Disclosure of Invention
In view of the above, the present invention provides a cloud hard disk backup method, apparatus, computer device and storage medium, so as to solve the problem that the security of backup data cannot be ensured in the transmission and storage process of the backup data in the related technology.
In a first aspect, the present invention provides a cloud hard disk backup method, including:
acquiring data to be backed up of a cloud hard disk to be backed up;
The method comprises the steps of obtaining an encrypted data volume, copying data to be backed up to the encrypted data volume, wherein the encrypted data volume contains encryption information, and the encrypted data volume is used for encrypting the data to be backed up according to the encryption information to obtain and store the encrypted backup data;
creating a backup data volume, and copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume.
According to the cloud hard disk backup method, the encrypted data volume is obtained, the data to be backed up is copied to the encrypted data volume, the encrypted data volume encrypts the data to be backed up according to the encryption information to obtain and store the encrypted backup data, and the encrypted backup data and the encryption information in the encrypted data volume are copied to the backup data volume to complete the encrypted backup of the cloud hard disk to be backed up. The method can not only ensure that user data is not damaged, deleted or lost accidentally, but also ensure confidentiality of the data to be backed up in the transmission and storage processes and prevent data leakage, and even if an attacker can access the backup data volume, the attacker cannot directly read the encrypted data to be backed up in the backup data volume, thereby preventing unauthorized access. The problem that the safety of the backup data cannot be ensured in the transmission and storage processes of the backup data in the related technology is solved.
In some alternative embodiments, obtaining an encrypted data volume includes:
acquiring a data volume list corresponding to a cloud hard disk to be backed up at the back end of backup;
Judging whether a data volume with the same capacity as the backup size in the backup record and the same encryption type as the encryption type information in the backup record exists in the data volume list, and if so, taking the data volume as the encryption data volume, wherein the backup record is used for representing the backup information of the cloud hard disk to be backed up;
If the first empty data volume does not exist, the first empty data volume with the capacity same as the backup size in the backup record is created at the backup back end by the first component, the encryption type information in the backup record is used for formatting the first empty data volume, so that the encryption data volume is obtained, and encryption information is generated in the encryption data volume.
In this embodiment, an encrypted data volume containing encryption information is obtained or created at the back end of the backup, and in the process of backing up the cloud hard disk to be backed up, the encrypted data volume can encrypt data to be backed up according to the encryption information to obtain and store the encrypted backup data, so that confidentiality of the data to be backed up in the transmission and storage processes can be ensured, and even if an attacker can obtain the encrypted backup data, the encrypted backup data cannot be directly read, thereby preventing unauthorized access.
In some alternative embodiments, before determining whether there is a data volume in the data volume list that has the same size as the backup size in the backup record and the same encryption type as the encryption type information in the backup record, the method further includes:
acquiring encryption algorithm configuration information, encryption operation information, an encryption algorithm and a key length;
Obtaining encryption type information according to encryption algorithm configuration information, encryption operation information, an encryption algorithm and a key length, wherein the encryption type information is used for generating encryption information in an encryption data volume;
acquiring a backup name and a backup size;
a backup record is created in the database containing the encryption type information, the backup name, and the backup size.
In this embodiment, a backup record including encryption type information, a backup name and a backup size is created, and then an encrypted data volume may be created according to the encryption type information in the backup record, and a backup data volume may be created according to the backup name and the backup size in the backup record, so as to implement encrypted backup of the cloud hard disk to be backed up.
In some optional embodiments, obtaining data to be backed up of the cloud hard disk to be backed up includes:
freezing a file system of a cloud hard disk to be backed up;
Creating a snapshot of the cloud hard disk to be backed up according to the first component, wherein the snapshot comprises data to be backed up;
and generating a temporary cloud hard disk according to the snapshot, and recovering the file system, wherein the temporary cloud hard disk is used for temporarily storing data to be backed up.
In some alternative embodiments, copying data to be backed up to an encrypted data volume includes:
mounting the temporary cloud hard disk and the encrypted data volume on a host machine;
Comparing the temporary cloud hard disk with the encrypted data volume by using a host, determining difference data, and taking the difference data as data to be backed up;
and writing the data to be backed up into the encrypted data volume by using a preset protocol framework of the host.
In this embodiment, the host machine is used to compare the temporary cloud hard disk with the encrypted data volume to determine the difference data, so that full-scale backup and incremental backup can be performed on the cloud host machine to be backed up. And writing the data to be backed up into the encrypted data volume in parallel by using a preset protocol framework of the host machine, so that the data backup efficiency is improved.
In some alternative embodiments, mounting the temporary cloud hard disk and the encrypted data volume to the host machine includes:
Judging whether the temporary cloud hard disk is an encrypted cloud hard disk or not;
If not, mounting the temporary cloud hard disk to a host machine file directory of the host machine through a preset mounting command;
if yes, decrypting the temporary cloud hard disk through a preset decryption command, and mounting the decrypted temporary cloud hard disk to a host machine file directory through a preset mounting command;
decrypting the encrypted data volume through a preset decryption command, and mounting the decrypted encrypted data volume to a host machine file directory through a preset mounting command.
In some alternative embodiments, creating a backup data volume, copying encrypted backup data and encrypted information in the encrypted data volume to the backup data volume, includes:
The backup name and the backup size are obtained from the backup record, a second empty data volume with the same name and size as the backup size is created at the back end of the backup, and the second empty data volume is used as the backup data volume;
unloading the encrypted data volume at the host;
Establishing a local copy relationship between the encrypted data volume and the backup data volume by using the backup back end;
and copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume based on the local copy relationship.
In the embodiment, the backup data volume is created at the backup back end, the encrypted data volume is unloaded at the host computer, the encrypted backup data and the encrypted information in the encrypted data volume are copied to the backup data volume by utilizing the local copy function of the backup back end, the data copy efficiency is improved, and the available resources of the host computer are not required to be occupied.
