고객 제공 암호화 키 사용

이 페이지에서는 Cloud Storage에서 고객 제공 암호화 키라 하는 자체 암호화 키를 사용하는 방법을 설명합니다. 이 기능에 대한 자세한 내용(사용 가능한 국가 포함)은 고객 제공 암호화 키를 참조하세요. Cloud Storage의 다른 암호화 옵션은 데이터 암호화 옵션을 참조하세요.

자체 암호화 키 생성

다양한 방법으로 Base64 인코딩 AES-256 암호화 키를 만들 수 있습니다. 다음은 몇 가지 예입니다.

C++

자세한 내용은 Cloud Storage C++ API 참조 문서를 참조하세요.

// Create a pseudo-random number generator (PRNG), this is included for
// demonstration purposes only. You should consult your security team about
// best practices to initialize PRNG. In particular, you should verify that
// the C++ library and operating system provide enough entropy to meet the
// security policies in your organization.

// Use the Mersenne-Twister Engine in this example:
//   https://en.cppreference.com/w/cpp/numeric/random/mersenne_twister_engine
// Any C++ PRNG can be used below, the choice is arbitrary.
using GeneratorType = std::mt19937_64;

// Create the default random device to fetch entropy.
std::random_device rd;

// Compute how much entropy we need to initialize the GeneratorType:
constexpr auto kRequiredEntropyWords =
    GeneratorType::state_size *
    (GeneratorType::word_size / std::numeric_limits<unsigned int>::digits);

// Capture the entropy bits into a vector.
std::vector<unsigned long> entropy(kRequiredEntropyWords);
std::generate(entropy.begin(), entropy.end(), [&rd] { return rd(); });

// Create the PRNG with the fetched entropy.
std::seed_seq seed(entropy.begin(), entropy.end());

// initialized with enough entropy such that the encryption keys are not
// predictable. Note that the default constructor for all the generators in
// the C++ standard library produce predictable keys.
std::mt19937_64 gen(seed);

namespace gcs = google::cloud::storage;
gcs::EncryptionKeyData data = gcs::CreateKeyFromGenerator(gen);

std::cout << "Base64 encoded key = " << data.key << "\n"
          << "Base64 encoded SHA256 of key = " << data.sha256 << "\n";

C#

자세한 내용은 Cloud Storage C# API 참조 문서를 참조하세요.

void GenerateEncryptionKey()
{
    Console.Write(EncryptionKey.Generate().Base64Key);
}

Node.js

자세한 내용은 Cloud Storage Node.js API 참조 문서를 참조하세요.

const crypto = require('crypto');

/**
 * Generates a 256 bit (32 byte) AES encryption key and prints the base64
 * representation.
 *
 * This is included for demonstration purposes. You should generate your own
 * key. Please remember that encryption keys should be handled with a
 * comprehensive security policy.
 *
 * @returns {string} The encryption key.
 */
function generateEncryptionKey() {
  const buffer = crypto.randomBytes(32);
  const encodedKey = buffer.toString('base64');

  console.log(`Base 64 encoded encryption key: ${encodedKey}`);

  return encodedKey;
}

PHP

자세한 내용은 Cloud Storage PHP API 참조 문서를 참조하세요.

/**
 * Generate a base64 encoded encryption key for Google Cloud Storage.
 *
 * @return void
 */
function generate_encryption_key()
{
    $key = random_bytes(32);
    $encodedKey = base64_encode($key);
    printf('Your encryption key: %s' . PHP_EOL, $encodedKey);
}

Python

자세한 내용은 Cloud Storage Python API 참조 문서를 참조하세요.

def generate_encryption_key():
    """Generates a 256 bit (32 byte) AES encryption key and prints the
    base64 representation.

