Reidentificar dados de tabela usando criptografia com preservação de formato
Mais informações
Para ver a documentação detalhada que inclui este exemplo de código, consulte:
Exemplo de código
C#
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
using System;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;
using Google.Protobuf;
using static Google.Cloud.Dlp.V2.CryptoReplaceFfxFpeConfig.Types;
public class ReidentifyTableDataWithFpe
{
public static Table ReidentifyTableData(
string projectId,
string keyName,
string wrappedKey,
FfxCommonNativeAlphabet alphabet = FfxCommonNativeAlphabet.Numeric,
Table tableToInspect = null)
{
// Instantiate a client.
var dlp = DlpServiceClient.Create();
// Construct the table if null.
var table = tableToInspect;
if (table == null)
{
var row1 = new Value[]
{
new Value { StringValue = "28777" },
new Value { StringValue = "Justin" }
};
var row2 = new Value[]
{
new Value { StringValue = "28778" },
new Value { StringValue = "Gary" }
};
table = new Table
{
Headers =
{
new FieldId { Name = "Employee ID" },
new FieldId { Name = "Employee Name" }
},
Rows =
{
new Table.Types.Row { Values = { row1 } },
new Table.Types.Row { Values = { row2 } }
}
};
}
// Construct the content item by providing the table.
var contentItem = new ContentItem { Table = table };
// Specify how to decrypt the previously de-identified information.
var cryptoReplaceFfxFpeConfig = new CryptoReplaceFfxFpeConfig
{
CryptoKey = new CryptoKey
{
KmsWrapped = new KmsWrappedCryptoKey
{
CryptoKeyName = keyName,
WrappedKey = ByteString.FromBase64(wrappedKey)
}
},
CommonAlphabet = alphabet
};
// Specify the field to be decrypted.
var fields = new FieldId[] { new FieldId { Name = "Employee ID" } };
// Construct the re-identify config and specify the transformation.
var reidentifyConfig = new DeidentifyConfig
{
RecordTransformations = new RecordTransformations
{
FieldTransformations =
{
new FieldTransformation
{
PrimitiveTransformation = new PrimitiveTransformation
{
CryptoReplaceFfxFpeConfig = cryptoReplaceFfxFpeConfig,
},
Fields = { fields }
}
}
}
};
// Construct the request.
var request = new ReidentifyContentRequest
{
Parent = new LocationName(projectId, "global").ToString(),
Item = contentItem,
ReidentifyConfig = reidentifyConfig
};
// Call the API.
ReidentifyContentResponse response = dlp.ReidentifyContent(request);
// Inspect the response.
Console.WriteLine($"Table after re-identification: {response.Item.Table}");
return response.Item.Table;
}
}
Go
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
import (
"context"
"encoding/base64"
"fmt"
"io"
dlp "cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// reidTableDataWithFPE re-identifies table data with FPE
func reidTableDataWithFPE(w io.Writer, projectID, kmsKeyName, wrappedAesKey string) error {
// projectId := "my-project-id"
/* kmsKeyName := "projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME"
*/
// wrappedAesKey := "YOUR_ENCRYPTED_AES_256_KEY"
ctx := context.Background()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client, err := dlp.NewClient(ctx)
if err != nil {
return err
}
// Closing the client safely cleans up background resources.
defer client.Close()
// Specify the table data that needs to be re-identified.
tableToReIdentify := &dlppb.Table{
Headers: []*dlppb.FieldId{
{Name: "Employee ID"},
},
Rows: []*dlppb.Table_Row{
{
Values: []*dlppb.Value{
{
Type: &dlppb.Value_StringValue{
StringValue: "90511",
},
},
},
},
},
}
// Specify the content you want to re-identify.
contentItem := &dlppb.ContentItem{
DataItem: &dlppb.ContentItem_Table{
Table: tableToReIdentify,
},
}
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
kmsWrappedCryptoKey, err := base64.StdEncoding.DecodeString(wrappedAesKey)
if err != nil {
return err
}
cryptoKey := &dlppb.CryptoKey{
Source: &dlppb.CryptoKey_KmsWrapped{
KmsWrapped: &dlppb.KmsWrappedCryptoKey{
WrappedKey: kmsWrappedCryptoKey,
CryptoKeyName: kmsKeyName,
},
},
}
// Specify how to un-encrypt the previously de-identified information.
