KR102766152B1 - Apparatus and Method for Disk Encryption - Google Patents

Abstract

A disk encryption device and method are disclosed. A disk encryption device according to an embodiment of the present invention includes a memory having at least one program recorded therein, and a processor executing the program, wherein the program communicates with a key management device to receive an encryption key necessary for encryption of each of at least one encryption target, and encrypts data of the encryption target using the received encryption key, and encrypts and writes data input to the encryption target according to a request from a user, or reads data from the encryption target, decrypts it, and outputs it to the user, wherein the encryption target includes a data sector in which encrypted data is recorded and a metadata sector in which metadata, which is information related to an encryption key, is recorded, and the metadata may include a first value, which is information related to an encryption key used when the most recent write is performed, and a second value, which is information related to an encryption key used when the immediately preceding write is performed.

Description

Disk encryption device and method {Apparatus and Method for Disk Encryption}

The described embodiments relate to techniques for efficiently changing disk encryption keys without interrupting a full disk encryption (FDE) service.

Full Disk Encryption is a technology often abbreviated as disk encryption, and is a technology that encrypts the entire disk, not individual files or objects.

This encryption typically sits between the file system and the partition (or physical disk) within the disk, allowing data to be stored encrypted on the physical device but accessed by the user as if it were in plaintext.

Typically, disk encryption encrypts and decrypts a partition sector by sector (typically 512 bytes or 4 KB) with a single key.

At this time, the key used for this encryption is usually a symmetric key encryption key, and if this is exposed to an attacker, the attacker can decrypt all data inside the disk, so it is important to store it safely. Currently, most disk encryptions store the encryption key in a key management server (KMS), a trusted platform module (TPM), etc., or use it by deriving it from a password.

Disk encryption was mainly used to protect data stored on devices owned by individuals. However, recently, it is also increasingly used to encrypt and store data on remote disks to prevent plaintext from being exposed to third parties when storing data in remote cloud storage. Encrypting on a file-by-file basis can be efficient, but when encrypting access-related metadata or logs/DBMS that are difficult to process on a file-by-file basis, it may be more efficient to use full disk encryption.

In general, in a cloud environment, it is assumed that the Cloud Service Provider (CSP) can be completely trusted. However, in reality, since the cloud service provider can gain more profit by stealing the user's data than by providing the service to the user, the user should assume that the cloud service provider provides only partial trust. In an environment where only partial trust is given, it is assumed that attacks are not performed through behavior control (CPU/memory, etc.) that can recognize changes in the virtualized environment, such as performance degradation or power cuts, and that attacks are only performed on targets where performance deviations occur even in general environments, such as storage devices and networks.

In a partially trusted environment where it is assumed that the virtual CPU/memory of a cloud computing node is secure (except for side-channel attacks) but the storage device may not be secure, a model can be designed in which disk encryption is applied to protect the data in the storage device and the key used for disk encryption is stored and used in a separate, trusted device. In this model, even if the cloud service provider or an external attacker steals all the encrypted sectors stored in the cloud, they cannot obtain the plaintext data.

Meanwhile, XTS mode, a symmetric key encryption operation mode mainly used for disk encryption, places a limit on the amount of data that can be encrypted with a single key because security is reduced when IVs are reused. In addition, if a single key is used for a long period of time, the possibility of the key being exposed to an attacker increases. Therefore, if a disk encryption service is applied in a server or cloud operating environment that requires the use of a large disk for a long period of time, the ability to change the disk encryption key is essential.

When a typical disk encryption service attempts to change the key used for encryption, it temporarily suspends the disk encryption service, decrypts the entire disk with the old key, and then re-encrypts it with the new key.

During this process, the problem arises that the user cannot access the disk while the key is being changed. And the disk encryption service performs re-encryption in one of the two ways below during the key change process.

The first method is to decrypt the entire disk with the existing key and then re-encrypt it with the new key. In this case, if the disk capacity is large, the plaintext cannot be stored in memory, so the plaintext must be written to the disk, which is vulnerable to theft, and there is a problem that an opportunity to access the plaintext is created from the outside.

The second is to prepare additional storage space to store the re-encrypted data, decrypt it sector by sector, re-encrypt it, and store it in the additional storage space. This method reduces the threat of theft because the plaintext is not written to the disk, but requires additional storage space equivalent to the capacity of the disk to be encrypted, so there is a problem that additional costs arise due to the increase in storage devices for re-encryption.

In addition, server users who wish to operate final services using these disk encryption services will face the problem of needing to either suspend their services when the disk encryption services are suspended, or reinforcing the structure, such as through duplication, to ensure that their services are not suspended even when the disk encryption services are suspended.

Therefore, to effectively solve this problem, a method is needed that can change disk encryption keys immediately without interrupting the disk encryption service, without storing plaintext on disk, and without requiring a large amount of additional storage space.

The disclosed embodiments aim to provide a secure and efficient disk encryption method that provides dynamic changing of disk encryption keys in a partially trusted environment.

A disk encryption write method according to an embodiment comprises: an encryption target including a data sector in which encrypted data is recorded; and a metadata sector in which metadata which is encryption key related information is recorded, wherein the metadata includes a first value which is encryption key related information used in the most recent write operation; and a second value which is encryption key related information used in the immediately preceding write operation; wherein the method may include: a step of reading a metadata sector of an encryption target; a step of replacing the second value with the first value of the read metadata; a step of recording encryption key related information as the first value of the metadata as data is encrypted; a step of writing the generated metadata to the encryption target; a step of writing encrypted data to the encryption target; and a step of outputting an encryption write completion notification.

At this time, the disk encryption writing method according to the embodiment may further include a step of deleting a second value from metadata of an encryption target, and a step of writing metadata including the first value to the encryption target.

At this time, the step of writing the generated metadata to the encryption target can be performed simultaneously with outputting the generated metadata to the cache manager.

At this time, the step of writing metadata including the first value to the encryption target may further include a step of outputting metadata including the first value to the cache manager prior to that.

A disk encryption reading method according to an embodiment comprises: an encryption target includes a data sector in which encrypted data is recorded; and a metadata sector in which metadata, which is information related to an encryption key, is recorded; and the metadata includes a first value, which is information related to an encryption key used in a recent write operation; and a second value, which is information related to an encryption key used in a previous write operation; and the method may include a step of reading a metadata sector and a data sector from the encryption target; a step of decrypting the read data with the first value of the metadata; and a step of returning decrypted plaintext data if the decryption is successful.

At this time, the disk encryption reading method according to the embodiment may further include a step of deleting the second value of the metadata from the encryption target if the second value of the metadata exists.

At this time, the disk encryption reading method according to the embodiment may further include a step of decrypting the read data with the second value of the metadata if decryption is not successful, a step of returning the decrypted plaintext data if decryption is successful, and a step of replacing the first value of the metadata with the second value in the encryption target and deleting the second value.

At this time, the disk encryption reading method according to the embodiment may further include a step of outputting a decryption failure notification if the read data is not successfully decrypted with the second value of the metadata.

