Can we save wrapped keys generated with cloud KMS keys in DLP deidentification templates(using Python Api)?


I am working on a PII de-identification project and using google cloud's data loss prevention api.

Use case: To encrypt a field with cloud KMS key.

  • Created a DLP de-identification template; here is the snippet:
{
  "deidentify_template": {
    "display_name": "deidentification_encryption",
    "description": "deidentification_encryption",
    "deidentify_config": {
      "record_transformations": {
        "field_transformations": [
          {
            "fields": [
              {
                "name": "password"
              }
            ],
            "primitive_transformation": {
              "crypto_hash_config": {
                "crypto_key": {
                  "kms_wrapped": {
                    "wrapped_key": "[base64 encoded]",
                    "crypto_key_name": "kms-key-resource-name"
                  }
                }
              }
            }
          }
        ]
      }
    }
  }
}
  • Saved the template as a JSON file.

  • When I try to build the template using the Python API, I get the following error:

TypeError: Cannot set google.privacy.dlp.v2.KmsWrappedCryptoKey.wrapped_key [base64-encoded]: [base64-encoded] has type <class 'str'>, but expected one of: (<class 'bytes'>,) for field KmsWrappedCryptoKey

How can we write bytes in JSON? I am not sure whether this is feasible.

Workaround I used:

  • Created a template with a transient crypto key:
    "cryptoKey": {
      "transient": {
        "name": "ola-32"
      }
    }
  • In the DLP UI modified the template configuration.
  • Changed the transformation for password field to KMS wrapped crypto key.
  • Added the resource name and the KMS generated key.
  • It's working fine; I tested the template.

Additional observation:

  • I made an API call to check the configuration after I had added the KMS keys via the UI, and I saw the wrapped key like this:

[screenshot not available]

As far as I know, it's not possible to use the wrapped key in this format in JSON.

Is there a way to use KMS keys using templates saved as json?


Scott Ellis On

Yes, you should be able to use a KMS-wrapped key in a template. You can do this using JSON and calling the API, or via the Cloud Console UI here.

It's possible that the error you are getting is due to the key being wrapped in the wrong format.

I just went through these steps and got a successfully working DLP deidentify_template with a KMSWrappedKey.

To create a wrapped key you can try the following steps:

  1. Create a KMS Key Ring and Key. You will use this later to wrap your de-identification key.
  2. Create a 128/192/256-bit encryption key to use as your DLP de-identification key.
  3. Base64 encode this key from step #2.
  4. Wrap/encrypt this base64 encoded key from step #3 with the KMS key from step #1.

Sample KMS call:

curl "https://cloudkms.googleapis.com/v1/projects/<project-id>/locations/global/keyRings/<key-ring-id>/cryptoKeys/<key-id>:encrypt" \
  --request "POST" \
  --header "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
  --header "content-type: application/json" \
  --data "{\"plaintext\": \"<your base64 encoded key>\"}"

This should produce output like:

{
  "name": "projects/<project-id>/locations/global/keyRings/<key-ring-id>/cryptoKeys/<key-id>/cryptoKeyVersions/1",
  "ciphertext": "<cipher text>",
  "ciphertextCrc32c": "<some number>"
}
  5. Copy what is in the name field into the DLP cryptoKeyName but drop the last part /cryptoKeyVersions/1, and copy what's in the ciphertext value into the DLP wrappedKey field.

Example:

...
"crypto_hash_config": {
  "crypto_key": {
    "kmsWrapped": {
      "wrappedKey": "CiQA4yqJRKIrMRQCdYdsSHIhqGthDuuxnhBOLN512drs6f59tt4SOQAwcYzUXvT1tJQmHHhqycGMj/lB+UPkmIb7j+QcIGxtQuMbuqG2xdRC8WVMQ9MFJ9tuOO6vxJqaVw==",
      "cryptoKeyName": "projects/<project-id>/locations/global/keyRings/<key-ring-id>/cryptoKeys/<key-id>"
    }
  }
}
  6. Save your template and try it out. You can test it in the API tester here or in the Cloud DLP Console template tester here (just click on the template that you made and then the Test tab).

  7. Below is a full JSON example for creating a template. You would just need to run this under your project with your project as the parent id and ensure that the key resource ID matches yours. Here I use a keyring called keyring1 and a key called key1 in a project called project-test-123:

{
  "deidentifyTemplate": {
    "deidentifyConfig": {
      "infoTypeTransformations": {
        "transformations": [
          {
            "primitiveTransformation": {
              "cryptoHashConfig": {
                "cryptoKey": {
                  "kmsWrapped": {
                    "cryptoKeyName": "projects/project-test-123/locations/global/keyRings/keyring1/cryptoKeys/key1",
                    "wrappedKey": "CiQA4yqJRKIrMRQCdYdsSHIhqGthDuuxnhBOLN512drs6f59tt4SOQAwcYzUXvT1tJQmHHhqycGMj/lB+UPkmIb7j+QcIGxtQuMbuqG2xdRC8WVMQ9MFJ9tuOO6vxJqaVw=="
                  }
                }
              }
            }
          }
        ]
      }
    }
  },
  "templateId": "test1"
}

Note: this is a randomly generated 128 bit key that has been wrapped using KMS. Please don't use this actual key in any production systems or to protect any data since it's posted publicly here.
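The TypeError in the question comes from the protobuf JSON mapping: in REST JSON a bytes field such as wrapped_key is written as a base64 string, while the proto-plus message the Python client builds requires raw bytes. The following is an added example, not code from the question or the answer: it loads a template saved as JSON and base64-decodes kms_wrapped.wrapped_key into bytes, derives the template's crypto_key_name from the :encrypt response name as the answer's step 5 describes, and generates the base64 key for the KMS :encrypt call (steps 2-3). The template, resource names and ciphertext are constructed placeholders, and the actual DlpServiceClient call is left to the reader.

```python
import base64
import json
import os
import re

# Constructed sample template in the question's snake_case REST JSON form; the
# wrapped_key is a base64 placeholder, not a real KMS ciphertext.
TEMPLATE_JSON = json.dumps({"deidentify_config": {"record_transformations": {
    "field_transformations": [{
        "fields": [{"name": "password"}],
        "primitive_transformation": {"crypto_hash_config": {"crypto_key": {
            "kms_wrapped": {
                "wrapped_key": base64.b64encode(b"placeholder-kms-ciphertext").decode(),
                "crypto_key_name": "projects/project-test-123/locations/global/"
                                   "keyRings/keyring1/cryptoKeys/key1"}}}}}]}}})

def new_dek_b64(bits=128):
    """Steps 2-3 of the answer: a random 128/192/256-bit key, base64-encoded
    so it can be sent as "plaintext" to the KMS :encrypt endpoint."""
    if bits not in (128, 192, 256):
        raise ValueError("DLP crypto keys must be 128, 192 or 256 bits")
    return base64.b64encode(os.urandom(bits // 8)).decode()

def crypto_key_name_from_response(name):
    """Step 5: the encrypt response names a key *version*; the template wants
    the key itself, so strip the trailing /cryptoKeyVersions/N."""
    return re.sub(r"/cryptoKeyVersions/\d+$", "", name)

def decode_bytes_fields(obj):
    """Recursively convert kms_wrapped.wrapped_key from its JSON base64 string
    into bytes, which is what KmsWrappedCryptoKey.wrapped_key requires."""
    if isinstance(obj, list):
        return [decode_bytes_fields(item) for item in obj]
    if not isinstance(obj, dict):
        return obj
    out = {}
    for key, value in obj.items():
        if key in ("kms_wrapped", "kmsWrapped") and isinstance(value, dict):
            value = dict(value)
            for field in ("wrapped_key", "wrappedKey"):
                if isinstance(value.get(field), str):
                    value[field] = base64.b64decode(value[field], validate=True)
        out[key] = decode_bytes_fields(value)
    return out

def load_template(json_text):
    """Parse a saved template and return a dict usable as the deidentify_template
    argument of DlpServiceClient.create_deidentify_template(request={...})."""
    return decode_bytes_fields(json.loads(json_text))
```

The returned dict uses snake_case field names, which is what the proto-plus message constructor in the Python client expects.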