Tink 可让您对某些数据执行客户端加密,并保护您的数据, 密钥。其工作原理如下:
- 客户端生成数据加密密钥 (DEK)。
- 客户端使用 DEK 对数据进行加密。
- DEK 使用存储在云端的密钥加密密钥 (KEK) 进行加密 KMS。
通过使用云端 KMS,您的 KEK 会安全地存储在云端,您可以 您可以根据需要将其旋转、停用或销毁。
如需了解详情,请参阅密钥管理概览部分 Tink 与 Cloud KMS 交互所需满足的条件。
借助 Tink,您可以通过以下两种方式使用 Cloud KMS 执行客户端加密:
使用 KMS 信封 AEAD 原语 (
KmsEnvelopeAead
) – 对于每个 加密时,Tink 会创建新的 AEAD DEK,并使用云 KMS KEK 对其进行加密。 并将其存储为密文的一部分,因此您不需要处理 DEK 。因此,密文要长一点, 包含经过加密的 DEK。此外,每次加密或解密时 Tink 向 KMS(密钥的实际解密或加密) 数据在本地执行)。使用另一个基元并通过云加密密钥集 KMS - 该服务更加灵活,因为 您可以使用除 AEAD 之外的其他基元,并且可以限制 对云端 KMS 的调用。
KMS 信封 AEAD
当您使用 KmsEnvelopeAead
基元加密数据时,Tink 会执行
以下内容:
- 生成随机 DEK,并用它来在本地加密数据。
- 向您的 KMS 发出请求,以使用 KMS KEK 加密 DEK。
- 将 KEK 加密的加密 DEK 与加密的数据串联起来。
DEK 类型和 KEK URI 均在 KmsEnvelopeAead
键中指定。
解密时,Tink 会执行反向操作:
- 提取 KEK 加密的 DEK 密钥。
- 向您的 KMS 发出请求,对经过 KEK 加密的 DEK 进行解密。
- 使用 DEK 在本地解密密文。
以下示例展示了如何使用 KmsEnvelopeAead
基元。
C++
在此示例中,您需要 Google Cloud KMS 扩展程序
tink-cc-gcpkms
。
// A command-line utility for testing Tink Envelope AEAD with Google Cloud KMS. #include <fstream> #include <iostream> #include <memory> #include <ostream> #include <sstream> #include <string> #include <utility> #include "absl/flags/flag.h" #include "absl/flags/parse.h" #include "absl/log/check.h" #include "absl/log/log.h" #include "absl/status/status.h" #include "absl/strings/str_cat.h" #include "absl/strings/string_view.h" #include "tink/aead.h" #include "tink/aead/aead_config.h" #include "tink/aead/aead_key_templates.h" #include "tink/aead/kms_envelope_aead.h" #include "tink/integration/gcpkms/gcp_kms_client.h" #include "tink/util/status.h" #include "tink/util/statusor.h" #include "proto/tink.pb.h" ABSL_FLAG(std::string, mode, "", "Mode of operation {encrypt|decrypt}"); ABSL_FLAG(std::string, kek_uri, "", "URI of the KMS Key Encryption Key to use"); ABSL_FLAG(std::string, input_filename, "", "Input file name"); ABSL_FLAG(std::string, output_filename, "", "Output file name"); ABSL_FLAG(std::string, credentials, "", "Optional Google Cloud KMS credentials file path; if not specified, " "use the default credentials"); ABSL_FLAG(std::string, associated_data, "", "Optional associated data"); namespace { using ::crypto::tink::Aead; using ::crypto::tink::AeadKeyTemplates; using ::crypto::tink::integration::gcpkms::GcpKmsClient; using ::crypto::tink::util::Status; using ::crypto::tink::util::StatusOr; using ::google::crypto::tink::KeyTemplate; constexpr absl::string_view kEncrypt = "encrypt"; constexpr absl::string_view kDecrypt = "decrypt"; void ValidateParams() { // ... } absl::StatusOr<std::string> ReadFile(absl::string_view filename) { // ... } absl::Status WriteToFile(absl::string_view data_to_write, absl::string_view filename) { // ... } } // namespace namespace tink_cc_gcpkms_examples { void KmsEnvelopAeadCli(absl::string_view mode, absl::string_view kek_uri, absl::string_view input_filename, absl::string_view output_filename, absl::string_view credentials, absl::string_view associated_data) { CHECK_OK(crypto::tink::AeadConfig::Register()); // Obtain a remote Aead that can use the KEK. StatusOr<std::unique_ptr<GcpKmsClient>> gcp_kms_client = GcpKmsClient::New(kek_uri, credentials); CHECK_OK(gcp_kms_client.status()); StatusOr<std::unique_ptr<Aead>> remote_aead = (*gcp_kms_client)->GetAead(kek_uri); CHECK_OK(remote_aead.status()); // Define the DEK template. KeyTemplate dek_key_template = AeadKeyTemplates::Aes256Gcm(); // Create a KmsEnvelopeAead instance. StatusOr<std::unique_ptr<Aead>> aead = crypto::tink::KmsEnvelopeAead::New( dek_key_template, *std::move(remote_aead)); CHECK_OK(aead.status()); StatusOr<std::string> input_file_content = ReadFile(input_filename); CHECK_OK(input_file_content.status()); if (mode == kEncrypt) { // Generate the ciphertext. StatusOr<std::string> encrypt_result = (*aead)->Encrypt(*input_file_content, associated_data); CHECK_OK(encrypt_result.status()); CHECK_OK(WriteToFile(encrypt_result.value(), output_filename)); } else { // mode == kDecrypt. // Recover the plaintext. StatusOr<std::string> decrypt_result = (*aead)->Decrypt(*input_file_content, associated_data); CHECK_OK(decrypt_result.status()); CHECK_OK(WriteToFile(decrypt_result.value(), output_filename)); } } } // namespace tink_cc_gcpkms_examples int main(int argc, char** argv) { absl::ParseCommandLine(argc, argv); ValidateParams(); std::string mode = absl::GetFlag(FLAGS_mode); std::string kek_uri = absl::GetFlag(FLAGS_kek_uri); std::string input_filename = absl::GetFlag(FLAGS_input_filename); std::string output_filename = absl::GetFlag(FLAGS_output_filename); std::string credentials = absl::GetFlag(FLAGS_credentials); std::string associated_data = absl::GetFlag(FLAGS_associated_data); LOG(INFO) << "Using kek-uri " << kek_uri << " with " << (credentials.empty() ? "default credentials" : absl::StrCat("credentials file ", credentials)) << " to envelope " << mode << " file " << input_filename << " with associated data '" << associated_data << "'." << '\n'; LOG(INFO) << "The resulting output will be written to " << output_filename << '\n'; tink_cc_gcpkms_examples::KmsEnvelopAeadCli(mode, kek_uri, input_filename, output_filename, credentials, associated_data); return 0; }
Go
import ( "fmt" "log" "github.com/tink-crypto/tink-go/v2/aead" "github.com/tink-crypto/tink-go/v2/testing/fakekms" ) // The fake KMS should only be used in tests. It is not secure. const keyURI = "fake-kms://CM2b3_MDElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIK75t5L-adlUwVhWvRuWUwYARABGM2b3_MDIAE" func Example_kmsEnvelopeAEAD() { // Get a KEK (key encryption key) AEAD. This is usually a remote AEAD to a KMS. In this example, // we use a fake KMS to avoid making RPCs. client, err := fakekms.NewClient(keyURI) if err != nil { log.Fatal(err) } kekAEAD, err := client.GetAEAD(keyURI) if err != nil { log.Fatal(err) } // Get the KMS envelope AEAD primitive. primitive := aead.NewKMSEnvelopeAEAD2(aead.AES256GCMKeyTemplate(), kekAEAD) // Use the primitive. plaintext := []byte("message") associatedData := []byte("example KMS envelope AEAD encryption") ciphertext, err := primitive.Encrypt(plaintext, associatedData) if err != nil { log.Fatal(err) } decrypted, err := primitive.Decrypt(ciphertext, associatedData) if err != nil { log.Fatal(err) } fmt.Println(string(decrypted)) // Output: message }
Java
在此示例中,您需要 Google Cloud KMS 扩展程序
tink-java-gcpkms
。
package envelopeaead; import static java.nio.charset.StandardCharsets.UTF_8; import com.google.crypto.tink.Aead; import com.google.crypto.tink.KmsClient; import com.google.crypto.tink.aead.AeadConfig; import com.google.crypto.tink.aead.KmsEnvelopeAead; import com.google.crypto.tink.aead.PredefinedAeadParameters; import com.google.crypto.tink.integration.gcpkms.GcpKmsClient; import java.io.File; import java.io.FileOutputStream; import java.nio.file.Files; import java.nio.file.Paths; import java.security.GeneralSecurityException; /** * A command-line utility for encrypting small files with envelope encryption. * * <p>It requires the following arguments: * * <ul> * <li>mode: Can be "encrypt" or "decrypt" to encrypt/decrypt the input to the output. * <li>kek-uri: Use this Cloud KMS' key as the key-encrypting-key for envelope encryption. * <li>gcp-credential-file: Use this JSON credential file to connect to Cloud KMS. * <li>input-file: Read the input from this file. * <li>output-file: Write the result to this file. * <li>[optional] associated-data: Associated data used for the encryption or decryption. */ public final class EnvelopeAeadExample { private static final String MODE_ENCRYPT = "encrypt"; private static final String MODE_DECRYPT = "decrypt"; public static void main(String[] args) throws Exception { if (args.length != 5 && args.length != 6) { System.err.printf("Expected 