Reidentificar conteúdo que foi desidentificado anteriormente com a criptografia determinística.
Mais informações
Para ver a documentação detalhada que inclui este exemplo de código, consulte:
Exemplo de código
C#
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
using System;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;
using Google.Protobuf;
public class ReidentifyContentUsingDeterministic
{
public static ReidentifyContentResponse ReidentifyDeterministic(
string projectId,
string text,
string keyName,
string wrappedKey,
InfoType surrogateType = null)
{
// Instantiate the client.
var dlp = DlpServiceClient.Create();
// Construct the infoType if null which will be used as surrogate type and infoType both.
var infoType = surrogateType ?? new InfoType { Name = "PHONE_TOKEN" };
// Construct crypto deterministic config using the crypto key name and wrapped key.
var cryptoDeterministicConfig = new CryptoDeterministicConfig
{
CryptoKey = new CryptoKey
{
KmsWrapped = new KmsWrappedCryptoKey
{
CryptoKeyName = keyName,
WrappedKey = ByteString.FromBase64(wrappedKey)
}
},
SurrogateInfoType = infoType,
};
// Construct the reidentify config using crypto config.
var reidentifyConfig = new DeidentifyConfig
{
InfoTypeTransformations = new InfoTypeTransformations
{
Transformations =
{
new InfoTypeTransformations.Types.InfoTypeTransformation
{
PrimitiveTransformation = new PrimitiveTransformation
{
CryptoDeterministicConfig = cryptoDeterministicConfig
}
}
}
}
};
// Construct the inspect config.
var inspectConfig = new InspectConfig
{
CustomInfoTypes =
{
new CustomInfoType
{
InfoType = infoType,
SurrogateType = new CustomInfoType.Types.SurrogateType()
}
}
};
// Construct the request.
var request = new ReidentifyContentRequest
{
ParentAsLocationName = new LocationName(projectId, "global"),
ReidentifyConfig = reidentifyConfig,
InspectConfig = inspectConfig,
Item = new ContentItem { Value = text },
};
// Call the API.
ReidentifyContentResponse response = dlp.ReidentifyContent(request);
// Inspect the response.
Console.WriteLine($"Reidentified content: {response.Item.Value}");
return response;
}
}
Go
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
import (
"context"
"encoding/base64"
"fmt"
"io"
dlp "cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// reidentifyWithDeterministic re-identifies content encrypted by deterministic encryption.
func reidentifyWithDeterministic(w io.Writer, projectID, inputStr, surrogateType, keyName, wrappedKey string) error {
// projectId := "my-project-id"
// inputStr := "EMAIL_ADDRESS_TOKEN(52):AVAx2eIEnIQP5jbNEr2j9wLOAd5m4kpSBR/0jjjGdAOmryzZbE/q"
// surrogateType := "EMAIL_ADDRESS_TOKEN"
/* keyName := "projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME"
*/
// wrappedKey := "YOUR_ENCRYPTED_AES_256_KEY"
ctx := context.Background()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client, err := dlp.NewClient(ctx)
if err != nil {
return err
}
// Closing the client safely cleans up background resources.
defer client.Close()
// The wrapped key is base64-encoded, but the library expects a binary
// string, so decode it here.
keyBytes, err := base64.StdEncoding.DecodeString(wrappedKey)
if err != nil {
return err
}
// Create crypto deterministic config.
cryptoDeterministicConfig := &dlppb.CryptoDeterministicConfig{
CryptoKey: &dlppb.CryptoKey{
Source: &dlppb.CryptoKey_KmsWrapped{
KmsWrapped: &dlppb.KmsWrappedCryptoKey{
WrappedKey: keyBytes,
CryptoKeyName: keyName,
},
},
},
SurrogateInfoType: &dlppb.InfoType{
Name: surrogateType,
},
}
// Create a config for primitive transformation.
