Dimostra la reidentificazione di contenuti anonimizzati.
Per saperne di più
Per la documentazione dettagliata che include questo esempio di codice, consulta quanto segue:
Esempio di codice
C#
Per scoprire come installare e utilizzare la libreria client per Sensitive Data Protection, consulta Librerie client di Sensitive Data Protection.
Per eseguire l'autenticazione in Sensitive Data Protection, configura Credenziali predefinite dell'applicazione. Per maggiori informazioni, consulta Configurare l'autenticazione per un ambiente di sviluppo locale.
using System;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;
using Google.Protobuf;
using static Google.Cloud.Dlp.V2.CryptoReplaceFfxFpeConfig.Types;
public class ReidentifyContentUsingFpe
{
public static ReidentifyContentResponse ReidentifyContent(
string projectId,
string text,
string keyName,
string wrappedKey,
FfxCommonNativeAlphabet alphabet = FfxCommonNativeAlphabet.Numeric,
InfoType surrogateType = null)
{
// Instantiate the client.
var dlp = DlpServiceClient.Create();
// Specify the type of info the inspection will re-identify. This must use the same custom
// info type that was used as a surrogate during the initial encryption.
var infotype = surrogateType ?? new InfoType { Name = "SSN_TOKEN" };
// Specify how to un-encrypt the previously de-identified information.
var cryptoReplaceFfxFpeConfig = new CryptoReplaceFfxFpeConfig
{
CryptoKey = new CryptoKey
{
KmsWrapped = new KmsWrappedCryptoKey
{
CryptoKeyName = keyName,
WrappedKey = ByteString.FromBase64(wrappedKey)
}
},
CommonAlphabet = alphabet,
SurrogateInfoType = infotype
};
// Construct reidentify config using above created crypto replace config.
var reidentifyConfig = new DeidentifyConfig
{
InfoTypeTransformations = new InfoTypeTransformations
{
Transformations =
{
new InfoTypeTransformations.Types.InfoTypeTransformation
{
PrimitiveTransformation = new PrimitiveTransformation
{
CryptoReplaceFfxFpeConfig = cryptoReplaceFfxFpeConfig,
},
InfoTypes = { infotype }
}
}
}
};
// Construct the inspect config.
var inspectConfig = new InspectConfig
{
CustomInfoTypes =
{
new CustomInfoType
{
InfoType = infotype,
SurrogateType = new CustomInfoType.Types.SurrogateType()
}
}
};
// Construct the request.
var request = new ReidentifyContentRequest
{
ParentAsLocationName = new LocationName(projectId, "global"),
InspectConfig = inspectConfig,
ReidentifyConfig = reidentifyConfig,
Item = new ContentItem { Value = text },
};
// Call the API.
var response = dlp.ReidentifyContent(request);
// Inspect the response.
Console.WriteLine($"Reidentified content: {response.Item.Value}");
return response;
}
}
Go
Per scoprire come installare e utilizzare la libreria client per Sensitive Data Protection, consulta Librerie client di Sensitive Data Protection.
Per eseguire l'autenticazione in Sensitive Data Protection, configura Credenziali predefinite dell'applicazione. Per maggiori informazioni, consulta Configurare l'autenticazione per un ambiente di sviluppo locale.
import (
"context"
"encoding/base64"
"fmt"
"io"
dlp "cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// reidentifyFPE reidentifies the input with FPE (Format Preserving Encryption).
// keyFileName is the file name with the KMS wrapped key and cryptoKeyName is the
// full KMS key resource name used to wrap the key. surrogateInfoType is an
// the identifier used during deidentification.
// Info types can be found with the infoTypes.list method or on https://cloud.google.com/dlp/docs/infotypes-reference
func reidentifyFPE(w io.Writer, projectID, input, kmsKeyName, wrappedAesKey, surrogateInfoType string) error {
// projectID := "my-project-id"
// input := "My SSN is 123456789"
// keyFileName := "projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME"
// cryptoKeyName := "YOUR_ENCRYPTED_AES_256_KEY"
// surrogateInfoType := "AGE"
ctx := context.Background()
client, err := dlp.NewClient(ctx)
if err != nil {
return fmt.Errorf("dlp.NewClient: %w", err)
}
defer client.Close()
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
kmsWrappedCryptoKey, err := base64.StdEncoding.DecodeString(wrappedAesKey)
if err != nil {
fmt.Fprintf(w, "error %v", err)
return err
}
// Specify the crypto key configuration that will used for encryption.
cryptoKey := &dlppb.CryptoKey{
Source: &dlppb.CryptoKey_KmsWrapped{
KmsWrapped: &dlppb.KmsWrappedCryptoKey{
WrappedKey: kmsWrappedCryptoKey,
CryptoKeyName: kmsKeyName,
},
},
}
// Create a configured request.
