Demonstrates encrypting sensitive characters while maintaining format.
Explore further
For detailed documentation that includes this code sample, see the following:
Code sample
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
using
System
;
using
System.Collections.Generic
;
using
Google.Api.Gax.ResourceNames
;
using
Google.Cloud.Dlp.V2
;
using
Google.Protobuf
;
using
static
Google
.
Cloud
.
Dlp
.
V2
.
CryptoReplaceFfxFpeConfig
.
Types
;
public
class
DeidentifyWithFpe
{
public
static
DeidentifyContentResponse
Deidentify
(
string
projectId
,
string
dataValue
,
IEnumerable<InfoType>
infoTypes
,
string
keyName
,
string
wrappedKey
,
FfxCommonNativeAlphabet
alphabet
)
{
var
deidentifyConfig
=
new
DeidentifyConfig
{
InfoTypeTransformations
=
new
InfoTypeTransformations
{
Transformations
=
{
new
InfoTypeTransformations
.
Types
.
InfoTypeTransformation
{
PrimitiveTransformation
=
new
PrimitiveTransformation
{
CryptoReplaceFfxFpeConfig
=
new
CryptoReplaceFfxFpeConfig
{
CommonAlphabet
=
alphabet
,
CryptoKey
=
new
CryptoKey
{
KmsWrapped
=
new
KmsWrappedCryptoKey
{
CryptoKeyName
=
keyName
,
WrappedKey
=
ByteString
.
FromBase64
(
wrappedKey
)
}
},
SurrogateInfoType
=
new
InfoType
{
Name
=
"TOKEN"
}
}
}
}
}
}
};
var
dlp
=
DlpServiceClient
.
Create
();
var
response
=
dlp
.
DeidentifyContent
(
new
DeidentifyContentRequest
{
Parent
=
new
LocationName
(
projectId
,
"global"
).
ToString
(),
InspectConfig
=
new
InspectConfig
{
InfoTypes
=
{
infoTypes
}
},
DeidentifyConfig
=
deidentifyConfig
,
Item
=
new
ContentItem
{
Value
=
dataValue
}
});
Console
.
WriteLine
(
$"Deidentified content: {response.Item. Value
}"
);
return
response
;
}
}
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
(
"context"
"encoding/base64"
"fmt"
"io"
dlp
"cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// deidentifyFPE deidentifies the input with FPE (Format Preserving Encryption).
// keyFileName is the file name with the KMS wrapped key and cryptoKeyName is the
// full KMS key resource name used to wrap the key. surrogateInfoType is an
// optional identifier needed for reidentification. surrogateInfoType can be any
// value not found in your input.
// Info types can be found with the infoTypes.list method or on https://cloud.google.com/dlp/docs/infotypes-reference
func
deidentifyFPE
(
w
io
.
Writer
,
projectID
,
input
string
,
infoTypeNames
[]
string
,
kmsKeyName
,
wrappedAESKey
,
surrogateInfoType
string
)
error
{
// projectID := "my-project-id"
// input := "My SSN is 123456789"
// infoTypeNames := []string{"US_SOCIAL_SECURITY_NUMBER"}
// kmsKeyName := "projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME"
// wrappedAESKey := "YOUR_ENCRYPTED_AES_256_KEY"
// surrogateInfoType := "AGE"
ctx
:=
context
.
Background
()
client
,
err
:=
dlp
.
NewClient
(
ctx
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"dlp.NewClient: %w"
,
err
)
}
defer
client
.
Close
()
// Convert the info type strings to a list of InfoTypes.
var
infoTypes
[]
*
dlppb
.
InfoType
for
_
,
it
:=
range
infoTypeNames
{
infoTypes
=
append
(
infoTypes
,
& dlppb
.
InfoType
{
Name
:
it
})
}
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
kmsWrappedCryptoKey
,
err
:=
base64
.
StdEncoding
.
DecodeString
(
wrappedAESKey
)
if
err
!=
nil
{
return
err
}
// Create a configured request.
req
:=
& dlppb
.
DeidentifyContentRequest
{
Parent
:
fmt
.
Sprintf
(
"projects/%s/locations/global"
,
projectID
),
InspectConfig
:
& dlppb
.
InspectConfig
{
InfoTypes
:
infoTypes
,
},
DeidentifyConfig
:
& dlppb
.
DeidentifyConfig
{
Transformation
:
& dlppb
.
DeidentifyConfig_InfoTypeTransformations
{
InfoTypeTransformations
:
& dlppb
.
InfoTypeTransformations
{
Transformations
:
[]
*
dlppb
.
InfoTypeTransformations_InfoTypeTransformation
{
{
InfoTypes
:
[]
*
dlppb
.
InfoType
{},
// Match all info types.
PrimitiveTransformation
:
& dlppb
.
