本頁面說明如何使用 Cloud Key Management Service (Cloud KMS) 建立包裝金鑰,然後使用該金鑰將 deidentify 和 reidentify 要求傳送至 Sensitive Data Protection 的 Cloud Data Loss Prevention API。
使用加密金鑰去識別化及重新識別內容的程序稱為「匿名化」 (或「代碼化」)。如要瞭解這項程序的概念資訊,請參閱「匿名化」。
如需端對端範例,瞭解如何建立包裝金鑰、將內容權杖化,以及重新識別權杖化內容,請參閱「快速入門:將機密文字去識別化及重新識別化」。
完成本主題中的步驟大約需要 5 到 10 分鐘,不包括「事前準備」步驟。
事前準備
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
Install the Google Cloud CLI.
-
如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI。
-
如要初始化 gcloud CLI,請執行下列指令:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Sensitive Data Protection and Cloud KMS APIs:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable dlp.googleapis.com
cloudkms.googleapis.com -
Grant roles to your user account. Run the following command once for each of the following IAM roles:
roles/dlp.usergcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE
Replace the following:
PROJECT_ID: your project ID.USER_IDENTIFIER: the identifier for your user account—for example,myemail@example.com.ROLE: the IAM role that you grant to your user account.
-
Install the Google Cloud CLI.
-
如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI。
-
如要初始化 gcloud CLI,請執行下列指令:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Sensitive Data Protection and Cloud KMS APIs:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable dlp.googleapis.com
cloudkms.googleapis.com -
Grant roles to your user account. Run the following command once for each of the following IAM roles:
roles/dlp.usergcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE
Replace the following:
PROJECT_ID: your project ID.USER_IDENTIFIER: the identifier for your user account—for example,myemail@example.com.ROLE: the IAM role that you grant to your user account.
建立金鑰環:
gcloud kms keyrings create "dlp-keyring" \ --location "global"建立金鑰:
gcloud kms keys create "dlp-key" \ --location "global" \ --keyring "dlp-keyring" \ --purpose "encryption"列出金鑰環和金鑰:
gcloud kms keys list \ --location "global" \ --keyring "dlp-keyring"您會看到以下輸出內容:
NAME PURPOSE ALGORITHM PROTECTION_LEVEL LABELS PRIMARY_ID PRIMARY_STATE projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key ENCRYPT_DECRYPT GOOGLE_SYMMETRIC_ENCRYPTION SOFTWARE 1 ENABLED
在這個輸出內容中,
PROJECT_ID是專案 ID。NAME下方的路徑是 Cloud KMS 金鑰的完整資源名稱。請記下這項資訊,因為去識別化和重新識別要求需要這項資訊。建立 128、192 或 256 位元的 AES 金鑰。下列指令會使用
openssl在目前目錄中建立 256 位元金鑰:openssl rand -out "./aes_key.bin" 32檔案
aes_key.bin會新增至目前目錄。將 AES 金鑰編碼為 Base64 字串:
base64 -i ./aes_key.bin您會看到類似以下的輸出內容:
uEDo6/yKx+zCg2cZ1DBwpwvzMVNk/c+jWs7OwpkMc/s=
進一步瞭解如何透過加密編譯金鑰將資料代碼化。
逐步完成端對端範例,瞭解如何建立包裝金鑰、將內容權杖化,以及重新識別權杖化內容。
進一步瞭解接受這個包裝金鑰的去識別化方法,並查看程式碼範例。
步驟 1:建立金鑰環和金鑰
開始這項程序前,請先決定要讓 Sensitive Data Protection 在何處處理去識別化和重新識別化要求。建立 Cloud KMS 金鑰時,您必須將金鑰儲存在 global,或是儲存在您要用於 Sensitive Data Protection 要求的相同區域。否則 Sensitive Data Protection 要求會失敗。
如要查看支援的地點清單,請參閱「Sensitive Data Protection 地點」。請記下所選區域的名稱 (例如 us-west1)。
這個程序會使用 global 做為所有 API 要求的所在位置。如要使用其他地區,請將 global 替換為地區名稱。
步驟 2:建立採用 Base64 編碼的 AES 金鑰
本節說明如何建立進階加密標準 (AES) 金鑰,並以 base64 格式編碼。
步驟 3:使用 Cloud KMS 金鑰包裝 AES 金鑰
本節說明如何使用在步驟 1 中建立的 Cloud KMS 金鑰,包裝在步驟 2 中建立的 Base64 編碼 AES 金鑰。
如要包裝 AES 金鑰,請使用 curl 將下列要求傳送至 Cloud KMS API projects.locations.keyRings.cryptoKeys.encrypt:
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key:encrypt" \
--request "POST" \
--header "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
--header "content-type: application/json" \
--data "{\"plaintext\": \"BASE64_ENCODED_AES_KEY\"}"
更改下列內容:
您從 Cloud KMS 取得的回應類似於下列 JSON:
{
"name": "projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key/cryptoKeyVersions/1",
"ciphertext": "CiQAYuuIGo5DVaqdE0YLioWxEhC8LbTmq7Uy2G3qOJlZB7WXBw0SSQAjdwP8ZusZJ3Kr8GD9W0vaFPMDksmHEo6nTDaW/j5sSYpHa1ym2JHk+lUgkC3Zw5bXhfCNOkpXUdHGZKou1893O8BDby/82HY=",
"ciphertextCrc32c": "901327763",
"protectionLevel": "SOFTWARE"
}
在這個輸出內容中,PROJECT_ID 是專案 ID。
請記下您收到的回應中 ciphertext 的值。這就是經過包裝的金鑰。