CN103825953B - A kind of user model encrypted file system - Google Patents
A kind of user model encrypted file system Download PDFInfo
- Publication number
- CN103825953B CN103825953B CN201410076462.1A CN201410076462A CN103825953B CN 103825953 B CN103825953 B CN 103825953B CN 201410076462 A CN201410076462 A CN 201410076462A CN 103825953 B CN103825953 B CN 103825953B
- Authority
- CN
- China
- Prior art keywords
- file
- encryption
- program
- virtual
- directory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Landscapes
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The present invention is a kind of user model encrypted file system that can be automatically obtained cloud storage file encryption, and described system includes encrypting document container, Virtual File System drives and file operation processing routine;Encryption document container has the organizational structure of file and file directory for depositing encryption file and inside;Virtual File System drives a virtual file dish or the virtual file directory that the file in encryption document container and file directory are mapped to together with file operation processing routine computer file system, and application program or system program are changed into for file and the operation of file directory in encryption document container for the operation of file and file directory in virtual file dish or virtual file directory, and the file data read or write trusted program in processing procedure is decrypted or encryption automatically.When file cloud stores, the file data read from virtual file dish or virtual file directory as the cloud storage client of untrusted program is encryption.
Description
Technical field
The invention belongs to field of information security technology, be a kind of user model encrypted file system,
A kind of encrypted file system that can be automatically obtained cloud storage file encryption.
Background technology
The cloud storage system (file cloud storage system) providing file memory function is that one is passed through
The system of network provided data storage service.File cloud storage system is generally by cloud storage client
Forming with cloud storage service end (cloud system) two parts, user will by cloud storage client
Files passe or be synchronized to cloud system preserve, by cloud system preserve file download or with
Step uses to subscriber computer this locality.File cloud storage system is due to easy to use, deeply by user
Welcome;But the data of cloud storage system safety be cloud storage user all the time most concerned about, worry most
Problem, be again the problem solved the most well at present, be also to hinder cloud storage service business
One of obstacle of development.
It is to being stored in high in the clouds that file in cloud storage carries out the maximally effective scheme of safeguard protection
File encryption in system, and the simple encipherment scheme of one therein is: user is by file
Before uploading or be synchronized to the cloud system of file cloud storage system, first oneself manual use instrument pair
The file in high in the clouds to be stored in is encrypted, as used compressing file instrument WinZip, WinRAR
Encryption function, or use special file encryption instrument (this kind of instrument is a lot);Work as handle
File download in cloud system or be synchronized to user's local computing device (such as PC, shifting
Dynamic terminal) after, before using file, the instrument that re-uses is to encrypted file (encryption file)
It is decrypted.But the disadvantage of this scheme be user in-convenience in use, and logical with user
Often use habit is not inconsistent (adding extra encryption, decryption oprerations).
It is automatic by cloud storage client when upper transmitting file to a solution of this problem
File is encrypted;When downloading file, encrypted file is entered by cloud storage client automatically
Row deciphering.But, the most existing substantial amounts of file cloud storage system disposed, these systems
Do not support to upload, file when downloading automatically is encrypted, is deciphered, for this literary composition disposed
How part cloud storage system, realize uploading literary composition in the case of not modifying cloud storage system
Automatically the encryption of part and the deciphering automatically of download file are urgently to be resolved hurrily and masty asking
Topic.This is because file cloud storage system is a huge system, in order to increase encryption function
And original system is modified and the cost of deployment system again will be huge, will not be by cloud
Storage service provider is accepted, and also will not be accepted by user.For this literary composition disposed
The file encryption of part cloud storage system, decryption problems, application for a patent for invention " a kind of cloud storage literary composition
Part encryption system " (number of patent application: 201310466023.7) proposes a kind of based on literary composition
The scheme that part system filters drives, but the skill proposed in patent application 201310466023.7
The problem that art scheme exists: when the carelessness due to user or the event due to computer system
Barrier causes the file system filter driving carrying out file encryption process not start or can not be just
Often work, it is possible to cause not encrypted file be uploaded or be synchronized to cloud system.
User model file system (User Mode File System, FUSE) be initially
In Virtual File System (Virtual File System, the FUSE) technical foundation of Linux
A kind of file system technology of development, this technology is generalized to other operating systems and includes afterwards
FUSE under Windows, Unix(different operating system slightly difference on implementation).
The technical characterstic of user model file system is by a file system driver or file system
Filter drive application program or system program for (virtual) file reel or file
File or the operation requests of file directory in catalogue are forwarded to one and operate in computer system
User model under file operation processing routine, by under this user model file operation process
Program completes the operation for concrete file or file directory.In user model file system,
Concrete file and file directory can leave in Anywhere as required.
