Dedicated KMS SDK for Python allows you to call the API operations of Dedicated Key Management Service (KMS) in a convenient manner. Dedicated KMS SDK for Python is suitable for business scenarios such as data encryption, data decryption, digital signature generation, and digital signature verification.

Background information

Your comments and code examples are greatly appreciated.

Prerequisites

  • A dedicated KMS instance of the Standard edition is purchased and connected to a hardware security module (HSM) cluster. A customer master key (CMK) and an application access endpoint (AAP) are created for the instance, and the client key and CA certificate are saved.
  • The virtual private cloud (VPC) address to access the dedicated KMS instance of the Standard edition is accessible. The VPC address must meet the following conditions:
    • The VPC address is specified when you activate the HSM cluster.
    • The VPC address can be accessed from your computer.

    For more information, see Query a dedicated KMS instance of the Standard edition.

Install Dedicated KMS SDK

  • If you use Dedicated KMS SDK for Python 3 to install the alibabacloud-dkms-gcs module, run the following command:
    pip install alibabacloud-dkms-gcs
  • If you use Dedicated KMS SDK for Python 2 to install the alibabacloud-dkms-gcs module, run the following command:
    pip install alibabacloud-dkms-gcs-python2

Initialize Dedicated KMS SDK

You can initialize a Python client for a dedicated KMS instance of the Standard edition to call resources that are managed by the dedicated KMS instance. For example, you can use the client to call the keys that are managed by the instance. Before you can use Dedicated KMS SDK for Python to initiate an API request, you must create a client and modify the default configuration items of Config based on your business requirements.

  1. Configure a CA certificate.

    To ensure secure communications in the production environment, you must configure a trusted certificate.

    Set the verify filed in the RuntimeOptions option to the path of the CA certificate.
    # -*- coding: utf-8 -*-
    from openapi_util.models import RuntimeOptions
    
    runtime_options = RuntimeOptions()
    # Ignore SSL verification.
    # runtime_options.ignore_ssl = True
    # CA certificate path
    runtime_options.verify = "<your-ca-certificate-file-path>"
    ...
    response = client.encrypt_with_options(request, runtime_options)
                            
  2. Create a client for the dedicated KMS instance of the Standard edition.

    When you create a client for a dedicated KMS instance of the Standard edition, you must specify the endpoint of the instance. The endpoint excludes the scheme https. For more information about the endpoint of a dedicated KMS instance of the Standard edition, see Query a dedicated KMS instance of the Standard edition.

    # -*- coding: utf-8 -*-
    from openapi.models import Config
    from sdk.client import Client
    
    config = Config()
    # The connection protocol. Set the value to https.
    config.protocol = "https"
    # The client key of the dedicated KMS instance of the Standard edition.
    config.client_key_content = "<your-client-key-content>"
    # The password that is used to decrypt the client key of the dedicated KMS instance of the Standard edition.
    config.password = "<your-password>"
    # The endpoint of the dedicated KMS instance of the Standard edition. The value excludes the scheme https.
    config.endpoint = "<your-endpoint>"
    client = Client(config)

Examples

  • Use the client of a dedicated KMS instance of the Standard edition to call the Encrypt operation to encrypt data.

    For more information about the sample code, visit Original code.

    # -*- coding: utf-8 -*-
    
    from sdk.models import EncryptRequest
    
    request = EncryptRequest()
    # The data that you want to encrypt.
    request.plaintext = "<your-plaintext>".encode("utf-8")
    # The ID or alias of the CMK of the dedicated KMS instance of the Standard edition. The CMK is used for encryption.
    request.key_id = "<your-key-id>"
    encrypt_response = client.encrypt_with_options(request, runtime_options)
    # The ciphertext.
    ciphertext_blob = encrypt_response.ciphertext_blob
    # The initial vector of Cipher, which is used to decrypt data.
    iv = encrypt_response.iv
    # The ID of the request.
    request_id = encrypt_response.request_id
  • Use the client of a dedicated KMS instance of the Standard edition to call the Decrypt operation to decrypt ciphertext.

    For more information about the sample code, visit Original code.

    # -*- coding: utf-8 -*-
    
    from sdk.models import DecryptRequest
    
    request = DecryptRequest()
    # The ciphertext that you want to decrypt.
    request.ciphertext_blob = "<your-ciphertext-blob>"
    # The ID or alias of the CMK of the dedicated KMS instance of the Standard edition. The CMK is used for decryption.
    request.key_id = "<your-key-id>"
    # The initial vector of Cipher. The initial vector must be the same as the initial vector that is specified for encryption.
    request.iv = "<your-iv>"
    decrypt_response = client.decrypt_with_options(request, runtime_options)
    // The plaintext.
    plaintext = decrypt_response.plaintext;
    // The ID of the request.
    request_id = decrypt_response.request_id;
  • Use the client of a dedicated KMS instance of the Standard edition to call the Sign operation to generate a digital signature.

    For more information about the sample code, visit Original code.

    # -*- coding: utf-8 -*-
    
    from sdk.models import SignRequest
    
    request = SignRequest()
    # The ID or alias of the CMK of the dedicated KMS instance of the Standard edition. The CMK is used for signature generation and verification.
    request.key_id = "<your-key-id>"
    # The data to sign.
    request.message = "<your_raw_message>"
    # The value RAW indicates raw data. The value DIGEST indicates the digest of the raw data.
    request.message_type = "RAW"
    # The signature algorithm.
    request.algorithm = "<your-algorithm>"
    sign_response = client.sign_with_options(request, runtime_options)
    # The signature value.
    signature = sign_response.signature
    # The ID of the request.
    request_id = sign_response.request_id
  • Use the client of a dedicated KMS instance of the Standard edition to call the Verify operation to verify a digital signature.

    For more information about the sample code, visit Original code.

    # -*- coding: utf-8 -*-
    
    from sdk.models import SignRequest
    
    request = VerifyRequest()
    #  The ID or alias of the CMK of the dedicated KMS instance of the Standard edition. The CMK is used for signature generation and verification. 
    request.key_id = "<your-key-id>"
    # The data for which you want to verify the digital signature.
    request.message = "<your_raw_message>"
    # The value RAW indicates raw data. The value DIGEST indicates the digest of the raw data.
    request.message_type = "RAW"
    # The signature algorithm.
    request.algorithm = "<your-algorithm>"
    # The signature value.
    request.signature = "<your-signature>"
    verify_response = client.verify_with_options(request, runtime_options)
    # The verification result.
    valid = verify_response.valid
    # The ID of the request.
    request_id = verify_response.request_id