At this time, the disk encryption reading method according to the embodiment may further include a step of re-encrypting data identified based on the validity period of an encryption key among data recorded in a data sector with a latest or new encryption key and recording the data in an encryption target when an update of a first value of metadata is required.

A disk encryption device according to an embodiment includes a memory having at least one program recorded therein, and a processor executing the program, wherein the program communicates with a key management device to receive an encryption key necessary for encryption of each of at least one encryption target, and encrypts data of the encryption target using the received encryption key, and encrypts and writes data input to the encryption target according to a request from a user, or reads data from the encryption target, decrypts it, and outputs it to the user, wherein the encryption target includes a data sector in which encrypted data is recorded and a metadata sector in which metadata that is information related to an encryption key is recorded, wherein the metadata may include a first value that is information related to an encryption key used when the most recent write is performed, and a second value that is information related to an encryption key used when the immediately preceding write is performed.

At this time, the program can request an encryption key by transmitting an identifier for the new encryption target to the key management device, and perform initialization for the new encryption target by receiving a unique ID, disk encryption key, and key number of the new encryption target from the key management device.

At this time, the program can perform at least one of an encryption target addition service, a disk encryption key disposal service, a partition removal service, a disk encryption service startup service, a disk encryption key request service, and a partition encryption information configuration service in conjunction with a key management device.

At this time, the program can read a metadata sector of an encryption target, replace a second value with a first value of the read metadata, record encryption key-related information as the first value of the metadata as data is encrypted, write the generated metadata to the encryption target, write the encrypted data to the encryption target, output an encryption write completion notification, delete the second value from the metadata of the encryption target, and write metadata including the first value to the encryption target.

At this time, the program may be executed simultaneously with outputting the generated metadata to the cache manager when writing the generated metadata to the encryption target, and may output the metadata including the first value to the cache manager before writing the metadata including the first value to the encryption target.

At this time, the program can read the metadata sector and data sector from the encryption target, decrypt the read data into the first value of the metadata, and, if the decryption is successful, return the decrypted plaintext data.

At this time, the program can delete the second value of the metadata from the encryption target if the second value of the metadata exists.

At this time, the program can decrypt the read data with the second value of the metadata if the decryption is not successful, return the decrypted plaintext data if the decryption is successful, replace the first value of the metadata with the second value in the decryption target, and delete the second value.

At this time, the program may output a decryption failure notification if it fails to successfully decrypt the read data into the second value of the metadata.

At this time, if the first value of the metadata needs to be updated, the program can re-encrypt the data identified based on the validity period of the encryption key among the data recorded in the data sector with the latest or new encryption key and record it in the encryption target.

According to the described embodiment, the key used for encryption (disk encryption key) can be changed without interruption of the disk encryption service.

According to the described embodiment, plaintext data may not be stored on disk during the encryption key change process.

According to the described embodiment, the encryption key changing process does not require a large amount of additional storage space.

According to the described embodiment, a normal disk encryption service can be provided even if an error occurs in any writing process, including an encryption key change process.

Figure 1 is a schematic block diagram of a disk encryption service system according to an embodiment.
FIG. 2 is a signal flow diagram for explaining a partition addition service according to an embodiment.
FIG. 3 is a signal flow diagram for explaining a disk encryption key renewal service according to an embodiment.
FIG. 4 is a signal flow diagram for explaining a disk encryption key disposal service according to an embodiment.
FIG. 5 is a signal flow diagram for explaining a partition removal service according to an embodiment.
Figure 6 is a signal flow diagram for explaining a disk encryption service startup service according to an embodiment.
FIG. 7 is a signal flow diagram for explaining a disk encryption key request service according to an embodiment.
FIG. 8 is an example diagram of a disk encryption key bundle for an alternative configuration service without a key management device according to an embodiment.
Figure 9 is an example diagram of a disk encryption data structure according to an embodiment.
FIG. 10 is a flowchart illustrating a disk encryption writing method using two metadata according to an embodiment.
FIG. 11 is a flowchart illustrating a disk encryption reading method using two metadata according to an embodiment.
Figures 12 to 15 are flowcharts for explaining a disk encryption writing method in safe mode according to an embodiment.
Figure 16 is a flowchart for explaining a disk encryption writing method in an optimization mode according to an embodiment.
Figure 17 is a flowchart for explaining the process of executing the Discard operation in safe mode and optimized mode according to an embodiment.
Figure 18 is a flowchart for explaining a metadata cache reflection process according to an embodiment.
FIGS. 19 and 20 are flowcharts for explaining a disk encryption reading method according to an embodiment.
Figure 21 is a flowchart for explaining a re-encryption method according to an embodiment.
Figure 22 is a diagram showing a computer system configuration according to an embodiment.

The advantages and features of the present invention, and the methods for achieving them, will become clearer with reference to the embodiments described in detail below together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, and these embodiments are provided only to make the disclosure of the present invention complete and to fully inform those skilled in the art of the scope of the invention, and the present invention is defined only by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

Although "first" or "second" and the like are used to describe various components, these components are not limited by such terms. Such terms may only be used to distinguish one component from another. Accordingly, a first component referred to below may also be a second component within the technical concept of the present invention.

The terminology used herein is for the purpose of describing embodiments only and is not intended to limit the invention. In this specification, the singular also includes the plural unless specifically stated otherwise. The terms "comprises" or "comprising" as used in the specification imply that the presence or addition of one or more other elements or steps is not excluded.

Unless otherwise defined, all terms used in this specification may be interpreted as having a meaning commonly understood by a person of ordinary skill in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries shall not be interpreted ideally or excessively unless explicitly specifically defined.

Figure 1 is a schematic block diagram of a disk encryption service system according to an embodiment.

Referring to FIG. 1, a disk encryption service system according to an embodiment can provide a disk encryption service for an encryption target (hereinafter referred to as a 'partition') (20-1, 20-2) by interlocking a key management device (10) and a disk encryption device (hereinafter referred to as a 'server') (100).

The key management device (10) may be a separate device for safely managing keys required for performing cryptographic functions such as encryption and electronic signature. This is also called a key management server, and may generally be configured using a physical device such as a hardware security module (HSM) or a trusted platform module (TPM).

Since the partitions (20-1, 20-2) according to the embodiment are designed to have multiple disk encryption keys, the key management device (10) must also be able to store status values such as the encryption key number, the encryption key, the encryption key issuance time, and whether the encryption key is discarded.

The key management device (10) can perform at least one of the following functions: authentication of the server (100), addition and removal of partitions for each server (100), issuance and disposal of keys for each partition, transmission upon request of keys for each partition, and guidance on key possession status for each partition.

The server (100) communicates with the key management device (10) to receive a disk encryption key required for disk encryption, and performs disk encryption for partitions (20-1, 20-2).

The server (100) can provide a function that allows the user to directly read and write data from the partitions (20-1, 20-2). Through this, data is encrypted and stored on the disk, but the user can be provided with an environment similar to directly using decrypted plaintext data.

The server (100) can manage various metadata required for disk encryption by utilizing some space of a partition (20-1, 20-2) or a separate storage device.

