
WO2023216987A1 - Container image construction method and apparatus - Google Patents


Info

Publication number
WO2023216987A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
blocks
container image
metadata
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2023/092255
Other languages
French (fr)
Chinese (zh)
Inventor
高翔
齐江
刘奖
刘博�
彭涛
徐静波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/137 Hash-based

Definitions

  • One or more embodiments of this specification relate to the field of computer technology, and in particular, to a container image construction method and device.
  • container technology has become a widely recognized and applied method of sharing server resources. Developers can use container technology to deploy applications to any device that supports containers.
  • a container image is a special file system that standardizes and encapsulates the application code and its running environment. Container images can run directly on any operating system that has containers installed.
  • one or more embodiments of this specification provide a password acceleration method and device based on password acceleration hardware to solve problems existing in related technologies.
  • a container image construction method is proposed, which includes:
  • the file blocks among the several file blocks are respectively encrypted based on the generated random symmetric key to generate an encrypted container image.
  • a container image construction method is proposed, which includes:
  • the file blocks among the several file blocks are respectively encrypted based on the generated fourth symmetric key to generate an encrypted container image.
  • a container image building device is proposed, which includes:
  • File acquisition unit obtains the image file used to create a container image
  • File cutting unit cuts the image file into several file blocks
  • Key generation unit generates corresponding random symmetric keys for the several file blocks respectively;
  • Image generation unit respectively encrypts the file blocks in the several file blocks based on the generated random symmetric key to generate an encrypted container image.
  • a container image building device is proposed, which includes:
  • File acquisition unit obtains the image file used to create a container image
  • File cutting unit cuts the image file into several file blocks
  • Key generation unit calculates hash values corresponding to the plurality of file blocks; calculates and generates a fourth symmetric key based on the hash value and the third symmetric key specified by the user;
  • Image generation unit respectively encrypts the file blocks among the several file blocks based on the generated fourth symmetric key to generate an encrypted container image.
  • a cryptographic co-processing including:
  • Memory used to store instructions executable by the processor
  • the processor implements the method described in the first aspect by running the executable instructions.
  • a computer-readable storage medium on which computer instructions are stored, and when the instructions are executed by a processor, the steps of the method described in the first aspect are implemented.
  • This application cuts the image file used to create the container image into several file blocks, generates corresponding random symmetric keys for the several file blocks, encrypts the file blocks with the random symmetric key, and generates an encrypted container image.
  • the symmetric key used for encryption is completely randomly generated, so it can completely resist offline dictionary attacks and improve the security of container images.
  • Figure 1 is a schematic system architecture diagram of a container image building method provided by an exemplary embodiment.
  • Figure 2 is a flow chart of a container image building method provided by an exemplary embodiment.
  • Figure 3 is a metadata file structure diagram provided by an exemplary embodiment.
  • Figure 4 is a schematic diagram of a container image building process provided by an exemplary embodiment.
  • Figure 5 is a schematic diagram of another container image building process provided by an exemplary embodiment.
  • Figure 6 is a schematic diagram of a container image deployment process provided by an exemplary embodiment.
  • FIG. 7 is a schematic structural diagram of an electronic device for container construction provided in an exemplary embodiment.
  • Figure 8 is a block diagram of a container image building apparatus provided by an exemplary embodiment.
  • Figure 9 is a flow chart of a container image building method provided by an exemplary embodiment.
  • Figure 10 is a metadata file structure diagram provided by an exemplary embodiment.
  • Figure 11 is a schematic diagram of another container image building process provided by an exemplary embodiment.
  • Figure 12 is a schematic diagram of a container image deployment process provided by an exemplary embodiment.
  • Figure 13 is a schematic structural diagram of an electronic device for container construction provided in an exemplary embodiment.
  • Figure 14 is a block diagram of a container image building device provided in an exemplary embodiment.
  • the steps of the corresponding method are not necessarily performed in the order shown and described in this specification.
  • methods may include more or fewer steps than described in this specification.
  • a single step described in this specification may be broken down into multiple steps for description in other embodiments; and multiple steps described in this specification may also be combined into a single step for description in other embodiments.
  • container image files are encrypted to generate encrypted container image files, and convergent encryption (CE, Convergent encryption) is usually used.
  • the convergent encryption key is calculated from the original file of the container image. Therefore, an attacker can encrypt a guessed plaintext of the container image and compare the result with the encrypted image, possibly guessing the original file.
  • because any user with access to the original file can calculate the convergent key from the original file content and then encrypt the image file, the image file is vulnerable to offline dictionary attacks.
  • this specification proposes a container image construction method.
  • a completely random symmetric key is generated, and then the random symmetric key is used for encryption.
  • the image file used to create the container image is obtained, and the image file is cut into several file blocks. Generate corresponding random symmetric keys for several file blocks, then encrypt each file block based on the generated random symmetric key, and finally generate an encrypted container image.
  • Figure 1 is a schematic system architecture diagram of a container image building method provided by an exemplary embodiment.
  • the system may include multiple different forms of terminals 102, 106, 108, 110, and a network for connecting different terminals.
  • the terminals 102, 106, 108, and 110 may include electronic devices such as laptops, mobile phones, and tablet devices, as well as virtual terminals such as cloud computers and cloud servers.
  • the network 104 may include multiple types of wired or wireless networks.
  • the terminals 102, 106, 108, and 110 are all computers.
  • the user can create an encrypted container image through the terminal 102 based on the container image construction method provided in this specification, and upload the container image to the network. Users of other terminals can obtain the container image over the network through terminals 106, 108, 110, etc., and deploy the container image to their own terminals for use.
  • Figure 2 is a flow chart of a container image building method provided by an exemplary embodiment. As shown in Figure 2, the method may include the following execution steps:
  • Step 202 Obtain the image file used to create the container image
  • the image file used to create the container image can be generated from a local data file, or a new image file can be generated based on an existing image file by adding a data file.
  • Users can directly obtain the image file used to create the image through the network, for example, they can pull it directly from the image warehouse; users can also obtain the container image through the network and add data files locally to generate the image file.
  • the image file used to create a container image can be a collection of files, for example, it can be a directory of image files pulled from the image warehouse.
  • the file collection of image files can also be preprocessed, and the image files used to create the container image can be serialized into one file, which can facilitate subsequent cutting processing.
  • Step 204 Cut the image file into several file blocks
  • container images are usually managed in layers.
  • the smallest unit that can be shared between different images is the layer in the image.
  • the file blocks generated after cutting can be deduplicated.
  • the corresponding hash value can be calculated for each file block according to the corresponding hash algorithm, and deduplication processing can be performed based on the calculated hash value.
  • the hash algorithm may be MD5 algorithm, SHA algorithm, etc., which is not limited in the present invention.
  • the hash value of each file block can be calculated locally, and deduplication processing is performed on the hash value of each file block. Specifically, each hash value can be matched locally. If the hash values are the same, only one of the file blocks is reserved for data sharing. It should be noted that the user can freely set the scope of the shared domain. For example, the user can choose to retain multiple file blocks with the same hash value, or only retain one. The present invention does not limit this. In one case, the user can also set one or more encrypted file blocks as a shared domain. During local deduplication, since the relevant data and hash values of these file blocks cannot be accessed, file blocks with the same hash value as these encrypted file blocks may appear.
  • the deduplication process can also be performed by a deduplication server based on the calculated hash value.
  • the hash value of each file block can be calculated locally and the hash value is sent to the deduplication server through an encrypted connection.
  • the deduplication server matches the hash value of each file block. If the hash values are the same, only one file block is retained for sharing.
  • the user can also preset the scope of the shared domain. For example, the user can set the deduplication server to retain multiple file blocks with the same hash value, or only one, which is not limited by the present invention. In one case, the user can also set one or more encrypted file blocks as a shared domain.
  • the deduplication server does not have permission to obtain the hash values of these file blocks, so the deduplication server does not perform deduplication on these hash values, and file blocks may appear that have the same hash value as these encrypted file blocks.
  • Users can also send file blocks directly to the deduplication server through an encrypted connection, so that the deduplication server can calculate the hash value of each file block, and then deduplicate the hash value of the file block.
  • each file block can also be compressed, and then the compressed file blocks can be further processed.
  • Step 206 Generate corresponding random symmetric keys for the several file blocks respectively;
  • container image files are encrypted to generate encrypted container image files, and convergent encryption (CE, Convergent encryption) is usually used.
  • the convergent encryption key is calculated from the original file of the container image. Therefore, an attacker can encrypt a guessed plaintext of the container image and compare the result with the encrypted image, possibly guessing the original file.
  • because any user with access to the original file can calculate the convergent key from the original file content and then encrypt the image file, the image file is vulnerable to offline dictionary attacks.
  • the container image can be encrypted with a completely random symmetric key.
  • corresponding random symmetric keys are generated for several file blocks generated after cutting the image file, and are used to encrypt the several file blocks.
  • the above-mentioned random symmetric key may specifically be a parameter used to convert data plaintext into data ciphertext. Users are free to choose any random algorithm to generate completely random symmetric keys. Since the above symmetric key is generated completely randomly, the attacker cannot crack it based on the password dictionary.
  • a completely random symmetric key can be generated for the deduplicated file blocks; if deduplication is performed locally, corresponding random symmetric keys can be generated locally for the several deduplicated file blocks. If a deduplication server is used for deduplication, the deduplication server can generate corresponding random symmetric keys for the deduplicated file blocks.
  • Step 208 Encrypt the file blocks among the several file blocks based on the generated random symmetric key respectively to generate an encrypted container image.
  • each file block can be encrypted separately based on the above-mentioned randomly generated symmetric key, and then an encrypted container image can be constructed based on the encrypted file blocks.
  • file blocks can be organized in any form to build an encrypted container image, which is not limited by the present invention. Because the image file is cut into blocks in advance and deduplicated based on the hash values of the file blocks, the local storage cost of the container image is reduced; because each file block is encrypted with a completely random symmetric key, it can resist possible offline dictionary attacks and improve the security of container images.
  • the data format corresponding to the container image may also include a metadata file and at least one data file; wherein the data file is composed of at least one file block and is used to record the data in the container image; the data file also has description information, which can be used to indicate the specific storage location of each file block in the data file.
  • the description information may also include a random symmetric key corresponding to each file block generated above.
  • the metadata file is used to record the metadata corresponding to the data file; a piece of metadata indicates the specific storage location of each data file in the container image, and can be generated from the description information corresponding to the above-mentioned at least one data file.
  • At least one data file can be generated based on at least one file segment; at least one piece of metadata is generated based on the description information corresponding to the at least one data file, and then a metadata file is generated based on the at least one piece of metadata.
  • an encrypted container image can be generated based on at least one data file and metadata file.
  • the metadata file may be composed of multiple pieces of metadata; the metadata may be composed of multiple pieces of description information; each piece of description information may include the storage location of multiple file blocks and the random symmetric key corresponding to each file block.
  • the data format corresponding to the above-mentioned container image may also include a hash database file. The hash database file is used to manage the hash values of the above-mentioned file blocks and the random symmetric keys generated for those file blocks.
  • a hash database file is usually required; in the technical solution based on a deduplication server for deduplication, the user can freely choose whether or not to generate a hash database file, which is not limited by the present invention.
  • a corresponding relationship between the hash value and the random symmetric key can be established and saved to the above hash database file. It should be noted that since the above random symmetric key is completely randomly generated, the same random symmetric key may correspond to the hash values of multiple file blocks, so in the corresponding relationship multiple hash values may correspond to the same random symmetric key.
  • the above hash database file can be used to deduplicate the hash value of each file block locally when building a container image.
  • the corresponding relationship between the hash value of the file block and the random symmetric key can be established and saved to the hash database according to the shared domain range set by the above user.
  • the actual hash value of the file block is matched against the hash values stored in the hash database. If the matching results are consistent, and the user has not preset that the file block does not require deduplication, deduplication is performed accordingly. If the matching results are inconsistent, a new corresponding relationship between the hash value of the file block and the random symmetric key is established and saved to the hash database file.
  • the corresponding hash value can be calculated for each file block according to the corresponding hash algorithm; based on the hash value corresponding to the file block, the corresponding hash value can be calculated based on the shared domain range set by the above user.
  • the metadata file and hash database generated above can be further encrypted, where the encryption method can be a symmetric encryption method or an asymmetric encryption method.
  • the hash database can be encrypted based on the first symmetric key specified by the user, and the metadata file can be encrypted based on the second symmetric key specified by the user.
  • the first symmetric key and the second symmetric key specified by the user may be the same or different, and the present invention does not limit this.
  • the hash database can be encrypted based on the public key of the first asymmetric key specified by the user, and the metadata file can be encrypted based on the public key of the second asymmetric key specified by the user.
  • the first asymmetric key and the second asymmetric key specified by the user may be the same or different, and the present invention does not limit this.
  • a lightweight encrypted container image can be built.
  • the user can also selectively deploy the container image.
  • the user can obtain the container image constructed by the above method in any form, such as downloading through the network, transmitting through a secure connection, etc., which is not limited by the present invention.
  • the metadata file and at least one data file in the container image can be obtained, where the data file includes at least one encrypted file block; the metadata file records at least one piece of metadata, where the metadata also stores the random symmetric key corresponding to the encrypted file block.
  • the encrypted file block can be decrypted based on the random symmetric key, and then a file system tree is built based on the metadata file and the several file blocks to complete the deployment of the container image.
  • the metadata file in the container image is also encrypted. Therefore, during the deployment process, it is necessary to obtain the symmetric key or asymmetric key provided by the user and decrypt the metadata file. Only after the metadata is decrypted can the random symmetric key of each file block be obtained, and then the file blocks can be decrypted for subsequent deployment operations.
  • the hash database in the container image is also encrypted. Therefore, during the deployment process, when the hash database needs to be used, it is also necessary to obtain the symmetric key or asymmetric key provided by the user, decrypt the hash database, and perform subsequent deployment operations.
  • the encrypted container image can include metadata files, several data files, and hash database files.
  • the file blocks shown in Figure 4 are file blocks generated after being cut according to the above-mentioned image file through a specific file cutting algorithm. After generating file chunks, a corresponding random symmetric key can be generated for each file chunk, and the hash value of each file chunk can be calculated based on the file chunks. Then create a corresponding relationship between the random symmetric key and the hash value of the file block, and generate a hash database file based on the corresponding relationship between the random symmetric key and the hash value of the file block.
  • the user can specify a symmetric key or an asymmetric key to encrypt the hash database file.
  • the hash values of the file blocks and the hash values stored in the hash database can be matched to perform deduplication locally.
  • the file blocks can be selectively compressed, and each file block can be encrypted using the random symmetric key generated above.
  • several data files of container images can be composed according to the encrypted file blocks.
  • the description information of the data file and the random symmetric keys corresponding to the above-mentioned file blocks can form metadata, and a metadata file is generated based on the metadata.
  • the user can specify a symmetric key or an asymmetric key to encrypt the metadata file.
  • the encrypted container image can include metadata files and several data files.
  • the file blocks shown in Figure 5 are file blocks generated by cutting the above-mentioned image file with a specific file cutting algorithm. After the file blocks are generated, the hash value of each file block is calculated. The hash values of the file blocks are then sent to the deduplication server, which performs deduplication. After the deduplication server deduplicates the file blocks, it can generate a random symmetric key corresponding to each file block. After the file blocks are deduplicated by the deduplication server, the file blocks can be selectively compressed, and each file block can be encrypted using the random symmetric key generated above. Then several data files of the container image can be composed from the encrypted file blocks.
  • the description information of the data file and the random symmetric keys corresponding to the above-mentioned file blocks can form metadata, and a metadata file is generated based on the metadata.
  • the user can specify a symmetric key or an asymmetric key to encrypt the metadata file.
  • the encrypted container image can include metadata files and several data files.
  • the metadata file can be decrypted based on the symmetric key or asymmetric key specified by the user.
  • the metadata file records multiple pieces of metadata, which contains description information to describe the specific storage location of the data file in the image, and a random symmetric key for decrypting file blocks.
  • the data file includes several file blocks, and the file blocks are decrypted using the above random symmetric key.
  • the file blocks can be decompressed to obtain the original file blocks.
  • a file system tree can be constructed to complete the deployment of the container image.
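  • Added example, not part of the patent text: a Python sketch of Steps 204 to 208 and the deployment flow above (cut, deduplicate by hash, one random key per block, keys recorded in an encrypted metadata file), together with a check of why a content-derived convergent key lets a guessed block be confirmed while a random key does not. The 4096-byte block size, SHA-256, the JSON metadata layout, the in-memory hash database, every function name, and the HMAC-SHA256 keystream with encrypt-then-MAC (a standard-library stand-in for an AEAD cipher such as AES-GCM) are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

BLOCK_SIZE = 4096  # assumed; the page leaves the block size to the user


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on a wrong key."""
    body, tag = sealed[:-32], sealed[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified data")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    return _keystream_xor(enc_key, body[:16], body[16:])


def build_image(image: bytes, metadata_key: bytes):
    """Cut the image, deduplicate blocks by hash, encrypt each unique block
    with its own random key, and record the keys in encrypted metadata."""
    hash_db = {}            # block hash -> (random key, offset, length)
    data_file = bytearray()
    entries = []            # description information, in original block order
    for start in range(0, len(image), BLOCK_SIZE):
        block = image[start:start + BLOCK_SIZE]
        digest = hashlib.sha256(block).hexdigest()
        if digest not in hash_db:               # new content: store it once
            key = secrets.token_bytes(32)       # random, unrelated to content
            sealed = seal(key, block)
            hash_db[digest] = (key, len(data_file), len(sealed))
            data_file.extend(sealed)
        key, offset, length = hash_db[digest]
        entries.append({"offset": offset, "length": length, "key": key.hex()})
    metadata = seal(metadata_key, json.dumps(entries).encode())
    return bytes(data_file), metadata


def deploy_image(data_file: bytes, metadata: bytes, metadata_key: bytes) -> bytes:
    """Decrypt the metadata with the user's key, then each block with its own key."""
    entries = json.loads(open_sealed(metadata_key, metadata))
    out = bytearray()
    for entry in entries:
        sealed = data_file[entry["offset"]:entry["offset"] + entry["length"]]
        out.extend(open_sealed(bytes.fromhex(entry["key"]), sealed))
    return bytes(out)


def can_confirm_guess(sealed_block: bytes, guessed_plaintext: bytes) -> bool:
    """True when a key derived only from the guess opens the block, which is
    the property that exposes convergent encryption to dictionary guessing."""
    try:
        guess_key = hashlib.sha256(guessed_plaintext).digest()
        return open_sealed(guess_key, sealed_block) == guessed_plaintext
    except ValueError:
        return False


def demo():
    # Constructed sample image: blocks 0 and 2 are identical, so one is shared.
    image = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"A" * BLOCK_SIZE + b"tail"
    user_key = secrets.token_bytes(32)  # the user-specified metadata key
    data_file, metadata = build_image(image, user_key)
    restored = deploy_image(data_file, metadata, user_key)
    return image, data_file, metadata, restored, user_key


if __name__ == "__main__":
    image, data_file, _, restored, _ = demo()
    print(len(image), len(data_file), restored == image)
```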
  • FIG. 7 is a schematic structural diagram of an electronic device for container construction provided in an exemplary embodiment.
  • the device includes a processor 702, an internal bus 704, a network interface 706, a memory 708, and a non-volatile memory 710.
  • the processor 702 reads the corresponding computer program from the non-volatile memory 710 into the memory 708 and then runs it.
  • the execution subject of the following processing flow is not limited to each logic unit, and can also be a hardware or logic device.
  • FIG. 8 is a block diagram of a cryptographic acceleration device based on cryptographic acceleration hardware provided in an exemplary embodiment.
  • File acquisition unit 802 used to acquire image files used to create container images
  • File cutting unit 804 used to cut the image file into several file blocks
  • Key generation unit 806 used to generate corresponding random symmetric keys for the several file blocks respectively;
  • Image generation unit 808 configured to respectively encrypt the file blocks among the several file blocks based on the generated random symmetric key to generate an encrypted container image.
  • the data format corresponding to the container image includes a metadata file and at least one data file;
  • the metadata file is used to record metadata corresponding to the data file;
  • the image generation unit 808 is specifically used to respectively encrypt the file blocks in the several file blocks based on the generated random symmetric key, and generate the at least one data file based on the encrypted several file blocks;
  • the key generation unit 806 specifically calculates hash values corresponding to the several file blocks; and performs deduplication processing on the several file blocks based on the calculated hash values.
  • the data format corresponding to the image file also includes a hash database file; the image generation unit 808 is further configured to generate at least one hash database file corresponding to the several file blocks, based on the correspondence between the hash values of the several file blocks and the random symmetric keys generated for the several file blocks.
  • the container image building device further includes: a data encryption unit: configured to encrypt the hash database file based on the first symmetric key specified by the user; or, to encrypt the hash database file based on the public key of the user's first asymmetric key pair.
  • the container image building device further includes: a data encryption unit: configured to encrypt the metadata file based on a second symmetric key specified by the user; or, to encrypt the metadata file based on the public key of the user's second asymmetric key pair.
  • the first symmetric key and the second symmetric key are the same; the first asymmetric key and the second asymmetric key are the same.
  • the container image building device further includes: an image deployment unit: obtaining the generated encrypted container image;
  • a file system tree is constructed based on the metadata file and the decrypted file blocks to complete the deployment of the container image.
  • the container image device further includes: an incremental deduplication unit: obtaining a new data file corresponding to the encrypted container image;
  • Figure 9 is a flow chart of a container image building method provided by an exemplary embodiment. As shown in Figure 8, the method may include the following execution steps:
  • Step 902 Obtain the image file used to create the container image
  • the image file used to create the container image can be generated by the virtual machine based on the original operating system, or a new image file can be generated based on the existing image file by adding a data file.
  • Users can directly obtain the image file used to create an image through the network. For example, they can pull it directly from the image warehouse, or they can generate the image file locally through a virtual machine. Users can also obtain the container image through the network and add data files locally to generate the image file.
  • the image file used to create a container image can be a collection of files, for example, it can be a directory of image files pulled from the image warehouse.
  • the file collection of image files can also be preprocessed, and the image files used to create the container image can be serialized into one file, which can facilitate subsequent cutting processing.
  • Step 904 Cut the image file into several file blocks
  • container images are usually managed in layers.
  • the smallest unit that can be shared between different images is the layer in the image.
  • the image file used to create the container image can be serialized, and the image file is cut into several file blocks of the same size through a file cutting algorithm according to the file block size preset by the user.
  • File blocks usually hold less data, take up less storage space, and are easier to manage and to deduplicate.
  • the file blocks generated after cutting can be deduplicated.
  • the corresponding hash value can be calculated for each file block according to the corresponding hash algorithm, and deduplication processing can be performed based on the calculated hash value.
  • the hash algorithm may be MD5 algorithm, SHA algorithm, etc., which is not limited in the present invention.
  • the hash value of each file block can be calculated locally, and deduplication is performed on the hash values of the file blocks. Specifically, the hash values can be matched locally. If the hash values are the same, only one of the file blocks is retained for data sharing. It should be noted that the user can freely set the scope of the shared domain. For example, the user can choose to retain multiple file blocks with the same hash value, or only one. The present invention does not limit this. In one case, the user can also set one or more encrypted file blocks as a shared domain. During local deduplication, the data and hash values of these file blocks cannot be accessed, so file blocks with the same hash values as these encrypted file blocks may appear.
  • each file block can also be compressed, and then the compressed file blocks can be further processed.
  • Step 906 Calculate hash values corresponding to the several file blocks; calculate and generate a fourth symmetric key based on the hash value and the third symmetric key specified by the user;
  • container image files are usually encrypted with convergent encryption (CE) to generate encrypted container image files.
  • the convergent encryption key is calculated from the original file of the container image. An attacker can therefore encrypt a guessed plaintext of the container image and compare the result with the ciphertext, and may thereby guess the original file.
  • since any user with access to the original file can calculate the convergent key from the original file content and then encrypt the image file, the image file is vulnerable to offline dictionary attacks.
  • a fourth symmetric key can be generated based on the hash value of the file block and the third symmetric key specified by the user, and the container image can be encrypted with the fourth symmetric key. Since the third symmetric key is an arbitrary key specified by the user, an attacker who has calculated the hash value of the file block itself still cannot crack the key by brute force, nor crack it with a ciphertext dictionary.
  • a fourth symmetric key is calculated based on the hash value of the file blocks and the third symmetric key specified by the user, which is used to encrypt the several file blocks.
  • the above-mentioned fourth symmetric key may specifically be a parameter used to convert data plaintext into data ciphertext.
  • the above calculation can be performed in various ways, and is used to calculate the fourth symmetric key from the hash value and the third symmetric key specified by the user, which is not limited by the present invention.
  • the above calculation may specifically be an XOR operation.
  • for the deduplicated file blocks, a fourth symmetric key can be generated based on the hash value of each file block and the third symmetric key specified by the user; if deduplication is performed locally, the corresponding fourth symmetric keys can be generated locally for the several file blocks after deduplication.
  • Step 908 Encrypt the file blocks among the several file blocks based on the generated fourth symmetric key respectively to generate an encrypted container image.
  • each file block can be encrypted separately according to the fourth symmetric key generated above, and then an encrypted container image can be constructed based on the encrypted file blocks.
  • file blocks can be organized in any form to build an encrypted container image, which is not limited by the present invention. Since the file is divided into blocks in advance and deduplication is performed based on the hash values of the file blocks, the local storage cost of the container image is reduced; because each file block is encrypted using the fourth symmetric key, and the fourth symmetric key is calculated from the hash value of the file block itself and the third symmetric key specified by the user, the scheme can resist possible offline dictionary attacks and improve the security of the container image.
  • the data format corresponding to the container image may also include a metadata file and at least one data file; the data file is composed of at least one file block and is used to record the data in the container image; the data file also has description information, which can be used to indicate the specific storage location of each file block in the data file.
  • the description information may also include a hash value corresponding to each file block generated above.
  • the metadata file is used to record the metadata corresponding to the data file; a piece of metadata indicates the specific storage location of each data file in the container image, and can be generated from the description information corresponding to the above-mentioned at least one data file.
  • the metadata file may be composed of multiple pieces of metadata; the metadata may be composed of multiple pieces of description information; each piece of description information can include the storage locations of multiple file blocks and the hash values corresponding to the file blocks.
  • At least one data file can be generated based on at least one file segment; at least one piece of metadata is generated based on the description information corresponding to the at least one data file, and then a metadata file is generated based on the at least one piece of metadata.
  • an encrypted container image can be generated based on at least one data file and metadata file.
  • the metadata file generated above can be further encrypted, where the encryption method can be a symmetric encryption method or an asymmetric encryption method.
  • in the symmetric encryption method, the metadata file can be encrypted based on the fifth symmetric key specified by the user; in the asymmetric encryption method, the metadata file can be encrypted based on the public key of the third asymmetric key specified by the user.
  • a lightweight encrypted container image can be built.
  • the user can also selectively deploy the container image.
  • the user can obtain the container image constructed by the above method in any form, such as downloading through the network, transmitting through a secure connection, etc., which is not limited by the present invention.
  • the metadata file and at least one data file in the container image can be obtained, where the data file includes at least one encrypted file block; the metadata file records at least one piece of metadata, and the metadata also stores the hash value corresponding to the encrypted file block.
  • the fourth symmetric key can be calculated based on the hash value and the third symmetric key specified by the user, and the encrypted file block is then decrypted based on the fourth symmetric key; finally, a file system tree is built based on the metadata file and the several file blocks to complete the deployment of the container image.
  • the metadata files and hash database files in the container image are also encrypted. Therefore, during the deployment process, it is necessary to obtain the symmetric key or asymmetric key provided by the user to decrypt the metadata file; only after decrypting the metadata file can the hash value of each file block be obtained. The fourth symmetric key is then calculated based on the hash value and the third symmetric key specified by the user, and the file blocks are decrypted for subsequent deployment operations.
  • the encrypted container image can include metadata files and several data files.
  • the file blocks shown in Figure 11 are file blocks generated by cutting the above image file through a specific file cutting algorithm. After the file blocks are generated, the hash value of each file block is calculated. The symmetric key used to encrypt each file block is calculated from the hash value of that file block and a user-specified random symmetric key; the file blocks can then be deduplicated based on the hash values, and this deduplication can be done directly locally.
  • after the file blocks pass the deduplication process, the file blocks can be selectively compressed, and each file block can be encrypted using the symmetric key generated above. Several data files of the container image can then be composed from the encrypted file blocks.
  • the description information of the data file and the hash values corresponding to the above-mentioned file blocks can form metadata, and a metadata file is generated based on the metadata.
  • the user can specify a symmetric key or an asymmetric key to encrypt the metadata file.
  • the encrypted container image can include metadata files and several data files.
  • the metadata file can be decrypted based on the symmetric key or asymmetric key specified by the user.
  • the metadata file records multiple pieces of metadata, which contain description information describing the specific storage location of the data file in the image, as well as the hash values of the file blocks. Users can calculate, from the specified symmetric key and the hash value of the file block, the symmetric key used for decryption.
  • the data file includes several file blocks, and the file blocks are decrypted using the symmetric key generated above for decryption. After decrypting the file blocks, if the file blocks are compressed file blocks, the file blocks can be decompressed to obtain the original file blocks. Based on the description information of the metadata file and several file blocks, a file system tree can be constructed to complete the deployment of the container image.
  • Figure 13 is a schematic structural diagram of an electronic device for container construction provided in an exemplary embodiment.
  • the device includes a processor 1302, an internal bus 1304, a network interface 1306, a memory 1308, and a non-volatile memory 1310.
  • the processor 1302 reads the corresponding computer program from the non-volatile memory 1310 into the memory 1308 and then runs it.
  • the execution subject of the following processing flow is not limited to logic units; it can also be hardware or a logic device.
  • FIG. 14 is a block diagram of a cryptographic acceleration device based on cryptographic acceleration hardware provided in an exemplary embodiment.
  • File acquisition unit 1402 used to acquire image files used to create container images
  • File cutting unit 1404 used to cut the image file into several file blocks
  • Key generation unit 1406 used to calculate hash values corresponding to the plurality of file blocks; calculate and generate a fourth symmetric key based on the hash value and the third symmetric key specified by the user;
  • Image generation unit 1408 configured to respectively encrypt the file blocks among the several file blocks based on the generated random symmetric key to generate an encrypted container image.
  • the data format corresponding to the container image includes a metadata file and at least one data file; the metadata file is used to record metadata corresponding to the data file; the image generation unit 1408: specifically configured to encrypt, based on the generated fourth symmetric key, the file blocks in the plurality of file blocks respectively, to generate an encrypted container image.
  • the key generation unit 1406 performs deduplication processing on the several file blocks based on the calculated hash value.
  • the container image building device further includes: a data encryption unit: configured to encrypt the metadata file based on a fifth symmetric key specified by the user; or, to encrypt the metadata file based on the public key in the user's third asymmetric key pair.
  • the container image building device further includes: an image deployment unit: obtaining the generated encrypted container image;
  • a file system tree is constructed based on the metadata file and the decrypted file blocks to complete the deployment of the container image.
  • a typical implementation device is a computer, which may be in the form of a personal computer, a laptop, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email transceiver, a game controller, desktop, tablet, wearable device, or a combination of any of these devices.
  • a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • Memory may include non-permanent storage in computer-readable media, random access memory (RAM) and/or non-volatile memory in the form of read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
  • Computer-readable media includes both persistent and non-volatile, removable and non-removable media that can be implemented by any method or technology for storage of information.
  • Information may be computer-readable instructions, data structures, modules of programs, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD), magnetic tape cartridges, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by computing devices.
  • computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
  • although the terms first, second, third, etc. may be used to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other.
  • first information may also be called second information, and similarly, the second information may also be called first information.
  • the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining."

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

A container image construction method, comprising: obtaining a mirror file used for creating a container image; cutting the mirror file into a plurality of file blocks; respectively generating corresponding random symmetric keys for the plurality of file blocks; on the basis of the generated random symmetric keys, encrypting each file block in the plurality of file blocks to generate an encrypted container image.

Description

Container image construction method and apparatus

This application claims priority to the Chinese patent application filed with the China Patent Office on May 13, 2022, with application number 202210524707.7 and titled "Container image construction method and apparatus", the entire content of which is incorporated into this application by reference.

Technical field

One or more embodiments of this specification relate to the field of computer technology, and in particular to a container image construction method and apparatus.

Background

With the rapid development of Internet technology and cloud computing technology, container technology has become a widely recognized and widely used way of sharing server resources, and developers can use it to deploy applications to any device that supports containers. A container image is a special file system obtained by packaging an application's code and its runtime environment in a standardized way. A container image can run directly on any operating system that has containers installed.

Summary of the invention

In view of this, one or more embodiments of this specification provide a cryptographic acceleration method and apparatus based on cryptographic acceleration hardware, to solve problems existing in the related art.

To achieve the above objective, one or more embodiments of this specification provide the following technical solutions:

According to a first aspect of one or more embodiments of this specification, a container image construction method is proposed, the method including:

obtaining the image file used to create the container image;

cutting the image file into several file blocks;

generating a corresponding random symmetric key for each of the several file blocks;

encrypting each of the several file blocks based on the generated random symmetric keys, to generate an encrypted container image.

According to a second aspect of one or more embodiments of this specification, a container image construction method is proposed, the method including:

obtaining the image file used to create the container image;

cutting the image file into several file blocks;

calculating the hash values corresponding to the several file blocks; calculating and generating a fourth symmetric key based on the hash value and a third symmetric key specified by the user;

encrypting each of the several file blocks based on the generated fourth symmetric key, to generate an encrypted container image.

According to a third aspect of one or more embodiments of this specification, a container image construction apparatus is proposed, the method including:

a file acquisition unit: obtains the image file used to create the container image;

a file cutting unit: cuts the image file into several file blocks;

a key generation unit: generates a corresponding random symmetric key for each of the several file blocks;

an image generation unit: encrypts each of the several file blocks based on the generated random symmetric keys, to generate an encrypted container image.

According to a fourth aspect of one or more embodiments of this specification, a container image construction apparatus is proposed, the method including:

a file acquisition unit: obtains the image file used to create the container image;

a file cutting unit: cuts the image file into several file blocks;

a key generation unit: calculates the hash values corresponding to the several file blocks; calculates and generates a fourth symmetric key based on the hash value and a third symmetric key specified by the user;

an image generation unit: encrypts each of the several file blocks based on the generated fourth symmetric key, to generate an encrypted container image.

According to a fifth aspect of one or more embodiments of this specification, a cryptographic co-processing is proposed, including:

a processor;

a memory used to store instructions executable by the processor;

wherein the processor implements the method described in the first aspect by running the executable instructions.

According to a sixth aspect of one or more embodiments of this specification, a computer-readable storage medium is proposed, on which computer instructions are stored; when executed by a processor, the instructions implement the steps of the method described in the first aspect.

Beneficial effects of this application:

This application cuts the image file used to create the container image into several file blocks, generates a corresponding random symmetric key for each file block, and encrypts the file blocks with the random symmetric keys to generate an encrypted container image. Because the symmetric keys used for encryption are generated completely at random, the scheme can completely resist offline dictionary attacks and improves the security of the container image.

Brief description of the drawings

Figure 1 is a schematic system architecture diagram of a container image construction method provided by an exemplary embodiment.

Figure 2 is a flow chart of a container image construction method provided by an exemplary embodiment.

Figure 3 is a structure diagram of a metadata file provided by an exemplary embodiment.

Figure 4 is a schematic diagram of a container image construction process provided by an exemplary embodiment.

Figure 5 is a schematic diagram of another container image construction process provided by an exemplary embodiment.

Figure 6 is a schematic diagram of a container image deployment process provided by an exemplary embodiment.

Figure 7 is a schematic structural diagram of an electronic device for container construction provided by an exemplary embodiment.

Figure 8 is a block diagram of a container image construction apparatus provided by an exemplary embodiment.

Figure 9 is a flow chart of a container image construction method provided by an exemplary embodiment.

Figure 10 is a structure diagram of a metadata file provided by an exemplary embodiment.

Figure 11 is a schematic diagram of another container image construction process provided by an exemplary embodiment.

Figure 12 is a schematic diagram of a container image deployment process provided by an exemplary embodiment.

Figure 13 is a schematic structural diagram of an electronic device for container construction provided by an exemplary embodiment.

Figure 14 is a block diagram of a container image construction apparatus provided by an exemplary embodiment.

Detailed description

Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings refer to the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of this specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of one or more embodiments of this specification, as detailed in the appended claims.

It should be noted that in other embodiments the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. In addition, a single step described in this specification may be split into multiple steps in other embodiments, and multiple steps described in this specification may be combined into a single step in other embodiments.

In the related art, the files of a container image are encrypted to generate an encrypted container image file, usually with convergent encryption (CE). The convergent encryption key is calculated from the original file of the container image. An attacker can therefore encrypt a guessed plaintext of the container image and compare the result with the ciphertext, and may thereby guess the original file. Moreover, since any user who can access the original file can calculate the convergent key from the original file content and then encrypt the image file, the image file is vulnerable to offline dictionary attacks.

In view of this, this specification proposes a container image construction method in which, when the image is built, completely random symmetric keys are generated and then used for encryption.

In implementation, the image file used to create the container image is obtained and cut into several file blocks. A corresponding random symmetric key is generated for each file block, each file block is then encrypted with its generated random symmetric key, and finally the encrypted container image is generated.
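The three key choices this page discusses (the convergent key of the related art, a random key per block, and the fourth key formed from the block hash and the user's third key), compared on one constructed image. This is an added example, not code from the patent: `stream_crypt`, the record layout, the function names and the sample bytes are assumptions, and SHA-256 and XOR are picked from the options the page names.

```python
import hashlib
import hmac
import json
import secrets

BLOCK_SIZE = 16  # tiny, so the constructed sample below spans several blocks


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key, data):
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream.
    Deterministic per key and its own inverse; use a vetted cipher in practice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        piece = data[offset:offset + 32]
        out += xor_bytes(piece, pad[:len(piece)])
    return bytes(out)


def block_key(digest, scheme, k3=None):
    """Key for one block under each scheme the page discusses."""
    if scheme == "convergent":   # related art: key comes from the content alone
        return digest
    if scheme == "derived":      # second aspect: fourth key = hash XOR third key
        return xor_bytes(digest, k3)
    if scheme == "random":       # first aspect: fresh random key per block
        return secrets.token_bytes(32)
    raise ValueError(f"unknown scheme: {scheme}")


def build_image(image, scheme, k3=None):
    """Cut, deduplicate and encrypt. Returns (data, metadata, hash_db):
    ciphertext slots, per-block {hash, slot} records, and hash -> key map."""
    data, metadata, hash_db, seen = [], [], {}, {}
    for start in range(0, len(image), BLOCK_SIZE):
        block = image[start:start + BLOCK_SIZE]
        digest = hashlib.sha256(block).digest()
        if digest not in seen:   # equal hash: keep a single stored copy
            key = block_key(digest, scheme, k3)
            if scheme == "random":
                hash_db[digest.hex()] = key   # must itself be stored encrypted
            seen[digest] = len(data)
            data.append(stream_crypt(key, block))
        metadata.append({"hash": digest.hex(), "slot": seen[digest]})
    return data, metadata, hash_db


def deploy_image(data, metadata, scheme, k3=None, hash_db=None):
    """Decrypt every block named by the metadata and reassemble the image."""
    out = bytearray()
    for entry in metadata:
        digest = bytes.fromhex(entry["hash"])
        if scheme == "random":
            key = hash_db[entry["hash"]]
        else:
            key = block_key(digest, scheme, k3)
        block = stream_crypt(key, data[entry["slot"]])
        if hashlib.sha256(block).digest() != digest:
            raise ValueError("block does not match its hash: wrong key or tampering")
        out += block
    return bytes(out)


def seal_metadata(metadata, user_key):
    """Encrypt the metadata file; its block hashes would confirm guesses too."""
    return stream_crypt(user_key, json.dumps(metadata).encode())


def guess_confirmed(guess_block, ciphertexts):
    """Audit check: can a guessed block be confirmed from ciphertexts alone,
    with no secret, by encrypting it under its own hash?"""
    key = hashlib.sha256(guess_block).digest()
    return stream_crypt(key, guess_block) in ciphertexts


# Constructed sample: three 16-byte blocks, the first repeated at the end.
SAMPLE_IMAGE = b"FROM base:1.0\n\n\n" + b"DB_PASSWORD=hunt" + b"FROM base:1.0\n\n\n"
K3 = secrets.token_bytes(32)  # user-specified third symmetric key (constructed)

if __name__ == "__main__":
    for scheme in ("convergent", "derived", "random"):
        data, meta, db = build_image(SAMPLE_IMAGE, scheme, K3)
        assert deploy_image(data, meta, scheme, K3, db) == SAMPLE_IMAGE
        print(scheme, "guess confirmed:", guess_confirmed(b"DB_PASSWORD=hunt", data))
```

Because XOR is linear, one block key recovered together with that block's hash yields the user's third key, and plaintext block hashes let a guess be confirmed without any key, which is why the metadata file has to stay encrypted.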

Figure 1 is a schematic system architecture diagram of a container image construction method provided by an exemplary embodiment. As shown in Figure 1, the system may include multiple terminals of different forms 102, 106, 108, 110, and a network 104 used to connect the different terminals. The terminals 102, 106, 108, 110 may include electronic devices such as laptops, mobile phones and tablet devices, as well as virtual terminals such as cloud computers and cloud servers. The network 104 may include multiple types of wired or wireless networks.

In one embodiment, take the case where the terminals 102, 106, 108, 110 are all computers. Through the terminal 102, a user can create an encrypted container image based on the container construction method provided in this specification and upload the container image to the network. Users of other terminals can obtain the container image over the network through the terminals 106, 108, 110, etc., and deploy it to their own terminals for use.

The container image construction scheme of this specification is described in detail below with reference to the accompanying drawings.

Please refer to Figure 2, which is a flow chart of a container image construction method provided by an exemplary embodiment. As shown in Figure 2, the method may include the following steps:

Step 202: obtain the image file used to create the container image;

In this embodiment, the image file used to create the container image can be generated from local data files, or a new image file can be generated by adding data files to an existing image file. Users can obtain the image file used to create the image directly over the network, for example by pulling it directly from the image repository; users can also obtain a container image over the network and then add data files locally to generate the image file. It should be noted that the image file used to create a container image can be a collection of files, for example a directory of image files pulled from the image repository. In one embodiment, the file collection can also be preprocessed so that the image files used to create the container image are serialized into one file, which facilitates the subsequent cutting.

步骤204,将所述镜像文件切割为若干文件分块;Step 204: Cut the image file into several file blocks;

在相关技术中,容器镜像通常以层来进行管理,不同镜像之间可以共享的最小单位是镜像中的层,层与层之间可能存在大量重复的数据,但即使有微小的差别,也会被作为不同的层。因此,为了便于镜像文件的去重,可以对文件进行分块处理。In related technologies, container images are usually managed in layers. The smallest unit that can be shared between different images is the layer in the image. There may be a large amount of duplicate data between layers, but even if there are minor differences, are treated as different layers. Therefore, in order to facilitate the deduplication of image files, the files can be processed into blocks.

Because cutting the whole image file may produce file blocks with identical data, the file blocks produced by cutting can be deduplicated. In this embodiment, a hash value can be calculated for each file block using a hash algorithm, and deduplication is performed based on the calculated hash values. The hash algorithm may be, for example, the MD5 algorithm or an SHA algorithm, which the present invention does not limit.

In one implementation, the hash value of each file block can be calculated locally and deduplication performed on those hash values. Specifically, the hash values can be matched locally; if two hash values are the same, only one of the file blocks is kept for data sharing. Note that the user is free to set the scope of the shared domain. For example, the user may choose to keep several file blocks with the same hash value or to keep only one, which the present invention does not limit. In one case, the user may also designate one or more encrypted file blocks as a shared domain. During local deduplication, the data and hash values of those file blocks cannot be accessed, so file blocks with the same hash values as those encrypted file blocks may exist.

In another implementation, deduplication based on the calculated hash values can be performed by a deduplication server. Specifically, the hash value of each file block can be calculated locally and sent to the deduplication server over an encrypted connection. The deduplication server matches the hash values of the file blocks; if two hash values are the same, only one file block is kept for sharing. Note that the user may also preset the scope of the shared domain. For example, the user may configure the deduplication server to keep several file blocks with the same hash value or to keep only one, which the present invention does not limit. In one case, the user may also designate one or more encrypted file blocks as a shared domain. The deduplication server has no permission to obtain the hash values of those file blocks, so it does not deduplicate against them, and file blocks with the same hash values as those encrypted file blocks may exist.

The user may also send the file blocks directly to the deduplication server over an encrypted connection, so that the deduplication server calculates the hash value of each file block and then deduplicates based on those hash values.

To further reduce the storage overhead of the image file, after the image file is cut into several file blocks, each file block can also be compressed, and the compressed file blocks are then processed further.

Step 206: Generate a corresponding random symmetric key for each of the several file blocks;

In the related art, container image files are usually encrypted with convergent encryption (CE) to produce the encrypted container image files. The convergent encryption key is computed from the original file of the container image. An attacker can therefore encrypt a guessed plaintext of the container image and compare the result with the ciphertext, and may thereby guess the original file. Moreover, any user who can access the original file can compute the convergent key from its content and then encrypt the image file, which leaves the image file vulnerable to offline dictionary attacks.

To resist possible offline dictionary attacks, the container image can be encrypted with completely random symmetric keys. In this embodiment, a corresponding random symmetric key is generated for each of the file blocks produced by cutting the image file and is used to encrypt that file block. The random symmetric key may specifically be a parameter used to convert plaintext data into ciphertext data. The user is free to choose any random algorithm to generate a completely random symmetric key. Because the symmetric key is generated completely at random, an attacker cannot crack it using a ciphertext dictionary.

In one embodiment, completely random symmetric keys can be generated for the deduplicated file blocks. If deduplication is performed locally, the corresponding random symmetric keys can be generated locally for the deduplicated file blocks. If deduplication is performed by a deduplication server, the server can generate the corresponding random symmetric keys for the deduplicated file blocks.

Step 208: Encrypt each of the several file blocks with its generated random symmetric key to generate an encrypted container image.

In this embodiment, each file block can be encrypted separately with its randomly generated symmetric key, and the encrypted container image can then be built from the encrypted file blocks. Note that the file blocks can be organized in any form the user requires to build the encrypted container image, which the present invention does not limit. Because the file is split into blocks beforehand and deduplicated based on the hash values of the blocks, the local storage cost of the container image is reduced; because every file block is encrypted with a completely random symmetric key, possible offline dictionary attacks can be resisted, which improves the security of the container image.

In one embodiment, the data format of the container image may also include a metadata file and at least one data file. A data file consists of at least one file block and records the data in the container image. A data file also has description information, which can indicate the specific storage location of each file block within the data file. The description information may also include the random symmetric key generated for each file block.

The metadata file records the metadata corresponding to the data files. The metadata indicates the specific storage location of each data file in the container image; one piece of metadata corresponding to the at least one data file can be generated from the description information corresponding to that data file.

After the file blocks are generated, at least one data file can be generated from at least one file block, at least one piece of metadata can be generated from the description information corresponding to the at least one data file, and the metadata file can then be generated from the at least one piece of metadata. Once the at least one data file and the metadata file have been generated, the encrypted container image can be generated from them.

Please refer to Figure 3, which is a structure diagram of a metadata file provided by an exemplary embodiment. As shown in Figure 3, the metadata file may consist of multiple pieces of metadata; a piece of metadata may consist of multiple pieces of description information; each piece of description information may include the storage locations of multiple file blocks and the random symmetric keys corresponding to those file blocks. In another embodiment, the data format of the container image may also include a hash database file, which manages the hash values of the file blocks and the random symmetric keys generated for them. Note that the technical solution based on local deduplication usually requires a hash database file, whereas in the technical solution based on a deduplication server the user is free to choose whether to generate one, which the present invention does not limit.

After the hash value of each file block has been calculated and the random symmetric key for each file block generated, a correspondence between the hash values and the random symmetric keys can be established and saved to the hash database file. Note that because the random symmetric keys are generated completely at random, the same random symmetric key may correspond to the hash values of several file blocks, so the correspondence may map multiple hash values to the same random symmetric key.

The hash database file can be used to deduplicate the hash values of the file blocks locally when a container image is built. Because local deduplication may be needed during the build, the correspondence between file block hash values and random symmetric keys can be established and saved to the hash database according to the shared domain scope set by the user, and the actual hash value of each file block is matched against the hash values stored in the hash database. If a match is found and the user has not preset that the file block is exempt from deduplication, the block is deduplicated accordingly; if no match is found, a new correspondence between the file block's hash value and a random symmetric key is established and saved to the hash database file.

The hash database file is also needed for deduplication when a new container image is built by adding data files to an existing container image, or when a new metadata file is reorganized from the data files of an existing container image to build a new container image; the deduplication works in a similar way to the local deduplication described above. The newly added data files corresponding to the encrypted container image can be obtained and serialized, and a file cutting algorithm cuts the image file into several file blocks of the same size according to the block size preset by the user. A hash value is calculated for each file block using the corresponding hash algorithm. According to the shared domain scope set by the user, the hash value of each file block is matched against the hash values stored in the hash database. If a match is found, the block is deduplicated accordingly; if no match is found, a new correspondence between the file block's hash value and a random symmetric key is established and saved to the hash database file.

In another embodiment, to further ensure the security of the container image, the generated metadata file and hash database can themselves be encrypted, using either symmetric or asymmetric encryption.

With symmetric encryption, the hash database can be encrypted with a first symmetric key specified by the user, and the metadata file can be encrypted with a second symmetric key specified by the user. Note that the first and second symmetric keys specified by the user may be the same or different, which the present invention does not limit.

With asymmetric encryption, the hash database can be encrypted with the public key of a first asymmetric key specified by the user, and the metadata file can be encrypted with the public key of a second asymmetric key specified by the user. Note that the first and second asymmetric keys specified by the user may be the same or different, which the present invention does not limit.

The method described in this specification makes it possible to build a lightweight encrypted container image. Corresponding to building the container image, the user can also selectively deploy it.

The user can obtain a container image built by the above method in any way, for example by downloading it over the network or transferring it over a secure connection, which the present invention does not limit. After the encrypted container image is obtained, the metadata file and at least one data file in the container image can be obtained. A data file includes at least one encrypted file block; the metadata file records at least one piece of metadata, and the metadata also stores the random symmetric key corresponding to each encrypted file block. The encrypted file blocks can be decrypted with these random symmetric keys, and a file system tree is then built from the metadata file and the file blocks to complete the deployment of the container image.

In one implementation, to ensure the security of the container image, the metadata file in it is also encrypted. During deployment, therefore, the symmetric or asymmetric key provided by the user must be obtained for the metadata file and; only after the metadata is decrypted can the random symmetric key of each file block be obtained, the file blocks decrypted, and the subsequent deployment operations carried out. In practical applications, the hash database in the container image is also encrypted. During deployment, therefore, whenever the hash database is needed, the symmetric or asymmetric key provided by the user must also be obtained to decrypt the hash database before the subsequent deployment operations.
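The build procedure of steps 204 to 208 and the deployment procedure described above, as an added Python example that is not code from the patent. Assumptions: a 4096-byte block size, SHA-256 as the hash, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC standing in for a real cipher such as AES-GCM so that the block runs on the standard library alone, and all function and field names (hypothetical); `convergent_encrypt` models the related-art scheme for comparison, and file blocks are called chunks in the code.

```python
import hashlib
import hmac
import secrets

CHUNK_SIZE = 4096  # assumed; the page lets the user preset the block size


def subkeys(key):
    """Derive separate encryption and MAC keys from one chunk key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream_xor(key, nonce, data):
    """Stand-in cipher: HMAC-SHA256 in counter mode (use AES-GCM in practice)."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_chunk(key, chunk, nonce=None):
    """Encrypt-then-MAC one chunk; returns nonce || ciphertext || tag."""
    enc, mac = subkeys(key)
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    body = keystream_xor(enc, nonce, chunk)
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_chunk(key, blob):
    """Verify the tag, then decrypt; raises ValueError on tampering."""
    enc, mac = subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("chunk failed integrity check")
    return keystream_xor(enc, nonce, body)


def convergent_encrypt(chunk):
    """Related-art scheme: key and nonce are both derived from the plaintext,
    so equal plaintexts always give equal ciphertexts."""
    key = hashlib.sha256(chunk).digest()
    nonce = hashlib.sha256(b"nonce" + chunk).digest()[:16]
    return encrypt_chunk(key, chunk, nonce)


def build_image(image):
    """Chunk, hash, deduplicate locally, encrypt each unique chunk once."""
    hash_db = {}            # chunk hash -> key and location (hash database)
    data_file = bytearray()  # encrypted unique chunks, back to back
    metadata = []            # one description entry per logical chunk, in order
    for start in range(0, len(image), CHUNK_SIZE):
        chunk = image[start:start + CHUNK_SIZE]
        digest = hashlib.sha256(chunk).hexdigest()
        if digest not in hash_db:  # first sighting: fresh random key
            key = secrets.token_bytes(32)
            blob = encrypt_chunk(key, chunk)
            hash_db[digest] = {"key": key, "offset": len(data_file),
                               "length": len(blob)}
            data_file += blob
        metadata.append(dict(hash_db[digest]))
    return bytes(data_file), metadata, hash_db


def deploy_image(data_file, metadata):
    """Decrypt every chunk named by the metadata and reassemble the image."""
    out = bytearray()
    for entry in metadata:
        blob = data_file[entry["offset"]:entry["offset"] + entry["length"]]
        out += decrypt_chunk(entry["key"], blob)
    return bytes(out)


# Constructed sample: three identical chunks, one different chunk, short tail.
SAMPLE_IMAGE = b"A" * (3 * CHUNK_SIZE) + b"B" * CHUNK_SIZE + b"tail"

if __name__ == "__main__":
    data, meta, db = build_image(SAMPLE_IMAGE)
    print("logical chunks:", len(meta), "stored chunks:", len(db))
    print("round trip ok:", deploy_image(data, meta) == SAMPLE_IMAGE)
    print("convergent ciphertext repeats:",
          convergent_encrypt(b"A" * 64) == convergent_encrypt(b"A" * 64))
    print("random-key builds differ:", build_image(SAMPLE_IMAGE)[0] != data)
```

The returned metadata and hash database hold raw chunk keys and plaintext hashes, which is why the page encrypts both under a user-specified key.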

The container image construction method is explained further below through a specific embodiment, with reference to the figure.

As shown in Figure 4, the encrypted container image may include a metadata file, several data files, and a hash database file. The file blocks shown in Figure 4 are those produced by cutting the above image file with a specific file cutting algorithm. After the file blocks are generated, a corresponding random symmetric key can be generated for each file block and the hash value of each file block calculated. A correspondence between the random symmetric keys and the file block hash values is then created, and the hash database file is generated from that correspondence. The user can specify a symmetric key or an asymmetric key to encrypt the hash database file.

While the hash database file is being generated, deduplication can be performed locally by matching the hash values of the file blocks against the hash values stored in the hash database. After the file blocks have been deduplicated locally, they can optionally be compressed, and each file block is encrypted with the random symmetric key generated above. The encrypted file blocks can then be assembled into several data files of the container image.

The description information of the data files and the random symmetric keys corresponding to the file blocks can form the metadata, from which the metadata file is generated. The user can specify a symmetric key or an asymmetric key to encrypt the metadata file. Once the metadata file and the data files have been generated, construction of the encrypted container image is complete.

The container image construction method is explained further below through another specific embodiment, with reference to Figure 5.

As shown in Figure 5, the encrypted container image may include a metadata file and several data files. The file blocks shown in Figure 5 are those produced by cutting the above image file with a specific file cutting algorithm. After the file blocks are generated, the hash value of each file block is calculated. The hash values are then sent to the deduplication server, which performs the deduplication. After the deduplication server has deduplicated the file blocks, the random symmetric keys corresponding to the file blocks can be generated. After deduplication by the server, the file blocks can optionally be compressed, and each file block is encrypted with the random symmetric key generated above. The encrypted file blocks can then be assembled into several data files of the container image.

The description information of the data files and the random symmetric keys corresponding to the file blocks can form the metadata, from which the metadata file is generated. The user can specify a symmetric key or an asymmetric key to encrypt the metadata file. Once the metadata file and the data files have been generated, construction of the encrypted container image is complete.

Note that in this embodiment the hash values of the file blocks are sent to the deduplication server and deduplicated there, so no local deduplication is needed, the correspondence between file block hash values and random symmetric keys need not be recorded, and no hash database file has to be generated. The user can choose whether to generate a hash database file, which the present invention does not limit.

The container image deployment process is explained further below through another specific embodiment, with reference to Figure 6.

As shown in Figure 6, the encrypted container image may include a metadata file and several data files. After obtaining the encrypted container image, the user can decrypt the metadata file with the symmetric or asymmetric key the user specified. The metadata file records multiple pieces of metadata, which contain description information describing the specific storage location of each data file in the image and the random symmetric keys used to decrypt the file blocks. The data files contain several file blocks, which are decrypted with those random symmetric keys. After a file block is decrypted, if it is a compressed file block it can be decompressed to recover the original file block. A file system tree can be built from the description information in the metadata file and the file blocks to complete the deployment of the container image.

Figure 7 is a schematic structural diagram of an electronic device for container construction provided by an exemplary embodiment. Referring to Figure 7, at the hardware level the device includes a processor 702, an internal bus 704, a network interface 706, a memory 708, and a non-volatile memory 710, and may of course also include hardware required by other services. One or more embodiments of this specification may be implemented in software, for example by the processor 702 reading the corresponding computer program from the non-volatile memory 710 into the memory 708 and running it. Of course, besides software implementations, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to the logical units and may also be hardware or a logic device.

Please refer to Figure 8, which is a block diagram of a cryptographic acceleration device based on cryptographic acceleration hardware provided by an exemplary embodiment.

File acquisition unit 802: configured to obtain the image file used to create the container image;

File cutting unit 804: configured to cut the image file into several file blocks;

Key generation unit 806: configured to generate a corresponding random symmetric key for each of the several file blocks;

Image generation unit 808: configured to encrypt each of the several file blocks with its generated random symmetric key to generate an encrypted container image.

Optionally, the data format corresponding to the container image includes a metadata file and at least one data file; the metadata file is used to record metadata corresponding to the data file; the image generation unit 808 is specifically configured to encrypt each of the several file blocks with its generated random symmetric key, and to generate the at least one data file based on the encrypted file blocks;

generate at least one piece of metadata corresponding to the at least one data file based on the description information corresponding to the at least one data file, and further generate the metadata file based on the at least one piece of metadata, wherein the description information includes the random symmetric key;

generate the encrypted container image based on the at least one data file and the metadata file.

Optionally, the key generation unit 806 specifically calculates the hash values corresponding to the several file blocks, and deduplicates the several file blocks based on the calculated hash values.

Optionally, the data format corresponding to the image file also includes a hash database file; the image generation unit 808 is further configured to generate, based on the correspondence between the hash values of the several file blocks and the random symmetric keys generated for the several file blocks, at least one hash database file corresponding to the several file blocks.

Optionally, the container image construction apparatus further includes a data encryption unit, which encrypts the hash database file with a first symmetric key specified by the user, or encrypts the hash database file with the public key of the user's first asymmetric key pair.

Optionally, the container image construction apparatus further includes a data encryption unit, configured to encrypt the metadata file with a second symmetric key specified by the user, or to encrypt the metadata file with the public key of the user's second asymmetric key pair.

Optionally, the first symmetric key and the second symmetric key are the same; the first asymmetric key and the second asymmetric key are the same.

Optionally, the container image construction apparatus further includes an image deployment unit, which obtains the generated encrypted container image;

obtains the random symmetric keys in the metadata file of the encrypted container image;

decrypts the several file blocks of the data files of the encrypted container image with the respective random symmetric keys;

builds a file system tree based on the metadata file and the decrypted file blocks to complete the deployment of the container image.

Optionally, the container image device further includes an incremental deduplication unit, which obtains the newly added data files corresponding to the encrypted container image;

cuts the newly added data files into several file blocks and calculates the hash values corresponding to the several file blocks;

matches the hash values corresponding to the several file blocks against the hash values stored in the hash database file to perform deduplication.

Please refer to Figure 9, which is a flowchart of a container image construction method provided by an exemplary embodiment. As shown in Figure 8, the method may include the following steps:

Step 902: Obtain the image file used to create the container image;

In this embodiment, the image file used to create the container image may be generated by a virtual machine based on the original operating system, or a new image file may be generated by adding data files to an existing image file. The user may obtain the image file directly over the network, for example by pulling it from an image repository, or may generate the image file locally through a virtual machine; the user may also obtain a container image over the network and add data files locally to generate the image file. Note that the image file used to create the container image may be a collection of files, for example a directory of image files pulled from an image repository. In one embodiment, the file collection may also be preprocessed by serializing the image files used to create the container image into a single file, which simplifies the subsequent cutting.

Step 904: Cut the image file into several file blocks;

In the related art, container images are usually managed in layers, and the smallest unit that can be shared between different images is a layer. Layers may contain a large amount of duplicate data, but layers that differ even slightly are treated as different layers. Therefore, to facilitate deduplication of the image file, the file can be split into blocks.

In this embodiment, the image file used to create the container image can be serialized and then cut by a file cutting algorithm into several file blocks of the same size, according to the file block size preset by the user. A file block usually stores little data, occupies little storage space, is easy to manage, and is easy to deduplicate.

Since cutting all the image files may produce file blocks with identical data, the file blocks produced by cutting can be deduplicated. In this embodiment, a hash value can be calculated for each file block using a corresponding hash algorithm, and deduplication can be performed based on the calculated hash values. The hash algorithm may specifically be the MD5 algorithm, an SHA algorithm, and so on, which is not limited by the present invention.

In one implementation, the hash value of each file block can be calculated locally and deduplication performed on those hash values. Specifically, the hash values can be matched against each other locally; if two hash values are the same, only one of the file blocks is kept, to be used for data sharing. It should be noted that the user can freely set the scope of the shared domain; for example, the user can choose to keep multiple file blocks with the same hash value or keep only one, which is not limited by the present invention. In one case, the user can also set one or more encrypted file blocks as a shared domain; during local deduplication, since the data and hash values of these file blocks cannot be accessed, file blocks with the same hash value as these encrypted file blocks may appear.

To further reduce the storage overhead of the image file, after the image file has been cut into several file blocks, each file block can also be compressed, and the compressed file blocks are then processed further.

Step 906: Calculate the hash values corresponding to the several file blocks; calculate and generate a fourth symmetric key based on the hash value and a third symmetric key specified by the user;

In the related art, convergent encryption (CE) is usually used to encrypt the files of a container image to generate encrypted container image files. In convergent encryption, the key is calculated from the original file of the container image. An attacker can therefore encrypt a guessed plaintext of the container image and compare the result with the ciphertext, and may thereby guess the original file. Moreover, since any user who can access the original file can calculate the convergent key from its content and then encrypt the image file, the image file is vulnerable to offline dictionary attacks.

To resist possible offline dictionary attacks, a fourth symmetric key can be calculated from the hash value of the file block and a third symmetric key specified by the user, and the container image is encrypted with the fourth symmetric key. Since the third symmetric key is an arbitrary key specified by the user, once it has been combined with the hash value of the file block itself an attacker can neither crack it by brute force nor crack it using a ciphertext dictionary.

In this embodiment, for the several file blocks produced by cutting the image file, a fourth symmetric key is calculated from the hash value of the file block and the third symmetric key specified by the user, and is used to encrypt the several file blocks. The fourth symmetric key may specifically be a parameter used to convert plaintext data into ciphertext data. The calculation that produces the fourth symmetric key from the hash value and the user-specified third symmetric key can take various forms, which is not limited by the present invention; for example, it may specifically be an XOR operation.

In one embodiment, the fourth symmetric key can be generated for the deduplicated file blocks, based on the hash value of each file block and the third symmetric key specified by the user; if deduplication is performed locally, the corresponding fourth symmetric keys can be generated locally for the deduplicated file blocks.

Step 908: Encrypt the file blocks among the several file blocks respectively based on the generated fourth symmetric key, to generate an encrypted container image.

In this embodiment, each file block can be encrypted separately with the fourth symmetric key generated above, and an encrypted container image can then be constructed from the encrypted file blocks. It should be noted that the file blocks can be organized together in any form, according to user needs, to construct the encrypted container image, which is not limited by the present invention. Because the file is cut into blocks in advance and deduplicated based on the hash values of the file blocks, the local storage cost of the container image is reduced; because each file block is encrypted with a fourth symmetric key that is calculated from the hash value of the file block itself and the third symmetric key specified by the user, possible offline dictionary attacks can be resisted and the security of the container image is improved.

In one embodiment, the data format corresponding to the container image may also include a metadata file and at least one data file. A data file is composed of at least one file block and is used to record the data in the container image; a data file also has description information, which can indicate the specific storage location of each file block in the data file. The description information may also include the hash value generated above for each file block.

The metadata file is used to record the metadata corresponding to the data files. The metadata indicates the specific storage location of each data file in the container image, and a piece of metadata corresponding to the at least one data file can be generated based on the description information corresponding to that data file.

Please refer to Figure 10, which is a structural diagram of a metadata file provided by an exemplary embodiment. As shown in Figure 10, the metadata file may be composed of multiple pieces of metadata; each piece of metadata may be composed of multiple pieces of description information; and each piece of description information may include the storage locations of multiple file blocks and the hash values corresponding to those file blocks.

After the several file blocks have been generated, at least one data file can be generated from at least one file block; at least one piece of metadata is generated from the description information corresponding to the at least one data file, and a metadata file is then generated from the at least one piece of metadata. Once the at least one data file and the metadata file have been generated, an encrypted container image can be generated from them. In another embodiment, to further ensure the security of the container image, the metadata file generated above can itself be encrypted, using either symmetric or asymmetric encryption.

With symmetric encryption, the metadata file can be encrypted with a fifth symmetric key specified by the user; with asymmetric encryption, the metadata file can be encrypted with the public key of a third asymmetric key specified by the user.

With the method described in this specification, a lightweight encrypted container image can be constructed. Corresponding to the construction of the container image, the user can also selectively deploy the container image.

The user can obtain a container image constructed by the above method in any form, for example by downloading it over the network or transferring it over a secure connection, which is not limited by the present invention. After the encrypted container image has been obtained, the metadata file and at least one data file in the container image can be obtained, where the data file includes at least one encrypted file block and the metadata file records at least one piece of metadata. The metadata also stores the hash values corresponding to the encrypted file blocks, so the fourth symmetric key can be calculated from the hash value and the third symmetric key specified by the user, and the encrypted file blocks are then decrypted with that fourth symmetric key. Finally, a file system tree is built from the metadata file and the file blocks to complete the deployment of the container image.

In one implementation, to ensure the security of the container image, the metadata file and the hash database file in it are also encrypted. During deployment, therefore, the symmetric key or asymmetric key provided by the user must be obtained in order to decrypt the metadata file. Only after the metadata file has been decrypted can the hash value of each file block be obtained, so that the fourth symmetric key can be calculated from the hash value and the third symmetric key specified by the user, the file blocks can be decrypted, and the subsequent deployment operations can proceed.
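The build flow of steps 904 to 908 and the deployment flow described above, as an added Python sketch that is not code from the patent. It assumes SHA-256 as the hash, XOR as the combining calculation (the option the text names), a SHAKE-256 keystream as a stand-in for a real cipher, and a hash check on deployment; all function names and the sample image are constructed for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 16  # assumed small block size so the constructed sample yields several blocks
# Constructed sample "image file": the first and third blocks are identical.
SAMPLE_IMAGE = b"layer-common-lib" + b"app-config-v1..." + b"layer-common-lib" + b"tail"
PUBLIC_K3 = bytes(32)  # an all-zero K3 makes K4 == hash, i.e. plain convergent encryption


def split_blocks(image: bytes, size: int = BLOCK_SIZE) -> list[bytes]:
    """Step 904: cut the serialized image file into equal-size file blocks."""
    return [image[i:i + size] for i in range(0, len(image), size)]


def block_hash(block: bytes) -> bytes:
    """Step 906, first half: hash of one file block (SHA-256 is an assumption)."""
    return hashlib.sha256(block).digest()


def derive_k4(digest: bytes, k3: bytes) -> bytes:
    """Step 906, second half: K4 = hash XOR K3, the XOR option named in the text.

    Property of XOR: K3 == K4 XOR hash, so a block hash and its K4 must never be
    exposed together; keeping the metadata file (which holds the hashes) encrypted helps.
    """
    if len(k3) != len(digest):
        raise ValueError("K3 must be as long as the hash (32 bytes here)")
    return bytes(h ^ k for h, k in zip(digest, k3))


def crypt_block(key: bytes, data: bytes) -> bytes:
    """Stand-in deterministic cipher (SHAKE-256 keystream XOR); the same call decrypts.

    It keeps the example standard-library only and is not the patent's cipher.
    """
    stream = hashlib.shake_256(b"demo-keystream" + key).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))


def build_image(image: bytes, k3: bytes) -> tuple[list[tuple[int, bytes]], list[bytes]]:
    """Steps 904-908: returns (metadata, data_file).

    data_file holds each distinct encrypted block once (deduplication by hash);
    metadata records, per original block, its position in data_file and its hash.
    """
    data_file: list[bytes] = []
    position_of: dict[bytes, int] = {}
    metadata: list[tuple[int, bytes]] = []
    for block in split_blocks(image):
        digest = block_hash(block)
        if digest not in position_of:  # first time this content is seen
            position_of[digest] = len(data_file)
            data_file.append(crypt_block(derive_k4(digest, k3), block))
        metadata.append((position_of[digest], digest))
    return metadata, data_file


def deploy_image(metadata: list[tuple[int, bytes]], data_file: list[bytes], k3: bytes) -> bytes:
    """Deployment: recompute K4 from each recorded hash and K3, decrypt, reassemble.

    The hash comparison is an added check: a wrong K3 or a modified block fails here.
    """
    blocks = []
    for position, digest in metadata:
        block = crypt_block(derive_k4(digest, k3), data_file[position])
        if not hmac.compare_digest(block_hash(block), digest):
            raise ValueError("decrypted block does not match its recorded hash")
        blocks.append(block)
    return b"".join(blocks)


def ciphertext_matches_guess(candidate: bytes, ciphertext: bytes, k3: bytes) -> bool:
    """The comparison from the related-art paragraph: does encrypting a guessed
    block under the given K3 reproduce a stored ciphertext?"""
    return crypt_block(derive_k4(block_hash(candidate), k3), candidate) == ciphertext


if __name__ == "__main__":
    k3 = secrets.token_bytes(32)  # user-specified third symmetric key
    meta, data = build_image(SAMPLE_IMAGE, k3)
    print("blocks:", len(meta), "stored after dedup:", len(data))
    print("round trip ok:", deploy_image(meta, data, k3) == SAMPLE_IMAGE)
    _, ce_data = build_image(SAMPLE_IMAGE, PUBLIC_K3)
    guess = b"layer-common-lib"
    print("guess confirmed, plain CE:", ciphertext_matches_guess(guess, ce_data[0], PUBLIC_K3))
    print("guess confirmed without K3:", ciphertext_matches_guess(guess, data[0], PUBLIC_K3))
```

With a secret K3 the same guess no longer reproduces the stored ciphertext, while identical blocks built under the same K3 still encrypt identically, so deduplication keeps working.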

The above container image construction method is explained further below through another specific embodiment, with reference to Figure 11.

As shown in Figure 11, the encrypted container image can include a metadata file and several data files. The file blocks shown in Figure 11 are the file blocks produced by cutting the above image file with a specific file cutting algorithm. After the file blocks have been generated, the hash value of each file block is calculated. Based on each file block's hash value and a random symmetric key specified by the user, the symmetric key used to encrypt the file block is calculated; the file blocks can then be deduplicated based on the hash values, and this can be done directly locally. Once the file blocks have been deduplicated, they can optionally be compressed, each file block is encrypted with the symmetric key generated above, and the encrypted file blocks are then assembled into several data files of the container image.

The description information of the data files and the hash values corresponding to the file blocks make up the metadata, and the metadata file is generated from the metadata. The user can specify a symmetric key or an asymmetric key to encrypt the metadata file. Once the metadata file and the data files have been generated, construction of the encrypted container image is complete.

The above container image deployment process is explained further below through another specific embodiment, with reference to Figure 12.

As shown in Figure 12, the encrypted container image can include a metadata file and several data files. After obtaining the encrypted container image, the user can decrypt the metadata file with the symmetric key or asymmetric key specified by the user. The metadata file records multiple pieces of metadata, which contain description information describing the specific storage location of each data file in the image, as well as the hash values of the file blocks. The user can combine the specified symmetric key with the hash value of a file block to generate the symmetric key used for decryption. The data files include several file blocks, which are decrypted with the decryption key generated above. After a file block has been decrypted, if it is a compressed file block, it can be decompressed to obtain the original file block. A file system tree can then be built from the description information in the metadata file and the file blocks to complete the deployment of the container image.

Figure 13 is a schematic structural diagram of an electronic device for container construction provided by an exemplary embodiment. Referring to Figure 13, at the hardware level the device includes a processor 1302, an internal bus 1304, a network interface 1306, a memory 1308, and a non-volatile memory 1310, and may of course also include hardware required by other services. One or more embodiments of this specification can be implemented in software, for example by the processor 1302 reading the corresponding computer program from the non-volatile memory 1310 into the memory 1308 and then running it. Of course, in addition to software implementations, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to individual logic units and may also be hardware or logic devices.

Please refer to Figure 14, which is a block diagram of a cryptographic acceleration device based on cryptographic acceleration hardware provided by an exemplary embodiment.

File acquisition unit 1402: used to obtain the image file used to create the container image;

File cutting unit 1404: used to cut the image file into several file blocks;

Key generation unit 1406: used to calculate the hash values corresponding to the several file blocks, and to calculate and generate a fourth symmetric key based on the hash value and the third symmetric key specified by the user;

Image generation unit 1408: used to encrypt the file blocks among the several file blocks respectively based on the generated random symmetric key, to generate an encrypted container image.

Optionally, the data format corresponding to the container image includes a metadata file and at least one data file; the metadata file is used to record metadata corresponding to the data file; the image generation unit 1408 is specifically used to encrypt the file blocks among the several file blocks respectively based on the generated fourth symmetric key, to generate an encrypted container image.

Generate at least one piece of metadata corresponding to the at least one data file based on the description information corresponding to the at least one data file, and further generate the metadata file based on the at least one piece of metadata; wherein the description information includes the hash values of the file blocks

Generate an encrypted container image based on the at least one data file and the metadata file.

Optionally, the key generation unit 1406: performs deduplication processing on the several file blocks based on the calculated hash values.

Optionally, the container image construction apparatus further includes a data encryption unit, which: encrypts the metadata file based on a fifth symmetric key specified by the user; or,

encrypts the metadata file based on the public key in the user's third asymmetric key pair.

Optionally, the container image construction apparatus further includes an image deployment unit, which: obtains the generated encrypted container image;

Obtain the generated encrypted container image;

Obtain the hash value in the metadata file of the encrypted container image;

Calculate and generate the fourth symmetric key based on the hash value and the third symmetric key specified by the user;

Decrypt the several file blocks of the data file of the encrypted container image respectively based on the fourth symmetric key;

Build a file system tree based on the metadata file and the decrypted file blocks to complete the deployment of the container image.

The systems, apparatuses, modules or units described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.

In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-permanent memory in computer-readable media, in forms such as random access memory (RAM) and/or non-volatile memory, for example read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

It should also be noted that the terms "include", "comprise", or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or device. Without further limitation, an element defined by the statement "includes a ..." does not exclude the presence of additional identical elements in the process, method, article, or device that includes the element.

Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the figures do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.

The terminology used in one or more embodiments of this specification is for the purpose of describing particular embodiments only and is not intended to limit one or more embodiments of this specification. As used in one or more embodiments of this specification and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.

It should be understood that although one or more embodiments of this specification may use the terms first, second, third, etc. to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of one or more embodiments of this specification, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when", or "in response to determining".

The above are only preferred embodiments of one or more embodiments of this specification and are not intended to limit one or more embodiments of this specification. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of one or more embodiments of this specification shall fall within the scope of protection of one or more embodiments of this specification.

Claims (14)

一种容器镜像构建方法,其特征在于,所述方法包括:A container image building method, characterized in that the method includes: 获取用于创建容器镜像的镜像文件;Obtain the image file used to create the container image; 将所述镜像文件切割为若干文件分块;Cut the image file into several file blocks; 为所述若干文件分块,分别生成对应的随机对称密钥;Divide the several files into blocks and generate corresponding random symmetric keys respectively; 基于生成的所述随机对称密钥分别对所述若干文件分块中的文件分块进行加密,以生成加密的容器镜像。The file blocks among the several file blocks are respectively encrypted based on the generated random symmetric key to generate an encrypted container image. 根据权利要求1所述的方法,所述容器镜像对应的数据格式包括元数据文件和至少一个数据文件;所述元数据文件用于记录与所述数据文件对应的元数据;The method according to claim 1, the data format corresponding to the container image includes a metadata file and at least one data file; the metadata file is used to record metadata corresponding to the data file; 所述基于生成的所述随机对称密钥分别对所述若干文件分块中的文件分块进行加密,以生成加密的容器镜像,包括:The step of encrypting file blocks among the several file blocks based on the generated random symmetric key to generate an encrypted container image includes: 基于生成的所述随机对称密钥分别对所述若干文件分块中的文件分块进行加密,基于加密后的所述若干文件分块生成所述至少一个数据文件;Encrypt file blocks in the plurality of file blocks based on the generated random symmetric key respectively, and generate the at least one data file based on the encrypted file blocks; 基于所述至少一个数据文件对应的描述信息生成与所述至少一个数据文件对应的至少一条元数据,并基于所述至少一条元数据进一步生成所述元数据文件;其中,所述描述信息包括所述随机对称密钥;Generate at least one piece of metadata corresponding to the at least one data file based on the description information corresponding to the at least one data file, and further generate the metadata file based on the at least one piece of metadata; wherein the description information includes the The random symmetric key; 基于所述至少一个数据文件和所述元数据文件生成加密的容器镜像。Generate an encrypted container image based on the at least one data file and the metadata file. 
根据权利要求1所述的方法,所述基于生成的所述随机对称密钥分别对所述若干文件分块中的文件分块进行加密之前,所述方法包括:The method according to claim 1, before encrypting the file blocks in the plurality of file blocks based on the generated random symmetric key, the method includes: 计算所述若干文件分块对应的哈希值;Calculate the hash values corresponding to the several file blocks; 基于计算出的所述哈希值针对所述若干文件分块进行去重处理。Deduplication processing is performed on the several file blocks based on the calculated hash value. 根据权利要求3所述的方法,所述基于计算出的所述哈希值针对所述若干文件分块进行去重处理,包括:The method according to claim 3, performing deduplication processing on the several file blocks based on the calculated hash value, including: 在本地基于计算出的所述哈希值,针对所述若干文件分块进行去重处理;或,Perform deduplication processing on the several file blocks locally based on the calculated hash value; or, 将所述哈希值发送至去重服务器,以由所述去重服务器基于计算出的所述哈希值针对所述哈希值进行去重处理。The hash value is sent to a deduplication server, so that the deduplication server performs deduplication processing on the hash value based on the calculated hash value. 根据权利要求3所述的方法,所述镜像文件对应的数据格式中还包括哈希数据库文件;所述方法还包括:According to the method of claim 3, the data format corresponding to the image file further includes a hash database file; the method further includes: 基于所述若干文件分块的哈希值和为所述若干文件分块生成的所述随机对称密钥之间的对应关系;生成与所述若干文件分块对应的至少一个哈希数据库文件。Based on the correspondence between the hash values of the several file blocks and the random symmetric keys generated for the several file blocks; generating at least one hash database file corresponding to the several file blocks. 根据权利要求5所述的方法,所述方法还包括以下示出的任一:The method of claim 5, further comprising any of the following: 基于用户指定的第一对称密钥对所述哈希数据库文件进行加密;或,Encrypt the hash database file based on a user-specified first symmetric key; or, 基于用户的第一非对称密钥对中的公钥对所述哈希数据库文件进行加密。The hash database file is encrypted based on the public key in the user's first asymmetric key pair. 
The method of claim 2, further comprising any of the following:
encrypting the metadata file based on a second symmetric key specified by the user; or
encrypting the metadata file based on the public key of the user's second asymmetric key pair.

The method of claim 2, further comprising:
obtaining a generated encrypted container image;
obtaining the random symmetric key from the metadata file of the encrypted container image;
decrypting the several file blocks of the data file of the encrypted container image, respectively, based on the random symmetric key;
constructing a file system tree based on the metadata file and the decrypted file blocks, to complete deployment of the container image.

The method of claim 5, further comprising:
obtaining a newly added data file corresponding to the encrypted container image;
cutting the newly added data file into several file blocks, and calculating the hash values corresponding to the several file blocks;
matching the hash values corresponding to the several file blocks against the hash values stored in the hash database file to perform deduplication.

A container image construction method, characterized in that the method comprises:
obtaining an image file used to create a container image;
cutting the image file into several file blocks;
calculating hash values corresponding to the several file blocks;
calculating and generating a fourth symmetric key based on the hash value and a third symmetric key specified by the user;
encrypting the file blocks among the several file blocks, respectively, based on the generated fourth symmetric key, to generate an encrypted container image.

The method of claim 10, wherein the data format corresponding to the container image includes a metadata file and at least one data file; the metadata file is used to record metadata corresponding to the data file;
the encrypting of the file blocks among the several file blocks, respectively, based on the generated random symmetric key, to generate an encrypted container image, comprises:
encrypting the file blocks among the several file blocks, respectively, based on the generated random symmetric key, and generating the at least one data file based on the encrypted file blocks;
generating at least one piece of metadata corresponding to the at least one data file based on description information corresponding to the at least one data file, and further generating the metadata file based on the at least one piece of metadata; wherein the description information includes the hash values of the file blocks;
generating the encrypted container image based on the at least one data file and the metadata file.

The method of claim 11, wherein before the encrypting of the file blocks among the several file blocks, respectively, based on the generated fourth symmetric key, the method comprises:
performing deduplication on the several file blocks based on the hash values.

An electronic device, characterized by comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of any one of claims 1-12 by running the executable instructions.

A computer-readable storage medium, characterized in that computer instructions are stored thereon, and when the instructions are executed by a processor, the steps of the method of any one of claims 1-12 are implemented.
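An added sketch of the flow in the claims above (cut into blocks, hash, deduplicate, derive a per-block key from the block hash and the user's key, encrypt, then decrypt and rebuild); it is not code from the patent. HMAC-SHA256 as the key derivation, the 4096-byte block size, the SHAKE-256 keystream standing in for a real cipher, and all function names are assumptions.

```python
import hashlib
import hmac

CHUNK_SIZE = 4096  # assumed block size; the claims do not fix one


def derive_chunk_key(user_key: bytes, chunk_hash: bytes) -> bytes:
    """Per-block ("fourth") key from the block hash and the user's ("third") key.
    HMAC-SHA256 is an assumption; the claims only say "based on" both inputs."""
    return hmac.new(user_key, chunk_hash, hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHAKE-256 keystream) so the sketch needs only the stdlib.
    # Deterministic by construction; real code would use a vetted cipher.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def build_encrypted_image(image: bytes, user_key: bytes):
    """Return (metadata, blobs): ordered block hashes and a hash -> ciphertext store."""
    metadata, blobs = [], {}
    for off in range(0, len(image), CHUNK_SIZE):
        chunk = image[off:off + CHUNK_SIZE]
        digest = hashlib.sha256(chunk).digest()
        metadata.append(digest.hex())
        if digest.hex() in blobs:  # deduplicate before encrypting
            continue
        blobs[digest.hex()] = _keystream_xor(derive_chunk_key(user_key, digest), chunk)
    return metadata, blobs


def restore_image(metadata, blobs, user_key: bytes) -> bytes:
    """Decrypt each referenced block and verify it against its recorded hash."""
    out = bytearray()
    for hex_digest in metadata:
        digest = bytes.fromhex(hex_digest)
        chunk = _keystream_xor(derive_chunk_key(user_key, digest), blobs[hex_digest])
        if not hmac.compare_digest(hashlib.sha256(chunk).digest(), digest):
            raise ValueError("block hash mismatch: wrong key or tampered data")
        out += chunk
    return bytes(out)


# Constructed sample image: three blocks, the first and third identical.
SAMPLE_IMAGE = b"A" * CHUNK_SIZE + b"B" * CHUNK_SIZE + b"A" * CHUNK_SIZE
```

Identical blocks under the same user key yield identical ciphertext, which is what lets deduplication survive encryption; the same block under a different user key yields a different ciphertext, and the plaintext block hashes recorded in the metadata reveal which blocks are equal.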
PCT/CN2023/092255 2022-05-13 2023-05-05 Container image construction method and apparatus Ceased WO2023216987A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210524707.7A CN114995949A (en) 2022-05-13 2022-05-13 Container mirror image construction method and device
CN202210524707.7 2022-05-13

Publications (1)

Publication Number Publication Date
WO2023216987A1 true WO2023216987A1 (en) 2023-11-16

Family

ID=83026762

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/092255 Ceased WO2023216987A1 (en) 2022-05-13 2023-05-05 Container image construction method and apparatus

Country Status (2)

Country Link
CN (1) CN114995949A (en)
WO (1) WO2023216987A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119011125A (en) * 2024-10-18 2024-11-22 北京华隐熵策数据科技有限公司 Encryption and duplication removal method for resisting leakage of converged key

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114995949A (en) * 2022-05-13 2022-09-02 阿里巴巴(中国)有限公司 Container mirror image construction method and device
CN118694525B (en) * 2024-07-05 2025-10-28 中国联合网络通信集团有限公司 Image file transmission method, device and storage medium
CN120597288A (en) * 2025-08-06 2025-09-05 南京龟兔赛跑软件研究院有限公司 Container image security management method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8782441B1 (en) * 2012-03-16 2014-07-15 Google Inc. Methods and systems for storage of large data objects
US10158483B1 (en) * 2018-04-30 2018-12-18 Xanadu Big Data, Llc Systems and methods for efficiently and securely storing data in a distributed data storage system
CN110109617A (en) * 2019-04-22 2019-08-09 电子科技大学 A kind of Metadata Management method in encryption data deduplication system
CN110955901A (en) * 2019-10-12 2020-04-03 烽火通信科技股份有限公司 Storage method and server for virtual machine image file of cloud computing platform
CN114995949A (en) * 2022-05-13 2022-09-02 阿里巴巴(中国)有限公司 Container mirror image construction method and device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8189778B2 (en) * 2008-07-07 2012-05-29 General Instrument Corporation Adaptive generation of a pseudo random number generator seed
CN102402488A (en) * 2010-09-16 2012-04-04 电子科技大学 An Encryption Scheme for Disk-Based Eliminating Redundancy Storage Systems (ESDS)
CN103685162A (en) * 2012-09-05 2014-03-26 中国移动通信集团公司 File storing and sharing method
CN103944711B (en) * 2014-02-17 2017-05-24 国家超级计算深圳中心 Cloud storage ciphertext retrieval method and system
CN104780048B (en) * 2015-04-13 2018-04-10 中国电子科技集团公司第二十八研究所 The image file encryption system and method for a kind of lightweight
CN104917609B (en) * 2015-05-19 2017-11-10 华中科技大学 A kind of highly effective and safe data duplicate removal method and system perceived based on user
CN106612320B (en) * 2016-06-14 2019-10-18 深圳市中盛瑞达科技有限公司 A Deduplication Method for Encrypted Data in Cloud Storage
CN109919610A (en) * 2019-01-14 2019-06-21 如般量子科技有限公司 Anti- quantum calculation block chain secure transactions method and system based on P2P public key pond

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Doctoral Dissertation", 18 March 2012, UNIVERSITY OF ELECTRONIC SCIENCE AND TECHNOLOGY OF CHINA, CN, article WANG, CAN: "Research on Key Technology in Mass Data Processing Based on Inline Deduplication", pages: 1 - 157, XP009550423 *

Also Published As

Publication number Publication date
CN114995949A (en) 2022-09-02

Similar Documents

Publication Publication Date Title
US10140370B1 (en) Systems and methods for maintaining encrypted search indexes on third-party storage systems
EP4222630B1 (en) Efficient deduplication using block-based convergent encryption
WO2023216987A1 (en) Container image construction method and apparatus
WO2022252632A1 (en) Data encryption processing method and apparatus, computer device, and storage medium
US8762743B2 (en) Encrypting data objects to back-up
US10204235B2 (en) Content item encryption on mobile devices
CN112685753B (en) Method and equipment for storing encrypted data
JP2016154033A (en) Community-based de-duplication for encrypted data
CN116547642B (en) Efficient deduplication using block-based convergent encryption
US9886448B2 (en) Managing downloads of large data sets
Almrezeq et al. An enhanced approach to improve the security and performance for deduplication
Wang et al. A policy-based deduplication mechanism for securing cloud storage
CN106919348A (en) Distributed memory system and storage method that anti-violence is cracked
Virvilis et al. Secure cloud storage: Available infrastructures and architectures review and evaluation
Kambo et al. Secure data deduplication mechanism based on Rabin CDC and MD5 in cloud computing environment
Baligodugula et al. A comparative study of secure and efficient data duplication mechanisms for cloud-based iot applications
Kirubakaran et al. A cloud based model for deduplication of large data
CN116710916A (en) Method and system for preventing duplication of encrypted data
CN110995690A (en) Secure storage method and device based on cloud storage
Zhang et al. Secure deduplication based on Rabin fingerprinting over wireless sensing data in cloud computing
Nandhini et al. A review of hilevel authorized deduplication method for cloud storage system
Karthika et al. Zero-Knowledge Cross-User De-Duplication for Big Data Storage on Cloud
Tharunkumar et al. Optimizing Cloud Efficiency Through Data De-Duplication Technique
Hui et al. A Mobile Terminal Security Strategy Based On the Cloud Storage
Sajjan et al. Authorized data availability with secure deduplication framework using hybrid cloud

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23802759

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 23802759

Country of ref document: EP

Kind code of ref document: A1