For the file cloud storage system disposed, the present invention utilizes user model file system skill
Art realize in the case of file cloud storage system is not modified on transmitting file automatic
Encryption.
Summary of the invention
The purpose of the present invention is to propose to a kind of user's mould that can be automatically obtained cloud storage file encryption
Formula encrypted file system.
To achieve these goals, the technical solution adopted in the present invention is:
A kind of user model encrypted file system, described encrypted file system includes that encrypting file holds
Device, Virtual File System drive and file operation processing routine, wherein:
Encryption document container a: file (being called for short encryption file) depositing encryption also presses calculating
File organization structure (the tree-like recurrence bag being made up of file directory and file of machine file system
File organization structure containing file directory and file) the encryption file of internal storage is organized
The e-file (i.e. encryption document container be an e-file) of computer system or electricity
Subfile storage system (i.e. encryption document container is an e-file storage system);
Virtual File System drives: the literary composition in a computer system being loaded into subscriber computer
Part system drive or the file system driver of a computer system being inserted into subscriber computer
(i.e. file system filter drives the file system driver of the filter type in stack, is called for short literary composition
Part filter drives or file filter device);Described Virtual File System drives by file operation
File and the file directory deposited in described encryption document container are mapped to user by processing routine
In one virtual file dish of the file system of computer or in virtual file directory;Described virtual
File reel is one in the file system of subscriber computer and user and program is revealed as file
Dish also has the file organization structure of single file drive and (is made up of file and file directory
File organization structure), but this document dish does not corresponds to a necessary being of subscriber computer
Disk partition or disc driver or disk volume (Disk Partition or Disk Drive
Or Disk Volume), and it is (described to user with journey to correspond to described encryption document container
Sequence is revealed as file reel and refers to that user passes through file manager or the file system of computer operating system
System " shell " program, such as Windows Explorer, it is seen that be a file reel, and
User and program operate with virtual file dish and virtual literary composition by the mode operating with file reel
File in part dish and file directory);Described virtual file directory is the file of subscriber computer
In system one is revealed as the file organization structure of file directory to user and program, but this article
File and file directory in part catalogue are not to be directly present in permanently storing of subscriber computer
(file and file directory) in described encryption document container it is present in (described on medium
User and program are revealed as file reel and refer to user's file management by computer operating system
Device or file system " shell " program, such as Windows Explorer, it is seen that be one
File directory, and user and program operate with virtual literary composition by the mode operating with file directory
File under part catalogue and virtual file directory and file directory);By mapping, described virtual
A file in file reel or virtual file directory or file directory (virtual file or file
Catalogue) it is mapped to or corresponds to encrypt the encryption file preserved in document container or file
Catalogue;Described Virtual File System drives application program or system program for described virtual literary composition
In part dish or virtual file directory file and file directory operation requests (include create, read-write,
Delete file, read, fileinfo etc. is set) deliver described file operation processing routine and carry out
Process, and result operation processed returns;
File operation processing routine: a computer system user mould operating in subscriber computer
The file in encryption document container and file directory are operated under formula (user mode)
The program (relative with user model is kernel mode, kernel mode) processed;Described literary composition
Part operation processing program receives described Virtual File System and drives the application program or system forwarded
Program pin is to file or the operation of file directory in described virtual file dish or virtual file directory
Request (I/O operation request), and the operation requests of reception is changed into add ciphertext for described
Corresponding (encryption) file or the operation of file directory in part container;If described encryption document container
Being an e-file, the most described file operation processing routine is by accessing and processing computer documents
The mode of the file of system accesses and processes the file and file mesh preserved in encryption document container
Record (such as, access encryption this " special " file of document container by the mode of reading and writing of files,
It is derived from information or the data of " internal " file and " internal " file directory wherein preserved,
And they are carried out operation process), if described encryption document container is an e-file storage
System, access that the most described file operation processing routine is provided by document storage system and operation
Processing mode accesses and operation processes the file in encryption document container and file directory;Described literary composition
Access and operation processing mode that part storage system provides include dynamic base, API
(Application Programming Interface), system calls or interaction protocol (ratio
As, if encryption document container is the personal Database Systems that user calculates this locality, then file
Routine access and operation that operation processing program is provided by individual database system process encryption
The file preserved in document container and file directory;If encryption document container itself is a file
Server, then file operation processing routine presses the access for file server and operation process side
Formula accesses file server and file therein is carried out operation process);