primitiveTransformation := &dlppb.PrimitiveTransformation{
Transformation: &dlppb.PrimitiveTransformation_CryptoDeterministicConfig{
CryptoDeterministicConfig: cryptoDeterministicConfig,
},
}
transformation := &dlppb.DeidentifyConfig_InfoTypeTransformations{
InfoTypeTransformations: &dlppb.InfoTypeTransformations{
Transformations: []*dlppb.InfoTypeTransformations_InfoTypeTransformation{
{
PrimitiveTransformation: primitiveTransformation,
},
},
},
}
// Construct config to re-identify the config.
reIdentifyConfig := &dlppb.DeidentifyConfig{
Transformation: transformation,
}
// Construct a config for inspection.
inspectConfig := &dlppb.InspectConfig{
CustomInfoTypes: []*dlppb.CustomInfoType{
{
InfoType: &dlppb.InfoType{
Name: surrogateType,
},
Type: &dlppb.CustomInfoType_SurrogateType_{
SurrogateType: &dlppb.CustomInfoType_SurrogateType{},
},
},
},
}
// Item to be analyzed.
item := &dlppb.ContentItem{
DataItem: &dlppb.ContentItem_Value{
Value: inputStr,
},
}
// Construct the Inspect request to be sent by the client.
req := &dlppb.ReidentifyContentRequest{
Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
ReidentifyConfig: reIdentifyConfig,
InspectConfig: inspectConfig,
Item: item,
}
// Send the request.
r, err := client.ReidentifyContent(ctx, req)
if err != nil {
return err
}
// Print the result.
fmt.Fprintf(w, "output: %v", r.GetItem().GetValue())
return nil
}
Java
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoDeterministicConfig;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.CustomInfoType;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.InfoType;
import com.google.privacy.dlp.v2.InfoTypeTransformations;
import com.google.privacy.dlp.v2.InspectConfig;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.privacy.dlp.v2.ReidentifyContentRequest;
import com.google.privacy.dlp.v2.ReidentifyContentResponse;
import com.google.protobuf.ByteString;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
public class ReidentifyWithDeterministicEncryption {
public static void main(String[] args) throws Exception {
// TODO(developer): Replace these variables before running the sample.
// The Google Cloud project id to use as a parent resource.
String projectId = "your-project-id";
// The string to de-identify.
String textToIdentify = "My SSN is 372819127";
// The encrypted ('wrapped') AES-256 key to use.
// This key should be encrypted using the Cloud KMS key specified by key_name.
String wrappedKey = "YOUR_ENCRYPTED_AES_256_KEY";
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
String kmsKeyName =
"projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME";
// The string to re-identify.
String textToReIdentify =
DeIdenitfyWithDeterministicEncryption.deIdentifyWithDeterministicEncryption(
projectId, textToIdentify, wrappedKey, kmsKeyName);
reIdentifyWithDeterminsiticEncryption(projectId, textToReIdentify, wrappedKey, kmsKeyName);
}
// Re-identifies sensitive data in a string that was previously de-identified through
// deterministic encryption.
public static void reIdentifyWithDeterminsiticEncryption(
String projectId, String textToReIdentify, String wrappedKey, String key) throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try (DlpServiceClient dlp = DlpServiceClient.create()) {
// Specify what content you want the service to re-identify.
ContentItem contentItem = ContentItem.newBuilder().setValue(textToReIdentify).build();
CustomInfoType.SurrogateType surrogateType =
CustomInfoType.SurrogateType.newBuilder().build();
// Specify the surrogate type used at time of de-identification.