In some alternative embodiments, creating a backup data volume, copying encrypted backup data and encrypted information in the encrypted data volume to the backup data volume, includes:
The backup name and the backup size are obtained from the backup record, a second empty data volume with the same name and size as the backup size is created at the back end of the backup, and the second empty data volume is used as the backup data volume;
mounting the backup data volume on a host machine;
and copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume by using a preset protocol framework of the host.
In this embodiment, the encrypted backup data and the encrypted information in the encrypted data volume are written in parallel into the encrypted data volume by using a preset protocol frame of the host, so as to improve the data backup efficiency.
In some alternative embodiments, unloading the encrypted data volume at the host includes:
Unloading the encrypted data volume from the host file directory through a preset unloading command;
executing the data volume closing command to close the encrypted data volume.
In some alternative embodiments, after writing the data to be backed up to the encrypted data volume, the method further comprises:
Judging whether the temporary cloud hard disk is an encrypted cloud hard disk or not;
If not, unloading the temporary cloud hard disk from the host machine file directory through a preset unloading command;
if yes, unloading the temporary cloud hard disk from the host machine file directory through a preset unloading command, executing a cloud hard disk closing command, and closing the temporary cloud hard disk.
In some alternative embodiments, the method further comprises:
before creating a snapshot of the cloud hard disk to be backed up according to the first component, modifying the state of the cloud hard disk to be backed up into backup in a database;
After creating a snapshot of the cloud hard disk to be backed up according to the first component, modifying the state of the cloud hard disk to be backed up into an available state in the database.
In this embodiment, before creating the snapshot of the cloud hard disk to be backed up, the state of the cloud hard disk to be backed up is modified into backup, so that backup failure caused by other operations performed on the cloud hard disk to be backed up by the user in the backup process is prevented. After the snapshot is created, the state of the cloud hard disk to be backed up is changed into an available state, and the cloud host can perform read-write operation on the cloud hard disk to be backed up, so that the normal production service of the cloud host cannot be affected by the encryption backup flow.
In some alternative embodiments, after copying the encrypted backup data and the encryption information in the encrypted data volume to the backup data volume, the method further comprises:
Under the condition that a data recovery instruction and a secret key are received, decrypting the backup data volume by using the secret key, and acquiring data to be recovered corresponding to the data recovery instruction from the decrypted backup data volume;
And determining a target cloud hard disk according to the data recovery instruction, and recovering the data to be recovered to the target cloud hard disk.
In the embodiment, the data to be recovered is recovered to the target cloud hard disk by using the data recovery instruction and the secret key, so that the protection and recovery capacity of the data are provided, the user data can be recovered quickly under the conditions of loss, damage or accidents, the integrity of the user data is effectively ensured, the confidentiality of the backup data in the transmission and storage processes is ensured, and the safety of the data is enhanced.
In a second aspect, the present invention provides a cloud hard disk backup apparatus, including:
The data acquisition module is used for acquiring data to be backed up of the cloud hard disk to be backed up;
the first backup module is used for acquiring an encrypted data volume and copying data to be backed up to the encrypted data volume, wherein the encrypted data volume contains encryption information, and the encrypted data volume is used for encrypting the data to be backed up according to the encryption information to obtain and store the encrypted backup data;
and the second backup module is used for creating a backup data volume and copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume.
In a third aspect, the present invention provides a computer device, including a memory and a processor, where the memory and the processor are communicatively connected to each other, and the memory stores computer instructions, and the processor executes the computer instructions, so as to execute the cloud hard disk backup method of the first aspect or any implementation manner corresponding to the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium, where computer instructions are stored on the computer readable storage medium, where the computer instructions are configured to cause a computer to perform the cloud hard disk backup method according to the first aspect or any one of the embodiments corresponding to the first aspect.
In a fifth aspect, the present invention provides a computer program product, including computer instructions for causing a computer to perform the cloud hard disk backup method of the first aspect or any of the corresponding embodiments thereof.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
OpenStack is a project for cloud platform management, and OpenStack can provide software for construction and management of public cloud, private cloud and hybrid cloud. The primary task of OpenStack is to simplify the cloud deployment process and bring about good scalability, and OpenStack is a combination of several major components, including Cinder, nova, etc., which adds persistent storage for the virtual machine, and Cinder provides an infrastructure to manage data volumes and interact with the OpenStack computing service. Cinder also activates functions to manage snapshots of volumes and volume types. Nova is the most core service of OpenStack, responsible for maintaining and managing computing resources of the cloud environment. Virtual machine lifecycle management is also implemented by Nova.
Although the OpenStack cloud platform has realized the basic function of cloud hard disk backup, the OpenStack cloud platform only has the capability of protecting and recovering the cloud hard disk data, and may leak backup data in the process of transmitting and storing the backup data, so that the safety of the backup data cannot be ensured.
Based on the above, the embodiment of the invention provides a cloud hard disk backup method, which comprises the steps of firstly, copying all data to be backed up of a cloud hard disk to be backed up to a temporary cloud hard disk, then simultaneously mounting the temporary cloud hard disk and an encrypted data volume to a host, and simultaneously copying the data to be backed up to the encrypted data volume through the host, wherein the encrypted data volume contains encryption information which is used for encrypting the data to be backed up, unloading the encrypted data volume from the host after copying is completed, creating a backup volume at a backup back end, and copying all data of the encrypted data volume to the backup volume through a local copy function of the backup back end, wherein the backup volume contains the same encryption information, so that the backup and encryption processes of the cloud hard disk to be backed up are completed. Under the condition that the production task of the cloud host is not affected, the cloud hard disk data is backed up and encrypted, so that confidentiality of the backup data in the transmission and storage processes can be ensured, data leakage is prevented, and even if an attacker can access the cloud storage service, the encrypted backup data cannot be directly read, and unauthorized access is prevented. The technical effects of ensuring that the user data is not damaged, deleted or lost accidentally, ensuring confidentiality of the backup data in the transmission and storage processes and enhancing the safety of the user data are achieved.
