확정적 암호화를 통해 이전에 익명화된 콘텐츠를 재식별합니다.
더 살펴보기
이 코드 샘플이 포함된 자세한 문서는 다음을 참조하세요.
코드 샘플
C#
민감한 정보 보호의 클라이언트 라이브러리를 설치하고 사용하는 방법은 민감한 정보 보호 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
using System;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;
using Google.Protobuf;
public class ReidentifyContentUsingDeterministic
{
public static ReidentifyContentResponse ReidentifyDeterministic(
string projectId,
string text,
string keyName,
string wrappedKey,
InfoType surrogateType = null)
{
// Instantiate the client.
var dlp = DlpServiceClient.Create();
// Construct the infoType if null which will be used as surrogate type and infoType both.
var infoType = surrogateType ?? new InfoType { Name = "PHONE_TOKEN" };
// Construct crypto deterministic config using the crypto key name and wrapped key.
var cryptoDeterministicConfig = new CryptoDeterministicConfig
{
CryptoKey = new CryptoKey
{
KmsWrapped = new KmsWrappedCryptoKey
{
CryptoKeyName = keyName,
WrappedKey = ByteString.FromBase64(wrappedKey)
}
},
SurrogateInfoType = infoType,
};
// Construct the reidentify config using crypto config.
var reidentifyConfig = new DeidentifyConfig
{
InfoTypeTransformations = new InfoTypeTransformations
{
Transformations =
{
new InfoTypeTransformations.Types.InfoTypeTransformation
{
PrimitiveTransformation = new PrimitiveTransformation
{
CryptoDeterministicConfig = cryptoDeterministicConfig
}
}
}
}
};
// Construct the inspect config.
var inspectConfig = new InspectConfig
{
CustomInfoTypes =
{
new CustomInfoType
{
InfoType = infoType,
SurrogateType = new CustomInfoType.Types.SurrogateType()
}
}
};
// Construct the request.
var request = new ReidentifyContentRequest
{
ParentAsLocationName = new LocationName(projectId, "global"),
ReidentifyConfig = reidentifyConfig,
InspectConfig = inspectConfig,
Item = new ContentItem { Value = text },
};
// Call the API.
ReidentifyContentResponse response = dlp.ReidentifyContent(request);
// Inspect the response.
Console.WriteLine($"Reidentified content: {response.Item.Value}");
return response;
}
}
Go
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import (
"context"
"encoding/base64"
"fmt"
"io"
dlp "cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// reidentifyWithDeterministic re-identifies content encrypted by deterministic encryption.
func reidentifyWithDeterministic(w io.Writer, projectID, inputStr, surrogateType, keyName, wrappedKey string) error {
// projectId := "my-project-id"
// inputStr := "EMAIL_ADDRESS_TOKEN(52):AVAx2eIEnIQP5jbNEr2j9wLOAd5m4kpSBR/0jjjGdAOmryzZbE/q"
// surrogateType := "EMAIL_ADDRESS_TOKEN"
/* keyName := "projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME"
*/
// wrappedKey := "YOUR_ENCRYPTED_AES_256_KEY"
ctx := context.Background()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client, err := dlp.NewClient(ctx)
if err != nil {
return err
}
// Closing the client safely cleans up background resources.
defer client.Close()
// The wrapped key is base64-encoded, but the library expects a binary
// string, so decode it here.
keyBytes, err := base64.StdEncoding.DecodeString(wrappedKey)
if err != nil {
return err
}
// Create crypto deterministic config.
cryptoDeterministicConfig := &dlppb.CryptoDeterministicConfig{
CryptoKey: &dlppb.CryptoKey{
Source: &dlppb.CryptoKey_KmsWrapped{
KmsWrapped: &dlppb.KmsWrappedCryptoKey{
WrappedKey: keyBytes,
CryptoKeyName: keyName,
},
},
},
SurrogateInfoType: &dlppb.InfoType{
Name: surrogateType,
},
}
// Create a config for primitive transformation.