Described file operation processing routine and Virtual File System drive and constitute (present invention's) use
Family schema file system drive;For application program or system program by unencrypted file data
It is saved in the operation in virtual file dish or virtual file directory, described user model file system
Drive and be saved in described encryption document container after file data is encrypted;For application program or
System program is by the document data saving of encryption to virtual file dish or virtual file directory
Operation, document data saving is held by described user model file system driver to described encryption file
No longer file data is encrypted time in device;For trusted program pin to described virtual file dish
Or the fileinfo that carries out of the file in virtual file directory and file data read operation (bag
Include and read file size, the storage size of file distribution), described user model file system
The file after driving by deciphering of uniting returns the result of operation process (such as, for reading number of files
According to operation, the file data of return be deciphering after file data;For reading file size
Operation, return is the length of original document after deciphering);For untrusted program pin pair
Fileinfo that file in described virtual file dish or virtual file directory is carried out and file
Data read operation, described user model file system driver returns operation by the file after encryption
(such as, for reading the operation of file data, the file data of return is to add to the result processed
File data after close;For reading the operation of file size, return is the file after encrypting
Length);The file data that untrusted process reads includes the file data of deciphering encryption
Required key information includes key ID information;Described user model file system driver is to literary composition
Number of packages complete by described file operation processing routine according to the encryption and decryption process that carries out or by
Described Virtual File System has driven;
Described trusted program refers to be allowed to hold at described encryption file with plaintext version reading and saving
The program of the file in device;Described trusted program includes application program and system program;Trusted journey
Other programs outside sequence can only be with ciphertext form reading and saving in described encryption document container
File, referred to as untrusted program;Described trusted program and untrusted program include for encryption
The trusted program of single file type (such as Word, Excel) and untrusted journey in document container
Sequence, is i.e. trusted or untrusted for single file type (All Files), with
And in encryption document container the trusted program of All Files type (file) and non-be subject to
Letter program, i.e. for being trusted for All Files type (file) in encryption document container
Or untrusted;Described trusted program and untrusted program are encrypted file by described user model
The publisher of system sets, or is set by the user using user model encrypted file system,
Or by user model encrypted file system automatic on-line more new settings.
When application program or system program are by document data saving to virtual file dish or virtual literary composition
During part catalogue, described user model file system driver to be protected according to application program or system program
Whether the file data deposited meets predetermined form or whether has predetermined feature and determine
File data to be preserved is the file data of encryption or unencrypted file data.
If the file in described encryption document container and file directory are mapped to a virtual literary composition
Part dish, then obtain the residue free memory of virtual file dish when application program or system program
Or during available allocation unit described user model file system driver will to encrypt document container current
The memory space that can be continuing with is the extra data storage sky increased after deducting a file encryption
Between higher limit return as residue free memory or the available allocation unit of virtual file dish
Return (such as, if encryption document container be an e-file, then residue free memory be
Residue free memory as the file reel at the file place of encryption document container deducts one
After individual file encryption after the higher limit of the extra data space increased;If encryption document container
Be the individual database system of a subscriber computer this locality, then residue free memory is to make
Residue free memory for the data base of encryption document container deducts a file encryption
The higher limit of the rear extra data space increased) (encryption file generally has extra data
Needing to preserve, such as key data, therefore the file after encryption to take than the file before encryption
Bigger data space, but the extra data space increased has higher limit maybe can control
System is in a higher limit).
If the file in described encryption document container and file directory are mapped to a virtual literary composition
Part catalogue, then obtain the surplus of virtual file directory place file reel when application program or system program
When remaining free memory or available allocation unit, described user model file system driver is by void
Real surplus free memory or the available allocation unit of intending file directory place file reel add
The memory space that upper encryption document container currently can be continuing with deducts volume after a file encryption
The higher limit of the data space of outer increase as file reel residue free memory or
Available allocation unit returns;The real surplus of described virtual file directory place file reel can be with depositing
Storage space or available allocation unit refer to (to encrypt file before carrying out virtual file directory mapping
Container mappings is to before virtual file directory) residue of virtual file directory place file reel is available deposits
Storage space or available allocation unit.
If user passes through the cloud storage client of file cloud storage system by described virtual file dish
The file (file in the most described encryption document container) in virtual file directory is uploaded or with
Step is to the cloud system of file cloud storage system, then the cloud storage client of file cloud storage system
It is set to untrusted program.
