def reidentify_with_deterministic(
    project,
    input_str,
    surrogate_type=None,
    key_name=None,
    wrapped_key=None,
):
    """Re-identify text that was protected with deterministic encryption.

    Builds a ``crypto_deterministic_config`` transformation around a
    KMS-wrapped key and submits it to the DLP ``reidentify_content`` API.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to re-identify (will be treated as text).
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key.
            It should be encrypted using the Cloud KMS key named by
            key_name. Required in practice: the None default makes
            base64.b64decode raise TypeError.

    Returns:
        The value of ``response.item.value``, i.e. the re-identified text.
        The same value is also printed to the terminal.
    """
    import base64

    import google.cloud.dlp

    client = google.cloud.dlp_v2.DlpServiceClient()

    # Full resource name of the parent project.
    parent_name = f"projects/{project}"

    # The client library wants raw bytes, while callers pass base64 text.
    key_bytes = base64.b64decode(wrapped_key)

    surrogate = {"name": surrogate_type}
    deterministic_settings = {
        "crypto_key": {
            "kms_wrapped": {
                "wrapped_key": key_bytes,
                "crypto_key_name": key_name,
            }
        },
        "surrogate_info_type": surrogate,
    }
    transformation = {
        "primitive_transformation": {
            "crypto_deterministic_config": deterministic_settings
        }
    }

    request = {
        "parent": parent_name,
        "reidentify_config": {
            "info_type_transformations": {"transformations": [transformation]}
        },
        # The surrogate name is registered as a custom info type so the
        # inspection step can find the tokens to reverse.
        "inspect_config": {
            "custom_info_types": [
                {"info_type": {"name": surrogate_type}, "surrogate_type": {}}
            ]
        },
        "item": {"value": input_str},
    }
    response = client.reidentify_content(request=request)

    restored = response.item.value
    # NOTE: this writes the re-identified (original) data to stdout. Outside
    # a demo, keep that output away from retained or shared logs.
    print(f"\tThe response from DLP API call for {input_str} is", restored)
    return restored
def reidentify_with_fpe(project, string, alphabet=None,
                        surrogate_type=None, key_name=None, wrapped_key=None):
    """Re-identify text that was protected with Format Preserving Encryption.

    Builds a ``crypto_replace_ffx_fpe_config`` transformation around a
    KMS-wrapped key and submits it to the DLP ``reidentify_content`` API.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        string: The string to re-identify (will be treated as text).
        alphabet: The set of characters to replace sensitive ones with.
            For more information, see
            https://cloud.google.com/dlp/docs/reference/rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key.
            It should be encrypted using the Cloud KMS key named by
            key_name. Required in practice: the None default makes
            base64.b64decode raise TypeError.

    Returns:
        None; the re-identified text is printed to the terminal.
    """
    import base64

    import google.cloud.dlp

    client = google.cloud.dlp.DlpServiceClient()

    # NOTE(review): project_path() and the positional parent argument below
    # look like the pre-2.0 google-cloud-dlp calling convention -- confirm
    # against the installed client version.
    parent_path = client.project_path(project)

    # The client library wants raw bytes, while callers pass base64 text.
    key_bytes = base64.b64decode(wrapped_key)

    fpe_settings = {
        'crypto_key': {
            'kms_wrapped': {
                'wrapped_key': key_bytes,
                'crypto_key_name': key_name,
            }
        },
        'common_alphabet': alphabet,
        'surrogate_info_type': {'name': surrogate_type},
    }
    reidentify_settings = {
        'info_type_transformations': {
            'transformations': [
                {
                    'primitive_transformation': {
                        'crypto_replace_ffx_fpe_config': fpe_settings,
                    }
                }
            ]
        }
    }
    # The surrogate name is registered as a custom info type so the
    # inspection step can find the tokens to reverse.
    inspect_settings = {
        'custom_info_types': [
            {'info_type': {'name': surrogate_type}, 'surrogate_type': {}}
        ]
    }

    result = client.reidentify_content(
        parent_path,
        inspect_config=inspect_settings,
        reidentify_config=reidentify_settings,
        item={'value': string},
    )

    # NOTE: this writes the re-identified (original) data to stdout. Outside
    # a demo, keep that output away from retained or shared logs.
    print(result.item.value)
def reidentify_with_fpe(project, string, alphabet=None,
                        surrogate_type=None, key_name=None, wrapped_key=None):
    """Reverse Format Preserving Encryption (FPE) on a string via the DLP API.

