密钥管理服务KMS

    密钥管理

    创建MasterKey

    如下代码可以创建MasterKey,返回MasterKeyId,创建时间等等。

    /**
     * Creates a new master key and prints its id and creation date.
     *
     * <p>The five constructor arguments, in order: a free-text value
     * ({@code "Orville"}, presumably the key description that
     * {@code describeKey} later reads back), the protection level
     * ({@code SOFTWARE}), the key usage ({@code "ENCRYPT_DECRYPT"}), the key
     * spec ({@code AES_128}) and the key origin ({@code BAIDU_KMS}). Every
     * failure branch only prints the exception message; the service error
     * type typically carries more detail (see the exception-handling chapter).
     *
     * @param client an initialised {@link KmsClient}
     */
    public void createKey(KmsClient client) {
        java.io.PrintStream out = System.out;
        try {
            String description = "Orville";
            String protectedBy = Constants.ProtectedBy.SOFTWARE.toString();
            String keyUsage = "ENCRYPT_DECRYPT";
            String keySpec = Constants.KeySpec.AES_128.toString();
            String origin = Constants.Origin.BAIDU_KMS.toString();
            CreateKeyRequest request =
                    new CreateKeyRequest(description, protectedBy, keyUsage, keySpec, origin);
            // The response carries the metadata of the key that was just created.
            CreateKeyResponse response = client.createKey(request);
            out.println(response.getKeyMetadata().getKeyId());
            out.println(response.getKeyMetadata().getCreationDate());
        } catch (BceServiceException e) {
            // Error response returned by the service.
            out.println(e.getMessage());
        } catch (BceClientException e) {
            // Failure raised on the client side before a response was obtained.
            out.println(e.getMessage());
        } catch (Exception e) {
            out.println(e.getMessage());
        }
    }

    列举MasterKey

    使用如下代码可以列举出该账号所创建的MasterKey

    /**
     * Lists the master keys owned by this account and prints each key id.
     *
     * <p>Only one page is requested: the limit is 100 and the marker is the
     * empty string, i.e. start from the beginning. The sample does not follow
     * a continuation marker, so an account with more keys than the limit will
     * not see all of them here; consult the response for the next-page marker
     * if a complete listing is needed.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void listKeys(KmsClient client) {
        try {
            ListKeysRequest request = new ListKeysRequest();
            request.setMarker("");  // begin at the first key
            request.setLimit(100);  // page size
            ListKeysResponse response = client.listKeys(request);
            for (ListKeysResponse.Key entry : response.getKeys()) {
                System.out.println(entry.getKeyId());
            }
        } catch (BceServiceException e) {
            // Error response returned by the service.
            System.out.println(e.getMessage());
        } catch (BceClientException e) {
            // Failure raised on the client side before a response was obtained.
            System.out.println(e.getMessage());
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }

    加密数据

    如下代码可以对原文进行加密

    /**
     * Encrypts a small piece of data under a master key and prints the
     * ciphertext together with the id of the key that was used.
     *
     * <p>The plaintext must be base64-encoded before it is placed in the
     * request; the sample literal is the base64 form of a short ASCII
     * sentence. Replace {@code "your Master Key Id"} with a real key id.
     * For bulk data the usual pattern is to encrypt locally with a data key
     * from {@code generateDataKey} and let KMS protect only that key.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void encrypt(KmsClient client) {
        String keyId = "your Master Key Id";
        String base64Plaintext = "Q2FybFN1biBpcyBnZW5pdXMh";
        try {
            EncryptRequest request = new EncryptRequest();
            request.setPlaintext(base64Plaintext);
            request.setKeyId(keyId);
            EncryptResponse response = client.encrypt(request);
            System.out.println(response.getCiphertext());
            System.out.println(response.getKeyId());
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }

    解密数据

    如下代码对密文进行解密

    /**
     * Decrypts a ciphertext produced by {@code encrypt} and prints the key id
     * and the recovered plaintext.
     *
     * <p>The plaintext is printed here purely for demonstration; in real code
     * it is secret material and should not be written to stdout or logs.
     * It is presumably returned base64-encoded, mirroring the input format
     * of {@code encrypt} — confirm against the API reference.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void decrypt(KmsClient client) {
        String keyId = "your Master Key Id";
        String ciphertext = "your ciphertext";
        try {
            DecryptRequest request = new DecryptRequest();
            request.setCiphertext(ciphertext);
            request.setKeyId(keyId);
            DecryptResponse response = client.decrypt(request);
            System.out.println(response.getKeyId());
            // Demo only: never log recovered plaintext in production.
            System.out.println(response.getPlaintext());
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }

    生成Datakey

    如下代码可以生成DataKey的原文和密文

    /**
     * Requests a data key under a master key and prints both the wrapped
     * (ciphertext) and the plaintext form.
     *
     * <p>Envelope-encryption usage: keep the ciphertext next to the data it
     * protects and hand it back to {@code decrypt} when the plaintext key is
     * needed again; use the plaintext key in memory only and discard it. It
     * is printed here purely for demonstration and must not be logged in
     * real code.
     *
     * <p>NOTE(review): the sample sets both a key spec ({@code AES_256}, a
     * 32-byte key) and a byte count of 20, which disagree. Which one the
     * service honours is not visible here — verify against the API reference
     * and set only the one you mean.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void generateDataKey(KmsClient client) {
        java.io.PrintStream out = System.out;
        try {
            GenerateDataKeyRequest request = new GenerateDataKeyRequest();
            request.setKeyId("your master key id");
            request.setNumberOfBytes(20);                   // plaintext length in bytes
            request.setKeySpec(Constants.KeySpec.AES_256);  // data key spec
            GenerateDataKeyResponse response = client.generateDataKey(request);
            out.println(response.getCiphertext());  // wrapped data key: safe to store
            out.println(response.getKeyId());
            out.println(response.getPlaintext());   // demo only: secret material
        } catch (Exception e) {
            out.println(e.getMessage());
        }
    }

    使MasterKey处于可用状态

    如下代码可以enable master key

    /**
     * Puts a master key back into the enabled state.
     *
     * <p>The request takes the key id in its constructor. The call returns
     * nothing the sample uses; failures are reported via the printed message.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void enableKey(KmsClient client) {
        try {
            client.enableKey(new EnableKeyRequest("your master key id"));
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }

    使MasterKey处于不可用状态

    如下代码可以disable master key

    /**
     * Puts a master key into the disabled state.
     *
     * <p>Here the key id is supplied via a setter rather than the constructor
     * used by {@code enableKey}. Disabling is reversible with {@code enableKey};
     * it is the usual first step when a key is suspected to be compromised.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void disableKey(KmsClient client) {
        DisableKeyRequest request = new DisableKeyRequest();
        request.setKeyId("your master key id");
        try {
            client.disableKey(request);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }

    删除MasterKey

    如下代码可以计划删除MasterKey。等待删除的时间最少7天,最多30天,默认30天;到达指定时间后的24小时内完成删除。

    /**
     * Schedules a master key for deletion and prints the key id and the date
     * at which the deletion takes effect.
     *
     * <p>The pending window (8 days here) must lie within the 7–30 day range
     * described on this page. Data encrypted under the key becomes
     * unrecoverable once it is deleted, so the window exists to allow
     * {@code cancelKeyDeletion} while the key is still pending.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void scheduleKeyDeletion(KmsClient client) {
        java.io.PrintStream out = System.out;
        try {
            ScheduleKeyDeletionRequest request = new ScheduleKeyDeletionRequest();
            request.setKeyId("your master key id");
            request.setPendingWindowInDays(8);  // days before the key is removed
            ScheduleKeyDeletionResponse response = client.scheduleKeyDeletion(request);
            out.println(response.getKeyId());
            out.println(response.getDeletionDate().toString());
        } catch (Exception e) {
            out.println(e.getMessage());
        }
    }

    取消删除MasterKey

    如下代码可以取消对MasterKey的删除操作

    /**
     * Cancels a deletion previously scheduled with {@code scheduleKeyDeletion}.
     *
     * <p>Only meaningful while the key is still inside its pending window.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void cancelKeyDeletion(KmsClient client) {
        CancelKeyDeletionRequest request = new CancelKeyDeletionRequest();
        request.setKeyId("your master key id");
        try {
            client.cancelKeyDeletion(request);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }

    获取MasterKey详细信息

    如下代码可以获取MasterKey的详细信息

    /**
     * Fetches the metadata of a master key and prints each field on its own
     * line: id, creation date, state (enabled/disabled), description, usage,
     * region, scheduled deletion date, origin, key spec and protection level.
     *
     * <p>The creation date is printed through {@code toString()}, so a
     * missing creation date would surface as an exception message rather
     * than the literal {@code null} the other fields would print.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void describeKey(KmsClient client) {
        java.io.PrintStream out = System.out;
        DescribeKeyRequest request = new DescribeKeyRequest();
        request.setKeyId("your master key id");
        try {
            DescribeKeyResponse response = client.describeKey(request);
            out.println(response.getKeyMetadata().getKeyId());
            out.println(response.getKeyMetadata().getCreationDate().toString());
            out.println(response.getKeyMetadata().getKeyState());     // enabled / disabled
            out.println(response.getKeyMetadata().getDescription());
            out.println(response.getKeyMetadata().getKeyUsage());
            out.println(response.getKeyMetadata().getRegion());
            out.println(response.getKeyMetadata().getDeletionDate()); // set when deletion is pending
            out.println(response.getKeyMetadata().getOrigin());
            out.println(response.getKeyMetadata().getKeySpec());
            out.println(response.getKeyMetadata().getProtectedBy());  // protection level
        } catch (BceServiceException e) {
            // Error response returned by the service.
            out.println(e.getMessage());
        } catch (BceClientException e) {
            // Failure raised on the client side before a response was obtained.
            out.println(e.getMessage());
        } catch (Exception e) {
            out.println(e.getMessage());
        }
    }

    获取导入密钥参数

    如下代码可以获取导入密钥参数

    /**
     * Retrieves the material needed to import your own key material into an
     * existing master key: an import token, the key id, a public key (base64
     * encoded, per the requested encoding) and the token's expiry.
     *
     * <p>The public key is presumably what wraps the key material passed to
     * {@code importKey} / {@code importAsymmetricKey}; the token must be
     * presented before {@code getTokenValidTill} passes. Treat the token as
     * sensitive — it is printed here for demonstration only.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void getParametersForImport(KmsClient client) {
        java.io.PrintStream out = System.out;
        try {
            out.println("__________getParametersForImport_______");
            GetParametersForImportRequest request = new GetParametersForImportRequest();
            request.setPublicKeyEncoding(Constants.PublicKeyEncoding.BASE64.toString());
            request.setKeyId("your master key id");
            GetParametersForImportResponse response = client.getParametersForImport(request);
            out.println(response.getImportToken());   // one-time import token
            out.println(response.getKeyId());
            out.println(response.getPublicKey());     // wrapping key, base64 encoded
            out.println(response.getTokenValidTill()); // token expiry
        } catch (BceServiceException e) {
            // Error response returned by the service.
            out.println(e.getMessage());
        } catch (BceClientException e) {
            // Failure raised on the client side before a response was obtained.
            out.println(e.getMessage());
        } catch (Exception e) {
            out.println(e.getMessage());
        }
    }

    导入对称密钥

    如下代码可以导入对称密钥

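    /**
     * Imports externally generated symmetric key material into a master key.
     *
     * <p>The encrypted key and the import token come from a prior
     * {@code getParametersForImport} call; the key material is expected
     * already wrapped, never in the clear. The key spec ({@code AES_128}) and
     * usage ({@code "ENCRYPT_DECRYPT"}) must match the target key.
     *
     * <p>The response is not inspected by this sample, so it is not kept in
     * a local; success is simply the absence of an exception.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void importKey(KmsClient client) {
        try {
            System.out.println("__________importKey_______");
            ImportKeyRequest request = new ImportKeyRequest();
            request.setKeyId("your master key id");
            // Key material wrapped with the public key from getParametersForImport.
            request.setEncryptedKey("your encryped key");
            request.setImportToken("your token");
            request.setKeySpec(Constants.KeySpec.AES_128.toString());
            request.setKeyUsage("ENCRYPT_DECRYPT");
            // Return value intentionally discarded: the sample does not read it.
            client.importKey(request);
        } catch (BceServiceException e) {
            // Error response returned by the service.
            System.out.println(e.getMessage());
        } catch (BceClientException e) {
            // Failure raised on the client side before a response was obtained.
            System.out.println(e.getMessage());
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }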

    导入非对称密钥

    如下代码可以导入RSA非对称密钥

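    /**
     * Imports an externally generated RSA key pair into a master key.
     *
     * <p>Each private-key component (D, P, Q, Dp, Dq, Qinv) is supplied
     * encrypted under a symmetric encryption key and then base64-encoded; that
     * encryption key is itself supplied wrapped ({@code setEncryptedKeyEncryptionKey}),
     * presumably with the public key from {@code getParametersForImport}. The
     * public key is a base64-encoded DER blob (encoded, not encrypted). None
     * of the private components should ever appear in the clear in source or
     * logs.
     *
     * <p>NOTE(review): {@code RSA_1024} is below current guidance (NIST
     * recommends at least 2048-bit RSA); prefer a larger spec if the service
     * offers one.
     *
     * <p>The trace label previously read {@code importKey}, copied from the
     * symmetric sample; it now names this method. The response is not
     * inspected, so it is not kept in a local.
     *
     * @param client an initialised {@link KmsClient}
     */
    public void importAsymmetricKey(KmsClient client) {
        try {
            System.out.println("__________importAsymmetricKey_______");
            ImportAsymmetricKeyRequest request = new ImportAsymmetricKeyRequest();
            request.setKeyId("your master key id");
            request.setAsymmetricKeySpec(Constants.KeySpec.RSA_1024.toString());
            request.setAsymmetricKeyUsage("ENCRYPT_DECRYPT");
            // The symmetric key that protects the RSA components, itself wrapped.
            request.setEncryptedKeyEncryptionKey("your EncryptedKey by EncryptionKey");
            EncryptedRsaKey rsaKey = new EncryptedRsaKey();
            // Private components: encrypt with the encryption key, then base64.
            rsaKey.setEncryptedD("your D encrypted by your EncryptedKey then base64 encode");
            rsaKey.setEncryptedDp("your Dp encrypted by your EncryptedKey then base64 encode");
            rsaKey.setEncryptedDq("your Dq encrypted by your EncryptedKey then base64 encode");
            rsaKey.setEncryptedP("your p encrypted by your EncryptedKey then base64 encode");
            rsaKey.setEncryptedQ("your Q encrypted by your EncryptedKey then base64 encode");
            rsaKey.setEncryptedQinv("your Qinv encrypted by your EncryptedKey then base64 encode");
            // Public key: DER, base64-encoded (no encryption needed for the public half).
            rsaKey.setPublicKeyDer("your publickey encrypted by base64");
            request.setEncryptedRsaKey(rsaKey);
            request.setImportToken("your token");
            // Return value intentionally discarded: the sample does not read it.
            client.importAsymmetricKey(request);
        } catch (BceServiceException e) {
            // Error response returned by the service.
            System.out.println(e.getMessage());
        } catch (BceClientException e) {
            // Failure raised on the client side before a response was obtained.
            System.out.println(e.getMessage());
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }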