If the encryption file in encryption document container is to having access control policy or decryption policy,
Then untrusted program is read in encryption document container by virtual file dish or virtual file directory
Encryption file time the file data that read in include the access control policy of encryption file
Or decryption policy.
It is pointed out that program is referred to as process at the postrun example of computer, therefore institute in the present invention
State after file operation processing routine, trusted program and untrusted program are run and correspond respectively to file
Operation treatment progress, trusted process and untrusted process, and corresponding to the behaviour of program in the present invention
Actually correspond to the operation of process, but for convenience, do not make this at this and distinguish (program
The operation that the most corresponding process of operation carried out is carried out, this is the skill of computer realm
Art personnel are well-known).
From above summary of the invention describe it will be seen that be saved in encryption document container file with
Ciphertext form exists and is mapped to a virtual file dish or virtual file directory, when trusted
Application program or system program are by generally using the mode of file to virtual file dish or virtual literary composition
When file in part catalogue is read out or deposits write operation, read or deposited the file data quilt write
Automatically deciphering or encryption, thus to encryption file just do not affect ordinary procedure (trusted program)
Often use;If when carrying out cloud storage file access operations, by the cloud storage visitor of cloud storage system
Family end is set as untrusted program and limits that (or user is apprised of, is required, or program
It is defined) only by the files passe in virtual file dish or virtual file directory or be synchronized to cloud and deposit
The cloud system of storage system, then when cloud storage client is by subscriber computer local virtual file reel
Or files passe in virtual file directory or when being synchronized to cloud system, cloud storage client from
The file read in virtual file dish or virtual file directory is the file of encryption, so that protect
The file of the cloud system that there is cloud storage system be encryption file (user is by this process
Transparent);When cloud storage client will be saved in the encryption file download of cloud system to virtual
When preserving in file reel or virtual file directory, the file of download is saved in ciphertext form automatically
(if user will be saved in the encryption of cloud system by cloud storage client in encryption document container
Alternative document dish that file download is saved in outside virtual file dish or virtual file directory or file
In catalogue, then downloading to the file in alternative document dish or file directory is encryption file, to this
The deciphering of encryption file can be automatic by special file system filter or other technologies means
Deciphering);If file operation processing routine and Virtual File System drive do not start, then cloud is deposited
Storage client cannot be read in encryption document container by virtual file dish or virtual file directory
File, thus avoid because the fault of the carelessness of user or computer system makes that is correlated with to add
Close program does not start or cisco unity malfunction and uploading or being synchronized to cloud system of causing
The not encrypted situation of file occurs.
The user model encrypted file system of the present invention encrypts file system with common user model
The main difference of system is: program be divided in the user model encrypted file system of the present invention
Trusted program and untrusted program, trusted program is read from virtual file dish or virtual file directory
The file data taken is in plain text, and untrusted program is from virtual file dish or virtual file directory
The file data read is ciphertext, and does not has this district at usual user model encrypted file system
Point.This difference just so that the user model encrypted file system of the present invention can realize cloud and deposit
The automatic encryption of storage file.Although being also adopted by distinguishing trusted program and the technical side of untrusted program
Case, but the encrypted file system of the present invention and the transparent file driven based on file system filter
Encryption system is also different (although file system filter drives the virtual literary composition being also to implement the present invention
One of technology of part system drive, but be not unique technical): drive based on file system filter
Dynamic transparent file encryption system is for upper straight at computer permanent storage media (such as hard disk)
Connect the file encryption system that the file of preservation is automatically encrypted, deciphers;And the encryption of the present invention
File system is to add for be mapped to a virtual file dish or virtual file directory one
Encrypted file system (the attention file that file in close document container is automatically encrypted, deciphers
Encryption system and the difference of encrypted file system, the former is to implement to add in existing file system
Close, the latter is equivalent to construct a new file system), and encryption document container here
Both can be an inside of computer file system have file and document directory structure, for
Deposit the special file of encryption file, it is also possible to be that a document storage system (can even is that
One network file storage system).
Accompanying drawing explanation
Fig. 1 is the structure chart of the system of the present invention.
Detailed description of the invention
The invention will be further described with embodiment below in conjunction with the accompanying drawings.
The specific embodiments of described user model encrypted file system and encrypted file system institute
The operating system run is relevant.It is illustrated as a example by Windows operating system below.
Encryption document container can use composite file (Compound File) skill of Windows
Art realizes with file mode, and by the Storage storage organization of composite file corresponding to file mesh
Record, Stream storage organization is used for storing file.