According to an embodiment of the present invention, a cloud hard disk backup embodiment is provided, and it should be noted that, the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer device having data processing capability, such as a computer, a server, etc., and, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different from that illustrated herein.
In this embodiment, a cloud hard disk backup method is provided, and fig. 1 is a flowchart of the cloud hard disk backup method according to an embodiment of the present invention, as shown in fig. 1, where the flowchart includes the following steps:
step S101, obtaining data to be backed up of a cloud hard disk to be backed up.
Specifically, as shown in fig. 1, cloud host management and cloud hard disk management are performed by using OpenStack, a Nova component in OpenStack is used for managing a cloud host, and a Cinder component is used for managing a cloud hard disk in a storage backend.
And determining a source Yun Yingpan at the storage back end, wherein the source cloud hard disk is a cloud hard disk which needs to be backed up. And taking the source cloud hard disk as the cloud hard disk to be backed up. The invention supports full backup and incremental backup of the cloud hard disk. And if the incremental backup is performed, changing data in the cloud hard disk to be backed up compared with the previous backup is used as the data to be backed up. In addition, the snapshot function of the backup back end can be used for copying all data to be backed up of the cloud hard disk to the temporary cloud hard disk, the data to be backed up is temporarily stored in the temporary cloud hard disk, and the data read-write function of the cloud hard disk to be backed up is not affected during the process of backing up the data to be backed up.
Step S102, an encrypted data volume is obtained, the data to be backed up is copied to the encrypted data volume, wherein the encrypted data volume contains encryption information, and the encrypted data volume is used for encrypting the data to be backed up according to the encryption information, so as to obtain and store the encrypted backup data.
Specifically, an encrypted data volume is obtained at the back-up end, where the encrypted data volume is, for example, an encrypted Base (Base) volume, and if the back-up end already has the encrypted data volume associated with Yun Yingpan to be backed-up, the encrypted data volume is directly used, and if not, an empty data volume needs to be created at the back-up end, and then the encrypted information is written into the empty data volume to obtain the encrypted data volume. The encrypted data volume contains encrypted information such as encryption algorithm, disk encryption technology, key length, encryption operation location, etc.
The data to be backed up is copied to the encrypted data volume. The cloud hard disk (such as a temporary cloud hard disk) for storing the data to be backed up and the encrypted data volume can be mounted on the same host, and the host is utilized to copy the data to be backed up to the encrypted data volume. The encrypted data volume can encrypt the data to be backed up according to the encryption information to obtain and store the encrypted backup data.
Step S103, creating a backup data volume, and copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume.
Specifically, a backup data volume is created at the backup back-end. The backup data volume and the encrypted data volume are both positioned at the backup back end, so that the encrypted data volume can be unloaded from the host machine first, and then the encrypted backup data and the encrypted information in the encrypted data volume are copied to the backup data volume by utilizing the local copy function of the backup back end. Or the backup data volume can also be mounted on the host machine, and the host machine is utilized to copy the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume. And finally, unloading and deleting the temporary cloud hard disk from the host machine to finish the backup and encryption processes of the cloud hard disk to be backed up.
According to the cloud hard disk backup method, the encrypted data volume is obtained, the data to be backed up is copied to the encrypted data volume, the encrypted data volume encrypts the data to be backed up according to the encryption information to obtain and store the encrypted backup data, and the encrypted backup data and the encryption information in the encrypted data volume are copied to the backup data volume to complete the encrypted backup of the cloud hard disk to be backed up. The method can not only ensure that user data is not damaged, deleted or lost accidentally, but also ensure confidentiality of the data to be backed up in the transmission and storage processes and prevent data leakage, and even if an attacker can access the backup data volume, the attacker cannot directly read the encrypted data to be backed up in the backup data volume, thereby preventing unauthorized access. The problem that the safety of the backup data cannot be ensured in the transmission and storage processes of the backup data in the related technology is solved.
In some alternative embodiments, obtaining an encrypted data volume includes:
acquiring a data volume list corresponding to a cloud hard disk to be backed up at the back end of backup;
Judging whether a data volume with the same capacity as the backup size in the backup record and the same encryption type as the encryption type information in the backup record exists in the data volume list, and if so, taking the data volume as the encryption data volume, wherein the backup record is used for representing the backup information of the cloud hard disk to be backed up;
If the first empty data volume does not exist, the first empty data volume with the capacity same as the backup size in the backup record is created at the backup back end by the first component, the encryption type information in the backup record is used for formatting the first empty data volume, so that the encryption data volume is obtained, and encryption information is generated in the encryption data volume.
Specifically, a Base volume list, namely a data volume list, associated with a source cloud hard disk is acquired at a backup back end. The source cloud hard disk is the cloud hard disk to be backed up.
And judging whether a data volume which has the latest creation time, the same capacity as the backup size in the backup record and the same encryption type as the encryption type information in the backup record exists in the data volume list. If so, the encrypted backup of the source cloud hard disk is created for the non-first time, the data in the encrypted Base volume contains the encrypted information and the backup data of the source cloud hard disk last time, and the data volume is taken as an encrypted data volume. The backup record is used for representing backup information of the cloud hard disk to be backed up, the backup size in the backup record is the size of the cloud hard disk to be backed up, and the encryption information in the backup record contains backup encryption type information to be created.
