System starting method, system information processing method, device, equipment and medium thereof
By reading the encrypted root key and password from the root keystore and configuration file during system startup, decrypting them, and setting them as environment variables, the problem of easy leakage of system information is solved, and the system security and startup speed are improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA POST INFORMATION TECH (BEIJING) CO LTD
- Filing Date
- 2022-10-28
- Publication Date
- 2026-06-16
AI Technical Summary
In existing technologies, system information is easily leaked, and encrypted system information is stored in configuration files or environment variables, making it difficult to maintain system security.
By reading the encrypted root key from the root key store and the encryption/decryption password from the configuration file, the root key is decrypted based on the encryption/decryption password, and the decrypted root key is set as an environment variable in the configuration file. The configuration file is then updated to initiate system startup. At the same time, the encrypted root key and the encryption/decryption password are stored in different locations to improve security.
It enhances the protection of system information, reduces the risk of information leakage, and improves system security and startup speed.
Figure CN115600215B_ABST
Description
Technical Field
[0001] This invention relates to the field of system information security technology, and in particular to system startup methods, system information processing methods, devices, equipment and media.
Background Technology
[0002] In the field of system information security technology, measures are needed to protect information and prevent information leakage. Cryptography is one of the main means of protecting information security, and it is used to encrypt and authenticate system information.
[0003] Currently, information protection employs key encryption, along with storage management of the encrypted information. Key encryption methods include symmetric and asymmetric encryption. Storage methods vary, with some storing the encryption root key at the same level as sensitive information or in a unified configuration file, others storing it in the application's startup parameters, and still others having system administrators manage the encryption root key.
[0004] The current solution cannot meet users' security requirements for system information. Most system information is stored in plaintext in configuration files or system environment variables. However, configuration files and system environment variables are easily visible, making it easy to obtain encrypted system information. Once encrypted information is obtained, maintaining system security becomes extremely difficult.
Summary of the Invention
[0005] This invention provides a system startup method, a system information processing method, an apparatus, a device, and a medium thereof to address the problems of easy leakage of system information and system security.
[0006] According to one aspect of the present invention, a system startup method is provided, comprising:
[0007] In response to the system startup command, the encrypted root key is read from the root key store, and the encryption / decryption password is read from the configuration file;
[0008] The encrypted root key is decrypted based on the encryption / decryption password to obtain the decrypted root key;
[0009] The decrypted root key is set as an environment variable in the configuration file to obtain the updated configuration file;
[0010] The system starts based on the updated configuration file.
[0011] According to another aspect of the present invention, a system information processing method is provided, comprising:
[0012] Acquire sensitive system information, encrypt the sensitive system information based on the working key to obtain the encrypted sensitive system information, and encrypt the working key based on the root key;
[0013] Obtain the encryption / decryption password, and encrypt the root key based on the encryption / decryption password to obtain the encrypted root key;
[0014] Store the encrypted root key in the root key store, and set the encryption / decryption password and the encrypted sensitive information in the configuration file.
[0015] According to another aspect of the present invention, a system startup device is provided, comprising:
[0016] The key reading module is used to read the encrypted root key from the root key store and the encryption / decryption password from the configuration file in response to the system startup command;
[0017] The root key acquisition module is used to decrypt the encrypted root key based on the encryption / decryption password to obtain the decrypted root key;
[0018] The configuration file update module is used to set the decrypted root key as an environment variable in the configuration file, thus obtaining the updated configuration file.
[0019] The system startup module is used to start the system based on the updated configuration file.
[0020] According to another aspect of the present invention, a system information processing apparatus is provided, comprising:
[0021] The information encryption module is used to acquire sensitive system information, encrypt the sensitive system information based on the working key to obtain encrypted sensitive system information, and encrypt the working key based on the root key.
[0022] The root key encryption module is used to obtain the encryption and decryption passwords, and to encrypt the root key based on the encryption and decryption passwords to obtain the encrypted root key;
[0023] The information storage module is used to store the encrypted root key in the root key store and to set the encryption / decryption password and the encrypted sensitive information in the configuration file.
[0024] According to another aspect of the present invention, an electronic device is provided, the electronic device comprising:
[0025] At least one processor; and
[0026] A memory that is communicatively connected to at least one processor; wherein,
[0027] The memory stores a computer program that can be executed by at least one processor, such that the at least one processor is able to perform the system startup method and / or system information processing method according to any embodiment of the present invention.
[0028] According to another aspect of the present invention, a computer-readable storage medium is provided, which stores computer instructions for causing a processor to execute and implement the system startup method and / or system information processing method of any embodiment of the present invention.
[0029] The technical solution of this invention encrypts system information to obtain data such as a root key, an encrypted root key, and an encrypted password. The key and password are stored separately in different files, databases, or servers. Upon system startup, the key and its decryption password are obtained, and decryption is performed using decryption technology to obtain the plaintext root key and the plaintext of sensitive information, thus completing system startup. This solves the problems of root key storage security and secure system startup, strengthens the protection of system information, reduces the probability of system information leakage, and improves system security.
[0030] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of the present invention, nor is it intended to limit the scope of the invention. Other features of the invention will become readily apparent from the following description.
Attached Figure Description
[0031] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0032] Figure 1 is a flowchart of a system startup method provided in Embodiment 1 of the present invention;
[0033] Figure 2 is a flowchart of an information processing method provided in Embodiment 2 of the present invention;
[0034] Figure 3 is a schematic diagram of the structure of a system startup device provided in Embodiment 3 of the present invention;
[0035] Figure 4 is a schematic diagram of the structure of a system information processing device provided in Embodiment 4 of the present invention;
[0036] Figure 5 is a schematic diagram of the structure of an electronic device provided in Embodiment 5 of the present invention.
Detailed Implementation
[0037] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.
[0038] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0039] Embodiment 1
[0040] Figure 1 is a flowchart of a system startup method provided in Embodiment 1 of the present invention. This embodiment is applicable to situations where the system is started via a startup command. This method can be executed by a system startup device, which can be implemented in hardware and / or software. The system startup device can be configured in electronic devices such as computers, mobile phones, game consoles, and servers. As shown in Figure 1, the method includes:
[0041] S110. In response to the system startup command, read the encrypted root key from the root key store and the encryption / decryption password from the configuration file.
[0042] Here, a startup command refers to the instruction that enables an electronic device to power on. The command can consist of a string of binary numbers or a signal provided by a switching device; there is no limitation on the startup command itself. This startup command can be generated in response to a startup operation, such as detecting a pressed startup button, a selected startup control, or a detected startup gesture. It is understood that the type of system being started is not limited here.
[0043] A key is a parameter used by electronic devices to encrypt and decrypt data. It can be a seemingly random string of numbers or a structured string composed of multiple parts. The key can be generated by the system using a pseudo-random number generator or by an encryption algorithm based on a password. A root key is an encryption key used for data protection. It is typically generated automatically by the system after approval by a designated key installation personnel. A root key store is a database that stores encrypted root keys, i.e., a database that stores root key ciphertext. It can be created using a database generator or generated by executing a script file. This root key store can be obtained from the system's hardware, an external server, or a public root key management system. A configuration file is a file that stores program and system configuration parameters, user information, and initial settings. Different programs or systems use different configuration file formats. This configuration file is automatically generated during the system development process.
[0044] The system's response to a boot command involves the system detecting the command and executing a series of operations. For example, upon receiving the boot command, the system retrieves its root key and its corresponding decryption password to complete the boot process. The encrypted root key is obtained from a root key store by traversing its records. The encryption / decryption password is retrieved from a configuration file, matching the obtained encrypted root key.
[0045] In this embodiment, the encrypted root key is stored in the root key store, and the encryption / decryption password is set in the configuration file. Storing the encrypted root key and the encryption / decryption password in different storage locations increases the difficulty of obtaining both at the same time, as well as the difficulty of cracking the root key, thereby reducing the security risk of the root key and further improving the security of system data.
[0046] Optionally, reading the encrypted root key from the root key store includes: obtaining system credentials based on a preset function, sending the system credentials to the root key store for verification; and obtaining the encrypted root key returned by the root key store if the verification is successful.
[0047] Preset functions are functions used to execute system startup. They can be pre-defined functional modules or a reusable code block; there are no restrictions on preset functions here. Preset functions can be generated from function functional models or obtained by encapsulating some programs. System credentials refer to a type of identity verification that can be passed by the system. System credentials may include, but are not limited to, system usernames and passwords, registration certificates, etc. These credentials can be randomly assigned by the system, randomly assigned by the server, or assigned by the system administrator, etc.
[0048] System credential verification determines whether the credential can pass the system's identity verification. Verification can be performed through the system's identity verification module or through the management system. Feedback refers to the result given by the system / device in response to an input signal. Feedback can be a signal, a string of characters output after program execution, etc. This feedback can be output through a control model, obtained through program execution, or provided by the management system.
[0049] Specifically, the system detects the startup command, calls a preset function to obtain system credentials, and sends them to the management system. Upon successful system verification, it accesses the root key store, iterates through all data, and obtains the encrypted root key. The preset function can be understood as a pre-defined main function that includes credential information acquisition, information matching, and encryption / decryption capabilities. This main function obtains randomly assigned credential information from the system and sends it as the system credential to the management system belonging to the root key store. The management system verifies the system credential, obtains the verification result, and, if the verification is successful, logs into the root key store, iterates through the data in the root key store, finds the encrypted root key, and outputs the encrypted root key corresponding to the system credential as an output parameter. Here, the root key store can store encrypted root keys from different systems. Correspondingly, the root key store can associate and store encrypted root keys with system information (such as identifiers). When the system credential verification is successful, the system matches the system information (such as system information in the system credential or system information in the system startup command) in the root key store to obtain the matching encrypted root key.
[0050] For example, when the power button of an electronic device is pressed, the system detects the power-on command, obtains system credentials such as username and password by calling the preset main function, and sends them to the root key management system to which the root key store belongs. The root key management system completes the authentication and accesses the root key store if the authentication is successful, and obtains the encrypted root key corresponding to the system credentials.
[0051] In this embodiment, once a system startup command is generated, the system responds to the startup command by retrieving the encrypted root key and the encryption / decryption password from different storage locations. The encrypted root key can be obtained from the root key store, and the encryption / decryption password can be obtained from the system configuration file. This increases the difficulty of obtaining the root key and improves the security of the root key.
[0052] S120. Decrypt the encrypted root key based on the encryption / decryption password to obtain the decrypted root key.
[0053] The decryption process involves using appropriate algorithms and keys to process the encrypted information, converting the ciphertext into plaintext. Decryption can be performed using a dedicated decryption module or an open-source decryption component, including but not limited to Jasypt. The encryption component can be varied according to the encryption / decryption requirements. The decrypted root key refers to the plaintext information obtained through decryption technology. This decrypted root key can be obtained through processing by a module with decryption capabilities or by using a decryption component.
[0054] Specifically, the decrypted root key is obtained by decrypting the encrypted root key from the system's root key store, using the encryption / decryption password in the configuration file. The decryption can be performed by an open-source component or by a decryption algorithm model: the encryption / decryption password and the encrypted root key are passed as input parameters to the open-source component and / or the decryption algorithm model, which processes them and outputs the plaintext of the encrypted root key.
[0055] For example, the encryption / decryption password and the encrypted root key are obtained, and these are used as input parameters to obtain the decrypted root key through the DES (Data Encryption Standard) decryption algorithm.
[0056] In this embodiment, the encrypted root key is decrypted using the encryption / decryption password, which improves the decryption speed of the system's encrypted root key, enabling the root key to be obtained quickly and speeding up the system's startup.
[0057] S130. Set the decrypted root key as an environment variable in the configuration file to obtain the updated configuration file.
[0058] Environment variables are parameters that specify the system's operating environment. They contain information used by one or more system applications, and different applications have different environment variables. These environment variables can be initialized during system startup via scripts, set in the system registry, configured via system commands, or automatically generated from configuration files by open-source components.
[0059] Specifically, the plaintext information of the root key is obtained through decryption and set to the corresponding environment variable in the configuration file, thereby updating the configuration file.
[0060] For example, the plaintext of the root key is obtained through a decryption algorithm, and the obtained plaintext of the root key is set to the environment variable "jasypt.encryptor.password" of the open-source component Jasypt, and the configuration file of the component is updated.
[0061] In this embodiment, the system automatically obtains the plaintext information of the root key and automatically assigns it to the environment variables of the configuration file, avoiding manual modification of the configuration file by the system operator and improving the accuracy of configuration file updates. By setting the decrypted root key in the configuration file as an environment variable, it is convenient to start the system using the updated configuration file.
[0062] S140. Start the system based on the updated configuration file.
[0063] The updated configuration file is the file resulting from adding, modifying, or deleting parameters from the system configuration file. Updates can be performed automatically by the system, manually by a system operator, or through a preset function.
[0064] Specifically, the preset function assigns the plaintext information of the obtained root key to the environment variable of the open source component, completes the update of the configuration file, and starts the system with the updated configuration file.
[0065] For example, the preset main function obtains the plaintext information of the root key, sets the plaintext information to the environment variable "jasypt.encryptor.password" of the open-source component Jasypt, updates the configuration file of the open-source component, and then completes the system startup.
[0066] Optionally, starting the system based on the updated configuration file includes: parsing the decrypted root key in the updated configuration file to obtain sensitive system information, and then starting the system based on the sensitive system information.
[0067] Optionally, obtaining the sensitive system information based on the decrypted root key in the updated configuration file includes: reading the decrypted root key from the environment variables in the updated configuration file; decrypting the encrypted working key based on the decrypted root key to obtain the decrypted working key; and processing the encrypted system sensitive information based on the decrypted working key to obtain the system sensitive information.
[0068] System-sensitive information refers to information that, if leaked, illegally provided, or misused, could endanger personal and property safety. This system-sensitive information includes, but is not limited to, usernames, passwords, technical information, and experimental data. A working key is a key used to encrypt data, also known as a data key. This key includes, but is not limited to, PIN keys, MAC keys, and magnetic stripe keys, and can be automatically generated by encryption components or automatically generated when generating configuration files.
[0069] The decrypted root key is read based on a preset function. This function reads the encrypted sensitive information from the configuration file and then decrypts it using decryption techniques. Methods for reading the configuration include, but are not limited to, using methods of the Properties configuration class object or calling methods of the development framework. Techniques for decrypting the encrypted sensitive information include, but are not limited to, open-source encryption / decryption components, decryption algorithms, and decryption models. The acquisition of system sensitive information is accomplished by combining the working key, the encrypted sensitive information, and encryption / decryption techniques. In some embodiments, this may involve calling a decryption model, inputting the working key and the encrypted sensitive information, and obtaining the decrypted sensitive information output by the model. In some embodiments, decryption is performed directly through a decryption algorithm, using the working key and the encrypted sensitive information as input parameters. The algorithm processes the data to obtain the decrypted sensitive information.
[0070] Specifically, the root key of the system is obtained, then set as an environment variable for the decryption system. The decryption system is then started, and after processing, it obtains the working key. Then, the encrypted sensitive information in the configuration file is obtained, and the encrypted sensitive information is decrypted through the decryption system to obtain the plaintext of the sensitive information.
[0071] For example, the system configures the obtained root key into the environment variables of the open-source component Jasypt, and then starts the Spring Boot environment. Spring Boot decrypts the root key and the encrypted sensitive information according to the rules of the Jasypt component to obtain the plaintext of the sensitive information.
[0072] In the technical solution of this embodiment, the system startup method responds to the system startup command by sending the obtained system credentials to the root key management system to which the root key store belongs. The root key management system verifies the system credentials. After verification succeeds, it logs in to the root key store, traverses it, and obtains the encrypted root key corresponding to the system credentials. A preset function decrypts the encrypted root key, using the encryption / decryption password obtained from the configuration file, to obtain the plaintext of the root key. The preset function then sets the root key as the environment variable of the open-source component Jasypt, starts the Spring Boot environment, and uses the open-source component to decrypt the working key and the encrypted sensitive information, finally obtaining the plaintext of the sensitive information and completing the system startup. By using the above system startup method and storing the root key and encrypted sensitive information in different locations, the problem of easy information leakage is avoided, the difficulty of obtaining key information is increased, the protection of the root key and sensitive information is enhanced, and the system security is improved.
[0073] Embodiment 2
[0074] Figure 2 is a flowchart of a system information processing method provided in Embodiment 2 of the present invention. This embodiment adds a processing method for the information in the above embodiments. This method can be executed by a system information processing device, which can be implemented in hardware and / or software, and can be configured in electronic devices such as computers, mobile phones, game consoles, and servers. As shown in Figure 2, the method includes:
[0075] S210. Obtain sensitive system information, encrypt the sensitive system information based on the working key to obtain encrypted sensitive system information, and encrypt the working key based on the root key.
[0076] Sensitive system information refers to fundamental environmental information about the system itself, such as system details, middleware versions, and user information. Leakage of this information could provide attackers with more attack avenues and methods. Sensitive system information can be obtained from system configuration files, system environment variables, or from server commands. To protect this sensitive information, it needs to be encrypted.
[0077] Specifically, sensitive system information is processed using encryption technology to obtain the corresponding working key. To prevent the leakage of security information, encryption technology is used to further encrypt the working key to obtain the root key corresponding to the working key.
[0078] For example, when acquiring sensitive system information, such as usernames and passwords, to protect this information, it is encrypted using the AES symmetric encryption algorithm and then stored in the system's configuration file. To further enhance the security of sensitive system information, the working key is further encrypted using encryption techniques based on the root key.
[0079] In this embodiment, sensitive system information is encrypted, and the obtained key is encrypted again. This encryption method reduces the risk of leakage of sensitive system information and improves the security of sensitive system information.
[0080] S220. Obtain the encryption / decryption password, and encrypt the root key based on the encryption / decryption password to obtain the encrypted root key.
[0081] Encryption / decryption passwords are passwords set to protect software, files, and other data on electronic devices. An encryption / decryption password consists of an encryption password and a decryption password. Depending on the encryption method, the encryption and decryption passwords can be the same or different. The encryption / decryption password can be obtained by calling a cryptographic model; by inputting the information to be encrypted into the encryption model, the encrypted information and the encryption / decryption password are obtained. Alternatively, the encryption / decryption password can be obtained by executing encryption instructions on the information to be encrypted.
[0082] The encrypted root key is obtained based on the encryption / decryption cipher. The root key is then encrypted using the encryption / decryption cipher to obtain the encrypted root key. This encryption process can be achieved using an encryption model, where the encryption cipher and root key are input to the model to obtain the encrypted root key; alternatively, an encryption component can be used, where the encryption cipher and root key are input parameters and encrypted by the component to obtain the encrypted root key; or, the encrypted root key can be obtained by reading a configuration file from the system or server.
[0083] Specifically, encryption and decryption passwords are typically stored in the electronic device's configuration file. The passwords are obtained by reading the configuration file, encrypting the root key, and then obtaining the encrypted root key. It's understandable that encryption can utilize open-source components for key encryption, or it can employ encryption algorithms to encrypt the root key.
[0084] For example, the system uses an open-source encryption component to encrypt sensitive information to obtain a working key and the encrypted sensitive information. Then, the working key is encrypted again using the open-source encryption component. In order to ensure the protection of the root key, the root key needs to be further encrypted. This can be done by using the open-source encryption component Jasypt to encrypt the root key, thereby obtaining the encrypted root key and the encryption / decryption password.
[0085] In this embodiment, the encryption and decryption password generated by the encryption component and the password generation model is obtained. The root key is then encrypted using the encryption and decryption password to obtain the encrypted root key. The root keys are dynamically generated and not stored, which enhances the confidentiality of the root key and improves the security of the system.
[0086] S230. Store the encrypted root key in the root key store and set the encryption / decryption password and the encrypted sensitive information in the configuration file.
[0087] The configuration file settings involve configuring environment variables. These parameters can be added, modified, or deleted by system operators, configured using preset functions, or configured by calling a server.
[0088] Specifically, the system obtains information such as the encrypted root key, the root key, the encryption / decryption password, and the encrypted sensitive information. For the security of the root key, the system stores this information in different locations, which may include, but are not limited to, system configuration files, encryption / decryption component configuration files, servers, management systems, etc. For example, the encrypted root key is stored in the root key store of the root key management system, and the encrypted sensitive information and the decryption password for the encrypted root key are stored in the system configuration file.
[0089] For example, the system obtains sensitive information and encrypts it with an open-source encryption component, storing the encrypted sensitive information and the encryption / decryption password in the system's configuration file. It encrypts the working key to obtain the root key, and the root key must itself be encrypted to protect it. The encrypted root key is stored in the root key store of the root key management system, and the encryption / decryption password is stored in the configuration file.
[0090] Furthermore, the method also includes: obtaining system verification information and sending the system verification information to the root key store, so that the root key store adds the system verification information to the whitelist for authentication when the system requests the root key.
[0091] System verification information is a type of identity verification information. This information can be SMS verification, IP address verification, username and password verification, passphrase verification, QR code verification, etc. This verification information can be randomly assigned by the system, assigned by professional administrators, or requested by the user. A whitelist refers to a list of trusted entities. Information in the whitelist includes, but is not limited to, usernames and passwords, user IP addresses, email addresses, and application software. In one embodiment, an IP address whitelist records the IP addresses of users allowed to access the system or server. Generally, the IP address whitelist records the application identifier corresponding to the system; the corresponding IP address can be found based on the application identifier, and the existing IP address is the allowed IP address to access the system.
[0092] Specifically, the preset function obtains the system verification information and sends it to the root key store in the root key management system. It stores a portion of the verification information in a whitelist, which may include, but is not limited to, IP addresses, usernames and passwords, and email addresses. When the system requests the encryption root key and root key information, it needs to verify the system verification information against the whitelist to determine whether the requested verification information is trustworthy.
[0093] For example, after the system authentication information is obtained, it is sent to the system whitelist and to the root key store of the root key management system. One or more pieces of the authentication information are stored in the whitelist, and all of the information, or all of it except the IP address, is stored in the root key store. If a request to access the root key store is detected, the authentication information provided by the requesting user is verified against this stored authentication information.
[0094] In this embodiment, by storing the root key, encryption / decryption password, and encrypted sensitive information in the root key store and configuration file respectively, the difficulty of obtaining all of this information simultaneously is increased, thereby increasing the difficulty of obtaining sensitive information and enhancing the system's protection of sensitive information.
[0095] The technical solution of this embodiment increases the difficulty for external systems to obtain encrypted information and its keys by acquiring sensitive information, encrypting and decrypting sensitive information, encrypting and decrypting working keys and root keys, and storing encrypted information and keys in different locations, thereby reducing the risk of sensitive information leakage, improving the storage security of system information, and enhancing system security.
[0096] Example 3
[0097] Figure 3 is a schematic diagram of a system startup device provided in Embodiment 3 of the present invention. As shown in Figure 3, the device includes:
[0098] The key reading module 310 is used to read the encrypted root key from the root key store and the encryption / decryption password from the configuration file in response to the system startup command.
[0099] The root key acquisition module 320 is used to decrypt the encrypted root key based on the encryption / decryption password to obtain the decrypted root key;
[0100] The configuration file update module 330 is used to set the decrypted root key as an environment variable in the configuration file to obtain the updated configuration file.
[0101] System startup module 340 is used to start the system based on the updated configuration file.
[0102] Optionally, the key reading module 310 is specifically used for:
[0103] Based on a preset function, obtain the system credentials and send them to the root key store for verification.
[0104] If the verification is successful, obtain the encrypted root key returned by the root key store.
[0105] Optionally, the system startup module 340 includes:
[0106] The sensitive information decryption unit is used to parse the system's sensitive information based on the decrypted root key in the updated configuration file.
[0107] The system startup unit is used to start the system based on sensitive system information.
[0108] Optionally, the sensitive information decryption unit is specifically used for:
[0109] Read the decrypted root key from the environment variables in the updated configuration file, and decrypt the encrypted working key based on the decrypted root key to obtain the decrypted working key;
[0110] The encrypted sensitive information is processed using the decrypted working key to obtain the sensitive information.
[0111] The technical solution of this embodiment, through the cooperation of various modules, realizes operations such as system startup and system information acquisition in electronic devices. This system information includes system credentials, the encrypted root key, the encryption / decryption password, the root key, and decrypted sensitive information. This embodiment of the invention achieves secure system startup by verifying system credentials, decrypting the encrypted root key, and updating configuration files, thereby improving the security of system startup.
[0112] The system startup device provided in the embodiments of the present invention can execute the system startup method provided in any embodiment of the present invention, and has the corresponding functional modules and beneficial effects of the execution method.
[0113] Example 4
[0114] Figure 4 is a schematic diagram of the structure of a system information processing device provided in Embodiment 4 of the present invention.
[0115] As shown in Figure 4, the device includes:
[0116] The information encryption module 410 is used to acquire sensitive system information, encrypt the sensitive system information based on the working key to obtain encrypted sensitive system information, and encrypt the working key based on the root key.
[0117] The root key encryption module 420 is used to obtain the encryption and decryption password, and to encrypt the root key based on the encryption and decryption password to obtain the encrypted root key;
[0118] The information storage module 430 is used to store the encrypted root key in the root key store and to set the encryption / decryption password and the encrypted sensitive information in the configuration file.
[0119] Furthermore, the device also includes an information verification module, specifically used for:
[0120] Obtain system verification information and send it to the root key store so that the root key store adds the system verification information to the whitelist for authentication when the system requests the root key.
[0121] The technical solution in this embodiment, through the cooperation of various modules, realizes operations such as information encryption, root key encryption, and information storage in electronic devices. This embodiment avoids storing encrypted sensitive information in the same or same-level configuration file, increasing the difficulty for external electronic devices to obtain encrypted sensitive information and keys, reducing the risk of sensitive information leakage, and improving system information security.
[0122] The system information processing device provided in the embodiments of the present invention can execute the system information processing method provided in any embodiment of the present invention, and has the corresponding functional modules and beneficial effects of executing the method.
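The provisioning flow of modules 410-430 and the startup flow of modules 310-340 can be traced end to end in the following example, which is added here and is not code from the patent. The names `RootKeyStore`, `provision`, `startup`, `ROOT_KEY` and the configuration keys are hypothetical; the PBKDF2 plus HMAC-SHA256 encrypt-then-MAC routine is a standard-library stand-in for a component such as Jasypt, and keeping the encrypted working key in the configuration file is an assumption.

```python
import hashlib
import hmac
import secrets

def kdf(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the encryption / decryption password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _subkeys(key: bytes):
    # Separate keys for the keystream and for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption): returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(enc_key, nonce, ct)

class RootKeyStore:
    """Hypothetical root key store: separate location plus credential whitelist."""
    def __init__(self):
        self._whitelist, self._blobs = {}, {}

    def register(self, app_id: str, credential: bytes, enc_root_key: bytes):
        self._whitelist[app_id] = hashlib.sha256(credential).digest()
        self._blobs[app_id] = enc_root_key

    def fetch(self, app_id: str, credential: bytes) -> bytes:
        known = self._whitelist.get(app_id)
        offered = hashlib.sha256(credential).digest()
        if known is None or not hmac.compare_digest(known, offered):
            raise PermissionError("credential not on whitelist")
        return self._blobs[app_id]

def provision(store, app_id: str, credential: bytes, secret: bytes) -> dict:
    """Modules 410-430: encrypt each layer, split storage across two locations."""
    working_key = secrets.token_bytes(32)
    root_key = secrets.token_bytes(32)          # generated, never stored in clear
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    enc_root_key = salt + seal(kdf(password, salt), root_key)
    store.register(app_id, credential, enc_root_key)       # root key store
    return {                                               # configuration file
        "password": password,
        "enc_working_key": seal(root_key, working_key).hex(),
        "enc_secret": seal(working_key, secret).hex(),
    }

def startup(store, app_id: str, credential: bytes, config: dict, env: dict) -> bytes:
    """Modules 310-340; env is a dict standing in for the environment variables."""
    enc_root_key = store.fetch(app_id, credential)                       # 310
    salt, blob = enc_root_key[:16], enc_root_key[16:]
    root_key = unseal(kdf(config["password"], salt), blob)               # 320
    env["ROOT_KEY"] = root_key.hex()                                     # 330
    working_key = unseal(bytes.fromhex(env["ROOT_KEY"]),
                         bytes.fromhex(config["enc_working_key"]))
    return unseal(working_key, bytes.fromhex(config["enc_secret"]))      # 340
```

After `startup` returns, `env["ROOT_KEY"]` holds the root key in plaintext, so anything able to read that environment can unwrap the working key.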
[0123] Example 5
[0124] Figure 5 is a schematic diagram of the structure of an electronic device provided in Embodiment 5 of the present invention. The electronic device 10 is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital processors, cellular phones, smartphones, wearable devices (such as helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the invention described and / or claimed herein.
[0125] As shown in Figure 5, the electronic device 10 includes at least one processor 11 and a memory, such as a read-only memory (ROM) 12 or a random access memory (RAM) 13, communicatively connected to the at least one processor 11. The memory stores computer programs executable by the at least one processor. The processor 11 can perform various appropriate actions and processes based on the computer program stored in the ROM 12 or loaded from storage unit 18 into the RAM 13. The RAM 13 may also store various programs and data required for the operation of the electronic device 10. The processor 11, ROM 12, and RAM 13 are interconnected via a bus 14. An input / output (I / O) interface 15 is also connected to the bus 14.
[0126] Multiple components in electronic device 10 are connected to I / O interface 15, including: input unit 16, such as keyboard, mouse, etc.; output unit 17, such as various types of displays, speakers, etc.; storage unit 18, such as disk, optical disk, etc.; and communication unit 19, such as network card, modem, wireless transceiver, etc. Communication unit 19 allows electronic device 10 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.
[0127] Processor 11 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. Processor 11 performs the various methods and processes described above, such as system startup methods and / or system information processing methods.
[0128] In some embodiments, the system startup method and / or system information processing method may be implemented as a computer program tangibly contained in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and / or installed on electronic device 10 via ROM 12 and / or communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the system startup method and / or system information processing method described above may be performed. Alternatively, in other embodiments, processor 11 may be configured to perform the system startup method and / or system information processing method by any other suitable means (e.g., by means of firmware).
[0129] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.
[0130] Computer programs used to implement the system startup method and / or system information processing method of the present invention can be written in any combination of one or more programming languages. These computer programs can be provided to the processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the processor, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be implemented. The computer programs can be executed entirely on the machine, partially on the machine, as a standalone software package partially on the machine and partially on a remote machine, or entirely on a remote machine or server.
[0131] Example 6
[0132] Embodiment 6 of the present invention also provides a computer-readable storage medium storing computer instructions for causing a processor to execute a system startup method, including:
[0133] In response to the system startup command, the encrypted root key is read from the root key store and the encryption / decryption password is read from the configuration file; the encrypted root key is decrypted based on the encryption / decryption password to obtain the decrypted root key; the decrypted root key is set as an environment variable in the configuration file to obtain an updated configuration file; and the system is started based on the updated configuration file.
[0134] And / or, computer instructions are used to cause a processor to perform a system information processing method, including:
[0135] The system acquires sensitive information, encrypts it using the working key to obtain encrypted sensitive information, and encrypts the working key using the root key; it acquires encryption and decryption passwords, encrypts the root key using these passwords to obtain an encrypted root key; it stores the encrypted root key in the root key store, and sets the encryption and decryption passwords and encrypted sensitive information in the configuration file.
[0136] In the context of this invention, a computer-readable storage medium can be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus, or device. A computer-readable storage medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination thereof. Alternatively, a computer-readable storage medium may be a machine-readable signal medium. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.
[0137] To provide interaction with a user, the systems and techniques described herein can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the electronic device. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).
[0138] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as data servers), or computing systems that include middleware components (e.g., application servers), or computing systems that include frontend components (e.g., user computers with graphical user interfaces or web browsers through which users can interact with implementations of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., communication networks). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the Internet.
[0139] A computing system can include clients and servers. Clients and servers are generally located far apart and typically interact through communication networks. The client-server relationship is created by computer programs running on the respective computers and having a client-server relationship with each other. The server can be a cloud server, also known as a cloud computing server or cloud host, which is a hosting product within the cloud computing service system to address the shortcomings of traditional physical hosts and VPS services, such as high management difficulty and weak business scalability.
[0140] It should be understood that the various forms of processes shown above can be used, with steps reordered, added, or deleted. For example, the steps described in this invention can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution of this invention can be achieved, and this is not limited herein.
[0141] The specific embodiments described above do not constitute a limitation on the scope of protection of this invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of this invention should be included within the scope of protection of this invention.
Claims
1. A system startup method, characterized by comprising: in response to a system startup command, reading the encrypted root key from the root key store and reading the encryption / decryption password from the configuration file; decrypting the encrypted root key based on the encryption / decryption password to obtain the decrypted root key; setting the decrypted root key as an environment variable in the configuration file to obtain the updated configuration file; and starting the system based on the updated configuration file; wherein the updated configuration file is a file after adding / modifying / deleting parameters from the system configuration file; the step of reading the encrypted root key from the root key store includes: based on a preset function, obtaining a system credential and sending it to the root key store for verification, wherein the verification of the system credential determines whether the credential can pass the system's authentication; and, if the verification is successful, obtaining the encrypted root key returned by the root key store; and starting the system based on the updated configuration file includes: obtaining sensitive system information based on the decrypted root key in the updated configuration file, and starting the system based on the sensitive system information.
2. The method of claim 1, wherein obtaining the sensitive system information based on the decrypted root key in the updated configuration file includes: reading the decrypted root key from the environment variables in the updated configuration file, and decrypting the encrypted working key based on the decrypted root key to obtain the decrypted working key; and processing the encrypted sensitive system information based on the decrypted working key to obtain the sensitive system information.
3. A system information processing method, characterized by comprising: acquiring sensitive system information, encrypting the sensitive system information based on the working key to obtain encrypted sensitive system information, and encrypting the working key based on the root key; obtaining the encryption / decryption password, and encrypting the root key based on the encryption / decryption password to obtain the encrypted root key; and storing the encrypted root key in a root key store and setting the encryption / decryption password and the encrypted sensitive information in a configuration file, wherein the configuration file is a file that is updated when the system starts by adding the decrypted root key as an environment variable; the method further comprising: obtaining system verification information and sending it to the root key store, so that the root key store adds the system verification information to the whitelist for authentication when the system requests the root key, wherein the system verification information is a kind of identity recognition information.
4. A system startup apparatus, characterized by comprising: a key reading module, used to read the encrypted root key from the root key store and the encryption / decryption password from the configuration file in response to the system startup command; a root key acquisition module, used to decrypt the encrypted root key based on the encryption / decryption password to obtain the decrypted root key; a configuration file update module, used to set the decrypted root key as an environment variable in the configuration file to obtain an updated configuration file, wherein the updated configuration file is a file after adding / modifying / deleting parameters in the system configuration file; and a system startup module, used to start the system based on the updated configuration file; wherein the key reading module is specifically used for: based on a preset function, obtaining a system credential and sending it to the root key store for verification, wherein the verification of the system credential determines whether the credential can pass the system's authentication; and, if the verification is successful, obtaining the encrypted root key fed back by the root key store; and the system startup module includes: a sensitive information decryption unit, used to parse the system sensitive information based on the decrypted root key in the updated configuration file; and a system startup unit, used to start the system based on the system sensitive information.
5. A system information processing apparatus, characterized by comprising: an information encryption module, used to acquire sensitive system information, encrypt the sensitive system information based on the working key to obtain encrypted sensitive system information, and encrypt the working key based on the root key; a root key encryption module, used to obtain the encryption / decryption password, and to encrypt the root key based on the encryption / decryption password to obtain the encrypted root key; and an information storage module, used to store the encrypted root key in a root key store and to set the encryption / decryption password and the encrypted sensitive information in a configuration file, wherein the configuration file is a file that is updated when the system starts by adding the decrypted root key as an environment variable; the apparatus further comprising: an information verification module, used to obtain system verification information and send the system verification information to the root key store, so that the root key store adds the system verification information to the whitelist for identity verification when the system requests the root key, wherein the system verification information is a kind of identity recognition information.
6. An electronic device, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores a computer program that can be executed by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform the system startup method of any one of claims 1-2, and / or the system information processing method of claim 3.
7. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions that cause a processor to execute the system startup method of any one of claims 1-2, and / or the system information processing method of claim 3.