SecretID, SecretKey, and endpoint. The endpoint of KMS is kms.tencentcloudapi.com. For more information, please see the documentation of the specified product.

```bash
pip install tencentcloud-sdk-python
```
GenerateDataKey API to generate a DEK, and the system encrypts data with the plaintext key and stores the ciphertext key and ciphertext on disk.

Decrypt API of KMS, returns the plaintext key, and finally decrypts the ciphertext data with the plaintext key.

The GenerateDataKey API is used to generate a DEK, which is a second-level key generated based on a CMK and used for encrypting and decrypting local data. KMS does not store or manage DEKs; you need to store them yourself.

The KeyId parameter is required for this API. For more information, please see the GenerateDataKey API document.

```python
# -*- coding: utf-8 -*-
import base64

from Crypto.Cipher import AES
from tencentcloud.common import credential
from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
from tencentcloud.kms.v20190118 import kms_client, models


def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
    try:
        credProfile = credential.Credential(secretId, secretKey)
        client = kms_client.KmsClient(credProfile, region)
        return client
    except TencentCloudSDKException as err:
        print(err)
        return None


def GenerateDatakey(client, keyId, keyspec='AES_128'):
    try:
        req = models.GenerateDataKeyRequest()
        req.KeyId = keyId
        req.KeySpec = keyspec
        # Call the `GenerateDataKey` API
        generatedatakeyResp = client.GenerateDataKey(req)
        # The plaintext key needs to be used in the memory, while the ciphertext key is used for persistent storage
        print("DEK cipher=", generatedatakeyResp.CiphertextBlob)
        return generatedatakeyResp
    except TencentCloudSDKException as err:
        print(err)


def AddTo16(value):
    # Encode first so the padding is computed on bytes, then zero-pad to the AES block size
    data = value.encode()
    while len(data) % 16 != 0:
        data += b'\0'
    return data


# User-defined logic. The example here is for reference only.
# ECB with zero padding reveals repeated plaintext blocks and gives no integrity protection.
def LocalEncrypt(dataKey="", plaintext=""):
    aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
    encryptedData = aes.encrypt(AddTo16(plaintext))
    ciphertext = base64.b64encode(encryptedData).decode()
    print("plaintext=", plaintext, ", cipher=", ciphertext)


if __name__ == '__main__':
    # User-defined parameters
    secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    region = "ap-guangzhou"
    keyId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    keySpec = "AES_256"
    plaintext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    client = KmsInit(region, secretId, secretKey)
    rsp = GenerateDatakey(client, keyId, keySpec)
    LocalEncrypt(rsp.Plaintext, plaintext)
```
Decrypt API to decrypt the ciphertext key, and then decrypt data through the decrypted plaintext key.

The Decrypt API is used to decrypt data.

The CiphertextBlob parameter is required for this API. For more information, please see the Decrypt API document.

Decrypt API, and then use the obtained DEK plaintext to decrypt the ciphertext data.

```python
# -*- coding: utf-8 -*-
import base64

from Crypto.Cipher import AES
from tencentcloud.common import credential
from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
from tencentcloud.kms.v20190118 import kms_client, models


def KmsInit(region="ap-guangzhou", secretId="", secretKey=""):
    try:
        credProfile = credential.Credential(secretId, secretKey)
        client = kms_client.KmsClient(credProfile, region)
        return client
    except TencentCloudSDKException as err:
        print(err)
        return None


def DecryptDataKey(client, ciphertextBlob):
    try:
        req = models.DecryptRequest()
        req.CiphertextBlob = ciphertextBlob
        rsp = client.Decrypt(req)  # Call the `Decrypt` API to decrypt the DEK
        return rsp
    except TencentCloudSDKException as err:
        print(err)


# User-defined logic. The example here is for reference only
def LocalDecrypt(dataKey="", ciphertext=""):
    aes = AES.new(base64.b64decode(dataKey), AES.MODE_ECB)
    decryptedData = aes.decrypt(base64.b64decode(ciphertext))
    # Strip the zero padding added at encryption time and decode the bytes back to text
    plaintext = decryptedData.rstrip(b'\0').decode()
    print("plaintext=", plaintext, ", cipher=", ciphertext)


if __name__ == '__main__':
    # User-defined parameters
    secretId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    region = "ap-guangzhou"
    dekCipherBlob = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ciphertext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    client = KmsInit(region, secretId, secretKey)
    rsp = DecryptDataKey(client, dekCipherBlob)
    LocalDecrypt(rsp.Plaintext, ciphertext)
```