If the data volume list does not exist in the data volume list, the fact that the encrypted data volume needs to be re-created for first creating the encrypted backup of the source cloud hard disk is indicated. The first component is, for example, a Cinder component. And creating a first empty data volume with the same capacity as the backup size in the backup record at the backup back end by using the first component. And formatting the first empty data volume according to the encryption type information in the backup record through cryptsetup luksFormat commands, wherein the formatted first empty data volume contains encryption information, and the encrypted data volume is obtained.
In this embodiment, an encrypted data volume containing encryption information is obtained or created at the back end of the backup, and in the process of backing up the cloud hard disk to be backed up, the encrypted data volume can encrypt data to be backed up according to the encryption information to obtain and store the encrypted backup data, so that confidentiality of the data to be backed up in the transmission and storage processes can be ensured, and even if an attacker can obtain the encrypted backup data, the encrypted backup data cannot be directly read, thereby preventing unauthorized access.
In some alternative embodiments, before determining whether there is a data volume in the data volume list that has the same size as the backup size in the backup record and the same encryption type as the encryption type information in the backup record, the method further includes:
acquiring encryption algorithm configuration information, encryption operation information, an encryption algorithm and a key length;
Obtaining encryption type information according to encryption algorithm configuration information, encryption operation information, an encryption algorithm and a key length, wherein the encryption type information is used for generating encryption information in an encryption data volume;
acquiring a backup name and a backup size;
a backup record is created in the database containing the encryption type information, the backup name, and the backup size.
Specifically, when the cloud hard disk to be backed up is encrypted, firstly, encryption type information of the backup is specified, and the encryption type information is used for generating encryption information in an encryption data volume. The encryption type information consists of four configuration parameters of provider, control location, encryption algorithm and key length. Provider, encryption algorithm configuration information, refers to a software library, service or hardware module that implements an encryption algorithm, such as LUKS (Linux Unified Key Setup, standard for Linux hard disk encryption), which is a commonly used disk encryption technology, by providing a standard disk format, it can not only promote compatibility between issuers, but also provide security management of multiple user passwords, and LUKS stores all necessary setting information in partition information headers, enabling users to seamlessly transfer or migrate their data. The control location, i.e. the encryption operation information, refers to the context or environment in which the encryption operation occurs, the default control location is the front end, and its corresponding service is the Nova component. The encryption algorithm is the core of the encryption process, which defines how data is encrypted and decrypted, such as aes-xts-place 64, where aes is the encryption algorithm, xts is the encryption mode, and place 64 is the initialization vector mode of the encryption mode. The key length is the number of bits of the key used in the encryption algorithm, longer keys generally providing greater security, and key lengths are typically 128 or 256 bits.
And acquiring a backup name and a backup size, wherein the backup name is set according to actual requirements, and the backup size is the same as the size of the cloud hard disk to be backed up. A backup record is created in the database containing encryption type information, backup name, and backup size, and may further include information such as a backup status, e.g., in creation, idle, use, etc., a source Yun Yingpan ID (Identity document, identity), etc.
According to the cloud hard disk encryption backup method, a user only needs to specify a backup name, an encryption type and a backup back end, so that the operation is simple, the usability is high, the additional hardware and software cost is not required to be increased, and the production cost is low.
In this embodiment, a backup record including encryption type information, a backup name and a backup size is created, and then an encrypted data volume may be created according to the encryption type information in the backup record, and a backup data volume may be created according to the backup name and the backup size in the backup record, so as to implement encrypted backup of the cloud hard disk to be backed up.
In some optional embodiments, obtaining data to be backed up of the cloud hard disk to be backed up includes:
freezing a file system of a cloud hard disk to be backed up;
Creating a snapshot of the cloud hard disk to be backed up according to the first component, wherein the snapshot comprises data to be backed up;
and generating a temporary cloud hard disk according to the snapshot, and recovering the file system, wherein the temporary cloud hard disk is used for temporarily storing data to be backed up.
Specifically, the embodiment is used for creating a temporary cloud hard disk. Firstly, freezing a source cloud hard disk, namely a file system of the cloud hard disk to be backed up, and preventing a cloud host from performing read-write operation on the cloud hard disk to be backed up.
The first component is, for example, a Cinder component. A snapshot of the current time is created to be backed up Yun Yingpan according to the first component. And creating a snapshot of the cloud hard disk to be backed up according to the first component, wherein the snapshot can be directly used as a temporary cloud hard disk, or creating an empty cloud hard disk, and writing data in the snapshot into the empty cloud hard disk and using the data in the snapshot as the temporary cloud hard disk. Because the cloud hard disk to be backed up and the temporary cloud hard disk are positioned at the same storage back end, all data of the cloud hard disk to be backed up are copied to the temporary cloud hard disk through a local copying function of the storage back end. As shown in fig. 2, a snapshot of the source cloud hard disk is created at the storage backend, and a temporary cloud hard disk is created according to the snapshot. After the temporary cloud hard disk is established, the file system of the source cloud hard disk is restored, the cloud host can perform read-write operation on the cloud hard disk to be backed up, the subsequent encryption backup flow is completed by the temporary cloud hard disk, and normal production business of the cloud host cannot be affected.
In some alternative embodiments, copying data to be backed up to an encrypted data volume includes:
mounting the temporary cloud hard disk and the encrypted data volume on a host machine;
Comparing the temporary cloud hard disk with the encrypted data volume by using a host, determining difference data, and taking the difference data as data to be backed up;
and writing the data to be backed up into the encrypted data volume by using a preset protocol framework of the host.
Specifically, the present embodiment uses the host to perform data transmission between the temporary cloud hard disk and the encrypted data volume. And mounting the temporary cloud hard disk and the encrypted data volume on a host.
After the temporary cloud hard disk and the encrypted data volume are mounted on the host machine, comparing user data in the temporary cloud hard disk and the encrypted data volume, if the encrypted backup is not carried out on the cloud hard disk to be backed up for the first time, reading incremental data in the temporary cloud hard disk, taking the incremental data as difference data, and if the encrypted backup is carried out on the cloud hard disk to be backed up for the first time, reading full data in the temporary cloud hard disk, and taking the full data as the difference data.
