
Key Management Service: Encryption and decryption sample

Updated: Dec 26, 2024

After you initialize the KMS instance SDK client, you can call the Encrypt and Decrypt operations through the client to encrypt and decrypt data. This topic gives a code sample that integrates KMS for symmetric encryption and decryption.

Complete code sample

Integrating KMS for symmetric encryption and decryption takes three steps:

  1. Initialize the client that calls the KMS operations.

  2. Call the Encrypt operation through the client to encrypt the data.

  3. Call the Decrypt operation through the client to decrypt the ciphertext.

Python 2 source code on GitHub: aes_encrypt_decrypt_sample.py

Python 3 source code on GitHub: aes_encrypt_decrypt_sample.py

This topic uses the Python 3 version as the example.

Complete encryption and decryption code sample

# -*- coding: utf-8 -*-
import os

from openapi.models import Config
from openapi_util.models import RuntimeOptions
from sdk.client import Client
from sdk.models import EncryptRequest, DecryptRequest

config = Config()
# Set the protocol to "https". A KMS instance accepts HTTPS connections only.
config.protocol = "https"
# Path to the Client Key file.
config.client_key_file = "<your-client-key-file>"
# Password that decrypts the Client Key. Read it from the environment rather than hard-coding it.
config.password = os.getenv('CLIENT_KEY_PASSWORD')
# Set the endpoint to <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com.
config.endpoint = "<your-endpoint>"
client = Client(config)


class AESEncryptContext(object):
    """Everything Encrypt returned that Decrypt needs later. Store this context together with the ciphertext."""

    def __init__(self, key_id, ciphertext_blob, iv, algorithm):
        self.key_id = key_id
        self.ciphertext_blob = ciphertext_blob
        self.iv = iv
        # The service applies its default algorithm when none is set; keep the value it returns.
        self.algorithm = algorithm


def encrypt(key_id, plaintext):
    request = EncryptRequest()
    request.plaintext = plaintext
    request.key_id = key_id
    runtime_options = RuntimeOptions()
    # Skip server certificate verification. Leave this commented out in production:
    # enabling it lets any host that can intercept the connection impersonate the KMS instance.
    # runtime_options.ignore_ssl = True
    # verify is the path to the KMS instance CA certificate used to verify the server.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.encrypt_with_options(request, runtime_options)
    print(resp)
    return AESEncryptContext(resp.key_id, resp.ciphertext_blob, resp.iv, resp.algorithm)


def decrypt(context):
    request = DecryptRequest()
    request.ciphertext_blob = context.ciphertext_blob
    request.key_id = context.key_id
    request.iv = context.iv
    request.algorithm = context.algorithm
    runtime_options = RuntimeOptions()
    # Skip server certificate verification. Leave this commented out in production (see encrypt()).
    # runtime_options.ignore_ssl = True
    # verify is the path to the KMS instance CA certificate used to verify the server.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.decrypt_with_options(request, runtime_options)
    print(resp)
    # Return the recovered plaintext so the caller can use and check it.
    return resp.plaintext


plaintext = "<your-plaintext>".encode("utf-8")
key_id = "<your-key-id>"
context = encrypt(key_id, plaintext)
# The round trip must give back exactly the input bytes.
assert decrypt(context) == plaintext
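The sample above notes that the encrypt context "may be stored" but does not show how, and it leaves ignore_ssl as a commented-out line next to the CA path. The following is an added example, not code from the Alibaba Cloud KMS documentation or the SDK: it serializes the context (key_id, iv, algorithm, ciphertext_blob) to JSON for storage, refuses to load a record that is missing any of those fields, and builds RuntimeOptions so that certificate verification against the KMS instance CA is only skipped through an explicit opt-in. StubKmsClient, ASSUMED_ALGORITHM, build_runtime_options and round_trip are hypothetical names introduced here; the stub keeps plaintexts in memory so the flow runs offline and performs no real cryptography.

```python
# -*- coding: utf-8 -*-
"""Added example; not code from the Alibaba Cloud KMS documentation or SDK.

Shows (1) persisting the encrypt context so Decrypt can be called later and
(2) building RuntimeOptions without silently disabling TLS verification.
StubKmsClient is a hypothetical offline stand-in for sdk.client.Client.
"""
import base64
import json
import os

try:
    from openapi_util.models import RuntimeOptions  # the real SDK class, when installed
except ImportError:
    class RuntimeOptions(object):  # stand-in exposing the two attributes used here
        def __init__(self):
            self.ignore_ssl = False
            self.verify = None

ASSUMED_ALGORITHM = "AES_GCM"  # assumed label; in real use keep EncryptResponse.algorithm as returned


class AESEncryptContext(object):
    """Same fields as the page's class, plus JSON (de)serialization for storage."""
    REQUIRED = ("key_id", "ciphertext_blob", "iv", "algorithm")

    def __init__(self, key_id, ciphertext_blob, iv, algorithm):
        self.key_id = key_id
        self.ciphertext_blob = ciphertext_blob  # bytes, as returned by the service
        self.iv = iv                            # bytes; required again at Decrypt time
        self.algorithm = algorithm

    def to_json(self):
        # bytes fields are base64-encoded so the record fits a text column or JSON document
        return json.dumps({
            "key_id": self.key_id,
            "ciphertext_blob": base64.b64encode(self.ciphertext_blob).decode("ascii"),
            "iv": base64.b64encode(self.iv).decode("ascii"),
            "algorithm": self.algorithm,
        })

    @classmethod
    def from_json(cls, text):
        data = json.loads(text)
        missing = [name for name in cls.REQUIRED if not data.get(name)]
        if missing:
            # Fail at load time: a record without its iv or key_id can never be decrypted
            raise ValueError("encrypt context is missing: " + ", ".join(missing))
        return cls(data["key_id"],
                   base64.b64decode(data["ciphertext_blob"]),
                   base64.b64decode(data["iv"]),
                   data["algorithm"])


def build_runtime_options(ca_certificate_path, allow_insecure=False):
    """Return RuntimeOptions that verify the server against the KMS instance CA."""
    options = RuntimeOptions()
    if allow_insecure:
        options.ignore_ssl = True  # development only: no server certificate check at all
        return options
    if not os.path.isfile(ca_certificate_path):
        raise FileNotFoundError("KMS instance CA certificate not found: " + ca_certificate_path)
    options.ignore_ssl = False
    options.verify = ca_certificate_path
    return options


class StubKmsClient(object):
    """Hypothetical stand-in: remembers plaintexts by (key_id, ciphertext_blob) and,
    like the service, refuses to decrypt when iv or algorithm do not match."""

    def __init__(self):
        self._store = {}

    def encrypt(self, key_id, plaintext):
        iv, blob = os.urandom(12), os.urandom(32)
        self._store[(key_id, blob)] = (iv, ASSUMED_ALGORITHM, plaintext)
        return AESEncryptContext(key_id, blob, iv, ASSUMED_ALGORITHM)

    def decrypt(self, context):
        entry = self._store.get((context.key_id, context.ciphertext_blob))
        if entry is None or entry[0] != context.iv or entry[1] != context.algorithm:
            raise ValueError("decrypt rejected: key_id, iv or algorithm does not match the ciphertext")
        return entry[2]


def round_trip(client, key_id, plaintext):
    """Encrypt, persist the context as JSON, reload it, decrypt: the path a real application takes."""
    stored_record = client.encrypt(key_id, plaintext).to_json()
    return client.decrypt(AESEncryptContext.from_json(stored_record))


if __name__ == "__main__":
    print(round_trip(StubKmsClient(), "<your-key-id>", b"hello"))
```

With the real SDK, replace StubKmsClient with the page's encrypt() and decrypt() wrappers and pass build_runtime_options("<your-ca-certificate-file-path>") as the RuntimeOptions argument; the JSON record produced by to_json() is what you store next to the ciphertext.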

Code sample walkthrough

Initialize the client

For details on initializing the client, see Initialize the client.

# -*- coding: utf-8 -*-
import os

from openapi.models import Config
from sdk.client import Client

config = Config()
# Set the protocol to "https". A KMS instance accepts HTTPS connections only.
config.protocol = "https"

# Path to the Client Key file.
config.client_key_file = "<your-client-key-file>"

# Password that decrypts the Client Key, read from the environment rather than hard-coded.
config.password = os.getenv('CLIENT_KEY_PASSWORD')

# Set the endpoint to <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com.
config.endpoint = "<your-endpoint>"
client = Client(config)

Call the Encrypt operation to encrypt data with a symmetric key

def encrypt(key_id, plaintext):
    request = EncryptRequest()
    request.plaintext = plaintext
    request.key_id = key_id
    runtime_options = RuntimeOptions()
    # Skip server certificate verification. Leave this commented out in production:
    # enabling it lets any host that can intercept the connection impersonate the KMS instance.
    # runtime_options.ignore_ssl = True
    # verify is the path to the KMS instance CA certificate used to verify the server.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.encrypt_with_options(request, runtime_options)
    print(resp)
    # Keep key_id, iv and algorithm with the ciphertext; Decrypt needs all of them.
    return AESEncryptContext(resp.key_id, resp.ciphertext_blob, resp.iv, resp.algorithm)

Call the Decrypt operation to decrypt ciphertext with a symmetric key

def decrypt(context):
    request = DecryptRequest()
    request.ciphertext_blob = context.ciphertext_blob
    request.key_id = context.key_id
    request.iv = context.iv
    request.algorithm = context.algorithm
    runtime_options = RuntimeOptions()
    # Skip server certificate verification. Leave this commented out in production (see encrypt()).
    # runtime_options.ignore_ssl = True
    # verify is the path to the KMS instance CA certificate used to verify the server.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.decrypt_with_options(request, runtime_options)
    print(resp)
    # Return the recovered plaintext so the caller can use and check it.
    return resp.plaintext