
Encrypting Data Online with KMS

Last updated: 2022.05.25 13:08:39

First published: 2022.05.25 13:08:39

Introduction

Key Management Service (KMS) is the key management and data encryption service provided by Volcengine (火山引擎). KMS lets users manage keys easily and protect core data in the cloud, while greatly reducing the procurement and development cost of running their own cryptographic infrastructure and helping workloads meet regulatory and compliance requirements.

This lab walks you through using KMS on Volcengine to encrypt a small piece of data online.

About this lab

  • Estimated time: 20 minutes
  • Level: beginner
  • Related products: KMS
  • Audience: general

Lab notes

  • Click this link to log in to the console.

  • If you do not have an account yet, click this link to register one.

  • The first time a user opens the KMS console in a given Volcengine region, KMS activates the service for that user automatically. Activation takes a few minutes.

Lab steps

Step 1 - Create a keyring and generate a key

Open the KMS console, click to create a new keyring, then create a new key inside it; for details, refer to this document.

Step 2 - Encrypt data with the encryption API provided by KMS

1. Signing method

Every call to the KMS API must be signed. For the signing method, refer to this document.

Implement the signing code according to that signing method.

2. Sample encryption code (Python)

Parameter description:
host = 'open.volcengineapi.com'
region = 'cn-beijing'
endpoint = 'https://open.volcengineapi.com'

import sys, datetime, hashlib, hmac, json
from urllib.parse import quote
import requests

# ************* REQUEST VALUES *************
method = 'POST'
host = 'open.volcengineapi.com'
region = 'cn-beijing'
endpoint = 'https://open.volcengineapi.com'


def sign(key, msg):
    # One HMAC-SHA256 step: key is bytes, msg is a string
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()


def getSignatureKey(key, dateStamp, regionName, serviceName):
    # Derive the signing key: secret -> date -> region -> service -> 'request'
    kDate = sign(key.encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'request')
    return kSigning


def formatParameters(parameters):
    # Canonical query string: keys sorted, key=value pairs URL-encoded and joined by '&'
    pairs = [quote(key, safe='-_.~') + '=' + quote(parameters[key], safe='-_.~')
             for key in sorted(parameters)]
    return '&'.join(pairs)


def sigv4(access_key, secret_key, service, request_parameters, request_payload):
    if access_key is None or secret_key is None:
        print('No access key is available.')
        sys.exit()

    print("payload data is: " + request_payload)

    t = datetime.datetime.utcnow()
    current_date = t.strftime('%Y%m%dT%H%M%SZ')  # X-Date, e.g. 20210818T095729Z
    datestamp = t.strftime('%Y%m%d')  # Date w/o time, used in credential scope

    canonical_uri = '/'

    canonical_querystring = request_parameters

    signed_headers = 'content-type;host;x-content-sha256;x-date'

    # Hash of the exact bytes sent as the body; it is both a header and part of the canonical request
    payload_hash = hashlib.sha256(request_payload.encode('utf-8')).hexdigest()

    content_type = 'application/json'

    canonical_headers = 'content-type:' + content_type + '\n' + 'host:' + host + '\n' + 'x-content-sha256:' + payload_hash + '\n' + 'x-date:' + current_date + '\n'
    canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash

    algorithm = 'HMAC-SHA256'
    credential_scope = datestamp + '/' + region + '/' + service + '/' + 'request'
    string_to_sign = algorithm + '\n' + current_date + '\n' + credential_scope + '\n' + hashlib.sha256(
        canonical_request.encode('utf-8')).hexdigest()
    print("signStr is:\n" + string_to_sign)

    # The derived signing key is secret material, so it is deliberately not printed
    signing_key = getSignatureKey(secret_key, datestamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode('utf-8'), hashlib.sha256).hexdigest()
    print("signature: " + signature)

    authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature
    print("Authorization header: " + authorization_header)
    # Send exactly the headers that were signed plus Authorization itself
    headers = {'X-Date': current_date,
               'Authorization': authorization_header,
               'X-Content-Sha256': payload_hash,
               'Content-Type': content_type
               }
    print(headers)

    # ************* SEND THE REQUEST *************
    request_url = endpoint + '?' + canonical_querystring

    print('\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++')
    print('Request URL = ' + request_url)
    # Send the UTF-8 bytes that were hashed so X-Content-Sha256 matches the body on the wire
    r = requests.post(request_url, data=request_payload.encode('utf-8'), headers=headers)

    print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
    print('Response code: %d\n' % r.status_code)
    parsed = json.loads(r.text)
    print(json.dumps(parsed, indent=4, sort_keys=True))
    return parsed


if __name__ == "__main__":

    # Set your own AK, SK and service
    access_key = 'AKLTNDY2MzdhNjAyZGNkNGZiOWFkNWUwOWQ1Zxxxxxx'
    secret_key = 'WVdZMll6WTBOR0UwWW1ZMU5HSm1OR0k0T1RreE16Zxxxxxxxxxxx'
    # Replace the AK and SK above with your real AK and SK
    service = 'kms'
    # POST request body; the plaintext must be base64-encoded
    request_payload = json.dumps({"Plaintext": "aGVsbG93b3JsZAo="})

    kms_parameter = {
        'Action': 'Encrypt',
        'Version': '2021-02-18',
        'KeyringName': 'test',  # replace with your real keyring name
        'KeyName': 'test'       # replace with your real key name
    }

    formatted_parameters = formatParameters(kms_parameter)
    kms_result = sigv4(access_key, secret_key, service, formatted_parameters, request_payload)
    print(kms_result)


Notes:
1. Use the POST method.
2. The plaintext to be encrypted must be base64-encoded.

Step 3 - Test

Running the sample code above returns the following:

{
    "ResponseMetadata": {
        "Action": "Encrypt",
        "Region": "cn-beijing",
        "RequestId": "2022050921391301021206303205130000",
        "Service": "kms",
        "Version": "2021-02-18"
    },
    "Result": {
        "CiphertextBlob": "nLLw4NI/RUiVOG4CeMWRCAAAplWZ7kwZml/MlS22D65SdC76qzYvqrv+KIeSUZwxlHRUVNv1aQEnWtlNdxQK5Kxe7D+KPW7otvT651wjSAvBfCsZYzFdKEs="
    }
}
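The following is an added example, not code from Volcengine or from this tutorial. It re-implements the signing layout from step 2 (the four-step HMAC key derivation, canonical query string, canonical request and string-to-sign) as pure functions so they can be exercised offline, adds the server-side check that any change to the body, query or X-Date invalidates the signature, builds the base64 Encrypt body from the notes, and validates a response of the shape shown in step 3. The access key, secret key, X-Date value, keyring and key names are constructed placeholders; the sample response reuses the values printed above.

```python
"""Offline walk-through of the tutorial's signing scheme, request body and response handling.
Added example (not Volcengine's SDK code); credentials and timestamps below are constructed."""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

HOST = "open.volcengineapi.com"
REGION = "cn-beijing"
SERVICE = "kms"
ALGORITHM = "HMAC-SHA256"
SIGNED_HEADERS = "content-type;host;x-content-sha256;x-date"

# Constructed placeholders, never real credentials
DEMO_AK = "AKLT-EXAMPLE-ACCESS-KEY"
DEMO_SK = "EXAMPLE-SECRET-KEY-DO-NOT-USE"
DEMO_X_DATE = "20220525T130839Z"
ENCRYPT_PARAMS = {"Action": "Encrypt", "Version": "2021-02-18",
                  "KeyringName": "test", "KeyName": "test"}


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, datestamp: str, region: str, service: str) -> bytes:
    """Four chained HMACs: secret -> date -> region -> service -> 'request'."""
    k_date = hmac_sha256(secret_key.encode("utf-8"), datestamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "request")


def canonical_query(params: dict) -> str:
    """Sorted, URL-encoded key=value pairs joined by '&'."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))


def build_encrypt_payload(plaintext: bytes) -> str:
    """The Encrypt body carries the plaintext base64-encoded, as the notes require."""
    return json.dumps({"Plaintext": base64.b64encode(plaintext).decode("ascii")})


def sign_request(access_key: str, secret_key: str, params: dict, payload: str, x_date: str) -> dict:
    """Build the signed headers for POST /?<query>; x_date is YYYYMMDDTHHMMSSZ in UTC."""
    datestamp = x_date[:8]
    query = canonical_query(params)
    payload_hash = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    content_type = "application/json"
    canonical_headers = (f"content-type:{content_type}\nhost:{HOST}\n"
                         f"x-content-sha256:{payload_hash}\nx-date:{x_date}\n")
    canonical_request = "\n".join(["POST", "/", query, canonical_headers, SIGNED_HEADERS, payload_hash])
    scope = f"{datestamp}/{REGION}/{SERVICE}/request"
    string_to_sign = "\n".join([ALGORITHM, x_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signing_key = derive_signing_key(secret_key, datestamp, REGION, SERVICE)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "X-Date": x_date,
        "X-Content-Sha256": payload_hash,
        "Content-Type": content_type,
        "Authorization": (f"{ALGORITHM} Credential={access_key}/{scope}, "
                          f"SignedHeaders={SIGNED_HEADERS}, Signature={signature}"),
    }


def verify_signature(secret_key: str, headers: dict, params: dict, payload: str) -> bool:
    """Server-side view: re-derive the signature from the request and compare in constant time.
    Any change to the query, body or X-Date after signing makes this return False."""
    fields = dict(part.strip().split("=", 1)
                  for part in headers["Authorization"].split(" ", 1)[1].split(","))
    access_key = fields["Credential"].split("/")[0]
    expected = sign_request(access_key, secret_key, params, payload, headers["X-Date"])
    expected_sig = expected["Authorization"].rsplit("Signature=", 1)[1]
    return hmac.compare_digest(fields["Signature"], expected_sig)


# Response of the shape shown in step 3 (values copied from the tutorial's sample output)
SAMPLE_RESPONSE = {
    "ResponseMetadata": {"Action": "Encrypt", "Region": "cn-beijing",
                         "RequestId": "2022050921391301021206303205130000",
                         "Service": "kms", "Version": "2021-02-18"},
    "Result": {"CiphertextBlob": "nLLw4NI/RUiVOG4CeMWRCAAAplWZ7kwZml/MlS22D65SdC76qzYvqrv+KIeSUZwx"
                                 "lHRUVNv1aQEnWtlNdxQK5Kxe7D+KPW7otvT651wjSAvBfCsZYzFdKEs="},
}


def extract_ciphertext(response: dict, expected_action: str = "Encrypt") -> str:
    """Return Result.CiphertextBlob after checking the response matches the call that was made."""
    meta = response.get("ResponseMetadata", {})
    if meta.get("Action") != expected_action:
        raise ValueError(f"unexpected Action {meta.get('Action')!r} (RequestId {meta.get('RequestId')!r})")
    blob = response.get("Result", {}).get("CiphertextBlob")
    if not blob:
        raise ValueError(f"no Result.CiphertextBlob in response (RequestId {meta.get('RequestId')!r})")
    base64.b64decode(blob, validate=True)  # raises binascii.Error if the blob is not well-formed base64
    return blob


if __name__ == "__main__":
    body = build_encrypt_payload(b"helloworld\n")  # encodes to aGVsbG93b3JsZAo=, as in the tutorial
    hdrs = sign_request(DEMO_AK, DEMO_SK, ENCRYPT_PARAMS, body, DEMO_X_DATE)
    print(body)
    print(hdrs["Authorization"])
    print("verifies:", verify_signature(DEMO_SK, hdrs, ENCRYPT_PARAMS, body))
    print("ciphertext:", extract_ciphertext(SAMPLE_RESPONSE)[:32], "...")
```

Because X-Date is passed in rather than read from the clock, the same inputs always produce the same Authorization header, which makes the signer easy to test and to compare against another implementation. The verifier is the mirror image of the signer: it does not trust the client's X-Content-Sha256 header but recomputes everything from the bytes it received, so a body or query string altered in transit fails the check.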

If you have further questions, contact Volcengine technical support.