The preset protocol frame of the host machine is, for example, a protocol frame of eventlet library. And writing the data to be backed up into the encrypted data volume concurrently by utilizing a preset protocol framework of the host machine. After the temporary cloud hard disk data is copied to the encrypted data volume, other data in the encrypted data volume are completely consistent with the data in the temporary cloud hard disk and the source cloud hard disk except the encrypted information in the encrypted data volume. As shown in fig. 2, data of the temporary cloud hard disk is copied to an encrypted Base volume at the back-up back-end.
In this embodiment, the host machine is used to compare the temporary cloud hard disk with the encrypted data volume to determine the difference data, so that full-scale backup and incremental backup can be performed on the cloud host machine to be backed up. And writing the data to be backed up into the encrypted data volume in parallel by using a preset protocol framework of the host machine, so that the data backup efficiency is improved.
In some alternative embodiments, mounting the temporary cloud hard disk and the encrypted data volume to the host machine includes:
Judging whether the temporary cloud hard disk is an encrypted cloud hard disk or not;
If not, mounting the temporary cloud hard disk to a host machine file directory of the host machine through a preset mounting command;
if yes, decrypting the temporary cloud hard disk through a preset decryption command, and mounting the decrypted temporary cloud hard disk to a host machine file directory through a preset mounting command;
decrypting the encrypted data volume through a preset decryption command, and mounting the decrypted encrypted data volume to a host machine file directory through a preset mounting command.
Specifically, the embodiment is used for mounting the temporary cloud hard disk and the encrypted data volume on a host machine. When the temporary cloud hard disk is created, all data including encrypted data in the cloud hard disk to be backed up are copied to the temporary cloud hard disk, so if the source cloud hard disk is the encrypted cloud hard disk, the temporary cloud hard disk is also the encrypted cloud hard disk.
Judging whether the temporary cloud hard disk is an encrypted cloud hard disk or not, and if the temporary cloud hard disk is the encrypted cloud hard disk, decrypting the temporary cloud hard disk before mounting the temporary cloud hard disk on a host machine. The preset decryption command is, for example, cryptsetup luksOpen commands, and the preset mount command is, for example, mount commands. And if the temporary cloud hard disk is a common cloud hard disk and is not an encrypted cloud hard disk, the temporary cloud hard disk is directly mounted to the host machine file directory or the host machine mounting point directory of the host machine through the preset mounting command.
Decrypting the encrypted data volume through a preset decryption command, and then mounting the decrypted encrypted data volume to a host machine file directory or a host machine mounting point directory through a preset mounting command.
In some alternative embodiments, creating a backup data volume, copying encrypted backup data and encrypted information in the encrypted data volume to the backup data volume, includes:
The backup name and the backup size are obtained from the backup record, a second empty data volume with the same name and size as the backup size is created at the back end of the backup, and the second empty data volume is used as the backup data volume;
unloading the encrypted data volume at the host;
Establishing a local copy relationship between the encrypted data volume and the backup data volume by using the backup back end;
and copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume based on the local copy relationship.
Specifically, a backup name and a backup size are obtained from a backup record, the backup name is set according to actual requirements, and the backup size is the same as the size of a cloud hard disk to be backed up.
And creating a second empty data volume with the same name and size as the backup name at the backup back end, and taking the second empty data volume as the backup data volume.
After the backup data volume is created, the encrypted data volume and the backup data volume are both on the backup back end, so that the local copy function of the backup back end can be utilized for data copy. To facilitate the use of the backup backend local copy function, the encrypted data volumes need to be offloaded at the host first.
And establishing a local copy relationship between the encrypted data volume and the backup data volume by using the backup back end. And based on the local copy relationship, the encrypted backup data and the encrypted information in the encrypted data volume are all copied to the backup data volume. And after copying is completed, the backup data volume is the encrypted backup volume of the source cloud hard disk. As shown in fig. 2, at the back-end of the backup, the data in the encrypted Base volume is copied to the encrypted backup volume by local copy.
In the embodiment, the backup data volume is created at the backup back end, the encrypted data volume is unloaded at the host computer, the encrypted backup data and the encrypted information in the encrypted data volume are copied to the backup data volume by utilizing the local copy function of the backup back end, the data copy efficiency is improved, and the available resources of the host computer are not required to be occupied.
In some alternative embodiments, creating a backup data volume, copying encrypted backup data and encrypted information in the encrypted data volume to the backup data volume, includes:
The backup name and the backup size are obtained from the backup record, a second empty data volume with the same name and size as the backup size is created at the back end of the backup, and the second empty data volume is used as the backup data volume;
mounting the backup data volume on a host machine;
and copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume by using a preset protocol framework of the host.
Specifically, a backup name and a backup size are obtained from a backup record, the backup name is set according to actual requirements, and the backup size is the same as the size of a cloud hard disk to be backed up.
And creating a second empty data volume with the same name and size as the backup name at the backup back end, and taking the second empty data volume as the backup data volume.
The preset protocol frame of the host machine is, for example, a protocol frame of eventlet library. Because the data can be copied concurrently by using the preset protocol frame of the host, the data copying efficiency is higher, and therefore, the data copying can be performed by using the preset protocol frame of the host. In order to facilitate the use of the host's pre-set protocol framework, the backup data volume needs to be first mounted to the host.
And copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume by utilizing a preset protocol framework of the host machine. After copying, the backup data volume is the encrypted backup volume of the source cloud hard disk, and other data in the backup data volume are completely consistent with the data in the temporary cloud hard disk and the source cloud hard disk except the encrypted information in the backup data volume.
