Can we save wrapped keys generated with Cloud KMS keys in DLP de-identification templates (using the Python API)?


Problem description

I am working on a PII de-identification project and using Google Cloud's Data Loss Prevention API.

Use case: encrypt a field with a Cloud KMS key.

  • Created a DLP de-identification template; here is the snippet:
{
  "deidentify_template": {
    "display_name": "deidentification_encryption",
    "description": "deidentification_encryption",
    "deidentify_config": {
      "record_transformations": {
        "field_transformations": [
          {
            "fields": [
              {
                "name": "password"
              }
            ],
            "primitive_transformation": {
              "crypto_hash_config": {
                "crypto_key": {
                  "kms_wrapped": {
                    "wrapped_key": "[base64 encoded]",
                    "crypto_key_name": "kms-key-resource-name"
                  }
                }
              }
            }
          }
        ]
      }
    }
  }
}

  • Saved the template as a JSON file.

      When I try to build the template using the Python API, I get the following error:

      TypeError: Cannot set google.privacy.dlp.v2.KmsWrappedCryptoKey.wrapped_key to [base64 encoded]: [base64 encoded] has type <class 'str'>, but expected one of: (<class 'bytes'>,) for field KmsWrappedCryptoKey

      How do we write bytes in JSON? Not sure whether that is feasible.

      Workaround I used:

      • Created the template with a transient crypto key:
                            "cryptoKey": {
                              "transient": {
                                "name": "ola-32"
                              }
                            }
      

      • Modified the template configuration in the DLP UI.
      • Changed the transformation of the password field to a KMS-wrapped crypto key.
      • Added the resource name and the KMS-generated key.
      • It works fine; tested the template.
      • Additional observation:

        • I made an API call to check the configuration; after adding the KMS key via the UI, I saw the wrapped key like this:

        As far as I know, it's not possible to use a wrapped key in this format in JSON.

        Is it possible to use a KMS key with a template saved as JSON?

        Recommended answer

        Yes, you should be able to use a KMSWrapped key in a template. You can do this using JSON and calling the API, or via the Cloud Console UI here.

        It's possible that the error you are getting is due to the key being wrapped in the wrong format.

        I just went through these steps and got a successfully working DLP deidentify_template with a KMSWrappedKey.

        To create a wrapped key you can try the following steps:

        1. Create a KMS key ring and key. You will use this later to wrap your de-identification key.
        2. Create a 128/192/256-bit encryption key to use as your DLP de-identification key.
        3. Base64-encode this key from step 2.
        4. Wrap/encrypt this base64-encoded key from step 3 with the KMS key from step 1.

        Example KMS call:

        curl "https://cloudkms.googleapis.com/v1/projects/<project-id>/locations/global/keyRings/<key-ring-id>/cryptoKeys/<key-id>:encrypt" \
          --request "POST" \
          --header "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
          --header "content-type: application/json" \
          --data "{\"plaintext\": \"<your base64 encoded key>\"}"
        

        This should produce something like:

        {
          "name": "projects/<project-id>/locations/global/keyRings/<key-ring-id>/cryptoKeys/<key-id>/cryptoKeyVersions/1",
          "ciphertext": "<cipher text>",
          "ciphertextCrc32c": "<some number>"
        }
        

        5. Copy what is in the name field into the DLP cryptoKeyName, but drop the last part, /cryptoKeyVersions/1, and copy what's in the ciphertext value into the DLP wrappedKey field.

        Example:

        ...
                "crypto_hash_config": {
                  "crypto_key": {
                      "kmsWrapped": {
                        "wrappedKey": "CiQA4yqJRKIrMRQCdYdsSHIhqGthDuuxnhBOLN512drs6f59tt4SOQAwcYzUXvT1tJQmHHhqycGMj/lB+UPkmIb7j+QcIGxtQuMbuqG2xdRC8WVMQ9MFJ9tuOO6vxJqaVw==",
                        "cryptoKeyName": "projects/<project-id>/locations/global/keyRings/<key-ring-id>/cryptoKeys/<key-id>"
                      }
                  }
                }
        

        6. Save your template and try it out. You can test it in the API tester here or in the Cloud DLP Console template tester here (just click on the template that you made and then the Test tab).

        Below is a full JSON example for creating a template. You would just need to run this under your project, with your project as the parent ID, and ensure that the key resource ID matches yours. Here I use a key ring called keyring1 and a key called key1 in a project called project-test-123:

        {
          "deidentifyTemplate": {
            "deidentifyConfig": {
              "infoTypeTransformations": {
                "transformations": [
                  {
                    "primitiveTransformation": {
                      "cryptoHashConfig": {
                        "cryptoKey": {
                          "kmsWrapped": {
                            "cryptoKeyName": "projects/project-test-123/locations/global/keyRings/keyring1/cryptoKeys/key1",
                            "wrappedKey": "CiQA4yqJRKIrMRQCdYdsSHIhqGthDuuxnhBOLN512drs6f59tt4SOQAwcYzUXvT1tJQmHHhqycGMj/lB+UPkmIb7j+QcIGxtQuMbuqG2xdRC8WVMQ9MFJ9tuOO6vxJqaVw=="
                          }
                        }
                      }
                    }
                  }
                ]
              }
            }
          },
          "templateId": "test1"
        }
        

        Note: this is a randomly generated 128-bit key wrapped with KMS. Since the key is publicly posted here, do not use this actual key in any production system or to protect any data.
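A worked Python version of the whole procedure, added here as an example; it is not code from the question, the answer, or Google's documentation. It serves both the question (the TypeError from setting wrapped_key to a str) and the answer's wrap-and-paste steps: on the REST/JSON side every protobuf bytes field (KMS plaintext and ciphertext, DLP wrappedKey) travels as base64 text, which is why the answer base64-encodes the DEK before the curl call, whereas the Python clients take raw bytes, so wrapped_key must be the base64-decoded ciphertext and a DEK handed to the KMS client is not pre-encoded. The sample KMS response and JSON template are constructed (the ciphertext is the public one from the answer), the project/key-ring/key names are the answer's placeholders, and the two network functions assume the google-cloud-kms and google-cloud-dlp clients (KeyManagementServiceClient.encrypt, DlpServiceClient.create_deidentify_template); they import those libraries only when called, so the conversion helpers run offline.

```python
"""Cloud DLP de-identification template around a KMS-wrapped DEK, from Python.
REST/JSON carries protobuf `bytes` fields base64-encoded (KMS `plaintext` and
`ciphertext`, DLP `wrappedKey`); the Python clients take raw bytes instead, so
`KmsWrappedCryptoKey.wrapped_key` must hold the *decoded* ciphertext."""
import base64
import binascii
import json
import re
import secrets

# Constructed sample of a KMS cryptoKeys.encrypt JSON response; the ciphertext
# is the public value from the answer above (never protect real data with it).
SAMPLE_KMS_RESPONSE = {
    "name": "projects/project-test-123/locations/global/keyRings/keyring1"
            "/cryptoKeys/key1/cryptoKeyVersions/1",
    "ciphertext": "CiQA4yqJRKIrMRQCdYdsSHIhqGthDuuxnhBOLN512drs6f59tt4SOQAwcYzU"
                  "XvT1tJQmHHhqycGMj/lB+UPkmIb7j+QcIGxtQuMbuqG2xdRC8WVMQ9MFJ9tu"
                  "OO6vxJqaVw==",
}
# Constructed sample: the question's template saved as JSON, in the camelCase
# form the REST API and console emit, with a base64 wrappedKey string.
SAMPLE_TEMPLATE_JSON = json.dumps({
    "deidentifyTemplate": {
        "displayName": "deidentification_encryption",
        "deidentifyConfig": {"recordTransformations": {"fieldTransformations": [{
            "fields": [{"name": "password"}],
            "primitiveTransformation": {"cryptoHashConfig": {"cryptoKey": {
                "kmsWrapped": {
                    "wrappedKey": SAMPLE_KMS_RESPONSE["ciphertext"],
                    "cryptoKeyName": "projects/project-test-123/locations/global"
                                     "/keyRings/keyring1/cryptoKeys/key1",
                }}}}}]}},
    },
    "templateId": "test1",
})
_VERSION_SUFFIX = re.compile(r"/cryptoKeyVersions/\d+$")
_CAMEL_BOUNDARY = re.compile(r"(?<!^)(?=[A-Z])")

def strip_key_version(name: str) -> str:
    """DLP wants the CryptoKey name, not a CryptoKeyVersion (answer, step 5)."""
    return _VERSION_SUFFIX.sub("", name)

def decode_wrapped_key(b64_text: str) -> bytes:
    """Base64 text from JSON -> raw ciphertext bytes; rejects placeholders such
    as "[base64 encoded]" locally instead of at the API."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64 ciphertext: {b64_text!r}") from exc
    if not raw:
        raise ValueError("wrapped key is empty")
    return raw

def kms_wrapped_from_response(resp: dict) -> dict:
    """KMS encrypt response (JSON form) -> KmsWrappedCryptoKey dict for DLP."""
    return {"crypto_key_name": strip_key_version(resp["name"]),
            "wrapped_key": decode_wrapped_key(resp["ciphertext"])}

def generate_dek(bits: int = 256) -> bytes:
    """Fresh DEK from the OS CSPRNG; DLP accepts 128-, 192- or 256-bit keys."""
    if bits not in (128, 192, 256):
        raise ValueError("DEK must be 128, 192 or 256 bits")
    return secrets.token_bytes(bits // 8)

def build_template(field: str, kms_wrapped: dict, display_name: str = "deidentification_encryption") -> dict:
    """The question's record transformation, as the Python client wants it."""
    return {"display_name": display_name, "deidentify_config": {
        "record_transformations": {"field_transformations": [{
            "fields": [{"name": field}],
            "primitive_transformation": {"crypto_hash_config": {
                "crypto_key": {"kms_wrapped": dict(kms_wrapped)}}}}]}}}

def template_from_json(text: str) -> dict:
    """Template (or whole create request) saved as JSON -> client-ready dict:
    camelCase keys -> snake_case, kms_wrapped.wrapped_key text -> bytes."""
    def fix(node, key=None):
        if isinstance(node, dict):
            out = {}
            for k, v in node.items():
                sk = _CAMEL_BOUNDARY.sub("_", k).lower()
                out[sk] = fix(v, sk)
            if key == "kms_wrapped" and "wrapped_key" in out:
                out["wrapped_key"] = decode_wrapped_key(out["wrapped_key"])
            return out
        if isinstance(node, list):
            return [fix(v) for v in node]
        return node
    return fix(json.loads(text))

def wrap_dek_with_kms(crypto_key_name: str, dek: bytes) -> dict:
    """Wrap a raw DEK with Cloud KMS (google-cloud-kms, imported lazily; needs credentials)."""
    from google.cloud import kms
    resp = kms.KeyManagementServiceClient().encrypt(
        request={"name": crypto_key_name, "plaintext": dek})
    return {"crypto_key_name": strip_key_version(resp.name),
            "wrapped_key": resp.ciphertext}

def create_template(parent: str, request: dict) -> str:
    """Create the template via google-cloud-dlp; `request` comes from template_from_json()."""
    from google.cloud import dlp_v2
    created = dlp_v2.DlpServiceClient().create_deidentify_template(
        request={"parent": parent, **request})
    return created.name
```

Either path reaches the same request: run template_from_json on the file the question saved and pass the result to create_template, or skip the JSON round-trip with create_template(parent, {"deidentify_template": build_template("password", wrap_dek_with_kms(key_name, generate_dek())), "template_id": "test1"}). The plaintext DEK only exists in memory between generate_dek and the KMS call; keep it out of logs and version control, and remember that the DLP service agent needs decrypt permission on the KMS key (roles/cloudkms.cryptoKeyDecrypter) or the template will fail at unwrap time, not at creation.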

