CN111737709A - Data protection method, device, equipment and medium - Google Patents


Publication number
CN111737709A
Authority
CN
China
Prior art keywords
key
tenant database
instance
data
database
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010490307.XA
Other languages
Chinese (zh)
Inventor
王建华
车晓瑶
冷建全
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingbase Information Technologies Co Ltd
Original Assignee
Beijing Kingbase Information Technologies Co Ltd
Application filed by Beijing Kingbase Information Technologies Co Ltd
Priority to CN202010490307.XA
Publication of CN111737709A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosed embodiments relate to a data protection method, apparatus, device and medium. The method comprises: acquiring a data encryption request for target data; generating a target object key based on the tenant database key of the tenant database where the target data is located, wherein the tenant database key is encrypted by an instance key; and encrypting the target data based on the target object key. With this technical scheme, a tenant database key encrypted by the instance key is added on top of the two-layer system of instance key and object key, forming a three-layer key system. This avoids the situation in which the data in a tenant database can be obtained merely by cracking the instance key, improves the encryption strength, and further improves data security.

Description

Data protection method, device, equipment and medium
Technical Field
The present disclosure relates to the field of database technologies, and in particular, to a data protection method, apparatus, device, and medium.
Background
Encrypting data is a common security management measure for protecting data in a database. Data can be encrypted in two ways: the user is responsible for encrypting the data and stores the encrypted data in the database; or transparent database encryption is used, in which the user only needs to mark a database object as requiring transparent encryption and the database is responsible for encrypting the data the object contains, which is essentially transparent to user access.
Encryption in transparent encryption involves an encryption algorithm and keys. A non-multi-tenant database uses a two-layer key system for data encryption, consisting of an instance key and object keys. In a multi-tenant database, however, a two-layer key system means that every tenant database shares the same instance key; if the instance key is cracked, all tenant databases are exposed at once, so the encryption strength is weak.
Disclosure of Invention
To solve the above technical problem or at least partially solve the above technical problem, the present disclosure provides a data protection method, apparatus, device, and medium.
The embodiment of the disclosure provides a data protection method, which comprises the following steps:
acquiring a data encryption request of target data;
generating a target object key based on a tenant database key of a tenant database where the target data is located, wherein the tenant database key is encrypted through an instance key;
encrypting the target data based on the target object key.
The embodiment of the present disclosure further provides a data protection apparatus configured in a tenant database, where the apparatus includes:
the request acquisition module is used for acquiring a data encryption request of target data;
the object key generation module is used for generating a target object key based on a tenant database key of a tenant database where the target data is located, wherein the tenant database key is encrypted through an instance key;
and the encryption module is used for encrypting the target data based on the target object key.
An embodiment of the present disclosure further provides an electronic device, which includes: a processor; a memory for storing the processor-executable instructions; the processor is used for reading the executable instructions from the memory and executing the instructions to realize the data protection method provided by the embodiment of the disclosure.
The embodiment of the present disclosure also provides a computer-readable storage medium, which stores a computer program for executing the data protection method provided by the embodiment of the present disclosure.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages: a data encryption request for target data is obtained, a target object key is generated based on the tenant database key of the tenant database where the target data is located, wherein the tenant database key is encrypted by an instance key, and the target data is encrypted based on the target object key. With this technical scheme, a tenant database key encrypted by the instance key is added on top of the two-layer system of instance key and object key, forming a three-layer key system. This avoids the situation in which the data in a tenant database can be obtained merely by cracking the instance key, improves the encryption strength, and further improves data security.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a schematic diagram of a two-layer key architecture;
FIG. 2 is a schematic flow chart of a data protection method according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of a three-tier key architecture provided by embodiments of the present disclosure;
FIG. 4 is a schematic flow chart of another data protection method provided in the embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of a load operation of a tenant database according to an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of a data protection apparatus according to an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
At present, a main database protects the data of its tenant databases with a two-layer key system. Referring to FIG. 1, a schematic diagram of the two-layer key system, a database administrator (DBA) of the main database generates an instance key and may then allocate a separate object key to each database object to be encrypted; each object key is stored after being encrypted by the instance key. In the figure the database objects are tablespaces and the object keys are tablespace keys: there are three tablespace keys, tablespace key 1, tablespace key 2 and tablespace key 3, and the data in each tablespace is encrypted with the corresponding tablespace key. Under a multi-tenant architecture, the two-layer key system uses the same instance key for every tenant database; if the instance key is cracked, the data in all tenant databases is exposed at once, so the encryption strength is weak and the data cannot be effectively protected. To solve this problem, an embodiment of the present disclosure provides a data protection method that improves the encryption strength of data.
Fig. 2 is a flowchart of a data protection method provided by an embodiment of the present disclosure, where the method may be executed by a data protection apparatus, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 2, the method includes:
Step 101, acquiring a data encryption request of target data.
The target data may be data in a tenant database. A tenant database can be understood as a database that uses part of the resources of a main database; the main database is a multi-container database (CDB), and one main database may contain multiple tenant databases. The data encryption request is a request to encrypt and protect data in the tenant database.
In the embodiment of the disclosure, when target data is added to the tenant database, a data encryption request for the target data may be initiated at the same time. Either the main database or the tenant database may then encrypt the target data; this description takes the main database as the example.
Step 102, generating a target object key based on a tenant database key of a tenant database where the target data is located, wherein the tenant database key is encrypted through an instance key.
The tenant database key is a key created for the tenant database in the embodiment of the disclosure, and the tenant database key is encrypted and protected by an instance key. When the main database is initialized, an instance key at the database instance level can be created, and the instance key can be encrypted by a key file designated by a database administrator or can be obtained from the outside for encryption. When the main database creates the tenant database, a tenant database key at the tenant database level can be created, and the tenant database key is encrypted with the instance key and can then be stored in the tenant database directory. It is understood that the tenant database keys corresponding to different tenant databases may be different.
In the embodiment of the disclosure, the target object key, the tenant database key and the instance key may be separately stored in the external memory, that is, each key is separately stored, so as to improve security. In addition, the key algorithms adopted by the three layers of keys, namely the target object key, the tenant database key and the instance key, are not limited, the same key algorithm or different key algorithms can be adopted, and the setting can be performed according to the actual situation.
Specifically, generating the target object key based on the target tenant database key of the tenant database where the target data is located includes: creating an initial object key when a target object of the target data is created in the tenant database; and encrypting the initial object key with the target tenant database key to obtain the target object key. The target object is the database object corresponding to the target data. The embodiment of the present disclosure does not limit the specific database object; for example, the database object may be a tablespace, a sequence, a stored procedure, and the like. When a database object to be encrypted is created for the target data, for example when a tablespace is created, an initial object key may be created first, and the initial object key is encrypted with the previously created tenant database key to obtain the target object key.
Step 103, encrypting the target data based on the target object key.
Specifically, after the target object key is determined, the target data may be encrypted based on the target object key and the target object key may be stored.
Illustratively, FIG. 3 is a schematic diagram of a three-tier key system provided in the embodiment of the present disclosure. The example shown includes one instance key, 3 tenant database keys and 5 object keys. Tenant database key 1, tenant database key 2 and tenant database key 3 are all encrypted by the instance key; object key 1 and object key 2 are encrypted by tenant database key 1, object key 3 is encrypted by tenant database key 2, and object key 4 and object key 5 are encrypted by tenant database key 3. The number of tenant database keys and the number of object keys are merely examples, and may be set according to actual situations.
According to the data protection scheme provided by the embodiment of the disclosure, a data encryption request for target data is obtained, a target object key is generated based on the tenant database key of the tenant database where the target data is located, wherein the tenant database key is encrypted by an instance key, and the target data is encrypted based on the target object key. With this technical scheme, a tenant database key encrypted by the instance key is added on top of the two-layer system of instance key and object key, forming a three-layer key system. This avoids the situation in which the data in a tenant database can be obtained merely by cracking the instance key, improves the encryption strength, and further improves data security.
In some embodiments, after encrypting the target data based on the target object key, the method may further include: performing encryption management on the unloading operation and/or the loading operation of the tenant database based on an instance-level temporary key. The temporary key can be understood as an instance-level key used to temporarily encrypt the tenant database key during loading and unloading of the tenant database. In the embodiment of the disclosure, the unloading operation and the loading operation of the tenant database are executed by the main database.
In some embodiments, performing encryption management on the unloading operation of a tenant database based on the instance-level temporary key includes: when the unloading operation of the tenant database is executed, decrypting the target tenant database key with the instance key, and re-encrypting the tenant database key with the temporary key.
When the main database unloads an encrypted tenant database, the user can specify an instance-level temporary key with which the tenant database key is encrypted. In the implementation, the instance key is first used to decrypt the tenant database key, the temporary key then replaces the instance key in protecting the tenant database key, and the temporary key is stored in the external memory. This process does not need to update the object keys of the database objects in the tenant database, so it is efficient.
In some embodiments, performing encryption management on the loading operation of the tenant database based on the instance-level temporary key may include: when the loading operation after the unloading operation of the tenant database is executed, decrypting the tenant database key with the temporary key, and encrypting the tenant database key with the new instance key of the main database into which it is loaded.
In some embodiments, the cryptographically managing the load operation of the tenant database based on the instance-level temporary key may include: when loading operation after unloading operation of the tenant database is executed, after the tenant database key is decrypted based on the temporary key and corresponding object keys are decrypted based on the tenant database key, the object keys are encrypted through the newly created tenant database key and the newly created tenant database key is encrypted through a new instance key to be loaded.
The unloaded tenant database can be loaded into the original main database or into a new main database. If it is loaded into a new main database and the encryption algorithm is the same, the original tenant database key can be kept, or a new tenant database key can be created.
At present, after a tenant database based on a two-layer key system is unloaded from one main database, loading it into another main database requires decrypting its object keys one by one with the instance key, creating the object keys again, and encrypting the new object keys with the new instance key; the workload is huge and the performance is low.
In the embodiment of the disclosure, on the basis of a three-layer key system, the temporary key is created to carry out encryption management of loading and unloading of the tenant database, and only the key at the tenant database level needs to be decrypted and encrypted, so that the operation of the object key of the database object in the tenant database is avoided, the workload is greatly reduced, and the loading and unloading performance of the tenant database is improved.
Fig. 4 is a schematic flow chart of another data protection method provided in the embodiment of the present disclosure, and the embodiment further optimizes the data protection method on the basis of the above embodiment.
As shown in fig. 4, the method includes:
Step 201, obtaining a data encryption request of target data.
Step 202, generating a target object key based on the tenant database key of the tenant database where the target data is located.
Wherein the tenant database key is encrypted by an instance key.
Step 203, encrypting the target data based on the target object key.
Step 204, performing encryption management on the unloading operation and/or the loading operation of the tenant database based on the instance-level temporary key.
Optionally, performing encryption management on the unloading operation of the tenant database based on the instance-level temporary key includes: when the unloading operation of the tenant database is executed, decrypting the target tenant database key with the instance key, and re-encrypting the tenant database key with the temporary key.
Optionally, performing encryption management on the loading operation of the tenant database based on the instance-level temporary key may include: when the loading operation after the unloading operation of the tenant database is executed, decrypting the tenant database key with the temporary key, and encrypting the tenant database key with the new instance key of the main database into which it is loaded.
Optionally, the cryptographic management of the load operation of the tenant database based on the instance-level temporary key may include: when loading operation after unloading operation of the tenant database is executed, after the tenant database key is decrypted based on the temporary key and corresponding object keys are decrypted based on the tenant database key, the object keys are encrypted through the newly created tenant database key and the newly created tenant database key is encrypted through a new instance key to be loaded.
For example, FIG. 5 is a schematic flowchart of a loading operation of a tenant database provided in an embodiment of the present disclosure, where the process of reloading a tenant database after it has been unloaded may include:
Step 21, loading the tenant database. The tenant database is reloaded after being unloaded.
Step 22, determining whether the tenant database key is retained; if so, executing step 23; otherwise, executing steps 24 to 27.
Step 23, decrypting the tenant database key based on the temporary key, and re-encrypting the tenant database key with the new instance key of the main database into which it is loaded.
Step 24, decrypting the tenant database key based on the temporary key.
Step 25, decrypting each object key with the tenant database key. There may be multiple object keys.
Step 26, re-encrypting each object key with the newly created tenant database key.
Step 27, re-encrypting the newly created tenant database key with the new instance key of the main database into which it is loaded.
For a tenant database reloaded after unloading, the user can choose to retain the original tenant database key and protect it again by encrypting it with the new instance key. The user may instead choose to create a new tenant database key; in that case the original tenant database key is used to decrypt all the corresponding object keys, the object keys are re-encrypted with the newly created tenant database key, and the newly created tenant database key is encrypted with the new instance key.
In the embodiment of the disclosure, when the tenant database is unloaded, a user is supported to create a temporary key for encrypting the tenant database key, so that the unloading can be realized without modifying an object key of a database object in the tenant database; when the tenant database is reloaded after being unloaded, the tenant database key is firstly decrypted based on the temporary key, and then the tenant database key is re-encrypted by adopting the new instance key, so that the tenant data can be efficiently reloaded into another main database.
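The three-layer hierarchy of FIG. 3 and the unload/load flow of FIG. 5 (steps 21 to 27), as an added Python example that is not code from the patent or from its assignee. The `TenantDB` class, all function names, the 32-byte key size and the HMAC-based `wrap`/`unwrap` stand-in are assumptions; the patent does not fix a key algorithm.

```python
import hashlib
import hmac
import secrets

# Stand-in key wrap (assumption): HMAC-SHA256 keystream with encrypt-then-MAC,
# standard library only so the example runs offline. The patent leaves the
# algorithm open; a real deployment would use AES key wrap or AES-GCM.
def subkeys(kek):
    return [hmac.new(kek, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(kek, plaintext):
    enc_key, mac_key = subkeys(kek)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    enc_key, mac_key = subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def opens(kek, blob):
    try:
        unwrap(kek, blob)
        return True
    except ValueError:
        return False

class TenantDB:
    """Contents of a tenant database directory: wrapped keys and ciphertext only."""
    def __init__(self, instance_key):
        self.wrapped_tenant_key = wrap(instance_key, secrets.token_bytes(32))
        self.wrapped_object_keys = {}  # object name -> object key wrapped by tenant key
        self.ciphertext = {}           # object name -> encrypted data

    def object_key(self, instance_key, name):
        tenant_key = unwrap(instance_key, self.wrapped_tenant_key)
        return unwrap(tenant_key, self.wrapped_object_keys[name])

    def create_object(self, instance_key, name):  # step 102
        tenant_key = unwrap(instance_key, self.wrapped_tenant_key)
        self.wrapped_object_keys[name] = wrap(tenant_key, secrets.token_bytes(32))

    def encrypt(self, instance_key, name, data):  # step 103
        self.ciphertext[name] = wrap(self.object_key(instance_key, name), data)

    def decrypt(self, instance_key, name):
        return unwrap(self.object_key(instance_key, name), self.ciphertext[name])

    def unload(self, instance_key, temp_key):  # only the tenant key is re-wrapped
        self.wrapped_tenant_key = wrap(temp_key, unwrap(instance_key, self.wrapped_tenant_key))

    def load(self, temp_key, new_instance_key, keep_tenant_key=True):
        old_tenant_key = unwrap(temp_key, self.wrapped_tenant_key)  # step 23 / 24
        new_tenant_key = old_tenant_key if keep_tenant_key else secrets.token_bytes(32)
        if not keep_tenant_key:  # steps 25-26: re-wrap every object key
            self.wrapped_object_keys = {
                n: wrap(new_tenant_key, unwrap(old_tenant_key, blob))
                for n, blob in self.wrapped_object_keys.items()}
        self.wrapped_tenant_key = wrap(new_instance_key, new_tenant_key)  # step 23 / 27

def demo():
    old_instance, new_instance, temp_key = (secrets.token_bytes(32) for _ in range(3))
    results = {}
    for keep in (True, False):
        db = TenantDB(old_instance)
        for name in ("tablespace1", "tablespace2"):  # constructed sample objects
            db.create_object(old_instance, name)
            db.encrypt(old_instance, name, b"rows of " + name.encode())
        keys_before, data_before = dict(db.wrapped_object_keys), dict(db.ciphertext)
        db.unload(old_instance, temp_key)
        db.load(temp_key, new_instance, keep_tenant_key=keep)
        results[keep] = {
            "object_keys_rewrapped": db.wrapped_object_keys != keys_before,
            "data_reencrypted": db.ciphertext != data_before,
            "plaintext": db.decrypt(new_instance, "tablespace1"),
            "old_instance_key_opens_tenant_key": opens(old_instance, db.wrapped_tenant_key),
        }
    return results

def tenants_are_isolated():
    instance_key = secrets.token_bytes(32)
    a, b = TenantDB(instance_key), TenantDB(instance_key)
    b.create_object(instance_key, "tablespace1")
    key_a = unwrap(instance_key, a.wrapped_tenant_key)
    return not opens(key_a, b.wrapped_object_keys["tablespace1"])
```

In `demo()`, retaining the tenant database key leaves every wrapped object key byte-for-byte unchanged across unload and load, while recreating it re-wraps each object key; in neither case is the stored data re-encrypted.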
According to the data protection method, the encryption framework is modified, and the secondary key of the tenant database key is introduced, so that each tenant database can be encrypted by adopting different tenant database keys, and the security of the database is reinforced; meanwhile, efficient unloading of one tenant database and reloading into another master database are supported.
According to the data protection scheme provided by the embodiment of the disclosure, a data encryption request for target data is obtained, a target object key is generated based on the tenant database key of the tenant database where the target data is located, the target data is encrypted based on the target object key, and the unloading operation and/or the loading operation of the tenant database is managed with encryption based on an instance-level temporary key. With this technical scheme, a tenant database key encrypted by the instance key is added on top of the two-layer system of instance key and object key, forming a three-layer key system. This avoids the situation in which the data in a tenant database can be obtained merely by cracking the instance key, and improves data security.
Fig. 6 is a schematic structural diagram of a data protection apparatus provided in an embodiment of the present disclosure, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device, and may perform data protection in a database by performing a data protection method. As shown in fig. 6, the apparatus is disposed in a tenant database, and includes:
a request obtaining module 301, configured to obtain a data encryption request of target data;
an object key generation module 302, configured to generate a target object key based on a tenant database key of a tenant database where the target data is located, where the tenant database key is encrypted by an instance key;
an encryption module 303, configured to encrypt the target data based on the target object key.
According to the data protection scheme provided by the embodiment of the disclosure, a data encryption request for target data is obtained, a target object key is generated based on the tenant database key of the tenant database where the target data is located, wherein the tenant database key is encrypted by an instance key, and the target data is encrypted based on the target object key. With this technical scheme, a tenant database key encrypted by the instance key is added on top of the two-layer system of instance key and object key, forming a three-layer key system. This avoids the situation in which the data in a tenant database can be obtained merely by cracking the instance key, and improves data security.
Optionally, the object key generating module 302 is specifically configured to:
when the tenant database creates a target object of the target data, an initial object key is created;
and encrypting the initial object key by adopting the target tenant database key to obtain the target object key.
Optionally, the apparatus further includes a tenant database handling encryption module, specifically configured to: after the target data is encrypted based on the target object key, perform encryption management on the unloading operation and/or the loading operation of the tenant database based on the instance-level temporary key.
Optionally, the tenant database handling encryption module includes an unloading unit, and the unloading unit is specifically configured to:
when the unloading operation of the tenant database is executed, decrypt the target tenant database key with the instance key, and re-encrypt the tenant database key with the temporary key.
Optionally, the tenant database handling encryption module includes a loading unit, and the loading unit is specifically configured to:
when the loading operation after the unloading operation of the tenant database is executed, decrypt the tenant database key with the temporary key, and encrypt the tenant database key with the new instance key of the main database into which it is loaded.
Optionally, the loading unit is specifically configured to:
when the loading operation after the unloading operation of the tenant database is executed, after the tenant database key is decrypted based on the temporary key and corresponding object keys are decrypted based on the tenant database key, the object keys are encrypted through the newly created tenant database key and the newly created tenant database key is encrypted through a new instance key to be loaded.
Optionally, the target object key, the tenant database key, and the instance key are stored separately in an external memory, the instance key being encrypted by a key file specified by a database administrator.
The data protection device provided by the embodiment of the disclosure can execute the data protection method provided by any embodiment of the disclosure, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 7, the electronic device 400 includes one or more processors 401 and memory 402.
The processor 401 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 400 to perform desired functions.
Memory 402 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by processor 401 to implement the data protection methods of the embodiments of the present disclosure described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 400 may further include: an input device 403 and an output device 404, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 403 may also include, for example, a keyboard, a mouse, and the like.
The output device 404 may output various information to the outside, including the determined distance information, direction information, and the like. The output devices 404 may include, for example, a display, speakers, a printer, and a communication network and its connected remote output devices, among others.
Of course, for simplicity, only some of the components of the electronic device 400 relevant to the present disclosure are shown in fig. 7, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 400 may include any other suitable components depending on the particular application.
In addition to the above methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the data protection methods provided by embodiments of the present disclosure.
Program code for carrying out the operations of embodiments of the present disclosure may be written for the computer program product in any combination of one or more programming languages, including object-oriented programming languages such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform the data protection methods provided by embodiments of the present disclosure.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for data protection, the method comprising:
acquiring a data encryption request of target data;
generating a target object key based on a tenant database key of a tenant database where the target data is located, wherein the tenant database key is encrypted through an instance key;
encrypting the target data based on the target object key.
2. The method of claim 1, wherein generating a target object key based on a tenant database key of a tenant database where the target data is located comprises:
when the tenant database creates a target object of the target data, an initial object key is created;
and encrypting the initial object key by adopting the tenant database key to obtain the target object key.
3. The method of claim 1, wherein after encrypting the target data based on the target object key, further comprising:
and carrying out encryption management on the unloading operation and/or the loading operation of the tenant database based on the temporary key at the instance level.
4. The method of claim 3, wherein performing encryption management on the unloading operation of the tenant database based on the instance-level temporary key comprises:
when the unloading operation of the tenant database is executed, the tenant database key is decrypted through the instance key, and the tenant database key is encrypted again based on the temporary key.
5. The method of claim 3, wherein the instance-level-based temporary key cryptographically manages load operations of the tenant database, comprising:
and when the loading operation after the unloading operation of the tenant database is executed, decrypting the tenant database key based on the temporary key, and encrypting the tenant database key through a new instance key to be loaded.
6. The method of claim 3, wherein the instance-level-based temporary key cryptographically manages load operations of the tenant database, comprising:
when the loading operation after the unloading operation of the tenant database is executed, after the tenant database key is decrypted based on the temporary key and corresponding object keys are decrypted based on the tenant database key, the object keys are encrypted through the newly created tenant database key and the newly created tenant database key is encrypted through a new instance key to be loaded.
7. The method of any of claims 1-6, wherein the target object key, the tenant database key, and the instance key are stored separately in external memory, the instance key being encrypted by a key file specified by a database administrator.
8. A data protection device, the device comprising:
the request acquisition module is used for acquiring a data encryption request of target data;
the object key generation module is used for generating a target object key based on a tenant database key of a tenant database where the target data is located, wherein the tenant database key is encrypted through an instance key;
and the encryption module is used for encrypting the target data based on the target object key.
9. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing the processor-executable instructions;
the processor is used for reading the executable instructions from the memory and executing the instructions to realize the data protection method of any one of the claims 1 to 7.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program for executing the data protection method of any of the preceding claims 1-7.
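The key hierarchy of claims 1-2 and the unload/load re-wrapping of claims 4-5, as an added example that is not part of the patent. It assumes AES-256-GCM (the claims name no cipher) and that data is encrypted under the unwrapped object key; all function names are hypothetical.

```ruby
require "openssl"

# AES-256-GCM is an assumption; the claims name no cipher.
# Wrapped blob layout: 12-byte nonce | 16-byte tag | ciphertext.
def wrap(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = "" # no associated data
  ct = c.update(plaintext) + c.final
  nonce + c.auth_tag + ct
end

# Raises OpenSSL::Cipher::CipherError if the key is wrong or the blob changed.
def unwrap(key, blob)
  raise ArgumentError, "blob too short" if blob.bytesize <= 28
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = ""
  d.update(blob.byteslice(28, blob.bytesize)) + d.final
end

# Claims 1-2: instance key wraps tenant DB key, which wraps the object key.
def create_tenant_db(instance_key, data)
  db_key, obj_key = Array.new(2) { OpenSSL::Random.random_bytes(32) }
  { db_key: wrap(instance_key, db_key), obj_key: wrap(db_key, obj_key),
    data: wrap(obj_key, data) }
end

# Claims 4-5: decrypt the tenant DB key under one key, re-encrypt under another.
# Unload: instance key -> temporary key. Load: temporary key -> new instance key.
def rewrap_db_key(db, from_key, to_key)
  db.merge(db_key: wrap(to_key, unwrap(from_key, db[:db_key])))
end

# Walks the hierarchy top-down to recover the plaintext.
def read_data(db, wrapping_key)
  db_key = unwrap(wrapping_key, db[:db_key])
  unwrap(unwrap(db_key, db[:obj_key]), db[:data])
end

# Constructed demo: move a tenant database from instance A to instance B.
a, temp, b = Array.new(3) { OpenSSL::Random.random_bytes(32) }
db = create_tenant_db(a, "salary=100")
db = rewrap_db_key(db, a, temp) # unload from A
db = rewrap_db_key(db, temp, b) # load into B
puts read_data(db, b)
```

Only the wrapped tenant database key changes during the move; the wrapped object key and the data ciphertext are carried over byte for byte.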
CN202010490307.XA 2020-06-02 2020-06-02 Data protection method, device, equipment and medium Pending CN111737709A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010490307.XA CN111737709A (en) 2020-06-02 2020-06-02 Data protection method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN111737709A true CN111737709A (en) 2020-10-02

Family

ID=72646647

Country Status (1)

Country Link
CN (1) CN111737709A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120072716A1 (en) * 2010-09-16 2012-03-22 Microsoft Corporation Multitenant-aware protection service
CN109104273A (en) * 2018-07-04 2018-12-28 Huawei Technologies Co., Ltd. Message processing method and receiving end server
CN109711175A (en) * 2018-12-11 2019-05-03 Wuhan Dameng Database Co., Ltd. Database encryption method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Yonggui et al.: "Oracle Database Management and Application, Based on Oracle 12c (Second Edition)", China University of Mining and Technology Press, pages: 158 - 162 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201002