    This is included for demonstration purposes. You should generate your own
    key. Please remember that encryption keys should be handled with a
    comprehensive security policy.
    """
    key = os.urandom(32)
    encoded_key = base64.b64encode(key).decode('utf-8')
    print('Base 64 encoded encryption key: {}'.format(encoded_key))

Ruby

자세한 내용은 Cloud Storage Ruby API 참조 문서를 참조하세요.

require "base64"
require "openssl"

encryption_key  = OpenSSL::Cipher.new("aes-256-cfb").encrypt.random_key
encoded_enc_key = Base64.encode64 encryption_key

puts "Sample encryption key: #{encoded_enc_key}"

암호화 키를 사용한 업로드

고객 제공 암호화 키를 사용하여 객체를 업로드하려면 다음을 따르세요.

gsutil

  1. boto 구성 파일[GSUtil] 섹션에 다음 옵션을 추가합니다.

    encryption_key = [YOUR_ENCRYPTION_KEY]

    여기서 [YOUR_ENCRYPTION_KEY]는 업로드한 파일을 암호화하는 키입니다.

  2. gsutil cp 명령어를 사용합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.

    gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/

코드 샘플

C++

자세한 내용은 Cloud Storage C++ API 참조 문서를 참조하세요.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string object_name,
   std::string base64_aes256_key) {
  StatusOr<gcs::ObjectMetadata> object_metadata = client.InsertObject(
      bucket_name, object_name, "top secret",
      gcs::EncryptionKey::FromBase64Key(base64_aes256_key));

  if (!object_metadata) {
    throw std::runtime_error(object_metadata.status().message());
  }

  std::cout << "The object " << object_metadata->name()
            << " was created in bucket " << object_metadata->bucket()
            << "\nFull metadata: " << *object_metadata << "\n";
}

C#

자세한 내용은 Cloud Storage C# API 참조 문서를 참조하세요.

private void UploadEncryptedFile(string key, string bucketName,
    string localPath, string objectName = null)
{
    var storage = StorageClient.Create();
    using (var f = File.OpenRead(localPath))
    {
        objectName = objectName ?? Path.GetFileName(localPath);
        storage.UploadObject(bucketName, objectName, null, f,
            new UploadObjectOptions()
            {
                EncryptionKey = EncryptionKey.Create(
                Convert.FromBase64String(key))
            });
        Console.WriteLine($"Uploaded {objectName}.");
    }
}

Go

자세한 내용은 Cloud Storage Go API 참조 문서를 참조하세요.

obj := client.Bucket(bucket).Object(object)
// Encrypt the object's contents.
wc := obj.Key(secretKey).NewWriter(ctx)
if _, err := wc.Write([]byte("top secret")); err != nil {
	return err
}
if err := wc.Close(); err != nil {
	return err
}

자바

자세한 내용은 Cloud Storage 자바 API 참조 문서를 참조하세요.

byte[] data = "Hello, World!".getBytes(UTF_8);

BlobId blobId = BlobId.of(bucketName, blobName);
BlobInfo blobInfo = BlobInfo.newBuilder(blobId).setContentType("text/plain").build();
Blob blob = storage.create(blobInfo, data, BlobTargetOption.encryptionKey(encryptionKey));

Node.js

자세한 내용은 Cloud Storage Node.js API 참조 문서를 참조하세요.

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const srcFilename = 'Local file to upload, e.g. ./local/path/to/file.txt';
// const destFilename = 'Remote destination for file, e.g. file_encrypted.txt';

// See the "Generating your own encryption key" section above.
// const key = 'A base64 encoded customer-supplied key';

const options = {
  // The path to which the file should be uploaded, e.g. "file_encrypted.txt"
  destination: destFilename,
  // Encrypt the file with a customer-supplied key.
  // See the "Generating your own encryption key" section above.
  encryptionKey: Buffer.from(key, 'base64'),
};

// Encrypts and uploads a local file, e.g. "./local/path/to/file.txt".
// The file will only be retrievable using the key used to upload it.
await storage.bucket(bucketName).upload(srcFilename, options);

console.log(
  `File ${srcFilename} uploaded to gs://${bucketName}/${destFilename}.`
);

PHP

자세한 내용은 Cloud Storage PHP API 참조 문서를 참조하세요.

use Google\Cloud\Storage\StorageClient;

