Tink 可让您对某些数据执行客户端加密,并使用云密钥管理系统 (KMS) 保护您的密钥。工作原理如下:
- 客户端生成数据加密密钥 (DEK)。
- 客户端使用 DEK 对数据进行加密。
- DEK 通过存储在云 KMS 中的密钥加密密钥 (KEK) 进行加密。
通过使用 Cloud KMS,您的 KEK 可以安全地存储在云端,您可以根据自己的需求对其进行轮替、停用或销毁。
如需详细了解 Tink 需要哪些才能与 Cloud KMS 交互,请参阅密钥管理概览部分。
借助 Tink,您可以通过以下两种方式使用 Cloud KMS 执行客户端加密:
使用 KMS 信封 AEAD 基元 (
KmsEnvelopeAead) - 如果使用KmsEnvelopeAead基元,对于每个加密,Tink 都会创建一个新的 AEAD DEK,使用 Cloud KMS KEK 对其进行加密,并将其作为密文的一部分存储,因此您无需自行处理 DEK。因此,密文稍微长一点,因为它包含加密的 DEK。此外,每次您加密或解密时,Tink 都会向 KMS 发出 RPC(数据的实际解密或加密操作在本地执行)。使用另一个基元并通过 Cloud KMS 加密密钥集 - 这种方式更灵活,因为它可以使用除 AEAD 以外的不同基元,并且可以限制对 Cloud KMS 的调用。
KMS 信封 AEAD
使用 KmsEnvelopeAead 基元加密数据时,Tink 会为您执行以下操作:
- 生成随机 DEK,并用它在本地加密您的数据。
- 向您的 KMS 发出请求,以使用 KMS KEK 加密 DEK。
- 将 KEK 加密的加密 DEK 与加密的数据串联起来。
DEK 类型和 KEK URI 在 KmsEnvelopeAead 键中指定。在解密时,Tink 会执行反向操作:
- 提取经过 KEK 加密的 DEK 密钥。
- 向您的 KMS 发出请求,以解密 KEK 加密的 DEK。
- 使用 DEK 在本地解密密文。
以下示例展示了如何使用 KmsEnvelopeAead 基元。
C++
对于此示例,您需要 Google Cloud KMS 扩展程序 tink-cc-gcpkms。
// A command-line utility for testing Tink Envelope AEAD with Google Cloud KMS.
#include <fstream>
#include <iostream>
#include <memory>
#include <ostream>
#include <sstream>
#include <string>
#include <utility>
#include "absl/flags/flag.h"
#include "absl/flags/parse.h"
#include "absl/log/check.h"
#include "absl/log/log.h"
#include "absl/status/status.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/string_view.h"
#include "tink/aead.h"
#include "tink/aead/aead_config.h"
#include "tink/aead/aead_key_templates.h"
#include "tink/aead/kms_envelope_aead.h"
#include "tink/integration/gcpkms/gcp_kms_client.h"
#include "tink/util/status.h"
#include "tink/util/statusor.h"
#include "proto/tink.pb.h"
ABSL_FLAG(std::string, mode, "", "Mode of operation {encrypt|decrypt}");
ABSL_FLAG(std::string, kek_uri, "", "URI of the KMS Key Encryption Key to use");
ABSL_FLAG(std::string, input_filename, "", "Input file name");
ABSL_FLAG(std::string, output_filename, "", "Output file name");
ABSL_FLAG(std::string, credentials, "",
"Optional Google Cloud KMS credentials file path; if not specified, "
"use the default credentials");
ABSL_FLAG(std::string, associated_data, "", "Optional associated data");
namespace {
using ::crypto::tink::Aead;
using ::crypto::tink::AeadKeyTemplates;
using ::crypto::tink::integration::gcpkms::GcpKmsClient;
using ::crypto::tink::util::Status;
using ::crypto::tink::util::StatusOr;
using ::google::crypto::tink::KeyTemplate;
constexpr absl::string_view kEncrypt = "encrypt";
constexpr absl::string_view kDecrypt = "decrypt";
void ValidateParams() {
// ...
}
absl::StatusOr<std::string> ReadFile(absl::string_view filename) {
// ...
}
absl::Status WriteToFile(absl::string_view data_to_write,
absl::string_view filename) {
// ...
}
} // namespace
namespace tink_cc_gcpkms_examples {
void KmsEnvelopAeadCli(absl::string_view mode, absl::string_view kek_uri,
absl::string_view input_filename,
absl::string_view output_filename,
absl::string_view credentials,
absl::string_view associated_data) {
CHECK_OK(crypto::tink::AeadConfig::Register());
// Obtain a remote Aead that can use the KEK.