Partitions (20-1, 20-2) are targets to which disk encryption is applied. The physical media may be rotating storage devices such as hard disks, floppy disks, and optical media, or non-rotating fixed storage devices such as flash memory, and may be collectively referred to as block devices.

Here, the block device is composed of multiple blocks (or sectors) of uniform size, and can provide a read/write function by specifying an arbitrary block (sector).

Depending on the embodiment, partition (20-1, 20-2) may mean the entire block device as well as a partition within the block device.

In addition, the partitions (20-1, 20-2) may include a local encryption target (20-1) installed in the form of a built-in hard disk, etc., inside the encryption device, or a network encryption target (20-2), such as a network block device connected via a cable or various networks from outside the device. However, since the embodiment can be equally applied to both types of partitions, it will be explained by integrating them into a partition.

A disk encryption service according to an embodiment may provide at least one of adding a partition, discarding a disk encryption key, removing a partition, starting a disk encryption service, requesting a disk encryption key, configuring encryption information of a partition, and an alternative configuration without a key management device.

At this time, all data transmitted and received by the disk encryption service must be transmitted through a secure communication channel that guarantees confidentiality and integrity. In addition, the entity sending and receiving data must guarantee and verify the source authentication, integrity, and non-repudiation characteristics of the data by using message authentication codes and electronic signatures.

FIG. 2 is a signal flow diagram for explaining a partition addition service according to an embodiment.

Referring to Fig. 2, the server (100) manager requests the key management device (10) to add a new partition (S210). At this time, a unique ID and disk encryption key for the partition are requested together.

After that, the key management device (10) registers the requested new partition (S220). That is, it assigns a unique ID to the new partition, generates a disk encryption key, assigns a key number to the generated key, and then records the history.

After that, the key management device (10) transmits new partition registration information to the server (100) (S230). That is, the unique ID of the created partition, disk encryption key, key number, key generation time, etc. are transmitted to the server (100).

The server (100) initializes (formats) the partition so that disk encryption can be applied using the partition's unique ID, disk encryption key, and key number received from the key management device (10) (S240).

FIG. 3 is a signal flow diagram for explaining a disk encryption key renewal service according to an embodiment.

Referring to FIG. 3, the administrator of the server (100) transmits a disk encryption key renewal request message including the unique ID of the partition for which the disk encryption key is to be renewed to the key management device (10) (S310). At this time, the disk encryption key renewal request may also include an automatic renewal request due to expiration of the validity period of the disk encryption key, etc.

Then, the key management device (10) verifies whether the unique ID of the requested partition is owned by the server (100) that requested the renewal of the disk encryption key (S315).

The key management device (10) generates a new disk encryption key (S320), assigns a key number to the generated key, and then records the generation history.

After that, the key management device (10) transmits the partition's unique ID, disk encryption key, key number, key generation time, etc. to the server (100) (S330).

The server (100) updates the encryption information of the partitions (20-1, 20-2) (S340). Then, the server (100) can start a background re-encryption process if necessary.

FIG. 4 is a signal flow diagram for explaining a disk encryption key disposal service according to an embodiment.

Referring to FIG. 4, the administrator of the server (100) requests the key management device (10) to discard the existing disk encryption key (S410).

At this time, the server (100) must check whether the key is being used for disk encryption before requesting the disposal of the disk encryption key. Then, if necessary, it must perform disk encryption key renewal, re-encryption process, etc., and when requesting disposal, it must provide the unique ID and key number of the partition to which the disk encryption key to be disposed was applied.

Additionally, a disk encryption key destruction request may also include an automatic destruction request due to expiration of the disk encryption key's validity period.

Then, the key management device (10) verifies whether the unique ID of the requested partition belongs to the server (100) that requested the disposal of the disk encryption key (S415).

After that, the key management device (10) discards the existing disk encryption key and records the discard history (S420). At this time, instead of directly discarding the disk encryption key, a status value may be separately assigned and changed to a discard status according to the key management policy.

After that, the key management device (10) notifies the server (100) that the disk encryption key requested for disposal has been disposed of (S430).

FIG. 5 is a signal flow diagram for explaining a partition removal service according to an embodiment.

Referring to FIG. 5, the administrator of the server (100) requests the removal of a partition including the unique ID of the partition to be removed to the key management device (10) (S510).

Then, the key management device (10) verifies whether the unique ID of the requested partition is owned by the server (100) that requested the removal of the partition (S515).

After that, the key management device (10) removes the partition for which removal is requested from the management list (S520). That is, the disk encryption key used in the partition is discarded and the corresponding history is recorded. At this time, instead of directly removing the partition, depending on the policy, a status value may be separately assigned and changed to a removal status.

After that, the key management device (10) notifies the server (100) that the partition requested for disposal has been removed from the management list (S530).

Then, the server (100) removes the partition and deletes the corresponding data (S540).

Figure 6 is a signal flow diagram for explaining a disk encryption service startup service according to an embodiment.

Referring to FIG. 6, the server (100) transmits the unique ID of the partition to the key management device (10) and requests the latest disk encryption key of the corresponding partition (S610).

At this time, the server (100) may request one or more keys including the latest disk encryption key by using the generation time and number of disk encryption keys, etc. In addition, the server (100) may request disk encryption keys for each of multiple partitions simultaneously if necessary.

Then, the key management device (10) verifies whether the unique ID of the received partition is owned by the server (100) that requested the disk encryption key (S620).

As verification is completed at S620, the key management device (10) transmits partition latest encryption key information including the unique ID of the partition requested by the server (100), the latest disk encryption key, the number of the latest disk encryption key, and the key generation time to the server (100) (S630).

Then, the server (100) starts the disk encryption service using the partition encryption information and the received disk encryption key (S640).

The above-described booting procedure of S610 to S640 is assumed to be performed after the operating system (OS) of the server (100) is booted. However, by mounting a module capable of performing this booting procedure in a boot loader or the like, the OS booting can be performed even if the OS is encrypted and stored in a partition.

FIG. 7 is a signal flow diagram for explaining a disk encryption key request service according to an embodiment.

The server (100) may require an additional disk encryption key to decrypt a partition while the disk encryption service is in operation (after the disk encryption service is started). Here, the additional disk encryption key may be a previous disk encryption key that was not transmitted from the key management device (10) when the disk encryption service was started, or a disk encryption key that was transmitted from the key management device (10) but has been erased from memory.

Referring to FIG. 7, the server (100) requests a disk encryption key from the key management device (10) using the partition's unique ID and disk encryption key number (S710).

Then, the key management device (10) verifies whether the unique ID of the received partition is owned by the server (100) that requested the disk encryption key (S720).

As verification of S720 is completed, the key management device (10) transmits disk encryption key information including the unique ID of the partition requested by the server (100), the disk encryption key corresponding to the disk encryption key number, and the key generation time to the server (100) (S730).

Then, the server (100) resumes the disk encryption service after receiving the disk encryption key information (S740).

Next, we will explain the encryption information configuration service of a partition according to an embodiment.

