使用KMS密钥对数据加解密_密钥管理服务(KMS)-阿里云帮助中心

初始化KMS实例SDK客户端后，您可以通过客户端调用Encrypt和Decrypt接口对数据进行加密解密。本文介绍集成KMS进行对称加密解密的代码示例。

完整代码示例

集成KMS进行对称加密解密包含三个步骤：

初始化调用KMS接口的客户端。
使用客户端调用Encrypt接口对数据进行加密。
使用客户端调用Decrypt接口对密文数据进行解密。

Python 2版本源码github地址：aes_encrypt_decrypt_sample.py

Python 3版本源码github地址：aes_encrypt_decrypt_sample.py

本文以Python 3版本为例介绍。

加密解密完整代码示例

# -*- coding: utf-8 -*-
import os

from openapi.models import Config
from openapi_util.models import RuntimeOptions
from sdk.client import Client
from sdk.models import EncryptRequest, DecryptRequest

config = Config()
# 连接协议请设置为"https"。KMS实例服务仅允许通过HTTPS协议访问。
config.protocol = "https"
# Client Key。
config.client_key_file = "<your-client-key-file>"
# Client Key解密口令。
config.password = os.getenv('CLIENT_KEY_PASSWORD')
# 设置endpoint为<your KMS Instance Id>.cryptoservice.kms.aliyuncs.com。
config.endpoint = "<your-endpoint>"
client = Client(config)


class AESEncryptContext(object):
    """The aes encrypt context may be stored."""

    def __init__(self, key_id, ciphertext_blob, iv, algorithm):
        self.key_id = key_id
        self.ciphertext_blob = ciphertext_blob
        self.iv = iv
        # Use default algorithm value,if the value is not set.
        self.algorithm = algorithm


def encrypt(key_id, plaintext):
    request = EncryptRequest()
    request.plaintext = plaintext
    request.key_id = key_id
    runtime_options = RuntimeOptions()
    # 忽略服务端证书
    # runtime_options.ignore_ssl = True
    # verify表示实例CA证书的路径
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.encrypt_with_options(request, runtime_options)
    print(resp)
    return AESEncryptContext(resp.key_id, resp.ciphertext_blob, resp.iv, resp.algorithm)


def decrypt(context):
    request = DecryptRequest()
    request.ciphertext_blob = context.ciphertext_blob
    request.key_id = context.key_id
    request.iv = context.iv
    request.algorithm = context.algorithm
    runtime_options = RuntimeOptions()
    # 忽略服务端证书
    # runtime_options.ignore_ssl = True
    # verify表示实例CA证书的路径
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.decrypt_with_options(request, runtime_options)
    print(resp)


plaintext = "<your-plaintext>".encode("utf-8")
key_id = "<your-key-id>"
context = encrypt(key_id, plaintext)
decrypt(context)

代码示例解析

初始化客户端

关于初始化客户端的详细介绍，请参见初始化客户端。

# -*- coding: utf-8 -*-
from openapi.models import Config
from sdk.client import Client

config = Config()
# 连接协议请设置为"https"。KMS实例服务仅允许通过HTTPS协议访问。
config.protocol = "https"

# Client Key。
config.client_key_file = "<your-client-key-file>"

# Client Key解密口令。
config.password = os.getenv('CLIENT_KEY_PASSWORD')

# 设置endpoint为<your KMS Instance Id>.cryptoservice.kms.aliyuncs.com。
config.endpoint = "<your-endpoint>"
client = Client(config)

调用Encrypt接口使用对称密钥对数据加密

def encrypt(key_id, plaintext):
    request = EncryptRequest()
    request.plaintext = plaintext
    request.key_id = key_id
    runtime_options = RuntimeOptions()
    # 忽略服务端证书
    # runtime_options.ignore_ssl = True
    # verify表示实例CA证书的路径
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.encrypt_with_options(request, runtime_options)
    print(resp)
    return AESEncryptContext(resp.key_id, resp.ciphertext_blob, resp.iv, resp.algorithm)

调用Decrypt接口使用对称密钥解密密文

    def decrypt(context):
    request = DecryptRequest()
    request.ciphertext_blob = context.ciphertext_blob
    request.key_id = context.key_id
    request.iv = context.iv
    request.algorithm = context.algorithm
    runtime_options = RuntimeOptions()
    # 忽略服务端证书
    # runtime_options.ignore_ssl = True
    # verify表示实例CA证书的路径
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.decrypt_with_options(request, runtime_options)
    print(resp)