    The request carries a KMS-wrapped key, the FPE alphabet, and the
    surrogate info type that marks which tokens to re-identify.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        string: The string to re-identify (will be treated as text).
        alphabet: The set of characters to replace sensitive ones with.
            For more information, see
            https://cloud.google.com/dlp/docs/reference/rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key,
            encrypted using the Cloud KMS key named by key_name. Must be
            supplied: base64.b64decode raises TypeError on the None default.

    Returns:
        None; the re-identified text is printed to the terminal.
    """
    import base64

    import google.cloud.dlp

    dlp_client = google.cloud.dlp.DlpServiceClient()

    # Expand the bare project id into a full resource path.
    parent_resource = dlp_client.project_path(project)

    # Callers hand over base64 text; the library needs the decoded bytes.
    decoded_key = base64.b64decode(wrapped_key)

    kms_key = {
        'kms_wrapped': {
            'wrapped_key': decoded_key,
            'crypto_key_name': key_name,
        }
    }
    surrogate = {'name': surrogate_type}
    primitive = {
        'crypto_replace_ffx_fpe_config': {
            'crypto_key': kms_key,
            'common_alphabet': alphabet,
            'surrogate_info_type': surrogate,
        }
    }
    reidentify_settings = {
        'info_type_transformations': {
            'transformations': [{'primitive_transformation': primitive}]
        }
    }
    inspect_settings = {
        'custom_info_types': [
            {'info_type': {'name': surrogate_type}, 'surrogate_type': {}}
        ]
    }
    content = {'value': string}

    api_response = dlp_client.reidentify_content(
        parent_resource,
        inspect_config=inspect_settings,
        reidentify_config=reidentify_settings,
        item=content,
    )

    # NOTE: stdout receives the re-identified (original) data here, so
    # whatever captures this process's output holds sensitive values.
    print(api_response.item.value)
def reidentify_free_text_with_fpe_using_surrogate(
    project,
    input_str,
    alphabet="NUMERIC",
    surrogate_type="PHONE_TOKEN",
    unwrapped_key="YWJjZGVmZ2hpamtsbW5vcA==",
):
    """Re-identify FPE-protected free text using an unwrapped key.

    Builds a ``crypto_replace_ffx_fpe_config`` transformation with a
    surrogate info type and submits it to the DLP ``reidentify_content``
    API. The key is passed as raw key material, not wrapped by Cloud KMS.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to re-identify (will be treated as text).
        alphabet: The set of characters to replace sensitive ones with.
            For more information, see
            https://cloud.google.com/dlp/docs/reference/rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        unwrapped_key: The base64-encoded AES key to use.
            NOTE(review): the default is a fixed sample value that decodes
            to 16 bytes (a 128-bit key, not AES-256). It is published with
            this code, so it must never protect real data; pass a key
            loaded from a secret store instead.

    Returns:
        None; the re-identified text is printed to the terminal.
    """
    import base64

    import google.cloud.dlp

    client = google.cloud.dlp_v2.DlpServiceClient()

    # NOTE(review): project_path() and the positional parent argument below
    # look like the pre-2.0 google-cloud-dlp calling convention -- confirm
    # against the installed client version.
    parent_path = client.project_path(project)

    # The client library wants raw bytes, while callers pass base64 text.
    # After this line the plaintext key sits in process memory and is sent
    # in the request body; a KMS-wrapped key avoids handling raw material.
    raw_key = base64.b64decode(unwrapped_key)

    fpe_settings = {
        "crypto_key": {"unwrapped": {"key": raw_key}},
        "common_alphabet": alphabet,
        "surrogate_info_type": {"name": surrogate_type},
    }
    reidentify_settings = {
        "info_type_transformations": {
            "transformations": [
                {
                    "primitive_transformation": {
                        "crypto_replace_ffx_fpe_config": fpe_settings
                    }
                }
            ]
        }
    }
    # The surrogate name is registered as a custom info type so the
    # inspection step can find the tokens to reverse.
    inspect_settings = {
        "custom_info_types": [
            {"info_type": {"name": surrogate_type}, "surrogate_type": {}}
        ]
    }

    result = client.reidentify_content(
        parent_path,
        inspect_config=inspect_settings,
        reidentify_config=reidentify_settings,
        item={"value": input_str},
    )

    # NOTE: this writes the re-identified (original) data to stdout. Outside
    # a demo, keep that output away from retained or shared logs.
    print(result.item.value)
def reidentify_with_fpe(project, string, alphabet=None,
                        surrogate_type=None, key_name=None, wrapped_key=None):
    """Re-identify text that was protected with Format Preserving Encryption.