Virtual File System drives and can drive by filter based on Windows file system
(Filter Driver) or micro-filter drive (mini-Filter Driver) technology to open
Send out and realize (rather than based on file system driver technological development).Virtual File System drives (i.e.
Filter drives or micro-filter drives) intercept application program and system program for virtual file
All operations request (I/O operation request) of file in dish or virtual file directory, and deliver
File operation processing routine.
File operation processing routine can use C/C++ development language and development environment exploitation to realize.
File operation processing routine by application program and system program for virtual file dish or virtual literary composition
In part catalogue, the operation in file and file directory changes into for corresponding in encryption document container
File and the operation of file directory.
When untrusted program pin to the fileinfo in virtual file dish or virtual file directory and
When file data is read, Virtual File System drives (i.e. filter driving or micro-mistake
Filter drives) return relevant information sum with file operation processing routine by the file after encryption
According to (including file size, file data etc.);When trusted program pin is to virtual file dish or void
When the fileinfo of the file in plan file directory and file data are read, virtual literary composition
Part system drive and file operation processing routine by the file after deciphering return relevant information and
Data, wherein, have been driven by Virtual File System the decryption processing of the file data read
Or being completed by file operation processing routine can be (but generally complete by file operation processing routine
Become more convenient, because it operates in user model);When application program or system program, no matter
Trusted or untrusted, for virtual file dish or virtual file directory carry out file deposit write time, if
Depositing the file data write is not ciphertext, then driven by Virtual File System or file operation processes journey
Sequence is first encrypted depositing the file data write, and preserves (similarly, to depositing the literary composition write the most again
The encryption of number of packages evidence has been driven by Virtual File System or has been processed journey by file operation
Sequence complete can, but generally completed more convenient by file operation processing routine).For trusted
Program and untrusted program, have a situation to need to handle well, here it is when a trusted program
How to process when opening a file with untrusted program (because trusted program and untrusted simultaneously
Program can share file page read-write data), there is two schemes available to this: one is virtual
File system driver forbids that trusted program and untrusted program open a file simultaneously, and two is empty
Intend file system driver and data encryption, decryption processing are used pair buffers, i.e. read and write at page
All carrying out data buffer storage with non-page when reading and writing, different programs (process) has respective non-page to read
Write data cached, and for respective non-page read-write cache data encryption and decryption.
Mark especially can be had by adding one in the file data at an encryption file
The head of will for distinguishing the file data of encryption and unencrypted file data, and preserve with
Encrypt, decipher relevant information, including key information, cryptography information.
Data encryption can use symmetric key cipher algorithm, as entered with password generated symmetric key
Row encryption, or use asymmetric key cipher algorithm to be encrypted, as RSA, ECC(are ellipse
Circular curve cryptographic algorithm), IBC(based on mark cryptographic algorithm) etc..
File in encryption document container and file directory are mapped to a virtual directory and can lead to
Cross one of the following two kinds mode to realize:
Mode one:
Virtual file directory (name) is an already present literary composition in subscriber computer file system
Part catalogue (name), Virtual File System drives (i.e. filter drives or micro-filter driving)
By file operation processing routine will for this already present file directory and file therein and
The All Files I/O operation of file directory is converted into for adding by file operation processing routine
The file I/O operation of file in close document container and file directory (and it is already present to ignore this
Original file in file directory and file directory).
Mode two:
Virtual file directory (name) is a non-existent literary composition in subscriber computer file system
Part catalogue (name), Virtual File System drives (i.e. filter drives or micro-filter driving)
Assuming that virtual file directory to be mapped is positioned under certain already present file directory, when answering
Called by the I/O of Windows file system with program or system program or user passes through
The file manager of Windows or file system " shell " (SHELL) program (Windows
When Explorer) enumerating the file under this already present file directory and file directory, virtual literary composition
Mapped virtual file directory is listed among the information enumerated by part system drive, when application journey
File under mapped virtual file directory and file directory are grasped by sequence or system program
When making, Virtual File System drives and by file operation processing routine, these operations is converted into pin
To the file in encryption document container and the operation of file directory.
Content (file and file directory) in encryption document container is mapped to a virtual literary composition
After part catalogue, can be by subst [the drive1:[drive2 :] Path of Windows] order
Virtual file directory is mapped further and becomes a virtual file dish (actually by virtual literary composition
The map paths of part catalogue has become a drive).
Virtual File System drives the information between file operation processing routine and data interaction,
The information between inner nuclear layer and the application layer (client layer) that Windows provides and data can be used
Alternately, communication mechanism.
