CN-119760767-B - Virtual machine encryption method and system

Abstract

The invention relates to a virtual machine encryption method comprising the following steps. S1: an administrator checks and prepares the configuration of the server environment hosting the virtual machine to be encrypted, marks each disk partition in the virtual machine, records the disk capacity and the partition format, and opens a cache area in server memory for storing data and key information during encryption. S2: an encryption key is generated; a key generation module independently generates a unique group of encryption keys for each virtual machine disk that needs encryption and extracts characteristic information from a hardware identifier built into the server. By encrypting all disk data, the data is stored on the server in ciphertext form: once encrypted by the virtual machine, the data disk cannot be mounted on other virtual machines, and once exported from the virtual machine the data cannot be used on other platforms, so sensitive data is protected from theft and the personal privacy of users is safeguarded.

Inventors

  • CHEN WEI
  • HUANG HOUKAI
  • LIAO KAILIN
  • CAI YUKE
  • XIAO JIA
  • HU XUEER

Assignees

  • 国家能源集团宝庆发电有限公司

Dates

Publication Date
2026-05-08
Application Date
2024-11-26

Claims (10)

  1. A virtual machine encryption method, characterized in that the encryption comprises the following steps: S1, an administrator checks and prepares the configuration of the server environment in which the virtual machine to be encrypted is located, marks each disk partition in the virtual machine, records the disk capacity and the partition format, and opens a cache area in server memory for storing data and key information during encryption; S2, generating an encryption key: a key generation module independently generates a group of unique encryption keys for each virtual machine disk that needs encryption, extracts characteristic information from a hardware identifier built into the server, combines it with the current system environment information and a predefined group of complex random seed data, and generates the encryption key by a hash operation; S3, the encryption key generated in step S2 is subjected to primary encryption with the public key of an asymmetric encryption algorithm, and the corresponding private key is obtained for decryption only after an authorization verification process; S4, the data in the virtual machine disk is encrypted block by block: an encryption module reads the disk contents sequentially by the physical sectors and logical data blocks in which they are stored, encrypts and converts each data block with a symmetric encryption algorithm using the corresponding generated encryption key, and writes the resulting ciphertext back to the block's original storage position on the disk in real time, overwriting the original plaintext, which completes the encryption; S5, a secure access mechanism is established based on a secure access module, which verifies the user currently requesting access: if verification succeeds, subsequent access to the encrypted disk is allowed as normal; if it fails, a corresponding alarm mechanism is triggered and illegal access to the disk is prevented; S6, marks are set in the underlying partition table of the disk and in the driver layer of the operating system, so that the data disk cannot be arbitrarily mounted on other virtual machines, which ensures its security.
  2. The virtual machine encryption method according to claim 1, wherein in step S1 the disk partitions are marked with a disk management tool inside the virtual machine, and the administrator checks the overall hardware configuration of the server, including its processor performance and memory capacity, and takes expansion and optimization measures if the memory is insufficient.
  3. The virtual machine encryption method according to claim 1, wherein in step S2 characteristic information is collected in advance from the hardware level of the server and the system environment information of the current server is obtained; after this basic information has been collected, a set of preset complex random seed data consisting of irregularly arranged digits and character elements is introduced; the collected hardware characteristic information, the system environment information and the set of random seed data are fused and spliced in sequence into a single data string of new length, and a hash algorithm is applied to this string to obtain the key.
  4. The virtual machine encryption method according to claim 1, wherein the hash algorithm of step S2 generates the encryption key according to the formula K = H(P ∥ ID ∥ T ∥ R), where ∥ denotes the data splicing operation: P, ID, T and R are spliced in sequence and the result is input as a whole into the hash function H, and the encryption key K is obtained from the hash; H denotes the hash function, P the character string corresponding to the characteristic information extracted from the server's built-in hardware identifier, ID the serial number of the virtual machine disk, T the corresponding timestamp, and R a randomly generated hexadecimal character string; the spliced string is fed into the hash function, and the resulting hash value is the encryption key K.
  5. The virtual machine encryption method according to claim 1, wherein the algorithm used for the primary encryption in step S3 is RSA: two different large primes a and b are selected, their product c = a × b is computed, and the Euler function value of c is computed as α(c) = (a − 1) × (b − 1); an integer d with 1 < d < α(c) is selected, and an integer e is found by the extended Euclidean algorithm such that d × e ≡ 1 (mod α(c)); the public key is (d, c) and the private key is (e, c). When the public key is used for the primary encryption of the key, the encryption formula is f = K^d mod c, where f is the ciphertext and K is the key obtained by the hash algorithm; authorization verification is based on facial recognition and fingerprint recognition, and decryption can be performed after authorization.
  6. The virtual machine encryption method according to claim 1, wherein in step S4 the disk contents are read using the physical sectors and logical data blocks in which they are stored as the reading unit: a physical sector is the basic physical unit of disk storage and carries binary data, and a logical data block is the unit that makes the data convenient to manage, read and write; the encryption module locates the position of each data unit to be read, scans the data it contains and reads it sequentially; after a data block has been read, the corresponding encryption key is generated and the encryption conversion is performed; when the conversion is complete the corresponding ciphertext data is produced, and the encryption module writes it back to the block's original storage position on the disk.
  7. The virtual machine encryption method according to claim 1, wherein in step S5 the secure access module performs verification by means of quantum key distribution: the server randomly generates a sequence of quantum bits, prepares each in the 0 or 1 state under one of two different bases, and transmits the quantum bits through a quantum channel to the user attempting to access the resource; the user, not knowing the basis the server used, randomly selects a basis for measuring each received quantum bit, and a sequence of measurement results is obtained.
  8. The method according to claim 7, wherein the user attempting to access the resource informs the server through a classical channel of the sequence of bases selected for measurement; the server compares them with its own and filters out the qubit positions at which both parties selected the same basis, at which the measurement results agree, so that the two parties obtain a shared secret key; the user encrypts specific verification information with this key and sends it to the server, and the server decrypts and verifies it using its stored copy of the key; if decryption succeeds and the information matches, the user is verified as a legitimate user.
  9. The virtual machine encryption method according to claim 1, wherein in step S6 the marks are set with a disk editing tool: the corresponding disk is selected, the partition table editing mode is entered, the partition type identification byte of the data disk partition to be marked is located, its original standard value is changed to a custom hexadecimal value, and the setting is saved; the partition now carries the mark, and when another virtual machine attempts to mount the disk by the conventional procedure, the disk is not recognized and the mount is refused.
  10. A virtual machine encryption system applying the virtual machine encryption method of any one of the preceding claims, characterized by comprising a key generation module, an encryption module, a secure access module and a marking module: the key generation module independently generates a unique encryption key for each virtual machine disk that needs encryption; the encryption module encrypts the data in the virtual machine disk block by block; the secure access module establishes the secure access mechanism and verifies the user currently requesting access; and the marking module sets the marks in the underlying partition table of the disk and in the driver layer of the operating system.
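The key derivation of claim 4 and the sector-by-sector in-place encryption of claim 6, as an added example in Go that is not part of the patent: the claims name neither the hash function nor the symmetric algorithm, so SHA-256, AES-256-CTR with the sector number in the counter block, the length-prefixed splicing and the sample inputs are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // the physical sector is the read/write unit (claim 6)

// DeriveDiskKey is the claim-4 formula K = H(P || ID || T || R): the four fields
// are spliced in order and hashed. The patent names no hash function; SHA-256 and
// the length prefixes that keep the splice unambiguous are assumptions.
func DeriveDiskKey(hwID, diskID, timestamp, randomHex string) []byte {
	h := sha256.New()
	for _, field := range []string{hwID, diskID, timestamp, randomHex} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		h.Write(n[:])
		h.Write([]byte(field))
	}
	return h.Sum(nil) // 32 bytes, used directly as the AES-256 key
}

// EncryptSectorsInPlace reads the image sector by sector and overwrites each
// sector with its ciphertext (claim 6). AES-256-CTR with the sector number in
// the counter block is assumed, so equal plaintext in two sectors never gives
// equal ciphertext; CTR is its own inverse, so the same call decrypts. A sector
// later rewritten with new data would reuse its keystream, which is why real
// disk encryption uses a tweakable mode such as XTS instead.
func EncryptSectorsInPlace(key, disk []byte) error {
	if len(disk)%sectorSize != 0 {
		return fmt.Errorf("image length %d is not a multiple of %d", len(disk), sectorSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	for s := 0; s < len(disk)/sectorSize; s++ {
		var iv [aes.BlockSize]byte
		binary.BigEndian.PutUint64(iv[:8], uint64(s)) // sector number as the tweak
		sector := disk[s*sectorSize : (s+1)*sectorSize]
		cipher.NewCTR(block, iv[:]).XORKeyStream(sector, sector)
	}
	return nil
}
```

The only secret entropy in K comes from R, since the hardware identifier, the disk serial number and the timestamp are all guessable, so R must be drawn from a cryptographic random source.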
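The verification exchange of claims 7 and 8, as an added classical simulation in Go that is not part of the patent: the quantum channel is modelled by Measure, the basis comparison over the classical channel by Sift, and the user's final message is an HMAC tag in place of the claim's encryption; hashing the sifted bits into a key and the message contents are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// RandomBits gives n random bits, one per byte: server bit values and bases (claim 7), user bases.
func RandomBits(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	for i := range b {
		b[i] &= 1
	}
	return b
}

// Measure simulates the user's measurement (claim 7): the server's bit is read only where the bases coincide.
func Measure(serverBits, serverBases, userBases []byte) []byte {
	result := RandomBits(len(serverBits)) // default outcome: a random bit
	for i := range serverBits {
		if serverBases[i] == userBases[i] {
			result[i] = serverBits[i]
		}
	}
	return result
}

// Sift is claim 8: after the bases are compared over the classical channel each
// side keeps the agreeing positions; hashing them into a 32-byte key is assumed.
func Sift(bits, mine, theirs []byte) []byte {
	h := sha256.New()
	for i := range bits {
		if mine[i] == theirs[i] {
			h.Write([]byte{bits[i]})
		}
	}
	return h.Sum(nil)
}

// Tag is the user's verification message (claim 8) as an HMAC rather than the
// claim's "encryption"; the server recomputes it and checks with hmac.Equal.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}
```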

Description

Virtual machine encryption method and system

Technical Field

The invention relates to the technical field of security, in particular to a virtual machine encryption method and system.

Background

A virtual machine is a complete computer system, simulated by software, that has the functions of a complete hardware system and runs in a fully isolated environment. With the rapid development of information technology, virtualization is widely applied in many fields: by simulating several independent, mutually isolated computing environments on one physical host, virtual machines bring convenience to enterprises, research institutions and individual users. In an enterprise data center, for example, virtual machines allow servers to be consolidated, raising the utilization of hardware resources while simplifying system management and maintenance; in software development and testing, developers can quickly build test environments with different operating systems and configurations, improving the efficiency of compatibility and quality testing. However, the data stored in virtual machines and the data exchanged while they run face serious security challenges. In the current network environment, data leakage and illegal access incidents occur frequently, so the data protection and integrity protection means carried by the virtual machine itself become all the more important. At present, protection of virtual machines relies mainly on network access control and hardening of the security system; conventional security systems provide no privacy protection of their own, and the protection of users' personal private information remains insufficient.

Disclosure of Invention

In view of the technical problems in the prior art, the invention provides a virtual machine encryption method and a virtual machine encryption system that solve the problems of data leakage and illegal access. The technical scheme for solving these problems is as follows. The virtual machine encryption method comprises the following encryption steps: S1, an administrator checks and prepares the configuration of the server environment of the virtual machine to be encrypted, marks each disk partition in the virtual machine, records the disk capacity and the partition format, and opens a cache area in server memory for storing data and key information during encryption; S2, generating an encryption key: a key generation module independently generates a group of unique encryption keys for each virtual machine disk that needs encryption, extracts characteristic information from a hardware identifier built into the server, combines it with the current system timestamp and a predefined group of complex random seed data, and generates the encryption key by a hash operation; S3, the key is subjected to primary encryption with the public key of an asymmetric encryption algorithm, and the corresponding private key is obtained for decryption only after an authorization verification process; S4, the data in the virtual machine disk is encrypted block by block: an encryption module reads the disk contents sequentially by the physical sectors and logical data blocks in which they are stored, encrypts and converts each data block with a symmetric encryption algorithm using the corresponding generated encryption key, and writes the resulting ciphertext back to the block's original storage position on the disk in real time, overwriting the original plaintext, which completes the encryption; S5, a secure access mechanism is established based on a secure access module, which verifies the user currently requesting access: if verification succeeds, subsequent access to the encrypted disk is allowed as normal; if it fails, a corresponding alarm mechanism is triggered and illegal access to the disk is prevented; S6, marks are set in the underlying partition table of the disk and in the driver layer of the operating system, so that the data disk cannot be arbitrarily mounted on other virtual machines, which ensures its security.

Preferably, in step S1, the disk partitions are marked with a disk management tool inside the virtual machine, the recorded disk capacity and partition format are saved by copying the information into a text file, and the administrator checks the overall hardware configuration of the server, including its processor performance and memory capacity; if the memory is insufficient, expansion and optimization a