借助 Data Loss Prevention API,您可以使用确定性加密(一种可逆加密方法)对字符串中的敏感数据进行去标识化。使用封装的密钥执行加密。
深入探索
如需查看包含此代码示例的详细文档,请参阅以下内容:
代码示例
C#
如需了解如何安装和使用用于敏感数据保护的客户端库,请参阅敏感数据保护客户端库。
如需向敏感数据保护服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
using System;
using System.Collections.Generic;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;
public class DeidentifyWithDeterministic
{
public static DeidentifyContentResponse Deidentify(
string projectId,
string text,
string keyName,
string wrapperKey,
InfoType surrogateType = null,
IEnumerable<InfoType> infoTypes = null)
{
// Instantiate a client.
var dlp = DlpServiceClient.Create();
// Construct the inspect config by specifying the type of info to be inspected.
var inspectConfig = new InspectConfig
{
InfoTypes =
{
infoTypes ?? new InfoType[] { new InfoType { Name = "PHONE_NUMBER" } }
}
};
// Construct the crypto deterministic config by providing key name, wrapped key and surrogate type.
var cryptoDeterministicConfig = new CryptoDeterministicConfig
{
CryptoKey = new CryptoKey
{
KmsWrapped = new KmsWrappedCryptoKey
{
CryptoKeyName = keyName,
WrappedKey = Google.Protobuf.ByteString.FromBase64(wrapperKey)
}
},
SurrogateInfoType = surrogateType ?? new InfoType { Name = "PHONE_TOKEN" }
};
// Construct the deidentify config using crypto deterministic config.
var deidentifyConfig = new DeidentifyConfig
{
InfoTypeTransformations = new InfoTypeTransformations
{
Transformations =
{
new InfoTypeTransformations.Types.InfoTypeTransformation
{
PrimitiveTransformation = new PrimitiveTransformation
{
CryptoDeterministicConfig = cryptoDeterministicConfig
}
}
}
}
};
// Construct the request.
var request = new DeidentifyContentRequest
{
ParentAsLocationName = new LocationName(projectId, "global"),
DeidentifyConfig = deidentifyConfig,
InspectConfig = inspectConfig,
Item = new ContentItem { Value = text }
};
// Call the API.
DeidentifyContentResponse response = dlp.DeidentifyContent(request);
// Check the de-identified content.
Console.WriteLine($"De-identified content: {response.Item.Value}");
return response;
}
}
Go
如需了解如何安装和使用用于敏感数据保护的客户端库,请参阅敏感数据保护客户端库。
如需向敏感数据保护服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
import (
"context"
"encoding/base64"
"fmt"
"io"
dlp "cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// deIdentifyDeterministicEncryption de-identifies through deterministic encryption
func deIdentifyDeterministicEncryption(w io.Writer, projectID, inputStr string, infoTypeNames []string, keyFileName, cryptoKeyName, surrogateInfoType string) error {
// projectId := "your-project-id"
// inputStr := "My SSN is 111111111"
// infoTypeNames := []string{"US_SOCIAL_SECURITY_NUMBER"}
/* keyFileName := "projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME"
*/
// cryptoKeyName := "YOUR_ENCRYPTED_AES_256_KEY"
// surrogateInfoType := "SSN_TOKEN"
ctx := context.Background()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client, err := dlp.NewClient(ctx)
if err != nil {
return err
}
// Closing the client safely cleans up background resources.
defer client.Close()
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
wrappedKey, err := base64.StdEncoding.DecodeString(cryptoKeyName)
if err != nil {
return err
}
// Specify the type of info the inspection will look for.
// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
var infoTypes []*dlppb.InfoType
for _, it := range infoTypeNames {
infoTypes = append(infoTypes, &dlppb.InfoType{Name: it})
}
// Specify the key used by the encryption function for deterministic encryption.
cryptoReplaceDeterministicConfig := &dlppb.CryptoDeterministicConfig{
CryptoKey: &dlppb.CryptoKey{
Source: &dlppb.CryptoKey_KmsWrapped{
KmsWrapped: &dlppb.KmsWrappedCryptoKey{
WrappedKey: wrappedKey,
CryptoKeyName: keyFileName,
},
},
},
SurrogateInfoType: &dlppb.InfoType{
Name: surrogateInfoType,
},
}
// Specifying the info-types to look for.
inspectConfig := &dlppb.InspectConfig{
InfoTypes: infoTypes,
}
// Specify what content you want the service to de-identify.
contentItem := &dlppb.ContentItem{
DataItem: &dlppb.ContentItem_Value{
Value: inputStr,
},
}
// Specifying the deterministic crypto.
primitiveTransformation := &dlppb.PrimitiveTransformation{
Transformation: &dlppb.PrimitiveTransformation_CryptoDeterministicConfig{
CryptoDeterministicConfig: cryptoReplaceDeterministicConfig,
},
}
// Construct a de-identification config for de-identify deterministic request.
deIdentifyConfig := &dlppb.DeidentifyConfig{
Transformation: &dlppb.DeidentifyConfig_InfoTypeTransformations{
InfoTypeTransformations: &dlppb.InfoTypeTransformations{
Transformations: []*dlppb.InfoTypeTransformations_InfoTypeTransformation{
{
PrimitiveTransformation: primitiveTransformation,
},
},
},
},
}
// Construct the de-identification request to be sent by the client.
req := &dlppb.DeidentifyContentRequest{
Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
DeidentifyConfig: deIdentifyConfig,
InspectConfig: inspectConfig,
Item: contentItem,
}
// Send the request.
resp, err := client.DeidentifyContent(ctx, req)
if err != nil {
return err
}
// Print the results.
fmt.Fprintf(w, "output : %v", resp.GetItem().GetValue())
return nil
}
Java
如需了解如何安装和使用用于敏感数据保护的客户端库,请参阅敏感数据保护客户端库。
如需向敏感数据保护服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoDeterministicConfig;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.DeidentifyContentRequest;
import com.google.privacy.dlp.v2.DeidentifyContentResponse;
import com.google.privacy.dlp.v2.InfoType;
import com.google.privacy.dlp.v2.InfoTypeTransformations;
import com.google.privacy.dlp.v2.InspectConfig;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.protobuf.ByteString;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import org.apache.commons.codec.binary.Base64;
public class DeIdenitfyWithDeterministicEncryption {
public static void main(String[] args) throws Exception {
// TODO(developer): Replace these variables before running the sample.
//The Google Cloud project id to use as a parent resource.
String projectId = "your-project-id";
// The string to de-identify.
String textToDeIdentify = "My SSN is 372819127";
// The encrypted ('wrapped') AES-256 key to use.
// This key should be encrypted using the Cloud KMS key specified by key_name.
String wrappedKey = "YOUR_ENCRYPTED_AES_256_KEY";
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
String kmsKeyName =
"projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME";
deIdentifyWithDeterministicEncryption(projectId, textToDeIdentify, wrappedKey, kmsKeyName);
}
// De-identifies sensitive data in a string using deterministic encryption. The encryption is
// performed with a wrapped key.
public static String deIdentifyWithDeterministicEncryption(
String projectId, String textToDeIdentify, String wrappedKey, String key) throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try (DlpServiceClient dlp = DlpServiceClient.create()) {
// Specify what content you want the service to de-identify.
ContentItem contentItem = ContentItem.newBuilder()
.setValue(textToDeIdentify)
.build();
// Specify the type of info the inspection will look for.
// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
InfoType infoType = InfoType.newBuilder()
.setName("US_SOCIAL_SECURITY_NUMBER")
.build();
InspectConfig inspectConfig = InspectConfig.newBuilder()
.addAllInfoTypes(Collections.singletonList(infoType))
.build();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
KmsWrappedCryptoKey unwrappedCryptoKey = KmsWrappedCryptoKey.newBuilder()
.setWrappedKey(ByteString.copyFrom(
Base64.decodeBase64(wrappedKey.getBytes(StandardCharsets.UTF_8))))
.setCryptoKeyName(key)
.build();
CryptoKey cryptoKey = CryptoKey.newBuilder()
.setKmsWrapped(unwrappedCryptoKey)
.build();
// Specify how the info from the inspection should be encrypted.
