
          密钥管理服务 KMS

          密钥管理

          创建MasterKey

          如下代码可以创建MasterKey，并返回MasterKeyId、创建时间等信息。

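          /**
           * Creates a master key and prints its key id and creation date.
           *
           * <p>The request is built positionally with a description ("Orville"),
           * the SOFTWARE protection level, the usage "ENCRYPT_DECRYPT", the key
           * spec AES_128 and the origin BAIDU_KMS. Any failure is reported by
           * printing the exception message; one handler covers service, client and
           * unexpected errors alike, since they were all handled identically.
           *
           * @param client an initialised KMS client
           */
          public void createKey(KmsClient client) {
              try {
                  CreateKeyRequest createKeyRequest = new CreateKeyRequest(
                          "Orville",
                          Constants.ProtectedBy.SOFTWARE.toString(),
                          "ENCRYPT_DECRYPT",
                          Constants.KeySpec.AES_128.toString(),
                          Constants.Origin.BAIDU_KMS.toString());
                  // Send the create-master-key request.
                  CreateKeyResponse createKeyResponse = client.createKey(createKeyRequest);
                  // Id of the new master key.
                  System.out.println(createKeyResponse.getKeyMetadata().getKeyId());
                  // Creation date of the new master key.
                  System.out.println(createKeyResponse.getKeyMetadata().getCreationDate());
              } catch (Exception e) {
                  // Service, client and any other errors are reported the same way.
                  System.out.println(e.getMessage());
              }
          }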

          列举MasterKey

          使用如下代码可以列举出该账号所创建的MasterKey。

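          /**
           * Lists the master keys of the current account and prints each key id.
           *
           * <p>At most 100 ids are requested with an empty marker (presumably the
           * start of the list — confirm against the API reference); this sample
           * does not page past the first batch. Any failure is reported by printing
           * the exception message; one handler covers service, client and
           * unexpected errors alike, since they were all handled identically.
           *
           * @param client an initialised KMS client
           */
          public void listKeys(KmsClient client) {
              try {
                  ListKeysRequest listKeysRequest = new ListKeysRequest();
                  // Maximum number of key ids to return in this call.
                  listKeysRequest.setLimit(100);
                  // Position marker for the master key id to start from.
                  listKeysRequest.setMarker("");
                  // Send the list request.
                  ListKeysResponse listKeysResponse = client.listKeys(listKeysRequest);
                  // Print every returned master key id.
                  List<ListKeysResponse.Key> keys = listKeysResponse.getKeys();
                  for (ListKeysResponse.Key key : keys) {
                      System.out.println(key.getKeyId());
                  }
              } catch (Exception e) {
                  // Service, client and any other errors are reported the same way.
                  System.out.println(e.getMessage());
              }
          }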

          加密数据

          如下代码可以对原文进行加密

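          /**
           * Encrypts a short message under a master key and prints the ciphertext
           * and the key id.
           *
           * <p>The plaintext field must be Base64 text, so the message is encoded
           * explicitly from its UTF-8 bytes instead of pasting a pre-encoded
           * literal; {@code "CarlSun is genius!"} encodes to
           * {@code Q2FybFN1biBpcyBnZW5pdXMh}, the value the sample used to carry
           * verbatim. Replace the key id placeholder with a real id before running.
           *
           * @param client an initialised KMS client
           */
          public void encrypt(KmsClient client) {
              try {
                  // The API expects Base64-encoded plaintext: encode the UTF-8 bytes explicitly.
                  String plaintextBase64 = java.util.Base64.getEncoder().encodeToString(
                          "CarlSun is genius!".getBytes(java.nio.charset.StandardCharsets.UTF_8));
                  EncryptRequest encryptRequest = new EncryptRequest();
                  encryptRequest.setPlaintext(plaintextBase64);
                  // Id of the master key to encrypt under.
                  encryptRequest.setKeyId("your Master Key Id");
                  // Send the encrypt request.
                  EncryptResponse encryptResponse = client.encrypt(encryptRequest);
                  // Resulting ciphertext.
                  System.out.println(encryptResponse.getCiphertext());
                  // Master key id that was used.
                  System.out.println(encryptResponse.getKeyId());
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }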

          解密数据

          如下代码对密文进行解密

          /**
           * Decrypts a KMS ciphertext and prints the master key id followed by the
           * recovered plaintext.
           *
           * <p>Both placeholders ("your ciphertext", "your Master Key Id") must be
           * replaced with real values. The printed plaintext is presumably Base64,
           * matching the encrypt input — confirm against the API reference. Any
           * failure is reported by printing the exception message.
           *
           * @param client an initialised KMS client
           */
          public void decrypt(KmsClient client) {
              try {
                  DecryptRequest req = new DecryptRequest();
                  // Master key id and ciphertext; the two setters are independent.
                  req.setKeyId("your Master Key Id");
                  req.setCiphertext("your ciphertext");
                  DecryptResponse resp = client.decrypt(req);
                  // Key id first, then the plaintext.
                  System.out.println(resp.getKeyId());
                  System.out.println(resp.getPlaintext());
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }

          生成Datakey

          如下代码可以生成DataKey的原文和密文

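          /**
           * Generates a data key under a master key and prints the wrapped
           * (ciphertext) data key and the master key id.
           *
           * <p>The response also carries the data key in plaintext. That value is
           * secret key material, meant to be used in memory and then discarded, so
           * this sample does not print it — only whether it arrived. The request
           * sets both a key spec (AES_256) and an explicit byte count (20); which
           * one the service honours when they disagree is not visible here —
           * confirm against the API reference and set only the one you need.
           *
           * @param client an initialised KMS client
           */
          public void generateDataKey(KmsClient client) {
              try {
                  GenerateDataKeyRequest generateDataKeyRequest = new GenerateDataKeyRequest();
                  // Master key the data key is wrapped with.
                  generateDataKeyRequest.setKeyId("your master key id");
                  // Requested data key length as a key spec ...
                  generateDataKeyRequest.setKeySpec(Constants.KeySpec.AES_256);
                  // ... and as an explicit number of plaintext bytes (see the Javadoc about the overlap).
                  generateDataKeyRequest.setNumberOfBytes(20);
                  // Send the generate-data-key request.
                  GenerateDataKeyResponse generateDataKeyResponse = client.generateDataKey(generateDataKeyRequest);
                  // Wrapped (ciphertext) data key.
                  System.out.println(generateDataKeyResponse.getCiphertext());
                  // Master key id.
                  System.out.println(generateDataKeyResponse.getKeyId());
                  // Plaintext data key: never write it to stdout or logs; report only its presence.
                  System.out.println(generateDataKeyResponse.getPlaintext() != null
                          ? "plaintext data key received (not printed)"
                          : "no plaintext data key in response");
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }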

          使MasterKey处于可用状态

          如下代码可以启用（enable）MasterKey。

          /**
           * Enables a master key so it can be used again.
           *
           * <p>The key id placeholder must be replaced with a real id. Any failure
           * is reported by printing the exception message.
           *
           * @param client an initialised KMS client
           */
          public void enableKey(KmsClient client) {
              try {
                  // The request takes the master key id in its constructor.
                  client.enableKey(new EnableKeyRequest("your master key id"));
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }

          使MasterKey处于不可用状态

          如下代码可以禁用（disable）MasterKey。

          /**
           * Disables a master key so it can no longer be used.
           *
           * <p>The key id placeholder must be replaced with a real id. Any failure
           * is reported by printing the exception message.
           *
           * @param client an initialised KMS client
           */
          public void disableKey(KmsClient client) {
              try {
                  DisableKeyRequest req = new DisableKeyRequest();
                  // Master key to disable.
                  req.setKeyId("your master key id");
                  client.disableKey(req);
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }

          删除MasterKey

          如下代码可以删除MasterKey。等待删除的时间最少7天，最多30天，默认30天；到达指定时间后的24小时内完成删除。

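          /**
           * Schedules a master key for deletion and prints the key id and the
           * deletion date.
           *
           * <p>The pending window is given in days; the documentation states it
           * ranges from 7 to 30 days (default 30) and that the key is deleted within
           * 24 hours after the window ends. The deletion date is printed via
           * {@code println(Object)} rather than an explicit {@code toString()} so a
           * missing date prints "null" instead of throwing.
           *
           * @param client an initialised KMS client
           */
          public void scheduleKeyDeletion(KmsClient client) {
              try {
                  ScheduleKeyDeletionRequest request = new ScheduleKeyDeletionRequest();
                  // Days to wait before deletion (7..30 per the documentation).
                  request.setPendingWindowInDays(8);
                  // Master key to delete.
                  request.setKeyId("your master key id");
                  // Send the schedule-deletion request.
                  ScheduleKeyDeletionResponse response = client.scheduleKeyDeletion(request);
                  // Master key id.
                  System.out.println(response.getKeyId());
                  // Date the master key will be deleted.
                  System.out.println(response.getDeletionDate());
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }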

          取消删除MasterKey

          如下代码可以取消对MasterKey的删除操作

          /**
           * Cancels a pending deletion of a master key.
           *
           * <p>The key id placeholder must be replaced with a real id. Any failure
           * is reported by printing the exception message.
           *
           * @param client an initialised KMS client
           */
          public void cancelKeyDeletion(KmsClient client) {
              try {
                  CancelKeyDeletionRequest req = new CancelKeyDeletionRequest();
                  // Master key whose scheduled deletion is cancelled.
                  req.setKeyId("your master key id");
                  client.cancelKeyDeletion(req);
              } catch (Exception e) {
                  System.out.println(e.getMessage());
              }
          }

          获取MasterKey详细信息

          如下代码可以获取MasterKey的详细信息

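          /**
           * Fetches the metadata of a master key and prints each field.
           *
           * <p>Dates are printed via {@code println(Object)} rather than an explicit
           * {@code toString()} so an absent date prints "null" instead of throwing
           * (the deletion date is only set for keys scheduled for deletion). Any
           * failure is reported by printing the exception message; one handler
           * covers service, client and unexpected errors alike, since they were all
           * handled identically.
           *
           * @param client an initialised KMS client
           */
          public void describeKey(KmsClient client) {
              try {
                  DescribeKeyRequest request = new DescribeKeyRequest();
                  // Master key to describe.
                  request.setKeyId("your master key id");
                  // Send the describe request.
                  DescribeKeyResponse response = client.describeKey(request);
                  // Master key id.
                  System.out.println(response.getKeyMetadata().getKeyId());
                  // Creation date.
                  System.out.println(response.getKeyMetadata().getCreationDate());
                  // Key state (disabled or enabled).
                  System.out.println(response.getKeyMetadata().getKeyState());
                  // Description.
                  System.out.println(response.getKeyMetadata().getDescription());
                  // Key usage.
                  System.out.println(response.getKeyMetadata().getKeyUsage());
                  // Region the key lives in.
                  System.out.println(response.getKeyMetadata().getRegion());
                  // Scheduled deletion date, if any.
                  System.out.println(response.getKeyMetadata().getDeletionDate());
                  // Key origin.
                  System.out.println(response.getKeyMetadata().getOrigin());
                  // Key spec.
                  System.out.println(response.getKeyMetadata().getKeySpec());
                  // Protection level.
                  System.out.println(response.getKeyMetadata().getProtectedBy());
              } catch (Exception e) {
                  // Service, client and any other errors are reported the same way.
                  System.out.println(e.getMessage());
              }
          }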

          获取导入密钥参数

          如下代码可以获取导入密钥参数

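          /**
           * Fetches the parameters needed to import key material into a master key
           * and prints them: the import token, the key id, the wrapping public key
           * and the token expiry.
           *
           * <p>The public key is requested in Base64 encoding. The import token is
           * time-limited (see the printed validity); treat it as sensitive and pass
           * it only to the matching import call. Any failure is reported by printing
           * the exception message; one handler covers service, client and
           * unexpected errors alike, since they were all handled identically.
           *
           * @param client an initialised KMS client
           */
          public void getParametersForImport(KmsClient client) {
              try {
                  System.out.println("__________getParametersForImport_______");
                  GetParametersForImportRequest request = new GetParametersForImportRequest();
                  // Master key the material will be imported into.
                  request.setKeyId("your master key id");
                  // Encoding of the returned wrapping public key.
                  request.setPublicKeyEncoding(Constants.PublicKeyEncoding.BASE64.toString());
                  GetParametersForImportResponse response = client.getParametersForImport(request);
                  // Import token to pass to the import call.
                  System.out.println(response.getImportToken());
                  System.out.println(response.getKeyId());
                  // Public key used to wrap the key material before import.
                  System.out.println(response.getPublicKey());
                  // Expiry of the import token.
                  System.out.println(response.getTokenValidTill());
              } catch (Exception e) {
                  // Service, client and any other errors are reported the same way.
                  System.out.println(e.getMessage());
              }
          }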

          导入对称密钥

          如下代码可以导入对称密钥

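          /**
           * Imports wrapped symmetric key material into a master key.
           *
           * <p>The encrypted key and the import token come from the
           * get-parameters-for-import step; the plaintext key material itself is
           * never sent. The response carries nothing this sample needs, so it is not
           * kept. Any failure is reported by printing the exception message; one
           * handler covers service, client and unexpected errors alike, since they
           * were all handled identically.
           *
           * @param client an initialised KMS client
           */
          public void importKey (KmsClient client) {
              try {
                  System.out.println("__________importKey_______");
                  ImportKeyRequest request = new ImportKeyRequest();
                  // Master key receiving the material.
                  request.setKeyId("your master key id");
                  // Key material wrapped with the public key from getParametersForImport.
                  request.setEncryptedKey("your encryped key");
                  // Token from getParametersForImport.
                  request.setImportToken("your token");
                  request.setKeySpec(Constants.KeySpec.AES_128.toString());
                  request.setKeyUsage("ENCRYPT_DECRYPT");
                  // Send the import request; the result is not used here.
                  client.importKey(request);
              } catch (Exception e) {
                  // Service, client and any other errors are reported the same way.
                  System.out.println(e.getMessage());
              }
          }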

          导入非对称密钥

          如下代码可以导入RSA非对称密钥

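          /**
           * Imports a wrapped RSA private key into a master key.
           *
           * <p>Each RSA component (d, dp, dq, p, q, qinv) is supplied encrypted with
           * the caller's key-encryption key and Base64-encoded, alongside the
           * key-encryption key itself wrapped for KMS and the DER public key. The
           * banner now names this method (it used to say "importKey"), and the
           * unused response local is dropped. The sample spec is RSA_1024; 1024-bit
           * RSA is below current recommendations, so prefer a longer RSA spec if the
           * SDK's {@code Constants.KeySpec} offers one. Any failure is reported by
           * printing the exception message; one handler covers service, client and
           * unexpected errors alike, since they were all handled identically.
           *
           * @param client an initialised KMS client
           */
          public void importAsymmetricKey (KmsClient client) {
              try {
                  System.out.println("__________importAsymmetricKey_______");
                  ImportAsymmetricKeyRequest request = new ImportAsymmetricKeyRequest();
                  // Master key receiving the material.
                  request.setKeyId("your master key id");
                  request.setAsymmetricKeySpec(Constants.KeySpec.RSA_1024.toString());
                  request.setAsymmetricKeyUsage("ENCRYPT_DECRYPT");
                  // Key-encryption key, itself wrapped for KMS.
                  request.setEncryptedKeyEncryptionKey("your EncryptedKey by EncryptionKey");
                  // RSA private-key components, each encrypted with the key-encryption key and Base64-encoded.
                  EncryptedRsaKey rsaKey = new EncryptedRsaKey();
                  rsaKey.setEncryptedD("your D encrypted by your EncryptedKey then base64 encode");
                  rsaKey.setEncryptedDp("your Dp encrypted by your EncryptedKey then base64 encode");
                  rsaKey.setEncryptedDq("your Dq encrypted by your EncryptedKey then base64 encode");
                  rsaKey.setEncryptedP("your p encrypted by your EncryptedKey then base64 encode");
                  rsaKey.setEncryptedQ("your Q encrypted by your EncryptedKey then base64 encode");
                  rsaKey.setEncryptedQinv("your Qinv encrypted by your EncryptedKey then base64 encode");
                  // DER public key, Base64-encoded.
                  rsaKey.setPublicKeyDer("your publickey encrypted by base64");
                  request.setEncryptedRsaKey(rsaKey);
                  // Token from getParametersForImport.
                  request.setImportToken("your token");
                  // Send the import request; the result is not used here.
                  client.importAsymmetricKey(request);
              } catch (Exception e) {
                  // Service, client and any other errors are reported the same way.
                  System.out.println(e.getMessage());
              }
          }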