
CN116094775B - Ceph distributed file system server encryption system - Google Patents


Info

Publication number: CN116094775B
Application number: CN202211692733.7A
Authority: CN (China)
Prior art keywords: file, data, key, encryption, client
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN116094775A (en)
Inventors: 王新雨, 蒋方文, 李超
Current assignee: Inspur Cloud Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Inspur Cloud Information Technology Co Ltd
Events: application filed by Inspur Cloud Information Technology Co Ltd; priority to CN202211692733.7A; publication of CN116094775A; application granted; publication of CN116094775B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a ceph distributed file system server encryption system. The ceph distributed file system server side encryption system comprises a key management module, a client side encryption and decryption module, an MDS side data key storage module and an OSD data storage module. The system encrypts the file data in the file system, so that the requirements of user privacy and data security are met; security in key management and transmission is strengthened by envelope encryption, and combining envelope encryption with per-object encryption is better suited to encrypting large amounts of data.

Description

Ceph distributed file system server encryption system
Technical Field
The invention relates to the technical field of information, in particular to a ceph distributed file system server encryption system.
Background
Ceph is a unified distributed storage system offering high performance, high reliability and scalability, and provides object, block and file storage within one unified storage system. After years of development it is supported by numerous cloud computing vendors and is widely used.
When the CephFS file system is used, the client stripes the whole file into RADOS (Reliable Autonomic Distributed Object Storage) objects of a specified size and sends a write request to each object storage device OSD (Object-based Storage Device) to persist the data. Data is stored in the clear on disk, so in some cases, such as the loss of a hardware device, the data content may be read, identified or recovered, causing data leakage and privacy problems. For usage scenarios with high data security requirements this is a large security risk. Envelope encryption is an encryption technique similar to digital envelopes: the data key is itself encrypted and sealed in an envelope for storage, transmission and use, and the data is encrypted and decrypted with the data key rather than simply with the user master key. Encrypting the key keeps it secure in transit and in use, and the approach is better suited to encrypting large volumes of data than direct encryption with an asymmetric key.
In usage scenarios with high data security requirements, the CephFS file system has no mechanism for encrypting the files it stores and cannot meet users' requirements for security and privacy. The invention provides a ceph distributed file system server encryption system.
Disclosure of Invention
The invention provides a simple and efficient ceph distributed file system server encryption system to overcome the defects of the prior art.
The invention is realized by the following technical scheme:
A ceph distributed file system server encryption system is characterized in that the system comprises a key management module, a client encryption and decryption module, an MDS side data key storage module and an OSD data storage module;
The key management module is responsible for managing the master key of a file system and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
The client encryption and decryption module is located at the CephFS client and is responsible for obtaining the data key through interaction with the key management module, performing encryption and decryption when the client reads and writes file content, and storing the encrypted data key in the MDS side data key storage module;
The MDS side data key storage module is responsible for storing the encrypted data key of each file;
the OSD data storage module is responsible for responding to the client's read and write requests and storing the user data.
The ceph distributed file system server side encryption system encrypts file systems in envelope encryption mode and designates a master key for each file system; when encrypting a file in a file system, it first requests a data key for the file from the key management module, then stripes the whole file into RADOS objects of a specified size, then encrypts each object, and at the same time stores the encrypted data key in the extended attribute of the index node (Inode) corresponding to the file.
The ceph distributed file system server encryption system comprises the following steps:
Step S1, in envelope encryption mode, designate a master key in the key management module for each file system;
Step S2, when each file in the file system is written, request a data key from the key management module under that master key; then stripe the whole file into RADOS objects of the specified size and encrypt the written file data with the data key, where all RADOS objects belonging to the file share the same encryption key;
Step S3, store the encrypted data key in the extended attribute of the index node Inode corresponding to the file;
In envelope encryption mode the data key that encrypts the data is itself sealed in an envelope for storage, transmission and use, and the data is encrypted and decrypted with that data key rather than directly with the user master key.
In step S1, the encryption process for files under a specified file system is started as follows:
Step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
Step S1.2, verify whether the file system on which the attribute is being set is empty; if so, continue to the next step, otherwise return a verification failure error;
Step S1.3, the CephFS client sends a request to the key management module applying for a master key;
Step S1.4, the key management module sends the master key ID to the CephFS client, and the CephFS client returns application-success information after receiving the master key ID;
Step S1.5, the CephFS client finds the specified file system in the file system's directory tree by sending a request to the metadata server MDS;
Step S1.6, the CephFS client sends a request to the metadata server MDS and indicates that files under the file system need to be encrypted by setting the ceph.
In step S2, the write process for file data in the file system is as follows:
Step S2.1, after the CephFS client receives a file write request, it judges whether the file to be written needs to be newly created;
if the file needs to be newly created, jump to step S2.2;
otherwise, verify whether the Inode of the current file contains the ceph.file.encrypt attribute; if not, execute the write flow directly without encryption; otherwise the file needs to be encrypted, so jump to step S2.5;
Step S2.2, the CephFS client backtracks upward through the file system's directory tree until it finds a file system that has set the ceph.
If the ceph.dir.encrypt attribute is not set anywhere up to the root file system, the file does not need encryption and the write flow is executed directly; otherwise, find the file system nearest to the current file that carries the ceph.dir.encrypt attribute and obtain the value of that attribute;
Step S2.3, the CephFS client sends a request to the key management module applying for a data key; the request carries the value of the ceph.dir.encrypt attribute obtained in step S2.2, which designates the master key to use;
Step S2.4, the key management module returns the generated data key, together with that data key encrypted under the master key, to the CephFS client; jump to step S2.7 and execute the encrypted write flow;
Step S2.5, for a file that already exists and needs encryption, read the ceph.file.encryption attribute of the file to obtain the encrypted data key that encrypts the original file data;
Step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted file data key obtained in step S2.5 and obtains the data key;
Step S2.7, once the data key is obtained, stripe the file data to be written in the write request according to the file's logical offset and length, mapping it onto RADOS objects of the specified size;
Step S2.8, encrypt each RADOS object with the data key;
During encryption each RADOS object is split into 4KiB blocks by logical offset and each block is encrypted separately; after encryption the ciphertext is stored in the OSD data storage module.
In step S2, RADOS objects are designated as 4MB in size; the object size can be changed by modifying the file layout.
In step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encryption attribute of the Inode for use in subsequent writes and reads of the file.
In step S3, the read process for file data is as follows:
Step S3.1, the CephFS client receives a file read request and verifies whether the index node Inode of the current file contains the ceph.file.encrypt attribute;
if the file does not contain the ceph.file.encryption attribute, the file is not encrypted and the read flow is executed directly;
if the ceph.file.encryption attribute is present, read its value to obtain the encrypted data key;
Step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtains the plaintext data key;
Step S3.3, map the file data in the read request from the file's logical offset and length to the corresponding offset and length within the RADOS objects of the specified size produced by striping;
the logical offset and length are 4K-aligned: where the head or tail of the request covers less than 4KiB, the read is widened to a full 4KiB block; a read request is then issued to the OSD data storage module to fetch the corresponding RADOS object content;
Step S3.4, decrypt the RADOS object content read with the plaintext data key, return the file data required by the CephFS client's read request, and end the read request processing.
An apparatus, characterized in that it comprises a memory and a processor; the memory stores a computer program, and the processor implements the above method steps when executing the computer program.
A readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the above method steps.
The beneficial effects of the invention are as follows: the ceph distributed file system server side encryption system encrypts the file data in the file system, so that the requirements of user privacy and data security are met; security in key management and transmission is strengthened by envelope encryption, and combining envelope encryption with per-object encryption is better suited to encrypting large amounts of data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a server-side encryption system for ceph distributed file systems according to the present invention.
FIG. 2 is a schematic diagram of a file data writing process according to the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the technical solution of the present invention, the following description will make clear and complete description of the technical solution of the present invention in combination with the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
The ceph distributed file system server side encryption system comprises a key management module, a client side encryption and decryption module, an MDS (metadata server) side data key storage module and an OSD data storage module;
The key management module is responsible for managing the master key of a file system and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
The client encryption and decryption module is located at the CephFS client and is responsible for obtaining the data key through interaction with the key management module, performing encryption and decryption when the client reads and writes file content, and storing the encrypted data key in the MDS side data key storage module;
The MDS side data key storage module is responsible for storing the encrypted data key of each file;
the OSD data storage module is responsible for responding to the client's read and write requests and storing the user data.
The ceph distributed file system server side encryption system encrypts file systems in envelope encryption mode and designates a master key for each file system; when encrypting a file in a file system, it first requests a data key for the file from the key management module, then stripes the whole file into RADOS objects of a specified size, then encrypts each object, and at the same time stores the encrypted data key in the extended attribute of the index node (Inode) corresponding to the file.
The ceph distributed file system server encryption system comprises the following steps:
Step S1, in envelope encryption mode, designate a master key in the key management module for each file system;
Step S2, when each file in the file system is written, request a data key from the key management module under that master key; then stripe the whole file into RADOS objects of the specified size and encrypt the written file data with the data key, where all RADOS objects belonging to the file share the same encryption key;
Step S3, store the encrypted data key in the extended attribute of the index node Inode corresponding to the file;
In envelope encryption mode the data key that encrypts the data is itself sealed in an envelope for storage, transmission and use, and the data is encrypted and decrypted with that data key rather than directly with the user master key.
When each RADOS object is encrypted, the object is divided into 4KiB blocks and each block is encrypted separately.
In step S2, each file applies for a different data key, which further protects data in a multi-user setting;
after server-side data encryption, even if the hardware device is lost, the meaningful content of the data cannot be identified, so the security of user data is ensured.
In step S1, the encryption process for files under a specified file system is started as follows:
Step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
Step S1.2, verify whether the file system on which the attribute is being set is empty; if so, continue to the next step, otherwise return a verification failure error;
Step S1.3, the CephFS client sends a request to the key management module applying for a master key;
Step S1.4, the key management module sends the master key ID to the CephFS client, and the CephFS client returns application-success information after receiving the master key ID;
Step S1.5, the CephFS client finds the specified file system in the file system's directory tree by sending a request to the metadata server MDS;
Step S1.6, the CephFS client sends a request to the metadata server MDS and indicates that files under the file system need to be encrypted by setting the ceph. All subsequent file writes under that file system must be encrypted. Note that a file system on which the encryption attribute has been set cannot be modified or deleted.
In step S2, the write process for file data in the file system is as follows:
Step S2.1, after the CephFS client receives a file write request, it judges whether the file to be written needs to be newly created;
if the file needs to be newly created, jump to step S2.2;
otherwise, verify whether the Inode of the current file contains the ceph.file.encrypt attribute; if not, execute the write flow directly without encryption; otherwise the file needs to be encrypted, so jump to step S2.5;
Step S2.2, the CephFS client backtracks upward through the file system's directory tree until it finds a file system that has set the ceph.
If the ceph.dir.encrypt attribute is not set anywhere up to the root file system, the file does not need encryption and the write flow is executed directly; otherwise, find the file system nearest to the current file that carries the ceph.dir.encrypt attribute and obtain the value of that attribute;
Step S2.3, the CephFS client sends a request to the key management module applying for a data key; the request carries the value of the ceph.dir.encrypt attribute obtained in step S2.2, which designates the master key to use;
Step S2.4, the key management module returns the generated data key, together with that data key encrypted under the master key, to the CephFS client; jump to step S2.7 and execute the encrypted write flow;
Step S2.5, for a file that already exists and needs encryption, read the ceph.file.encryption attribute of the file to obtain the encrypted data key that encrypts the original file data;
Step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted file data key obtained in step S2.5 and obtains the data key;
Step S2.7, once the data key is obtained, stripe the file data to be written in the write request according to the file's logical offset and length, mapping it onto RADOS objects of the specified size;
Step S2.8, encrypt each RADOS object with the data key;
During encryption each RADOS object is split into 4KiB blocks by logical offset and each block is encrypted separately; after encryption the ciphertext is stored in the OSD data storage module.
In step S2, RADOS objects are designated as 4MB in size; the object size can be changed by modifying the file layout.
In step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encryption attribute of the Inode for use in subsequent writes and reads of the file.
In step S3, the read process for file data is as follows:
Step S3.1, the CephFS client receives a file read request and verifies whether the index node Inode of the current file contains the ceph.file.encrypt attribute;
if the file does not contain the ceph.file.encryption attribute, the file is not encrypted and the read flow is executed directly;
if the ceph.file.encryption attribute is present, read its value to obtain the encrypted data key;
Step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtains the plaintext data key;
Step S3.3, map the file data in the read request from the file's logical offset and length to the corresponding offset and length within the RADOS objects of the specified size produced by striping;
the logical offset and length are 4K-aligned: where the head or tail of the request covers less than 4KiB, the read is widened to a full 4KiB block; a read request is then issued to the OSD data storage module to fetch the corresponding RADOS object content;
Step S3.4, decrypt the RADOS object content read with the plaintext data key, return the file data required by the CephFS client's read request, and end the read request processing.
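The write and read procedures above (steps S2.1 to S3.4), as an added example in Go that is not part of the patent or of Ceph: a stand-in key management module wraps a fresh per-file data key under the file system's master key, the client stripes the file into 4 MiB objects, encrypts each 4 KiB block separately and stores only the wrapped key on the inode as ceph.file.encryption, and the read path 4 KiB-aligns the request before fetching and decrypting. The cipher (AES-256-GCM with a per-block nonce and tag), the object naming, the AAD that binds each block to its position, and the in-memory KMS/OSD maps are assumptions; the patent does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const (
	objectSize  = 4 << 20 // 4 MiB RADOS object, the patent's default file layout
	blockSize   = 4096    // 4 KiB encryption unit inside each object
	gcmOverhead = 12 + 16 // nonce + tag stored with every block (assumption: AES-256-GCM)
	dekXattr    = "ceph.file.encryption"
)

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// gcm builds an AES-256-GCM instance; every key in this example is 32 bytes, so it cannot fail.
func gcm(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(blk)
	return aead
}

// seal/open keep the nonce in front: blob = nonce || ciphertext || tag.
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("truncated ciphertext")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}

// KMS stands in for the key management module of one file system (step S1): the master key
// never leaves it, and clients only ever receive data keys, plain together with their envelope.
type KMS struct{ master []byte }

func NewKMS() *KMS { mk := make([]byte, 32); rand.Read(mk); return &KMS{master: mk} }

// GenerateDataKey (steps S2.3/S2.4): a fresh per-file DEK and the same DEK wrapped by the master key.
func (k *KMS) GenerateDataKey() (dek, wrapped []byte) {
	dek = make([]byte, 32)
	rand.Read(dek)
	return dek, seal(k.master, dek, []byte("dek"))
}

// DecryptDataKey (steps S2.6/S3.2): unwrap an envelope for a client that holds only the ciphertext.
func (k *KMS) DecryptDataKey(wrapped []byte) ([]byte, error) { return open(k.master, wrapped, []byte("dek")) }

// Inode carries the one xattr the scheme depends on; OSD stands in for object storage (name -> bytes).
type Inode struct{ Ino uint64; Size int; Xattr map[string][]byte }
type OSD map[string][]byte

func NewInode(ino uint64) *Inode { return &Inode{Ino: ino, Xattr: map[string][]byte{}} }

// locate maps a file offset to its RADOS object, its 4 KiB block index and an AAD that binds
// the ciphertext to that position, so blocks cannot be swapped or replayed on disk (assumption).
func locate(ino uint64, off int) (name string, blk int, aad []byte) {
	name, blk = fmt.Sprintf("%x.%08x", ino, off/objectSize), (off%objectSize)/blockSize
	return name, blk, []byte(fmt.Sprintf("%s:%d", name, blk))
}

// WriteFile (steps S2.3-S2.8 and S3): stripe into objects, encrypt every 4 KiB block with the
// file's DEK, and keep only the wrapped DEK on the inode.
func WriteFile(kms *KMS, osd OSD, ino *Inode, data []byte) {
	dek, wrapped := kms.GenerateDataKey()
	ino.Xattr[dekXattr], ino.Size = wrapped, len(data)
	for off := 0; off < len(data); off += blockSize {
		name, _, aad := locate(ino.Ino, off)
		osd[name] = append(osd[name], seal(dek, data[off:minInt(off+blockSize, len(data))], aad)...)
	}
}

// ReadFile (steps S3.1-S3.4): align the request to 4 KiB, fetch and authenticate only the
// covering block records, then trim back to exactly the bytes requested.
func ReadFile(kms *KMS, osd OSD, ino *Inode, off, length int) ([]byte, error) {
	wrapped, ok := ino.Xattr[dekXattr]
	if !ok {
		return nil, fmt.Errorf("inode has no %s attribute: the plain read path applies", dekXattr)
	}
	dek, err := kms.DecryptDataKey(wrapped)
	if err != nil {
		return nil, err
	}
	end := minInt(off+length, ino.Size)
	if off < 0 || off >= end {
		return []byte{}, nil
	}
	first := off / blockSize * blockSize // 4 KiB alignment of the request start
	var out []byte
	for a := first; a < end; a += blockSize {
		name, blk, aad := locate(ino.Ino, a)
		start, recLen := blk*(blockSize+gcmOverhead), minInt(blockSize, ino.Size-a)+gcmOverhead
		if start+recLen > len(osd[name]) {
			return nil, fmt.Errorf("object %s is truncated", name)
		}
		pt, err := open(dek, osd[name][start:start+recLen], aad)
		if err != nil {
			return nil, fmt.Errorf("block %d of %s failed authentication: %w", blk, name, err)
		}
		out = append(out, pt...)
	}
	return out[off-first : end-first], nil
}
```

Because each 4 KiB block carries its own nonce and tag, a stored object is slightly larger than 4 MiB; a length-preserving mode such as AES-XTS would avoid that but gives up per-block integrity, which is what makes a corrupted or swapped block fail the read here instead of returning garbage.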
The apparatus includes a memory and a processor; the memory stores a computer program, and the processor implements the above method steps when executing the computer program.
The readable storage medium stores a computer program which, when executed by a processor, implements the above method steps.
Compared with the prior art, the ceph distributed file system server encryption system has the following characteristics:
First, a server-side encryption function can be provided to the user, effectively serving scenarios in which the user has higher requirements on data security and privacy.
Second, encryption is carried out in envelope encryption mode, which strengthens security in key management and storage compared with encrypting data directly with a symmetric key, and is better suited to encrypting large data volumes than direct encryption with an asymmetric key.
Third, the RADOS objects corresponding to a file are encrypted separately with a single encryption unit of 4KiB; compared with finer-grained file-level data encryption this improves file read and write efficiency and reduces the read and write amplification caused by encryption.
The above examples are only one of the specific embodiments of the present invention, and the ordinary changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention should be included in the scope of the present invention.

Claims (7)

1. A ceph distributed file system server encryption system is characterized in that the system comprises a key management module, a client encryption and decryption module, an MDS side data key storage module and an OSD data storage module;
The key management module is responsible for managing the master key of a file system and responding to requests from the client encryption and decryption module: when the client needs to encrypt, it issues a data key to the client; when the client needs to decrypt, it decrypts the encrypted data key sent by the client;
The client encryption and decryption module is located at the CephFS client and is responsible for obtaining the data key through interaction with the key management module, performing encryption and decryption when the client reads and writes file content, and storing the encrypted data key in the MDS side data key storage module;
The MDS side data key storage module is responsible for storing the encrypted data key of each file;
the OSD data storage module is responsible for responding to the client's read and write requests and storing user data;
The file systems are encrypted in envelope encryption mode and a master key is designated for each file system; when encrypting a file in a file system, a data key for the file is first requested from the key management module, then the whole file is striped into RADOS objects of a specified size, then each object is encrypted, and at the same time the encrypted data key is stored in the extended attribute of the index node Inode corresponding to the file;
the encryption flow comprises the following steps:
Step S1, in envelope encryption mode, designate a master key in the key management module for each file system;
Step S2, when each file in the file system is written, request a data key from the key management module under that master key; then stripe the whole file into RADOS objects of the specified size and encrypt the written file data with the data key, where the RADOS objects of the encrypted file share the corresponding encryption key;
the write flow for file data in the file system is as follows:
Step S2.1, after the CephFS client receives a file write request, it judges whether the file to be written needs to be newly created;
if the file needs to be newly created, jump to step S2.2;
otherwise, verify whether the Inode of the current file contains the ceph.file.encrypt attribute; if not, execute the write flow directly without encryption; otherwise the file needs to be encrypted, so jump to step S2.5;
Step S2.2, the CephFS client backtracks upward through the file system's directory tree until it finds a file system that has set the ceph.
If the ceph.dir.encrypt attribute is not set anywhere up to the root file system, the file does not need encryption and the write flow is executed directly; otherwise, find the file system nearest to the current file that carries the ceph.dir.encrypt attribute and obtain the value of that attribute;
Step S2.3, the CephFS client sends a request to the key management module applying for a data key; the request carries the value of the ceph.dir.encrypt attribute obtained in step S2.2, which designates the master key to use;
Step S2.4, the key management module returns the generated data key, together with that data key encrypted under the master key, to the CephFS client; jump to step S2.7 and execute the encrypted write flow;
Step S2.5, for a file that already exists and needs encryption, read the ceph.file.encryption attribute of the file to obtain the encrypted data key that encrypts the original file data;
Step S2.6, the CephFS client sends a request to the key management module to decrypt the encrypted file data key obtained in step S2.5 and obtains the data key;
Step S2.7, once the data key is obtained, stripe the file data to be written in the write request according to the file's logical offset and length, mapping it onto RADOS objects of the specified size;
Step S2.8, encrypt each RADOS object with the data key;
During encryption each RADOS object is split into 4KiB blocks by logical offset and each block is encrypted separately; after encryption the ciphertext is stored in the OSD data storage module;
Step S3, store the encrypted data key in the extended attribute of the index node Inode corresponding to the file;
In envelope encryption mode the data key that encrypts the data is itself sealed in an envelope for storage, transmission and use, and the data is encrypted and decrypted with that data key rather than directly with the user master key.
2. The ceph distributed filesystem server side encryption system as claimed in claim 1, wherein: in step S1, the encryption process for files under a specified file system is started as follows:
Step S1.1, the CephFS client processes a request to set the ceph.dir.encrypt attribute;
Step S1.2, verify whether the file system on which the attribute is set is empty; if so, continue to the next step, otherwise return a verification-failure error;
Step S1.3, the CephFS client sends a request to the key management module to apply for a master key;
Step S1.4, the key management module sends the master key ID to the CephFS client, and the CephFS client returns application-success information after receiving the master key ID;
Step S1.5, the CephFS client finds the specified file system in the directory tree of the file system by sending a request to the metadata server MDS;
Step S1.6, the CephFS client sends a request to the metadata server MDS and indicates, by setting the ceph.dir.encrypt attribute, that the files under that file system need to be encrypted.
3. The ceph distributed filesystem server side encryption system as claimed in claim 1, wherein: in step S2, the RADOS object size is designated as 4MB, and the object size can be changed by modifying the file layout.
4. The ceph distributed filesystem server side encryption system as claimed in claim 1, wherein: in step S3, for a newly created file, the encrypted data key is stored in the ceph.file.encryption attribute of the Inode for use in subsequent writes and reads of the file.
5. The ceph distributed filesystem server side encryption system as claimed in claim 4, wherein: in step S3, the file data read flow is as follows:
Step S3.1, the CephFS client receives the file read request and verifies whether the index node Inode of the current file contains the ceph.file.encrypt attribute;
if the ceph.file.encrypt attribute is not present, the file does not need decryption and the read flow is executed directly;
if the ceph.file.encryption attribute is present, its value is read to obtain the encrypted data key;
Step S3.2, the CephFS client sends a request to the key management module to decrypt the encrypted data key read in step S3.1 and obtain the plaintext data key;
Step S3.3, the file data in the read request is mapped from the file's logical offset and length to the corresponding offset and length within the striped RADOS objects of the specified size;
the logical offset and length are 4K-aligned: any portion at the front or rear end of the request shorter than 4KiB is enlarged to a 4KiB read request; a read request is then issued to the OSD data storage module to obtain the corresponding RADOS object content;
Step S3.4, the read RADOS object content is decrypted with the obtained plaintext data key, the file data content required by the read request is returned to the CephFS client, and read request processing ends.
6. An apparatus, characterized in that it comprises a memory and a processor; the memory is configured to store a computer program, and the processor is configured to implement the system of any one of claims 1 to 5 when the computer program is executed.
7. A readable storage medium, characterized in that the readable storage medium stores a computer program which, when executed by a processor, implements the system of any one of claims 1 to 5.
CN202211692733.7A 2022-12-28 2022-12-28 Ceph distributed file system server encryption system Active CN116094775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211692733.7A CN116094775B (en) 2022-12-28 2022-12-28 Ceph distributed file system server encryption system

Publications (2)

Publication Number Publication Date
CN116094775A CN116094775A (en) 2023-05-09
CN116094775B true CN116094775B (en) 2024-08-09

Family

ID=86186161

Country Status (1)

Country Link
CN (1) CN116094775B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112733189A (en) * 2021-01-14 2021-04-30 浪潮云信息技术股份公司 System and method for realizing file storage server side encryption

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103595730B (en) * 2013-11-28 2016-06-08 中国科学院信息工程研究所 A kind of ciphertext cloud storage method and system
CN107506652A (en) * 2017-07-13 2017-12-22 浙江大学 CephFS metadata of distributed type file system accesses the realization method and system of protection mechanism
CN109783438B (en) * 2018-12-05 2021-07-27 南京华讯方舟通信设备有限公司 Distributed NFS system based on librados and construction method thereof
CN110120869B (en) * 2019-03-27 2022-09-30 上海隔镜信息科技有限公司 Key management system and key service node
CN113407242B (en) * 2020-03-16 2023-04-07 中移(苏州)软件技术有限公司 Cloud hard disk encryption mounting method and device, electronic equipment and storage medium
CN113779619B (en) * 2021-08-11 2024-09-13 深圳市证通云计算有限公司 Ceph distributed object storage system encryption and decryption method based on cryptographic algorithm
CN113992702B (en) * 2021-09-16 2023-11-03 深圳市证通电子股份有限公司 Ceph distributed file system storage state password reinforcement method and system

Also Published As

Publication number Publication date
CN116094775A (en) 2023-05-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant