If you want to encrypt and decrypt user data in MaxCompute SQL, you can use user-defined functions (UDFs) together with Key Management Service (KMS) instances. This topic describes how to use KMS instances to encrypt and decrypt data in MaxCompute UDFs.
Overview
In the encryption process, a KMS instance client is initialized and a data key is generated during UDF initialization, and the data key is used for envelope encryption during data processing. If you want to encrypt a large amount of data, we recommend that you use a secret to obtain a data key. This prevents excessive data keys from being generated.
In the decryption process, a KMS instance client, a thread pool, and the cache are initialized during UDF initialization, and the data key ciphertext is decrypted during data processing. Then, data is decrypted by using the plaintext data key.
The fields that store the encrypted data are of the string type. The data format is [Data key length|Fixed length 4][Data key ciphertext][Ciphertext of the data in the field].
The concurrency of MaxCompute UDFs is high. We recommend that you implement envelope encryption to generate a data key from a KMS instance and use the data key to encrypt data rather than you use a key to directly encrypt data in UDFs. For more information about envelope encryption, see Use envelope encryption.
Prerequisites
A KMS instance of the software key management type or a KMS instance of the hardware key management type is purchased. For more information, see Purchase and enable a KMS instance.
A customer master key (CMK) is created. Envelope encryption supports only the Galois/Counter Mode (GCM) mode. Therefore, you must select Symmetric Key for the Key Type parameter when you create a CMK. For more information about key specifications and encryption modes, see Key types and specifications.
An access point is created, a client key is saved, and the certification authority (CA) certificate of a KMS instance is obtained. For more information, see Create an AAP and Obtain the instance CA certificate.
Sample code
If you require high performance, we recommend that you use SynchronousKeyEncryptUDF in Java.
Sample code in Java
4. Create an encryption UDF
We recommend that you use the
com.aliyun.kms.sample.SynchronousKeyEncryptUDFclass as a high-performance encryption UDF for tables that contain a large amount of data.If your tables contain a small amount of data and the UDF concurrency is low, you can use the
com.aliyun.kms.sample.EncryptUDFclass as an encryption UDF.
SynchronousKeyEncryptUDF example
SynchronousKeyEncryptUDF is suitable for scenarios that involve a large amount of data and high concurrency. You can use ForSynchronousKeyEncryptUDF to leverage the secret management capabilities of KMS and store data keys and version information as secrets in KMS. This prevents multiple keys that have the same version, reduces the number of keys generated, and improves performance. The following figure shows the flowchart for generating a data key.
Create a secret named xxxxSynchronousSecret
Create a generic secret in the KMS console or by calling KMS API operations. The secret name is xxxxSynchronousSecret, and the secret value is a random value. The generic secret is used to store your data key. You can specify the udf.synchronous.secret.name parameter in the UDF to specify the secret. For more information about how to create a secret, see Manage and use generic secrets.
Create a RAM secret named xxxxRamSecret
Create a RAM secret in the KMS console or by calling KMS API operations. The value of the RAM secret is the AccessKey pair of the KMS account that is used to call the shared gateway. The RAM secret is retrieved for identity authentication when the UDF calls API operations. You can specify the udf.ram.secret.name parameter in the UDF to specify the secret. For more information about how to create a RAM secret and create an AccessKey pair for a KMS account, see Manage and use RAM secrets and Create an AccessKey pair. Example of the secret value
{ "AccessKeyId":"****", "AccessKeySecret":"****" }Define the SynchronousKeyEncryptUDF.java class