As described above, in order to operate the disk encryption service, the encryption information of the partition may include at least one of the partition unique ID, encryption algorithm (password, encryption operation mode, integrity verification method, key size, etc.), partition size, logical sector (disk encryption unit) size, and partition registration information (unique ID, encryption algorithm, size, etc.), a signature of a key management device (10), and the latest disk encryption key number.

At this time, you can add items and use them if necessary, and the encryption information can be written to a specific space in the partition. For example, it can be written to the first sector of the partition.

Next, an alternative configuration service without a key management device (10) according to an embodiment will be described.

In an embodiment, disk encryption technology can be utilized even without a key management device (10).

That is, the server (100) can collect disk encryption keys to create a disk encryption key bundle, and manage it by encrypting it with a separate key (encryption key of the disk encryption key bundle).

FIG. 8 is an example diagram of a disk encryption key bundle for an alternative configuration service without a key management device according to an embodiment.

Referring to FIG. 8, the disk encryption key bundle may be composed of data including a disk encryption key number, a disk encryption key, a creation time (issue date), an expiration time, and a status. In other words, it may include all values managed by the key management device (10).

Additionally, the disk encryption key bundle encryption key can be managed by using methods such as deriving it from a password or storing it in a secure element (SE), a trusted platform module (TPM), and a trusted execution environment (TEE).

Then, let's look at a disk encryption and decryption method that provides dynamic disk encryption key change according to an embodiment. Before that, let's first look at the disk encryption data structure inside the partition that is the encryption target.

Figure 9 is an example diagram of a disk encryption data structure according to an embodiment.

Referring to FIG. 9, a partition (20) may be composed of a data storage and a metadata storage. When the server (100) encrypts data and writes it to the partition (20), a write command must be issued to both the data sector (21) of the data storage and the metadata sector (22) of the metadata storage.

However, in a general disk operation environment, the data sector (21) and the metadata sector (22) are not logically connected data. Therefore, it is not possible to guarantee that both the data sector (21) and the metadata sector (22) are changed at the same time, or that neither of them is changed at the same time. For example, if a power outage occurs and disk writing is interrupted, or some data is lost during communication with a network disk, writing may occur to only one of the two sectors (21, 22). In this case, it may lead to a problem in which all data in the encrypted sector is lost.

In particular, in the embodiment, since it is essential to store which key was used for encryption in disk encryption, it is very important to safely store metadata. Therefore, in the embodiment, the metadata sector (22) of the partition is expanded, and metadata (22) for one data sector (21) is stored in duplicate as metadata 1 (22-1) and metadata 2 (22-2).

At this time, information related to the disk encryption key used for the last (latest) write record may be recorded in metadata 1 (22-1), and information related to the disk encryption key used for the previous write record may be recorded in metadata 2 (22-2). Using this duplication method, encrypted data can be successfully decrypted even if some of the write commands for the two sectors (21, 22) fail.

Additionally, each of the metadata (22-1, 22-2) may include information necessary to decrypt the encrypted sector and detailed information (23) about the sector.

FIG. 10 is a flowchart illustrating a disk encryption writing method using two metadata according to an embodiment.

Referring to FIG. 10, in the embodiment, a write operation requires two types of write commands to be performed: one for writing an encrypted data sector (21) to a partition (20) and one for writing a sector containing metadata (22). Even if only one of these two types of write commands succeeds and the other fails, in order to be able to decrypt previously written encrypted data sectors, a task of writing two metadata, each containing previous encryption information and latest encryption information, to the partition must first be performed.

To this end, if there is previously encrypted data, the server (100) reads metadata 1 value (S810) so that the previous data can be decrypted, moves it to metadata 2, and preserves it (S820).

After that, the server (100) records the encryption information used to encrypt new data in metadata 1 (S830).

Afterwards, using the two metadata, the metadata sector can be written and the previously written encrypted data sector can be decrypted using the second metadata even if the encrypted data sector was not written.

On the other hand, if the storage media does not respect the I/O order and the metadata sector write fails while only the encrypted data sector write succeeds, data loss may occur because information about the disk encryption key used to encrypt the sector is not recorded in the metadata. However, most disk devices perform I/O while respecting the requested order, so if the metadata sector write is requested first, the data of the previously written encrypted data sector can usually be preserved even if the write operation fails.

After the server (100) normally completes writing metadata sectors (S840) and writing encrypted data sectors (S850) to a partition, it can output an encrypted write completion notification to the user (S860).

As described above, after the write operation (S840 to S850) is performed normally, the previous metadata is no longer needed. Therefore, the server (100) deletes metadata value 2 that is no longer needed (S870) and leaves only metadata value 1 to be written as a partition (S880).

As mentioned above, if the operation is completed normally, only metadata 1 will remain in all sectors. That is, if metadata 2 remains, it may be during a write operation or may be interrupted during a write operation.

FIG. 11 is a flowchart illustrating a disk encryption reading method using two metadata according to an embodiment.

Referring to FIG. 11, the server (100) reads both the metadata sector (22) and the data sector (21) from the partition (20) (S905 to S910).

After that, the server (100) attempts to decrypt using metadata value 1 (S915) and determines whether integrity verification is successful (S920). Generally, decryption is possible using metadata value 1.

If the integrity verification is successful as a result of the judgment of S920, the server (100) returns the decrypted plaintext data to the user (S925).

After that, since decryption was successful with metadata value 1, if metadata value 2 exists (S930), the server (100) deletes the metadata value 2 because the previous writing procedure was not fully completed (S935).

After that, the server (100) updates metadata and data sectors as needed (S940). That is, if the key used to encrypt the read data is old, the server can also re-encrypt the data as needed.

Meanwhile, if the integrity verification is not successful as a result of the judgment of S920, the server (100) can determine that the previous write operation was not performed properly, and attempts decryption using the metadata 2 value (S945) to determine whether the integrity verification is successful (S950).

If the result of S950 is determined to be normal and the integrity verification is successful, the server (100) returns the decrypted plaintext data to the user (S955).

After that, the server (100) can replace the metadata 1 value with the metadata 2 value to return to the previous write state (S960). Then, the process can proceed to S965.

On the other hand, if the integrity verification result of S950 is not successful, the server (100) outputs a notification of decryption failure to the user (S970).

Meanwhile, the following may be considered to make the disk encryption write and read methods described above more secure and efficient.

(1) Handling sectors with empty content

If all values of the sector are filled with 0 (zero-fill) during the process of recording the sector, other methods can be considered instead of encrypting the sector. For example, flash memory-based storage devices sometimes perform internal optimization by giving a separate state to the zero-filled sector, so instead of encryption, the command provided by the OS (discard) can be executed. Performance can also be improved by leaving a metadata that the sector is a discarded sector and optimizing read/write operations.

(2) Error response

There are a variety of errors that can occur during the disk encryption process, and it should be able to perform reads and writes without problems in various situations and report any errors that occurred.

(3) High-speed process such as cache management

Compared to conventional disk encryption methods, at least one additional operation is required to read and write metadata sectors. To reduce this, a cache manager for sector metadata is introduced, but it must still be designed so that normal decryption can be performed even if the writing process fails.

