CN214281412U - Storage gateway and storage system - Google Patents

Storage gateway and storage system

Info

Publication number: CN214281412U
Authority: CN (China)
Prior art keywords: target data, gateway, server, switch, random number
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN202120344363.2U
Other languages: Chinese (zh)
Inventor: 周远德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Zhongchuangwei Chengdu Quantum Communication Technology Co Ltd
Original Assignee: Zhongchuangwei Chengdu Quantum Communication Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2021-02-07
Filing date: 2021-02-07
Publication date: 2021-09-24
Application filed by Zhongchuangwei Chengdu Quantum Communication Technology Co Ltd; patent granted.

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The utility model provides a storage gateway and a storage system that solve the compatibility problem posed by heterogeneous server systems when data are encrypted and decrypted in a SAN environment, and thereby improve the security of stored data. The storage gateway is provided with a server interface and a switch interface: it receives target data to be stored from the server through the server interface, and it receives encrypted target data from the storage device through the switch interface. A processor is connected to the gateway, and a quantum random number generator is connected to the processor. The processor calls a quantum random number generated by the quantum random number generator, encrypts the target data to be stored, and sends the encrypted target data to the storage device through the switch interface; the processor further calls a quantum random number generated by the quantum random number generator, decrypts the encrypted target data, and sends the decrypted target data to the server through the server interface.

Description

Storage gateway and storage system
Technical Field
The present application relates to the field of storage, and in particular, to a storage gateway and a storage system.
Background
Data centers were once regarded as safe harbours for data, so some users treated security and storage as separate concerns, as the saying goes, "well water does not intrude on river water". Many incidents of lost data tapes over the past few years have raised a great deal of security concern. With manufacturers' continuous investment in storage security, multi-domain and multi-level storage security solutions are now becoming more mature.
In the related art there are two main solutions. The first is data storage encryption and decryption at file granularity. File-level encryption can be implemented on the host computer, or in a layer embedded in the Storage Area Network (SAN). Under Windows, data can be captured at the file system filter driver layer; under Linux, data can be captured by intercepting system calls. The files to be encrypted are configured before encryption and decryption begin, and once data is intercepted, decryption on read and encryption on write are performed according to the matching file encryption policy. This solution is closely tied to the operating system and requires a different implementation for each operating system.
The second solution is database-level encryption, which encrypts data fields when the data is stored in a database. This solution requires support from the database vendor, and different databases require different implementations; users who run multiple databases must obtain support from multiple vendors.
Summary of the Utility Model
The embodiment of the application provides a storage gateway and a storage system, which can solve the problem of compatibility of heterogeneous server systems caused by data encryption and decryption in a SAN (storage area network) environment, thereby improving the security of stored data.
In order to achieve the purpose, the technical scheme is as follows:
In a first aspect, a storage gateway is provided. The storage gateway includes: the gateway is provided with a server interface and a switch interface; the gateway is used for receiving target data to be stored of the server through the server interface; the gateway is used for receiving encrypted target data of the storage equipment through the switch interface; a processor connected to the gateway; a quantum random number generator connected to the processor; the processor is used for calling quantum random numbers generated by the quantum random number generator, encrypting the target data to be stored, and sending the encrypted target data to the storage device through the switch interface; the processor is further configured to call a quantum random number generated by the quantum random number generator, decrypt the encrypted target data, and send the decrypted target data to the server through the server interface.
By placing the gateway between the storage device and the server, this application has the gateway encrypt and decrypt all data exchanged with the storage device: data is written to the storage device only after the gateway has encrypted it, and data in the storage device can be read only after the gateway has decrypted it, so even if the storage device is lost, no data is disclosed. At the same time, the heterogeneity problem of the system is solved: the host server may run an operating system such as Windows or Linux and may use any file system. Moreover, deploying the gateway allows the existing SAN environment to be accessed seamlessly, greatly reducing the cost of modifying the existing network environment.
Optionally, the switch interface comprises a fabric switch interface and/or an ethernet switch interface.
In a second aspect, there is provided a storage system comprising: the gateway is provided with a server interface and a switch interface; the gateway is used for receiving target data to be stored of the server through the server interface; a processor connected to the gateway; a quantum random number generator connected to the processor; a switch connected to the switch interface; a storage device connected to the switch; the switch is used for sending the encrypted target data of the storage device to the gateway; the processor is configured to call a quantum random number generated by the quantum random number generator, encrypt the target data to be stored, and send the encrypted target data to the switch through the switch interface, where the switch is configured to send the encrypted target data to be stored to the storage device; the processor is further configured to call a quantum random number generated by the quantum random number generator, decrypt the encrypted target data, and send the decrypted target data to the server through the server interface.
Optionally, the switch comprises a fabric switch and/or an ethernet switch.
Optionally, the storage device comprises a disk array.
Drawings
Fig. 1 is a schematic structural diagram of a storage system according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical solution of the embodiment of the present application may be applied to various communication systems, for example, a wireless fidelity (WiFi) system, a vehicle to any object (V2X) communication system, a device-to-device (D2D) communication system, an internet of vehicles communication system, a 4th generation (4G) mobile communication system such as a Long Term Evolution (LTE) system, a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5G) mobile communication system such as a new radio (NR) system, and a future communication system such as a sixth generation (6G) mobile communication system.
This application is intended to present various aspects, embodiments or features around a system that may include a number of devices, components, modules, and the like. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, a combination of these schemes may also be used.
In addition, in the embodiments of the present application, words such as "exemplarily", "for example", etc. are used for indicating as examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the term using examples is intended to present concepts in a concrete fashion.
In the embodiment of the present invention, "information", "signal", "message", "channel", "signaling" may be used in combination, and it should be noted that the meaning to be expressed is consistent when the difference is not emphasized. "of", "corresponding", and "corresponding" may sometimes be used in combination, it being noted that the intended meaning is consistent when no distinction is made.
The network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
For the convenience of understanding the embodiments of the present application, a storage system applicable to the embodiments of the present application will be first described in detail by taking the storage system shown in fig. 1 as an example. Fig. 1 is a schematic structural diagram of a storage system to which the data processing method provided in the embodiment of the present application is applied. It should be noted that the storage system in fig. 1 includes a storage gateway.
As shown in fig. 1, the storage gateway includes a gateway 21, a processor 22 connected to the gateway 21, and a quantum random number generator 23 connected to the processor 22. The gateway 21 is provided with a server interface and a switch interface, and the gateway 21 is configured to receive target data to be stored from the server 11 through the server interface.
The processor 22 is configured to, when the gateway 21 receives target data to be stored, invoke a quantum random number generated by the quantum random number generator 23, encrypt the target data to be stored by using the quantum random number as a key, and send the encrypted target data to be stored to the switch 31 connected to the storage device 32 through the switch interface, so that the switch 31 forwards the encrypted target data to be stored to the storage device 32.
Optionally, the processor 22 is further configured to, when the gateway 21 receives a request for reading the encrypted target data from the server 11 through the server interface, obtain the target data in the storage device 32 through the switch interface, call a quantum random number corresponding to the target data to decrypt the target data, and send the decrypted target data to the server 11 through the server interface.
Optionally, the switch interface comprises a fabric switch interface and/or an ethernet switch interface. That is, switch 31 may comprise a fabric switch that is connected to a gateway via a fabric switch interface and/or an ethernet switch that is connected to a gateway via an ethernet switch interface.
The storage system shown in fig. 1 includes the storage gateway, and therefore, as shown in fig. 1, the storage system includes a gateway 21, a processor 22, a quantum random number generator 23, a switch 31, and a storage device 32. The storage device 32 may be a disk array, a hard disk, or the like.
The gateway 21 is disposed between the server 11 and the storage device 32. The gateway 21 is provided with a server interface (not shown in the figure) through which the gateway 21 is connected to the server 11 and a switch interface (not shown in the figure) through which the gateway 21 is connected to the switch 31. The processor 22 is connected to the gateway 21 and the quantum random number generator 23.
The terminal device 12 is provided with a client that can log in the server 11 via the network. The server may be one or more of a file server, an email server, a database server, an FTP server. The terminal device 12 may be a mobile phone (mobile phone), a tablet (Pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a wireless terminal in industrial control (industrial control), a wireless terminal in unmanned driving (self driving), a wireless terminal in remote medical treatment (remote medical), a wireless terminal in smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in home (smart home), a vehicle-mounted terminal, an RSU with a terminal function, and the like.
The processor 22 is a control center of the gateway 21, and may be a single processor or a collective term for multiple processing elements. For example, the processor 22 is one or more Central Processing Units (CPUs), or may be an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, such as: one or more microprocessors (digital signal processors, DSPs), or one or more Field Programmable Gate Arrays (FPGAs).
Optionally, the processor 22 may be configured to perform various functions of the gateway 21 by running or executing software programs stored within the gateway 21, as well as invoking data stored within the gateway 21.
In particular implementations, processor 22 may include one or more CPUs, as one embodiment. The gateway 21 may also include multiple processors. Each of these processors may be a single-core CPU or a multi-core CPU. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
When the client on the terminal device 12 that has logged in to the server 11 stores data in the storage device 32, or reads or modifies data in the storage device 32, the gateway 21 is needed to operate on the data to be stored in the storage device 32 or on the data already in the storage device 32.
It should be noted that the data processing method provided in this embodiment of the present application may be applied between any devices that need to access a storage device, such as between terminal devices, between network devices, and between a terminal device and a network device; for the specific implementation, reference may be made to the following method embodiment, which is not described herein again.
It should be noted that the scheme in the embodiment of the present application may also be applied to other communication systems, and the corresponding names may also be replaced with names of corresponding functions in other communication systems.
It should be appreciated that fig. 1 is a simplified schematic diagram of an example for ease of understanding only, and that other network devices, and/or other terminal devices, not shown in fig. 1, may also be included in the storage system.
The following describes a data processing method based on the storage gateway or the storage system of the present application in detail.
Illustratively, the data processing method based on the storage gateway or the storage system of the application can comprise the following steps:
S201, receiving target data to be stored of a server.
When the user operates the client installed on the terminal device 12, if the client needs to store data in the storage device 32, the server 11 sends the target data to be stored to the gateway 21 through the server interface. The processor 22 executes step S202 after the gateway 21 receives the target data to be stored.
S202, controlling the quantum random number generator to generate a quantum random number, and encrypting the target data to be stored by taking the quantum random number as a key corresponding to the target data to be stored.
The processor 22 encrypts the data to be stored using a preset encryption algorithm after the gateway 21 receives the data to be stored. As an embodiment, an encryption chip may be disposed in the gateway 21, an encryption algorithm is provided in the encryption chip, and the processor 22 encrypts the data to be stored through the encryption chip. The key for the encryption algorithm preset in the encryption chip can be generated by the quantum random number generator 23. After the processor 22 encrypts the target data to be stored, step S203 is executed.
S203, sending the encrypted target data to be stored to the storage device.
After encrypting the target data to be stored, the processor 22 sends the encrypted target data to be stored to the switch 31 through the switch interface. After receiving the encrypted target data to be stored, the switch 31 sends the encrypted target data to be stored to the storage device 32, so that the storage device 32 stores the encrypted target data to be stored.
The server 11 may also read or modify the target data stored in the storage device 32. When a user operates a client installed on the terminal device 12, if the client needs to read or modify target data in the storage device 32, the client logs in to the server 11 over the network through the terminal device 12, and the server 11 sends an information reading request to the gateway 21 through the server interface. The information reading request requests the reading of the encrypted target data in the storage device 32. The processor 22 obtains the encrypted target data from the storage device 32 after the gateway 21 receives the information reading request.
The information reading request may include feature information of the target data to be read, and the processor 22 obtains the target data from the storage device 32 through the switch 31 according to the feature information of the target data. For one embodiment, processor 22 may send a call instruction to switch 31 via the switch interface, where the call instruction is used to call the target data in storage device 32. The switch 31 may be a fiber switch and/or an ethernet switch. After the switch 31 obtains the call instruction, it forwards the target data in the storage device 32 to the gateway 21.
The processor 22 decrypts the target data after the gateway 21 receives it. Since the target data was encrypted using a quantum random number as the key, the processor 22 must decrypt it after the gateway 21 receives it. As an embodiment, the gateway 21 may store the quantum random number that was used when encrypting the target data; when the processor 22 decrypts the target data, it first obtains the quantum random number corresponding to that target data and then decrypts the target data with it.
The processor 22 decrypts the target data and transmits the decrypted target data to the server 11 through the server interface on the gateway 21. The server 11 receives the decrypted target data and can perform operations such as reading and modifying on it.
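As an added example (not code from the patent or from its assignee), the following Python simulation walks through steps S201 to S203 and the read path described above: a gateway object keeps the key table, the storage device only ever sees ciphertext, and a read request is matched to the key that encrypted that particular record. Assumptions, labelled in the code as well: os.urandom stands in for the quantum random number generator 23; since the patent leaves the "preset encryption algorithm" unspecified, the random number is used directly as a one-time key (XOR for confidentiality, plus an HMAC-SHA256 tag so that a record altered on the storage device is rejected instead of decrypted to garbage); and the "feature information" in the read request is modelled as a record id string.

```python
"""Simulation of the storage-gateway data path of CN214281412U (added
example; not code from the patent or its assignee).

Assumptions, labelled as such:
  * os.urandom stands in for the quantum random number generator 23.
  * The patent leaves the "preset encryption algorithm" unspecified. Here
    the random number is used directly as a one-time key: XOR of data and
    key for confidentiality, plus an HMAC-SHA256 tag so that a record
    altered on the storage device is rejected instead of being decrypted.
  * The "feature information" carried in a read request is modelled as a
    record id string.
  * Switch 31 and storage device 32 are modelled as a dict of blobs.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple


class StorageDevice:
    """Stand-in for storage device 32: it only ever holds encrypted blobs."""

    def __init__(self) -> None:
        self.records: Dict[str, bytes] = {}

    def write(self, record_id: str, blob: bytes) -> None:
        self.records[record_id] = blob

    def read(self, record_id: str) -> bytes:
        return self.records[record_id]


class StorageGateway:
    """Gateway 21 with processor 22: encrypts on write, decrypts on read.

    Key material stays in the gateway's own key table; the storage device
    holds only ciphertext and tag, so a lost disk array reveals nothing.
    """

    TAG_LEN = 32      # HMAC-SHA256 digest length
    MAC_KEY_LEN = 32

    def __init__(self, device: StorageDevice,
                 rng: Callable[[int], bytes] = os.urandom) -> None:
        self.device = device
        self.rng = rng                                   # QRNG 23 stand-in
        self.keys: Dict[str, Tuple[bytes, bytes]] = {}   # record_id -> (otp, mac_key)

    @staticmethod
    def _tag(mac_key: bytes, record_id: str, ciphertext: bytes) -> bytes:
        # Bind the tag to the record id so a blob cannot be swapped between records.
        return hmac.new(mac_key, record_id.encode() + ciphertext, hashlib.sha256).digest()

    # S201-S203: receive target data, encrypt it under a fresh random key,
    # send the ciphertext through the switch interface to the storage device.
    def store(self, record_id: str, plaintext: bytes) -> None:
        otp = self.rng(len(plaintext))          # one-time key as long as the data
        mac_key = self.rng(self.MAC_KEY_LEN)
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, otp))
        # A rewrite of an existing record gets a fresh key and the old one is
        # dropped, so no key is ever applied to two different plaintexts.
        self.keys[record_id] = (otp, mac_key)
        self.device.write(record_id, ciphertext + self._tag(mac_key, record_id, ciphertext))

    # Read path: fetch the encrypted record, look up the key that was used for
    # it, verify the tag, then decrypt and return the plaintext to the server.
    def read(self, record_id: str) -> bytes:
        blob = self.device.read(record_id)
        otp, mac_key = self.keys[record_id]
        ciphertext, tag = blob[:-self.TAG_LEN], blob[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(mac_key, record_id, ciphertext)):
            raise ValueError(f"record {record_id!r}: ciphertext or tag was modified")
        return bytes(c ^ k for c, k in zip(ciphertext, otp))


def demo() -> Dict[str, bool]:
    """One write/read/modify cycle plus a corrupted-disk read; returns what was observed."""
    device = StorageDevice()
    gateway = StorageGateway(device)
    secret = b"constructed sample record: account balance = 1234"   # constructed input
    gateway.store("rec-1", secret)
    at_rest = device.read("rec-1")
    leaked = secret in at_rest                       # what a stolen disk would show
    round_trip = gateway.read("rec-1") == secret
    gateway.store("rec-1", b"constructed modified record")          # modify = re-key
    modified_ok = gateway.read("rec-1") == b"constructed modified record"
    damaged = bytearray(device.read("rec-1"))
    damaged[0] ^= 0x01                               # flip one bit on the device
    device.write("rec-1", bytes(damaged))
    try:
        gateway.read("rec-1")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"leaked": leaked, "round_trip": round_trip,
            "modified_ok": modified_ok, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible that the description only implies: the "lost storage device reveals nothing" property holds only as long as the key table stays inside the gateway and each key is used for exactly one write (a modify must re-key, as store() does), and the gateway's key table is itself the critical asset, since losing it makes every record on the storage device unrecoverable. Passing a deterministic rng to StorageGateway shows the other dependency: with a weak random source the ciphertext at rest equals the plaintext.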
By placing the gateway between the storage device and the server, this application ensures that data in the storage device can be encrypted and decrypted only through the gateway, so even if the storage device is lost, no data is disclosed. At the same time, the heterogeneity problem of the system is solved: the host server may run an operating system such as Windows or Linux and may use any file system. Moreover, deploying the gateway allows the existing SAN environment to be accessed seamlessly without changing the existing SAN storage architecture, greatly reducing the cost and expense of modifying the existing network environment. In addition, the user does not notice the data encryption and decryption process, so the user's habits of use are not affected.
Furthermore, the method and the system can support multiple services, and one gateway can simultaneously support the FC SAN and the IP SAN.
The above embodiments may be implemented in whole or in part by software, hardware (e.g., circuitry), firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. The procedures or functions according to the embodiments of the present application are wholly or partially generated when the computer instructions or the computer program are loaded or executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more collections of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B may be singular or plural. In addition, the "/" in this document generally indicates that the former and latter associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, which is to be understood with reference to the surrounding text.
In the present application, "at least one" means one or more, "a plurality" means two or more. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (5)

1. A storage gateway, comprising:
the gateway is provided with a server interface and a switch interface; the gateway is used for receiving target data to be stored of the server through the server interface; the gateway is used for receiving encrypted target data of the storage equipment through the switch interface;
a processor connected to the gateway;
a quantum random number generator connected to the processor;
the processor is used for calling quantum random numbers generated by the quantum random number generator, encrypting the target data to be stored, and sending the encrypted target data to the storage device through the switch interface;
the processor is further configured to call a quantum random number generated by the quantum random number generator, decrypt the encrypted target data, and send the decrypted target data to the server through the server interface.
2. The storage gateway of claim 1, wherein the switch interface comprises a fabric switch interface and/or an ethernet switch interface.
3. A storage system, comprising:
the gateway is provided with a server interface and a switch interface; the gateway is used for receiving target data to be stored of the server through the server interface;
a processor connected to the gateway;
a quantum random number generator connected to the processor;
a switch connected to the switch interface;
a storage device connected to the switch; the switch is used for sending the encrypted target data of the storage device to the gateway;
the processor is configured to call a quantum random number generated by the quantum random number generator, encrypt the target data to be stored, and send the encrypted target data to the switch through the switch interface, where the switch is configured to send the encrypted target data to be stored to the storage device;
the processor is further configured to call a quantum random number generated by the quantum random number generator, decrypt the encrypted target data, and send the decrypted target data to the server through the server interface.
4. The storage system of claim 3, wherein the switch comprises a fabric switch and/or an Ethernet switch.
5. The storage system of claim 3 or 4, wherein the storage device comprises a disk array.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202120344363.2U CN214281412U (en) 2021-02-07 2021-02-07 Storage gateway and storage system

Publications (1)

Publication Number Publication Date
CN214281412U true CN214281412U (en) 2021-09-24

Family

ID=77789982

Legal Events

Date Code Title Description
GR01 Patent grant