PrimitiveTransformation
{
Transformation
:
& dlppb
.
PrimitiveTransformation_CryptoReplaceFfxFpeConfig
{
CryptoReplaceFfxFpeConfig
:
& dlppb
.
CryptoReplaceFfxFpeConfig
{
CryptoKey
:
& dlppb
.
CryptoKey
{
Source
:
& dlppb
.
CryptoKey_KmsWrapped
{
KmsWrapped
:
& dlppb
.
KmsWrappedCryptoKey
{
WrappedKey
:
kmsWrappedCryptoKey
,
CryptoKeyName
:
kmsKeyName
,
},
},
},
// Set the alphabet used for the output.
Alphabet
:
& dlppb
.
CryptoReplaceFfxFpeConfig_CommonAlphabet
{
CommonAlphabet
:
dlppb
.
CryptoReplaceFfxFpeConfig_ALPHA_NUMERIC
,
},
// Set the surrogate info type, used for reidentification.
SurrogateInfoType
:
& dlppb
.
InfoType
{
Name
:
surrogateInfoType
,
},
},
},
},
},
},
},
},
},
// The item to analyze.
Item
:
& dlppb
.
ContentItem
{
DataItem
:
& dlppb
.
ContentItem_Value
{
Value
:
input
,
},
},
}
// Send the request.
r
,
err
:=
client
.
DeidentifyContent
(
ctx
,
req
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"DeidentifyContent: %w"
,
err
)
}
// Print the result.
fmt
.
Fprint
(
w
,
r
.
GetItem
().
GetValue
())
return
nil
}
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
com.google.cloud.dlp.v2. DlpServiceClient
;
import
com.google.common.io.BaseEncoding
;
import
com.google.privacy.dlp.v2. ContentItem
;
import
com.google.privacy.dlp.v2. CryptoKey
;
import
com.google.privacy.dlp.v2. CryptoReplaceFfxFpeConfig
;
import
com.google.privacy.dlp.v2. CryptoReplaceFfxFpeConfig
. FfxCommonNativeAlphabet
;
import
com.google.privacy.dlp.v2. DeidentifyConfig
;
import
com.google.privacy.dlp.v2. DeidentifyContentRequest
;
import
com.google.privacy.dlp.v2. DeidentifyContentResponse
;
import
com.google.privacy.dlp.v2. InfoType
;
import
com.google.privacy.dlp.v2. InfoTypeTransformations
;
import
com.google.privacy.dlp.v2. InfoTypeTransformations
. InfoTypeTransformation
;
import
com.google.privacy.dlp.v2. InspectConfig
;
import
com.google.privacy.dlp.v2. KmsWrappedCryptoKey
;
import
com.google.privacy.dlp.v2. LocationName
;
import
com.google.privacy.dlp.v2. PrimitiveTransformation
;
import
com.google.protobuf. ByteString
;
import
java.io.IOException
;
import
java.util.Arrays
;
public
class
DeIdentifyWithFpe
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
// TODO(developer): Replace these variables before running the sample.
String
projectId
=
"your-project-id"
;
String
textToDeIdentify
=
"I'm Gary and my SSN is 552096781"
;
String
kmsKeyName
=
"projects/YOUR_PROJECT/"
+
"locations/YOUR_KEYRING_REGION/"
+
"keyRings/YOUR_KEYRING_NAME/"
+
"cryptoKeys/YOUR_KEY_NAME"
;
String
wrappedAesKey
=
"YOUR_ENCRYPTED_AES_256_KEY"
;
deIdentifyWithFpe
(
projectId
,
textToDeIdentify
,
kmsKeyName
,
wrappedAesKey
);
}
public
static
void
deIdentifyWithFpe
(
String
projectId
,
String
textToDeIdentify
,
String
kmsKeyName
,
String
wrappedAesKey
)
throws
IOException
{
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try
(
DlpServiceClient
dlp
=
DlpServiceClient
.
create
())
{
// Specify what content you want the service to DeIdentify
ContentItem
contentItem
=
ContentItem
.
newBuilder
().
setValue
(
textToDeIdentify
).
build
();
// Specify the type of info the inspection will look for.
// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
InfoType
infoType
=
InfoType
.
newBuilder
().
setName
(
"US_SOCIAL_SECURITY_NUMBER"
).
build
();
InspectConfig
inspectConfig
=
InspectConfig
.
newBuilder
().
addAllInfoTypes
(
Arrays
.
asList
(
infoType
)).
build
();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
KmsWrappedCryptoKey
kmsWrappedCryptoKey
=
KmsWrappedCryptoKey
.
newBuilder
()
.
setWrappedKey
(
ByteString
.
copyFrom
(
BaseEncoding
.
base64
().
decode
(
wrappedAesKey
)))
.
setCryptoKeyName
(
kmsKeyName
)
.
build
();
CryptoKey
cryptoKey
=
CryptoKey
.
newBuilder
().
setKmsWrapped
(
kmsWrappedCryptoKey
).
build
();
// Specify how the info from the inspection should be encrypted.