InfoType surrogateInfoType = InfoType.newBuilder()
.setName("SSN_TOKEN")
.build();
CustomInfoType customInfoType = CustomInfoType.newBuilder()
.setInfoType(surrogateInfoType)
.setSurrogateType(surrogateType)
.build();
InspectConfig inspectConfig = InspectConfig.newBuilder()
.addCustomInfoTypes(customInfoType)
.build();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
KmsWrappedCryptoKey unwrappedCryptoKey = KmsWrappedCryptoKey.newBuilder()
.setWrappedKey(
ByteString.copyFrom(
Base64.decodeBase64(wrappedKey.getBytes(StandardCharsets.UTF_8))))
.setCryptoKeyName(key)
.build();
CryptoKey cryptoKey = CryptoKey.newBuilder()
.setKmsWrapped(unwrappedCryptoKey)
.build();
CryptoDeterministicConfig cryptoDeterministicConfig = CryptoDeterministicConfig.newBuilder()
.setSurrogateInfoType(surrogateInfoType)
.setCryptoKey(cryptoKey)
.build();
PrimitiveTransformation primitiveTransformation = PrimitiveTransformation.newBuilder()
.setCryptoDeterministicConfig(cryptoDeterministicConfig)
.build();
InfoTypeTransformations.InfoTypeTransformation infoTypeTransformation =
InfoTypeTransformations.InfoTypeTransformation.newBuilder()
.setPrimitiveTransformation(primitiveTransformation)
.build();
InfoTypeTransformations transformations = InfoTypeTransformations.newBuilder()
.addTransformations(infoTypeTransformation)
.build();
DeidentifyConfig deidentifyConfig = DeidentifyConfig.newBuilder()
.setInfoTypeTransformations(transformations)
.build();
// Combine configurations into a request for the service.
ReidentifyContentRequest request = ReidentifyContentRequest.newBuilder()
.setParent(LocationName.of(projectId, "global").toString())
.setItem(contentItem)
.setInspectConfig(inspectConfig)
.setReidentifyConfig(deidentifyConfig)
.build();
// Send the request and receive response from the service.
ReidentifyContentResponse response = dlp.reidentifyContent(request);
// Print the results.
System.out.println("Text after re-identification: " + response.getItem().getValue());
}
}
}
Node.js
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');
// Instantiates a client
const dlp = new DLP.DlpServiceClient();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to deidentify
// const string = 'My name is Alicia Abernathy, and my email address is EMAIL_ADDRESS_TOKEN(52):XXXXXX';
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use
// Only necessary if you want to reverse the de-identification process
// Can be essentially any arbitrary string, as long as it doesn't appear
// in your dataset otherwise.
// const surrogateType = 'EMAIL_ADDRESS_TOKEN';
async function reidentifyDeterministic() {
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
const cryptoDeterministicEncryption = {
cryptoKey: {
kmsWrapped: {
wrappedKey: wrappedKey,
cryptoKeyName: keyName,
},
},
surrogateInfoType: {name: surrogateType},
};
// Construct custom infotype to match information
const customInfoTypes = [
{
infoType: {
name: surrogateType,
},
surrogateType: {},
},
];
// Associate the encryption with the infotype transformation.
const infoTypeTransformations = {
transformations: [
{
infoTypes: [{name: surrogateType}],
primitiveTransformation: {
cryptoDeterministicConfig: cryptoDeterministicEncryption,
},
},
],
};
// Construct item to inspect
const item = {value: string};
// Combine configurations into a request for the service.
const request = {
parent: `projects/${projectId}/locations/global`,
reidentifyConfig: {
infoTypeTransformations: infoTypeTransformations,
},
inspectConfig: {customInfoTypes},
item,
};
// Run re-identification request
const [response] = await dlp.reidentifyContent(request);
const deidentifiedItem = response.item;
// Print results
console.log(deidentifiedItem.value);
}
await reidentifyDeterministic();PHP
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoDeterministicConfig;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\CustomInfoType;
use Google\Cloud\Dlp\V2\CustomInfoType\SurrogateType;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\ReidentifyContentRequest;
/**
* Re-identify content encrypted by deterministic encryption.
* Re-identify content that was previously de-identified through deterministic encryption.
*
* @param string $callingProjectId The GCP Project ID to run the API call under.
* @param string $string The string to reidentify.