/**
 * Upload an encrypted file.
 *
 * @param string $bucketName the name of your Google Cloud bucket.
 * @param string $objectName the name of your Google Cloud object.
 * @param resource $source the path to the file to upload.
 * @param string $base64EncryptionKey the base64 encoded encryption key.
 *
 * @return void
 */
function upload_encrypted_object($bucketName, $objectName, $source, $base64EncryptionKey)
{
    $storage = new StorageClient();
    $file = fopen($source, 'r');
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->upload($file, [
        'name' => $objectName,
        'encryptionKey' => $base64EncryptionKey,
    ]);
    printf('Uploaded encrypted %s to gs://%s/%s' . PHP_EOL,
        basename($source), $bucketName, $objectName);
}

Python

자세한 내용은 Cloud Storage Python API 참조 문서를 참조하세요.

def upload_encrypted_blob(bucket_name, source_file_name,
                          destination_blob_name, base64_encryption_key):
    """Uploads a file to a Google Cloud Storage bucket using a custom
    encryption key.

    The file will be encrypted by Google Cloud Storage and only
    retrievable using the provided encryption key.
    """
    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    # Encryption key must be an AES256 key represented as a bytestring with
    # 32 bytes. Since it's passed in as a base64 encoded string, it needs
    # to be decoded.
    encryption_key = base64.b64decode(base64_encryption_key)
    blob = Blob(destination_blob_name, bucket, encryption_key=encryption_key)

    blob.upload_from_filename(source_file_name)

    print('File {} uploaded to {}.'.format(
        source_file_name,
        destination_blob_name))

Ruby

자세한 내용은 Cloud Storage Ruby API 참조 문서를 참조하세요.

# project_id        = "Your Google Cloud project ID"
# bucket_name       = "Your Google Cloud Storage bucket name"
# local_file_path   = "Path to local file to upload"
# storage_file_path = "Path to store the file in Google Cloud Storage"
# encryption_key    = "AES-256 encryption key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

bucket = storage.bucket bucket_name

file = bucket.create_file local_file_path, storage_file_path,
                          encryption_key: encryption_key

puts "Uploaded #{file.name} with encryption key"

REST API

JSON API

  1. OAuth 2.0 Playground에서 승인 액세스 토큰을 가져옵니다. Playground에서 OAuth 사용자 인증 정보를 사용하도록 구성합니다.
  2. 객체 데이터를 요청 본문에 추가합니다.
  3. cURL을 사용하여 POST Object 요청으로 JSON API를 호출합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.
    curl -X POST --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        "https://www.googleapis.com/upload/storage/v1/b/[BUCKET_NAME]/o?uploadType=media&name=[OBJECT_NAME]"

암호화 관련 헤더에 대한 자세한 내용은 암호화 요청 헤더를 참조하세요.

XML API

  1. OAuth 2.0 Playground에서 승인 액세스 토큰을 가져옵니다. Playground에서 OAuth 사용자 인증 정보를 사용하도록 구성합니다.
  2. 객체 데이터를 요청 본문에 추가합니다.
  3. cURL을 사용하여 PUT Object 요청으로 XML API를 호출합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.
    curl -X -i PUT --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"

암호화 관련 헤더에 대한 자세한 내용은 암호화 요청 헤더를 참조하세요.

암호화한 객체 다운로드

고객 제공 암호화 키로 암호화하여 Cloud Storage에 저장된 객체를 다운로드하려면 다음을 따르세요.

gsutil

  1. boto 구성 파일[GSUtil] 섹션에 다음 옵션을 추가합니다.

    decryption_key1 = [YOUR_ENCRYPTION_KEY]

    여기서 [YOUR_ENCRYPTION_KEY]는 업로드 시 객체를 암호화는 데 사용된 키입니다.