InfoType
surrogateInfoType
=
InfoType
.
newBuilder
().
setName
(
"SSN_TOKEN"
).
build
();
CryptoReplaceFfxFpeConfig
cryptoReplaceFfxFpeConfig
=
CryptoReplaceFfxFpeConfig
.
newBuilder
()
.
setCryptoKey
(
cryptoKey
)
// Set of characters in the input text. For more info, see
// https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#DeidentifyTemplate.FfxCommonNativeAlphabet
.
setCommonAlphabet
(
FfxCommonNativeAlphabet
.
NUMERIC
)
.
setSurrogateInfoType
(
surrogateInfoType
)
.
build
();
PrimitiveTransformation
primitiveTransformation
=
PrimitiveTransformation
.
newBuilder
()
.
setCryptoReplaceFfxFpeConfig
(
cryptoReplaceFfxFpeConfig
)
.
build
();
InfoTypeTransformation
infoTypeTransformation
=
InfoTypeTransformation
.
newBuilder
()
.
setPrimitiveTransformation
(
primitiveTransformation
)
.
build
();
InfoTypeTransformations
transformations
=
InfoTypeTransformations
.
newBuilder
().
addTransformations
(
infoTypeTransformation
).
build
();
DeidentifyConfig
deidentifyConfig
=
DeidentifyConfig
.
newBuilder
().
setInfoTypeTransformations
(
transformations
).
build
();
// Combine configurations into a request for the service.
DeidentifyContentRequest
request
=
DeidentifyContentRequest
.
newBuilder
()
.
setParent
(
LocationName
.
of
(
projectId
,
"global"
).
toString
())
.
setItem
(
contentItem
)
.
setInspectConfig
(
inspectConfig
)
.
setDeidentifyConfig
(
deidentifyConfig
)
.
build
();
// Send the request and receive response from the service
DeidentifyContentResponse
response
=
dlp
.
deidentifyContent
(
request
);
// Print the results
System
.
out
.
println
(
"Text after format-preserving encryption: "
+
response
.
getItem
().
getValue
());
}
}
}
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
// Imports the Google Cloud Data Loss Prevention library
const
DLP
=
require
(
' @google-cloud/dlp
'
);
// Instantiates a client
const
dlp
=
new
DLP
.
DlpServiceClient
();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to deidentify
// const string = 'My SSN is 372819127';
// The set of characters to replace sensitive ones with
// For more information, see https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#ffxcommonnativealphabet
// const alphabet = 'ALPHA_NUMERIC';
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// (Optional) The name of the surrogate custom info type to use
// Only necessary if you want to reverse the deidentification process
// Can be essentially any arbitrary string, as long as it doesn't appear
// in your dataset otherwise.
// const surrogateType = 'SOME_INFO_TYPE_DEID';
async
function
deidentifyWithFpe
()
{
// Construct FPE config
const
cryptoReplaceFfxFpeConfig
=
{
cryptoKey
:
{
kmsWrapped
:
{
wrappedKey
:
wrappedKey
,
cryptoKeyName
:
keyName
,
},
},
commonAlphabet
:
alphabet
,
};
if
(
surrogateType
)
{
cryptoReplaceFfxFpeConfig
.
surrogateInfoType
=
{
name
:
surrogateType
,
};
}
// Construct deidentification request
const
item
=
{
value
:
string
};
const
request
=
{
parent
:
`projects/
${
projectId
}
/locations/global`
,
deidentifyConfig
:
{
infoTypeTransformations
:
{
transformations
:
[
{
primitiveTransformation
:
{
cryptoReplaceFfxFpeConfig
:
cryptoReplaceFfxFpeConfig
,
},
},
],
},
},
item
:
item
,
};
// Run deidentification request
const
[
response
]
=
await
dlp
.
deidentifyContent
(
request
);
const
deidentifiedItem
=
response
.
item
;
console
.
log
(
deidentifiedItem
.
value
);
}
deidentifyWithFpe
();
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig\FfxCommonNativeAlphabet;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\DeidentifyContentRequest;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
/**
* Deidentify a string using Format-Preserving Encryption (FPE).
