Desidentificar texto libre con FPE mediante un subrogado

Usa la API de Data Loss Prevention para desidentificar datos sensibles en una string mediante la encriptación de preservación de formato (FPE). La encriptación se realiza con una clave separada.

Muestra de código


Si deseas obtener información para instalar y usar la biblioteca cliente de Cloud DLP, consulta Bibliotecas cliente de Cloud DLP.

def deidentify_free_text_with_fpe_using_surrogate(
    """Uses the Data Loss Prevention API to deidentify sensitive data in a
       string using Format Preserving Encryption (FPE).
       The encryption is performed with an unwrapped key.
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to deidentify (will be treated as text).
        alphabet: The set of characters to replace sensitive ones with. For
            more information, see
        info_type: The name of the info type to de-identify
        surrogate_type: The name of the surrogate custom info type to use. Can
            be essentially any arbitrary string, as long as it doesn't appear
            in your dataset otherwise.
        unwrapped_key: The base64-encoded AES-256 key to use.
        None; the response from the API is printed to the terminal.
    # Import the client library

    # Instantiate a client
    dlp =

    # Convert the project id into a full resource id.
    parent = f"projects/{project}"

    # The unwrapped key is base64-encoded, but the library expects a binary
    # string, so decode it here.
    import base64

    unwrapped_key = base64.b64decode(unwrapped_key)

    # Construct de-identify config
    transformation = {
        "info_types": [{"name": info_type}],
        "primitive_transformation": {
            "crypto_replace_ffx_fpe_config": {
                "crypto_key": {"unwrapped": {"key": unwrapped_key}},
                "common_alphabet": alphabet,
                "surrogate_info_type": {"name": surrogate_type},

    deidentify_config = {
        "info_type_transformations": {"transformations": [transformation]}

    # Construct the inspect config, trying to finding all PII with likelihood
    # higher than UNLIKELY
    inspect_config = {
        "info_types": [{"name": info_type}],

    # Convert string to item
    item = {"value": input_str}

    # Call the API
    response = dlp.deidentify_content(
            "parent": parent,
            "deidentify_config": deidentify_config,
            "inspect_config": inspect_config,
            "item": item,

    # Print results

¿Qué sigue?

Para buscar y filtrar muestras de código para otros productos de Google Cloud, consulta el navegador de muestra de Google Cloud.