
Two Ways To Protect And Manage Storage Keys

Posted on: 2019-03-23
Degree: Master
Type: Thesis
Country: China
Candidate: X S Zhu
GTID: 2428330548976587
Subject: Information and Communication Engineering
Abstract/Summary:
With the rapid development of modern science and technology, more and more important data needs to be stored on hard disks. Because of security threats such as data leakage, illegal modification and hard disk theft, the disks that store this data generally need encryption protection. Symmetric encryption is fast, so it is usually used to encrypt hard disk data. The security of encryption depends not only on the cryptosystem and the encryption algorithm; the security of key management is particularly important. How to ensure the security of key management has therefore become a topic of concern to all parties. To address key protection and management, this paper presents two different schemes.

The first scheme is based on X.509 and uses X.509 certificates and the OpenSSL toolkit. A system implementation model is put forward for this scheme, and the composition and basic principle of the model are analyzed. The system design flow is described, including server certificate configuration management, the LUKS partition start service, the encryption process and the decryption process.

The second scheme is based on the McCallum-Relyea exchange protocol, an improved version of the ECDH key exchange protocol that likewise relies on the hardness of the elliptic curve discrete logarithm problem. A storage key management system is then proposed, divided into five parts: the key distribution phase, key authentication phase, symmetric key management phase, symmetric key recovery phase and key update phase.

In both schemes the decryption server is stateless. Because the first scheme relies on X.509 certificates, its certificate configuration and implementation process are more complex, and the client needs to pass its own key to the server over the network, which requires a TLS secure tunnel and authentication. To overcome these drawbacks, the second scheme uses the McCallum-Relyea exchange protocol and JOSE, so no TLS secure tunnel or authentication function is needed, and the server never touches the key information of the client's hard disk. Nor does it obtain any identity information about the client; that is, the client remains anonymous to the server.
Keywords/Search Tags: Storage key, key management, X.509, elliptic curve
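The blinded recovery step behind the abstract's claim that the server never touches the client's disk key, as an added example that is not the thesis's code: it follows the McCallum-Relyea exchange as publicly documented. The P-256 curve, the pure-Python arithmetic (not constant time) and all function names are assumptions made for illustration.

```python
import secrets

# NIST P-256 domain parameters (assumed curve; the abstract names none).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, p):  # double-and-add scalar multiplication (illustration only)
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def keypair():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

# Client, at provisioning: K = c*S keys the disk; only public C is stored.
def provision(S):
    c, C = keypair()
    return C, mul(c, S)

def blind(C):  # client: hide C behind a fresh ephemeral key, X = C + E
    e, E = keypair()
    return e, add(C, E)

def server_reply(s, X):  # server: one stateless multiply; sees neither C nor K
    return mul(s, X)

def unblind(e, S, Y):  # client: K = Y - e*S = s*C
    zx, zy = mul(e, S)
    return add(Y, (zx, -zy % P))
```

Because each recovery uses a fresh ephemeral key, the value the server receives differs on every request and cannot be linked to the stored C.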