package com.aliyun.kms.sample; import com.aliyun.kms.kms20160120.TransferClient; import com.aliyun.kms.kms20160120.model.KmsConfig; import com.aliyun.kms.kms20160120.model.KmsRuntimeOptions; import com.aliyun.kms20160120.Client; import com.aliyun.kms20160120.models.*; import com.aliyun.odps.udf.ExecutionContext; import com.aliyun.odps.udf.UDF; import com.aliyun.odps.udf.UDFException; import com.aliyun.tea.TeaException; import com.aliyun.tea.utils.StringUtils; import com.google.gson.Gson; import org.apache.commons.codec.binary.Base64; import javax.crypto.Cipher; import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.SecretKeySpec; import java.io.IOException; import java.io.InputStream; import java.io.Serializable; import java.nio.charset.StandardCharsets; import java.security.SecureRandom; import java.util.Map; import java.util.Properties; import java.util.concurrent.ConcurrentHashMap; public class SynchronousKeyEncryptUDF extends UDF { private static Gson gson = new Gson(); private static Client instanceClient; private static com.aliyun.kms.kms20160120.Client shareClient; private static Map<String, DataKeyObject> dataKeyObjectMap; private static Base64 base64 = new Base64(); private String runTaskIdentify; private String keySecretName; private String keyId; private Properties properties = new Properties(); @Override public void setup(ExecutionContext ctx) throws UDFException, IOException { super.setup(ctx); try { InputStream in = ctx.readResourceFileAsStream(UDFConstant.KMS_UDF_CONF_NAME); properties.load(in); // The dimension for generating a data key. If a data key is generated by project, you must use the getRunningProject method. If a data key is generated by table, you must use the getTableInfo method. runTaskIdentify = ctx.getRunningProject(); dataKeyObjectMap = new ConcurrentHashMap<>(); keySecretName = properties.getProperty(UDFConstant.KMS_SYNCHRONOUS_SECRET_NAME_KEY); keyId = properties.getProperty(UDFConstant.UDF_ENCRYPT_KEY_ID_KEY); if (StringUtils.isEmpty(keySecretName)) { throw new UDFException("the secret name is null"); } buildInstanceClient(ctx); checkSecretExist(); buildShareClient(); } catch (Exception e) { throw new UDFException(e); } } public String evaluate(String keyIdentify, String data) { if (UDFUtils.isNull(data)) { return data; } byte[] dataBytes = data.getBytes(StandardCharsets.UTF_8); byte[] iv = null; byte[] cipherTextBytes = null; try { String keyVersion = UDFUtils.getSynchronousKeyVersion(runTaskIdentify, keyIdentify); if (!dataKeyObjectMap.containsKey(keyVersion)) { dataKeyObjectMap.put(keyVersion, getDataKeyObject(keyVersion)); } DataKeyObject dataKeyObject = dataKeyObjectMap.get(keyVersion); iv = new byte[UDFConstant.GCM_IV_LENGTH]; SecureRandom random = new SecureRandom(); random.nextBytes(iv); Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); SecretKeySpec keySpec = new SecretKeySpec(dataKeyObject.plaintextBytes, "AES"); GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(UDFConstant.GCM_TAG_LENGTH * 8, iv); cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmParameterSpec); cipherTextBytes = cipher.doFinal(dataBytes); return dataKeyObject.encryptedDataKeyPart + base64.encodeAsString(iv) + base64.encodeAsString(cipherTextBytes); } catch (Exception e) { e.printStackTrace(); throw new RuntimeException(e); } } private DataKeyObject getDataKeyObject(String keyVersion) throws Exception { try { return getDataKeyObjectByGetSecretValue(keyVersion); } catch (TeaException e) { if ("Forbidden.ResourceNotFound".equals(e.code)) { return buildDataKeyObject(keyVersion); } } return null; } private DataKeyObject getDataKeyObjectByGetSecretValue(String keyVersion) throws Exception { String secretData = getSecretValue(keyVersion); DataKeyPersistentObject dataKeyPersistentObject = gson.fromJson(secretData, DataKeyPersistentObject.class); byte[] plaintextBytes = base64.decode(dataKeyPersistentObject.plaintext); return new DataKeyObject(plaintextBytes, dataKeyPersistentObject.encryptedDataKeyPart); } private DataKeyObject buildDataKeyObject(String keyVersion) throws Exception { GenerateDataKeyRequest request = new GenerateDataKeyRequest(); request.setKeyId(keyId); KmsRuntimeOptions runtimeOptions = new KmsRuntimeOptions(); GenerateDataKeyResponse response = instanceClient.generateDataKeyWithOptions(request, runtimeOptions); String plaintext = response.getBody().plaintext; byte[] plaintextBytes = base64.decode(plaintext); String encryptedDataKeyPart = String.format(UDFConstant.ENCRYPT_DATA_KEY_FORMAT, response.getBody().ciphertextBlob.length()) + response.getBody().ciphertextBlob; DataKeyObject dataKeyObject = new DataKeyObject(plaintextBytes, encryptedDataKeyPart); DataKeyPersistentObject dataKeyPersistentObject = new DataKeyPersistentObject(plaintext, encryptedDataKeyPart); PutSecretValueRequest putSecretValueRequest = new PutSecretValueRequest(); putSecretValueRequest.secretData = dataKeyPersistentObject.toJsonString(); putSecretValueRequest.secretName = keySecretName; putSecretValueRequest.versionId = keyVersion; try { shareClient.putSecretValue(putSecretValueRequest); } catch (TeaException e) { if ("Rejected.ResourceExist".equals(e.code)) { return getDataKeyObjectByGetSecretValue(keyVersion); } } return dataKeyObject; } @Override public void close() throws UDFException, IOException { super.close(); } private void buildInstanceClient(ExecutionContext ctx) throws Exception { try { KmsConfig config = new KmsConfig(); String clientKeyFileName = properties.getProperty(UDFConstant.KMS_CLIENT_KEY_FILE_KEY); byte[] clientKeyFileContent = ctx.readResourceFile(clientKeyFileName); config.setClientKeyContent(new String(clientKeyFileContent, StandardCharsets.UTF_8)); String caFileName = properties.getProperty(UDFConstant.KMS_INSTANCE_CA_FILE_KEY); byte[] caFileContent = ctx.readResourceFile(caFileName); config.setCa(new String(caFileContent, StandardCharsets.UTF_8)); config.setPassword(properties.getProperty(UDFConstant.KMS_CLIENT_KEY_PASSWORD_KEY)); config.setEndpoint(properties.getProperty(UDFConstant.KMS_INSTANCE_ENDPOINT_KEY)); instanceClient = new TransferClient(config); } catch (Exception e) { throw new UDFException(e); } } private void checkSecretExist() throws Exception { getSecretValue(null); } private String getSecretValue(String versionId) throws Exception { GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest(); getSecretValueRequest.setSecretName(keySecretName); if (!StringUtils.isEmpty(versionId)) { getSecretValueRequest.setVersionId(versionId); } KmsRuntimeOptions runtimeOptions = new KmsRuntimeOptions(); GetSecretValueResponse getSecretValueResponse = instanceClient.getSecretValueWithOptions(getSecretValueRequest, runtimeOptions); return getSecretValueResponse.body.secretData; } private void buildShareClient() throws Exception { String ramSecretName = properties.getProperty(UDFConstant.KMS_RAM_SECRET_NAME_KEY); GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest(); getSecretValueRequest.setSecretName(ramSecretName); KmsRuntimeOptions runtimeOptions = new KmsRuntimeOptions(); GetSecretValueResponse getSecretValueResponse = instanceClient.getSecretValueWithOptions(getSecretValueRequest, runtimeOptions); AccessKeyObject accessKeyObject = gson.fromJson(getSecretValueResponse.body.secretData, AccessKeyObject.class); com.aliyun.teaopenapi.models.Config shareConfig = new com.aliyun.teaopenapi.models.Config() .setAccessKeyId(accessKeyObject.AccessKeyId) .setAccessKeySecret(accessKeyObject.AccessKeySecret) .setEndpoint(properties.getProperty(UDFConstant.KMS_ENDPOINT_KEY)); shareClient = new com.aliyun.kms.kms20160120.Client(shareConfig); } private static class AccessKeyObject implements Serializable { private String AccessKeyId; private String AccessKeySecret; } private final static class DataKeyObject { private byte[] plaintextBytes; private String encryptedDataKeyPart; public DataKeyObject() { } public DataKeyObject(byte[] plaintextBytes, String encryptedDataKeyPart) { this.plaintextBytes = plaintextBytes; this.encryptedDataKeyPart = encryptedDataKeyPart; } } private final static class DataKeyPersistentObject implements Serializable { private String plaintext; private String encryptedDataKeyPart; public DataKeyPersistentObject() { } public DataKeyPersistentObject(String plaintext, String encryptedDataKeyPart) { this.plaintext = plaintext; this.encryptedDataKeyPart = encryptedDataKeyPart; } public String toJsonString() { return gson.toJson(this); } } }Main method description
Method
Description
setup
Reads the configuration file, initializes KMS Instance SDK and Alibaba Cloud SDK, and checks whether the initial secret exists.
buildInstanceClient
Initializes KMS Instance SDK.
buildShareClient
Obtains the AccessKey pair that is stored in the RAM secret and initializes Alibaba Cloud SDK.
getDataKeyObjectByGetSecretValue
Obtains the key that is stored in the secret.
buildDataKeyObject
Generates a new key and stores the key in the secret.
evaluate
Encrypts data and returns the encrypted data.
NoteThe following API operations of KMS are used.
KMS Instance API operations: The GenerateDataKey operation is called to generate a data key and the GetSecretValue operation to retrieve a secret value.
KMS API operations: The PutSecretValue operation is called to store a secret value.
For more information about API operations of KMS and how to call the API operations, see API references and SDK references.
EncryptUDF example
Define the EncryptUDF.java class
package com.aliyun.kms.sample;
import com.aliyun.kms.kms20160120.TransferClient;
import com.aliyun.kms.kms20160120.model.KmsConfig;
import com.aliyun.kms.kms20160120.model.KmsRuntimeOptions;
import com.aliyun.kms20160120.Client;
import com.aliyun.kms20160120.models.GenerateDataKeyRequest;
import com.aliyun.kms20160120.models.GenerateDataKeyResponse;
import com.aliyun.odps.udf.ExecutionContext;
import com.aliyun.odps.udf.UDF;
import com.aliyun.odps.udf.UDFException;
import org.apache.commons.codec.binary.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Properties;
public class EncryptUDF extends UDF {
private static Client client;
private static String plaintext;
private static byte[] plaintextBytes;
private static String encryptedDataKeyPart;
private static Base64 base64 = new Base64();
@Override
public void setup(ExecutionContext ctx) throws UDFException, IOException {
super.setup(ctx);
try {
InputStream in = ctx.readResourceFileAsStream(UDFConstant.KMS_UDF_CONF_NAME);
Properties properties = new Properties();
properties.load(in);
KmsConfig config = new KmsConfig();
String clientKeyFileName = properties.getProperty(UDFConstant.KMS_CLIENT_KEY_FILE_KEY);
byte[] clientKeyFileContent = ctx.readResourceFile(clientKeyFileName);
config.setClientKeyContent(new String(clientKeyFileContent, StandardCharsets.UTF_8));
String caFileName = properties.getProperty(UDFConstant.KMS_INSTANCE_CA_FILE_KEY);
byte[] caFileContent = ctx.readResourceFile(caFileName);
config.setCa(new String(caFileContent, StandardCharsets.UTF_8));
config.setPassword(properties.getProperty(UDFConstant.KMS_CLIENT_KEY_PASSWORD_KEY));
config.setEndpoint(properties.getProperty(UDFConstant.KMS_INSTANCE_ENDPOINT_KEY));
String keyId = properties.getProperty(UDFConstant.UDF_ENCRYPT_KEY_ID_KEY);
client = new TransferClient(config);
GenerateDataKeyRequest request = new GenerateDataKeyRequest();
request.setKeyId(keyId);
KmsRuntimeOptions runtimeOptions = new KmsRuntimeOptions();
GenerateDataKeyResponse response = client.generateDataKeyWithOptions(request, runtimeOptions);
plaintext = response.getBody().plaintext;
plaintextBytes = base64.decode(plaintext);
encryptedDataKeyPart = String.format(UDFConstant.ENCRYPT_DATA_KEY_FORMAT, response.getBody().ciphertextBlob.length()) + response.getBody().ciphertextBlob;
} catch (Exception e) {
throw new UDFException(e);
}
}
public String evaluate(String data) {
if (UDFUtils.isNull(data)) {
return data;
}
byte[] dataBytes = data.getBytes(StandardCharsets.UTF_8);
byte[] iv = null;
byte[] cipherTextBytes = null;
try {
iv = new byte[UDFConstant.GCM_IV_LENGTH];
SecureRandom random = new SecureRandom();
random.nextBytes(iv);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
SecretKeySpec keySpec = new SecretKeySpec(plaintextBytes, "AES");
GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(UDFConstant.GCM_TAG_LENGTH * 8, iv);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmParameterSpec);
cipherTextBytes = cipher.doFinal(dataBytes);
return encryptedDataKeyPart + base64.encodeAsString(iv) + base64.encodeAsString(cipherTextBytes);
} catch (Exception e) {
e.printStackTrace();
throw new RuntimeException(e);
}
}
@Override
public void close() throws UDFException, IOException {
super.close();
}
}
Main method description
Method | Description |
setup | Reads the configuration file, initializes KMS Instance SDK, and generates the data key ciphertext. |
evaluate | Encrypts data and returns the encrypted data. |
The following API operations of KMS are used.
KMS Instance API: The GenerateDataKey operation is called to generate a data key.
For more information about API operations of KMS and how to call the API operations, see API references and SDK references.