* @param string $keyName The name of the Cloud KMS key used to encrypt (wrap) the AES-256 key.
* @param string $wrappedKey The name of the Cloud KMS key use, encrypted with the KMS key in $keyName.
* @param string $surrogateTypeName Surrogate custom info type to enable reidentification.
*/
function reidentify_deterministic(
string $callingProjectId,
string $string,
string $surrogateTypeName,
string $keyName,
string $wrappedKey
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Specify what content you want the service to Re-identify.
$item = (new ContentItem())
->setValue($string);
// Specify the surrogate type used at time of de-identification.
$surrogateType = (new InfoType())
->setName($surrogateTypeName);
$customInfoType = (new CustomInfoType())
->setInfoType($surrogateType)
->setSurrogateType(new SurrogateType());
// Create the inspect configuration object.
$inspectConfig = (new InspectConfig())
->setCustomInfoTypes([$customInfoType]);
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedKey))
->setCryptoKeyName($keyName);
// Create the crypto key configuration object.
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Create the crypto deterministic configuration object.
$cryptoDeterministicConfig = (new CryptoDeterministicConfig())
->setCryptoKey($cryptoKey)
->setSurrogateInfoType($surrogateType);
// Create the information transform configuration objects.
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoDeterministicConfig($cryptoDeterministicConfig);
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
// Create the reidentification configuration object.
$reidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
// Run request.
$reidentifyContentRequest = (new ReidentifyContentRequest())
->setParent($parent)
->setReidentifyConfig($reidentifyConfig)
->setInspectConfig($inspectConfig)
->setItem($item);
$response = $dlp->reidentifyContent($reidentifyContentRequest);
// Print the results.
printf($response->getItem()->getValue());
}Python
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
import base64
import google.cloud.dlp
def reidentify_with_deterministic(
project: str,
input_str: str,
surrogate_type: str = None,
key_name: str = None,
wrapped_key: str = None,
) -> None:
"""Re-identifies content that was previously de-identified through deterministic encryption.
Args:
project: The Google Cloud project ID to use as a parent resource.
input_str: The string to be re-identified. Provide the entire token. Example:
EMAIL_ADDRESS_TOKEN(52):AVAx2eIEnIQP5jbNEr2j9wLOAd5m4kpSBR/0jjjGdAOmryzZbE/q
surrogate_type: The name of the surrogate custom infoType used
during the encryption process.
key_name: The name of the Cloud KMS key used to encrypt ("wrap") the
AES-256 key. Example:
keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The encrypted ("wrapped") AES-256 key previously used to encrypt the content.
This key must have been encrypted using the Cloud KMS key specified by key_name.
Returns:
None; the response from the API is printed to the terminal.
"""
# Instantiate a client
dlp = google.cloud.dlp_v2.DlpServiceClient()
# Convert the project id into a full resource id.
parent = f"projects/{project}/locations/global"
# The wrapped key is base64-encoded, but the library expects a binary
# string, so decode it here.
wrapped_key = base64.b64decode(wrapped_key)
# Construct reidentify Configuration
reidentify_config = {
"info_type_transformations": {
"transformations": [
{
"primitive_transformation": {
"crypto_deterministic_config": {
"crypto_key": {
"kms_wrapped": {
"wrapped_key": wrapped_key,
"crypto_key_name": key_name,
}
},
"surrogate_info_type": {"name": surrogate_type},
}
}
}
]
}
}
inspect_config = {
"custom_info_types": [
{"info_type": {"name": surrogate_type}, "surrogate_type": {}}
]
}
# Convert string to item
item = {"value": input_str}
# Call the API
response = dlp.reidentify_content(
request={
"parent": parent,
"reidentify_config": reidentify_config,
"inspect_config": inspect_config,
"item": item,
}
)
# Print results
print(response.item.value)
A seguir
Para pesquisar e filtrar exemplos de código de outros produtos do Google Cloud, consulte o navegador de amostra do Google Cloud.