Usa la API de Data Loss Prevention para desidentificar datos sensibles en una string mediante encriptación determinista, que es un método criptográfico reversible. La encriptación se realiza con una clave unida.
Muestra de código
C#
Para obtener información sobre cómo instalar y usar la biblioteca cliente de Protección de datos sensibles, consulta Bibliotecas cliente de protección de datos sensibles.
Para autenticarte en la Protección de datos sensibles, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.
using System;
using System.Collections.Generic;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;
public class DeidentifyWithDeterministic
{
public static DeidentifyContentResponse Deidentify(
string projectId,
string text,
string keyName,
string wrapperKey,
InfoType surrogateType = null,
IEnumerable<InfoType> infoTypes = null)
{
// Instantiate a client.
var dlp = DlpServiceClient.Create();
// Construct the inspect config by specifying the type of info to be inspected.
var inspectConfig = new InspectConfig
{
InfoTypes =
{
infoTypes ?? new InfoType[] { new InfoType { Name = "PHONE_NUMBER" } }
}
};
// Construct the crypto deterministic config by providing key name, wrapped key and surrogate type.
var cryptoDeterministicConfig = new CryptoDeterministicConfig
{
CryptoKey = new CryptoKey
{
KmsWrapped = new KmsWrappedCryptoKey
{
CryptoKeyName = keyName,
WrappedKey = Google.Protobuf.ByteString.FromBase64(wrapperKey)
}
},
SurrogateInfoType = surrogateType ?? new InfoType { Name = "PHONE_TOKEN" }
};
// Construct the deidentify config using crypto deterministic config.
var deidentifyConfig = new DeidentifyConfig
{
InfoTypeTransformations = new InfoTypeTransformations
{
Transformations =
{
new InfoTypeTransformations.Types.InfoTypeTransformation
{
PrimitiveTransformation = new PrimitiveTransformation
{
CryptoDeterministicConfig = cryptoDeterministicConfig
}
}
}
}
};
// Construct the request.
var request = new DeidentifyContentRequest
{
ParentAsLocationName = new LocationName(projectId, "global"),
DeidentifyConfig = deidentifyConfig,
InspectConfig = inspectConfig,
Item = new ContentItem { Value = text }
};
// Call the API.
DeidentifyContentResponse response = dlp.DeidentifyContent(request);
// Check the de-identified content.
Console.WriteLine($"De-identified content: {response.Item.Value}");
return response;
}
}
Go
Para obtener información sobre cómo instalar y usar la biblioteca cliente de Protección de datos sensibles, consulta Bibliotecas cliente de protección de datos sensibles.
Para autenticarte en la Protección de datos sensibles, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.
import (
"context"
"encoding/base64"
"fmt"
"io"
dlp "cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// deIdentifyDeterministicEncryption de-identifies through deterministic encryption
func deIdentifyDeterministicEncryption(w io.Writer, projectID, inputStr string, infoTypeNames []string, keyFileName, cryptoKeyName, surrogateInfoType string) error {
// projectId := "your-project-id"
// inputStr := "My SSN is 111111111"
// infoTypeNames := []string{"US_SOCIAL_SECURITY_NUMBER"}
/* keyFileName := "projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME"
*/
// cryptoKeyName := "YOUR_ENCRYPTED_AES_256_KEY"
// surrogateInfoType := "SSN_TOKEN"
ctx := context.Background()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client, err := dlp.NewClient(ctx)
if err != nil {
return err
}
// Closing the client safely cleans up background resources.
defer client.Close()
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
wrappedKey, err := base64.StdEncoding.DecodeString(cryptoKeyName)
if err != nil {
return err
}
// Specify the type of info the inspection will look for.
// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
var infoTypes []*dlppb.InfoType
for _, it := range infoTypeNames {
infoTypes = append(infoTypes, &dlppb.InfoType{Name: it})
}
// Specify the key used by the encryption function for deterministic encryption.
cryptoReplaceDeterministicConfig := &dlppb.CryptoDeterministicConfig{
CryptoKey: &dlppb.CryptoKey{
Source: &dlppb.CryptoKey_KmsWrapped{
KmsWrapped: &dlppb.KmsWrappedCryptoKey{
WrappedKey: wrappedKey,
CryptoKeyName: keyFileName,
},
},
},
SurrogateInfoType: &dlppb.InfoType{
Name: surrogateInfoType,
},
}
// Specifying the info-types to look for.
inspectConfig := &dlppb.InspectConfig{
InfoTypes: infoTypes,
}
// Specify what content you want the service to de-identify.
contentItem := &dlppb.ContentItem{
DataItem: &dlppb.ContentItem_Value{
Value: inputStr,
},
}
// Specifying the deterministic crypto.
primitiveTransformation := &dlppb.PrimitiveTransformation{
Transformation: &dlppb.PrimitiveTransformation_CryptoDeterministicConfig{
CryptoDeterministicConfig: cryptoReplaceDeterministicConfig,
},
}
// Construct a de-identification config for de-identify deterministic request.
deIdentifyConfig := &dlppb.DeidentifyConfig{
Transformation: &dlppb.DeidentifyConfig_InfoTypeTransformations{
InfoTypeTransformations: &dlppb.InfoTypeTransformations{
Transformations: []*dlppb.InfoTypeTransformations_InfoTypeTransformation{
{
PrimitiveTransformation: primitiveTransformation,
},
},
},
},
}
// Construct the de-identification request to be sent by the client.
req := &dlppb.DeidentifyContentRequest{
Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
DeidentifyConfig: deIdentifyConfig,
InspectConfig: inspectConfig,
Item: contentItem,
}
// Send the request.
resp, err := client.DeidentifyContent(ctx, req)
if err != nil {
return err
}
// Print the results.
fmt.Fprintf(w, "output : %v", resp.GetItem().GetValue())
return nil
}
Java
Para obtener información sobre cómo instalar y usar la biblioteca cliente de Protección de datos sensibles, consulta Bibliotecas cliente de protección de datos sensibles.
Para autenticarte en la Protección de datos sensibles, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoDeterministicConfig;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.DeidentifyContentRequest;
import com.google.privacy.dlp.v2.DeidentifyContentResponse;
import com.google.privacy.dlp.v2.InfoType;
import com.google.privacy.dlp.v2.InfoTypeTransformations;
import com.google.privacy.dlp.v2.InspectConfig;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.protobuf.ByteString;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import org.apache.commons.codec.binary.Base64;
public class DeIdenitfyWithDeterministicEncryption {
public static void main(String[] args) throws Exception {
// TODO(developer): Replace these variables before running the sample.
//The Google Cloud project id to use as a parent resource.
String projectId = "your-project-id";
// The string to de-identify.
String textToDeIdentify = "My SSN is 372819127";
// The encrypted ('wrapped') AES-256 key to use.
// This key should be encrypted using the Cloud KMS key specified by key_name.
String wrappedKey = "YOUR_ENCRYPTED_AES_256_KEY";
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
String kmsKeyName =
"projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME";
deIdentifyWithDeterministicEncryption(projectId, textToDeIdentify, wrappedKey, kmsKeyName);
}
// De-identifies sensitive data in a string using deterministic encryption. The encryption is
// performed with a wrapped key.
public static String deIdentifyWithDeterministicEncryption(
String projectId, String textToDeIdentify, String wrappedKey, String key) throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try (DlpServiceClient dlp = DlpServiceClient.create()) {
// Specify what content you want the service to de-identify.
ContentItem contentItem = ContentItem.newBuilder()
.setValue(textToDeIdentify)
.build();
// Specify the type of info the inspection will look for.
// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
InfoType infoType = InfoType.newBuilder()
.setName("US_SOCIAL_SECURITY_NUMBER")
.build();
InspectConfig inspectConfig = InspectConfig.newBuilder()
.addAllInfoTypes(Collections.singletonList(infoType))
.build();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
KmsWrappedCryptoKey unwrappedCryptoKey = KmsWrappedCryptoKey.newBuilder()
.setWrappedKey(ByteString.copyFrom(
Base64.decodeBase64(wrappedKey.getBytes(StandardCharsets.UTF_8))))
.setCryptoKeyName(key)
.build();
CryptoKey cryptoKey = CryptoKey.newBuilder()
.setKmsWrapped(unwrappedCryptoKey)
.build();
// Specify how the info from the inspection should be encrypted.