In this embodiment, the encrypted backup data and the encrypted information in the encrypted data volume are written in parallel into the encrypted data volume by using a preset protocol frame of the host, so as to improve the data backup efficiency.
In some alternative embodiments, unloading the encrypted data volume at the host includes:
Unloading the encrypted data volume from the host file directory through a preset unloading command;
executing the data volume closing command to close the encrypted data volume.
Specifically, the unload command is preset, for example, an umount command. The data volume close command is, for example, cryptsetup luksClose command.
And after copying the data to be backed up of the temporary cloud hard disk to the encrypted data volume, unloading the encrypted data volume from the host machine file directory through a preset unloading command, and executing a data volume closing command to close the encrypted data volume to finish unloading the encrypted data volume.
It should be noted that after the encrypted backup of the cloud hard disk to be backed up is completed, the encrypted data volume is not deleted, and the encrypted data volume is utilized to copy the user incremental data when the encrypted backup of the cloud hard disk to be backed up is performed next time.
In some alternative embodiments, after writing the data to be backed up to the encrypted data volume, the method further comprises:
Judging whether the temporary cloud hard disk is an encrypted cloud hard disk or not;
If not, unloading the temporary cloud hard disk from the host machine file directory through a preset unloading command;
if yes, unloading the temporary cloud hard disk from the host machine file directory through a preset unloading command, executing a cloud hard disk closing command, and closing the temporary cloud hard disk.
Specifically, when the host computer uninstalls the temporary cloud hard disk, it is also required to determine whether the temporary cloud hard disk is an encrypted cloud hard disk, and if the temporary cloud hard disk is an encrypted cloud hard disk, it is required to decrypt the temporary cloud hard disk first.
The preset unload command is, for example, an umount command. Cloud hard disk shutdown commands such as cryptsetup luksClose commands.
And if the temporary cloud hard disk is not the encrypted cloud hard disk, directly unloading the temporary cloud hard disk from the host file directory through a preset unloading command. And deleting the temporary cloud hard disk after the temporary cloud hard disk is unloaded from the host machine.
If the temporary cloud hard disk is an encrypted cloud hard disk, unloading the temporary cloud hard disk from the host file directory through a preset unloading command, executing a cloud hard disk closing command, and closing the temporary cloud hard disk. And deleting the temporary cloud hard disk after the temporary cloud hard disk is unloaded from the host machine.
In some alternative embodiments, the method further comprises:
before creating a snapshot of the cloud hard disk to be backed up according to the first component, modifying the state of the cloud hard disk to be backed up into backup in a database;
After creating a snapshot of the cloud hard disk to be backed up according to the first component, modifying the state of the cloud hard disk to be backed up into an available state in the database.
Specifically, before creating a snapshot of the cloud hard disk to be backed up according to the first component, freezing a source cloud hard disk, namely a file system of the cloud hard disk to be backed up, modifying the cloud hard disk state from being used to being backed up in a database, and preventing a user from performing other operations on the cloud hard disk to be backed up in the backup process.
After the snapshot of the cloud hard disk to be backed up is created, or after the temporary cloud hard disk is created, restoring the file system of the cloud hard disk to be backed up, modifying the state of the cloud hard disk to be backed up into an available state in a database, and enabling the cloud host to perform read-write operation on the cloud hard disk to be backed up, wherein the subsequent encryption backup flow is completed by the temporary cloud hard disk, so that normal production business of the cloud host is not affected.
In this embodiment, before creating the snapshot of the cloud hard disk to be backed up, the state of the cloud hard disk to be backed up is modified into backup, so that backup failure caused by other operations performed on the cloud hard disk to be backed up by the user in the backup process is prevented. After the snapshot is created, the state of the cloud hard disk to be backed up is changed into an available state, and the cloud host can perform read-write operation on the cloud hard disk to be backed up, so that the normal production service of the cloud host cannot be affected by the encryption backup flow.
In some alternative embodiments, after copying the encrypted backup data and the encryption information in the encrypted data volume to the backup data volume, the method further comprises:
Under the condition that a data recovery instruction and a secret key are received, decrypting the backup data volume by using the secret key, and acquiring data to be recovered corresponding to the data recovery instruction from the decrypted backup data volume;
And determining a target cloud hard disk according to the data recovery instruction, and recovering the data to be recovered to the target cloud hard disk.
Specifically, after the encrypted backup data and the encrypted information in the encrypted data volume are copied to the backup data volume, the encrypted backup of the cloud hard disk to be backed up is completed. The state of the backup data volume in the database is changed from the creation to the available state, and at this time, the user can utilize the backup data volume to restore data. For example, the user sends a data recovery instruction and a key to the backup back end, and the user formulates the data to be recovered, namely the data to be recovered and the position to be recovered, such as a target cloud hard disk, through the data recovery instruction. The backup back-end decrypts the backup data volume by using the key, acquires data to be restored corresponding to the data restoration instruction from the decrypted backup data volume, determines the target cloud hard disk according to the data restoration instruction, and restores the data to be restored to the target cloud hard disk.
In the embodiment, the data to be recovered is recovered to the target cloud hard disk by using the data recovery instruction and the secret key, so that the protection and recovery capacity of the data are provided, the user data can be recovered quickly under the conditions of loss, damage or accidents, the integrity of the user data is effectively ensured, the confidentiality of the backup data in the transmission and storage processes is ensured, and the safety of the data is enhanced.
In some optional embodiments, a custom policy may be set to implement automatic backup for the cloud hard disk, and the specific flow may include steps A1 to A4.
And A1, after a cloud hard disk is created, determining the cloud hard disk to be backed up automatically.
Specifically, a user selects the type of a cloud hard disk through an OpenStack client component according to the requirements of the user, creates the cloud hard disk to be used, and determines the cloud hard disk to be backed up automatically in the created cloud hard disk.
