CN-122020741-A - Safe U disk system and method based on sector-level encryption and strategy linkage

Abstract

The invention discloses a safe U disk system and method based on sector-level encryption and strategy linkage, wherein the system comprises a manufacturing tool layer, an encryption kernel layer, a client management layer and a background service layer, the manufacturing tool layer is used for U disk medium detection, partition and encryption parameter configuration, key seed configuration and strategy template configuration so as to realize the manufacturing of a safe U disk, the encryption kernel layer is used for providing a sector-level encryption and custom file system so as to support volume management, key derivation and cross-platform driving, the client management layer is used for completing user authentication, volume mounting, security strategy synchronization, file operation and local log recording so as to realize security login and strategy linkage, the security strategy is issued through a matched client, and the background service layer is used for centralized management of strategies, authorization, log receiving and alarm and audit.

Inventors

• CHEN FENG
• WU HAIBING
• LI ZHUO
• HUANG JIE
• WANG ZHI

Assignees

• 深圳市联软科技股份有限公司

Dates

Publication Date

20260512

Application Date

20251208

Claims (10)

1. 1. The safe U disk system based on sector-level encryption and strategy linkage is characterized by comprising a manufacturing tool layer, an encryption kernel layer, a client management layer and a background service layer; The manufacturing tool layer is used for detecting the USB flash disk medium, configuring partition and encryption parameters, configuring key seeds and strategy templates and generating a manufacturing log to realize the manufacturing of the safe USB flash disk, wherein the strategy templates comprise authority and control, and the parameters are written into a sector; the encryption kernel layer is used for providing sector-level encryption and a custom file system to support volume management, key derivation and cross-platform driving; the client management layer is used for completing user authentication, volume mounting, security policy synchronization, file operation and local log recording so as to realize security login and policy linkage, wherein the security policy is issued through a matched client; the background service layer is used for centrally managing strategies, issuing authorizations, receiving logs and providing alarms and audits.
2. 2. The system of claim 1, wherein the encryption kernel layer combines a user password, a device unique identification, a sector index, and a random factor to generate a sector key through a dynamic key derivation algorithm to achieve fine-grained encryption.
3. 3. The system of claim 2, wherein the client management layer comprises a login and daemon module, a security file management module, and a policy and audit module; The login and daemon module is used for completing user identity verification, single instance control, background daemon and automatic volume mounting; the security file management module is used for providing an adaptive file operation interface, and executing policy judgment, result prompt and operation mark; the strategy and audit module is used for loading and caching the security strategy, executing keyword identification, authority verification, log reporting and event tracking, and automatically blocking access when abnormality occurs.
4. 4. The system of claim 2, wherein the background service layer is further configured to aggregate the uploaded logs and support real-time alarms, approval forwarding, compliance reporting and history tracking.
5. 5. The system of any of claims 1 to 4, wherein the client management layer further comprises a support tool module to: Cipher conversion, medium health detection, dependent release and signature tool, ensuring safe USB flash disk life cycle operation and maintenance, and When the user forgets the password, a temporary rescue password is generated through a password conversion tool and is used after approval, and the mark is left in the whole process to be checked.
6. 6. The system of claim 5, wherein the system cooperates with the policy server through a secure channel to enable device registration, policy synchronization, and log back; the configuration file is tamper-proof by a checking mechanism, policy data is distributed through a shared memory and a message queue, and logs are doubly stored locally and in a server and support digital signatures.
7. 7. The system of claim 6, wherein the policy linkage includes refining to read, write, copy and export file operations in combination with identity permissions, file attributes, key hits, time-place and approval status condition comprehensive decisions.
8. 8. A method based on sector-level encryption and policy linkage, which is applied to the secure U disk system based on sector-level encryption and policy linkage as claimed in claim 2, and comprises the following steps: manufacturing a safe U disk; Constructing a sector-level encryption layer in an encryption area of the safe USB flash disk, and realizing volume management, key derivation and cross-platform driving by combining a custom file system; executing identity authentication, loading a security policy and mounting an encryption volume; and executing file operation and audit record according to the strategy, reporting the log to the background and carrying out alarm treatment.
9. 9. The method of claim 8, wherein executing the file operations and audit records according to the policies, specifically comprises: And the user operates on the file management interface, identifies a source/target area, decides encryption or release according to a strategy, performs keyword identification on sensitive content, releases, blocks or initiates approval according to an identification result, and writes an audit log.
10. 10. The method of claim 9, wherein the keyword recognition comprises: support multi-template, multi-language keyword matching, and provide advanced configurations including sensitivity classification, hit threshold, and context analysis.

