GoogleSQL for BigQuery supports the following DLP functions that allow interoperable encryption and decryption between BigQuery and Cloud Data Loss Prevention (Cloud DLP), using AES-SIV.
Function list
| Name | Summary |
|---|---|
DLP_DETERMINISTIC_ENCRYPT
|
Encrypts data with a DLP compatible algorithm. |
DLP_DETERMINISTIC_DECRYPT
|
Decrypts DLP-encrypted data. |
DLP_KEY_CHAIN
|
Gets a data encryption key that is wrapped by Cloud Key Management Service. |
DLP_DETERMINISTIC_ENCRYPT
DLP_DETERMINISTIC_ENCRYPT(key, plaintext, context)
DLP_DETERMINISTIC_ENCRYPT(key, plaintext, context, surrogate)
Description
This function derives a data encryption key from key and context, and then
encrypts plaintext. Optionally, you can use surrogate to prepend the
encryption result.
Definitions
key: A serializedBYTESvalue that is returned byDLP_KEY_CHAIN.keymust be set toENABLEDin Cloud KMS. For information about how to generate a wrapped key, see gcloud kms encrypt.plaintext: TheSTRINGvalue to encrypt.context: A user-providedSTRINGvalue that is used with a Cloud KMS key to derive a data encryption key. For more information, see CryptoDeterministicConfig:context.surrogate: ASTRINGvalue that you can prepend to output.
Return data type
STRING
Example
SELECT
DLP_DETERMINISTIC_ENCRYPT(
DLP_KEY_CHAIN(
'gcp-kms://projects/my_project/locations/us-central1/keyRings/keyringtest/cryptoKeys/testkey',
b'\123\044\290\876....'),
plaintext,
'',
'test') AS results
/*--------------------------------------*
| results |
+--------------------------------------+
| AXDEwUnZsTf/NzxoHaC8AZXcawWuma7L39A= |
*--------------------------------------*/
DLP_DETERMINISTIC_DECRYPT
DLP_DETERMINISTIC_DECRYPT(key, ciphertext, context)
DLP_DETERMINISTIC_DECRYPT(key, ciphertext, context, surrogate)
Description
This function decrypts ciphertext using an encryption key derived from key
and context. Optionally, you can use surrogate to prepend the decryption
result.
Definitions
key: A serializedBYTESvalue returned byDLP_KEY_CHAIN.keymust be set toENABLEDin Cloud KMS. For information about how to generate a wrapped key, see gcloud kms encrypt.ciphertext: TheSTRINGvalue to decrypt.context: ASTRINGvalue that is used with a Cloud KMS key to derive a data encryption key. For more information, see CryptoDeterministicConfig:context.surrogate: ASTRINGvalue that you can prepend to output.
Return data type
STRING
Example
SELECT
DLP_DETERMINISTIC_DECRYPT(
DLP_KEY_CHAIN(
'gcp-kms://projects/myproject/locations/us-central1/keyRings/keyringtest/cryptoKeys/testkey',
b'\123\044\290\876....'),
'your_surrogate(36)AdFnA6r5doSDWxPwW/W4vBaa4iOvDagC8z8=',
'',
'your_surrogate') AS results
/*-----------*
| results |
+-----------+
| plaintext |
*-----------*/
DLP_KEY_CHAIN
DLP_KEY_CHAIN(kms_resource_name, wrapped_key)
Description
You can use this function instead of the key argument for
DLP deterministic encryption functions. This function lets
you use the AES-SIV encryption functions
without including plaintext keys in a query.
Definitions
kms_resource_name: ASTRINGliteral that contains the resource path to the Cloud KMS key.kms_resource_namecannot beNULLand must reside in the same Cloud region where this function is executed. This argument is used to derive the data encryption key in theDLP_DETERMINISTIC_DECRYPTandDLP_DETERMINISTIC_ENCRYPTfunctions. A Cloud KMS key looks like this:gcp-kms://projects/my-project/locations/us/keyRings/my-key-ring/cryptoKeys/my-crypto-keywrapped_key: ABYTESliteral that represents a secret text chosen by the user. This secret text can be 16, 24, or 32 bytes. For information about how to generate a wrapped key, see gcloud kms encrypt.
Return data type
STRUCT
Example
SELECT
DLP_DETERMINISTIC_ENCRYPT(
DLP_KEY_CHAIN(
'gcp-kms://projects/my_project/locations/us-central1/keyRings/keyringtest/cryptoKeys/testkey',
b'\123\044\290\876....'),
plaintext,
'',
'test') AS results
/*--------------------------------------*
| results |
+--------------------------------------+
| AXDEwUnZsTf/NzxoHaC8AZXcawWuma7L39A= |
*--------------------------------------*/