StatusOr<std::unique_ptr<GcpKmsClient>> gcp_kms_client =
GcpKmsClient::New(kek_uri, credentials);
CHECK_OK(gcp_kms_client.status());
StatusOr<std::unique_ptr<Aead>> remote_aead =
(*gcp_kms_client)->GetAead(kek_uri);
CHECK_OK(remote_aead.status());
// Define the DEK template.
KeyTemplate dek_key_template = AeadKeyTemplates::Aes256Gcm();
// Create a KmsEnvelopeAead instance.
StatusOr<std::unique_ptr<Aead>> aead = crypto::tink::KmsEnvelopeAead::New(
dek_key_template, *std::move(remote_aead));
CHECK_OK(aead.status());
StatusOr<std::string> input_file_content = ReadFile(input_filename);
CHECK_OK(input_file_content.status());
if (mode == kEncrypt) {
// Generate the ciphertext.
StatusOr<std::string> encrypt_result =
(*aead)->Encrypt(*input_file_content, associated_data);
CHECK_OK(encrypt_result.status());
CHECK_OK(WriteToFile(encrypt_result.value(), output_filename));
} else { // mode == kDecrypt.
// Recover the plaintext.
StatusOr<std::string> decrypt_result =
(*aead)->Decrypt(*input_file_content, associated_data);
CHECK_OK(decrypt_result.status());
CHECK_OK(WriteToFile(decrypt_result.value(), output_filename));
}
}
} // namespace tink_cc_gcpkms_examples
int main(int argc, char** argv) {
absl::ParseCommandLine(argc, argv);
ValidateParams();
std::string mode = absl::GetFlag(FLAGS_mode);
std::string kek_uri = absl::GetFlag(FLAGS_kek_uri);
std::string input_filename = absl::GetFlag(FLAGS_input_filename);
std::string output_filename = absl::GetFlag(FLAGS_output_filename);
std::string credentials = absl::GetFlag(FLAGS_credentials);
std::string associated_data = absl::GetFlag(FLAGS_associated_data);
LOG(INFO) << "Using kek-uri " << kek_uri << " with "
<< (credentials.empty()
? "default credentials"
: absl::StrCat("credentials file ", credentials))
<< " to envelope " << mode << " file " << input_filename
<< " with associated data '" << associated_data << "'." << '\n';
LOG(INFO) << "The resulting output will be written to " << output_filename
<< '\n';
tink_cc_gcpkms_examples::KmsEnvelopAeadCli(mode, kek_uri, input_filename,
output_filename, credentials,
associated_data);
return 0;
}
Go
import (
"fmt"
"log"
"github.com/tink-crypto/tink-go/v2/aead"
"github.com/tink-crypto/tink-go/v2/testing/fakekms"
)
// The fake KMS should only be used in tests. It is not secure.
const keyURI = "fake-kms://CM2b3_MDElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIK75t5L-adlUwVhWvRuWUwYARABGM2b3_MDIAE"
func Example_kmsEnvelopeAEAD() {
// Get a KEK (key encryption key) AEAD. This is usually a remote AEAD to a KMS. In this example,
// we use a fake KMS to avoid making RPCs.
client, err := fakekms.NewClient(keyURI)
if err != nil {
log.Fatal(err)
}
kekAEAD, err := client.GetAEAD(keyURI)
if err != nil {
log.Fatal(err)
}
// Get the KMS envelope AEAD primitive.
primitive := aead.NewKMSEnvelopeAEAD2(aead.AES256GCMKeyTemplate(), kekAEAD)
// Use the primitive.
plaintext := []byte("message")
associatedData := []byte("example KMS envelope AEAD encryption")
ciphertext, err := primitive.Encrypt(plaintext, associatedData)
if err != nil {
log.Fatal(err)
}
decrypted, err := primitive.Decrypt(ciphertext, associatedData)
if err != nil {
log.Fatal(err)
}
fmt.Println(string(decrypted))
// Output: message
}
Java
对于此示例,您需要 Google Cloud KMS 扩展程序 tink-java-gcpkms。
package envelopeaead;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsEnvelopeAead;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import java.io.File;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
/**
* A command-line utility for encrypting small files with envelope encryption.
*
* <p>It requires the following arguments:
*
* <ul>
* <li>mode: Can be "encrypt" or "decrypt" to encrypt/decrypt the input to the output.
* <li>kek-uri: Use this Cloud KMS' key as the key-encrypting-key for envelope encryption.
* <li>gcp-credential-file: Use this JSON credential file to connect to Cloud KMS.
* <li>input-file: Read the input from this file.
* <li>output-file: Write the result to this file.
* <li>[optional] associated-data: Associated data used for the encryption or decryption.
