Research And Implementation Of Transparent File Encryption System Based On FUSE

Posted on: 2017-10-29
Degree: Master
Type: Thesis
Country: China
Candidate: L H Zheng
GTID: 2428330566953136
Subject: Information and Communication Engineering

Abstract/Summary:
To keep enterprise data secure and prevent the disclosure of sensitive information, staff must be able to use encrypted data files freely inside the enterprise, while those files must be unusable outside the company. Transparent file encryption is an important technology for solving this problem: it encrypts and decrypts files automatically without changing the user's habits. This thesis studies a transparent file encryption system based on FUSE (File System in User Space).

Traditional transparent file encryption systems are based on a file filter driver and usually divide the processes that access the data into trusted and non-trusted processes. When trusted and non-trusted processes alternately access an encrypted file, the encryption system has to clean up the file cache constantly to ensure that the cache holds the correct data (plaintext or ciphertext). This cache cleanup is heavy-handed, greatly reduces the efficiency of file operations, and causes some compatibility issues.

To address these shortcomings in cache handling, this thesis proposes a transparent file encryption system based on FUSE. The system redirects the file operations of application processes in the security directory to the virtual disk mapped by the FUSE file system, so that file operations in the security directory are carried out by the FUSE user-space process.

The system is developed as three modules: a file redirection filter module, a bridge file system encryption module, and a system security reinforcement module. The file redirection filter module implements management of the security directory at the application layer and file redirection for the security directory at the kernel layer. The bridge file system encryption module identifies processes and file operations, encrypts and decrypts files using three encryption modes, and adds a caching mechanism to improve the efficiency of file reads and writes. The system security reinforcement module uses process monitoring and clipboard monitoring to implement anti-copy and anti-screenshot protection for files in the security directory, verifies the authenticity of processes, and protects the security of the configuration file.

The innovation of this thesis is a new idea: using the FUSE file system as a bridge, together with the IBE (Identity Based Encryption) algorithm, to achieve transparent file encryption and decryption while ensuring that file data in the file system cache is always ciphertext. At the same time, transferring the I/O operations of files in the security directory to FUSE user space makes the system easier to implement and maintain. Clipboard monitoring prevents data loss through screenshots, copying and similar operations, and authenticity verification of trusted processes reinforces the security of the system.
Keywords/Search Tags: Data security, Transparent file encryption, FUSE, IBE