CN107018208A - Data encryption method for a SAN storage system with scale-out capability - Google Patents


Info

Publication number
CN107018208A
Authority
CN
China
Prior art keywords
data
server
encryption
data encryption
key
Prior art date
Legal status
Granted
Application number
CN201710421889.4A
Other languages
Chinese (zh)
Other versions
CN107018208B (en)
Inventor
何凯
申锟铠
李广辉
龚溪东
吴强
刘文清
杨涛
Current Assignee
Hunan Qilin Xin'an Technology Co., Ltd
Original Assignee
Hunan Kylin Xin'an Technology Co Ltd
Priority date
2017-06-07
Filing date
2017-06-07
Publication date
2017-08-04
Application filed by Hunan Kylin Xin'an Technology Co Ltd
Priority to CN201710421889.4A (granted as CN107018208B)
Publication of CN107018208A
Application granted
Publication of CN107018208B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data encryption method for a SAN storage system with scale-out capability. The implementation steps include: deploying and installing a data encryption protection system in advance, with the administrator partitioning off a free partition A in the storage space of the SAN storage system through the configuration management server; the data encryption servers each using a key obtained from the key management server to initialize partition A into a corresponding encrypted volume B_i; and the data encryption protection system providing SAN storage services externally based on the encrypted volume B_i of each data encryption server, with unencrypted plaintext data transmitted between the data encryption servers and the application server, and encrypted data transmitted between the data encryption servers and the SAN storage system. The invention has the advantages of being able to scale out, high performance and high reliability, and can satisfy the requirements of low latency and high reliability for encrypted stored data.

Description

Data encryption method for a SAN storage system with scale-out capability
Technical field
The present invention relates to the field of secure storage, and in particular to a high-performance, highly reliable data encryption method for a SAN storage system with scale-out capability.
Background technology
At present, storage technology keeps improving, and SAN storage systems built on the storage area network (SAN) architecture have become the mainstream choice for enterprise-grade storage. A SAN storage system connects server hosts mainly over Fibre Channel (FC-SAN) or Ethernet (IP-SAN), stores data centrally, and can raise the efficiency of a user's IT systems and reduce data operation and maintenance costs.
As shown in Fig. 1, in current SAN storage systems the application server accesses the SAN storage system in plaintext, which necessarily leaves a security risk. Therefore, as SAN storage systems have come into wide use, methods for encrypting stored data have been proposed in order to ensure the security of the stored data. However, the existing methods cannot scale out: the data encryption protection server can only operate as a single unit or as several units in series, so encryption and decryption performance is low, latency is high, user experience is poor, and there is a risk of encrypted data being damaged.
Summary of the invention
The technical problem to be solved by the present invention: in view of the above problems of the prior art, to provide a data encryption method for a SAN storage system with scale-out capability that can scale out, is high-performance and highly reliable, and can satisfy the requirements of low latency and high reliability for encrypted stored data.
In order to solve the above technical problem, the technical solution adopted by the present invention is:
A data encryption method for a SAN storage system with scale-out capability, whose implementation steps include:
1) Deploying and installing a data encryption protection system in advance. The data encryption protection system includes a configuration management server, a key management server and a data encryption server group; the data encryption server group includes N data encryption servers; the configuration management server and the data encryption servers are each connected to the SAN storage system, and the key management server is connected to the configuration management server;
2) The administrator partitions off a free partition A in the storage space of the SAN storage system through the configuration management server; the configuration management server obtains a key from the key management server according to the partition ID of partition A and distributes the key to each data encryption server, and the N data encryption servers each use the key to initialize partition A into a corresponding encrypted volume B_i;
3) The data encryption protection system provides SAN storage services externally based on the encrypted volume B_i of each data encryption server; unencrypted plaintext data is transmitted between the data encryption servers and the application server that accesses the data encryption protection system, while data encrypted with the key is transmitted between the data encryption servers and the SAN storage system.
Preferably, the detailed steps of step 3) include:
3.1) The administrator, through the configuration management server, configures the encrypted volumes B_i corresponding to the N data encryption servers to be mapped respectively to the application server that accesses the data encryption protection system; the application server aggregates the encrypted volumes B_i mapped from each data encryption server into one disk device through multipath software and uses that device;
3.2) When the application server sends a write request to the disk device, jump to step 3.3); when the application server sends a read request to the disk device, jump to step 3.4);
3.3) The application server decomposes the write request carrying unencrypted plaintext data into multiple sub-write-requests and sends them in a polling (round-robin) manner to idle data encryption servers; each data encryption server then encrypts the unencrypted plaintext data of its sub-write-request with the key, writes the result to its corresponding encrypted volume B_i, and returns the execution result to the application server; jump to step 3.2);
3.4) The application server decomposes the read request into multiple sub-read-requests and sends them in a polling (round-robin) manner to idle data encryption servers; each data encryption server then executes its sub-read-request, reading the key-encrypted data from its corresponding encrypted volume B_i, decrypts it with the key and returns it to the application server; jump to step 3.2).
Preferably, the SAN storage system is a Fibre Channel SAN storage system, and the configuration management server and the data encryption servers are each connected to the SAN storage system through optical fibre and a fibre-optic switch.
The data encryption method of the present invention for a SAN storage system with scale-out capability has the following advantages. By adding the data encryption protection system described in the present invention to an existing SAN storage architecture, encryption protection of the data stored on the SAN can be achieved; and because multiple data encryption protection nodes in this data encryption protection system can provide service externally in parallel, on the one hand the encryption and decryption performance of data storage is improved, and on the other hand the fault tolerance of the data transmission path is increased: even if some of the data encryption servers fail or a path is faulty, the application server can still read and write the stored data through the normal paths. The method therefore has the advantages of scale-out, high performance and high reliability, and can satisfy the requirements of low latency and high reliability for encrypted stored data.
Brief description of the drawings
Fig. 1 is a schematic diagram of the application principle of an existing SAN storage system.
Fig. 2 is a schematic diagram of the basic flow of the method of the present invention.
Fig. 3 is a schematic diagram of the topology of the data encryption protection system in an embodiment of the present invention.
Fig. 4 is a schematic diagram of the internal data encryption flow of the method of the present invention.
Embodiment
The data encryption method of the present invention for a SAN storage system with scale-out capability is described in further detail below, taking a Fibre Channel SAN storage system as an example.
As shown in Fig. 2, the implementation steps of the data encryption method for a SAN storage system with scale-out capability in this embodiment include:
1) Deploying and installing a data encryption protection system in advance. As shown in Fig. 3, the data encryption protection system includes a configuration management server, a key management server and a data encryption server group; the data encryption server group contains N data encryption servers; the configuration management server and the data encryption servers are each connected to the SAN storage system, and the key management server is connected to the configuration management server;
2) The administrator partitions off a free partition A in the storage space of the SAN storage system through the configuration management server; the configuration management server obtains a key from the key management server according to the partition ID of partition A and distributes the key to each data encryption server, and the N data encryption servers each use the key to initialize partition A into a corresponding encrypted volume B_i;
3) The data encryption protection system provides SAN storage services externally based on the encrypted volume B_i of each data encryption server; unencrypted plaintext data is transmitted between the data encryption servers and the application server that accesses the data encryption protection system, while data encrypted with the key is transmitted between the data encryption servers and the SAN storage system.
As shown in Fig. 3, in this embodiment the SAN storage system is a Fibre Channel SAN storage system, and the configuration management server and the data encryption servers are each connected to the SAN storage system through optical fibre and an FC switch. As shown in Fig. 3, the data encryption server group in this embodiment contains two data encryption servers; their target ends are connected through optical fibre to FC switch 1, and FC switch 1 is connected through optical fibre to the application server; the initiator ends of the data encryption servers are connected through optical fibre to FC switch 2, and FC switch 2 is connected through optical fibre to the disk array. The configuration management server is connected to FC switch 2 through optical fibre, and to the data encryption servers and the key management server through Ethernet. The configuration management server, the key management server and the data encryption server group together constitute one high-performance, highly reliable data encryption protection system.
The configuration management server is used to manage each data encryption server and the disks in the SAN storage system that need encryption protection: it sets a disk as an encrypted volume, distributes the key information of the encrypted volume to the data encryption servers, and notifies the data encryption servers to initialize the encrypted volume. The configuration management server also implements access control over encrypted volumes based on {encrypted volume, data encryption server, application server} triples, preventing unauthorized application servers from accessing an encrypted volume. The configuration management server is connected to the SAN storage through FC optical fibre or Ethernet, and to all data encryption servers through Ethernet; it may also be placed on the same server as one of the data encryption servers.
The key management server is used to generate keys for the various encryption algorithms and supply them to the configuration management server, and to perform management operations on keys such as updating, backup and destruction; the key management server is connected to the configuration management server by a wired link, and may also be placed on the same server as the configuration management server.
The data encryption servers are connected between the SAN storage system and the application server through FC optical fibre or Ethernet, and are used to convert disks of the SAN storage system into encrypted volumes and re-map them for use by the application server. What is transmitted between the application server and a data encryption server is plaintext data, and what is transmitted between a data encryption server and the SAN storage system is ciphertext data. The data encryption servers have a scale-out characteristic: multiple data encryption servers can be placed in parallel between the SAN storage system and the application server, and multiple data encryption servers can concurrently encrypt and decrypt the same storage space and then each map the encrypted volume out to the application server.
In this embodiment, the detailed steps of step 3) include:
3.1) The administrator, through the configuration management server, configures the encrypted volumes B_i corresponding to the N data encryption servers to be mapped respectively to the application server that accesses the data encryption protection system; the application server aggregates the encrypted volumes B_i mapped from each data encryption server into one disk device through multipath software and uses that device. When one data encryption protection server fails, the multipath layer sees this as the failure of one path, while for the application server the one path from the other server remains normal, so the application server's use is not affected. Furthermore, when the I/O performance of a data encryption protection server becomes a bottleneck because of the performance of its encryption/decryption module, data links can be added by adding data encryption protection servers, and the I/O performance of the encrypted volume can then increase nearly linearly;
3.2) When the application server sends a write request to the disk device, jump to step 3.3); when the application server sends a read request to the disk device, jump to step 3.4);
At a given moment the user writes plaintext data to the disk device through the application server, i.e. a write data request is initiated to the data encryption servers; the data encryption server determines from the request type that it is a write data request and jumps to step 3.3). At a given moment the user reads data from the disk device through the application server, i.e. a read data request is initiated to the data encryption servers; the data encryption server determines from the request type that it is a read data request and jumps to step 3.4);
3.3) The application server decomposes the write request carrying unencrypted plaintext data into multiple sub-write-requests and sends them in a polling (round-robin) manner to idle data encryption servers; each data encryption server then encrypts the unencrypted plaintext data of its sub-write-request with the key, writes the result to its corresponding encrypted volume B_i, and returns the execution result to the application server; jump to step 3.2);
3.4) The application server decomposes the read request into multiple sub-read-requests and sends them in a polling (round-robin) manner to idle data encryption servers; each data encryption server then executes its sub-read-request, reading the key-encrypted data from its corresponding encrypted volume B_i, decrypts it with the key and returns it to the application server; jump to step 3.2).
As shown in Fig. 4, data encryption server 1 and data encryption server 2 are each equipped with an encryption/decryption module; the encryption/decryption module obtains the key from the key management server via the configuration management server, so as to encrypt and decrypt the data passing through data encryption server 1 and data encryption server 2.
The FC targets of data encryption server 1 and data encryption server 2 are connected, based on the FC protocol, to the FC initiator in the application server, and the FC initiators of data encryption server 1 and data encryption server 2 are each connected, based on the FC protocol, to the Fibre Channel (FC-SAN) storage system. In this embodiment, the administrator partitions off partition A in the storage space of the SAN storage system through the configuration management server; the configuration management server obtains a key from the key management server according to the partition ID and distributes the key to data encryption server 1 and data encryption server 2; data encryption server 1 and data encryption server 2 use the same key to initialize partition A into encrypted volume B_1 and encrypted volume B_2 respectively. For the application server, the disk device it accesses, encrypted volume B, is in essence the set of disk devices made up of encrypted volume B_1 and encrypted volume B_2, which achieves a linear increase in encryption performance and improves the system's encryption and decryption performance.
The data encryption protection system in this embodiment supports both the FC-SAN and IP-SAN protocols; when IP-SAN is used, Ethernet and Ethernet switches are employed.
From the above description it can be seen that the data encryption servers of the data encryption method of the present invention for a SAN storage system with scale-out capability support parallel deployment, with multiple data encryption servers providing service externally at the same time, which achieves high reliability; the data encryption servers encrypt and decrypt the same encrypted volume using the same key, so they can both work concurrently and back each other up, achieving a linear increase in encryption performance and improving the system's encryption and decryption performance.
The above is only a preferred embodiment of the present invention, and the scope of protection of the present invention is not limited merely to the above embodiment; all technical solutions falling within the concept of the present invention belong to the scope of protection of the present invention. It should be pointed out that, for those of ordinary skill in the art, several improvements and modifications made without departing from the principles of the present invention should also be regarded as falling within the scope of protection of the present invention.
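The control plane (key distribution from the key management server via the configuration management server, and the {encrypted volume, data encryption server, application server} access-control triple) and the data plane (sector-sized sub-requests dispatched round-robin over the multipath set, with a failed server skipped as a dead path and the surviving server decrypting what the other wrote under the shared key) of the method above, as an added Python simulation that is not part of the patent. The cipher, the server names des1/des2, the application server names and the sector size are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SECTOR = 512  # constructed: bytes per sub-request (one sector)


class KeyManagementServer:
    # One key per partition; only the configuration management server calls it.
    def __init__(self):
        self._keys = {}

    def key_for_partition(self, partition_id):
        return self._keys.setdefault(partition_id, secrets.token_bytes(32))


def _keystream(key, partition_id, sector, n):
    # Stand-in for the patent's unspecified cipher: HMAC-SHA256 in counter mode,
    # tweaked by partition and sector so every server derives the same keystream
    # from the shared key. Not a disk-encryption mode; a real deployment would
    # use a tweakable block-cipher mode such as AES-XTS.
    blocks = (hmac.new(key, f"{partition_id}:{sector}:{c}".encode(), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]


class DataEncryptionServer:
    # Group member: FC target towards the application server, FC initiator towards the SAN.
    def __init__(self, name, san):
        self.name, self.san, self.alive = name, san, True
        self.key = self.partition_id = None

    def init_encrypted_volume(self, partition_id, key):  # step 2
        self.partition_id, self.key = partition_id, key

    def _xor_stream(self, sector, buf):
        ks = _keystream(self.key, self.partition_id, sector, len(buf))
        return bytes(x ^ y for x, y in zip(buf, ks))

    def write(self, sector, plaintext):  # step 3.3: encrypt, then store on the SAN
        self.san[sector] = self._xor_stream(sector, plaintext)

    def read(self, sector):  # step 3.4: fetch from the SAN, then decrypt
        return self._xor_stream(sector, self.san[sector])


class ConfigurationManagementServer:
    # Distributes the partition key and enforces the {volume, server, app} ACL triples.
    def __init__(self, kms):
        self.kms, self.acl = kms, set()

    def create_encrypted_volume(self, partition_id, servers):  # step 2
        key = self.kms.key_for_partition(partition_id)
        for s in servers:
            s.init_encrypted_volume(partition_id, key)

    def map_volume(self, partition_id, server, app_name):  # step 3.1
        self.acl.add((partition_id, server.name, app_name))

    def authorized(self, partition_id, server, app_name):
        return (partition_id, server.name, app_name) in self.acl


class ApplicationServer:
    # Multipath aggregation of the B_i volumes plus round-robin dispatch.
    def __init__(self, name, cms, partition_id, servers):
        self.paths = [s for s in servers if cms.authorized(partition_id, s, name)]
        self._rr = 0

    def _next_path(self):
        # Round-robin over the paths; a failed server is simply a dead path.
        for _ in range(len(self.paths)):
            s = self.paths[self._rr % len(self.paths)]
            self._rr += 1
            if s.alive:
                return s
        raise RuntimeError("no usable path to the encrypted volume")

    def write(self, first_sector, data):  # split into sector-sized sub-write-requests
        for i in range(0, len(data), SECTOR):
            self._next_path().write(first_sector + i // SECTOR, data[i:i + SECTOR])

    def read(self, first_sector, nsectors):  # split into sub-read-requests
        return b"".join(self._next_path().read(first_sector + k) for k in range(nsectors))


def run_scenario():
    # Two encryption servers, one authorized application server, then a server failure.
    kms, san = KeyManagementServer(), {}  # san: sector index -> ciphertext on partition A
    servers = [DataEncryptionServer(f"des{i}", san) for i in (1, 2)]
    cms = ConfigurationManagementServer(kms)
    cms.create_encrypted_volume("A", servers)
    for s in servers:
        cms.map_volume("A", s, "app1")  # app1 is mapped both paths; app2 none
    app1 = ApplicationServer("app1", cms, "A", servers)
    app2 = ApplicationServer("app2", cms, "A", servers)
    data = bytes(range(256)) * 8  # constructed 4-sector plaintext
    app1.write(0, data)  # sectors alternate between des1 and des2
    ciphertext = b"".join(san[k] for k in range(4))
    servers[0].alive = False  # des1 fails: des2 alone must now serve every sector
    return {
        "ciphertext_on_san": ciphertext != data,
        "failover_roundtrip": app1.read(0, 4) == data,
        "unauthorized_paths": len(app2.paths),
    }
```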

Claims (2)

1. A data encryption method for a SAN storage system with scale-out capability, characterized in that its implementation steps include:
1) Deploying and installing a data encryption protection system in advance. The data encryption protection system includes a configuration management server, a key management server and a data encryption server group; the data encryption server group includes N data encryption servers; the configuration management server and the data encryption servers are each connected to the SAN storage system, and the key management server is connected to the configuration management server;
2) The administrator partitions off a free partition A in the storage space of the SAN storage system through the configuration management server; the configuration management server obtains a key from the key management server according to the partition ID of partition A and distributes the key to each data encryption server, and the N data encryption servers each use the key to initialize partition A into a corresponding encrypted volume B_i;
3) The data encryption protection system provides SAN storage services externally based on the encrypted volume B_i of each data encryption server; unencrypted plaintext data is transmitted between the data encryption servers and the application server that accesses the data encryption protection system, while data encrypted with the key is transmitted between the data encryption servers and the SAN storage system.
2. The data encryption method for a SAN storage system with scale-out capability according to claim 1, characterized in that the detailed steps of step 3) include:
3.1) The administrator, through the configuration management server, configures the encrypted volumes B_i corresponding to the N data encryption servers to be mapped respectively to the application server that accesses the data encryption protection system; the application server aggregates the encrypted volumes B_i mapped from each data encryption server into one disk device through multipath software and uses that device;
3.2) When the application server sends a write request to the disk device, jump to step 3.3); when the application server sends a read request to the disk device, jump to step 3.4);
3.3) The application server decomposes the write request carrying unencrypted plaintext data into multiple sub-write-requests and sends them in a polling (round-robin) manner to idle data encryption servers; each data encryption server then encrypts the unencrypted plaintext data of its sub-write-request with the key, writes the result to its corresponding encrypted volume B_i, and returns the execution result to the application server; jump to step 3.2);
3.4) The application server decomposes the read request into multiple sub-read-requests and sends them in a polling (round-robin) manner to idle data encryption servers; each data encryption server then executes its sub-read-request, reading the key-encrypted data from its corresponding encrypted volume B_i, decrypts it with the key and returns it to the application server; jump to step 3.2).
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710421889.4A CN107018208B (en) 2017-06-07 2017-06-07 A kind of data ciphering method of the SAN storage system with function extending transversely

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710421889.4A CN107018208B (en) 2017-06-07 2017-06-07 A kind of data ciphering method of the SAN storage system with function extending transversely

Publications (2)

Publication Number Publication Date
CN107018208A true CN107018208A (en) 2017-08-04
CN107018208B CN107018208B (en) 2019-07-16

Family

ID=59452326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710421889.4A Active CN107018208B (en) 2017-06-07 2017-06-07 A kind of data ciphering method of the SAN storage system with function extending transversely

Country Status (1)

Country Link
CN (1) CN107018208B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841412A (en) * 2010-04-09 2010-09-22 兰州韦尔斯信息科技有限公司 Method and device for encrypting network environment of storage domain
CN102158558A (en) * 2011-04-13 2011-08-17 阮晓迅 SAN (Storage Area Networking) storage encryption system and method
CN106712943A (en) * 2017-01-20 2017-05-24 郑州云海信息技术有限公司 Secure storage system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108616537A (en) * 2018-04-28 2018-10-02 湖南麒麟信安科技有限公司 A kind of conventional data encryption and decryption method and system of lower coupling
CN108616537B (en) * 2018-04-28 2021-11-30 湖南麒麟信安科技股份有限公司 Low-coupling general data encryption and decryption method and system
CN110650008A (en) * 2019-08-30 2020-01-03 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Multi-port FC encryption method and device

Also Published As

Publication number Publication date
CN107018208B (en) 2019-07-16

Similar Documents

Publication Publication Date Title
JP5331880B2 (en) Safe and high performance multi-level security database system and method
US8422677B2 (en) Storage virtualization apparatus comprising encryption functions
US8656100B1 (en) System and method for managing provisioning of storage resources in a network with virtualization of resources in such a network
US7315914B1 (en) Systems and methods for managing virtualized logical units using vendor specific storage array commands
US8285747B1 (en) Incorporation of client storage into a storage system
AU2016203740B2 (en) Simultaneous state-based cryptographic splitting in a secure storage appliance
US20060095705A1 (en) Systems and methods for data storage management
US8782245B1 (en) System and method for managing provisioning of storage resources in a network with virtualization of resources in such a network
US10007807B2 (en) Simultaneous state-based cryptographic splitting in a secure storage appliance
US20100125730A1 (en) Block-level data storage security system
US20100162002A1 (en) Virtual tape backup arrangement using cryptographically split storage
US20080022120A1 (en) System, Method and Computer Program Product for Secure Access Control to a Storage Device
US9384149B2 (en) Block-level data storage security system
US20140108797A1 (en) Storage communities of interest using cryptographic splitting
US20110188651A1 (en) Key rotation for encrypted storage media using a mirrored volume revive operation
US20090327758A1 (en) Storage apparatus and data processing method for storage apparatus
US20100161981A1 (en) Storage communities of interest using cryptographic splitting
WO2010057196A2 (en) Secure storage availability using cryptographic splitting
US20100162001A1 (en) Secure network attached storage device using cryptographic settings
US7581056B2 (en) Load balancing using distributed front end and back end virtualization engines
US20100169662A1 (en) Simultaneous state-based cryptographic splitting in a secure storage appliance
US8713307B2 (en) Computer system and volume migration control method using the same
CN107018208B (en) A kind of data ciphering method of the SAN storage system with function extending transversely
US9417812B1 (en) Methods and apparatus for minimally disruptive data migration
CN110633125A (en) Integrated management platform and management method based on cloud platform storage

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 410000 4th floor, Gongmei building, 156 Sany Avenue, Kaifu District, Changsha City, Hunan Province

Patentee after: Hunan Qilin Xin'an Technology Co., Ltd

Address before: 410000 4th floor, Gongmei building, 156 Sany Avenue, Kaifu District, Changsha City, Hunan Province

Patentee before: HUNAN KYLIN XINAN TECHNOLOGY Co.,Ltd.