cryptoReplaceFfxFpeConfig := &dlppb.CryptoReplaceFfxFpeConfig{
CryptoKey: cryptoKey,
Alphabet: &dlppb.CryptoReplaceFfxFpeConfig_CommonAlphabet{
CommonAlphabet: dlppb.CryptoReplaceFfxFpeConfig_NUMERIC,
},
}
primitiveTransformation := &dlppb.PrimitiveTransformation{
Transformation: &dlppb.PrimitiveTransformation_CryptoReplaceFfxFpeConfig{
CryptoReplaceFfxFpeConfig: cryptoReplaceFfxFpeConfig,
},
}
// Specify field to be decrypted.
fieldId := &dlppb.FieldId{
Name: "Employee ID",
}
// Associate the decryption with the specified field.
fieldTransformation := &dlppb.FieldTransformation{
Transformation: &dlppb.FieldTransformation_PrimitiveTransformation{
PrimitiveTransformation: primitiveTransformation,
},
Fields: []*dlppb.FieldId{
fieldId,
},
}
recordTransformations := &dlppb.RecordTransformations{
FieldTransformations: []*dlppb.FieldTransformation{
fieldTransformation,
},
}
deidentifyConfig := &dlppb.DeidentifyConfig{
Transformation: &dlppb.DeidentifyConfig_RecordTransformations{
RecordTransformations: recordTransformations,
},
}
// Combine configurations into a request for the service.
req := &dlppb.ReidentifyContentRequest{
Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
ReidentifyConfig: deidentifyConfig,
Item: contentItem,
}
// Send the request and receive response from the service.
resp, err := client.ReidentifyContent(ctx, req)
if err != nil {
return err
}
// Print the result.
fmt.Fprintf(w, "Table after re-identification : %v", resp.GetItem().GetTable())
return nil
}
Java
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.common.io.BaseEncoding;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.CryptoReplaceFfxFpeConfig;
import com.google.privacy.dlp.v2.CryptoReplaceFfxFpeConfig.FfxCommonNativeAlphabet;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.FieldId;
import com.google.privacy.dlp.v2.FieldTransformation;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.privacy.dlp.v2.RecordTransformations;
import com.google.privacy.dlp.v2.ReidentifyContentRequest;
import com.google.privacy.dlp.v2.ReidentifyContentResponse;
import com.google.privacy.dlp.v2.Table;
import com.google.privacy.dlp.v2.Table.Row;
import com.google.privacy.dlp.v2.Value;
import com.google.protobuf.ByteString;
import java.io.IOException;
public class ReIdentifyTableWithFpe {
public static void main(String[] args) throws Exception {
// TODO(developer): Replace these variables before running the sample.
String projectId = "your-project-id";
String kmsKeyName =
"projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME";
String wrappedAesKey = "YOUR_ENCRYPTED_AES_256_KEY";
Table tableToReIdentify =
Table.newBuilder()
.addHeaders(FieldId.newBuilder().setName("Employee ID").build())
.addRows(
Row.newBuilder()
.addValues(Value.newBuilder().setStringValue("28777").build())
.build())
.build();
reIdentifyTableWithFpe(projectId, tableToReIdentify, kmsKeyName, wrappedAesKey);
}
public static void reIdentifyTableWithFpe(
String projectId, Table tableToReIdentify, String kmsKeyName, String wrappedAesKey)
throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try (DlpServiceClient dlp = DlpServiceClient.create()) {
// Specify what content you want the service to re-identify.
ContentItem contentItem = ContentItem.newBuilder().setTable(tableToReIdentify).build();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
KmsWrappedCryptoKey kmsWrappedCryptoKey =
KmsWrappedCryptoKey.newBuilder()
.setWrappedKey(ByteString.copyFrom(BaseEncoding.base64().decode(wrappedAesKey)))
.setCryptoKeyName(kmsKeyName)
.build();
CryptoKey cryptoKey = CryptoKey.newBuilder().setKmsWrapped(kmsWrappedCryptoKey).build();
// Specify how to un-encrypt the previously de-identified information.
CryptoReplaceFfxFpeConfig cryptoReplaceFfxFpeConfig =
CryptoReplaceFfxFpeConfig.newBuilder()
.setCryptoKey(cryptoKey)
// Set of characters in the input text. For more info, see
// https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#DeidentifyTemplate.FfxCommonNativeAlphabet
.setCommonAlphabet(FfxCommonNativeAlphabet.NUMERIC)
.build();
PrimitiveTransformation primitiveTransformation =
PrimitiveTransformation.newBuilder()
.setCryptoReplaceFfxFpeConfig(cryptoReplaceFfxFpeConfig)
.build();
// Specify field to be decrypted.
FieldId fieldId = FieldId.newBuilder().setName("Employee ID").build();
// Associate the decryption with the specified field.