Description

Safe U disk system and method based on sector-level encryption and strategy linkage Technical Field The invention belongs to the technical field of data security, and particularly relates to a safe U disk system and method based on sector-level encryption and strategy linkage. Background With the continuous popularization of mobile offices, a USB flash disk is still a main medium for enterprise data exchange. However, conventional solutions suffer from the following disadvantages: 1. The hardware cost is high, the customized encrypted USB flash disk depends on a special chip, and the purchasing and operation maintenance cost is high; 2. The cross-platform capability is weak, namely the encryption scheme provided by the main stream operating system has poor compatibility in platforms such as Linux, macOS and the like; 3. The strategy linkage is insufficient, namely the existing product pays attention to static encryption, and lacks the cooperative capability with terminal security strategy, keyword identification and log audit; 4. the operation and maintenance means are missing, and the whole life cycle supporting tools such as manufacturing, health detection, password recovery and the like are missing. Therefore, in the security practice of large enterprises and government institutions, a unified solution is needed that can be rapidly deployed on a common USB flash disk, support multi-terminal policy linkage, and provide perfect audit capability. Disclosure of Invention Aiming at the technical defects mentioned in the background art, the embodiment of the invention aims to provide a safe U disk system and a method based on sector-level encryption and strategy linkage, which aim to solve one of the technical problems in the related art at least to a certain extent. In order to achieve the above objective, in a first aspect, an embodiment of the present invention provides a secure U disk system based on sector-level encryption and policy linkage, where the system includes a manufacturing tool layer, an encryption kernel layer, a client management layer, and a background service layer; The manufacturing tool layer is used for detecting the USB flash disk medium, configuring partition and encryption parameters, configuring key seeds and strategy templates and generating a manufacturing log to realize the manufacturing of the safe USB flash disk, wherein the strategy templates comprise authority and control, and the parameters are written into a sector; the encryption kernel layer is used for providing sector-level encryption and a custom file system to support volume management, key derivation and cross-platform driving; the client management layer is used for completing user authentication, volume mounting, security policy synchronization, file operation and local log recording so as to realize security login and policy linkage, wherein the security policy is issued through a matched client; the background service layer is used for centrally managing strategies, issuing authorizations, receiving logs and providing alarms and audits. As a specific implementation mode of the application, the encryption kernel layer combines the user password, the unique device identifier, the sector index and the random factor to generate the sector key through a dynamic key derivation algorithm, so as to realize fine-granularity encryption. As a specific implementation mode of the application, the client management layer comprises a login and daemon module, a security file management module and a strategy and audit module; The login and daemon module is used for completing user identity verification, single instance control, background daemon and automatic volume mounting; the security file management module is used for providing an adaptive file operation interface, and executing policy judgment, result prompt and operation mark; the strategy and audit module is used for loading and caching the security strategy, executing keyword identification, authority verification, log reporting and event tracking, and automatically blocking access when abnormality occurs. As a specific implementation mode of the application, the background service layer is also used for carrying out aggregation analysis on the uploading logs and supporting real-time alarming, approval forwarding, compliance report forms and history tracing. As a specific implementation mode of the application, the client management layer also comprises a supporting tool module, wherein the supporting tool module is used for password conversion, medium health detection, dependent release and signature tools and guaranteeing the life cycle operation and maintenance of the safe U disk, and When the user forgets the password, a temporary rescue password is generated through a password conversion tool and is used after approval, and the mark is left in the whole process to be checked. As a specific implementation mode of the application, the system cooperates with the strateg