密钥管理
更新时间:2022-03-30
创建MasterKey
如下代码可以创建MasterKey,返回MasterKeyId,创建时间等等。
/**
 * Creates a KMS master key and prints its key id and creation date.
 *
 * <p>The request is built from a description, the protection type, the key usage,
 * the key spec, the key origin and the rotation period in days. Every exception
 * thrown by the client is reported on stdout by its message only (the stack trace
 * is not kept), which is sample-level error handling, not production handling.
 *
 * @param client an initialised {@link KmsClient}
 */
public void createKey(KmsClient client) {
    // Placeholder description; replace before use.
    final String description = "[DESCRIPTION]";
    // Rotation period in days: 0 disables rotation, otherwise 7-365 (per the SDK sample).
    final int rotationDays = 100;
    try {
        CreateKeyRequest request = new CreateKeyRequest(
                description,
                Constants.ProtectedBy.SOFTWARE.toString(),  // protection type
                "ENCRYPT_DECRYPT",                          // key usage
                Constants.KeySpec.AES_128.toString(),       // key spec
                Constants.Origin.BAIDU_KMS.toString(),      // key origin
                rotationDays);
        // Issue the create-key call.
        CreateKeyResponse response = client.createKey(request);
        // Report the new master key id, then its creation date.
        System.out.println(response.getKeyMetadata().getKeyId());
        System.out.println(response.getKeyMetadata().getCreationDate());
    } catch (BceServiceException e) {
        // Error reported by the KMS service.
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        // Error raised by the SDK client itself.
        System.out.println(e.getMessage());
    } catch (Exception e) {
        // Anything else; same message-only reporting as above.
        System.out.println(e.getMessage());
    }
}
列举MasterKey
使用如下代码可以列举出该账号所创建的MasterKey
/**
 * Lists the master keys of the current account and prints each key id.
 *
 * <p>A single request is made with a limit of 100 and an empty marker, so only the
 * first page is printed. NOTE(review): if the account holds more keys, the listing
 * has to be continued from the marker the response returns — confirm the field name
 * in the SDK, it is not visible in this file.
 *
 * @param client an initialised {@link KmsClient}
 */
public void listKeys(KmsClient client) {
    try {
        ListKeysRequest request = new ListKeysRequest();
        // Start from the beginning of the listing ...
        request.setMarker("");
        // ... and ask for at most 100 key ids.
        request.setLimit(100);
        ListKeysResponse response = client.listKeys(request);
        // Print the id of every key on this page.
        List<ListKeysResponse.Key> page = response.getKeys();
        for (ListKeysResponse.Key entry : page) {
            System.out.println(entry.getKeyId());
        }
    } catch (BceServiceException e) {
        // Error reported by the KMS service.
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        // Error raised by the SDK client itself.
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
加密数据
如下代码可以对原文进行加密
/**
 * Encrypts a plaintext under a master key and prints the ciphertext and the key id.
 *
 * <p>The plaintext handed to the request must already be base64-encoded (the sample
 * value is a base64 string, not raw bytes). The key id is a placeholder.
 *
 * @param client an initialised {@link KmsClient}
 */
public void encrypt(KmsClient client) {
    // Base64-encoded plaintext; the SDK expects base64 input here.
    final String base64Plaintext = "Q2FybFN1biBpcyBnZW5pdXMh";
    try {
        EncryptRequest request = new EncryptRequest();
        // Master key to encrypt under.
        request.setKeyId("your Master Key Id");
        request.setPlaintext(base64Plaintext);
        EncryptResponse response = client.encrypt(request);
        // Ciphertext first, then the id of the key that produced it.
        System.out.println(response.getCiphertext());
        System.out.println(response.getKeyId());
    } catch (Exception e) {
        // Message-only reporting, as in the rest of the samples.
        System.out.println(e.getMessage());
    }
}
解密数据
如下代码对密文进行解密
/**
 * Decrypts a ciphertext with a master key and prints the key id and the plaintext.
 *
 * <p>Both the ciphertext and the key id are placeholders. The recovered plaintext is
 * printed for demonstration only; real code should not write decrypted data to
 * stdout or to logs.
 *
 * @param client an initialised {@link KmsClient}
 */
public void decrypt(KmsClient client) {
    try {
        DecryptRequest request = new DecryptRequest();
        // Master key the ciphertext was produced under.
        request.setKeyId("your Master Key Id");
        request.setCiphertext("your ciphertext");
        DecryptResponse response = client.decrypt(request);
        System.out.println(response.getKeyId());
        // Demo only: the decrypted value is sensitive and should not be logged.
        System.out.println(response.getPlaintext());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
生成Datakey
如下代码可以生成DataKey的原文和密文
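/**
 * Generates a data key under a master key and prints the data-key ciphertext and the
 * master key id.
 *
 * <p>The response also carries the data key in plaintext. That value is key material:
 * it is meant to be used in memory for local encryption and persisted only in its
 * encrypted form, so this method does not print it (the original sample did) — only
 * its length is reported, to show that it was received.
 *
 * <p>NOTE(review): the request sets both {@code keySpec} ({@code AES_256}) and
 * {@code numberOfBytes} (20). 20 bytes is not an AES key length, and this file does
 * not show how the service reconciles the two settings — confirm with the SDK
 * documentation and set only the one you need.
 *
 * @param client an initialised {@link KmsClient}
 */
public void generateDataKey(KmsClient client) {
    try {
        GenerateDataKeyRequest request = new GenerateDataKeyRequest();
        // Master key that wraps the generated data key.
        request.setKeyId("your master key id");
        // Data key spec.
        request.setKeySpec(Constants.KeySpec.AES_256);
        // Length of the plaintext data key in bytes.
        request.setNumberOfBytes(20);
        GenerateDataKeyResponse response = client.generateDataKey(request);
        // Safe to store alongside the data: the data key wrapped by the master key.
        System.out.println(response.getCiphertext());
        System.out.println(response.getKeyId());
        // Key material: keep in memory for local use only; never print or log it.
        String plaintextDataKey = response.getPlaintext();
        int length = plaintextDataKey == null ? 0 : plaintextDataKey.length();
        System.out.println("plaintext data key received (" + length + " chars, not printed)");
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}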
使MasterKey处于可用状态
如下代码可以enable master key
/**
 * Puts a master key back into the enabled state.
 *
 * <p>The key id is passed to the request constructor and is a placeholder.
 * Failures are reported on stdout by message only.
 *
 * @param client an initialised {@link KmsClient}
 */
public void enableKey(KmsClient client) {
    final String keyId = "your master key id";
    try {
        // The request takes the master key id directly in its constructor.
        EnableKeyRequest request = new EnableKeyRequest(keyId);
        client.enableKey(request);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
使MasterKey处于不可用状态
如下代码可以disable master key
/**
 * Puts a master key into the disabled state.
 *
 * <p>Unlike {@code enableKey}, the key id is set through a setter. Disabling is
 * reversible via {@code enableKey}; the id used here is a placeholder.
 *
 * @param client an initialised {@link KmsClient}
 */
public void disableKey(KmsClient client) {
    try {
        DisableKeyRequest request = new DisableKeyRequest();
        // Master key to disable.
        request.setKeyId("your master key id");
        client.disableKey(request);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
删除MasterKey
如下代码可以计划删除MasterKey。等待删除的时间最少7天,最多30天,默认30天;密钥会在到达指定时间后的24小时内被删除。
/**
 * Schedules a master key for deletion and prints its id and the scheduled deletion date.
 *
 * <p>The pending window is 8 days here; the accompanying text gives the allowed range
 * as 7 to 30 days (default 30), with the key removed within 24 hours after that date.
 * Once the key is gone, anything encrypted only under it can no longer be decrypted,
 * which is why the window exists — it leaves time for {@code cancelKeyDeletion}.
 *
 * @param client an initialised {@link KmsClient}
 */
public void scheduleKeyDeletion(KmsClient client) {
    // Days to wait before the key is actually deleted (7-30 per the surrounding text).
    final int pendingWindowInDays = 8;
    try {
        ScheduleKeyDeletionRequest request = new ScheduleKeyDeletionRequest();
        // Master key to delete.
        request.setKeyId("your master key id");
        request.setPendingWindowInDays(pendingWindowInDays);
        ScheduleKeyDeletionResponse response = client.scheduleKeyDeletion(request);
        // Key id, then the date on which deletion is scheduled.
        System.out.println(response.getKeyId());
        System.out.println(response.getDeletionDate().toString());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
取消删除MasterKey
如下代码可以取消对MasterKey的删除操作
/**
 * Cancels a pending deletion of a master key.
 *
 * <p>Only meaningful while the key is inside the pending window set by
 * {@code scheduleKeyDeletion}. The key id is a placeholder.
 *
 * @param client an initialised {@link KmsClient}
 */
public void cancelKeyDeletion(KmsClient client) {
    try {
        CancelKeyDeletionRequest request = new CancelKeyDeletionRequest();
        // Master key whose scheduled deletion is to be cancelled.
        request.setKeyId("your master key id");
        client.cancelKeyDeletion(request);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
获取MasterKey详细信息
如下代码可以获取MasterKey的详细信息
/**
 * Fetches the metadata of a master key and prints each field on its own line.
 *
 * <p>Printed in order: key id, creation date, key state (enabled/disabled), description,
 * key usage, region, deletion date, origin, key spec and protection level. The key id
 * in the request is a placeholder.
 *
 * @param client an initialised {@link KmsClient}
 */
public void describeKey(KmsClient client) {
    try {
        DescribeKeyRequest request = new DescribeKeyRequest();
        // Master key to describe.
        request.setKeyId("your master key id");
        DescribeKeyResponse response = client.describeKey(request);
        // Each println below prints one metadata field, in the order listed above.
        System.out.println(response.getKeyMetadata().getKeyId());
        System.out.println(response.getKeyMetadata().getCreationDate().toString());
        System.out.println(response.getKeyMetadata().getKeyState());      // enabled / disabled
        System.out.println(response.getKeyMetadata().getDescription());
        System.out.println(response.getKeyMetadata().getKeyUsage());
        System.out.println(response.getKeyMetadata().getRegion());
        System.out.println(response.getKeyMetadata().getDeletionDate());  // set only once deletion is scheduled — TODO confirm
        System.out.println(response.getKeyMetadata().getOrigin());
        System.out.println(response.getKeyMetadata().getKeySpec());
        System.out.println(response.getKeyMetadata().getProtectedBy());   // protection level
    } catch (BceServiceException e) {
        // Error reported by the KMS service.
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        // Error raised by the SDK client itself.
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
获取导入密钥参数
如下代码可以获取导入密钥参数
/**
 * Fetches the parameters needed to import key material into a master key and prints them.
 *
 * <p>The response holds an import token, the key id, a public key (requested in base64
 * encoding) and the time until which the token is valid. NOTE(review): the token and
 * public key are presumably what the import calls consume (their importToken and
 * encrypted-key fields) — confirm with the SDK docs; since the token expires, the
 * import has to complete before {@code getTokenValidTill}.
 *
 * @param client an initialised {@link KmsClient}
 */
public void getParametersForImport(KmsClient client) {
    try {
        System.out.println("__________getParametersForImport_______");
        GetParametersForImportRequest request = new GetParametersForImportRequest();
        // Master key that will receive the imported material.
        request.setKeyId("your master key id");
        // Ask for the wrapping public key in base64.
        request.setPublicKeyEncoding(Constants.PublicKeyEncoding.BASE64.toString());
        GetParametersForImportResponse response = client.getParametersForImport(request);
        // Import token, key id, public key, token expiry.
        System.out.println(response.getImportToken());
        System.out.println(response.getKeyId());
        System.out.println(response.getPublicKey());
        System.out.println(response.getTokenValidTill());
    } catch (BceServiceException e) {
        // Error reported by the KMS service.
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        // Error raised by the SDK client itself.
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
导入对称密钥
如下代码可以导入对称密钥
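/**
 * Imports externally generated symmetric key material into a master key.
 *
 * <p>The request carries the key id, the encrypted key material, the import token,
 * the key spec ({@code AES_128}) and the key usage ({@code ENCRYPT_DECRYPT}). All values
 * are placeholders. NOTE(review): the encrypted key is presumably the material wrapped
 * with the public key returned by {@code getParametersForImport}, and the token the one
 * from the same call — confirm with the SDK docs. Never paste raw key material into
 * the source; the field expects the already-encrypted form.
 *
 * <p>The original sample assigned the call's result to an unused local; the result is
 * now discarded explicitly since nothing in it is read.
 *
 * @param client an initialised {@link KmsClient}
 */
public void importKey(KmsClient client) {
    try {
        System.out.println("__________importKey_______");
        ImportKeyRequest request = new ImportKeyRequest();
        // Master key that receives the material.
        request.setKeyId("your master key id");
        // Key material in its wrapped (encrypted) form only.
        request.setEncryptedKey("your encryped key");
        // Token issued for this import.
        request.setImportToken("your token");
        request.setKeySpec(Constants.KeySpec.AES_128.toString());
        request.setKeyUsage("ENCRYPT_DECRYPT");
        // Nothing in the response is used here; exceptions signal failure.
        client.importKey(request);
    } catch (BceServiceException e) {
        // Error reported by the KMS service.
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        // Error raised by the SDK client itself.
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}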
导入非对称密钥
如下代码可以导入RSA非对称密钥
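/**
 * Imports an externally generated RSA private key into a master key.
 *
 * <p>Each CRT component of the private key (d, dp, dq, p, q, qinv) is supplied
 * already encrypted under the caller's key-encryption key and base64-encoded, together
 * with the DER public key, the wrapped key-encryption key and the import token. All
 * values are placeholders; never put unencrypted private-key components in source.
 *
 * <p>Fixes relative to the original sample: the debug label said {@code importKey}
 * (copy-paste from the symmetric sample) and the call's result was assigned to an
 * unused local. NOTE(review): the sample uses {@code RSA_1024}; 1024-bit RSA is below
 * the commonly recommended minimum of 2048 bits, so prefer a larger spec if the SDK
 * offers one.
 *
 * @param client an initialised {@link KmsClient}
 */
public void importAsymmetricKey(KmsClient client) {
    try {
        System.out.println("__________importAsymmetricKey_______");
        ImportAsymmetricKeyRequest request = new ImportAsymmetricKeyRequest();
        // Master key that receives the material.
        request.setKeyId("your master key id");
        // Key spec: 1024-bit RSA is weak by current standards — see the class comment.
        request.setAsymmetricKeySpec(Constants.KeySpec.RSA_1024.toString());
        request.setAsymmetricKeyUsage("ENCRYPT_DECRYPT");
        // The key-encryption key, itself wrapped for transport.
        request.setEncryptedKeyEncryptionKey("your EncryptedKey by EncryptionKey");

        // Private-key CRT components, each encrypted under the key-encryption key and base64-encoded.
        EncryptedRsaKey privateKeyParts = new EncryptedRsaKey();
        privateKeyParts.setEncryptedD("your D encrypted by your EncryptedKey then base64 encode");
        privateKeyParts.setEncryptedDp("your Dp encrypted by your EncryptedKey then base64 encode");
        privateKeyParts.setEncryptedDq("your Dq encrypted by your EncryptedKey then base64 encode");
        privateKeyParts.setEncryptedP("your p encrypted by your EncryptedKey then base64 encode");
        privateKeyParts.setEncryptedQ("your Q encrypted by your EncryptedKey then base64 encode");
        privateKeyParts.setEncryptedQinv("your Qinv encrypted by your EncryptedKey then base64 encode");
        // Public half, DER-encoded (base64 per the original placeholder text).
        privateKeyParts.setPublicKeyDer("your publickey encrypted by base64");
        request.setEncryptedRsaKey(privateKeyParts);

        // Token issued for this import.
        request.setImportToken("your token");
        // Nothing in the response is used here; exceptions signal failure.
        client.importAsymmetricKey(request);
    } catch (BceServiceException e) {
        // Error reported by the KMS service.
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        // Error raised by the SDK client itself.
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}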
配置masterKey轮转间隔时间
如下代码可以配置 master key 轮转间隔时间
/**
 * Updates the automatic rotation interval of a master key.
 *
 * <p>The request constructor takes the key id and the rotation period in days:
 * 0 disables rotation, any other value must be in 7-365 (per the SDK sample).
 * The key id is a placeholder.
 *
 * @param client an initialised {@link KmsClient}
 */
public void updateRotateKey(KmsClient client) {
    // Rotation period in days; 0 = off, otherwise 7-365.
    final int rotationDays = 360;
    try {
        UpdateRotationRequest request = new UpdateRotationRequest("your master key id", rotationDays);
        // Apply the new rotation interval.
        client.updateRotateKey(request);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}