GCP - DLP - Decryption failed: the ciphertext is invalid error when using KMS wrapped key

While trying out a POC with GCP DLP, I am facing the below issue:

log:

Received the following error message from Cloud KMS when unwrapping KmsWrappedCryptoKey
 "projects/<<PROJECT_ID>>/locations/global/keyRings/<<KMS_KEY_RING>>/cryptoKeys
/<<KMS_KEY_NAME>>": Decryption failed: the ciphertext is invalid. 

I have just created the key and key ring using the generate key option in KMS and a basic DLP template to pseudonymize the data with a cryptographic deterministic token. The wrapped key I gave is a simple base-64 format key. When testing out this template in the console with the data, I am facing this issue. The same issue is replicated in the application logs when trying to encrypt the data.

PS: We have tried generating a key manually using OpenSSL and importing it into KMS. We are still facing this issue.

Attaching a screenshot for reference:

Figured out the issue in this case.

The issue was with the way we created the wrapped key which we gave in the DLP template. Below are the steps to generate the wrapped key:

  1. Choose the wrapped key (it could be anything: a string, random text, etc.)
  2. Encrypt the wrapped key from the above step using the KMS key that you are going to use in the DLP template.
  3. Convert the above encrypted key into base 64 format and use this in the DLP template.

Below are the commands for the above steps in the same order:

openssl rand 16 > secret.txt

This generates a random string of 16 bytes. The size has to be one of 16, 24, 32 (mandatory).

gcloud kms encrypt --location global --keyring <key-ring-name> --key \
<key-name> --plaintext-file secret.txt --ciphertext-file \
mysecret.txt.encrypted

This encrypts the random string.

base64 mysecret.txt.encrypted

Use this in the DLP template.

This answer helped me figure out the issue: https://stackoverflow.com/a/60513800/6908062
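The three steps of the answer, as an added Python example that is not code from the question, the answer or Google. It assumes the DLP JSON field names cryptoDeterministicConfig, kmsWrapped, wrappedKey and cryptoKeyName from the DLP REST API, which the post does not show, and the key-ring, key and crypto-key-name values are placeholders; kms_wrap_with_gcloud only runs when no stand-in `wrap` callable is supplied, so the checks can be exercised offline.

```python
import base64
import os
import subprocess
import tempfile
from typing import Callable, Optional

# DLP's deterministic encryption needs the *unwrapped* key to be 16, 24 or 32 bytes.
VALID_KEY_SIZES = (16, 24, 32)


def make_plaintext_key(size: int = 32) -> bytes:
    """Step 1: the secret KMS will wrap (equivalent of `openssl rand 16 > secret.txt`)."""
    if size not in VALID_KEY_SIZES:
        raise ValueError(f"key must be 16, 24 or 32 bytes, got {size}")
    return os.urandom(size)


def kms_wrap_with_gcloud(plaintext: bytes, key_ring: str, key: str, location: str = "global") -> bytes:
    """Step 2: the same `gcloud kms encrypt` call as the answer, via temp files.

    Needs an authenticated gcloud; pass another `wrap` callable to build_template when offline."""
    with tempfile.TemporaryDirectory() as tmp:
        pt_path = os.path.join(tmp, "secret.txt")
        ct_path = os.path.join(tmp, "secret.txt.encrypted")
        with open(pt_path, "wb") as f:
            f.write(plaintext)
        subprocess.run(["gcloud", "kms", "encrypt", "--location", location, "--keyring", key_ring,
                        "--key", key, "--plaintext-file", pt_path, "--ciphertext-file", ct_path],
                       check=True)
        with open(ct_path, "rb") as f:
            return f.read()


def build_template(key_ring: str, key: str, crypto_key_name: str, size: int = 32,
                   wrap: Optional[Callable[[bytes], bytes]] = None) -> dict:
    """Steps 1-3 end to end: returns the deidentify config body that carries the wrapped key."""
    plaintext = make_plaintext_key(size)
    wrap = wrap or (lambda pt: kms_wrap_with_gcloud(pt, key_ring, key))
    wrapped = wrap(plaintext)
    # The mistake in the question: the template got a plain base-64 key, not KMS ciphertext.
    # KMS ciphertext is an AEAD blob, so it is never equal to, or shorter than, the plaintext.
    if wrapped in (plaintext, base64.b64encode(plaintext)) or len(wrapped) <= len(plaintext):
        raise ValueError("wrappedKey must be the Cloud KMS ciphertext of the secret")
    # Step 3: base64 with no line breaks (GNU `base64` wraps long output at 76 columns).
    wrapped_b64 = base64.b64encode(wrapped).decode("ascii")
    return {"deidentifyConfig": {"infoTypeTransformations": {"transformations": [{
        "primitiveTransformation": {"cryptoDeterministicConfig": {
            "cryptoKey": {"kmsWrapped": {"wrappedKey": wrapped_b64,
                                         "cryptoKeyName": crypto_key_name}},
            "surrogateInfoType": {"name": "TOKEN"}}}}]}}}
```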