primitiveTransformation := &dlppb.PrimitiveTransformation{
Transformation: &dlppb.PrimitiveTransformation_CryptoDeterministicConfig{
CryptoDeterministicConfig: cryptoDeterministicConfig,
},
}
transformation := &dlppb.DeidentifyConfig_InfoTypeTransformations{
InfoTypeTransformations: &dlppb.InfoTypeTransformations{
Transformations: []*dlppb.InfoTypeTransformations_InfoTypeTransformation{
{
PrimitiveTransformation: primitiveTransformation,
},
},
},
}
// Construct config to re-identify the config.
reIdentifyConfig := &dlppb.DeidentifyConfig{
Transformation: transformation,
}
// Construct a config for inspection.
inspectConfig := &dlppb.InspectConfig{
CustomInfoTypes: []*dlppb.CustomInfoType{
{
InfoType: &dlppb.InfoType{
Name: surrogateType,
},
Type: &dlppb.CustomInfoType_SurrogateType_{
SurrogateType: &dlppb.CustomInfoType_SurrogateType{},
},
},
},
}
// Item to be analyzed.
item := &dlppb.ContentItem{
DataItem: &dlppb.ContentItem_Value{
Value: inputStr,
},
}
// Construct the Inspect request to be sent by the client.
req := &dlppb.ReidentifyContentRequest{
Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
ReidentifyConfig: reIdentifyConfig,
InspectConfig: inspectConfig,
Item: item,
}
// Send the request.
r, err := client.ReidentifyContent(ctx, req)
if err != nil {
return err
}
// Print the result.
fmt.Fprintf(w, "output: %v", r.GetItem().GetValue())
return nil
}
Java
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoDeterministicConfig;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.CustomInfoType;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.InfoType;
import com.google.privacy.dlp.v2.InfoTypeTransformations;
import com.google.privacy.dlp.v2.InspectConfig;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.privacy.dlp.v2.ReidentifyContentRequest;
import com.google.privacy.dlp.v2.ReidentifyContentResponse;
import com.google.protobuf.ByteString;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
public class ReidentifyWithDeterministicEncryption {
public static void main(String[] args) throws Exception {
// TODO(developer): Replace these variables before running the sample.
// The Google Cloud project id to use as a parent resource.
String projectId = "your-project-id";
// The string to de-identify.
String textToIdentify = "My SSN is 372819127";
// The encrypted ('wrapped') AES-256 key to use.
// This key should be encrypted using the Cloud KMS key specified by key_name.
String wrappedKey = "YOUR_ENCRYPTED_AES_256_KEY";
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
String kmsKeyName =
"projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME";
// The string to re-identify.
String textToReIdentify =
DeIdenitfyWithDeterministicEncryption.deIdentifyWithDeterministicEncryption(
projectId, textToIdentify, wrappedKey, kmsKeyName);
reIdentifyWithDeterminsiticEncryption(projectId, textToReIdentify, wrappedKey, kmsKeyName);
}
// Re-identifies sensitive data in a string that was previously de-identified through
// deterministic encryption.
public static void reIdentifyWithDeterminsiticEncryption(
String projectId, String textToReIdentify, String wrappedKey, String key) throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try (DlpServiceClient dlp = DlpServiceClient.create()) {
// Specify what content you want the service to re-identify.
ContentItem contentItem = ContentItem.newBuilder().setValue(textToReIdentify).build();
CustomInfoType.SurrogateType surrogateType =
CustomInfoType.SurrogateType.newBuilder().build();
// Specify the surrogate type used at time of de-identification.