(4) Re-encryption process

Since conventional disk encryption methods do not clearly present a method for re-encrypting previously encrypted data with a new key, the present invention must also present a re-encryption method for re-encrypting data with a new key.

Then, let us examine in detail the disk encryption writing and reading method according to an embodiment considering the aforementioned matters.

First, let's look in detail at the disk encryption writing method according to the embodiment with reference to FIGS. 12 to 17.

The embodiment provides a write scheme that can dynamically change multiple disk encryption keys simultaneously and perform disk encryption using these keys.

Additionally, by using a write operation according to an embodiment, data encrypted with a previous disk encryption key can be decrypted even if the write operation is not completed normally, such as due to a disk I/O failure, network disconnection, or early termination of the disk encryption service.

In addition, the write operation can be performed synchronously, but can also be performed asynchronously for efficiency reasons. That is, in the embodiment, the disk encryption method can be performed in two ways, synchronously or asynchronously, and can include a safe mode that always identifies a key that can decrypt the encrypted sector, aiming to safely write in a synchronous manner, and an optimized mode that increases efficiency by excluding exceptional situations that rarely occur in an asynchronous manner.

(1) Cache manager operation

In this embodiment, a cache manager is introduced to perform writes and reads concurrently while minimizing the use of global locks.

As mentioned above, performing the disk encryption write method requires a total of three partition (20) write commands.

Here, the write command may include writing a metadata sector containing two metadata, writing an encrypted data sector, and writing a metadata sector containing one metadata.

The last of these three write commands need not be performed immediately after the previous two write commands. The last write command can be omitted in some cases without causing problems in reading encrypted data sectors, or it can be processed in multiple cases at once, or it can be performed using idle time, thus reducing the load on the disk.

Instead of immediately writing the metadata to the partition (20), the write-back policy can be applied to output the metadata to the cache manager, and then the metadata can be written to the partition (20) at an appropriate time. Here, the time of writing to the partition (20) can be determined according to the policy of the disk encryption service.

If metadata writes are properly managed using the cache manager, metadata can be retrieved from the cache manager when reading and writing metadata of the same sector or adjacent sectors, which can also save read commands.

On the other hand, if the first write command of a write operation is not performed immediately, previously written encrypted data sectors cannot be decrypted when the write operation is not completed normally. Therefore, a write-through policy that outputs metadata to the cache manager and writes metadata to the partition (20) must be applied in the first write command.

(2) Safe Mode

Figures 12 to 15 are flowcharts for explaining a disk encryption writing method in safe mode according to an embodiment.

Considering the disk encryption write method and cache manager operation as illustrated in Figure 12, even if a write operation fails, there is no problem in reading previously written data sectors, i.e., performing decryption of previous data.

If the write operation is performed normally, the metadata about the encrypted data sector of the partition (20) is empty (discard state) or contains information about only one disk encryption key. If the metadata about the sector contains information about two disk encryption keys, it means that a write error or abnormal termination has occurred.

Safe mode includes a procedure to identify which of the two metadata values can be used to decrypt the encrypted data sectors, even while rewriting new values to sectors that have had problems with write operations, in order to decrypt previously written encrypted data. This procedure is almost identical to that performed in a read operation, so the read operation described below can be referred to.

Specifically, referring to FIG. 12, if target sector metadata exists in the cache manager (S1001), the server (100) loads metadata from the cache manager (S1002).

On the other hand, if the target sector metadata does not exist in the cache manager (S1001), the server (100) reads the metadata from the partition and registers it with the cache manager (S1003), and then proceeds to S1002.

After that, the server (100) executes a discard operation (S1005) if the data to be recorded is zero-fill (S1004).

On the other hand, if the data to be recorded is not zero-fill (S1004), the server (100) generates encryption elements such as IV/Nonce required for new encryption (S1006) and performs sector encryption and integrity verification value calculation (S1007).

If there is one metadata (S1008), the server (100) proceeds to S1017 of Fig. 13, and if there is not one metadata (S1008), it determines whether the previously recorded metadata status is discard or initialized (S1009).

As a result of the judgment of S1009, if the metadata status is discard or initialized, the server (100) changes the metadata status 1 to discard (S1010) and then proceeds to S1017 of Fig. 13.

As a result of the judgment of S1009, if the metadata status is not in the discard or initialization state, the server (100) reads the encrypted sector (S1011).

After that, if the server (100) has metadata key 1 (S1012), it proceeds to S1034 of Fig. 14.

On the other hand, if the server (100) does not have the metadata key 1 (S1012), it requests (S1013) an encryption key from the key management device (10) and receives it (S1014), and then proceeds to S1034 of FIG. 14.

On the other hand, if the encryption key is not received from the key management device (10) (S1014), the server (100) outputs a warning message indicating that the previous disk encryption key cannot be received (S1015) and then executes a procedure to determine whether to resume writing (S1016).

Next, referring to FIG. 13, the server (100) writes detailed metadata including a disk encryption key number, encryption elements such as IN/NONCE, sector status information, integrity verification information such as MAC/TAG, etc. as metadata 1, and writes the previous metadata as metadata 2 (S1017).

After that, the server (100) outputs metadata to the cache manager (S1018) and requests writing metadata to the partition (S1019).

After that, the server (100) requests writing of an encrypted sector to a partition (S1020).

The server (100) waits until the write request is completed (S1021), and when the write success is confirmed (S1022), it outputs an encrypted write completion notification to the user (S1023).

After that, the server (100) deletes metadata No. 2 (S1024) and outputs the metadata to the cache manager (S1025).

On the other hand, if the writing success is not confirmed (S1022), the server (100) determines whether the specified number of retries has been exceeded (S1026).

If it is determined that the number of retries has not been exceeded, the server (100) re-requests writing the missing part to the partition (S1027) and then proceeds to step S1021.

On the other hand, if the number of retries exceeds a predetermined number (S1026), and if it is determined that the encrypted sector write has failed (S1029), an encrypted write failure notification is output to the user (S1032), and then the metadata exported to the cache manager is returned (S1033).

On the other hand, if it is determined that the encrypted sector write is successful (S1029), the server (100) notifies data loss (S1030) and then returns the metadata exported to the cache manager (S1031).

Next, referring to FIG. 14, the server (100) attempts to decrypt metadata No. 1 (S1034) and, if integrity verification is successful (S1035), deletes metadata No. 2 (S1036) and proceeds to S1017 of FIG. 13.

On the other hand, if decryption is attempted with metadata 1 (S1034) and integrity verification is not successful (S1035), the server (100) determines whether it has metadata 2 value (S1037).

If the judgment result of S1037 holds metadata value 2, the server (100) attempts to decrypt metadata value 2 (S1038), and if the integrity verification is successful (S1039), it replaces metadata value 1 with value 2, deletes value 2 (S1040), and then proceeds to S1017 of Fig. 13.

On the other hand, if decryption is attempted with metadata value 2 (S1038) and integrity verification fails (S1039), the server (100) outputs a warning that previous data cannot be decrypted (S1041) and then executes a procedure to determine whether to resume writing (S1042).