  2. gsutil cp 명령어를 사용합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.

    gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]

코드 샘플

C++

자세한 내용은 Cloud Storage C++ API 참조 문서를 참조하세요.

namespace gcs = google::cloud::storage;
[](gcs::Client client, std::string bucket_name, std::string object_name,
   std::string base64_aes256_key) {
  gcs::ObjectReadStream stream =
      client.ReadObject(bucket_name, object_name,
                        gcs::EncryptionKey::FromBase64Key(base64_aes256_key));

  std::string data(std::istreambuf_iterator<char>{stream}, {});
  std::cout << "The object contents are: " << data << "\n";
}

C#

자세한 내용은 Cloud Storage C# API 참조 문서를 참조하세요.

private void DownloadEncryptedObject(string key, string bucketName,
    string objectName, string localPath = null)
{
    var storage = StorageClient.Create();
    localPath = localPath ?? Path.GetFileName(objectName);
    using (var outputFile = File.OpenWrite(localPath))
    {
        storage.DownloadObject(bucketName, objectName, outputFile,
            new DownloadObjectOptions()
            {
                EncryptionKey = EncryptionKey.Create(
                    Convert.FromBase64String(key))
            });
    }
    Console.WriteLine($"downloaded {objectName} to {localPath}.");
}

Go

자세한 내용은 Cloud Storage Go API 참조 문서를 참조하세요.

obj := client.Bucket(bucket).Object(object)
rc, err := obj.Key(secretKey).NewReader(ctx)
if err != nil {
	return nil, err
}
defer rc.Close()

data, err := ioutil.ReadAll(rc)
if err != nil {
	return nil, err
}

자바

자세한 내용은 Cloud Storage 자바 API 참조 문서를 참조하세요.

byte[] content =
    storage.readAllBytes(bucketName, blobName, BlobSourceOption.decryptionKey(decryptionKey));

Node.js

자세한 내용은 Cloud Storage Node.js API 참조 문서를 참조하세요.

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const srcFilename = 'File to download, e.g. file_encrypted.txt';
// const destFilename = 'Local destination for file, e.g. ./file.txt';

// See the "Generating your own encryption key" section above.
// const key = 'A base64 encoded customer-supplied key';

const options = {
  // The path to which the file should be downloaded, e.g. "./file.txt"
  destination: destFilename,
};

// Descrypts and downloads the file. This can only be done with the key used
// to encrypt and upload the file.
await storage
  .bucket(bucketName)
  .file(srcFilename)
  .setEncryptionKey(Buffer.from(key, 'base64'))
  .download(options);

console.log(`File ${srcFilename} downloaded to ${destFilename}.`);

PHP

자세한 내용은 Cloud Storage PHP API 참조 문서를 참조하세요.

use Google\Cloud\Storage\StorageClient;

/**
 * Download an encrypted file
 *
 * @param string $bucketName the name of your Google Cloud bucket.
 * @param string $objectName the name of your Google Cloud object.
 * @param string $destination the local destination to save the encrypted file.
 * @param string $base64EncryptionKey the base64 encoded encryption key.
 *
 * @return void
 */
function download_encrypted_object($bucketName, $objectName, $destination, $base64EncryptionKey)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->object($objectName);
    $object->downloadToFile($destination, [
        'encryptionKey' => $base64EncryptionKey,
    ]);
    printf('Encrypted object gs://%s/%s downloaded to %s' . PHP_EOL,
        $bucketName, $objectName, basename($destination));
}

Python

자세한 내용은 Cloud Storage Python API 참조 문서를 참조하세요.

def download_encrypted_blob(bucket_name, source_blob_name,
                            destination_file_name, base64_encryption_key):
    """Downloads a previously-encrypted blob from Google Cloud Storage.

    The encryption key provided must be the same key provided when uploading
    the blob.
    """
    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    # Encryption key must be an AES256 key represented as a bytestring with
    # 32 bytes. Since it's passed in as a base64 encoded string, it needs
    # to be decoded.
    encryption_key = base64.b64decode(base64_encryption_key)
    blob = Blob(source_blob_name, bucket, encryption_key=encryption_key)

    blob.download_to_filename(destination_file_name)

    print('Blob {} downloaded to {}.'.format(
        source_blob_name,
        destination_file_name))

Ruby

자세한 내용은 Cloud Storage Ruby API 참조 문서를 참조하세요.