InfoType surrogateInfoType = InfoType.newBuilder()
.setName("SSN_TOKEN")
.build();
CustomInfoType customInfoType = CustomInfoType.newBuilder()
.setInfoType(surrogateInfoType)
.setSurrogateType(surrogateType)
.build();
InspectConfig inspectConfig = InspectConfig.newBuilder()
.addCustomInfoTypes(customInfoType)
.build();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
KmsWrappedCryptoKey unwrappedCryptoKey = KmsWrappedCryptoKey.newBuilder()
.setWrappedKey(
ByteString.copyFrom(
Base64.decodeBase64(wrappedKey.getBytes(StandardCharsets.UTF_8))))
.setCryptoKeyName(key)
.build();
CryptoKey cryptoKey = CryptoKey.newBuilder()
.setKmsWrapped(unwrappedCryptoKey)
.build();
CryptoDeterministicConfig cryptoDeterministicConfig = CryptoDeterministicConfig.newBuilder()
.setSurrogateInfoType(surrogateInfoType)
.setCryptoKey(cryptoKey)
.build();
PrimitiveTransformation primitiveTransformation = PrimitiveTransformation.newBuilder()
.setCryptoDeterministicConfig(cryptoDeterministicConfig)
.build();
InfoTypeTransformations.InfoTypeTransformation infoTypeTransformation =
InfoTypeTransformations.InfoTypeTransformation.newBuilder()
.setPrimitiveTransformation(primitiveTransformation)
.build();
InfoTypeTransformations transformations = InfoTypeTransformations.newBuilder()
.addTransformations(infoTypeTransformation)
.build();
DeidentifyConfig deidentifyConfig = DeidentifyConfig.newBuilder()
.setInfoTypeTransformations(transformations)
.build();
// Combine configurations into a request for the service.
ReidentifyContentRequest request = ReidentifyContentRequest.newBuilder()
.setParent(LocationName.of(projectId, "global").toString())
.setItem(contentItem)
.setInspectConfig(inspectConfig)
.setReidentifyConfig(deidentifyConfig)
.build();
// Send the request and receive response from the service.
ReidentifyContentResponse response = dlp.reidentifyContent(request);
// Print the results.
System.out.println("Text after re-identification: " + response.getItem().getValue());
}
}
}
Node.js
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');
// Instantiates a client
const dlp = new DLP.DlpServiceClient();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to deidentify
// const string = 'My name is Alicia Abernathy, and my email address is EMAIL_ADDRESS_TOKEN(52):XXXXXX';
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use
// Only necessary if you want to reverse the de-identification process
// Can be essentially any arbitrary string, as long as it doesn't appear
// in your dataset otherwise.
// const surrogateType = 'EMAIL_ADDRESS_TOKEN';
async function reidentifyDeterministic() {
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
const cryptoDeterministicEncryption = {
cryptoKey: {
kmsWrapped: {
wrappedKey: wrappedKey,
cryptoKeyName: keyName,
},
},
surrogateInfoType: {name: surrogateType},
};
// Construct custom infotype to match information
const customInfoTypes = [
{
infoType: {
name: surrogateType,
},
surrogateType: {},
},
];
// Associate the encryption with the infotype transformation.
const infoTypeTransformations = {
transformations: [
{
infoTypes: [{name: surrogateType}],
primitiveTransformation: {
cryptoDeterministicConfig: cryptoDeterministicEncryption,
},
},
],
};
// Construct item to inspect
const item = {value: string};
// Combine configurations into a request for the service.
const request = {
parent: `projects/${projectId}/locations/global`,
reidentifyConfig: {
infoTypeTransformations: infoTypeTransformations,
},
inspectConfig: {customInfoTypes},
item,
};
// Run re-identification request
const [response] = await dlp.reidentifyContent(request);
const deidentifiedItem = response.item;
// Print results
console.log(deidentifiedItem.value);
}
await reidentifyDeterministic();PHP
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoDeterministicConfig;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\CustomInfoType;
use Google\Cloud\Dlp\V2\CustomInfoType\SurrogateType;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\ReidentifyContentRequest;
/**
* Re-identify content encrypted by deterministic encryption.
* Re-identify content that was previously de-identified through deterministic encryption.
*
* @param string $callingProjectId The GCP Project ID to run the API call under.
* @param string $string The string to reidentify.
