
Key Management Service:Contoh kode untuk enkripsi dan dekripsi

更新时间:Jul 02, 2025

Setelah menginisialisasi SDK client instance KMS, Anda dapat menggunakannya untuk memanggil API Encrypt dan Decrypt untuk melakukan enkripsi dan dekripsi data. Topik ini menyediakan contoh kode untuk proses tersebut.

Kode sumber di GitHub:

Python 3 digunakan dalam topik ini.

Contoh lengkap

# -*- coding: utf-8 -*-
import os

from openapi.models import Config
from openapi_util.models import RuntimeOptions
from sdk.client import Client
from sdk.models import EncryptRequest, DecryptRequest

config = Config()
# The KMS instance service only accepts HTTPS, so the protocol is set explicitly.
config.protocol = "https"
# Location of the Client Key file.
config.client_key_file = "<CLIENT_KEY_FILE>"
# Password that decrypts the Client Key. It is taken from the environment instead of
# being written into the source; the lookup yields None when the variable is unset.
config.password = os.environ.get("CLIENT_KEY_PASSWORD")
# Endpoint format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
config.endpoint = "<ENDPOINT>"
client = Client(config)


class AESEncryptContext:
    """AES encryption context that may be persisted.

    Holds the key ID, ciphertext blob, IV and algorithm exactly as they were
    passed to the constructor.
    """

    def __init__(self, key_id, ciphertext_blob, iv, algorithm):
        self.key_id, self.ciphertext_blob = key_id, ciphertext_blob
        # No defaulting happens here: the algorithm is stored as given.
        # NOTE(review): the original comment says a default algorithm is used when
        # the value is not set - presumably on the service side; confirm.
        self.iv, self.algorithm = iv, algorithm


def encrypt(key_id, plaintext):
    """Encrypt *plaintext* under the KMS key *key_id*.

    Sends an EncryptRequest through the module-level ``client``, prints the
    response, and returns an AESEncryptContext built from the response's key ID,
    ciphertext blob, IV and algorithm.
    """
    req = EncryptRequest()
    req.plaintext = plaintext
    req.key_id = key_id

    opts = RuntimeOptions()
    # Server certificate checking can be switched off with
    #     opts.ignore_ssl = True
    # Keep that line disabled outside of local troubleshooting: without certificate
    # verification the endpoint is not authenticated, so the plaintext carried by
    # this request could be read or altered on the path between client and KMS.
    # verify is the path to the KMS instance's CA certificate.
    opts.verify = "<CA_CERTIFICATE_FILE_PATH>"

    response = client.encrypt_with_options(req, opts)
    print(response)
    return AESEncryptContext(
        response.key_id,
        response.ciphertext_blob,
        response.iv,
        response.algorithm,
    )


def decrypt(context):
    """Decrypt the ciphertext described by *context* and print the response.

    *context* supplies ``ciphertext_blob``, ``key_id``, ``iv`` and ``algorithm``.
    The function returns nothing; the response is only printed.
    """
    req = DecryptRequest()
    req.ciphertext_blob = context.ciphertext_blob
    req.key_id = context.key_id
    req.iv = context.iv
    req.algorithm = context.algorithm

    opts = RuntimeOptions()
    # Server certificate checking can be switched off with
    #     opts.ignore_ssl = True
    # Keep that line disabled outside of local troubleshooting: without certificate
    # verification the endpoint is not authenticated, so the response could be read
    # or altered on the path between client and KMS.
    # verify is the path to the KMS instance's CA certificate.
    opts.verify = "<CA_CERTIFICATE_FILE_PATH>"

    response = client.decrypt_with_options(req, opts)
    # NOTE(review): the response presumably carries the recovered plaintext, so this
    # print is for demonstration only; real code should hand the value to the caller
    # rather than write it to stdout or logs.
    print(response)


# Sample run: encrypt a placeholder message, then decrypt it using the returned context.
key_id = "<KEY_ID>"
plaintext = "<PLAINTEXT>".encode("utf-8")
context = encrypt(key_id, plaintext)
decrypt(context)

Penjelasan contoh

Inisialisasi client

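# -*- coding: utf-8 -*-
# os is needed for the environment lookup of the Client Key password below.
import os

from openapi.models import Config
from sdk.client import Client

config = Config()
# Connection protocol. Set it to https: the KMS instance service only accepts HTTPS.
config.protocol = "https"

# Location of the Client Key file.
config.client_key_file = "<CLIENT_KEY_FILE>"

# Password that decrypts the Client Key. It is read from the environment instead of
# being written into the source; os.getenv returns None when the variable is unset.
config.password = os.getenv('CLIENT_KEY_PASSWORD')

# Endpoint of your KMS instance, in the form
# <your KMS instance ID>.cryptoservice.kms.aliyuncs.com.
config.endpoint = "<ENDPOINT>"
client = Client(config)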

Panggil API Encrypt untuk mengenkripsi data menggunakan kunci simetris

def encrypt(key_id, plaintext):
    """Encrypt *plaintext* under the KMS key *key_id*.

    Sends an EncryptRequest through ``client``, prints the response, and returns
    an AESEncryptContext built from the response's key ID, ciphertext blob, IV
    and algorithm.
    """
    req = EncryptRequest()
    req.plaintext = plaintext
    req.key_id = key_id

    opts = RuntimeOptions()
    # Server certificate checking can be switched off with
    #     opts.ignore_ssl = True
    # Keep that line disabled outside of local troubleshooting: without certificate
    # verification the endpoint is not authenticated, so the plaintext carried by
    # this request could be read or altered on the path between client and KMS.
    # verify is the path to the KMS instance's CA certificate.
    opts.verify = "<CA_CERTIFICATE_FILE_PATH>"

    response = client.encrypt_with_options(req, opts)
    print(response)
    return AESEncryptContext(
        response.key_id,
        response.ciphertext_blob,
        response.iv,
        response.algorithm,
    )

Panggil API Decrypt untuk mendekripsi ciphertext menggunakan kunci simetris

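    def decrypt(context):
        """Decrypt the ciphertext described by *context* and print the response.

        *context* supplies ``ciphertext_blob``, ``key_id``, ``iv`` and ``algorithm``.
        The function returns nothing; the response is only printed.
        """
        request = DecryptRequest()
        request.ciphertext_blob = context.ciphertext_blob
        request.key_id = context.key_id
        request.iv = context.iv
        request.algorithm = context.algorithm
        runtime_options = RuntimeOptions()
        # Server certificate checking can be switched off with
        #     runtime_options.ignore_ssl = True
        # Keep that line disabled outside of local troubleshooting: without
        # certificate verification the endpoint is not authenticated, so the
        # response could be read or altered on the path between client and KMS.
        # verify is the path to the KMS instance's CA certificate.
        runtime_options.verify = "<CA_CERTIFICATE_FILE_PATH>"
        resp = client.decrypt_with_options(request, runtime_options)
        # NOTE(review): the response presumably carries the recovered plaintext, so
        # this print is for demonstration only; real code should hand the value to
        # the caller rather than write it to stdout or logs.
        print(resp)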