*/
public final class EnvelopeAeadExample {
private static final String MODE_ENCRYPT = "encrypt";
private static final String MODE_DECRYPT = "decrypt";
public static void main(String[] args) throws Exception {
if (args.length != 5 && args.length != 6) {
System.err.printf("Expected 5 or 6 parameters, got %d\n", args.length);
System.err.println(
"Usage: java EnvelopeAeadExample encrypt/decrypt kek-uri gcp-credential-file"
+ " input-file output-file [associated-data]");
System.exit(1);
}
String mode = args[0];
String kekUri = args[1];
String gcpCredentialFilename = args[2];
byte[] input = Files.readAllBytes(Paths.get(args[3]));
File outputFile = new File(args[4]);
byte[] associatedData = new byte[0];
if (args.length == 6) {
System.out.println("Associated data!");
associatedData = args[5].getBytes(UTF_8);
}
// Initialise Tink: register all AEAD key types with the Tink runtime
AeadConfig.register();
// Read the GCP credentials and create a remote AEAD object.
Aead remoteAead = null;
try {
KmsClient kmsClient = new GcpKmsClient().withCredentials(gcpCredentialFilename);
remoteAead = kmsClient.getAead(kekUri);
} catch (GeneralSecurityException ex) {
System.err.println("Error initializing GCP client: " + ex);
System.exit(1);
}
// Create envelope AEAD primitive using AES256 GCM for encrypting the data
Aead aead = KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, remoteAead);
// Use the primitive to encrypt/decrypt files.
if (MODE_ENCRYPT.equals(mode)) {
byte[] ciphertext = aead.encrypt(input, associatedData);
try (FileOutputStream stream = new FileOutputStream(outputFile)) {
stream.write(ciphertext);
}
} else if (MODE_DECRYPT.equals(mode)) {
byte[] plaintext = aead.decrypt(input, associatedData);
try (FileOutputStream stream = new FileOutputStream(outputFile)) {
stream.write(plaintext);
}
} else {
System.err.println("The first argument must be either encrypt or decrypt, got: " + mode);
System.exit(1);
}
System.exit(0);
}
private EnvelopeAeadExample() {}
}
Python
"""A command-line utility for encrypting small files using envelope encryption with GCP."""
from absl import app
from absl import flags
from absl import logging
import tink
from tink import aead
from tink.integration import gcpkms
FLAGS = flags.FLAGS
flags.DEFINE_enum(
'mode', None, ['encrypt', 'decrypt'], 'The operation to perform.'
)
flags.DEFINE_string(
'kek_uri', None, 'The Cloud KMS URI of the key encryption key.'
)
flags.DEFINE_string(
'gcp_credential_path', None, 'Path to the GCP credentials JSON file.'
)
flags.DEFINE_string('input_path', None, 'Path to the input file.')
flags.DEFINE_string('output_path', None, 'Path to the output file.')
flags.DEFINE_string(
'associated_data', None, 'Optional associated data used for the encryption.'
)
def main(argv):
del argv # Unused.
associated_data = (
b''
if not FLAGS.associated_data
else bytes(FLAGS.associated_data, 'utf-8')
)
# Initialise Tink
aead.register()
try:
# Read the GCP credentials and setup client
client = gcpkms.GcpKmsClient(FLAGS.kek_uri, FLAGS.gcp_credential_path)
except tink.TinkError as e:
logging.exception('Error creating GCP KMS client: %s', e)
return 1
# Create envelope AEAD primitive using AES256 GCM for encrypting the data
try:
remote_aead = client.get_aead(FLAGS.kek_uri)
env_aead = aead.KmsEnvelopeAead(
aead.aead_key_templates.AES256_GCM, remote_aead
)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
with open(FLAGS.input_path, 'rb') as input_file:
input_data = input_file.read()
if FLAGS.mode == 'decrypt':
output_data = env_aead.decrypt(input_data, associated_data)
elif FLAGS.mode == 'encrypt':
output_data = env_aead.encrypt(input_data, associated_data)
else:
logging.error(
'Unsupported mode %s. Please choose "encrypt" or "decrypt".',
FLAGS.mode,
)
return 1
with open(FLAGS.output_path, 'wb') as output_file:
output_file.write(output_data)
if __name__ == '__main__':
flags.mark_flags_as_required(
['mode', 'kek_uri', 'gcp_credential_path', 'input_path', 'output_path']
)
app.run(main)
后续步骤
您可以使用客户端加密功能先对数据进行加密,然后再将其添加到 Cloud SQL 数据库。
详细了解如何通过 Tink 和 Cloud KMS 使用客户端加密功能对数据进行加密,然后再将其上传到 Google Cloud Storage。