* @param string $keyName The name of the Cloud KMS key used to encrypt (wrap) the AES-256 key.
* @param string $wrappedKey The name of the Cloud KMS key use, encrypted with the KMS key in $keyName.
* @param string $surrogateTypeName Surrogate custom info type to enable reidentification.
*/
function reidentify_deterministic(
string $callingProjectId,
string $string,
string $surrogateTypeName,
string $keyName,
string $wrappedKey
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Specify what content you want the service to Re-identify.
$item = (new ContentItem())
->setValue($string);
// Specify the surrogate type used at time of de-identification.
$surrogateType = (new InfoType())
->setName($surrogateTypeName);
$customInfoType = (new CustomInfoType())
->setInfoType($surrogateType)
->setSurrogateType(new SurrogateType());
// Create the inspect configuration object.
$inspectConfig = (new InspectConfig())
->setCustomInfoTypes([$customInfoType]);
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedKey))
->setCryptoKeyName($keyName);
// Create the crypto key configuration object.
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Create the crypto deterministic configuration object.
$cryptoDeterministicConfig = (new CryptoDeterministicConfig())
->setCryptoKey($cryptoKey)
->setSurrogateInfoType($surrogateType);
// Create the information transform configuration objects.
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoDeterministicConfig($cryptoDeterministicConfig);
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
// Create the reidentification configuration object.
$reidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
// Run request.
$reidentifyContentRequest = (new ReidentifyContentRequest())
->setParent($parent)
->setReidentifyConfig($reidentifyConfig)
->setInspectConfig($inspectConfig)
->setItem($item);
$response = $dlp->reidentifyContent($reidentifyContentRequest);
// Print the results.
printf($response->getItem()->getValue());
}Python
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import base64
import google.cloud.dlp
def reidentify_with_deterministic(
project: str,
input_str: str,
surrogate_type: str = None,
key_name: str = None,
wrapped_key: str = None,
) -> None:
"""Re-identifies content that was previously de-identified through deterministic encryption.
Args:
project: The Google Cloud project ID to use as a parent resource.
input_str: The string to be re-identified. Provide the entire token. Example:
EMAIL_ADDRESS_TOKEN(52):AVAx2eIEnIQP5jbNEr2j9wLOAd5m4kpSBR/0jjjGdAOmryzZbE/q
surrogate_type: The name of the surrogate custom infoType used
during the encryption process.
key_name: The name of the Cloud KMS key used to encrypt ("wrap") the
AES-256 key. Example:
keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The encrypted ("wrapped") AES-256 key previously used to encrypt the content.
This key must have been encrypted using the Cloud KMS key specified by key_name.
Returns:
None; the response from the API is printed to the terminal.
"""
# Instantiate a client
dlp = google.cloud.dlp_v2.DlpServiceClient()
# Convert the project id into a full resource id.
parent = f"projects/{project}/locations/global"
# The wrapped key is base64-encoded, but the library expects a binary
# string, so decode it here.
wrapped_key = base64.b64decode(wrapped_key)
# Construct reidentify Configuration
reidentify_config = {
"info_type_transformations": {
"transformations": [
{
"primitive_transformation": {
"crypto_deterministic_config": {
"crypto_key": {
"kms_wrapped": {
"wrapped_key": wrapped_key,
"crypto_key_name": key_name,
}
},
"surrogate_info_type": {"name": surrogate_type},
}
}
}
]
}
}
inspect_config = {
"custom_info_types": [
{"info_type": {"name": surrogate_type}, "surrogate_type": {}}
]
}
# Convert string to item
item = {"value": input_str}
# Call the API
response = dlp.reidentify_content(
request={
"parent": parent,
"reidentify_config": reidentify_config,
"inspect_config": inspect_config,
"item": item,
}
)
# Print results
print(response.item.value)
다음 단계
다른 Google Cloud 제품의 코드 샘플을 검색하고 필터링하려면 Google Cloud 샘플 브라우저를 참조하세요.