    Args:
        project: The Google Cloud project id, expanded to a resource path
            with the client's ``project_path``.
        string: The text to re-identify; sent as the item's ``value``.
        alphabet: Passed through as the FPE ``common_alphabet``.
        surrogate_type: Name used for both the surrogate info type of the
            transformation and the custom info type of the inspection.
        key_name: Passed through as the KMS ``crypto_key_name``.
        wrapped_key: The base64-encoded wrapped key; decoded to bytes before
            use. Must be supplied: base64.b64decode raises TypeError on the
            None default.

    Returns:
        The value of ``response.item.value``, i.e. the re-identified text.
        Callers receive the original sensitive data and should handle it
        accordingly.
    """
    import base64

    import google.cloud.dlp

    dlp_client = google.cloud.dlp.DlpServiceClient()

    # NOTE(review): project_path() and the positional parent argument below
    # look like the pre-2.0 google-cloud-dlp calling convention -- confirm
    # against the installed client version.
    parent_resource = dlp_client.project_path(project)

    # Callers hand over base64 text; the library needs the decoded bytes.
    decoded_key = base64.b64decode(wrapped_key)

    crypto_key = {
        'kms_wrapped': {
            'wrapped_key': decoded_key,
            'crypto_key_name': key_name,
        }
    }
    fpe_transformation = {
        'primitive_transformation': {
            'crypto_replace_ffx_fpe_config': {
                'crypto_key': crypto_key,
                'common_alphabet': alphabet,
                'surrogate_info_type': {'name': surrogate_type},
            }
        }
    }
    reidentify_settings = {
        'info_type_transformations': {'transformations': [fpe_transformation]}
    }
    inspect_settings = {
        'custom_info_types': [
            {'info_type': {'name': surrogate_type}, 'surrogate_type': {}}
        ]
    }

    api_response = dlp_client.reidentify_content(
        parent_resource,
        inspect_config=inspect_settings,
        reidentify_config=reidentify_settings,
        item={'value': string},
    )
    return api_response.item.value
def reidentify_with_fpe(
    project,
    input_str,
    alphabet=None,
    surrogate_type=None,
    key_name=None,
    wrapped_key=None,
):
    """Re-identify text that was protected with Format Preserving Encryption.

    Builds a ``crypto_replace_ffx_fpe_config`` transformation around a
    KMS-wrapped key and submits it to the DLP ``reidentify_content`` API.

    Args:
        project: The Google Cloud project id to use as a parent resource.
        input_str: The string to re-identify (will be treated as text).
        alphabet: Passed through as the FPE ``common_alphabet``.
        surrogate_type: The name of the surrogate custom info type that was
            used during the encryption process.
        key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
            AES-256 key. Example:
            'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
            keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
        wrapped_key: The base64-encoded, encrypted ('wrapped') AES-256 key.
            It should be encrypted using the Cloud KMS key named by
            key_name. Required in practice: the None default makes
            base64.b64decode raise TypeError.

    Returns:
        The value of ``response.item.value``, i.e. the re-identified text.
        Callers receive the original sensitive data and should handle it
        accordingly.
    """
    import base64

    import google.cloud.dlp

    client = google.cloud.dlp_v2.DlpServiceClient()

    # Full resource name of the parent project.
    parent_name = f"projects/{project}"

    # The client library wants raw bytes, while callers pass base64 text.
    key_bytes = base64.b64decode(wrapped_key)

    fpe_settings = {
        "crypto_key": {
            "kms_wrapped": {
                "wrapped_key": key_bytes,
                "crypto_key_name": key_name,
            }
        },
        "common_alphabet": alphabet,
        "surrogate_info_type": {"name": surrogate_type},
    }
    request = {
        "parent": parent_name,
        "reidentify_config": {
            "info_type_transformations": {
                "transformations": [
                    {
                        "primitive_transformation": {
                            "crypto_replace_ffx_fpe_config": fpe_settings
                        }
                    }
                ]
            }
        },
        # The surrogate name is registered as a custom info type so the
        # inspection step can find the tokens to reverse.
        "inspect_config": {
            "custom_info_types": [
                {"info_type": {"name": surrogate_type}, "surrogate_type": {}}
            ]
        },
        "item": {"value": input_str},
    }

    # Call the DLP API https://cloud.google.com/dlp/docs/pseudonymization
    response = client.reidentify_content(request=request)
    return response.item.value