*
* @param string $callingProjectId The GCP Project ID to run the API call under
* @param string $string The string to deidentify
* @param string $keyName The name of the Cloud KMS key used to encrypt (wrap) the AES-256 key
* @param string $wrappedKey The name of the Cloud KMS key use, encrypted with the KMS key in $keyName
* @param string $surrogateTypeName (Optional) surrogate custom info type to enable reidentification
*/
function deidentify_fpe(
string $callingProjectId,
string $string,
string $keyName,
string $wrappedKey,
string $surrogateTypeName = ''
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
// The infoTypes of information to mask
$ssnInfoType = (new InfoType())
->setName('US_SOCIAL_SECURITY_NUMBER');
$infoTypes = [$ssnInfoType];
// Create the wrapped crypto key configuration object
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedKey))
->setCryptoKeyName($keyName);
// The set of characters to replace sensitive ones with
// For more information, see https://cloud.google.com/dlp/docs/reference/rest/V2/organizations.deidentifyTemplates#ffxcommonnativealphabet
$commonAlphabet = FfxCommonNativeAlphabet::NUMERIC;
// Create the crypto key configuration object
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Create the crypto FFX FPE configuration object
$cryptoReplaceFfxFpeConfig = (new CryptoReplaceFfxFpeConfig())
->setCryptoKey($cryptoKey)
->setCommonAlphabet($commonAlphabet);
if ($surrogateTypeName) {
$surrogateType = (new InfoType())
->setName($surrogateTypeName);
$cryptoReplaceFfxFpeConfig->setSurrogateInfoType($surrogateType);
}
// Create the information transform configuration objects
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoReplaceFfxFpeConfig($cryptoReplaceFfxFpeConfig);
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation)
->setInfoTypes($infoTypes);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
// Create the deidentification configuration object
$deidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
$content = (new ContentItem())
->setValue($string);
$parent = "projects/$callingProjectId/locations/global";
// Run request
$deidentifyContentRequest = (new DeidentifyContentRequest())
->setParent($parent)
->setDeidentifyConfig($deidentifyConfig)
->setItem($content);
$response = $dlp->deidentifyContent($deidentifyContentRequest);
// Print the results
$deidentifiedValue = $response->getItem()->getValue();
print($deidentifiedValue);
}
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
base64
from
typing
import
List
import
google.cloud.dlp
def
deidentify_with_fpe
(
project
:
str
,
input_str
:
str
,
info_types
:
List
[
str
],
alphabet
:
str
=
None
,
surrogate_type
:
str
=
None
,
key_name
:
str
=
None
,
wrapped_key
:
str
=
None
,
)
-
> None
:
"""Uses the Data Loss Prevention API to deidentify sensitive data in a
string using Format Preserving Encryption (FPE).
Args:
project: The Google Cloud project id to use as a parent resource.
input_str: The string to deidentify (will be treated as text).
info_types: A list of strings representing info types to look for.
alphabet: The set of characters to replace sensitive ones with. For
more information, see https://cloud.google.com/dlp/docs/reference/
rest/v2beta2/organizations.deidentifyTemplates#ffxcommonnativealphabet
surrogate_type: The name of the surrogate custom info type to use. Only
necessary if you want to reverse the deidentification process. Can
be essentially any arbitrary string, as long as it doesn't appear
in your dataset otherwise.
key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
AES-256 key. Example:
key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The encrypted ('wrapped') AES-256 key to use. This key
should be encrypted using the Cloud KMS key specified by key_name.
Returns:
None; the response from the API is printed to the terminal.
"""
# Instantiate a client
dlp
=
google
.
cloud
.
dlp_v2
.
DlpServiceClient
()
# Convert the project id into a full resource id.
parent
=
f
"projects/
{
project
}
/locations/global"
# The wrapped key is base64-encoded, but the library expects a binary
# string, so decode it here.
wrapped_key
=
base64
.
b64decode
(
wrapped_key
)
# Construct FPE configuration dictionary
crypto_replace_ffx_fpe_config
=
{
"crypto_key"
:
{
"kms_wrapped"
:
{
"wrapped_key"
:
wrapped_key
,
"crypto_key_name"
:
key_name
}
},
"common_alphabet"
:
alphabet
,
}
# Add surrogate type
if
surrogate_type
:
crypto_replace_ffx_fpe_config
[
"surrogate_info_type"
]
=
{
"name"
:
surrogate_type
}
# Construct inspect configuration dictionary
inspect_config
=
{
"info_types"
:
[{
"name"
:
info_type
}
for
info_type
in
info_types
]}
# Construct deidentify configuration dictionary
deidentify_config
=
{
"info_type_transformations"
:
{
"transformations"
:
[
{
"primitive_transformation"
:
{
"crypto_replace_ffx_fpe_config"
:
crypto_replace_ffx_fpe_config
}
}
]
}
}
# Convert string to item
item
=
{
"value"
:
input_str
}
# Call the API
response
=
dlp
.
deidentify_content
(
request
=
{
"parent"
:
parent
,
"deidentify_config"
:
deidentify_config
,
"inspect_config"
:
inspect_config
,
"item"
:
item
,
}
)
# Print results
print
(
response
.
item
.
value
)
What's next
To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .
