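L'API Data Loss Prevention permet d'anonymiser les données sensibles dans une chaîne à l'aide du chiffrement déterministe, qui est une méthode cryptographique réversible. Le chiffrement est effectué à l'aide d'une clé encapsulée. Comme le chiffrement est déterministe, une même valeur chiffrée avec la même clé donne toujours le même jeton : les jetons restent donc comparables entre eux. Comme il est réversible, l'accès à la clé Cloud KMS utilisée pour l'encapsulation doit être limité aux identités autorisées à retrouver les valeurs d'origine.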
Exemple de code
Java
Pour savoir comment installer et utiliser la bibliothèque cliente pour Cloud DLP, consultez Bibliothèques clientes Cloud DLP.
Pour vous authentifier auprès de Cloud DLP, configurez les Identifiants par défaut de l'application. Pour en savoir plus, consultez Configurer l'authentification pour un environnement de développement local.
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoDeterministicConfig;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.DeidentifyContentRequest;
import com.google.privacy.dlp.v2.DeidentifyContentResponse;
import com.google.privacy.dlp.v2.InfoType;
import com.google.privacy.dlp.v2.InfoTypeTransformations;
import com.google.privacy.dlp.v2.InspectConfig;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.protobuf.ByteString;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import org.apache.commons.codec.binary.Base64;
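/**
 * Sample that de-identifies US Social Security numbers in a string with Cloud DLP deterministic
 * encryption, using an AES-256 key that is wrapped ('encrypted') by a Cloud KMS key.
 */
public class DeIdenitfyWithDeterministicEncryption {

  public static void main(String[] args) throws Exception {
    // TODO(developer): Replace these variables before running the sample.
    // The Google Cloud project id to use as a parent resource.
    String projectId = "your-project-id";
    // The string to de-identify.
    String textToDeIdentify = "My SSN is 372819127";
    // The encrypted ('wrapped') AES-256 key to use, Base64-encoded.
    // This key should be encrypted using the Cloud KMS key specified by key_name.
    // In a real application, load this value from configuration instead of hard-coding it.
    String wrappedKey = "YOUR_ENCRYPTED_AES_256_KEY";
    // The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
    String kmsKeyName =
        "projects/YOUR_PROJECT/"
            + "locations/YOUR_KEYRING_REGION/"
            + "keyRings/YOUR_KEYRING_NAME/"
            + "cryptoKeys/YOUR_KEY_NAME";
    deIdentifyWithDeterministicEncryption(projectId, textToDeIdentify, wrappedKey, kmsKeyName);
  }

  /**
   * De-identifies US Social Security numbers found in {@code textToDeIdentify} by replacing them
   * with deterministically encrypted surrogate tokens.
   *
   * <p>The transformation is reversible: the output is a token that can be turned back into the
   * original value with the same key, not anonymous data. The result is also printed to standard
   * output.
   *
   * @param projectId the Google Cloud project id to use as a parent resource
   * @param textToDeIdentify the string to de-identify
   * @param wrappedKey the Base64-encoded, KMS-wrapped AES-256 key
   * @param key the resource name of the Cloud KMS key that wrapped {@code wrappedKey}
   * @return the de-identified text returned by the service
   * @throws IOException if the DLP client cannot be created
   * @throws IllegalArgumentException if an argument is missing or {@code wrappedKey} decodes to
   *     zero bytes
   */
  public static String deIdentifyWithDeterministicEncryption(
      String projectId, String textToDeIdentify, String wrappedKey, String key) throws IOException {
    // Reject unusable arguments before any client is created or any request is sent.
    requireNonEmpty(projectId, "projectId");
    requireNonEmpty(wrappedKey, "wrappedKey");
    requireNonEmpty(key, "key");
    if (textToDeIdentify == null) {
      throw new IllegalArgumentException("textToDeIdentify must not be null");
    }

    // commons-codec ignores characters outside the Base64 alphabet instead of failing, so the
    // only client-side check possible here is that some key material was actually decoded.
    byte[] wrappedKeyBytes = Base64.decodeBase64(wrappedKey.getBytes(StandardCharsets.UTF_8));
    if (wrappedKeyBytes.length == 0) {
      throw new IllegalArgumentException("wrappedKey does not contain any Base64 data");
    }

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (DlpServiceClient dlp = DlpServiceClient.create()) {
      // Specify what content you want the service to DeIdentify.
      ContentItem contentItem = ContentItem.newBuilder().setValue(textToDeIdentify).build();

      // Specify the type of info the inspection will look for.
      // See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
      InfoType infoType = InfoType.newBuilder().setName("US_SOCIAL_SECURITY_NUMBER").build();
      InspectConfig inspectConfig =
          InspectConfig.newBuilder().addAllInfoTypes(Collections.singletonList(infoType)).build();

      // Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
      // The key stays wrapped on the client side; only its ciphertext is put in the request.
      KmsWrappedCryptoKey kmsWrappedCryptoKey =
          KmsWrappedCryptoKey.newBuilder()
              .setWrappedKey(ByteString.copyFrom(wrappedKeyBytes))
              .setCryptoKeyName(key)
              .build();
      CryptoKey cryptoKey = CryptoKey.newBuilder().setKmsWrapped(kmsWrappedCryptoKey).build();

      // Specify how the info from the inspection should be encrypted. The surrogate info type
      // labels the tokens in the output; pick a name that does not otherwise occur in the data.
      InfoType surrogateInfoType = InfoType.newBuilder().setName("SSN_TOKEN").build();
      CryptoDeterministicConfig cryptoDeterministicConfig =
          CryptoDeterministicConfig.newBuilder()
              .setSurrogateInfoType(surrogateInfoType)
              .setCryptoKey(cryptoKey)
              .build();
      PrimitiveTransformation primitiveTransformation =
          PrimitiveTransformation.newBuilder()
              .setCryptoDeterministicConfig(cryptoDeterministicConfig)
              .build();
      InfoTypeTransformations.InfoTypeTransformation infoTypeTransformation =
          InfoTypeTransformations.InfoTypeTransformation.newBuilder()
              .setPrimitiveTransformation(primitiveTransformation)
              .build();
      InfoTypeTransformations transformations =
          InfoTypeTransformations.newBuilder().addTransformations(infoTypeTransformation).build();
      DeidentifyConfig deidentifyConfig =
          DeidentifyConfig.newBuilder().setInfoTypeTransformations(transformations).build();

      // Combine configurations into a request for the service.
      DeidentifyContentRequest request =
          DeidentifyContentRequest.newBuilder()
              .setParent(LocationName.of(projectId, "global").toString())
              .setItem(contentItem)
              .setInspectConfig(inspectConfig)
              .setDeidentifyConfig(deidentifyConfig)
              .build();

      // Send the request and receive response from the service.
      DeidentifyContentResponse response = dlp.deidentifyContent(request);

      // Print the results. Only the de-identified text is written out, never the input.
      String deidentifiedText = response.getItem().getValue();
      System.out.println("Text after de-identification: " + deidentifiedText);
      return deidentifiedText;
    }
  }

  /** Throws {@link IllegalArgumentException} when {@code value} is null or empty. */
  private static void requireNonEmpty(String value, String name) {
    if (value == null || value.isEmpty()) {
      throw new IllegalArgumentException(name + " must not be null or empty");
    }
  }
}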
Python
Pour savoir comment installer et utiliser la bibliothèque cliente pour Cloud DLP, consultez Bibliothèques clientes Cloud DLP.
Pour vous authentifier auprès de Cloud DLP, configurez les Identifiants par défaut de l'application. Pour en savoir plus, consultez Configurer l'authentification pour un environnement de développement local.
import base64 # noqa: F811, E402, I100
from typing import List # noqa: F811, E402
import google.cloud.dlp # noqa: F811, E402
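def deidentify_with_deterministic(
    project: str,
    input_str: str,
    info_types: List[str],
    surrogate_type: str = None,
    key_name: str = None,
    wrapped_key: str = None,
) -> None:
    """Deidentifies sensitive data in a string using deterministic encryption.

    The transformation is reversible with the same key, so the printed output
    is a token for the original value rather than anonymous data.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to deidentify (will be treated as text).
        info_types: A list of strings representing info types to look for.
        surrogate_type: The name of the surrogate custom info type to use. Only
            necessary if you want to reverse the deidentification process. Can
            be essentially any arbitrary string, as long as it doesn't appear
            in your dataset otherwise.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The encrypted ('wrapped') AES-256 key to use, base64-encoded.
            This key should be encrypted using the Cloud KMS key specified by
            key_name.

    Returns:
        None; the response from the API is printed to the terminal.

    Raises:
        ValueError: If key_name or wrapped_key is missing, or if wrapped_key
            decodes to zero bytes.
    """
    # key_name and wrapped_key default to None in the signature, but the
    # transformation cannot be built without them. Fail with a clear error
    # before a client is created or a request is sent.
    if not key_name:
        raise ValueError("key_name is required for deterministic encryption")
    if not wrapped_key:
        raise ValueError("wrapped_key is required for deterministic encryption")

    # The wrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here. The key stays wrapped; only its ciphertext
    # is placed in the request.
    wrapped_key_bytes = base64.b64decode(wrapped_key)
    if not wrapped_key_bytes:
        raise ValueError("wrapped_key does not contain any base64 data")

    # Instantiate a client
    dlp = google.cloud.dlp_v2.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = f"projects/{project}"

    # Construct Deterministic encryption configuration dictionary
    crypto_replace_deterministic_config = {
        "crypto_key": {
            "kms_wrapped": {
                "wrapped_key": wrapped_key_bytes,
                "crypto_key_name": key_name,
            }
        },
    }

    # Add surrogate type
    if surrogate_type:
        crypto_replace_deterministic_config["surrogate_info_type"] = {
            "name": surrogate_type
        }

    # Construct inspect configuration dictionary
    inspect_config = {"info_types": [{"name": info_type} for info_type in info_types]}

    # Construct deidentify configuration dictionary
    deidentify_config = {
        "info_type_transformations": {
            "transformations": [
                {
                    "primitive_transformation": {
                        "crypto_deterministic_config": crypto_replace_deterministic_config
                    }
                }
            ]
        }
    }

    # Convert string to item
    item = {"value": input_str}

    # Call the API
    response = dlp.deidentify_content(
        request={
            "parent": parent,
            "deidentify_config": deidentify_config,
            "inspect_config": inspect_config,
            "item": item,
        }
    )

    # Print results. Only the deidentified text is written out, never the input.
    print(response.item.value)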
Étapes suivantes
Pour rechercher et filtrer des exemples de code pour d'autres produits Google Cloud, consultez l'explorateur d'exemples Google Cloud.