CN111158857A - Data encryption method, device, equipment and storage medium - Google Patents

Data encryption method, device, equipment and storage medium

Info

Publication number
CN111158857A
Authority
CN
China
Prior art keywords
target data
encryption
virtual desktop
data
encryption strategy
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911347007.XA
Other languages
Chinese (zh)
Other versions
CN111158857B (en)
Inventor
廖焕康
万齐齐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201911347007.XA
Publication of CN111158857A
Application granted
Publication of CN111158857B
Status: Active


Abstract

The invention discloses a data encryption method, a data encryption device, data encryption equipment and a storage medium. Wherein the method comprises the following steps: receiving a data transmission request which is sent by a virtual desktop client and used for exporting target data of virtual machine operation to a mobile storage device; acquiring the target data output by the virtual machine based on the data transmission request; determining an encryption strategy of the target data, and encrypting the target data according to the encryption strategy; and transmitting the encrypted target data to a virtual desktop client, so that the virtual desktop client transmits the encrypted target data to the mobile storage device. The embodiment of the invention improves the data security, and simultaneously can reduce the resource occupation of the virtual machine in the data encryption process, thereby improving the user experience of accessing the virtual machine through the virtual desktop client.

Description

Data encryption method, device, equipment and storage medium
Technical Field
The present invention relates to the field of data processing, and in particular, to a data encryption method, apparatus, device, and storage medium.
Background
With the development of communication technology, virtual desktops are gradually replacing traditional personal computers to provide services to users. The virtual desktop can centralize the scattered physical machines in a data center so as to achieve the purposes of centralized management and centralized operation and maintenance. The Virtual Desktop may be implemented based on a Virtual Desktop Infrastructure (VDI), and the VDI may centrally arrange a server and run a Virtual Machine (VM) of a Desktop system, so that a user may use the Desktop system and perform Desktop operations through a network without being limited to a physical space. Meanwhile, in the desktop operation process, only the image of the desktop system is transmitted, and the user cannot contact the actual data of the desktop system, so that the data security is ensured.
When a user uses the virtual desktop, the user inevitably needs to use mobile storage equipment such as a U disk and the like to copy data in the virtual desktop to the mobile storage equipment, so that the circulation of the data is realized. At this time, the virtual desktop cannot implement security control on the exported data because the related data leaves the environment of the virtual desktop.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data encryption method, apparatus, device, and storage medium, which aim to improve security of data export in a virtual desktop environment.
The technical scheme of the embodiment of the invention is realized as follows:
the embodiment of the invention provides a data encryption method, which is applied to a virtual desktop management platform and comprises the following steps:
receiving a data transmission request which is sent by a virtual desktop client and used for exporting target data of virtual machine operation to a mobile storage device; the mobile storage device is connected with the virtual desktop client;
acquiring the target data output by the virtual machine based on the data transmission request;
determining an encryption strategy of the target data, and encrypting the target data according to the encryption strategy;
and transmitting the encrypted target data to a virtual desktop client, so that the virtual desktop client transmits the encrypted target data to the mobile storage device.
The embodiment of the invention also provides a data encryption device, which is applied to the virtual desktop management platform, and the device comprises:
the receiving module is used for receiving a data transmission request which is sent by the virtual desktop client and used for exporting the target data of the running of the virtual machine to the mobile storage device; the mobile storage device is connected with the virtual desktop client;
an obtaining module, configured to obtain the target data output by the virtual machine based on the data transmission request;
the data encryption module is used for determining an encryption strategy corresponding to the target data and encrypting the target data according to the encryption strategy;
and the sending module is used for transmitting the encrypted target data to the virtual desktop client so that the virtual desktop client can transmit the encrypted target data to the mobile storage device.
An embodiment of the present invention further provides a virtual desktop management platform, including: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor, when running the computer program, is adapted to perform the steps of the method according to any of the embodiments of the present invention.
The embodiment of the invention also provides a storage medium, wherein a computer program is stored on the storage medium, and when the computer program is executed by a processor, the steps of the method of any embodiment of the invention are realized.
According to the technical scheme provided by the embodiment of the invention, the target data output by the virtual machine based on the data transmission request is obtained through the virtual desktop management platform, and the target data is encrypted according to the corresponding encryption strategy, so that the data security is improved, the resource occupation of the virtual machine in the data encryption process can be reduced, and the user experience of accessing the virtual machine through the virtual desktop client is improved. In addition, the exported data is encrypted through the virtual desktop management platform, so that encryption failure caused by operation flaws of the virtual machine is avoided, and the safety of the exported data is further improved.
Drawings
FIG. 1 is a flow chart of a data encryption method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a VDI according to an embodiment of the present invention;
FIG. 3 is a flow chart of a data encryption method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a data encryption apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a virtual desktop management platform according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
To facilitate an understanding of the invention, the following terms are to be construed as follows:
Desktop virtualization refers to virtualization of a computer's terminal system, so that a user can access their own desktop system from any place, at any time, over a network, using any device. Desktop virtualization relies on server virtualization: a desktop virtualization platform (virtualization software) virtualizes a server in a data center, generates a large number of independent desktop operating systems (virtual machines or virtual desktops), and delivers them to terminal devices over a proprietary virtual desktop protocol. The user terminal logs in to the virtual host over Ethernet; the user only needs to remember the user name, the password and the gateway information to access their desktop system over the network at any time and place, so that a single machine serves multiple users.
The virtual machine virtualizes a server (physical machine) through a virtual desktop management platform, so that a large number of independent desktop systems are obtained, an operating environment can be created for an end user, and the end user operates software based on the operating environment. The terminal can be a smart phone, a tablet computer, a desktop computer, an electronic device (thin terminal) specially used for accessing the VDI, and the like.
In the related art, VDI access is usually initiated by a user from a virtual desktop client, and after user authentication is passed, the virtual desktop management platform authorizes the virtual desktop to the user for use. In the process, operation and maintenance management personnel can set various management and control functions for the virtual desktop according to actual conditions and requirements. Encryption of data copied to the USB flash disk is achieved by installing encryption software in an operating system of the virtual desktop. Due to the fact that the deployment of encryption software is added in the operating system of the virtual desktop, the resource occupation of the virtual machine is increased, and the use experience of a user is reduced.
Based on this, in various embodiments of the present invention, the target data output by the virtual machine based on the data transmission request is obtained through the virtual desktop management platform, and the target data is encrypted according to the corresponding encryption policy, so that the data security is improved, and meanwhile, the resource occupation of the virtual machine in the data encryption process can be reduced, so that the user experience of accessing the virtual machine through the virtual desktop client is improved.
An embodiment of the present invention provides a data encryption method, which is applied to a virtual desktop management platform, and as shown in fig. 1, the method includes:
step 101, receiving a data transmission request which is sent by a virtual desktop client and used for exporting target data of virtual machine operation to a mobile storage device; the mobile storage device is connected with the virtual desktop client;
Here, the virtual desktop management platform is the carrier on which the virtual machine runs. The virtual desktop client is the terminal used on the user side to access a virtual desktop; it includes but is not limited to a Windows client, a Mac client, a Linux client, or an Android client, and may be a smartphone, a tablet computer, a desktop computer, an electronic device (thin terminal) specially used for accessing a VDI, and the like. The mobile storage device can be a portable storage device such as a USB flash drive or a mobile hard disk.
Step 102, acquiring the target data output by the virtual machine based on the data transmission request;
Step 103, determining an encryption strategy of the target data, and encrypting the target data according to the encryption strategy;
Step 104, transmitting the encrypted target data to a virtual desktop client, so that the virtual desktop client transmits the encrypted target data to the mobile storage device.
Here, the virtual desktop management platform obtains the target data output by the virtual machine based on the data transmission request, determines an encryption policy corresponding to the target data, and encrypts the target data according to the encryption policy. The data security is improved, and meanwhile, the resource occupation of the virtual machine in the data encryption process can be reduced, so that the user experience of accessing the virtual machine through the virtual desktop client is improved. In addition, the exported data is encrypted through the virtual desktop management platform, so that encryption failure caused by operation flaws of the virtual machine is avoided, and the safety of the exported data is further improved.
In an embodiment, the method further comprises:
the virtual desktop management platform receives an access request for accessing the virtual machine, which is sent by a virtual desktop client;
and the virtual desktop management platform verifies the access request, and if the verification is passed, the virtual desktop client is allowed to access the corresponding virtual machine.
Here, the access request may include a user name and a login password, the virtual desktop management platform verifies whether the user name exists and whether the corresponding login password is correct according to the received access request, if the verification is passed, a connection is established between the virtual desktop client that sends the access request and the virtual desktop management platform based on a virtual desktop protocol, and the virtual desktop client may log in to a target virtual machine deployed on the virtual desktop management platform through ethernet, thereby implementing a remote login of a desktop system of a user and performing a desktop operation.
In practical application, after a user logs in to a target virtual machine through a virtual desktop client and the mobile storage device is connected to the virtual desktop client, the user can perform desktop operations on the desktop system; for example, a data transmission request for exporting target data to the mobile storage device is generated by dragging a file or by copying and pasting. The target virtual machine responds to the drag or copy-and-paste operation and exports the corresponding target data to the virtual desktop management platform. The virtual desktop management platform determines the encryption strategy of the target data according to a preset encryption strategy, encrypts the target data according to that encryption strategy, and transmits the encrypted target data to the virtual desktop client, so that the virtual desktop client can transmit the encrypted target data to the mobile storage device.
In some embodiments, the operation and maintenance manager presets and stores the encryption policy of each virtual machine on the virtual management platform, so that the virtual desktop management platform may determine the encryption policy corresponding to the target data according to the prestored encryption policy, for example, the encryption policy corresponding to the virtual machine may be selected as the encryption policy corresponding to the target data.
In some embodiments, the virtual desktop management platform may further obtain an encryption policy corresponding to the access request online, and determine an encryption policy corresponding to the target data based on the encryption policy corresponding to the access request. Therefore, resource consumption of the virtual desktop management platform can be reduced, and the access efficiency of the virtual machine can be improved.
In some embodiments, the obtaining the encryption policy of the virtual machine based on the access request includes: and the virtual desktop management platform receives the encryption strategy of the virtual machine sent by the virtual desktop access control platform based on the access request. And the virtual desktop management platform determines the encryption strategy of the target data according to the encryption strategy of the virtual machine.
In practical application, operation and maintenance management personnel preset and store the encryption strategies of all virtual machines on the virtual management platform at the side of the virtual desktop access control platform. The virtual desktop management platform receives an access request for accessing the virtual machine, which is sent by the virtual desktop client, the virtual desktop management platform sends the access request to the virtual desktop access control platform, the virtual desktop access control platform verifies the access request, and if the access request passes the verification, the virtual desktop access control platform feeds back the verification result to the virtual desktop management platform. And the virtual desktop management platform establishes connection with a virtual desktop client based on a virtual desktop protocol according to the feedback result, and the virtual desktop client can log in a target virtual machine deployed on the virtual desktop management platform through the Ethernet. In addition, the virtual desktop access control platform determines an encryption policy corresponding to the access request in pre-stored encryption policies according to the access request, and sends the encryption policy corresponding to the access request to the virtual desktop management platform, and the virtual desktop management platform can determine the encryption policy of the target data according to the encryption policy corresponding to the access request.
Here, the encryption policy is an encryption algorithm for encrypting the target data. The encryption policy of the virtual machine may include: a first encryption strategy corresponding to a user, a second encryption strategy corresponding to a file type, and a third encryption strategy corresponding to file content.
In some embodiments, obtaining the encryption policy of the virtual machine based on the access request comprises:
and the virtual desktop management platform receives the encryption strategy of the virtual machine sent by the virtual desktop access control platform based on the access request.
Here, the virtual desktop access control platform may send the first encryption policy corresponding to the user based on the user identification (e.g., user name, user ID, etc.) in the access request.
In this way, the virtual desktop management platform may encrypt the target data based on the first encryption policy corresponding to the user.
In order to manage the encryption of data that belongs to the same user but has different security levels, in some embodiments the encryption policy obtained by the virtual desktop management platform further includes a second encryption policy corresponding to a file type under the virtual machine, and determining the encryption policy of the target data includes:
determining whether the target data matches a second encryption strategy based on the file type identifier corresponding to the target data;
if the target data is matched with the second encryption strategy, taking the second encryption strategy as the encryption strategy of the target data;
if the target data do not match the second encryption strategy, determining a first encryption strategy based on a user identifier corresponding to the target data, and taking the first encryption strategy as the encryption strategy of the target data;
the first encryption strategy corresponds to a user of the virtual machine, and the second encryption strategy corresponds to a file type under the virtual machine.
In practical application, the data of a specific file type can be encrypted at a high security level according to requirements, so as to be different from the encryption of the ordinary data of the user, for example, a file of a set extension type can be selected as the data required to be subjected to the second encryption policy. And if the target data conforms to the set extension name type, determining that the target data is matched with the second encryption strategy, and encrypting the target data according to the second encryption strategy. And if the target data does not accord with the set extension name type, encrypting the target data according to a first encryption strategy.
In some embodiments, the encryption policy obtained by the virtual desktop management platform further comprises a third encryption policy corresponding to file content in the virtual machine, and determining the encryption policy of the target data includes:
extracting keywords from the target data, and determining whether the target data matches a third encryption strategy based on the extraction result of the keywords;
if the target data is matched with the third encryption strategy, taking the third encryption strategy as the encryption strategy of the target data;
if the target data do not match the third encryption strategy, determining a first encryption strategy based on a user identifier corresponding to the target data, and taking the first encryption strategy as the encryption strategy of the target data;
the first encryption strategy corresponds to a user of the virtual machine, and the third encryption strategy corresponds to file content under the virtual machine.
In practical application, a file containing sensitive content may be encrypted at a high security level as required, to distinguish it from the encryption of the user's ordinary data. For example, content such as "confidential", "internal data" and "avoid leakage" may be selected as sensitive content to set the tag of the third encryption policy. Keyword extraction is performed on the target data to determine whether it contains the sensitive content; if so, the target data is determined to match the third encryption policy and is encrypted according to the third encryption policy. If the target data does not match the third encryption policy, the target data is encrypted according to the first encryption policy.
In some embodiments, the encryption policy obtained by the virtual desktop management platform may include the first encryption strategy, the second encryption strategy and the third encryption strategy. The platform may first judge whether the target data matches the third encryption strategy and, if so, encrypt according to the third encryption strategy; if not, judge whether the target data matches the second encryption strategy and, if so, encrypt according to the second encryption strategy; and if not, encrypt according to the first encryption strategy. In other embodiments, the platform may first judge whether the target data matches the second encryption strategy and, if so, encrypt according to the second encryption strategy; if not, judge whether the target data matches the third encryption strategy and, if so, encrypt according to the third encryption strategy; and if not, encrypt according to the first encryption strategy.
Therefore, the encryption strategy for encrypting the target data by the virtual desktop management platform is flexible, and the data encryption requirements of different levels can be met.
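The matching order described above, written out as an added example that is not part of the patent text: content (third) and file-type (second) checks run in a configurable order, with the per-user (first) policy as the fallback. The policy labels, the `.dwg` extension, the UTF-8/UTF-16 keyword scan and the refusal to export when a user has no first policy are assumptions; the keywords are the ones named in the description.

```python
from dataclasses import dataclass, field
from pathlib import PurePath


class ExportDenied(Exception):
    """No policy applies; refuse the export rather than send it unencrypted (assumption)."""


@dataclass(frozen=True)
class Policy:
    name: str  # hypothetical label; the algorithm and key behind it are out of scope


@dataclass
class VmPolicyGroup:
    """Encryption policies bound to one virtual machine."""
    by_user: dict                                     # first policy: user id -> Policy
    by_extension: dict = field(default_factory=dict)  # second policy: ".ext" -> Policy
    by_keyword: dict = field(default_factory=dict)    # third policy: keyword -> Policy
    order: tuple = ("content", "type")                # which check runs first


def match_type(group, filename):
    """Second policy: match on the final extension, case-insensitively."""
    return group.by_extension.get(PurePath(filename).suffix.lower())


def match_content(group, data):
    """Third policy: keyword search over the exported bytes."""
    # Decode both ways so a keyword stored as UTF-8 or as UTF-16 is found.
    texts = [data.decode(enc, errors="ignore").casefold()
             for enc in ("utf-8", "utf-16")]
    for keyword, policy in group.by_keyword.items():
        if any(keyword.casefold() in text for text in texts):
            return policy
    return None


def resolve_policy(group, user_id, filename, data):
    """Return the policy the management platform would encrypt this export with."""
    checks = {
        "content": lambda: match_content(group, data),
        "type": lambda: match_type(group, filename),
    }
    for kind in group.order:
        policy = checks[kind]()
        if policy is not None:
            return policy
    # Neither special policy matched: fall back to the user's first policy.
    try:
        return group.by_user[user_id]
    except KeyError:
        raise ExportDenied(f"no encryption policy for user {user_id!r}") from None


def sample_group(order=("content", "type")):
    """Constructed policy group for one VM (all values are sample data)."""
    high_content = Policy("content-high")
    return VmPolicyGroup(
        by_user={"alice": Policy("user-alice")},
        by_extension={".dwg": Policy("type-high")},
        by_keyword={"confidential": high_content,
                    "internal data": high_content,
                    "avoid leakage": high_content},
        order=order,
    )


if __name__ == "__main__":
    group = sample_group()
    exports = [  # constructed export requests: (file name, bytes leaving the VM)
        ("readme.txt", b"lunch menu"),
        ("plan.DWG", b"\x00\x01 drawing bytes"),
        ("memo.txt", "Internal Data: Q3".encode("utf-16")),
        ("plan.dwg", b"CONFIDENTIAL layout"),
    ]
    for name, payload in exports:
        print(name, "->", resolve_policy(group, "alice", name, payload).name)
```

A file that matches both special policies gets whichever check is listed first in `order`, which is the only difference between the two embodiments.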
The present invention will be described in further detail with reference to the following application examples.
Fig. 2 shows a schematic structural diagram of the VDI of the embodiment of the present application. The VDI comprises: a virtual desktop access control platform 201, a virtual desktop management platform 202, and a virtual desktop client 203. The virtual desktop access control platform 201 includes a policy group unit 2011 and a policy group issuing control unit 2012; the virtual desktop management platform 202 includes a plurality of virtual machines (e.g., VM1, VM2), a data encryption unit 2021 and a first data transmission unit 2022; and the virtual desktop client 203 includes a USB (Universal Serial Bus) control unit 2031 and a second data transmission unit 2032.
Here, the policy group unit 2011 is used to store and update the encryption policy of each virtual machine. The policy group issuing control unit 2012 is configured to issue a corresponding encryption policy to the data encryption unit 2021 of the virtual desktop management platform 202 according to the access request, and the data encryption unit 2021 is configured to encrypt the target data. The first data transmission unit 2022 is configured to transmit the encrypted target data to the virtual desktop client 203. The USB control unit 2031 is configured to manage an access request of the mobile storage device 204 connected to the virtual desktop client 203, and to manage the behavior of reading data from the mobile storage device 204 or writing data to the mobile storage device 204.
As shown in fig. 3, in this application embodiment, the method for encrypting data exported to a mobile storage device specifically includes the following steps:
Step 301, adding an encryption policy for data export to a policy group, and binding it to a virtual machine;
The operation and maintenance manager imports the relevant encryption policy into the policy group unit 2011 on the virtual desktop access control platform 201 side, and the policy group unit binds the encryption policy to the corresponding virtual machine according to the correspondence between the encryption policy and the virtual machine.
Step 302, the virtual desktop access control platform issues the encryption strategy to the virtual desktop management platform;
A user sends an access request for accessing a target virtual machine to the virtual desktop management platform 202 through the virtual desktop client 203. The virtual desktop management platform 202 forwards the access request to the virtual desktop access control platform 201, and the virtual desktop access control platform 201 verifies the access request. If the verification is passed, the virtual desktop management platform 202 and the virtual desktop client 203 are instructed to establish a connection based on a virtual desktop protocol, so that the virtual desktop client 203 can log in to the target virtual machine deployed on the virtual desktop management platform 202 through the Ethernet.
The policy group issuing control unit 2012 in the virtual desktop access control platform 201 further sends the encryption policy corresponding to the access request to the data encryption unit 2021 in the virtual desktop management platform 202 according to the access request.
Step 303, the virtual desktop management platform encrypts the data exported to the mobile storage device according to the encryption policy, and sends the encrypted data to the virtual desktop client.
The data encryption unit 2021 encrypts the target data output by the target virtual machine based on the encryption policy, the first data transmission unit 2022 transfers the encrypted target data to the second data transmission unit 2032 on the virtual desktop client 203 side, and the second data transmission unit 2032 sends the encrypted target data to the mobile storage device 204.
With this data export method, data in the virtual machine can be encrypted when it is exported to the mobile storage device, and an encryption policy control function for exporting data to the mobile storage device is provided. This ensures the security of data transmitted from the user's virtual desktop to the mobile storage device and also gives the operation and maintenance administrator flexible policy control. In addition, performing encryption in the data encryption unit 2021 of the virtual desktop management platform 202 reduces the occupation of virtual desktop resources during encryption, which helps to guarantee the user experience.
In order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides a data encryption apparatus, which is disposed on a virtual desktop management platform, and as shown in fig. 4, the apparatus includes: a receiving module 401, an obtaining module 402, a data encrypting module 403 and a sending module 404.
Here, the receiving module 401 is configured to receive a data transmission request sent by the virtual desktop client to export target data of the virtual machine operation to the mobile storage device; and the mobile storage equipment is connected with the virtual desktop client. The obtaining module 402 is configured to obtain the target data output by the virtual machine based on the data transmission request. The data encryption module 403 is configured to determine an encryption policy corresponding to the target data, and encrypt the target data according to the encryption policy. The sending module 404 is configured to transmit the encrypted target data to the virtual desktop client, so that the virtual desktop client transmits the encrypted target data to the mobile storage device.
In some embodiments, the receiving module 401 is further configured to: and receiving an access request for accessing the virtual machine, which is sent by the virtual desktop client. The obtaining module 402 is further configured to: and if the access request passes the verification, acquiring the encryption strategy of the virtual machine based on the access request.
In some embodiments, the data encryption module 403 is specifically configured to:
determine a first encryption policy based on a user identifier corresponding to the target data, and use the first encryption policy as the encryption policy of the target data; wherein the first encryption policy corresponds to a user of the virtual machine.
In some embodiments, the data encryption module 403 is specifically configured to:
determine whether the target data matches a second encryption policy based on the file type identifier corresponding to the target data;
if the target data matches the second encryption policy, use the second encryption policy as the encryption policy of the target data;
if the target data does not match the second encryption policy, determine a first encryption policy based on a user identifier corresponding to the target data, and use the first encryption policy as the encryption policy of the target data;
wherein the first encryption policy corresponds to a user of the virtual machine, and the second encryption policy corresponds to a file type under the virtual machine.
In some embodiments, the data encryption module 403 is specifically configured to:
extract keywords from the target data, and determine whether the target data matches a third encryption policy based on the keywords;
if the target data matches the third encryption policy, use the third encryption policy as the encryption policy of the target data;
if the target data does not match the third encryption policy, determine a first encryption policy based on a user identifier corresponding to the target data, and use the first encryption policy as the encryption policy of the target data;
wherein the first encryption policy corresponds to a user of the virtual machine, and the third encryption policy corresponds to file content under the virtual machine.
In some embodiments, the obtaining module 402 is specifically configured to:
receive the encryption policy of the virtual machine sent by the virtual desktop access control platform based on the access request.
Based on the data encryption device of the above embodiment, the virtual desktop management platform may obtain the target data output by the virtual machine based on the data transmission request, determine an encryption policy corresponding to the target data, and encrypt the target data according to the encryption policy. This improves data security while reducing the virtual machine's resource usage during data encryption, which improves the user experience of accessing the virtual machine through the virtual desktop client. In addition, because the exported data is encrypted by the virtual desktop management platform, encryption failures caused by operational faults of the virtual machine are avoided, which further improves the security of the exported data. Finally, the encryption policy that the virtual desktop management platform applies to the target data is flexible, and can meet the data encryption requirements of different levels for the same user.
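The policy selection performed by the data encryption module 403 can be sketched as follows. This is an added example, not code from the patent. It assumes the policy tables shown (constructed samples), that the file type identifier is the file extension, that the file-type check runs before the keyword check when both embodiments are combined, and that an export is refused when no first (user) policy exists.

```python
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    kind: str    # "first" (user), "second" (file type) or "third" (content)
    match: str   # the user id, file type or keyword that selected the policy
    level: str   # constructed label; the page does not define policy contents


class ExportDenied(Exception):
    """Raised when no policy applies, so data is never exported unencrypted."""


# Constructed sample tables standing in for the policies the platform
# receives from the virtual desktop access control platform.
USER_POLICIES = {"alice": Policy("first", "alice", "standard")}
FILETYPE_POLICIES = {".dwg": Policy("second", ".dwg", "high")}
KEYWORD_POLICIES = {"confidential": Policy("third", "confidential", "high")}


def file_type_id(filename: str) -> str:
    # Assumption: the file type identifier is the lower-cased extension.
    return os.path.splitext(filename)[1].lower()


def extract_keywords(data: bytes) -> set:
    # Tokenise whatever decodes as text; undecodable bytes are skipped.
    text = data.decode("utf-8", errors="ignore").lower()
    return set(re.findall(r"[a-z0-9_]+", text))


def resolve_policy(user_id: str, filename: str, data: bytes) -> Policy:
    # Second policy: matched on the file type identifier.
    policy = FILETYPE_POLICIES.get(file_type_id(filename))
    if policy is not None:
        return policy
    # Third policy: matched on keywords extracted from the content.
    found = extract_keywords(data)
    for keyword in sorted(KEYWORD_POLICIES):
        if keyword in found:
            return KEYWORD_POLICIES[keyword]
    # Fallback described on the page: first policy, keyed by user identifier.
    policy = USER_POLICIES.get(user_id)
    if policy is None:
        # Assumed fail-closed behaviour: refuse rather than export plaintext.
        raise ExportDenied(f"no encryption policy for user {user_id!r}")
    return policy
```

The resolved policy would then drive the encryption step on the management platform, before the data is returned to the virtual desktop client.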
In practical applications, the receiving module 401, the obtaining module 402, the data encryption module 403 and the sending module 404 may be implemented by a processor in the data encryption device. Of course, the processor needs to run a computer program in memory to implement its functions.
It should be noted that the division into program modules described for the data encryption device of the above embodiment is only an example. In practical applications, the processing may be distributed among different program modules as needed; that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the data encryption device and the data encryption method provided by the above embodiments belong to the same concept; the specific implementation process is described in the method embodiments and is not repeated here.
Based on the hardware implementation of the program module, and in order to implement the method of the embodiment of the present invention, the embodiment of the present invention further provides a virtual desktop management platform. Fig. 5 shows only an exemplary structure of the virtual desktop management platform, not the entire structure, and some or all of the structures shown in fig. 5 may be implemented as necessary.
As shown in fig. 5, a virtual desktop management platform 500 provided in an embodiment of the present invention includes: at least one processor 501, memory 502, a user interface 503, and at least one network interface 504. The various components in the virtual desktop management platform 500 are coupled together by a bus system 505. It will be appreciated that the bus system 505 is used to enable connection and communication among these components. The bus system 505 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are all labeled as bus system 505 in fig. 5.
The user interface 503 may include a display, a keyboard, a mouse, a trackball, a click wheel, a key, a button, a touch pad, a touch screen, or the like.
Memory 502 in embodiments of the present invention is used to store various types of data to support the operation of the virtual desktop management platform 500. Examples of such data include: any computer program for operating on the virtual desktop management platform 500.
The data encryption method disclosed by the embodiment of the invention can be applied to the processor 501, or implemented by the processor 501. The processor 501 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the data encryption method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 501. The processor 501 may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The processor 501 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 502; the processor 501 reads the information in the memory 502 and, in combination with its hardware, completes the steps of the data encryption method provided by the embodiment of the present invention.
In an exemplary embodiment, the virtual desktop management platform 500 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), FPGAs, general purpose processors, controllers, Micro Controllers (MCUs), microprocessors, or other electronic components for performing the aforementioned methods.
It will be appreciated that the memory 502 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory described in embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the embodiment of the present invention further provides a storage medium, that is, a computer storage medium, which may specifically be a computer readable storage medium, for example a memory 502 storing a computer program, where the computer program is executable by a processor 501 of a virtual desktop management platform 500 to perform the steps described in the method of the embodiment of the present invention. The computer readable storage medium may be a ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM, among others.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In addition, the technical solutions described in the embodiments of the present invention may be arbitrarily combined without conflict.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

Application CN201911347007.XA, priority date 2019-12-24, filing date 2019-12-24: Data encryption method, device, equipment and storage medium. Status: Active. Publication: CN111158857B (en)

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911347007.XA, CN111158857B (en) | 2019-12-24 | 2019-12-24 | Data encryption method, device, equipment and storage medium |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911347007.XA, CN111158857B (en) | 2019-12-24 | 2019-12-24 | Data encryption method, device, equipment and storage medium |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN111158857A | 2020-05-15 |
| CN111158857B | 2024-05-24 |

Family

ID=70558358

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911347007.XA (Active, CN111158857B (en)) | Data encryption method, device, equipment and storage medium | 2019-12-24 | 2019-12-24 |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN111158857B (en) |


Also Published As

| Publication number | Publication date |
|---|---|
| CN111158857B (en) | 2024-05-24 |


Legal Events

| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