InfoType surrogateInfoType = InfoType.newBuilder()
.setName("SSN_TOKEN")
.build();
CryptoDeterministicConfig cryptoDeterministicConfig = CryptoDeterministicConfig.newBuilder()
.setSurrogateInfoType(surrogateInfoType)
.setCryptoKey(cryptoKey)
.build();
PrimitiveTransformation primitiveTransformation = PrimitiveTransformation.newBuilder()
.setCryptoDeterministicConfig(cryptoDeterministicConfig)
.build();
InfoTypeTransformations.InfoTypeTransformation infoTypeTransformation =
InfoTypeTransformations.InfoTypeTransformation.newBuilder()
.setPrimitiveTransformation(primitiveTransformation)
.build();
InfoTypeTransformations transformations = InfoTypeTransformations.newBuilder()
.addTransformations(infoTypeTransformation)
.build();
DeidentifyConfig deidentifyConfig = DeidentifyConfig.newBuilder()
.setInfoTypeTransformations(transformations)
.build();
// Combine configurations into a request for the service.
DeidentifyContentRequest request = DeidentifyContentRequest.newBuilder()
.setParent(LocationName.of(projectId, "global").toString())
.setItem(contentItem)
.setInspectConfig(inspectConfig)
.setDeidentifyConfig(deidentifyConfig)
.build();
// Send the request and receive response from the service.
DeidentifyContentResponse response = dlp.deidentifyContent(request);
// Print the results.
System.out.println(
"Text after de-identification: " + response.getItem().getValue());
return response.getItem().getValue();
}
}
}
Node.js
Para obtener información sobre cómo instalar y usar la biblioteca cliente de Protección de datos sensibles, consulta Bibliotecas cliente de protección de datos sensibles.
Para autenticarte en la Protección de datos sensibles, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.
// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');
// Instantiates a client
const dlp = new DLP.DlpServiceClient();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to deidentify
// const string = 'My name is Alicia Abernathy, and my email address is aabernathy@example.com.';
// The infoTypes of information to match
// const infoTypes = [{ name: 'EMAIL_ADDRESS' }];
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use
// Only necessary if you want to reverse the deidentification process
// Can be essentially any arbitrary string, as long as it doesn't appear
// in your dataset otherwise.
// const surrogateType = 'EMAIL_ADDRESS_TOKEN';
async function deidentifyDeterministic() {
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
const cryptoDeterministicEncryption = {
cryptoKey: {
kmsWrapped: {
wrappedKey: wrappedKey,
cryptoKeyName: keyName,
},
},
surrogateInfoType: {name: surrogateType},
};
// Construct inspect configuration to match information
const inspectConfig = {
infoTypes,
};
// Associate the encryption with the infotype transformation.
const infoTypeTransformations = {
transformations: [
{
infoTypes,
primitiveTransformation: {
cryptoDeterministicConfig: cryptoDeterministicEncryption,
},
},
],
};
// Construct item to inspect
const item = {value: string};
// Combine configurations into a request for the service.
const request = {
parent: `projects/${projectId}/locations/global`,
deidentifyConfig: {
infoTypeTransformations: infoTypeTransformations,
},
inspectConfig,
item: item,
};
// Run de-identification request
const [response] = await dlp.deidentifyContent(request);
const deidentifiedItem = response.item;
// Print results
console.log(deidentifiedItem.value);
}
await deidentifyDeterministic();PHP
Para obtener información sobre cómo instalar y usar la biblioteca cliente de Protección de datos sensibles, consulta Bibliotecas cliente de protección de datos sensibles.
Para autenticarte en la Protección de datos sensibles, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.
use Google\Cloud\Dlp\V2\DlpServiceClient;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoDeterministicConfig;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\CryptoKey;
/**
* De-identify content through deterministic encryption.
* Use the Data Loss Prevention API to de-identify sensitive data in a string using deterministic encryption,
* which is a reversible cryptographic method. The encryption is performed with a wrapped key.
*
* @param string $callingProjectId The Google Cloud project id to use as a parent resource.
* @param string $inputString The string to deidentify (will be treated as text).
* @param string $kmsKeyName The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
* Example: key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'.
* @param string $infoTypeName The Info type name to be inspect.
* @param string $surrogateTypeName The name of the surrogate custom info type to use.