# project_id     = "Your Google Cloud project ID"
# bucket_name    = "Your Google Cloud Storage bucket name"
# file_name      = "Name of file in Google Cloud Storage to download locally"
# local_path     = "Destination path for downloaded file"
# encryption_key = "AES-256 encryption key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

bucket = storage.bucket bucket_name

file = bucket.file storage_file_path, encryption_key: encryption_key
file.download local_file_path, encryption_key: encryption_key

puts "Downloaded encrypted #{file.name}"

REST API

JSON API

  1. OAuth 2.0 Playground에서 승인 액세스 토큰을 가져옵니다. OAuth 사용자 인증 정보를 사용할 수 있도록 플레이그라운드를 구성합니다.
  2. cURL을 사용하여 GET Object 요청으로 JSON API를 호출합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.
    curl -X GET \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        -o "[SAVE_TO_LOCATION]" \
        "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/o/[OBJECT_NAME]?alt=media"

암호화 관련 헤더에 대한 자세한 내용은 암호화 요청 헤더를 참조하세요.

XML API

  1. OAuth 2.0 Playground에서 승인 액세스 토큰을 가져옵니다. OAuth 사용자 인증 정보를 사용할 수 있도록 플레이그라운드를 구성합니다.
  2. cURL을 사용하여 GET Object 요청으로 XML API를 호출합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.
    curl -X GET \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        -o "[SAVE_TO_LOCATION]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"

암호화 관련 헤더에 대한 자세한 내용은 암호화 요청 헤더를 참조하세요.

암호화 키 순환

고객 제공 암호화 키를 순환하려면 다음을 따르세요.

gsutil

  1. boto 구성 파일[GSUtil] 섹션에 다음 옵션을 추가합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.

    encryption_key = [NEW_ENCRYPTION_KEY]
    decryption_key1 = [OLD_ENCRYPTION_KEY]
  2. gsutil rewrite 명령어를 -k 플래그와 함께 사용합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.

    gsutil rewrite -k gs://[BUCKET-NAME]/[OBJECT_NAME]

코드 샘플

C++

자세한 내용은 Cloud Storage C++ API 참조 문서를 참조하세요.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string object_name,
   std::string old_key_base64, std::string new_key_base64) {
  StatusOr<gcs::ObjectMetadata> object_metadata =
      client.RewriteObjectBlocking(
          bucket_name, object_name, bucket_name, object_name,
          gcs::SourceEncryptionKey::FromBase64Key(old_key_base64),
          gcs::EncryptionKey::FromBase64Key(new_key_base64));

  if (!object_metadata) {
    throw std::runtime_error(object_metadata.status().message());
  }

  std::cout << "Rotated key on object " << object_metadata->name()
            << " in bucket " << object_metadata->bucket()
            << "\nFull Metadata: " << *object_metadata << "\n";
}

Go

자세한 내용은 Cloud Storage Go API 참조 문서를 참조하세요.

client, err := storage.NewClient(ctx)
if err != nil {
	return err
}
obj := client.Bucket(bucket).Object(object)
// obj is encrypted with key, we are encrypting it with the newKey.
_, err = obj.Key(newKey).CopierFrom(obj.Key(key)).Run(ctx)
if err != nil {
	return err
}

자바

자세한 내용은 Cloud Storage 자바 API 참조 문서를 참조하세요.

BlobId blobId = BlobId.of(bucketName, blobName);
CopyRequest request =
    CopyRequest.newBuilder()
        .setSource(blobId)
        .setSourceOptions(BlobSourceOption.decryptionKey(oldEncryptionKey))
        .setTarget(blobId, BlobTargetOption.encryptionKey(newEncryptionKey))
        .build();
Blob blob = storage.copy(request).getResult();

PHP

자세한 내용은 Cloud Storage PHP API 참조 문서를 참조하세요.

use Google\Cloud\Storage\StorageClient;

/**
 * Change the encryption key used to store an existing object.
 *
 * @param string $bucketName the name of your Google Cloud bucket.
 * @param string $objectName the name of your Google Cloud object.
 * @param string $base64EncryptionKey the base64 encoded encryption key.
 * @param string $newBase64EncryptionKey the new base64 encoded encryption key.
 *
 * @return void
 */
function rotate_encryption_key(
    $bucketName,
    $objectName,
    $base64EncryptionKey,
    $newBase64EncryptionKey
) {
    $storage = new StorageClient();
    $object = $storage->bucket($bucketName)->object($objectName);