InfoType surrogateInfoType = InfoType.newBuilder()
.setName("SSN_TOKEN")
.build();
CryptoDeterministicConfig cryptoDeterministicConfig = CryptoDeterministicConfig.newBuilder()
.setSurrogateInfoType(surrogateInfoType)
.setCryptoKey(cryptoKey)
.build();
PrimitiveTransformation primitiveTransformation = PrimitiveTransformation.newBuilder()
.setCryptoDeterministicConfig(cryptoDeterministicConfig)
.build();
InfoTypeTransformations.InfoTypeTransformation infoTypeTransformation =
InfoTypeTransformations.InfoTypeTransformation.newBuilder()
.setPrimitiveTransformation(primitiveTransformation)
.build();
InfoTypeTransformations transformations = InfoTypeTransformations.newBuilder()
.addTransformations(infoTypeTransformation)
.build();
DeidentifyConfig deidentifyConfig = DeidentifyConfig.newBuilder()
.setInfoTypeTransformations(transformations)
.build();
// Combine configurations into a request for the service.
DeidentifyContentRequest request = DeidentifyContentRequest.newBuilder()
.setParent(LocationName.of(projectId, "global").toString())
.setItem(contentItem)
.setInspectConfig(inspectConfig)
.setDeidentifyConfig(deidentifyConfig)
.build();
// Send the request and receive response from the service.
DeidentifyContentResponse response = dlp.deidentifyContent(request);
// Print the results.
System.out.println(
"Text after de-identification: " + response.getItem().getValue());
return response.getItem().getValue();
}
}
}
Node.js
如需了解如何安装和使用用于敏感数据保护的客户端库,请参阅敏感数据保护客户端库。
如需向敏感数据保护服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');
// Instantiates a client
const dlp = new DLP.DlpServiceClient();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to deidentify
// const string = 'My name is Alicia Abernathy, and my email address is aabernathy@example.com.';
// The infoTypes of information to match
// const infoTypes = [{ name: 'EMAIL_ADDRESS' }];
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use
// Only necessary if you want to reverse the deidentification process
// Can be essentially any arbitrary string, as long as it doesn't appear
// in your dataset otherwise.
// const surrogateType = 'EMAIL_ADDRESS_TOKEN';
async function deidentifyDeterministic() {
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
const cryptoDeterministicEncryption = {
cryptoKey: {
kmsWrapped: {
wrappedKey: wrappedKey,
cryptoKeyName: keyName,
},
},
surrogateInfoType: {name: surrogateType},
};
// Construct inspect configuration to match information
const inspectConfig = {
infoTypes,
};
// Associate the encryption with the infotype transformation.
const infoTypeTransformations = {
transformations: [
{
infoTypes,
primitiveTransformation: {
cryptoDeterministicConfig: cryptoDeterministicEncryption,
},
},
],
};
// Construct item to inspect
const item = {value: string};
// Combine configurations into a request for the service.
const request = {
parent: `projects/${projectId}/locations/global`,
deidentifyConfig: {
infoTypeTransformations: infoTypeTransformations,
},
inspectConfig,
item: item,
};
// Run de-identification request
const [response] = await dlp.deidentifyContent(request);
const deidentifiedItem = response.item;
// Print results
console.log(deidentifiedItem.value);
}
await deidentifyDeterministic();PHP
如需了解如何安装和使用用于敏感数据保护的客户端库,请参阅敏感数据保护客户端库。
如需向敏感数据保护服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoDeterministicConfig;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\DeidentifyContentRequest;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
/**
* De-identify content through deterministic encryption.
* Use the Data Loss Prevention API to de-identify sensitive data in a string using deterministic encryption,
* which is a reversible cryptographic method. The encryption is performed with a wrapped key.
*
* @param string $callingProjectId The Google Cloud project id to use as a parent resource.
* @param string $inputString The string to deidentify (will be treated as text).
* @param string $kmsKeyName The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
* Example: key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'.
* @param string $infoTypeName The Info type name to be inspect.