* Only necessary if you want to reverse the deidentification process. Can be essentially any arbitrary
* string, as long as it doesn't appear in your dataset otherwise.
* @param string $wrappedAesKey The encrypted ('wrapped') AES-256 key to use.
*
* */
function deidentify_deterministic(
string $callingProjectId,
string $kmsKeyName,
string $wrappedAesKey,
string $inputString = 'My PHONE NUMBER IS 731997681',
string $infoTypeName = 'PHONE_NUMBER',
string $surrogateTypeName = 'PHONE_TOKEN'
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Specify what content you want the service to DeIdentify.
$content = (new ContentItem())->setValue($inputString);
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedAesKey))
->setCryptoKeyName($kmsKeyName);
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Specify how the info from the inspection should be encrypted.
$cryptoDeterministicConfig = (new CryptoDeterministicConfig())
->setCryptoKey($cryptoKey);
if (!empty($surrogateTypeName)) {
$cryptoDeterministicConfig = $cryptoDeterministicConfig->setSurrogateInfoType((new InfoType())
->setName($surrogateTypeName));
}
// Specify the type of info the inspection will look for.
$infoType = (new InfoType())
->setName($infoTypeName);
$inspectConfig = (new InspectConfig())
->setInfoTypes([$infoType]);
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoDeterministicConfig($cryptoDeterministicConfig);
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
$deidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
// Send the request and receive response from the service.
$response = $dlp->deidentifyContent([
'parent' => $parent,
'deidentifyConfig' => $deidentifyConfig,
'item' => $content,
'inspectConfig' => $inspectConfig
]);
// Print the results.
printf($response->getItem()->getValue());
}Python
Para obtener información sobre cómo instalar y usar la biblioteca cliente de Protección de datos sensibles, consulta Bibliotecas cliente de protección de datos sensibles.
Para autenticarte en la Protección de datos sensibles, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local.
import base64
from typing import List
import google.cloud.dlp
def deidentify_with_deterministic(
project: str,
input_str: str,
info_types: List[str],
surrogate_type: str = None,
key_name: str = None,
wrapped_key: str = None,
) -> None:
"""Deidentifies sensitive data in a string using deterministic encryption.
Args:
project: The Google Cloud project id to use as a parent resource.
input_str: The string to deidentify (will be treated as text).
info_types: A list of strings representing info types to look for.
surrogate_type: The name of the surrogate custom info type to use. Only
necessary if you want to reverse the deidentification process. Can
be essentially any arbitrary string, as long as it doesn't appear
in your dataset otherwise.
key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
AES-256 key. Example:
key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The encrypted ('wrapped') AES-256 key to use. This key
should be encrypted using the Cloud KMS key specified by key_name.
Returns:
None; the response from the API is printed to the terminal.
"""
# Instantiate a client
dlp = google.cloud.dlp_v2.DlpServiceClient()
# Convert the project id into a full resource id.
parent = f"projects/{project}/locations/global"
# The wrapped key is base64-encoded, but the library expects a binary
# string, so decode it here.
wrapped_key = base64.b64decode(wrapped_key)
# Construct Deterministic encryption configuration dictionary
crypto_replace_deterministic_config = {
"crypto_key": {
"kms_wrapped": {"wrapped_key": wrapped_key, "crypto_key_name": key_name}
},
}
# Add surrogate type
if surrogate_type:
crypto_replace_deterministic_config["surrogate_info_type"] = {
"name": surrogate_type
}
# Construct inspect configuration dictionary
inspect_config = {"info_types": [{"name": info_type} for info_type in info_types]}
# Construct deidentify configuration dictionary
deidentify_config = {
"info_type_transformations": {
"transformations": [
{
"primitive_transformation": {
"crypto_deterministic_config": crypto_replace_deterministic_config
}
}
]
}
}
# Convert string to item
item = {"value": input_str}
# Call the API
response = dlp.deidentify_content(
request={
"parent": parent,
"deidentify_config": deidentify_config,
"inspect_config": inspect_config,
"item": item,
}
)
# Print results
print(response.item.value)
¿Qué sigue?
Para buscar y filtrar muestras de código de otros productos de Google Cloud, consulta el navegador de muestra de Google Cloud.