A cloud computing platform can provide massive computing resources to a user in the form of a virtual machine (VM) by integrating various interconnected computing resources and implementing multi-level virtualization and abstraction. Specifically, virtualization software deployed in a cloud computing host constitutes the environment in which the virtual machine runs, and provides services such as networking and storage for the virtual machine. User data is stored in a virtual hard disk of the virtual machine. The actual physical storage space of the virtual hard disk is in a hard disk array of a storage server, and the storage server organizes the storage space of the virtual hard disk into a large file or a large data block, which is referred to as a hard disk image. The hard disk image is the storage entity of the data in the virtual machine and represents a storage state in which the content of a disk or hard disk of the virtual machine is organized in units of sectors. The cloud computing platform needs to provide a reliable security assurance technology to ensure the security of user data in the hard disk image and to avoid disclosure of private user data, including business secrets.
FIG. 1 is a schematic structural diagram for implementing an encryption and decryption technology in a prior-art virtualization system. To ensure the security of user data, a device mapping and encrypting module is included in a virtual machine monitor (VMM) and is configured to map a hard disk image as a virtual block device. The hard disk image is invisible to the user virtual machine. Virtualization software connects the block device to the user virtual machine, and the device mapping and encrypting module can perceive access to the block device by the user virtual machine and perform encryption processing on the accessed data in the hard disk image, thereby protecting the user data. However, hundreds of hard disk images may exist in a cloud computing host. These hard disk images are of many types, for example, a large file, a local block device, and a network block device. Some hard disk images need to be encrypted, and some do not. Therefore, the device mapping and encrypting module needs to perform identification and processing separately for these images, which makes the implementation of the device mapping and encrypting module complicated and significantly affects the stability of a cloud computing operating system.