req := &dlppb.ReidentifyContentRequest{
Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
ReidentifyConfig: &dlppb.DeidentifyConfig{
Transformation: &dlppb.DeidentifyConfig_InfoTypeTransformations{
InfoTypeTransformations: &dlppb.InfoTypeTransformations{
Transformations: []*dlppb.InfoTypeTransformations_InfoTypeTransformation{
{
InfoTypes: []*dlppb.InfoType{},
PrimitiveTransformation: &dlppb.PrimitiveTransformation{
Transformation: &dlppb.PrimitiveTransformation_CryptoReplaceFfxFpeConfig{
CryptoReplaceFfxFpeConfig: &dlppb.CryptoReplaceFfxFpeConfig{
CryptoKey: cryptoKey,
// Set the alphabet used for the encrypted fields.
Alphabet: &dlppb.CryptoReplaceFfxFpeConfig_CommonAlphabet{
CommonAlphabet: dlppb.CryptoReplaceFfxFpeConfig_ALPHA_NUMERIC,
},
// Set the surrogate info type used during deidentification.
SurrogateInfoType: &dlppb.InfoType{
Name: surrogateInfoType,
},
},
},
},
},
},
},
},
},
// The InspectConfig must identify the surrogate info type to reidentify.
InspectConfig: &dlppb.InspectConfig{
CustomInfoTypes: []*dlppb.CustomInfoType{
{
InfoType: &dlppb.InfoType{
Name: surrogateInfoType,
},
Type: &dlppb.CustomInfoType_SurrogateType_{
SurrogateType: &dlppb.CustomInfoType_SurrogateType{},
},
},
},
},
// The item to analyze.
Item: &dlppb.ContentItem{
DataItem: &dlppb.ContentItem_Value{
Value: input,
},
},
}
// Send the request.
r, err := client.ReidentifyContent(ctx, req)
if err != nil {
return fmt.Errorf("ReidentifyContent: %w", err)
}
// Print the result.
fmt.Fprint(w, r.GetItem().GetValue())
return nil
}
Java
Per scoprire come installare e utilizzare la libreria client per Sensitive Data Protection, consulta Librerie client di Sensitive Data Protection.
Per eseguire l'autenticazione in Sensitive Data Protection, configura Credenziali predefinite dell'applicazione. Per maggiori informazioni, consulta Configurare l'autenticazione per un ambiente di sviluppo locale.
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.common.io.BaseEncoding;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.CryptoReplaceFfxFpeConfig;
import com.google.privacy.dlp.v2.CryptoReplaceFfxFpeConfig.FfxCommonNativeAlphabet;
import com.google.privacy.dlp.v2.CustomInfoType;
import com.google.privacy.dlp.v2.CustomInfoType.SurrogateType;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.InfoType;
import com.google.privacy.dlp.v2.InfoTypeTransformations;
import com.google.privacy.dlp.v2.InfoTypeTransformations.InfoTypeTransformation;
import com.google.privacy.dlp.v2.InspectConfig;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.privacy.dlp.v2.ReidentifyContentRequest;
import com.google.privacy.dlp.v2.ReidentifyContentResponse;
import com.google.protobuf.ByteString;
import java.io.IOException;
public class ReIdentifyWithFpe {
public static void main(String[] args) throws Exception {
// TODO(developer): Replace these variables before running the sample.
String projectId = "your-project-id";
String textToReIdentify = "My SSN is SSN_TOKEN(9):731997681";
String kmsKeyName =
"projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME";
String wrappedAesKey = "YOUR_ENCRYPTED_AES_256_KEY";
reIdentifyWithFpe(projectId, textToReIdentify, kmsKeyName, wrappedAesKey);
}
public static void reIdentifyWithFpe(
String projectId, String textToReIdentify, String kmsKeyName, String wrappedAesKey)
throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try (DlpServiceClient dlp = DlpServiceClient.create()) {
// Specify what content you want the service to re-identify
ContentItem contentItem = ContentItem.newBuilder().setValue(textToReIdentify).build();
// Specify the type of info the inspection will re-identify. This must use the same custom
// into type that was used as a surrogate during the initial encryption.
