密钥管理

更新时间：2022-03-30

创建密钥

如下代码可以创建MasterKey，返回MasterKeyId，创建时间等等。

                Python
                
                kmsClient.create_masterKey("test", protectedby_class.HSM, 
                                    keyspec_class.AES_256, 
                                    origin_class.EXTERNAL,360)

列举MasterKey

                Python
                
                result = kmsClient.list_masterKey(10)
#打印所有密钥keyid
for index in range(len(result.keys)):
            print result.keys[index].key_id

加密数据

Plain Text

1keyId = "xxxxxxx"
2plaintext = base64.b64encode("hellobaby")
3result = kmsClient.encrypt(keyId, plaintext)
4print result.ciphertext

解密数据

Plain Text

1keyId = "xxxxxx"
2ciphertext = "xxxxxxxxxxxxx"
3result = kmsClient.decrypt(keyId, ciphertext)
4print result.plaintext

生成DataKey

Plain Text

1keyId = "xxxxxx"
2kmsClient.generate_dataKey(keyId, keyspec_class.AES_128, 128)

使MasterKey处于可用状态

Plain Text

1keyId = "001f9ef4-0a4b-1333-db42-e79dbd80fd25"
2kmsClient.enable_masterKey(keyId)

使MasterKey处于不可用状态

Plain Text

1keyId = "001f9ef4-0a4b-1333-db42-e79dbd80fd25"
2kmsClient.disable_masterKey(keyId)

删除MasterKey

Plain Text

1keyId = "001f9ef4-0a4b-1333-db42-e79dbd80fd25"
2kmsClient.scheduleDelete_masterKey(keyId, 7)

取消删除MasterKey

Plain Text

1keyId = "001f9ef4-0a4b-1333-db42-e79dbd80fd25"
2kmsClient.cancelDelete_maaterKey(keyId)

获取MasterKey详细信息

Plain Text

1keyId = '001f9ef4-0a4b-1333-db42-e79dbd80fd25'
2result = self.client.describe_masterKey(keyId)
3print result.key_metadata.protected_by

获取导入密钥参数

Plain Text

1keyId = "16f97e43-3bdc-c97d-903f-4d7f2bc5828e"
2publicKeyEncoding = publickeyencoding_class.PEM
3result =  self.client.get_parameters_for_import(keyId, publicKeyEncoding)
4print result.public_key

导入对称密钥

Plain Text

1import base64
2from Crypto.PublicKey import RSA
3from Crypto.Cipher import PKCS1_v1_5
4from Crypto.Cipher import AES
5from Crypto.Util.asn1 import DerSequence
6from Crypto import Random
7# create external key
8result = self.client.create_masterKey("test", protectedby_class.HSM, 
9                                    keyspec_class.AES_128, origin_class.EXTERNAL)
10keyId = str(result.key_metadata.key_id)
11        
12# get import parameter
13publicKeyEncoding = publickeyencoding_class.PEM
14result = self.client.get_parameters_for_import(keyId, publicKeyEncoding)
15pubKey = str(result.public_key)
16importToken = str(result.import_token)
17rsa_pubKey = RSA.importKey(pubKey)
18cipher = PKCS1_v1_5.new(rsa_pubKey)
19aeskey = "1122334455667788"
20encryptedKey = base64.b64encode(cipher.encrypt(aeskey))
21self.client.import_symmetricMasterKey(keyId, importToken, encryptedKey, keySpec="AES_128")

导入非对称密钥

Plain Text

1from Crypto.PublicKey import RSA
2from Crypto.Cipher import PKCS1_v1_5
3from Crypto.Cipher import AES
4from Crypto.Util.asn1 import DerSequence, DerObject
5from Crypto import Random
6
7    def test_import_RSA_1024(self):
8        """
9        test case for import_RSA_1024
10        """
11        # create external key
12        result = self.client.create_masterKey("test", protectedby_class.HSM, 
13                                    keyspec_class.RSA_1024, origin_class.EXTERNAL)
14        keyId = str(result.key_metadata.key_id)
15        
16        # get import parameter
17        publicKeyEncoding = publickeyencoding_class.PEM
18        result = self.client.get_parameters_for_import(keyId, publicKeyEncoding)
19        pubKey = str(result.public_key)
20        importToken = str(result.import_token)
21        rsa_pubKey = RSA.importKey(pubKey)
22        cipher = PKCS1_v1_5.new(rsa_pubKey)
23        #随机生成一对rsa1024密钥
24        random_generator = Random.new().read
25        rsa = RSA.generate(1024, random_generator)
26        print rsa.exportKey()
27        der = DerSequence()
28        der.append(rsa.n)
29        der.append(rsa.e)
30        pub_key = base64.b64encode(der.encode())
31        D = str(hex(rsa.d)[2:-1]).decode("hex")
32        P = str(hex(rsa.p)[2:-1]).decode("hex")
33        Q = str(hex(rsa.q)[2:-1]).decode("hex")
34        Dp = str(hex(rsa.d % (rsa.p - 1))[2:-1]).decode("hex")
35        Dq = str(hex(rsa.d % (rsa.q - 1))[2:-1]).decode("hex")
36        Qinv = str(hex(self.findModReverse(rsa.q, rsa.p))[2:-1]).decode("hex")
37        ##用户自定义aes128密钥
38        encryptedKey  = '1122334455667788'
39        aes_obj = AES.new(encryptedKey, AES.MODE_ECB, Random.new().read(AES.block_size))
40        D_b64 = base64.b64encode(aes_obj.encrypt(D))
41        P_b64 = base64.b64encode(aes_obj.encrypt(P))
42        Q_b64 = base64.b64encode(aes_obj.encrypt(Q))
43        Dp_b64 = base64.b64encode(aes_obj.encrypt(Dp))
44        Dq_b64 = base64.b64encode(aes_obj.encrypt(Dq))
45        Qinv_b64 = base64.b64encode(aes_obj.encrypt(Qinv))
46        encryptedKeyEncryptionKey = base64.b64encode(cipher.encrypt(encryptedKey))
47        self.client.import_asymmetricMasterKey(keyId, importToken, keyspec_class.RSA_1024, encryptedKeyEncryptionKey,
48                                            publicKeyDer=pub_key, encryptedD=D_b64, encryptedP=P_b64,
49                                            encryptedQ=Q_b64, encryptedDp=Dp_b64, encryptedDq=Dq_b64,
50                                            encryptedQinv=Qinv_b64)
51

配置MasterKey轮转周期

Plain Text

1keyId = "001f9ef4-0a4b-1333-db42-e79dbd80fd25"
2kmsClient.updateRotate_masterKey(keyId, 365)

安装SDK工具包

Java-SDK

百度智能云

密钥管理服务 KMS

密钥管理服务 KMS

密钥管理

创建密钥

列举MasterKey

加密数据

解密数据

生成DataKey

使MasterKey处于可用状态

使MasterKey处于不可用状态

删除MasterKey

取消删除MasterKey

获取MasterKey详细信息

获取导入密钥参数

导入对称密钥

导入非对称密钥

配置MasterKey轮转周期