And step A2, creating a self-defined backup strategy according to the service requirement.
Specifically, the attribute information of the backup strategy set by the user-defined backup strategy is created through the basic operation type provided by the strategy module, and the backup strategy is started. The backup strategy is stored in an independent data table which is extended and added based on the OpenStack database, and a user can perform basic data operation on the self-defined backup strategy, wherein basic data operation types comprise creation, deletion, modification, inquiry, association, enabling and disabling. The backup strategy of the cloud hard disk is a service resource type provided by a data service class component for carrying out service expansion based on the OpenStack open-source service framework.
And step A3, associating the created backup strategy with the cloud hard disk to be backed up automatically, and storing the association relation information into an association relation data table corresponding to the database.
Specifically, the relationship between the backup policy and the cloud hard disk is a one-to-many relationship, that is, one backup policy may be associated with a plurality of cloud hard disks, and one cloud hard disk may be associated with only one backup policy. The attribute information of the backup strategy includes the ID, name, status, period (daily, weekly or monthly), time point (specified time), and attribution information of the backup strategy. The association relation information comprises cloud hard disk ID, backup strategy ID and attribution information. For example, the cloud hard disk a and the cloud hard disk B are both associated with the backup policy created in the step A2, and at this time, association relations between the two cloud hard disks and the backup policy are generated, and the cloud hard disk a and the cloud hard disk B (in which the cloud hard disk ID, the backup policy ID, the attribution information, etc. are recorded) are recorded respectively and stored in an association relation data table corresponding to the database.
And A4, creating an automatic backup script, wherein the automatic backup script is used for scanning association relation information in the association relation data table according to a backup strategy, and utilizing the cloud hard disk backup methods in the steps S101 to S103 and other embodiments to automatically backup the cloud hard disk determined to be backed up, so as to generate a corresponding backup data volume.
Specifically, the automatic backup script scans association relationship information recorded in the association relationship data table according to a defined backup policy, and performs automatic backup on the cloud hard disk determined to be automatically backed up by using the cloud hard disk backup methods in steps S101 to S103 and other embodiments to generate a corresponding backup data volume for the period and the time point designated by the cloud hard disk in the backup policy.
In the embodiment, the user-defined backup strategy is added to realize automatic backup of the appointed cloud hard disk based on the appointed time point and the appointed strategy, so that the risk of safe data storage is greatly reduced, the user is more humanized, the operation is more convenient, and the use experience of the user is improved.
In some optional implementations, fig. 3 is a flowchart of a cloud hard disk encryption backup method according to an embodiment of the present invention, where the method may also solve the problem that the security of backup data cannot be guaranteed in the transmission and storage process of the backup data in the related art, as shown in fig. 3, where the method includes the following steps:
Specifying encryption type, modifying source cloud hard disk state, creating backup record by database, creating temporary cloud hard disk, judging whether source cloud hard disk is encrypted, if yes, host machine decrypting and mounting temporary cloud hard disk, if not, host machine mounting temporary cloud hard disk, judging whether there is an encrypted Base roll, if not, creating Base roll, encrypting and formatting Base roll, host machine decrypting and mounting Base roll, if yes, host machine decrypting and mounting Base roll, temporary cloud hard disk copying data to Base roll, host machine unloading Base roll, creating backup roll, base roll copying data to backup roll, unloading and deleting temporary cloud hard disk, updating source cloud hard disk and backup state.
In the embodiment, the method and the device not only can ensure that the user data is prevented from being damaged, deleted or lost accidentally and provide the capability of protecting and recovering the data, but also ensure the confidentiality of the backup data in the transmission and storage processes, prevent unauthorized access and further enhance the safety of the user data.
In this embodiment, a cloud hard disk backup device is further provided, and the device is used to implement the foregoing embodiments and preferred embodiments, and will not be described again. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a cloud hard disk backup device, as shown in fig. 4, including:
The data acquisition module 401 is configured to acquire data to be backed up of the cloud hard disk to be backed up;
The first backup module 402 is configured to obtain an encrypted data volume, copy data to be backed up to the encrypted data volume, where the encrypted data volume contains encryption information, and encrypt the data to be backed up according to the encryption information to obtain and store encrypted backup data;
and a second backup module 403, configured to create a backup data volume, and copy the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume.
In some alternative embodiments, the first backup module 402 includes:
The acquisition unit is used for acquiring a data volume list corresponding to the cloud hard disk to be backed up at the back end of the backup;
the judging unit is used for judging whether the data volume list has the data volume with the same capacity as the backup size in the backup record and the same encryption type as the encryption type information in the backup record, and if so, taking the data volume as the encryption data volume, wherein the backup record is used for representing the backup information of the cloud hard disk to be backed up;
And the first creating unit is used for creating a first empty data volume with the same capacity as the backup size in the backup record at the backup back end by using the first component, formatting the first empty data volume by using the encryption type information in the backup record to obtain an encrypted data volume and generating encryption information in the encrypted data volume if the first empty data volume does not exist.
In some alternative embodiments, the apparatus further comprises:
the first acquisition module is used for acquiring encryption algorithm configuration information, encryption operation information, an encryption algorithm and a key length;
The obtaining module is used for obtaining encryption type information according to the encryption algorithm configuration information, the encryption operation information, the encryption algorithm and the key length, wherein the encryption type information is used for generating encryption information in the encrypted data volume;
the second acquisition module is used for acquiring the backup name and the backup size;
And the creation module is used for creating a backup record containing the encryption type information, the backup name and the backup size in the database.
In some alternative embodiments, the data acquisition module 401 includes:
the freezing unit is used for freezing the file system of the cloud hard disk to be backed up;
the second creating unit is used for creating a snapshot of the cloud hard disk to be backed up according to the first component, wherein the snapshot comprises data to be backed up;
And the recovery unit is used for generating a temporary cloud hard disk according to the snapshot and recovering the file system, wherein the temporary cloud hard disk is used for temporarily storing the data to be backed up.