FieldTransformation fieldTransformation =
FieldTransformation.newBuilder()
.setPrimitiveTransformation(primitiveTransformation)
.addFields(fieldId)
.build();
RecordTransformations transformations =
RecordTransformations.newBuilder().addFieldTransformations(fieldTransformation).build();
DeidentifyConfig reidentifyConfig =
DeidentifyConfig.newBuilder().setRecordTransformations(transformations).build();
// Combine configurations into a request for the service.
ReidentifyContentRequest request =
ReidentifyContentRequest.newBuilder()
.setParent(LocationName.of(projectId, "global").toString())
.setItem(contentItem)
.setReidentifyConfig(reidentifyConfig)
.build();
// Send the request and receive response from the service
ReidentifyContentResponse response = dlp.reidentifyContent(request);
// Print the results
System.out.println("Table after re-identification: " + response.getItem().getValue());
}
}
}Node.js
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');
// Instantiates a client
const dlp = new DLP.DlpServiceClient();
// The project ID to run the API call under
// const projectId = 'my-project';
// The set of characters to replace sensitive ones with
// For more information, see https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#ffxcommonnativealphabet
// const alphabet = 'ALPHA_NUMERIC';
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use when reidentifying data
// const surrogateType = 'SOME_INFO_TYPE_DEID';
// Table to re-identify
const tablularData = {
headers: [{name: 'Employee ID'}],
rows: [{values: [{stringValue: '90511'}]}],
};
async function reidentifyTableWithFpe() {
// Specify field to be re-identified.
const fieldIds = [{name: 'Employee ID'}];
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
const cryptoKeyConfig = {
kmsWrapped: {
wrappedKey: wrappedKey,
cryptoKeyName: keyName,
},
};
// Associate transformation with crypto key congurations.
const primitiveTransformation = {
cryptoReplaceFfxFpeConfig: {
cryptoKey: cryptoKeyConfig,
commonAlphabet: alphabet,
},
};
// Combine configurations into a request for the service.
const request = {
parent: `projects/${projectId}/locations/global`,
reidentifyConfig: {
recordTransformations: {
fieldTransformations: [
{
fields: fieldIds,
primitiveTransformation: primitiveTransformation,
},
],
},
},
item: {
table: tablularData,
},
};
// Send the request and receive response from the service.
const [response] = await dlp.reidentifyContent(request);
// Print the results.
console.log(
`Table after re-identification: ${JSON.stringify(response.item.table)}`
);
}
await reidentifyTableWithFpe();PHP
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig\FfxCommonNativeAlphabet;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\FieldId;
use Google\Cloud\Dlp\V2\FieldTransformation;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\RecordTransformations;
use Google\Cloud\Dlp\V2\ReidentifyContentRequest;
use Google\Cloud\Dlp\V2\Table;
use Google\Cloud\Dlp\V2\Table\Row;
use Google\Cloud\Dlp\V2\Value;
/**
* Re-identify table data with FPE.
*
* @param string $callingProjectId The Google Cloud project id to use as a parent resource.
* @param string $inputCsvFile The input file(csv) path to reidentify.
* @param string $outputCsvFile The oupt file path to save reidentify content.
* @param string $encryptedFieldNames The field to be encrypted.
* @param string $kmsKeyName The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
* Example: key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
* @param string $wrappedAesKey The encrypted ('wrapped') AES-256 key to use.
*
* */
function reidentify_table_fpe(
string $callingProjectId,
string $inputCsvFile,
string $outputCsvFile,
string $encryptedFieldNames,
string $kmsKeyName,
string $wrappedAesKey
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Read a CSV file.
$csvLines = file($inputCsvFile, FILE_IGNORE_NEW_LINES);
$csvHeaders = explode(',', $csvLines[0]);
$csvRows = array_slice($csvLines, 1);
// Convert CSV file into protobuf objects.
$tableHeaders = array_map(function ($csvHeader) {
return (new FieldId)
->setName($csvHeader);
}, $csvHeaders);
$tableRows = array_map(function ($csvRow) {
$rowValues = array_map(function ($csvValue) {
return (new Value())
->setStringValue($csvValue);
}, explode(',', $csvRow));
return (new Row())
->setValues($rowValues);
}, $csvRows);
// Construct the table object.
$tableToDeIdentify = (new Table())
->setHeaders($tableHeaders)
->setRows($tableRows);
// Specify the content to be reidentify.
$content = (new ContentItem())
->setTable($tableToDeIdentify);
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedAesKey))
->setCryptoKeyName($kmsKeyName);
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Specify how to un-encrypt the previously de-identified information.
