iSCSI网络存储系统中加密方法研究与设计

由于iSCSI协议不提供安全服务,大部分网络存储也不具备加密功能,提出了一种面向iSCSI的实时加密模块,使得网络存储系统加载该模块后,能够为用户提供透明实时的数据安全服务。为iSCSI target设计了加密写和解密读流程,加解密模块相对原网络存储系统独立,不用更改系统内核,而iSCSI initiator不会感知加密操作的存在,基于标准iSCSI协议的客户端可直接使用。此外,利用多核网络处理器的加密协处理器,来优化读写性能。实验结果显示,系统并没有因为加密模块的引入而导致严重的性能损失,性能令人满意。

An encryption method based on iSCSI network storage system

Due to the fact that the iSCSI protocol does not provide security services and most network storage systems do not have the encryption capabilities either, we propose a real time encryption module for the iSCSI, which enables the network storage system to provide users with transparent real time encryption services after loading this module. We design an encrypted writing and decrypted reading process for the iSCSI target. Since the encryption module is independent of the original network storage system, the operating system's kernel does not need to change. The iSCSI initiator does not perceive the existence of encryption operation, thus clients based on standard iSCSI protocol can use the service directly. In addition, we use the security coprocessor of the multi core network processor to optimize the read and write performance. Experimental results show that introducing the encryption module to network storage system does not lead to serious loss of performance, and the system performance is satisfactory.