密钥管理
更新时间:2022-03-30
创建MasterKey
如下代码可以创建MasterKey,返回MasterKeyId,创建时间等等。
Plain Text
/**
 * Creates a software-protected, AES-128, ENCRYPT_DECRYPT master key whose
 * material is generated by the service, with a 100-day rotation period, and
 * prints the new key's id and creation date.
 *
 * @param client the KMS client used to issue the request
 */
public void createKey(KmsClient client) {
    try {
        final String description = "[DESCRIPTION]";                          // free-text key description
        final String protectedBy = Constants.ProtectedBy.SOFTWARE.toString(); // protection level of the key
        final String keyUsage = "ENCRYPT_DECRYPT";                            // usage scenario
        final String keySpec = Constants.KeySpec.AES_128.toString();          // key algorithm / size
        final String origin = Constants.Origin.BAIDU_KMS.toString();          // key material generated by KMS
        final int rotationDays = 100;                                         // 0 disables rotation, otherwise 7-365

        CreateKeyRequest request = new CreateKeyRequest(
                description, protectedBy, keyUsage, keySpec, origin, rotationDays);
        CreateKeyResponse response = client.createKey(request);

        // The key id from the metadata is what every later request (encrypt,
        // describe, delete, ...) is addressed with.
        System.out.println(response.getKeyMetadata().getKeyId());
        System.out.println(response.getKeyMetadata().getCreationDate());
    } catch (BceServiceException e) {
        // Sample only reports the failure; callers in real code would propagate it with its cause.
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
列举MasterKey
使用如下代码可以列举出该账号所创建的MasterKey
Plain Text
/**
 * Lists the master keys of the account, starting at an empty marker and
 * limited to 100 entries, and prints the id of each returned key.
 *
 * <p>Only the first page is fetched; the sample does not loop over further pages.
 *
 * @param client the KMS client used to issue the request
 */
public void listKeys(KmsClient client) {
    try {
        ListKeysRequest request = new ListKeysRequest();
        request.setLimit(100);   // upper bound on the number of key ids returned
        request.setMarker("");   // empty marker: begin with the first key

        ListKeysResponse response = client.listKeys(request);
        List<ListKeysResponse.Key> page = response.getKeys();
        for (int idx = 0; idx < page.size(); idx++) {
            System.out.println(page.get(idx).getKeyId());
        }
    } catch (BceServiceException e) {
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
加密数据
如下代码可以对原文进行加密
Plain Text
/**
 * Encrypts a base64-encoded plaintext under the given master key and prints
 * the ciphertext followed by the key id echoed back by the service.
 *
 * @param client the KMS client used to issue the request
 */
public void encrypt(KmsClient client) {
    try {
        EncryptRequest request = new EncryptRequest();
        request.setKeyId("your Master Key Id");
        // The plaintext field MUST already be base64 encoded; raw bytes are not accepted here.
        request.setPlaintext("Q2FybFN1biBpcyBnZW5pdXMh");

        EncryptResponse response = client.encrypt(request);
        System.out.println(response.getCiphertext());
        System.out.println(response.getKeyId());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
解密数据
如下代码对密文进行解密
Plain Text
/**
 * Decrypts a ciphertext produced by {@code encrypt} under the given master
 * key and prints the key id followed by the recovered plaintext.
 *
 * @param client the KMS client used to issue the request
 */
public void decrypt(KmsClient client) {
    try {
        DecryptRequest request = new DecryptRequest();
        request.setKeyId("your Master Key Id");
        request.setCiphertext("your ciphertext");

        DecryptResponse response = client.decrypt(request);
        System.out.println(response.getKeyId());
        // Recovered plaintext; in real code keep it in memory rather than writing it to a log.
        System.out.println(response.getPlaintext());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
生成Datakey
如下代码可以生成DataKey的原文和密文
Plain Text
/**
 * Asks KMS to generate a data key under the given master key and prints the
 * wrapped (ciphertext) data key, the master key id, and the plaintext data key.
 *
 * <p>The plaintext printed last is raw key material: in real code it is used
 * in memory and then discarded, while only the ciphertext is persisted and
 * later unwrapped with {@code decrypt}.
 *
 * @param client the KMS client used to issue the request
 */
public void generateDataKey(KmsClient client) {
    try {
        GenerateDataKeyRequest request = new GenerateDataKeyRequest();
        request.setKeyId("your master key id");
        // Both a key spec and an explicit byte count are set, as in the original sample.
        // NOTE(review): which of the two determines the length is not shown here — confirm with the API reference.
        request.setKeySpec(Constants.KeySpec.AES_256);
        request.setNumberOfBytes(20);

        GenerateDataKeyResponse response = client.generateDataKey(request);
        System.out.println(response.getCiphertext());  // wrapped data key, safe to store
        System.out.println(response.getKeyId());       // master key it was wrapped with
        System.out.println(response.getPlaintext());   // secret key material
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
使MasterKey处于可用状态
如下代码可以enable master key
Plain Text
/**
 * Enables the given master key so it can be used for cryptographic operations again.
 *
 * @param client the KMS client used to issue the request
 */
public void enableKey(KmsClient client) {
    try {
        // The request carries only the master key id.
        client.enableKey(new EnableKeyRequest("your master key id"));
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
使MasterKey处于不可用状态
如下代码可以disable master key
Plain Text
/**
 * Disables the given master key so it can no longer be used for
 * cryptographic operations until it is enabled again.
 *
 * @param client the KMS client used to issue the request
 */
public void disableKey(KmsClient client) {
    try {
        DisableKeyRequest request = new DisableKeyRequest();
        request.setKeyId("your master key id");   // master key to disable
        client.disableKey(request);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
删除MasterKey
如下代码可以删除MasterKey,等待删除的时间,最少7天,最多30天,默认30天。会在到达指定时间后的24小时内删除
Plain Text
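/**
 * Schedules the given master key for deletion after a pending window and
 * prints the key id and the scheduled deletion date.
 *
 * <p>The pending window is 7–30 days (default 30); the key is removed within
 * 24 hours after the window elapses. The pending window is the only chance
 * to call {@code cancelKeyDeletion}.
 *
 * @param client the KMS client used to issue the request
 */
public void scheduleKeyDeletion(KmsClient client) {
    try {
        ScheduleKeyDeletionRequest request = new ScheduleKeyDeletionRequest();
        request.setPendingWindowInDays(8);         // days to wait before deletion, 7-30
        request.setKeyId("your master key id");    // master key to delete

        ScheduleKeyDeletionResponse response = client.scheduleKeyDeletion(request);
        System.out.println(response.getKeyId());
        // println stringifies the date itself; the explicit toString() would NPE if the
        // service ever returned no date.
        System.out.println(response.getDeletionDate());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}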
取消删除MasterKey
如下代码可以取消对MasterKey的删除操作
Plain Text
/**
 * Cancels a pending deletion of the given master key while it is still in
 * its pending window.
 *
 * @param client the KMS client used to issue the request
 */
public void cancelKeyDeletion(KmsClient client) {
    try {
        CancelKeyDeletionRequest request = new CancelKeyDeletionRequest();
        request.setKeyId("your master key id");   // master key whose deletion is cancelled
        client.cancelKeyDeletion(request);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
获取MasterKey详细信息
如下代码可以获取MasterKey的详细信息
Plain Text
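/**
 * Fetches the metadata of the given master key and prints each field:
 * id, creation date, state (enabled/disabled), description, usage, region,
 * scheduled deletion date, origin, key spec and protection level.
 *
 * @param client the KMS client used to issue the request
 */
public void describeKey(KmsClient client) {
    try {
        DescribeKeyRequest request = new DescribeKeyRequest();
        request.setKeyId("your master key id");   // master key to describe

        DescribeKeyResponse response = client.describeKey(request);
        System.out.println(response.getKeyMetadata().getKeyId());
        // println stringifies the date itself, so no explicit toString() is needed;
        // this also matches how the deletion date below is printed.
        System.out.println(response.getKeyMetadata().getCreationDate());
        System.out.println(response.getKeyMetadata().getKeyState());
        System.out.println(response.getKeyMetadata().getDescription());
        System.out.println(response.getKeyMetadata().getKeyUsage());
        System.out.println(response.getKeyMetadata().getRegion());
        // Deletion date is only meaningful for a key with a pending deletion; printed as-is otherwise.
        System.out.println(response.getKeyMetadata().getDeletionDate());
        System.out.println(response.getKeyMetadata().getOrigin());
        System.out.println(response.getKeyMetadata().getKeySpec());
        System.out.println(response.getKeyMetadata().getProtectedBy());
    } catch (BceServiceException e) {
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}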
获取导入密钥参数
如下代码可以获取导入密钥参数
Plain Text
/**
 * Retrieves the parameters needed to import key material into the given
 * master key: an import token, the key id, the public wrapping key (base64)
 * and the token's expiry. The token and public key are then passed to
 * {@code importKey} / {@code importAsymmetricKey}.
 *
 * @param client the KMS client used to issue the request
 */
public void getParametersForImport(KmsClient client) {
    try {
        System.out.println("__________getParametersForImport_______");

        GetParametersForImportRequest request = new GetParametersForImportRequest();
        request.setKeyId("your master key id");
        // Ask for the wrapping public key in base64 form.
        request.setPublicKeyEncoding(Constants.PublicKeyEncoding.BASE64.toString());

        GetParametersForImportResponse response = client.getParametersForImport(request);
        System.out.println(response.getImportToken());    // one-time token for the import call
        System.out.println(response.getKeyId());
        System.out.println(response.getPublicKey());      // public key used to wrap the material
        System.out.println(response.getTokenValidTill()); // the token must be used before this time
    } catch (BceServiceException e) {
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
导入对称密钥
如下代码可以导入对称密钥
Plain Text
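/**
 * Imports symmetric key material into the given master key.
 *
 * <p>The encrypted key is the material wrapped with the public key returned by
 * {@code getParametersForImport}, and the import token comes from the same
 * call. The response of the import call is not used, so it is no longer bound
 * to a local.
 *
 * @param client the KMS client used to issue the request
 */
public void importKey(KmsClient client) {
    try {
        System.out.println("__________importKey_______");

        ImportKeyRequest request = new ImportKeyRequest();
        request.setKeyId("your master key id");
        request.setEncryptedKey("your encryped key");   // key material wrapped with the import public key
        request.setImportToken("your token");           // token from getParametersForImport
        request.setKeySpec(Constants.KeySpec.AES_128.toString());
        request.setKeyUsage("ENCRYPT_DECRYPT");

        client.importKey(request);
    } catch (BceServiceException e) {
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}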
导入非对称密钥
如下代码可以导入RSA非对称密钥
Plain Text
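/**
 * Imports an RSA key pair into the given master key.
 *
 * <p>Each private-key component (d, dp, dq, p, q, qinv) is encrypted with a
 * caller-chosen key-encryption key and base64 encoded; that key-encryption key
 * is itself wrapped ({@code setEncryptedKeyEncryptionKey}) and the import
 * token comes from {@code getParametersForImport}. The public key is sent as
 * base64 DER.
 *
 * <p>Fixes: the progress banner named {@code importKey} (copied from the
 * symmetric sample); the unused response local is dropped.
 *
 * @param client the KMS client used to issue the request
 */
public void importAsymmetricKey(KmsClient client) {
    try {
        System.out.println("__________importAsymmetricKey_______");

        ImportAsymmetricKeyRequest request = new ImportAsymmetricKeyRequest();
        request.setKeyId("your master key id");
        // NOTE(review): RSA_1024 is what the sample shows; 1024-bit RSA is below
        // current key-size guidance — prefer a larger spec if the service offers one.
        request.setAsymmetricKeySpec(Constants.KeySpec.RSA_1024.toString());
        request.setAsymmetricKeyUsage("ENCRYPT_DECRYPT");
        request.setEncryptedKeyEncryptionKey("your EncryptedKey by EncryptionKey");

        // CRT private-key components, each encrypted then base64 encoded.
        EncryptedRsaKey rsaKey = new EncryptedRsaKey();
        rsaKey.setEncryptedD("your D encrypted by your EncryptedKey then base64 encode");
        rsaKey.setEncryptedDp("your Dp encrypted by your EncryptedKey then base64 encode");
        rsaKey.setEncryptedDq("your Dq encrypted by your EncryptedKey then base64 encode");
        rsaKey.setEncryptedP("your p encrypted by your EncryptedKey then base64 encode");
        rsaKey.setEncryptedQ("your Q encrypted by your EncryptedKey then base64 encode");
        rsaKey.setEncryptedQinv("your Qinv encrypted by your EncryptedKey then base64 encode");
        rsaKey.setPublicKeyDer("your publickey encrypted by base64");
        request.setEncryptedRsaKey(rsaKey);
        request.setImportToken("your token");   // token from getParametersForImport

        client.importAsymmetricKey(request);
    } catch (BceServiceException e) {
        System.out.println(e.getMessage());
    } catch (BceClientException e) {
        System.out.println(e.getMessage());
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}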
配置masterKey轮转间隔时间
如下代码可以配置 master key 轮转间隔时间
Plain Text
/**
 * Sets the automatic rotation interval of the given master key.
 *
 * @param client the KMS client used to issue the request
 */
public void updateRotateKey(KmsClient client) {
    try {
        // Rotation interval in days: 0 disables rotation, otherwise 7-365.
        final int rotationDays = 360;
        UpdateRotationRequest request =
                new UpdateRotationRequest("your master key id", rotationDays);
        // Request the rotation-interval update (this does not enable/disable the key).
        client.updateRotateKey(request);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}