In some alternative embodiments, the first backup module 402 includes:
The first mounting unit is used for mounting the temporary cloud hard disk and the encrypted data volume on the host;
The determining unit is used for comparing the temporary cloud hard disk with the encrypted data volume by utilizing the host machine, determining difference data and taking the difference data as data to be backed up;
and the writing unit is used for writing the data to be backed up into the encrypted data volume by utilizing a preset protocol framework of the host machine.
In some alternative embodiments, the first mounting unit includes:
the first judging submodule is used for judging whether the temporary cloud hard disk is an encrypted cloud hard disk or not;
The first mounting sub-module is used for mounting the temporary cloud hard disk to a host machine file directory of the host machine through a preset mounting command if the temporary cloud hard disk is not the same;
The second mounting sub-module is used for decrypting the temporary cloud hard disk through a preset decryption command and mounting the decrypted temporary cloud hard disk to a host machine file directory through a preset mounting command if the temporary cloud hard disk is in the first mounting sub-module;
and the third mounting sub-module is used for decrypting the encrypted data volume through a preset decryption command and mounting the decrypted encrypted data volume to the host machine file directory through the preset mounting command.
In some alternative embodiments, the second backup module 403 includes:
The third creating unit is used for obtaining the backup name and the backup size from the backup record, creating a second empty data volume with the same name and size as the backup name and the same size as the backup size at the backup back end, and taking the second empty data volume as the backup data volume;
the unloading unit is used for unloading the encrypted data volume in the host machine;
the establishing unit is used for establishing a local copy relationship between the encrypted data volume and the backup data volume by utilizing the backup back end;
And the first copying unit is used for copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume based on the local copying relation.
In some alternative embodiments, the second backup module 403 includes:
a fourth creation unit, configured to obtain a backup name and a backup size from the backup record, create, at a backup back end, a second empty data volume having a name identical to the backup name and a size identical to the backup size, and use the second empty data volume as a backup data volume;
the second mounting unit is used for mounting the backup data volume on the host machine;
And the second copying unit is used for copying the encrypted backup data and the encrypted information in the encrypted data volume to the backup data volume by utilizing a preset protocol framework of the host machine.
In some alternative embodiments, the unloading unit includes:
the first unloading submodule is used for unloading the encrypted data volume from the host machine file catalog through a preset unloading command;
and the closing sub-module is used for executing a data volume closing command and closing the encrypted data volume.
In some alternative embodiments, the first backup module 402 further comprises:
the second judging submodule is used for judging whether the temporary cloud hard disk is an encrypted cloud hard disk or not;
the second unloading submodule is used for unloading the temporary cloud hard disk from the host machine file catalog through a preset unloading command if the temporary cloud hard disk is not the temporary cloud hard disk;
And the third unloading sub-module is used for unloading the temporary cloud hard disk from the host machine file directory through a preset unloading command if the temporary cloud hard disk is unloaded, executing a cloud hard disk closing command and closing the temporary cloud hard disk.
In some alternative embodiments, the data acquisition module 401 further comprises:
The first state modifying unit is used for modifying the state of the cloud hard disk to be backed up into backup in the database before the snapshot of the cloud hard disk to be backed up is created according to the first component;
And the second state modifying unit is used for modifying the state of the cloud hard disk to be backed up into an available state in the database after the snapshot of the cloud hard disk to be backed up is created according to the first component.
In some alternative embodiments, the apparatus further comprises:
The decryption module is used for decrypting the backup data volume by utilizing the key under the condition of receiving the data recovery instruction and the key, and acquiring data to be recovered corresponding to the data recovery instruction from the decrypted backup data volume;
And the recovery module is used for determining the target cloud hard disk according to the data recovery instruction and recovering the data to be recovered to the target cloud hard disk.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The cloud hard disk backup device in this embodiment is presented in the form of a functional unit, where the unit refers to an ASIC (Application SPECIFIC INTEGRATED Circuit) Circuit, a processor and a memory that execute one or more software or fixed programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides computer equipment, which is provided with the cloud hard disk backup device shown in the figure 4.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention, and as shown in fig. 5, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting components, including a high-speed interface and a low-speed interface. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on memory to display graphical information of the GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories and multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 5.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further comprise, among other things, an integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, application programs required for at least one function, and a storage data area that may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The memory 20 may comprise volatile memory, such as random access memory, or nonvolatile memory, such as flash memory, hard disk or solid state disk, or the memory 20 may comprise a combination of the above types of memory.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer readable storage medium, and the method according to the embodiments of the present invention described above may be implemented in hardware, firmware, or as a computer code which may be recorded on a storage medium, or as original stored in a remote storage medium or a non-transitory machine readable storage medium downloaded through a network and to be stored in a local storage medium, so that the method described herein may be stored on such software process on a storage medium using a general purpose computer, a special purpose processor, or programmable or special purpose hardware. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random-access memory, a flash memory, a hard disk, a solid state disk, or the like, and further, the storage medium may further include a combination of the above types of memories. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Portions of the present invention may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or aspects in accordance with the present invention by way of operation of the computer. Those skilled in the art will appreciate that the existence of computer program instructions in a computer-readable medium includes, but is not limited to, source files, executable files, installation package files, and the like, and accordingly, the manner in which computer program instructions are executed by a computer includes, but is not limited to, the computer directly executing the instructions, or the computer compiling the instructions and then executing the corresponding compiled programs, or the computer reading and executing the instructions, or the computer reading and installing the instructions and then executing the corresponding installed programs. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
Although the embodiments of the present application have been described with reference to the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the application, and such modifications and variations fall within the scope of the application as defined by the claims.