This page shows how to use Cloud Key Management Service (Cloud KMS) to create a wrapped key that you can then use in deidentify and reidentify requests to the Cloud Data Loss Prevention API of Sensitive Data Protection.
Using a cryptographic key to de-identify and re-identify content is called pseudonymization (or tokenization). For conceptual information about this process, see Pseudonymization.
For an end-to-end example that shows how to create a wrapped key, tokenize content, and re-identify the tokenized content, see Quickstart: De-identify and re-identify sensitive text.
The steps in this topic take 5 to 10 minutes to complete, not including the Before you begin steps.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
- If you are using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create or select a Google Cloud project. Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
  - Create a Google Cloud project:
    gcloud projects create PROJECT_ID
    Replace PROJECT_ID with a name for the Google Cloud project you are creating.
  - Select the Google Cloud project that you created:
    gcloud config set project PROJECT_ID
    Replace PROJECT_ID with your Google Cloud project name.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Sensitive Data Protection and Cloud KMS APIs. Roles required to enable APIs: you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
  gcloud services enable dlp.googleapis.com cloudkms.googleapis.com
- Grant roles to your user account. Run the following command once for each of the following IAM roles: roles/dlp.user
  gcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE
  Replace the following:
  - PROJECT_ID: Your project ID.
  - USER_IDENTIFIER: The identifier for your user account. For example, myemail@example.com.
  - ROLE: The IAM role that you grant to your user account.
Step 1: Create a key ring and a key
Before you begin this step, decide where you want Sensitive Data Protection to process your de-identification and re-identification requests. When you create a Cloud KMS key, you must store it either in the global location or in the same region that you use for your Sensitive Data Protection requests. Otherwise, the Sensitive Data Protection requests will fail.
You can find a list of supported locations in Sensitive Data Protection locations. Note the name of the region you chose (for example, us-west1).
This step uses global as the location for all API requests. If you want to use a different region, replace global with the region name.
- Create a key ring:
  gcloud kms keyrings create "dlp-keyring" \
    --location "global"
- Create a key:
  gcloud kms keys create "dlp-key" \
    --location "global" \
    --keyring "dlp-keyring" \
    --purpose "encryption"
- List the key ring and key:
  gcloud kms keys list \
    --location "global" \
    --keyring "dlp-keyring"
  You get the following output:
  NAME  PURPOSE  ALGORITHM  PROTECTION_LEVEL  LABELS  PRIMARY_ID  PRIMARY_STATE
  projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key  ENCRYPT_DECRYPT  GOOGLE_SYMMETRIC_ENCRYPTION  SOFTWARE    1  ENABLED
  In this output, PROJECT_ID is your project ID. The path under NAME is the full resource name of your Cloud KMS key. Note this path; de-identification and re-identification requests need it.
Step 2: Create a base64-encoded AES key
This section shows how to create an Advanced Encryption Standard (AES) key and encode it in base64 format.
- Create a 128-, 192-, or 256-bit AES key. The following command uses openssl to create a 256-bit key in the current directory:
  openssl rand -out "./aes_key.bin" 32
  The file aes_key.bin is added to the current directory.
- Encode the AES key as a base64 string:
  base64 -i ./aes_key.bin
  You see output similar to the following:
  uEDo6/yKx+zCg2cZ1DBwpwvzMVNk/c+jWs7OwpkMc/s=
Step 3: Wrap the AES key using the Cloud KMS key
This section shows how to use the Cloud KMS key that you created in step 1 to wrap the base64-encoded AES key that you created in step 2.
To wrap the AES key, use curl to send the following request to the Cloud KMS API method projects.locations.keyRings.cryptoKeys.encrypt:
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key:encrypt" \
  --request "POST" \
  --header "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
  --header "content-type: application/json" \
  --data "{\"plaintext\": \"BASE64_ENCODED_AES_KEY\"}"
Replace the following:
- PROJECT_ID: Your project ID.
- BASE64_ENCODED_AES_KEY: The base64-encoded AES key that you created in step 2.
The response you get from Cloud KMS is similar to the following JSON:
{
  "name": "projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key/cryptoKeyVersions/1",
  "ciphertext": "CiQAYuuIGo5DVaqdE0YLioWxEhC8LbTmq7Uy2G3qOJlZB7WXBw0SSQAjdwP8ZusZJ3Kr8GD9W0vaFPMDksmHEo6nTDaW/j5sSYpHa1ym2JHk+lUgkC3Zw5bXhfCNOkpXUdHGZKou1893O8BDby/82HY=",
  "ciphertextCrc32c": "901327763",
  "protectionLevel": "SOFTWARE"
}
In this output, PROJECT_ID is your project ID.
Note the ciphertext value in the response you received. This is the wrapped key.
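As an added example that is not part of the original page or of Google's own client libraries, the Python below carries out steps 2 and 3 offline: it generates an AES key of one of the allowed sizes, builds the cryptoKeys:encrypt request body together with the plaintextCrc32c checksum that the curl command above does not send, and verifies the ciphertextCrc32c and the key name in the response before treating its ciphertext as the wrapped key. The pure-Python CRC-32C routine, the hypothetical key name and the constructed response are assumptions, not Cloud KMS output; an HTTP client of your choice posts the body to the URL shown above.

```python
import base64
import json
import secrets

# CRC-32C (Castagnoli): the checksum behind Cloud KMS's plaintextCrc32c and
# ciphertextCrc32c. Pure Python so this runs offline; use google-crc32c in production.
_CRC32C_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _CRC32C_TABLE.append(_c)

def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def new_aes_key(bits: int = 256) -> bytes:
    """Step 2 (the openssl rand command), enforcing the sizes the page allows."""
    if bits not in (128, 192, 256):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    return secrets.token_bytes(bits // 8)

def encrypt_request_body(aes_key: bytes) -> dict:
    """Body for cryptoKeys:encrypt (step 3). plaintext is the base64 of the raw
    key bytes, so KMS wraps the key itself, not its base64 text; the CRC lets
    KMS reject a request that was corrupted in transit."""
    return {"plaintext": base64.b64encode(aes_key).decode("ascii"),
            "plaintextCrc32c": str(crc32c(aes_key))}

def wrapped_key_from_response(response_json: str, key_name: str) -> str:
    """Verify the response before trusting it (CRC matches, wrapped by the key
    we asked for) and return the wrapped key: the base64 ciphertext."""
    resp = json.loads(response_json)
    ciphertext = base64.b64decode(resp["ciphertext"])
    if crc32c(ciphertext) != int(resp["ciphertextCrc32c"]):
        raise ValueError("ciphertextCrc32c mismatch: response corrupted in transit")
    if not resp["name"].startswith(key_name + "/cryptoKeyVersions/"):
        raise ValueError("wrapped by an unexpected key: " + resp["name"])
    return resp["ciphertext"]

def constructed_encrypt_response(ciphertext: bytes, key_name: str, crc=None) -> str:
    """Constructed stand-in for a real KMS response (offline testing only)."""
    return json.dumps({"name": key_name + "/cryptoKeyVersions/1",
                       "ciphertext": base64.b64encode(ciphertext).decode("ascii"),
                       "ciphertextCrc32c": str(crc32c(ciphertext) if crc is None else crc),
                       "protectionLevel": "SOFTWARE"})
```

The string returned by wrapped_key_from_response is the value you note at the end of step 3; keep the raw aes_key.bin out of logs and shell history, since anyone holding it can re-identify tokens without Cloud KMS.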