InfoType surrogateInfoType = InfoType.newBuilder().setName("SSN_TOKEN").build();
CustomInfoType customInfoType =
CustomInfoType.newBuilder()
.setInfoType(surrogateInfoType)
.setSurrogateType(SurrogateType.getDefaultInstance())
.build();
InspectConfig inspectConfig =
InspectConfig.newBuilder().addCustomInfoTypes(customInfoType).build();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
KmsWrappedCryptoKey kmsWrappedCryptoKey =
KmsWrappedCryptoKey.newBuilder()
.setWrappedKey(ByteString.copyFrom(BaseEncoding.base64().decode(wrappedAesKey)))
.setCryptoKeyName(kmsKeyName)
.build();
CryptoKey cryptoKey = CryptoKey.newBuilder().setKmsWrapped(kmsWrappedCryptoKey).build();
// Specify how to un-encrypt the previously de-identified information
CryptoReplaceFfxFpeConfig cryptoReplaceFfxFpeConfig =
CryptoReplaceFfxFpeConfig.newBuilder()
.setCryptoKey(cryptoKey)
// Set of characters in the input text. For more info, see
// https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#DeidentifyTemplate.FfxCommonNativeAlphabet
.setCommonAlphabet(FfxCommonNativeAlphabet.NUMERIC)
.setSurrogateInfoType(surrogateInfoType)
.build();
PrimitiveTransformation primitiveTransformation =
PrimitiveTransformation.newBuilder()
.setCryptoReplaceFfxFpeConfig(cryptoReplaceFfxFpeConfig)
.build();
InfoTypeTransformation infoTypeTransformation =
InfoTypeTransformation.newBuilder()
.setPrimitiveTransformation(primitiveTransformation)
.addInfoTypes(surrogateInfoType)
.build();
InfoTypeTransformations transformations =
InfoTypeTransformations.newBuilder().addTransformations(infoTypeTransformation).build();
DeidentifyConfig reidentifyConfig =
DeidentifyConfig.newBuilder().setInfoTypeTransformations(transformations).build();
// Combine configurations into a request for the service.
ReidentifyContentRequest request =
ReidentifyContentRequest.newBuilder()
.setParent(LocationName.of(projectId, "global").toString())
.setItem(contentItem)
.setInspectConfig(inspectConfig)
.setReidentifyConfig(reidentifyConfig)
.build();
// Send the request and receive response from the service
ReidentifyContentResponse response = dlp.reidentifyContent(request);
// Print the results
System.out.println("Text after re-identification: " + response.getItem().getValue());
}
}
}
Node.js
Per scoprire come installare e utilizzare la libreria client per Sensitive Data Protection, consulta Librerie client di Sensitive Data Protection.
Per eseguire l'autenticazione in Sensitive Data Protection, configura Credenziali predefinite dell'applicazione. Per maggiori informazioni, consulta Configurare l'autenticazione per un ambiente di sviluppo locale.
// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');
// Instantiates a client
const dlp = new DLP.DlpServiceClient();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to reidentify
// const string = 'My SSN is PHONE_TOKEN(9):#########';
// The set of characters to replace sensitive ones with
// For more information, see https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#ffxcommonnativealphabet
// const alphabet = 'ALPHA_NUMERIC';
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use when reidentifying data
// const surrogateType = 'SOME_INFO_TYPE_DEID';
async function reidentifyWithFpe() {
// Construct deidentification request
const item = {value: string};
const request = {
parent: `projects/${projectId}/locations/global`,
reidentifyConfig: {
infoTypeTransformations: {
transformations: [
{
primitiveTransformation: {
cryptoReplaceFfxFpeConfig: {
cryptoKey: {
kmsWrapped: {
wrappedKey: wrappedKey,
cryptoKeyName: keyName,
},
},
commonAlphabet: alphabet,
surrogateInfoType: {
name: surrogateType,
},
},
},
},
],
},
},
inspectConfig: {
customInfoTypes: [
{
infoType: {
name: surrogateType,
},
surrogateType: {},
},
],
},
item: item,
};
// Run reidentification request
const [response] = await dlp.reidentifyContent(request);
const reidentifiedItem = response.item;
console.log(reidentifiedItem.value);
}
reidentifyWithFpe();
PHP
Per scoprire come installare e utilizzare la libreria client per Sensitive Data Protection, consulta Librerie client di Sensitive Data Protection.
Per eseguire l'autenticazione in Sensitive Data Protection, configura Credenziali predefinite dell'applicazione. Per maggiori informazioni, consulta Configurare l'autenticazione per un ambiente di sviluppo locale.
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig\FfxCommonNativeAlphabet;
use Google\Cloud\Dlp\V2\CustomInfoType;
use Google\Cloud\Dlp\V2\CustomInfoType\SurrogateType;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\ReidentifyContentRequest;
/**
* Reidentify a deidentified string using Format-Preserving Encryption (FPE).