* @param string $surrogateTypeName The name of the surrogate custom info type to use.
* Only necessary if you want to reverse the deidentification process. Can be essentially any arbitrary
* string, as long as it doesn't appear in your dataset otherwise.
* @param string $wrappedAesKey The encrypted ('wrapped') AES-256 key to use.
*
* */
function deidentify_deterministic(
string $callingProjectId,
string $kmsKeyName,
string $wrappedAesKey,
string $inputString = 'My PHONE NUMBER IS 731997681',
string $infoTypeName = 'PHONE_NUMBER',
string $surrogateTypeName = 'PHONE_TOKEN'
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Specify what content you want the service to DeIdentify.
$content = (new ContentItem())->setValue($inputString);
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedAesKey))
->setCryptoKeyName($kmsKeyName);
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Specify how the info from the inspection should be encrypted.
$cryptoDeterministicConfig = (new CryptoDeterministicConfig())
->setCryptoKey($cryptoKey);
if (!empty($surrogateTypeName)) {
$cryptoDeterministicConfig = $cryptoDeterministicConfig->setSurrogateInfoType((new InfoType())
->setName($surrogateTypeName));
}
// Specify the type of info the inspection will look for.
$infoType = (new InfoType())
->setName($infoTypeName);
$inspectConfig = (new InspectConfig())
->setInfoTypes([$infoType]);
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoDeterministicConfig($cryptoDeterministicConfig);
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
$deidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
// Send the request and receive response from the service.
$deidentifyContentRequest = (new DeidentifyContentRequest())
->setParent($parent)
->setDeidentifyConfig($deidentifyConfig)
->setItem($content)
->setInspectConfig($inspectConfig);
$response = $dlp->deidentifyContent($deidentifyContentRequest);
// Print the results.
printf($response->getItem()->getValue());
}Python
如需了解如何安装和使用用于敏感数据保护的客户端库,请参阅敏感数据保护客户端库。
如需向敏感数据保护服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
import base64
from typing import List
import google.cloud.dlp
def deidentify_with_deterministic(
project: str,
input_str: str,
info_types: List[str],
surrogate_type: str = None,
key_name: str = None,
wrapped_key: str = None,
) -> None:
"""Deidentifies sensitive data in a string using deterministic encryption.
Args:
project: The Google Cloud project id to use as a parent resource.
input_str: The string to deidentify (will be treated as text).
info_types: A list of strings representing info types to look for.
surrogate_type: The name of the surrogate custom info type to use. Only
necessary if you want to reverse the deidentification process. Can
be essentially any arbitrary string, as long as it doesn't appear
in your dataset otherwise.
key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
AES-256 key. Example:
key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The encrypted ('wrapped') AES-256 key to use. This key
should be encrypted using the Cloud KMS key specified by key_name.
Returns:
None; the response from the API is printed to the terminal.
"""
# Instantiate a client
dlp = google.cloud.dlp_v2.DlpServiceClient()
# Convert the project id into a full resource id.
parent = f"projects/{project}/locations/global"
# The wrapped key is base64-encoded, but the library expects a binary
# string, so decode it here.
wrapped_key = base64.b64decode(wrapped_key)
# Construct Deterministic encryption configuration dictionary
crypto_replace_deterministic_config = {
"crypto_key": {
"kms_wrapped": {"wrapped_key": wrapped_key, "crypto_key_name": key_name}
},
}
# Add surrogate type
if surrogate_type:
crypto_replace_deterministic_config["surrogate_info_type"] = {
"name": surrogate_type
}
# Construct inspect configuration dictionary
inspect_config = {"info_types": [{"name": info_type} for info_type in info_types]}
# Construct deidentify configuration dictionary
deidentify_config = {
"info_type_transformations": {
"transformations": [
{
"primitive_transformation": {
"crypto_deterministic_config": crypto_replace_deterministic_config
}
}
]
}
}
# Convert string to item
item = {"value": input_str}
# Call the API
response = dlp.deidentify_content(
request={
"parent": parent,
"deidentify_config": deidentify_config,
"inspect_config": inspect_config,
"item": item,
}
)
# Print results
print(response.item.value)
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。