    $rewrittenObject = $object->rewrite($bucketName, [
        'encryptionKey' => $base64EncryptionKey,
        'destinationEncryptionKey' => $newBase64EncryptionKey,
    ]);

    printf('Rotated encryption key for object gs://%s/%s' . PHP_EOL,
        $bucketName, $objectName);
}

Python

자세한 내용은 Cloud Storage Python API 참조 문서를 참조하세요.

def rotate_encryption_key(bucket_name, blob_name, base64_encryption_key,
                          base64_new_encryption_key):
    """Performs a key rotation by re-writing an encrypted blob with a new
    encryption key."""
    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    current_encryption_key = base64.b64decode(base64_encryption_key)
    new_encryption_key = base64.b64decode(base64_new_encryption_key)

    # Both source_blob and destination_blob refer to the same storage object,
    # but destination_blob has the new encryption key.
    source_blob = Blob(
        blob_name, bucket, encryption_key=current_encryption_key)
    destination_blob = Blob(
        blob_name, bucket, encryption_key=new_encryption_key)

    token = None

    while True:
        token, bytes_rewritten, total_bytes = destination_blob.rewrite(
            source_blob, token=token)
        if token is None:
            break

    print('Key rotation complete for Blob {}'.format(blob_name))

Ruby

자세한 내용은 Cloud Storage Ruby API 참조 문서를 참조하세요.

# project_id             = "Your Google Cloud project ID"
# bucket_name            = "Your Google Cloud Storage bucket name"
# file_name              = "Name of a file in the Cloud Storage bucket"
# current_encryption_key = "Encryption key currently being used"
# new_encryption_key     = "New encryption key to use"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket  = storage.bucket bucket_name
file    = bucket.file file_name, encryption_key: current_encryption_key

file.rotate encryption_key:     current_encryption_key,
            new_encryption_key: new_encryption_key

puts "The encryption key for #{file.name} in #{bucket.name} was rotated."

REST API

JSON API

  1. OAuth 2.0 Playground에서 승인 액세스 토큰을 가져옵니다. OAuth 사용자 인증 정보를 사용할 수 있도록 플레이그라운드를 구성합니다.
  2. cURL을 사용하여 POST Object 요청으로 JSON API를 호출합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.
    curl -X POST --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [NEW_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_NEW_KEY]" \
        -H "x-goog-copy-source-encryption-algorithm: AES256" \
        -H "x-goog-copy-source-encryption-key: [OLD_ENCRYPTION_KEY]" \
        -H "x-goog-copy-source-encryption-key-sha256: [HASH_OF_OLD_KEY]" \
        "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/o/[OBJECT_NAME]/rewriteTo/b/[BUCKET_NAME]/o/[OBJECT_NAME]"

암호화 관련 헤더에 대한 자세한 내용은 암호화 요청 헤더를 참조하세요.

XML API

  1. OAuth 2.0 Playground에서 승인 액세스 토큰을 가져옵니다. Playground에서 OAuth 사용자 인증 정보를 사용하도록 구성합니다.
  2. Cloud Storage에서 원본 객체를 삭제합니다. 이렇게 하려면 cURL을 사용하여 DELETE Object 요청으로 XML API를 호출합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.
    curl -X DELETE \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"
  3. 객체 데이터를 새로운 요청 본문에 추가합니다.
  4. cURL을 사용하여 PUT Object 요청으로 XML API를 호출합니다. 여기서 [VALUES_IN_BRACKETS]를 적절한 값으로 바꿉니다.
    curl -X -i PUT --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [NEW_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_NEW_KEY]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"

암호화 관련 헤더에 대한 자세한 내용은 암호화 요청 헤더를 참조하세요.

이 페이지가 도움이 되었나요? 평가를 부탁드립니다.

다음에 대한 의견 보내기...

도움이 필요하시나요? 지원 페이지를 방문하세요.