Meanwhile, if the server (100) does not have metadata key 2 in S1037, it requests an encryption key from the key management device (10) (S1043) and if it receives it (S1044), it proceeds to S1038.

On the other hand, if the encryption key is not received from the key management device (10) (S1044), the server (100) outputs a warning that the disk encryption key cannot be received (S1045) and then proceeds to S1042.

Meanwhile, the detailed procedure of the procedure for determining whether to resume writing (S1016, S1042) in FIGS. 12 and 14 is illustrated in FIG. 15.

Referring to FIG. 15, if write resumption is possible according to the policy (S1061), the server (100) marks the sector status information stored in the metadata as discard (S1062), exports the metadata to the cache manager (S1063), and then re-executes the encryption write operation (S1064).

On the other hand, if write resumption is not possible according to the policy (S1061), the server (100) notifies an encryption write failure (S1065).

(3) Optimization mode

Figure 16 is a flowchart for explaining a disk encryption writing method in an optimization mode according to an embodiment.

In safe mode, even if consecutive write commands to the same sector accidentally fail, previously recorded encrypted data can be decrypted. However, the probability of consecutive data write failure to the same sector is generally very low unless the disk itself fails. Therefore, some applications can assume that the write command does not fail consecutively and introduce an optimized mode write that omits the physical disk read request, as shown in Fig. 16. Specifically, the 'procedure for identifying which of the two metadata can be used to decrypt the encrypted data sector' in safe mode is replaced with the 'procedure for obtaining the first of the two metadata.' Since it is assumed that the write command does not fail consecutively, even if the write command fails once or an abnormal termination occurs, the previously recorded encrypted data sector can always be decrypted.

Specifically, referring to FIG. 16, if target sector metadata exists in the cache manager (S1101), the server (100) loads metadata from the cache manager (S1102).

On the other hand, if the target sector metadata does not exist in the cache manager (S1101), the server (100) reads the metadata from the partition and registers it with the cache manager (S1103), and then proceeds to S1102.

After that, the server (100) executes a discard operation (S1105) if the data to be recorded is zero-fill (S1104).

On the other hand, if the data to be recorded is not zero-fill (S1104), the server (100) generates a new encryption element (IV/Nonce) (S1106) and performs sector encryption and integrity verification value calculation (S1107).

If there is one metadata (S1108), the server (100) proceeds to S1017 of Fig. 13, and if there is not one metadata (S1108), it determines whether the previously recorded metadata status is discard or initialized (S1109).

As a result of the judgment of S1109, if the previously recorded metadata state is discard or initialized, the server (100) changes the metadata state 1 to discard (S1110) and then proceeds to S1017 of FIG. 13.

As a result of the judgment of S1109, if the previously recorded metadata state is not a discard or initialization state, the server (100) deletes metadata No. 2 (S1111) and then proceeds to S1017 of Fig. 13.

(4) Discard operation procedure

Fig. 17 is a flowchart for explaining the process of executing the Discard task in the safe mode and the optimized mode according to the embodiment. That is, Fig. 17 is a drawing explaining in detail the Discard task execution step S1005 of Fig. 12 and S1105 of Fig. 16.

If all data is zero-filled during the process of recording a sector, a separate discard procedure is performed for the convenience of SSD trim operations. If the storage device supports the discard command, such as an SSD controller, a separate procedure can be performed instead of zero-fill, and the metadata can indicate that the sector is empty and quickly complete the write operation.

Specifically, referring to FIG. 17, the server (100) marks the metadata status as discard (S1201), outputs metadata to the cache manager (S1202), requests metadata writing to a partition (S1203), and requests sector discard to the partition (S1204).

After that, the server (100) waits for the write request to be completed (S1205), and if it is confirmed that the write is successful (S1206), it notifies the completion of the encrypted write (S1207).

On the other hand, if the writing success is not confirmed (S1206), the server (100) determines whether the specified number of retries has been exceeded (S1208).

If it is determined that the specified number of retries has not been exceeded (S1208), the server (100) re-requests writing of the missing part to the partition (S1209) and then proceeds to S1205.

On the other hand, if the number of predetermined retries is exceeded (S1208), the server (100) notifies the completion of the encrypted write portion (S1211) if either the metadata sector write or the encrypted data sector write is successful (S1210).

On the other hand, if neither metadata nor sector writing is successful (S1210), the server (100) returns the metadata exported to the cache manager (S1212) and outputs an encryption write failure notification to the user (S1213).

(5) Metadata cache reflection procedure

Figure 18 is a flowchart for explaining a metadata cache reflection process according to an embodiment.

When at least one of the following occurs, including when the cache capacity set by the cache manager of the server (100) is full, when the cache period has expired, and when the disk encryption process has ended, metadata is reflected to the partition (20).

It can be called in S1002 illustrated in Fig. 12, S1018, S1025 of Fig. 13, S1063 of Fig. 15, S1102 of Fig. 16, S1202 of Fig. 17, S1401 of Fig. 19, and S1416, S1429 of Fig. 20. At this time, if the cache capacity set by the cache manager is full, it is performed unconditionally, and if the capacity is not full, it can be determined whether to perform it or not according to the policy. Since this procedure does not need to be executed in synchronization with the actual read/write operation, background execution is the principle.

Specifically, referring to FIG. 18, the server (100) selects a metadata cache to be deleted from the cache manager (S1301) when at least one of the following cases occurs: the cache capacity is full, the cache period has expired, and the disk encryption process has ended. The cache capacity, cache expiration period, flush policy, etc. of the cache manager can be appropriately set and used as needed.

Then, if there is a changed part in the metadata to be deleted (S1302), the server (100) requests writing of metadata to a partition (S1303) and then waits for completion of the write request (S1304). Then, the metadata is removed from the cache manager (S1305).

At this time, if the write fails, you can check whether it was successful by repeating S1301 or S1303 as many times as the number of retries. That is, since the contents remaining in the cache manager are okay even if the write fails, if there is a metadata cache that failed to be written, leave it for now and try another candidate that is likely to succeed.

However, since it fails while the two metadata are still in a safe state, the data can be decrypted, but it may be a problem for full disk encryption services.

Therefore, if the number of retries for S1301 is exceeded, it may be appropriate to send a 'Cache Export Failure Notification' to the service and then remove the metadata from the cache manager.

At this time, if you choose not to remove the metadata, a problem may arise where the service is stopped due to policy, and even if it is removed, the present invention does not export the cache, so the read/write process is designed to handle it safely in case two metadata remain.

On the other hand, if there is no change in the metadata to be deleted (S1302), the server (100) immediately removes the metadata from the cache manager (S1305).

FIGS. 19 and 20 are flowcharts for explaining a disk encryption reading method according to an embodiment.

The disk encryption technology of the present invention uses multiple disk encryption keys simultaneously to support dynamic change of disk encryption keys, and uses two metadata when decrypting encrypted data for security, so that a sector read operation different from that of general disk encryption technologies is required.

Referring to FIGS. 19 and 20, there are three cases in which a read operation is completed normally: a case in which zero-fill data is returned because it is a Discard sector, a case in which decryption with metadata 1 is successful, and a case in which decryption with metadata 2 is successful. If data is read normally, it is checked whether the disk encryption key used for encryption needs to be updated, and if necessary, re-encryption can be performed with the latest or new key.