About Windows file system filter drive or micro-filter drive, inner nuclear layer with
Information between application layer (client layer) and data interaction, communication mechanism, at the MSDN of Microsoft
(msdn.microsoft.com) and substantial amounts of open source information is all described.
If the described user model realizing the present invention under a linux operating system encrypts file system
System, then can be on the basis of user model file system (FUSE) technology that Linux provides
Exploitation realizes, and wherein, the Virtual File System of Linux drives the virtual literary composition corresponding to the present invention
Part system drive, file operation processing routine utilize the FUSE dynamic base of Linux and API with
The Virtual File System of Linux drives and interacts;Encryption document container can be at Linux file
On the basis of define a file with internal structure as encryption document container, be used for depositing
Encryption file and constituent act catalogue, or use individual database system to hold as encryption file
Device, is used for depositing encryption file and constituent act catalogue.
Likewise it is possible to have by adding one in the file data at an encryption file
The head of mark is for distinguishing the file data of encryption and unencrypted file data especially, and
Preserve and encrypt, decipher relevant information, including key information, cryptography information.
For the realization under other computer operating systems, can use in respective operations system
The mechanism similar with Windows or linux system.
Other aspects realized for technology, are not for the technology developer of association area
Say self-evident.
Claims (6)
1. a user model encrypted file system, is characterized in that: described encrypted file system includes
Encryption document container, Virtual File System drive and file operation processing routine, wherein:
Encryption document container: a file depositing encryption and by computer file system by file
Internal storage is encrypted the calculating that file is organized by the file organization structure of catalogue and file composition
The e-file of machine system or e-file storage system;
Virtual File System drives: the file in a computer system being loaded into subscriber computer
In the file system driver stack of system drive or a computer system being inserted into subscriber computer
The file system driver of filter type;Described Virtual File System drives and processes by file operation
File and the file directory deposited in described encryption document container are mapped to subscriber computer by program
In one virtual file dish of file system or in virtual file directory;Described virtual file dish is to use
In the file system of family computer one is revealed as file reel and has individually user and program
The file organization structure of file drive, but this document dish does not corresponds to one of subscriber computer very
Real storage disk partition or disc driver or disk volume, and correspond to described encryption file and hold
Device;Described virtual file directory is that in the file system of subscriber computer is to user and program
It is revealed as the file organization structure of file directory, but file in this document catalogue and file directory are not
It is to be directly present on the permanent storage media of subscriber computer to be present in described encryption file appearance
In device;By mapping, a file in described virtual file dish or virtual file directory or file
Catalogue is mapped to or corresponds to encrypt the encryption file preserved in document container or file mesh
Record;Described Virtual File System drives application program or system program for described virtual file dish
Or the operation requests of file and file directory delivers described file operation process journey in virtual file directory
Sequence processes, and result operation processed returns;
File operation processing routine: a computer system user pattern operating in subscriber computer
Under the file in encryption document container and file directory are carried out the program of operation process;Described literary composition
Part operation processing program receives described Virtual File System and drives the application program or system program forwarded
For file or the operation requests of file directory in described virtual file dish or virtual file directory, and
The operation requests of reception is changed into for respective file or file directory in described encryption document container
Operation;If described encryption document container is an e-file, the most described file operation processes journey
Sequence accesses and processes encryption document container by the mode of the file accessing and processing computer file system
The file of middle preservation and file directory, if described encryption document container is an e-file storage be
System, access and operation that the most described file operation processing routine is provided by document storage system process
Mode accesses and operates the file and file directory processed in encryption document container;Described file stores
Access and operation processing mode that system provides include that dynamic base, API, system are called or interaction protocol;
Described file operation processing routine and Virtual File System drive and constitute user model file system
Drive;For application program or system program by unencrypted document data saving to virtual file dish
Or the operation in virtual file directory, file data is encrypted by described user model file system driver
After be saved in described encryption document container;The file that application program or system program will be encrypted
Data are saved in the operation in virtual file dish or virtual file directory, described user model file system
System drives and no longer will add file data time in document data saving to described encryption document container
Close;File in described virtual file dish or virtual file directory is carried out by trusted program pin
Fileinfo and file data read operation, after described user model file system driver is by deciphering
File return operation process result;For untrusted program pin to described virtual file dish or void
Intend fileinfo and file data read operation, described user that the file in file directory is carried out
Schema file system drive returns, by the file after encryption, the result that operation processes;Untrusted process is read
Key information needed for including the file data of deciphering encryption in the file data taken includes key mark
Knowledge information;The encryption and decryption process that file data is carried out by described user model file system driver
Completed by described file operation processing routine or driven by described Virtual File System;
Described trusted program refers to be allowed to plaintext version reading and saving in described encryption document container
The program of file;Described trusted program includes application program and system program;Outside trusted program
Other programs can only with ciphertext form reading and saving file in described encryption document container, claim
For untrusted program;Described trusted program and untrusted program include for single in encryption document container
The trusted program of individual file type and untrusted program, be i.e. trusted for single file type
Or untrusted, and in encryption document container the trusted program of All Files type and non-
Trusted program, i.e. for being trusted or untrusted for All Files type in encryption document container
's;Described trusted program and untrusted program are by the publisher of described user model encrypted file system
Set, or set by the user using user model encrypted file system, or by user model
Encrypted file system automatic on-line more new settings.
