Some time ago, for work, I had to look into intranet security. To keep files on the LAN from leaking, transparent encryption technology came up, so I went through the material and took notes.
1. File-based transparent encryption
A file-based transparent encryption system decides whether to encrypt or decrypt according to the name of the file being accessed, typically its suffix [23].
Specifically, you define key files and their read/write permissions (file names support the wildcards * and ?) to control read/write access to key files, record read/write access to key files, record write access to removable disks, and so on.
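The name-pattern rule set described above, as an added example in Python (not code from the original notes or from any product). The rule layout, the first-match-wins evaluation order, the `removable_volumes` set and the sample rules and paths are all assumptions; wildcard matching uses `fnmatch`, which gives the `*` and `?` semantics the notes mention.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str   # matched against the file name only; supports * and ?
    read: bool     # may a matching file be read (decrypted on the way in)
    write: bool    # may a matching file be written (encrypted on the way out)


@dataclass
class Decision:
    key_file: bool            # True when the name matched a rule, i.e. the file is confidential
    allowed: bool             # whether the requested operation may proceed
    rule: Optional[Rule] = None


@dataclass
class FilePolicy:
    rules: List[Rule]                                                 # evaluated top to bottom, first match wins
    removable_volumes: Set[str] = field(default_factory=set)          # assumed, e.g. {"F:"} for USB drives
    audit: List[Tuple[str, str, str]] = field(default_factory=list)   # (event, operation, path)

    @staticmethod
    def _name(path: str) -> str:
        return path.replace("\\", "/").rsplit("/", 1)[-1]

    def decide(self, path: str, op: str) -> Decision:
        if op not in ("read", "write"):
            raise ValueError(op)
        # Record writes to removable disks whether or not the file is a key file.
        if op == "write" and path[:2].upper() in self.removable_volumes:
            self.audit.append(("removable_write", op, path))
        name = self._name(path).lower()
        for rule in self.rules:
            if fnmatchcase(name, rule.pattern.lower()):
                allowed = rule.read if op == "read" else rule.write
                self.audit.append(("key_file_access" if allowed else "key_file_denied", op, path))
                return Decision(key_file=True, allowed=allowed, rule=rule)
        # No rule matched: an ordinary file, stored and read in plaintext.
        return Decision(key_file=False, allowed=True)


def demo() -> dict:
    """Constructed rule set and paths; returns the decisions so they can be checked."""
    policy = FilePolicy(
        rules=[
            Rule("*.dwg", read=True, write=True),           # drawings: encrypted, read/write
            Rule("design_v?.doc", read=True, write=False),  # single-digit versions are frozen
            Rule("*.doc", read=True, write=True),           # other documents: encrypted, read/write
        ],
        removable_volumes={"F:"},
    )
    return {
        "frozen_write": policy.decide(r"C:\work\design_v2.doc", "write"),
        "v10_write": policy.decide(r"C:\work\design_v10.doc", "write"),   # '?' matches one char only
        "renamed_copy": policy.decide(r"C:\work\design_v2.bak", "read"),  # suffix changed: not a key file
        "usb_write": policy.decide(r"F:\design_v2.doc", "write"),
        "audit": list(policy.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `renamed_copy` case is the check a practitioner wants to see: once a name no longer matches any pattern the engine treats the file as ordinary plaintext, so a decrypted document saved under a different suffix leaves the protected set. That is inherent to deciding by file name and is one reason the notes go on to process-based and disk-based schemes.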
2. Process-based transparent encryption
A process-based transparent encryption system decides whether to encrypt or decrypt according to the process that accesses the file.
A process is the scheduling unit of the operating system, and every file access can be attributed to a specific process, so a process-based transparent encryption system applies encryption and decryption control at the granularity of system processes.
A process-based transparent encryption system must distinguish the processes that need to access protected confidential files from those that do not. For a process that needs to access confidential files, the system dynamically encrypts and decrypts its read/write I/O so that the user's access to the files stays transparent. For a process that does not access confidential files, the transparent encryption system lets it access ordinary, unprotected files without going through the dynamic encryption/decryption driver.
Processes are thus divided into two classes. One class accesses confidential files through dynamic encryption and decryption under the monitoring of the transparent encryption system; these are called "monitored processes". The other class is untouched by the transparent encryption system and accesses ordinary, unprotected files normally; these are called "unmonitored processes".
Put differently, the write operations of monitored processes are encrypted and their read operations are decrypted, while the read and write operations of unmonitored processes are not affected at all.
A process-based transparent encryption system must also deal with communication between monitored and unmonitored processes. If a monitored process passes decrypted data to an unmonitored process as communication data, the unmonitored process can write that data to disk without encryption and thereby steal the confidential file. The transparent encryption system therefore has to prevent communication between monitored and unmonitored processes, so that the two kinds of process are isolated in two separate environments.
Besides encryption and decryption at the driver layer, the main capability a process-based transparent encryption system needs is reliable identification of processes.
The drawback of a process-based transparent encryption system is that management becomes difficult when the application environment is complex, and users cannot add support for new applications themselves.
In theory it cannot be implemented at all when monitored and unmonitored processes need to read and write a shared configuration file.
Because a process-based transparent encryption system decides whether to encrypt or decrypt a file according to the system process editing it, its most critical weakness is that it cannot effectively solve leaks through plug-ins and macros: it cannot distinguish a read issued by a plug-in inside the process from a read issued by the process itself. Since data is decrypted on read, if the system cannot tell whether the reader is a plug-in or the host process, then once the plug-in has read the plaintext it can send it out through non-storage channels such as the network. Such systems therefore need other auxiliary means to refine file access control further.
3. Disk-based transparent encryption
A disk-based transparent encryption system encrypts all files stored on a disk at the granularity of disk partitions. The system identifies an encrypted partition through a configuration file and a special marker in the partition header.
Microsoft provides BitLocker in its newer operating system Vista to encrypt an entire partition, but more commonly virtual disk technology is used to build a disk-based transparent encryption system.
A disk-based transparent encryption system only needs to determine whether the partition holding the accessed file is encrypted, so its logic is simpler than that of file-name-based and process-based transparent encryption systems.
By designating a partition or creating a virtual disk partition, the disk-based transparent encryption system automatically encrypts files stored in that partition and automatically decrypts content read from it.
A disk-based transparent encryption system is independent of file type and of the accessing process. In practical anti-leak deployments, however, access to the encrypted partition by certain processes still has to be restricted.
A disk-based transparent encryption system also has to prevent files from being copied from encrypted disks to non-encrypted disks and from being sent out through peripheral ports or the network.
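The two decision rules from sections 2 and 3, the monitored/unmonitored split and the encrypted-partition rule, together with the leak paths the notes call out (plaintext handed over IPC to an unmonitored process, a monitored process reading a shared plaintext configuration file, copying off the encrypted partition, and a process that must not touch the partition at all), as an added simulation in Python. This is not code from the original notes or from any product: the class and method names, the toy HMAC-keystream XOR cipher standing in for the driver's real cipher, the process names and the volume letters are all assumptions. A real implementation lives in a kernel filter driver; the simulation models only the policy, with an in-memory dict playing the disk.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher (assumption for the demo): XOR with an HMAC-SHA256 counter keystream.
    Deterministic and nonce-less, so NOT secure; a real driver uses an authenticated
    mode with per-file keys. The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class LeakBlocked(Exception):
    """Raised when policy refuses an operation that would expose plaintext."""


@dataclass
class IoFilter:
    """Simulated I/O filter between processes and storage."""
    key: bytes
    monitored: Set[str]                                   # process-based mode: processes under dynamic enc/dec
    encrypted_volumes: Set[str]                           # disk-based mode: volumes such as "E:"
    volume_deny: Set[str] = field(default_factory=set)    # processes refused on encrypted volumes
    disk: Dict[str, bytes] = field(default_factory=dict)  # path -> bytes actually on storage

    @staticmethod
    def _volume(path: str) -> str:
        return path[:2].upper()

    def _encrypted(self, proc: str, path: str) -> bool:
        # Process rule: everything a monitored process touches goes through enc/dec.
        # Partition rule: everything on an encrypted volume is encrypted, whatever the process.
        return proc in self.monitored or self._volume(path) in self.encrypted_volumes

    def _check_volume(self, proc: str, path: str) -> None:
        if self._volume(path) in self.encrypted_volumes and proc in self.volume_deny:
            raise LeakBlocked(f"{proc} may not access {self._volume(path)}")

    def write(self, proc: str, path: str, data: bytes) -> None:
        self._check_volume(proc, path)
        self.disk[path] = keystream_xor(self.key, data) if self._encrypted(proc, path) else data

    def read(self, proc: str, path: str) -> bytes:
        self._check_volume(proc, path)
        raw = self.disk[path]
        return keystream_xor(self.key, raw) if self._encrypted(proc, path) else raw

    def send_ipc(self, src: str, dst: str, data: bytes) -> bytes:
        """Monitored <-> unmonitored traffic is refused: the receiver could store plaintext in clear."""
        if (src in self.monitored) != (dst in self.monitored):
            raise LeakBlocked(f"IPC {src} -> {dst} crosses the monitored boundary")
        return data

    def copy(self, proc: str, src: str, dst: str) -> None:
        """A copy from an encrypted volume to a plain one would land plaintext on disk."""
        if self._volume(src) in self.encrypted_volumes and self._volume(dst) not in self.encrypted_volumes:
            raise LeakBlocked(f"copy {src} -> {dst} leaves the encrypted volume")
        self.write(proc, dst, self.read(proc, src))


def demo() -> dict:
    """Constructed scenario; returns named booleans so the behaviour can be checked."""
    f = IoFilter(key=b"demo-key", monitored={"winword.exe"},
                 encrypted_volumes={"E:"}, volume_deny={"ftp.exe"})
    secret = b"quarterly numbers"
    f.write("winword.exe", "D:/report.doc", secret)       # monitored process: ciphertext on disk
    f.write("notepad.exe", "D:/app.ini", b"[settings]")   # unmonitored process: plaintext on disk
    f.write("notepad.exe", "E:/plan.txt", secret)         # encrypted volume: ciphertext whatever the process
    res = {
        "report_on_disk_is_ciphertext": f.disk["D:/report.doc"] != secret,
        "monitored_reads_plain": f.read("winword.exe", "D:/report.doc") == secret,
        "unmonitored_sees_ciphertext": f.read("notepad.exe", "D:/report.doc") != secret,
        "shared_config_garbled": f.read("winword.exe", "D:/app.ini") != b"[settings]",  # the section 2 limitation
        "any_process_reads_volume_plain": f.read("notepad.exe", "E:/plan.txt") == secret,
    }
    attempts = {
        "ipc_blocked": lambda: f.send_ipc("winword.exe", "notepad.exe", secret),
        "copy_off_volume_blocked": lambda: f.copy("notepad.exe", "E:/plan.txt", "D:/plan.txt"),
        "denied_process_blocked": lambda: f.read("ftp.exe", "E:/plan.txt"),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            res[name] = False
        except LeakBlocked:
            res[name] = True
    return res


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what the simulation does not cover, matching the notes' own caveats: a plug-in or macro running inside `winword.exe` is the same process to the filter, so it receives plaintext from `read()` and can push it to the network without ever touching `write()`; and nothing here distinguishes a protected file from the shared `app.ini`, which is why the monitored process reads garbage from it.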