5 or 6 parameters, got %d\n", args.length); System.err.println( "Usage: java EnvelopeAeadExample encrypt/decrypt kek-uri gcp-credential-file" + " input-file output-file [associated-data]"); System.exit(1); } String mode = args[0]; String kekUri = args[1]; String gcpCredentialFilename = args[2]; byte[] input = Files.readAllBytes(Paths.get(args[3])); File outputFile = new File(args[4]); byte[] associatedData = new byte[0]; if (args.length == 6) { System.out.println("Associated data!"); associatedData = args[5].getBytes(UTF_8); } // Initialise Tink: register all AEAD key types with the Tink runtime AeadConfig.register(); // Read the GCP credentials and create a remote AEAD object. Aead remoteAead = null; try { KmsClient kmsClient = new GcpKmsClient().withCredentials(gcpCredentialFilename); remoteAead = kmsClient.getAead(kekUri); } catch (GeneralSecurityException ex) { System.err.println("Error initializing GCP client: " + ex); System.exit(1); } // Create envelope AEAD primitive using AES256 GCM for encrypting the data Aead aead = KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, remoteAead); // Use the primitive to encrypt/decrypt files. if (MODE_ENCRYPT.equals(mode)) { byte[] ciphertext = aead.encrypt(input, associatedData); try (FileOutputStream stream = new FileOutputStream(outputFile)) { stream.write(ciphertext); } } else if (MODE_DECRYPT.equals(mode)) { byte[] plaintext = aead.decrypt(input, associatedData); try (FileOutputStream stream = new FileOutputStream(outputFile)) { stream.write(plaintext); } } else { System.err.println("The first argument must be either encrypt or decrypt, got: " + mode); System.exit(1); } System.exit(0); } private EnvelopeAeadExample() {} }
Python
"""A command-line utility for encrypting small files using envelope encryption with GCP.""" from absl import app from absl import flags from absl import logging import tink from tink import aead from tink.integration import gcpkms FLAGS = flags.FLAGS flags.DEFINE_enum( 'mode', None, ['encrypt', 'decrypt'], 'The operation to perform.' ) flags.DEFINE_string( 'kek_uri', None, 'The Cloud KMS URI of the key encryption key.' ) flags.DEFINE_string( 'gcp_credential_path', None, 'Path to the GCP credentials JSON file.' ) flags.DEFINE_string('input_path', None, 'Path to the input file.') flags.DEFINE_string('output_path', None, 'Path to the output file.') flags.DEFINE_string( 'associated_data', None, 'Optional associated data used for the encryption.' ) def main(argv): del argv # Unused. associated_data = ( b'' if not FLAGS.associated_data else bytes(FLAGS.associated_data, 'utf-8') ) # Initialise Tink aead.register() try: # Read the GCP credentials and setup client client = gcpkms.GcpKmsClient(FLAGS.kek_uri, FLAGS.gcp_credential_path) except tink.TinkError as e: logging.exception('Error creating GCP KMS client: %s', e) return 1 # Create envelope AEAD primitive using AES256 GCM for encrypting the data try: remote_aead = client.get_aead(FLAGS.kek_uri) env_aead = aead.KmsEnvelopeAead( aead.aead_key_templates.AES256_GCM, remote_aead ) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 with open(FLAGS.input_path, 'rb') as input_file: input_data = input_file.read() if FLAGS.mode == 'decrypt': output_data = env_aead.decrypt(input_data, associated_data) elif FLAGS.mode == 'encrypt': output_data = env_aead.encrypt(input_data, associated_data) else: logging.error( 'Unsupported mode %s. Please choose "encrypt" or "decrypt".', FLAGS.mode, ) return 1 with open(FLAGS.output_path, 'wb') as output_file: output_file.write(output_data) if __name__ == '__main__': flags.mark_flags_as_required( ['mode', 'kek_uri', 'gcp_credential_path', 'input_path', 'output_path'] ) app.run(main)
后续步骤
您可以使用客户端加密功能对数据进行加密,然后再将其添加到 Cloud SQL 数据库。
详细了解如何将客户端加密功能与 Tink 和 Cloud 搭配使用 KMS: 然后再将其上传到 Google Cloud Storage。