*
* @param string $callingProjectId The GCP Project ID to run the API call under
* @param string $string The string to reidentify
* @param string $keyName The name of the Cloud KMS key used to encrypt (wrap) the AES-256 key
* @param string $wrappedKey The name of the Cloud KMS key use, encrypted with the KMS key in $keyName
* @param string $surrogateTypeName (Optional) Surrogate custom info type to enable reidentification
*/
function reidentify_fpe(
string $callingProjectId,
string $string,
string $keyName,
string $wrappedKey,
string $surrogateTypeName
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
// The infoTypes of information to mask
$ssnInfoType = (new InfoType())
->setName('US_SOCIAL_SECURITY_NUMBER');
$infoTypes = [$ssnInfoType];
// The set of characters to replace sensitive ones with
// For more information, see https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#ffxcommonnativealphabet
$commonAlphabet = FfxCommonNativeAlphabet::NUMERIC;
// Create the wrapped crypto key configuration object
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedKey))
->setCryptoKeyName($keyName);
// Create the crypto key configuration object
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Create the surrogate type object
$surrogateType = (new InfoType())
->setName($surrogateTypeName);
$customInfoType = (new CustomInfoType())
->setInfoType($surrogateType)
->setSurrogateType(new SurrogateType());
// Create the crypto FFX FPE configuration object
$cryptoReplaceFfxFpeConfig = (new CryptoReplaceFfxFpeConfig())
->setCryptoKey($cryptoKey)
->setCommonAlphabet($commonAlphabet)
->setSurrogateInfoType($surrogateType);
// Create the information transform configuration objects
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoReplaceFfxFpeConfig($cryptoReplaceFfxFpeConfig);
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
// Create the inspect configuration object
$inspectConfig = (new InspectConfig())
->setCustomInfoTypes([$customInfoType]);
// Create the reidentification configuration object
$reidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
$item = (new ContentItem())
->setValue($string);
$parent = "projects/$callingProjectId/locations/global";
// Run request
$reidentifyContentRequest = (new ReidentifyContentRequest())
->setParent($parent)
->setReidentifyConfig($reidentifyConfig)
->setInspectConfig($inspectConfig)
->setItem($item);
$response = $dlp->reidentifyContent($reidentifyContentRequest);
// Print the results
$reidentifiedValue = $response->getItem()->getValue();
print($reidentifiedValue);
}
Python
Per scoprire come installare e utilizzare la libreria client per Sensitive Data Protection, consulta Librerie client di Sensitive Data Protection.
Per eseguire l'autenticazione in Sensitive Data Protection, configura Credenziali predefinite dell'applicazione. Per maggiori informazioni, consulta Configurare l'autenticazione per un ambiente di sviluppo locale.
import base64
import google.cloud.dlp
def reidentify_with_fpe(
project: str,
input_str: str,
alphabet: str = None,
surrogate_type: str = None,
key_name: str = None,
wrapped_key: str = None,
) -> None:
"""Uses the Data Loss Prevention API to reidentify sensitive data in a
string that was encrypted by Format Preserving Encryption (FPE).
Args:
project: The Google Cloud project id to use as a parent resource.
input_str: The string to deidentify (will be treated as text).
alphabet: The set of characters to replace sensitive ones with. For
more information, see https://cloud.google.com/dlp/docs/reference/
rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
surrogate_type: The name of the surrogate custom info type to used
during the encryption process.
key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
AES-256 key. Example:
keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The encrypted ('wrapped') AES-256 key to use. This key
should be encrypted using the Cloud KMS key specified by key_name.
Returns:
None; the response from the API is printed to the terminal.
"""
# Instantiate a client
dlp = google.cloud.dlp_v2.DlpServiceClient()
# Convert the project id into a full resource id.
parent = f"projects/{project}/locations/global"
# The wrapped key is base64-encoded, but the library expects a binary
# string, so decode it here.
wrapped_key = base64.b64decode(wrapped_key)
# Construct Deidentify Config
reidentify_config = {
"info_type_transformations": {
"transformations": [
{
"primitive_transformation": {
"crypto_replace_ffx_fpe_config": {
"crypto_key": {
"kms_wrapped": {
"wrapped_key": wrapped_key,
"crypto_key_name": key_name,
}
},
"common_alphabet": alphabet,
"surrogate_info_type": {"name": surrogate_type},
}
}
}
]
}
}
inspect_config = {
"custom_info_types": [
{"info_type": {"name": surrogate_type}, "surrogate_type": {}}
]
}
# Convert string to item
item = {"value": input_str}
# Call the API
response = dlp.reidentify_content(
request={
"parent": parent,
"reidentify_config": reidentify_config,
"inspect_config": inspect_config,
"item": item,
}
)
# Print results
print(response.item.value)
Passaggi successivi
Per cercare e filtrare esempi di codice per altri prodotti Google Cloud, consulta la pagina relativa al browser di esempio Google Cloud.