In the event of an error, there are cases where the disk encryption key required for decryption cannot be received from both the server (100) and the key management device (10), and where decryption is attempted using the provided metadata but does not pass the integrity verification. In both cases, the principle is to return zero-fill data for cryptographic security and to notify the disk encryption service that a problem has occurred.

Specifically, referring to FIG. 19, if target sector metadata exists in the cache manager (S1400), the server (100) loads metadata from the cache manager (S1401).

On the other hand, if the target sector metadata does not exist in the cache manager (S1400), the server (100) reads the metadata from the partition and registers it with the cache manager (S1402), and then proceeds to S1401.

After that, the server (100) returns zero-fill data (S1404) if the sector status information of the metadata is marked as discard (S1403) according to the detailed metadata (23) of Fig. 9.

On the other hand, if it is not stored as a discard sector in the metadata (S1403), the server (100) performs data sector reading (S1405).

Then, if the server (100) has metadata key 1 (S1406), the server (100) proceeds to S1410 of Fig. 20.

On the other hand, if the server (100) does not have the metadata key 1 (S1406), the server (100) requests an encryption key from the key management device (10) (S1407) and if it receives it (S1408), it proceeds to S1410 of FIG. 20.

On the other hand, if the encryption key is not received from the key management device (10) (S1408), the server (100) outputs a notification that the disk encryption key cannot be received (S1409) and then proceeds to S1404.

Next, referring to FIG. 20, the server (100) attempts to decrypt with metadata No. 1 (S1410), and if the integrity verification is successful (S1411), it returns plaintext data (S1412). Afterwards, if metadata No. 2 exists (S1413), the server (100) deletes metadata No. 2 (S1415) and outputs the metadata to the cache manager (S1416). At this time, if necessary, a re-encryption task may be additionally executed (S1414).

On the other hand, if decryption is attempted with metadata 1 (S1410) and integrity verification is not successful (S1411), the server (100) determines whether metadata 2 value exists (S1417).

If metadata value 2 does not exist (S1417), the server (100) notifies that decryption is impossible (S1418) and returns zero-fill data (S1419).

On the other hand, if metadata 2 value exists (S1417), the server (100) determines whether it has the disk encryption key recorded in metadata 2 (S1420).

If the judgment result of S1420 holds metadata value 2, the server (100) attempts to decrypt metadata value 2 (S1424), and if the integrity verification succeeds (S1425), returns plaintext data (S1427), replaces metadata value 1 with value 2, and then deletes value 2 (S1428). After that, the metadata is exported to the cache manager (S1429), and if necessary, a re-encryption task can be additionally executed (S1430).

On the other hand, if decryption is attempted with metadata value 2 (S1424) and integrity verification fails (S1425), the server (100) outputs a notification that previous data cannot be decrypted (S1426) and then proceeds to S1419.

Meanwhile, if the server (100) does not have metadata key 2 in S1420, it requests an encryption key from the key management device (10) (S1421) and if it receives it (S1422), it proceeds to S1424.

On the other hand, if the encryption key is not received from the key management device (10) (S1422), the server (100) outputs a notification that the disk encryption key cannot be received (S1423) and then proceeds to S1419.

Fig. 21 is a flowchart for explaining a re-encryption method according to an embodiment. That is, it is for explaining processes S1414 and S1430 of Fig. 20.

Referring to Figure 21, during a read operation, sectors that are not encrypted with the latest disk encryption key may be found. In addition, sectors encrypted with an invalid disk encryption key may be found due to expiration of the validity period, key information leakage, various policies, etc. In this case, it is necessary to re-encrypt the sectors with the latest or new disk encryption key.

That is, if the server (100) determines that the disk encryption key of the key number recorded in the metadata 1 value is a target for renewal (S1501), it executes a write operation with the latest key (S1502).

Since the plaintext has already been returned to the requester in disk I/O, the re-encryption process can be performed in the background without disturbing the user if necessary.

Next, we will look in detail at the background re-encryption method according to the embodiment.

By utilizing the read/write operations and re-encryption procedures described above, a background re-encryption service can be configured to always encrypt and store stored data with the latest disk encryption key without interruption of the disk encryption service.

This service can determine the sectors that require re-encryption and set the cycle at which the re-encryption service will be performed. For example, if the disk encryption key is operated by setting the expiration period, data encrypted with a key that is about to expire can be set to be re-encrypted with a new key. The background re-encryption service identifies the sectors that require re-encryption by sequentially reading the first sector of the partition (20) from the last sector by utilizing the idle time of the partition (20) by the server (100) and, if necessary, performs the re-encryption process within the read operation mentioned above. If necessary, the re-encryption operation can be temporarily suspended, the number of the sector where re-encryption was last performed can be stored, and then resumed later.

After completing the task of reading all sectors from the first sector to the last sector, the disk encryption keys that are no longer in use can be identified and notified to the key management device (10) so that the unused keys can be deleted.

The effects of the disk encryption device and method according to the above-described embodiment can be described in more detail as follows.

(1) Dynamic change of disk encryption key

A typical disk encryption service uses a master key, which is one key used throughout the entire life cycle of disk encryption, and does not provide a method for changing the master key. Some disk encryption services that provide a master key change function use a method of re-encrypting all data on the disk at once, so access to all data is inevitably restricted until the re-encryption process is completed. The disk encryption technology of the present invention allows multiple disk encryption keys to be managed simultaneously, allowing the disk encryption key to be dynamically changed without service interruption.

In order to mitigate the risk of using a single master key, a method of deriving a different key for each sector using the master key and encrypting it has been proposed. However, since the security of the key derived for each sector cannot but depend on the security of a single master key, even if this method is used, if there is a problem with the security of the master key due to long-term use or leakage, the master key must be changed. This method also inevitably requires the suspension of the disk encryption service in order to change the master key.

(2) Introduction of a remote key management server for a partial trust environment

In cloud services, etc., there are various entities that can read encrypted disk sectors, and thus, they provide relatively low reliability compared to environments where one directly utilizes one's own equipment. Therefore, in such environments, a highly reliable disk encryption key management method is essential. For this purpose, the present invention proposes a method of utilizing a reliable remote key management server. By introducing a remote key management server (operated in a secure location), the limitations of key management reliability that a cloud service environment inevitably has can be overcome, and the disk encryption key can be changed efficiently and safely. Furthermore, when the server (100) on the cloud service is not in operation, the disk encryption key is not stored, and even when in operation, only the minimum disk encryption key is managed, thereby minimizing the possibility of key exposure. Meanwhile, the present invention also proposes an alternative method in cases where there is no key management server.

(3) Minimizing data loss during disk encryption process

General disk encryption requires a data sector write command and a metadata sector write command for one sector write command. It is possible to build a disk encryption service that omits metadata sector writes, but this has limitations in security and efficiency, and cannot provide dynamic changes to disk encryption keys.

During this process, if only some write commands are performed due to problems such as power outage, network disk disconnection, etc., data will be lost.