$cryptoReplaceFfxFpeConfig = (new CryptoReplaceFfxFpeConfig())
->setCryptoKey($cryptoKey)
->setCommonAlphabet(FfxCommonNativeAlphabet::NUMERIC);
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoReplaceFfxFpeConfig($cryptoReplaceFfxFpeConfig);
// Specify field to be decrypted.
$encryptedFields = array_map(function ($encryptedFieldName) {
return (new FieldId())
->setName($encryptedFieldName);
}, explode(',', $encryptedFieldNames));
// Associate the decryption with the specified field.
$fieldTransformation = (new FieldTransformation())
->setPrimitiveTransformation($primitiveTransformation)
->setFields($encryptedFields);
$recordtransformations = (new RecordTransformations())
->setFieldTransformations([$fieldTransformation]);
$reidentifyConfig = (new DeidentifyConfig())
->setRecordTransformations($recordtransformations);
// Run request.
$reidentifyContentRequest = (new ReidentifyContentRequest())
->setParent($parent)
->setReidentifyConfig($reidentifyConfig)
->setItem($content);
$response = $dlp->reidentifyContent($reidentifyContentRequest);
// Print the results.
$csvRef = fopen($outputCsvFile, 'w');
fputcsv($csvRef, $csvHeaders);
foreach ($response->getItem()->getTable()->getRows() as $tableRow) {
$values = array_map(function ($tableValue) {
return $tableValue->getStringValue();
}, iterator_to_array($tableRow->getValues()));
fputcsv($csvRef, $values);
};
printf('Table after re-identification (File Location): %s', $outputCsvFile);
}Python
Para saber como instalar e usar a biblioteca de cliente para proteção de dados sensíveis, consulte Bibliotecas de cliente de proteção de dados sensíveis.
Para usar a proteção de dados sensíveis, configure o Application Default Credentials. Para mais informações, consulte Configurar a autenticação para um ambiente de desenvolvimento local.
import base64
from typing import List
import google.cloud.dlp
def reidentify_table_with_fpe(
project: str,
table_header: List[str],
table_rows: List[List[str]],
reid_field_names: List[str],
key_name: str = None,
wrapped_key: bytes = None,
alphabet: str = None,
) -> None:
"""Uses the Data Loss Prevention API to re-identify sensitive data in a
table that was encrypted by Format Preserving Encryption (FPE).
Args:
project: The Google Cloud project id to use as a parent resource.
table_header: List of strings representing table field names.
table_rows: List of rows representing table data.
reid_field_names: A list of fields in table to re-identify.
key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
AES-256 key. Example:
key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The decrypted ('wrapped', in bytes) AES-256 key to use. This key
should be encrypted using the Cloud KMS key specified by key_name.
alphabet: The set of characters to replace sensitive ones with. For
more information, see https://cloud.google.com/dlp/docs/reference/
rest/v2/projects.deidentifyTemplates#ffxcommonnativealphabet
"""
# Instantiate a client.
dlp = google.cloud.dlp_v2.DlpServiceClient()
# Construct the `table`. For more details on the table schema, please see
# https://cloud.google.com/dlp/docs/reference/rest/v2/ContentItem#Table
headers = [{"name": val} for val in table_header]
rows = []
for row in table_rows:
rows.append({"values": [{"string_value": cell_val} for cell_val in row]})
table = {"headers": headers, "rows": rows}
# Convert table to `item`
item = {"table": table}
# Specify fields to be re-identified/decrypted.
reid_field_names = [{"name": _i} for _i in reid_field_names]
# Construct FPE configuration dictionary
crypto_replace_ffx_fpe_config = {
"crypto_key": {
"kms_wrapped": {"wrapped_key": wrapped_key, "crypto_key_name": key_name}
},
"common_alphabet": alphabet,
}
# Construct reidentify configuration dictionary
reidentify_config = {
"record_transformations": {
"field_transformations": [
{
"primitive_transformation": {
"crypto_replace_ffx_fpe_config": crypto_replace_ffx_fpe_config,
},
"fields": reid_field_names,
}
]
}
}
# Convert the project id into a full resource id.
parent = f"projects/{project}/locations/global"
# Call the API.
response = dlp.reidentify_content(
request={
"parent": parent,
"reidentify_config": reidentify_config,
"item": item,
}
)
# Print out results.
print(f"Table after re-identification: {response.item.table}")
A seguir
Para pesquisar e filtrar exemplos de código de outros produtos do Google Cloud, consulte o navegador de amostra do Google Cloud.