User model encrypted file system the most according to claim 1, is characterized in that: when answering
During with program or system program by document data saving to virtual file dish or virtual file directory, institute
Stating user model file system driver according to the file data that application program or system program are to be preserved is
No meet predetermined form or whether there is predetermined feature determine that file data to be preserved is
The file data of encryption or unencrypted file data.
User model encrypted file system the most according to claim 1, is characterized in that: if institute
State the file in encryption document container and file directory is mapped to a virtual file dish, then when answering
The residue free memory of virtual file dish or available allocation unit is obtained with program or system program
Time, the storage that encryption document container currently can be continuing with by described user model file system driver
Space is the higher limit of the extra data space increased after deducting a file encryption, subtracts each other with this
Result returns as residue free memory or the available allocation unit of virtual file dish.
User model encrypted file system the most according to claim 1, is characterized in that: if institute
State the file in encryption document container and file directory be mapped to a virtual file directory, then when
Application program or system program obtain the residue free memory of virtual file directory place file reel
Or during available allocation unit, described user model file system driver is by virtual file directory place literary composition
The real surplus free memory of part dish or available allocation unit, add that encryption document container is current
The memory space that can be continuing with is the extra data space increased after deducting a file encryption
Higher limit subtract each other result, using this addition result as the residue free memory of file reel or can
Return with allocation unit;The real surplus of described virtual file directory place file reel can be with storage sky
Between or available allocation unit refer to carry out virtual file directory map before virtual file directory place file
The residue free memory of dish or available allocation unit.
User model encrypted file system the most according to claim 1, is characterized in that: if using
The cloud storage client of file cloud storage system is passed through by described virtual file dish or virtual file mesh in family
Files passe in record or be synchronized to the cloud system of file cloud storage system, then file cloud storage system
The cloud storage client of system is set to untrusted program.
User model encrypted file system the most according to claim 1, is characterized in that: if adding
Encryption file in close document container is to having access control policy or decryption policy, then untrusted journey
Sequence reads the encryption file time institute in encryption document container by virtual file dish or virtual file directory
The file data read includes access control policy or the decryption policy of encryption file.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410076462.1A CN103825953B (en) | 2014-03-04 | 2014-03-04 | A kind of user model encrypted file system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410076462.1A CN103825953B (en) | 2014-03-04 | 2014-03-04 | A kind of user model encrypted file system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103825953A CN103825953A (en) | 2014-05-28 |
| CN103825953B true CN103825953B (en) | 2017-01-04 |
Family
ID=50760777
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410076462.1A Expired - Fee Related CN103825953B (en) | 2014-03-04 | 2014-03-04 | A kind of user model encrypted file system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103825953B (en) |
Families Citing this family (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104125069B (en) * | 2014-07-07 | 2017-07-25 | 武汉理工大学 | It is a kind of towards shared secure file catalogue file encryption system |
| US10049228B2 (en) * | 2015-01-20 | 2018-08-14 | Microsoft Technology Licensing, Llc | File encryption support for FAT file systems |
| CN104794072B (en) * | 2015-04-23 | 2018-02-06 | 北京北信源软件股份有限公司 | A kind of drive mapping method based on authenticating user identification |
| CN106528571A (en) * | 2015-09-14 | 2017-03-22 | 北京中质信维科技有限公司 | File management method and system for mobile terminal |
| CN105224882B (en) * | 2015-09-23 | 2018-04-20 | 武汉理工大学 | A kind of file encryption system based on bridge file system |