The disk encryption technology of the present invention introduces a metadata duplication method to complement these problems and to compensate for inconsistencies that may occur when operating multiple disk encryption keys. By utilizing the write operation of the present invention, data can be preserved without being lost even if there is a failure at any stage during the disk write procedure.

This allows disk encryption to operate in a variety of environments, such as a local partition (20-1) that always guarantees stable read/write, as well as a network partition (20-2) connected to another computing network.

(4) Optimizing disk I/O during disk encryption process

The disk encryption technology of the present invention minimizes the performance degradation that may occur when adopting a metadata duplication method by utilizing an active cache manager operation and an asynchronous control method. When metadata is configured in duplicate, if processed simply, a logical read operation for a partition (20) requires two disk reads, and a logical write operation requires two disk reads and three disk writes. By utilizing the optimization technology of the present invention that actively introduces a cache manager, a logical read operation can be completed with one disk read, and a logical write operation can be completed with two disk writes, assuming that metadata is stored in the cache.

Figure 22 is a diagram showing a computer system configuration according to an embodiment.

A disk encryption device according to an embodiment may be implemented in a computer system (1000) such as a computer-readable recording medium.

The computer system (1000) may include one or more processors (1010), memory (1030), user interface input devices (1040), user interface output devices (1050), and storage (1060) that communicate with each other via a bus (1020). In addition, the computer system (1000) may further include a network interface (1070) that is connected to a network (1080). The processor (1010) may be a central processing unit or a semiconductor device that executes programs or processing instructions stored in the memory (1030) or the storage (1060). The memory (1030) and the storage (1060) may be storage media that include at least one of a volatile medium, a nonvolatile medium, a removable medium, a non-removable medium, a communication medium, or an information transmission medium. For example, the memory (1030) may include a ROM (1031) or a RAM (1032).

Although the embodiments of the present invention have been described above with reference to the attached drawings, those skilled in the art to which the present invention pertains will understand that the present invention can be implemented in other specific forms without changing the technical idea or essential features thereof. Therefore, it should be understood that the embodiments described above are exemplary in all respects and not restrictive.

Claims (19)

The encryption target includes a data sector where encrypted data is recorded and a metadata sector where metadata, which is information related to the encryption key, is recorded.
Metadata is,
The first value is information related to the encryption key used when performing the latest write, and
Including the second value, which is information related to the encryption key used in the previous write,
Step of reading the metadata sector of the encryption target;
A step of replacing a second value with a first value of the read metadata;
A step of recording information related to an encryption key as the first value of metadata while encrypting data;
A step of writing the generated metadata to the encryption target; and
A step of writing encrypted data to an encryption target; and
Including a step of outputting a notification of completion of encryption write,
A step of deleting a second value from the metadata of the encryption target; and
A disk encryption write method further comprising the step of writing metadata including a first value to an encryption target. delete In the first paragraph, the step of writing the generated metadata to the encryption target is:
A method of writing disk encryption that is performed simultaneously with outputting the generated metadata to the cache manager. In the first paragraph, the step of writing metadata including the first value to the encryption target is:
A method of writing disk encryption, further comprising the step of outputting metadata including the first value to the cache manager prior to that. The encryption target includes a data sector where encrypted data is recorded and a metadata sector where metadata, which is information related to the encryption key, is recorded.
Metadata is,
The first value is information related to the encryption key used when performing the latest write, and
Including the second value, which is information related to the encryption key used in the previous write,
Step of reading metadata sectors and data sectors from the encryption target;
A step of decrypting the read data into the first value of metadata; and
Including a step of returning the decrypted plaintext data if the decryption is successful,
A disk encryption read method further comprising the step of deleting the second value of the metadata from the encryption target if the second value of the metadata exists. delete In clause 5,
If decryption is not successful, a step of decrypting the read data into the second value of the metadata;
If decryption is successful, a step of returning the decrypted plaintext data; and
A disk encryption reading method further comprising the step of replacing a first value of metadata in an encryption target with a second value and deleting the second value. In Article 7,
A disk encryption reading method further comprising the step of outputting a decryption failure notification if the read data is not successfully decrypted into the second value of the metadata. In Article 7,
A disk encryption reading method further comprising the step of decrypting data encrypted with a disk encryption key requiring renewal among data recorded in a data sector, re-encrypting it with a latest or new encryption key, and recording it in an encryption target when an update of a first value of metadata is required. memory in which at least one program is recorded; and
Contains a processor for executing a program;
The program is,
Communicate with a key management device to receive an encryption key required for encryption of at least one encryption target, and encrypt data of the encryption target using the received encryption key.
Encrypts and writes data input as an encryption target upon request from the user, or reads data from the encryption target, decrypts it, and then outputs it to the user.
The target of encryption is,
Including a data sector where encrypted data is recorded and a metadata sector where metadata, which is information related to the encryption key, is recorded.
Metadata is,
The first value is information related to the encryption key used when performing the latest write, and
Contains a second value, which is information related to the encryption key used in the previous write,
The program is,
A disk encryption device that requests an encryption key by transmitting an identifier for a new encryption target to a key management device, and performs initialization for the new encryption target upon receiving information including at least one of a unique ID of the new encryption target, a disk encryption key, a key number, and a key generation time from the key management device. delete In Article 10, the program,
A disk encryption device that performs at least one of the following services: adding an encryption target service, discarding a disk encryption key service, deleting a partition service, starting a disk encryption service, requesting a disk encryption key service, and configuring encryption information for a partition, in conjunction with a key management device. In Article 10, the program,
A disk encryption device that reads a metadata sector of an encryption target, replaces a second value with a first value of the read metadata, records encryption key-related information as the first value of the metadata as data is encrypted, writes the generated metadata to the encryption target, writes the encrypted data to the encryption target, outputs an encryption write completion notification, deletes the second value from the metadata of the encryption target, and writes metadata including the first value to the encryption target. In Article 13, the program,
When writing the generated metadata to the encryption target, it is performed at the same time as outputting the generated metadata to the cache manager.
A disk encryption device, which outputs metadata including a first value to a cache manager prior to writing metadata including a first value to an encryption target. In Article 10, the program,
A disk encryption device that reads metadata sectors and data sectors from an encryption target, decrypts the read data into a first value of the metadata, and if the decryption is successful, returns the decrypted plaintext data and re-encrypts it as necessary. In Article 15, the program,
A disk encryption device that deletes a second value of metadata from an encryption target if a second value of metadata exists. In Article 15, the program,
A disk encryption device that, if decryption is not successful, decrypts the read data into the second value of the metadata, and, if decryption is successful, returns the decrypted plaintext data, replaces the first value of the metadata with the second value in the decryption target, and deletes the second value. In Article 17, the program,
A disk encryption device that outputs a decryption failure notification when it fails to successfully decrypt the read data into the second value of the metadata. In Article 17, the program,
A disk encryption device that, when the first value of metadata needs to be updated, decrypts data encrypted with a disk encryption key that needs to be updated among the data recorded in the data sector, re-encrypts it with the latest or new encryption key, and records it on the encryption target.

Images