Last updated: 2022.05.25 13:08:39
First published: 2022.05.25 13:08:39
Key Management Service (KMS) is the key management and data encryption service provided by Volcengine. KMS helps users manage keys easily and protect the security of their core data in the cloud, while greatly reducing the procurement and development cost of deploying their own cryptographic infrastructure, and helps businesses meet regulatory and compliance requirements.
This tutorial walks you through using KMS on Volcengine to encrypt a small piece of data online.
Go to the KMS console, click Create Keyring, then create a key; for details, refer to this document.
1. Signing method
To call the KMS API, every request must be signed; for the signing method, refer to this document.
Based on the signing method above, write the code that produces the signature.
2. Encryption sample code (Python is used here as the example)
Parameter description:
host = 'open.volcengineapi.com'
region = 'cn-beijing'
endpoint = 'https://open.volcengineapi.com'
import sys, os, base64, datetime, hashlib, hmac
import requests, json

# ************* REQUEST VALUES *************
method = 'POST'
host = 'open.volcengineapi.com'
region = 'cn-beijing'
endpoint = 'https://open.volcengineapi.com'


def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()


def getSignatureKey(key, dateStamp, regionName, serviceName):
    # Derive the signing key: secret -> date -> region -> service -> 'request'
    kDate = sign(key.encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'request')
    return kSigning


def formatParameters(parameters):
    # Sort the query parameters by name and join them as key=value&key=value
    request_parameters_init = ''
    for key in sorted(parameters):
        request_parameters_init += key + '=' + parameters[key] + '&'
    request_parameters = request_parameters_init[:-1]
    return request_parameters


def sigv4(access_key, secret_key, service, request_parameters, request_payload):
    if access_key is None or secret_key is None:
        print('No access key is available.')
        sys.exit()
    print("payload data is: " + request_payload)

    t = datetime.datetime.utcnow()
    current_date = t.strftime('%Y%m%dT%H%M%SZ')  # e.g. '20210818T095729Z'
    datestamp = t.strftime('%Y%m%d')  # Date w/o time, used in credential scope

    canonical_uri = '/'
    canonical_querystring = request_parameters
    signed_headers = 'content-type;host;x-content-sha256;x-date'
    payload_hash = hashlib.sha256(request_payload.encode('utf-8')).hexdigest()
    content_type = 'application/json'
    canonical_headers = ('content-type:' + content_type + '\n' +
                         'host:' + host + '\n' +
                         'x-content-sha256:' + payload_hash + '\n' +
                         'x-date:' + current_date + '\n')
    canonical_request = (method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' +
                         canonical_headers + '\n' + signed_headers + '\n' + payload_hash)

    algorithm = 'HMAC-SHA256'
    credential_scope = datestamp + '/' + region + '/' + service + '/' + 'request'
    string_to_sign = (algorithm + '\n' + current_date + '\n' + credential_scope + '\n' +
                      hashlib.sha256(canonical_request.encode('utf-8')).hexdigest())
    print("signStr is: " + string_to_sign)

    signing_key = getSignatureKey(secret_key, datestamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode('utf-8'), hashlib.sha256).hexdigest()
    print("signature: " + signature)

    authorization_header = (algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' +
                            'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature)
    print("Authorization header: " + authorization_header)

    headers = {'X-Date': current_date,
               'Authorization': authorization_header,
               'X-Content-Sha256': payload_hash,
               'Content-Type': content_type}
    print(headers)

    # ************* SEND THE REQUEST *************
    request_url = endpoint + '?' + canonical_querystring
    print('\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++')
    print('Request URL = ' + request_url)
    r = requests.post(request_url, data=request_payload, headers=headers)
    print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
    print('Response code: %d\n' % r.status_code)
    parsed = json.loads(r.text)
    print(json.dumps(parsed, indent=4, sort_keys=True))
    return parsed


if __name__ == "__main__":
    # Your own AK, SK and service; replace the placeholder AK/SK below with real values
    access_key = 'AKLTNDY2MzdhNjAyZGNkNGZiOWFkNWUwOWQ1Zxxxxxx'
    secret_key = 'WVdZMll6WTBOR0UwWW1ZMU5HSm1OR0k0T1RreE16Zxxxxxxxxxxx'
    service = 'kms'
    # POST body: the plaintext must be base64-encoded
    request_payload = '{"Plaintext":"aGVsbG93b3JsZAo="}'
    kms_parameter = {
        'Action': 'Encrypt',
        'Version': '2021-02-18',
        'KeyringName': 'test',  # replace with your real keyring name
        'KeyName': 'test'       # replace with your real key name
    }
    formatted_parameters = formatParameters(kms_parameter)
    kms_result = sigv4(access_key, secret_key, service, formatted_parameters, request_payload)
    print(kms_result)
Notes:
1. Use the POST method.
2. The plaintext to be encrypted must be base64-encoded.
Running the sample code above returns the following:
{
    "ResponseMetadata": {
        "Action": "Encrypt",
        "Region": "cn-beijing",
        "RequestId": "2022050921391301021206303205130000",
        "Service": "kms",
        "Version": "2021-02-18"
    },
    "Result": {
        "CiphertextBlob": "nLLw4NI/RUiVOG4CeMWRCAAAplWZ7kwZml/MlS22D65SdC76qzYvqrv+KIeSUZwxlHRUVNv1aQEnWtlNdxQK5Kxe7D+KPW7otvT651wjSAvBfCsZYzFdKEs="
    }
}
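The following is an added example, not part of the original tutorial and not Volcengine's own code. It shows both halves of the signing method described in section 1 and the Encrypt request from section 2 in one place: the client side builds the signed request (canonical request, string to sign, derived signing key, Authorization header, base64-encoded Plaintext body) without sending it, and an illustrative server side recomputes the signature and rejects requests whose body, timestamp or credentials do not check out. The host, region, service, action and version are the ones used above; the access key, secret key and the pinned timestamp are constructed placeholders, and the verifier is an assumption about how a service of this kind checks such requests, not a description of what the KMS endpoint actually does.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed constants: same host/region/service as the tutorial. The credentials are
# hypothetical placeholders and the timestamp is pinned so the walk-through is reproducible.
HOST = 'open.volcengineapi.com'
REGION = 'cn-beijing'
SERVICE = 'kms'
ACCESS_KEY = 'AKLT_EXAMPLE_ACCESS_KEY'          # placeholder, not a real key
SECRET_KEY = 'EXAMPLE_SECRET_KEY_DO_NOT_USE'    # placeholder, not a real key
FIXED_TIME = datetime.datetime(2022, 5, 9, 21, 39, 13)
SIGNED_HEADERS = 'content-type;host;x-content-sha256;x-date'
ALGORITHM = 'HMAC-SHA256'

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def derive_signing_key(secret_key: str, datestamp: str) -> bytes:
    """Key derivation chain: secret -> date -> region -> service -> 'request'."""
    k_date = hmac_sha256(secret_key.encode('utf-8'), datestamp)
    k_region = hmac_sha256(k_date, REGION)
    k_service = hmac_sha256(k_region, SERVICE)
    return hmac_sha256(k_service, 'request')

def canonical_query(params: dict) -> str:
    """Query parameters sorted by name, as the tutorial's formatParameters does."""
    return '&'.join(f'{k}={params[k]}' for k in sorted(params))

def compute_signature(query_string: str, payload_hash: str, x_date: str, secret_key: str) -> tuple:
    """Return (credential_scope, signature); shared by the client and the verifier."""
    datestamp = x_date[:8]
    canonical_headers = (f'content-type:application/json\nhost:{HOST}\n'
                         f'x-content-sha256:{payload_hash}\nx-date:{x_date}\n')
    canonical_request = '\n'.join(['POST', '/', query_string, canonical_headers,
                                   SIGNED_HEADERS, payload_hash])
    scope = f'{datestamp}/{REGION}/{SERVICE}/request'
    string_to_sign = '\n'.join([ALGORITHM, x_date, scope,
                                hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()])
    signature = hmac.new(derive_signing_key(secret_key, datestamp),
                         string_to_sign.encode('utf-8'), hashlib.sha256).hexdigest()
    return scope, signature

def encrypt_request(plaintext: bytes, keyring_name: str, key_name: str, when=FIXED_TIME) -> dict:
    """Client side: build the signed Encrypt request (url, query, headers, body) without sending it."""
    params = {'Action': 'Encrypt', 'Version': '2021-02-18',
              'KeyringName': keyring_name, 'KeyName': key_name}
    # The API expects the plaintext base64-encoded inside the JSON body.
    body = json.dumps({'Plaintext': base64.b64encode(plaintext).decode('ascii')})
    x_date = when.strftime('%Y%m%dT%H%M%SZ')
    payload_hash = hashlib.sha256(body.encode('utf-8')).hexdigest()
    query = canonical_query(params)
    scope, signature = compute_signature(query, payload_hash, x_date, SECRET_KEY)
    headers = {
        'Content-Type': 'application/json',
        'Host': HOST,
        'X-Date': x_date,
        'X-Content-Sha256': payload_hash,
        'Authorization': (f'{ALGORITHM} Credential={ACCESS_KEY}/{scope}, '
                          f'SignedHeaders={SIGNED_HEADERS}, Signature={signature}'),
    }
    return {'url': f'https://{HOST}/?{query}', 'query': query, 'headers': headers, 'body': body}

def verify_signed_request(req: dict, secret_lookup, now=FIXED_TIME,
                          max_skew=datetime.timedelta(minutes=15)) -> bool:
    """Illustrative verifier (an assumption, not Volcengine's code): reject stale timestamps,
    check the body digest, then recompute the signature and compare it in constant time."""
    h = req['headers']
    try:
        algorithm, rest = h['Authorization'].split(' ', 1)
        fields = dict(part.strip().split('=', 1) for part in rest.split(','))
        access_key, scope = fields['Credential'].split('/', 1)
        when = datetime.datetime.strptime(h['X-Date'], '%Y%m%dT%H%M%SZ')
    except (KeyError, ValueError):
        return False
    if algorithm != ALGORITHM or fields.get('SignedHeaders') != SIGNED_HEADERS:
        return False
    if abs(now - when) > max_skew:          # outside the replay window
        return False
    secret = secret_lookup(access_key)
    if secret is None:                      # unknown access key
        return False
    if hashlib.sha256(req['body'].encode('utf-8')).hexdigest() != h['X-Content-Sha256']:
        return False                        # body does not match the signed digest
    expected_scope, expected_sig = compute_signature(req['query'], h['X-Content-Sha256'],
                                                     h['X-Date'], secret)
    return scope == expected_scope and hmac.compare_digest(expected_sig, fields['Signature'])

if __name__ == '__main__':
    request = encrypt_request(b'helloworld\n', 'test', 'test')
    print(json.dumps(request, indent=2))
    lookup = lambda ak: SECRET_KEY if ak == ACCESS_KEY else None
    print('verifies:', verify_signed_request(request, lookup))
```

Because the body digest is one of the signed headers, any change to the JSON body after signing fails the check, and because X-Date is signed and bounded by a skew window, a captured request cannot be resubmitted indefinitely; the constant-time comparison of the two hex signatures avoids leaking how many leading characters matched.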
If you have further questions, please contact Volcengine technical support.