| CN105426766B (en) * | 2015-10-27 | 2018-05-18 | 武汉理工大学 | A kind of file encryption system based on shadow file |
| CN105574431B (en) * | 2015-12-10 | 2018-08-03 | 武汉理工大学 | It is a kind of based on mostly as the encrypted file system of file |
| CN105590067B (en) * | 2015-12-17 | 2018-06-19 | 武汉理工大学 | A kind of file encryption system based on user's space file system |
| CN105760779B (en) * | 2016-02-18 | 2018-06-22 | 武汉理工大学 | A kind of Two-way File encryption system based on FUSE |
| CN106845252A (en) * | 2016-12-21 | 2017-06-13 | 北京奇虎科技有限公司 | Terminal data access method, device and mobile terminal |
| CN108632206A (en) * | 2017-03-19 | 2018-10-09 | 上海格尔软件股份有限公司 | A kind of system that encryption cloud storage is combined with explorer |
| CN107256360A (en) * | 2017-06-07 | 2017-10-17 | 努比亚技术有限公司 | File encrypting method, mobile terminal and computer-readable recording medium |
| CN107643918B (en) * | 2017-09-19 | 2021-07-02 | 郑州云海信息技术有限公司 | Container management method and device |
| CN107835179B (en) * | 2017-11-14 | 2021-05-04 | 超越科技股份有限公司 | Application program protection method and device based on virtualization container |
| CN108038387B (en) * | 2017-12-21 | 2020-09-04 | 北京亿赛通科技发展有限责任公司 | Outgoing file processing method and system |
| CN109886047B (en) * | 2019-03-21 | 2021-01-15 | 腾讯科技(深圳)有限公司 | File encryption processing method and device |
| CN110232261B (en) * | 2019-06-03 | 2021-05-11 | 浙江大华技术股份有限公司 | Operation method of package file, file processing device and device with storage function |
| CN111339034B (en) * | 2020-05-18 | 2020-08-11 | 湖南天琛信息科技有限公司 | Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method |
| CN111858511B (en) * | 2020-07-17 | 2024-04-09 | 武汉理工大学 | File storage and use method and file storage system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103488954A (en) * | 2013-10-16 | 2014-01-01 | 武汉理工大学 | File encryption system |
| CN103546547A (en) * | 2013-10-08 | 2014-01-29 | 武汉理工大学 | Cryptosystem for cloud storage files |
| CN103561034A (en) * | 2013-11-11 | 2014-02-05 | 武汉理工大学 | Secure file sharing system |
-
2014
- 2014-03-04 CN CN201410076462.1A patent/CN103825953B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103546547A (en) * | 2013-10-08 | 2014-01-29 | 武汉理工大学 | Cryptosystem for cloud storage files |
| CN103488954A (en) * | 2013-10-16 | 2014-01-01 | 武汉理工大学 | File encryption system |
| CN103561034A (en) * | 2013-11-11 | 2014-02-05 | 武汉理工大学 | Secure file sharing system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103825953A (en) | 2014-05-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103825953B (en) | A kind of user model encrypted file system | |
| CN101853363B (en) | File protection method and system | |
| CN106022155B (en) | Method and server for database security management | |
| US8572757B1 (en) | Seamless secure private collaboration across trust boundaries | |
| US8850593B2 (en) | Data management using a virtual machine-data image | |
| CN101729550B (en) | Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof | |
| US10666647B2 (en) | Access to data stored in a cloud | |
| CN103888467B (en) | A kind of towards shared secure file folder encryption system | |
| CN103336929B (en) | Method and system for encrypted file access | |
| CN1889426B (en) | Method and system for realizing network safety storing and accessing | |
| CN103605930A (en) | Double file anti-divulging method and system based on HOOK and filtering driving | |
| CN102394894A (en) | Network virtual disk file safety management method based on cloud computing | |
| CN103745162B (en) | A kind of secure network file storage system | |
| CN104125069B (en) | It is a kind of towards shared secure file catalogue file encryption system | |
| CN101271497A (en) | Electric document anti-disclosure system and its implementing method | |
| CN103413100B (en) | File security protection system | |
| CN103841113A (en) | Safe network file system based on user mode file system | |
| US20180330120A1 (en) | Stacked Encryption | |
| CN104156672B (en) | data encryption protection method and system based on LINUX | |
| CN104462998B (en) | Cloud storage encryption system and its implementation based on domestic commercial cipher algorithm | |
| CN105760779A (en) | Bidirectional file encryption system based on FUSE | |
| CN105373744A (en) | Method for encrypting extended file system based on Linux | |
| CN110892403B (en) | Method for securely accessing data | |
| CN106682521A (en) | File transparent encryption and decryption system and method based on driver layer | |
| CN108833535A (en) | User data storage method based on the storage of cloud platform distributed block |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20170104 |