
During encryption, each RADOS object is split by logical offset into blocks of 4 KiB and each block is encrypted separately; after encryption, the ciphertext is stored in the OSD data storage module.
In step S2, RADOS objects are designated as 4 MB in size; the object size can be changed by modifying the file layout.
In step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encrypt attribute of the inode so that it can be used for subsequent writes and reads of the file.
In step S3, the file data reading process is as follows:
Step S3.1, the CephFS client receives a file read request and verifies whether the inode of the current file contains the ceph.file.encrypt attribute;
if the file does not contain the ceph.file.encrypt attribute, the file is not encrypted and the read flow is executed directly;
if the ceph.file.encrypt attribute is present, read its value to obtain the encrypted data key;
Step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtains the plaintext data key;
Step S3.3, the file data in the read request is mapped from its logical offset and length within the file to the corresponding offset and length within the striped RADOS objects of the specified size;
the logical offset and length are aligned to 4 KiB, and any part at the front or rear of the request shorter than 4 KiB is widened to a full 4 KiB read; a read request is then issued to the OSD data storage module to fetch the corresponding RADOS object content;
Step S3.4, the RADOS object content read is decrypted with the plaintext data key obtained, the file data requested by the CephFS client read request is returned, and read request processing ends.
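Two pieces of client-side bookkeeping that the description above gives only in words, the upward search for the nearest ceph.dir.encrypt policy in step S2.2 and the 4 KiB widening of a read range across 4 MB objects in step S3.3, as an added Go example that is not part of the patent or of Ceph's own code. It assumes a simple striping layout in which consecutive 4 MB objects hold consecutive byte ranges of the file (real CephFS layouts can interleave stripes), and uses a constructed map of directory paths to attribute values in place of MDS lookups; `NearestEncryptPolicy`, `AlignedExtents`, `ReadAmplification` and `Extent` are names chosen here.

```go
package main

import (
	"fmt"
	"path"
)

const (
	ObjectSize = 4 << 20 // the patent's default RADOS object size, 4 MB (changeable via the file layout)
	BlockSize  = 4096    // the 4 KiB encryption unit; reads are widened to this granularity
)

// NearestEncryptPolicy walks from the file's directory up to the root and returns the
// ceph.dir.encrypt value (the master key ID) of the nearest directory carrying it (step S2.2).
// dirXattrs maps a directory path to its ceph.dir.encrypt value; a constructed stand-in for
// the attribute lookups the client would make against the MDS.
func NearestEncryptPolicy(dirXattrs map[string]string, filePath string) (string, bool) {
	for dir := path.Dir(filePath); ; dir = path.Dir(dir) {
		if v, ok := dirXattrs[dir]; ok {
			return v, true
		}
		if dir == "/" || dir == "." { // reached the root without finding the attribute
			return "", false
		}
	}
}

// Extent is a byte range inside one RADOS object.
type Extent struct {
	ObjIdx, Off, Len uint64
}

// AlignedExtents maps a logical file range onto objects (step S3.3): the range is first
// widened outward to 4 KiB boundaries, then cut at object boundaries, giving the OSD reads.
func AlignedExtents(off, length, objSize uint64) []Extent {
	if length == 0 {
		return nil
	}
	start := off - off%BlockSize
	end := off + length
	if rem := end % BlockSize; rem != 0 {
		end += BlockSize - rem
	}
	var exts []Extent
	for pos := start; pos < end; {
		obj := pos / objSize
		stop := (obj + 1) * objSize
		if stop > end {
			stop = end
		}
		exts = append(exts, Extent{ObjIdx: obj, Off: pos - obj*objSize, Len: stop - pos})
		pos = stop
	}
	return exts
}

// ReadAmplification is bytes fetched from the OSDs divided by bytes the caller asked for.
func ReadAmplification(off, length, objSize uint64) float64 {
	var fetched uint64
	for _, e := range AlignedExtents(off, length, objSize) {
		fetched += e.Len
	}
	return float64(fetched) / float64(length)
}

func main() {
	dirs := map[string]string{"/projects/secure": "mk-0001"} // constructed ceph.dir.encrypt values
	for _, f := range []string{"/projects/secure/a/b.bin", "/projects/open/c.bin"} {
		id, enc := NearestEncryptPolicy(dirs, f)
		fmt.Printf("%s encrypt=%v masterKey=%q\n", f, enc, id)
	}
	// A 200-byte read straddling the first object boundary costs two 4 KiB block reads.
	off := uint64(ObjectSize - 100)
	fmt.Println(AlignedExtents(off, 200, ObjectSize), ReadAmplification(off, 200, ObjectSize))
}
```

For a 200-byte read straddling the first object boundary the client fetches two full 4 KiB blocks, one from each object, about 41x the bytes requested, while an already aligned request passes through unchanged. Had each object been encrypted as a single unit without random access, the client would have to fetch and decrypt the whole 4 MB object for the same request, which is the efficiency argument the description makes for the 4 KiB unit.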
The apparatus comprises a memory and a processor; the memory is used for storing a computer program, and the processor implements the above method steps when executing the computer program.
The readable storage medium stores a computer program which, when executed by a processor, implements the above-described method steps.
Compared with the prior art, the ceph distributed file system server-side encryption system has the following characteristics:
Firstly, it provides a server-side encryption function for the user and effectively serves scenarios in which the user has higher requirements on data security and privacy.
Secondly, encryption is carried out in an envelope encryption mode, which strengthens security during key management and storage compared with encrypting data directly with a symmetric key, and is more applicable to encrypting large data volumes than direct encryption with an asymmetric key.
Thirdly, the RADOS objects corresponding to a file are encrypted separately with the single encryption length set to 4 KiB; compared with encryption at file-level granularity this improves file read and write efficiency and reduces the read and write amplification caused by encryption.
The above examples are only some of the specific embodiments of the present invention; ordinary changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention fall within the scope of the present invention.

Claims (7)

1. A ceph distributed file system server-side encryption system, characterized by comprising a key management module, a client encryption and decryption module, an MDS-side data key storage module and an OSD data storage module;
the key management module is responsible for managing the master key of the file system and responding to requests from the client encryption and decryption module; when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
the client encryption and decryption module is located in the CephFS client and is responsible for interacting with the key management module to obtain the data key, performing encryption and decryption operations when the client reads and writes file content, and saving the encrypted data key to the MDS-side data key storage module;
the MDS-side data key storage module is responsible for storing the encrypted data key of each file;
the OSD data storage module is responsible for responding to the client's read and write requests and storing user data;
the file system is encrypted by envelope encryption, with a master key designated for each file system; when a file in the file system is encrypted, a data key is first requested from the key management module for the file, the entire file is then striped into RADOS objects of a specified size, each object is encrypted, and the encrypted data key is saved to the extended attribute of the inode corresponding to the file;
the encryption process comprises the following steps:
Step S1, by means of envelope encryption, designating a master key in the key management module for each file system;
Step S2, when each file in the file system is written, using the master key to request a data key from the key management module; then striping the entire file into RADOS objects of the specified size and encrypting the written file data with the data key, the RADOS objects of the encrypted file sharing the corresponding encryption key;
the process of writing file data in the file system is as follows:
Step S2.1, after receiving a file write request, the CephFS client first determines whether the file to be written needs to be newly created;
if a new file needs to be created, jump to step S2.2;
if it has already been created, verify whether the current file's inode contains the ceph.file.encrypt attribute; if not, the file does not need to be encrypted and the write process is executed directly; otherwise the file needs to be encrypted, so jump to step S2.5;
Step S2.2, the CephFS client traces back upward through the directory tree of the file system until it finds a file system with the ceph.dir.encrypt attribute set;
if the ceph.dir.encrypt attribute is not set anywhere up to the root file system, the file does not need to be encrypted and the write process is executed directly; otherwise, find the file system closest to the current file that has the ceph.dir.encrypt attribute set and obtain the value of that attribute;
Step S2.3, the CephFS client sends a request to the key management module to apply for a data key; the request carries the value of the ceph.dir.encrypt attribute obtained in step S2.2 and specifies the master key to be used;
Step S2.4, the key management module returns the generated data key and the data key encrypted with the master key to the CephFS client, and jumps to step S2.7 to execute the encrypted write process;
Step S2.5, for a file that has already been created but needs to be encrypted, read the ceph.file.encrypt attribute of the file to obtain the encrypted data key that encrypts the existing file data;
Step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted file data key obtained in step S2.5 and obtains the data key;
Step S2.7, after obtaining the data key, the file data to be
written in the write request is striped according to the logical offset and length of the file, and then mapped into a RADOS object of a specified size; 步骤S2.8、对于每个RADOS对象,使用数据密钥进行加密;Step S2.8: For each RADOS object, encrypt using the data key; 加密时,将每个RADOS对象按照逻辑偏移拆分为4KiB的块,对每个块分别进行加密;加密后,将密文数据保存到OSD数据存储模块;During encryption, each RADOS object is split into 4KiB blocks according to the logical offset, and each block is encrypted separately; after encryption, the ciphertext data is saved to the OSD data storage module; 步骤S3、将加密后的数据密钥保存在文件对应的索引节点Inode的扩展属性当中;Step S3, save the encrypted data key in the extended attribute of the index node Inode corresponding to the file; 通过信封加密的方式,将加密数据的数据密钥封入信封中进行存储、传递和使用,不再使用用户主密钥直接加解密数据。Through envelope encryption, the data key of the encrypted data is sealed in an envelope for storage, transmission and use, and the user master key is no longer used to directly encrypt and decrypt data. 2.根据权利要求1所述的ceph分布式文件系统服务端加密系统,其特征在于:所述步骤S1中,对指定文件系统下的文件开启加密流程,如下:2. 
The ceph distributed file system server encryption system according to claim 1, characterized in that: in the step S1, the encryption process is started for the files under the specified file system as follows: 步骤S1.1、CephFS客户端处理设置ceph.dir.encrypt属性请求;Step S1.1, the CephFS client processes the request to set the ceph.dir.encrypt attribute; 步骤S1.2、验证设置属性的文件系统是否为空,若为空则继续执行下一步,否则返回错误验证失败;Step S1.2, verify whether the file system for setting attributes is empty, if it is empty, proceed to the next step, otherwise return an error verification failure; 步骤S1.3、CephFS客户端向密钥管理模块发送请求,申请一个主密钥;Step S1.3, the CephFS client sends a request to the key management module to apply for a master key; 步骤S1.4、密钥管理模块将主密钥ID发送给CephFS客户端,CephFS客户端收到后返回申请成功信息;Step S1.4, the key management module sends the master key ID to the CephFS client, and the CephFS client returns a successful application message after receiving it; 步骤S1.5、CephFS客户端通过向元数据服务器MDS发送请求在文件系统的目录树中找到指定文件系统;Step S1.5, the CephFS client finds the specified file system in the directory tree of the file system by sending a request to the metadata server MDS; 步骤S1.6、CephFS客户端向元数据服务器MDS发送请求,通过设置ceph.dir.encrypt属性表示该文件系统下的文件需要进行加密,对应的主密钥uuid为ceph.dir.encrypt属性的值。Step S1.6, the CephFS client sends a request to the metadata server MDS, and indicates that the files under the file system need to be encrypted by setting the ceph.dir.encrypt attribute. The corresponding master key uuid is the value of the ceph.dir.encrypt attribute. 3.根据权利要求1所述的ceph分布式文件系统服务端加密系统,其特征在于:所述步骤S2中,RADOS对象指定大小为4MB,通过修改文件布局修改对象大小。3. The ceph distributed file system server-side encryption system according to claim 1 is characterized in that: in step S2, the RADOS object specifies a size of 4MB, and the object size is modified by modifying the file layout. 4.根据权利要求1所述的ceph分布式文件系统服务端加密系统,其特征在于:所述步骤S3中,针对新创建的文件,将加密后的数据密钥保存的文件对应索引节点Inode的ceph.file.encrypt属性中,以便后续文件写入及读取时使用。4. 
The ceph distributed file system server-side encryption system according to claim 1 is characterized in that: in the step S3, for the newly created file, the encrypted data key is saved in the ceph.file.encrypt attribute of the file corresponding to the index node Inode for use in subsequent file writing and reading. 5.根据权利要求4所述的ceph分布式文件系统服务端加密系统,其特征在于:所述步骤S3中,文件数据读取流程,如下:5. The ceph distributed file system server encryption system according to claim 4 is characterized in that: in step S3, the file data reading process is as follows: 步骤S3.1、CephFS客户端收到文件读请求,验证当前文件的索引节点Inode中是否包含ceph.file.encrypt属性;Step S3.1, the CephFS client receives a file read request and verifies whether the index node Inode of the current file contains the ceph.file.encrypt attribute; 若不包含ceph.file.encrypt属性,则该文件无需解密,直接执行读流程处理;If the ceph.file.encrypt attribute is not included, the file does not need to be decrypted and the read process is directly executed; 若包含ceph.file.encrypt属性,则读取该数据的值,并获取到加密的数据密钥;If the ceph.file.encrypt property is included, the value of the data is read and the encrypted data key is obtained; 步骤S3.2、CephFS客户端向密钥管理模块发送请求,将步骤S3.1中读取到的加密的数据密钥解密,获取明文数据密钥;Step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 to obtain the plaintext data key; 步骤S3.3、将读请求中的文件数据从按照文件的逻辑偏移和长度映射为进行条带化处理后指定大小的RADOS对象的指定偏移和长度;Step S3.3, mapping the file data in the read request from the logical offset and length of the file to the specified offset and length of the RADOS object of the specified size after striping; 将该逻辑偏移和长度进行4K对齐,请求前后两端不足4KiB的部分,放大到4KiB读请求处理;向OSD数据存储模块发起读请求,获取对应RADOS对象内容;The logical offset and length are aligned to 4K, and the parts less than 4KiB at the front and back ends of the request are enlarged to 4KiB for read request processing; a read request is initiated to the OSD data storage module to obtain the corresponding RADOS object content; 
步骤S3.4、使用获取到的明文数据密钥,将读取到的RADOS对象内容解密,返回CephFS客户端读请求中需要的文件数据内容,读请求处理结束。Step S3.4: Use the obtained plaintext data key to decrypt the read RADOS object content and return the file data content required in the CephFS client read request, and the read request processing is completed. 6.一种设备,其特征在于:包括存储器和处理器;所述存储器用于存储计算机程序,所述处理器用于执行所述计算机程序时实现如权利要求1至5任意一项所述的系统。6. A device, characterized in that it comprises a memory and a processor; the memory is used to store a computer program, and the processor is used to implement the system according to any one of claims 1 to 5 when executing the computer program. 7.一种可读存储介质,其特征在于:所述可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如权利要求1至5任意一项所述的系统。7. A readable storage medium, characterized in that: a computer program is stored on the readable storage medium, and when the computer program is executed by a processor, the system according to any one of claims 1 to 5 is implemented.
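The write path (steps S2.1 to S2.8 and S3) and the read path (steps S3.1 to S3.4) above, worked through as an added example. This is illustrative code written for this page, not code from the patent or from Ceph. It assumes in-memory stand-ins for the MDS inode attributes and the OSD object store, a constructed 16 KiB object size instead of the 4MB of claim 3, whole-file writes from offset 0, and an HMAC-SHA256 counter-mode keystream as a placeholder for the block cipher (a real implementation would use AES, for example XTS for the 4 KiB blocks and an authenticated wrapping mode for the data key). The envelope written to ceph.file.encrypt carries the master key id, a nonce, the wrapped data key and an integrity tag, so that a tampered envelope is rejected before any data is decrypted.

```python
"""Envelope encryption over a striped object store, as in the claims above.
Added example; not the patent's or Ceph's code. The cipher is a stand-in."""
import hashlib
import hmac
import os
import struct

BLOCK = 4096               # 4 KiB encryption block, as in step S2.8
OBJECT_SIZE = 4 * BLOCK    # constructed: 16 KiB objects for the demo (claim 3 uses 4MB)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (placeholder for AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class KeyManager:
    """Key management module: holds master keys, issues and unwraps data keys."""

    def __init__(self) -> None:
        self._masters = {}                  # master key uuid -> master key bytes

    def create_master_key(self) -> str:
        kid = os.urandom(8).hex()           # uuid stored as the ceph.dir.encrypt value
        self._masters[kid] = os.urandom(32)
        return kid

    def generate_data_key(self, kid: str) -> tuple:
        """Step S2.4: return (plaintext DEK, DEK wrapped under master key kid)."""
        dek, mk, nonce = os.urandom(32), self._masters[kid], os.urandom(16)
        ct = _xor(dek, _keystream(mk, nonce, len(dek)))
        tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()   # integrity of the envelope
        return dek, kid.encode() + b":" + nonce + ct + tag

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        """Steps S2.6 / S3.2: unwrap; the master key never leaves this module."""
        kid, rest = wrapped.split(b":", 1)
        mk = self._masters[kid.decode()]
        nonce, ct, tag = rest[:16], rest[16:48], rest[48:]
        if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("wrapped data key failed integrity check")
        return _xor(ct, _keystream(mk, nonce, len(ct)))


class CephFSClient:
    """Client encryption/decryption module with in-memory MDS and OSD stand-ins."""
    XATTR_DIR = "ceph.dir.encrypt"
    XATTR_FILE = "ceph.file.encrypt"

    def __init__(self, kms: KeyManager) -> None:
        self.kms = kms
        self.mds = {"/": {}}    # path -> inode xattrs (MDS-side key storage stand-in)
        self.osd = {}           # (path, object number) -> object bytes (OSD stand-in)

    def enable_encryption(self, directory: str) -> str:
        """Steps S1.1-S1.6: only an empty directory may be switched to encrypted."""
        prefix = directory.rstrip("/") + "/"
        if any(p.startswith(prefix) for p in self.mds):
            raise ValueError("directory must be empty before enabling encryption")
        kid = self.kms.create_master_key()
        self.mds.setdefault(directory, {})[self.XATTR_DIR] = kid
        return kid

    def _policy_key(self, path: str):
        """Step S2.2: walk up to the nearest ancestor carrying ceph.dir.encrypt."""
        d = path
        while True:
            d = os.path.dirname(d)
            kid = self.mds.get(d, {}).get(self.XATTR_DIR)
            if kid or d == "/":
                return kid

    @staticmethod
    def _crypt(dek: bytes, objno: int, blk: int, chunk: bytes) -> bytes:
        # Per-block nonce = (object number, block index): each 4 KiB block stands alone (S2.8).
        return _xor(chunk, _keystream(dek, struct.pack(">QQ", objno, blk), len(chunk)))

    def write(self, path: str, data: bytes) -> None:
        """Whole-file write from offset 0 (simplifying assumption); steps S2.1-S2.8 and S3."""
        xattrs, dek = self.mds.get(path), None
        if xattrs is None:                                   # S2.1: new file
            xattrs = self.mds[path] = {}
            kid = self._policy_key(path)
            if kid:
                dek, wrapped = self.kms.generate_data_key(kid)   # S2.3 / S2.4
                xattrs[self.XATTR_FILE] = wrapped                # S3: envelope in the inode xattr
        elif self.XATTR_FILE in xattrs:                      # S2.5 / S2.6: reuse the file's DEK
            dek = self.kms.decrypt_data_key(xattrs[self.XATTR_FILE])
        for key in [k for k in self.osd if k[0] == path]:    # drop the previous objects
            del self.osd[key]
        for objno in range(-(-len(data) // OBJECT_SIZE)):    # S2.7: stripe into objects
            obj = data[objno * OBJECT_SIZE:(objno + 1) * OBJECT_SIZE]
            if dek:
                obj = b"".join(self._crypt(dek, objno, b, obj[b * BLOCK:(b + 1) * BLOCK])
                               for b in range(-(-len(obj) // BLOCK)))
            self.osd[(path, objno)] = obj

    def read(self, path: str, offset: int, length: int) -> bytes:
        """Steps S3.1-S3.4, including 4 KiB alignment of both ends of the request."""
        wrapped = self.mds[path].get(self.XATTR_FILE)
        dek = self.kms.decrypt_data_key(wrapped) if wrapped else None
        start = offset - offset % BLOCK                       # align the start down
        end = -(-(offset + length) // BLOCK) * BLOCK          # align the end up
        out = bytearray()
        for pos in range(start, end, BLOCK):
            objno, inoff = divmod(pos, OBJECT_SIZE)
            chunk = self.osd.get((path, objno), b"")[inoff:inoff + BLOCK]
            if not chunk:
                break                                         # past the end of the file
            out += self._crypt(dek, objno, inoff // BLOCK, chunk) if dek else chunk
        return bytes(out[offset - start:offset - start + length])
```

Because the data key is reused across rewrites of the same file (steps S2.5 and S2.6) and the per-block nonce is derived only from the object and block position, a stream-cipher placeholder like the one above would expose a keystream-reuse weakness on rewrite; that is why production designs use a tweakable block mode such as XTS for the 4 KiB blocks rather than a stream cipher.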
CN202211692733.7A 2022-12-28 2022-12-28 A ceph distributed file system server encryption system Active CN116094775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211692733.7A CN116094775B (en) 2022-12-28 2022-12-28 A ceph distributed file system server encryption system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211692733.7A CN116094775B (en) 2022-12-28 2022-12-28 A ceph distributed file system server encryption system

Publications (2)

Publication Number Publication Date
CN116094775A CN116094775A (en) 2023-05-09
CN116094775B true CN116094775B (en) 2024-08-09

Family

ID=86186161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211692733.7A Active CN116094775B (en) 2022-12-28 2022-12-28 A ceph distributed file system server encryption system

Country Status (1)

Country Link
CN (1) CN116094775B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119203118B (en) * 2024-08-23 2025-09-02 中电信量子科技有限公司 An encryption method and system for Ceph block storage based on quantum key

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112733189A (en) * 2021-01-14 2021-04-30 浪潮云信息技术股份公司 System and method for realizing file storage server side encryption

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103595730B (en) * 2013-11-28 2016-06-08 中国科学院信息工程研究所 A ciphertext cloud storage method and system
CN107506652A (en) * 2017-07-13 2017-12-22 浙江大学 CephFS metadata of distributed type file system accesses the realization method and system of protection mechanism
CN109783438B (en) * 2018-12-05 2021-07-27 南京华讯方舟通信设备有限公司 A distributed NFS system based on librados and its construction method
CN110120869B (en) * 2019-03-27 2022-09-30 上海隔镜信息科技有限公司 Key management system and key service node
CN113407242B (en) * 2020-03-16 2023-04-07 中移(苏州)软件技术有限公司 Cloud hard disk encryption mounting method and device, electronic equipment and storage medium
CN113779619B (en) * 2021-08-11 2024-09-13 深圳市证通云计算有限公司 Ceph distributed object storage system encryption and decryption method based on cryptographic algorithm
CN113992702B (en) * 2021-09-16 2023-11-03 深圳市证通电子股份有限公司 Ceph distributed file system storage state password reinforcement method and system

Also Published As

Publication number Publication date
CN116094775A (en) 2023-05-09

Similar Documents

Publication Publication Date Title
US11558174B2 (en) Data storage method, device, related equipment and cloud system for hybrid cloud
US9740639B2 (en) Map-based rapid data encryption policy compliance
JP7044881B2 (en) Distributed storage methods and equipment, computer equipment and storage media
US8689279B2 (en) Encrypted chunk-based rapid data encryption policy compliance
CN103825953B (en) A kind of user model encrypted file system
CN107612683B (en) An encryption and decryption method, apparatus, system, device and storage medium
US11379836B2 (en) Methods and systems for recording data based on plurality of blockchain networks
WO2017206754A1 (en) Storage method and storage device for distributed file system
CN110022558B (en) Method for encrypting and decrypting upgrade package, electronic device and storage medium
US11050550B2 (en) Methods and systems for reading data based on plurality of blockchain networks
CN107562915A (en) Read the method, apparatus and equipment and computer-readable recording medium of small documents
CN107943556A (en) Virtualization Data Security Method Based on KMIP and Encryption Card
CN110650191A (en) Data read-write method of distributed storage system
CN116094775B (en) A ceph distributed file system server encryption system
US20240211612A1 (en) Data Storage Method and Apparatus, Device, and Readable Medium
CN117591016A (en) Encrypted volume migration method, encrypted volume migration device, computer equipment and storage medium
CN104182418A (en) Method and device for obtaining node metadata
US20130061059A1 (en) Information processing apparatus, information processing method, and non-transitory computer readable medium
CN119227112B (en) A bare metal cloud hard drive data encryption device, method, equipment and medium based on national secret algorithm
CN114491607A (en) Cloud platform data processing method and device, computer equipment and storage medium
CN118606969A (en) Data volume encryption and decryption method, device, equipment, storage medium, computer program product and system
CN113268456B (en) File processing method, system, equipment and computer readable storage medium
CN117592068A (en) Encrypted data conversion methods, devices, equipment and storage media
CN117220871A (en) Method, system, equipment and medium for safely storing key realized by software
US11086849B2 (en) Methods and systems for reading data based on plurality of blockchain networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant