De-identify table data with format-preserving encryption

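Demonstrates encrypting sensitive data in a table with format-preserving encryption (FPE), so that the encrypted values keep the length and character set of the original values.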

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample

C#

To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .

To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  using 
  
 System 
 ; 
 using 
  
  Google.Api.Gax.ResourceNames 
 
 ; 
 using 
  
  Google.Cloud.Dlp.V2 
 
 ; 
 using 
  
  Google.Protobuf 
 
 ; 
 using 
  
 static 
  
 Google 
 . 
 Cloud 
 . 
 Dlp 
 . 
 V2 
 . 
 CryptoReplaceFfxFpeConfig 
 . 
 Types 
 ; 
 public class DeidentifyTableWithFpe
 {
     /// <summary>
     /// De-identifies the "Employee ID" column of a table with format-preserving
     /// encryption (FPE) by calling DeidentifyContent, prints the resulting table
     /// and returns it.
     /// </summary>
     /// <remarks>
     /// Only "Employee ID" is listed as a field to transform, so every other column
     /// is sent to the service and comes back as it was supplied. FPE output can be
     /// reversed by a party able to use the wrapping Cloud KMS key, so the result
     /// is pseudonymized data rather than anonymized data.
     /// </remarks>
     /// <param name="projectId">Project used as the parent resource, in location "global".</param>
     /// <param name="keyName">Name of the Cloud KMS key that encrypted (wrapped) the AES-256 key.</param>
     /// <param name="wrappedKey">The wrapped AES-256 key as base64 text; it is decoded to bytes here.</param>
     /// <param name="alphabet">Alphabet for the FPE transformation; defaults to Numeric.</param>
     /// <param name="tableToInspect">Table to de-identify; when null, a three-row sample table is used.</param>
     /// <returns>The table carried in the service response.</returns>
     public static Table DeidentifyTable(
         string projectId,
         string keyName,
         string wrappedKey,
         FfxCommonNativeAlphabet alphabet = FfxCommonNativeAlphabet.Numeric,
         Table tableToInspect = null)
     {
         // The client is created first, before any request object is assembled.
         var dlp = DlpServiceClient.Create();

         // Fall back to the built-in sample data when the caller supplies no table.
         tableToInspect = tableToInspect ?? BuildSampleTable();
         var item = new ContentItem { Table = tableToInspect };

         // The request carries the wrapped key plus the name of the Cloud KMS key
         // that wrapped it; the unwrapped AES key is never handled by this code.
         var kmsWrappedKey = new KmsWrappedCryptoKey
         {
             CryptoKeyName = keyName,
             WrappedKey = ByteString.FromBase64(wrappedKey)
         };
         var fpeConfig = new CryptoReplaceFfxFpeConfig
         {
             CryptoKey = new CryptoKey { KmsWrapped = kmsWrappedKey },
             CommonAlphabet = alphabet
         };

         // Bind the FPE transformation to the single column that is encrypted.
         var employeeIdTransformation = new FieldTransformation
         {
             PrimitiveTransformation = new PrimitiveTransformation
             {
                 CryptoReplaceFfxFpeConfig = fpeConfig
             }
         };
         employeeIdTransformation.Fields.Add(new FieldId { Name = "Employee ID" });

         var recordTransformations = new RecordTransformations();
         recordTransformations.FieldTransformations.Add(employeeIdTransformation);

         var request = new DeidentifyContentRequest
         {
             ParentAsLocationName = new LocationName(projectId, "global"),
             DeidentifyConfig = new DeidentifyConfig { RecordTransformations = recordTransformations },
             Item = item
         };

         // Call the API, then print and return the transformed table.
         DeidentifyContentResponse response = dlp.DeidentifyContent(request);
         Table deidentified = response.Item.Table;
         Console.WriteLine(deidentified);
         return deidentified;
     }

     // Builds the three-column, three-row sample table used when no table is passed in.
     private static Table BuildSampleTable()
     {
         var sample = new Table();
         foreach (var columnName in new[] { "Employee ID", "Date", "Compensation" })
         {
             sample.Headers.Add(new FieldId { Name = columnName });
         }
         sample.Rows.Add(BuildRow("11111", "2015", "$10"));
         sample.Rows.Add(BuildRow("33333", "2016", "$20"));
         sample.Rows.Add(BuildRow("22222", "2016", "$15"));
         return sample;
     }

     // Wraps each cell text in a string Value and collects the cells into one row.
     private static Table.Types.Row BuildRow(params string[] cells)
     {
         var row = new Table.Types.Row();
         foreach (var cell in cells)
         {
             row.Values.Add(new Value { StringValue = cell });
         }
         return row;
     }
 }
 

Go

To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .

To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 ( 
  
 "context" 
  
 "encoding/base64" 
  
 "fmt" 
  
 "io" 
  
 dlp 
  
 "cloud.google.com/go/dlp/apiv2" 
  
 "cloud.google.com/go/dlp/apiv2/dlppb" 
 ) 
 // deidentifyTableFPE de-identifies the "Employee ID" column of a built-in
 // sample table with format-preserving encryption and writes the table from the
 // response to w.
 //
 // kmsKeyName is the name of the Cloud KMS key that encrypted (wrapped) the
 // AES-256 key; wrappedAESKey is that wrapped key as standard base64 text. The
 // other columns of the table are not listed for transformation.
 func deidentifyTableFPE(w io.Writer, projectID string, kmsKeyName, wrappedAESKey string) error {
 	// projectID := "your-project-id"
 	// kmsKeyName := "projects/YOUR_PROJECT/locations/YOUR_KEYRING_REGION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME"
 	// wrappedAESKey := "YOUR_ENCRYPTED_AES_256_KEY"

 	// stringCells wraps each cell text in a string-typed dlppb.Value.
 	stringCells := func(cells ...string) []*dlppb.Value {
 		values := make([]*dlppb.Value, 0, len(cells))
 		for _, cell := range cells {
 			values = append(values, &dlppb.Value{
 				Type: &dlppb.Value_StringValue{StringValue: cell},
 			})
 		}
 		return values
 	}

 	// Define the sample table: three headers and three rows.
 	sampleTable := &dlppb.Table{
 		Headers: []*dlppb.FieldId{
 			{Name: "Employee ID"},
 			{Name: "Date"},
 			{Name: "Compensation"},
 		},
 		Rows: []*dlppb.Table_Row{
 			{Values: stringCells("11111", "2015", "$10")},
 			{Values: stringCells("22222", "2016", "$20")},
 			{Values: stringCells("33333", "2016", "$15")},
 		},
 	}

 	ctx := context.Background()

 	// Initialize a client once and reuse it to send multiple requests. Clients
 	// are safe to use across goroutines. When the client is no longer needed,
 	// call the Close method to clean up its resources.
 	client, err := dlp.NewClient(ctx)
 	if err != nil {
 		return err
 	}
 	defer client.Close()

 	// The wrapped key arrives as base64 text; the request needs the raw bytes.
 	wrappedKeyBytes, err := base64.StdEncoding.DecodeString(wrappedAESKey)
 	if err != nil {
 		return fmt.Errorf("error in decoding key: %w", err)
 	}

 	// Describe the key (wrapped key bytes plus the Cloud KMS key that wrapped
 	// them) and the alphabet the encrypted values are drawn from.
 	fpeConfig := &dlppb.CryptoReplaceFfxFpeConfig{
 		CryptoKey: &dlppb.CryptoKey{
 			Source: &dlppb.CryptoKey_KmsWrapped{
 				KmsWrapped: &dlppb.KmsWrappedCryptoKey{
 					WrappedKey:    wrappedKeyBytes,
 					CryptoKeyName: kmsKeyName,
 				},
 			},
 		},
 		Alphabet: &dlppb.CryptoReplaceFfxFpeConfig_CommonAlphabet{
 			CommonAlphabet: dlppb.CryptoReplaceFfxFpeConfig_NUMERIC,
 		},
 	}

 	// Associate the encryption with the one field that is transformed.
 	employeeIDTransformation := &dlppb.FieldTransformation{
 		Fields: []*dlppb.FieldId{
 			{Name: "Employee ID"},
 		},
 		Transformation: &dlppb.FieldTransformation_PrimitiveTransformation{
 			PrimitiveTransformation: &dlppb.PrimitiveTransformation{
 				Transformation: &dlppb.PrimitiveTransformation_CryptoReplaceFfxFpeConfig{
 					CryptoReplaceFfxFpeConfig: fpeConfig,
 				},
 			},
 		},
 	}

 	// Construct the de-identification request to be sent by the client.
 	req := &dlppb.DeidentifyContentRequest{
 		Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
 		DeidentifyConfig: &dlppb.DeidentifyConfig{
 			Transformation: &dlppb.DeidentifyConfig_RecordTransformations{
 				RecordTransformations: &dlppb.RecordTransformations{
 					FieldTransformations: []*dlppb.FieldTransformation{
 						employeeIDTransformation,
 					},
 				},
 			},
 		},
 		Item: &dlppb.ContentItem{
 			DataItem: &dlppb.ContentItem_Table{
 				Table: sampleTable,
 			},
 		},
 	}

 	// Send the request.
 	resp, err := client.DeidentifyContent(ctx, req)
 	if err != nil {
 		return err
 	}

 	// Print the results.
 	fmt.Fprintf(w, "De-identify Table after format-preserving encryption : %+v", resp.GetItem().GetTable())
 	return nil
 }
 

Java

To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .

To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 com.google.cloud.dlp.v2. DlpServiceClient 
 
 ; 
 import 
  
 com.google.common.io.BaseEncoding 
 ; 
 import 
  
 com.google.privacy.dlp.v2. ContentItem 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. CryptoKey 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. CryptoReplaceFfxFpeConfig 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. CryptoReplaceFfxFpeConfig 
. FfxCommonNativeAlphabet 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. DeidentifyConfig 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. DeidentifyContentRequest 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. DeidentifyContentResponse 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. FieldId 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. FieldTransformation 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. KmsWrappedCryptoKey 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. LocationName 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. PrimitiveTransformation 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. RecordTransformations 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. Table 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. Table 
. Row 
 
 ; 
 import 
  
 com.google.privacy.dlp.v2. Value 
 
 ; 
 import 
  
 com.google.protobuf. ByteString 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 public class DeIdentifyTableWithFpe {

   /** Builds a three-row sample table and de-identifies it with placeholder settings. */
   public static void main(String[] args) throws Exception {
     // TODO(developer): Replace these variables before running the sample.
     String projectId = "your-project-id";
     String kmsKeyName =
         "projects/YOUR_PROJECT/"
             + "locations/YOUR_KEYRING_REGION/"
             + "keyRings/YOUR_KEYRING_NAME/"
             + "cryptoKeys/YOUR_KEY_NAME";
     String wrappedAesKey = "YOUR_ENCRYPTED_AES_256_KEY";

     Table.Builder sample = Table.newBuilder();
     for (String columnName : new String[] {"Employee ID", "Date", "Compensation"}) {
       sample.addHeaders(FieldId.newBuilder().setName(columnName).build());
     }
     sample.addRows(sampleRow("11111", "2015", "$10"));
     sample.addRows(sampleRow("22222", "2016", "$20"));
     sample.addRows(sampleRow("33333", "2016", "$15"));

     deIdentifyTableWithFpe(projectId, sample.build(), kmsKeyName, wrappedAesKey);
   }

   /**
    * De-identifies the "Employee ID" column of the given table with format-preserving encryption
    * and prints the table from the response.
    *
    * <p>Only "Employee ID" is added as a field to transform; the remaining columns are sent to the
    * service without a transformation attached.
    *
    * @param projectId project used as the parent resource, in location "global"
    * @param tableToDeIdentify table whose "Employee ID" column is encrypted
    * @param kmsKeyName name of the Cloud KMS key that encrypted (wrapped) the AES-256 key
    * @param wrappedAesKey the wrapped AES-256 key as base64 text; it is decoded to bytes here
    * @throws IOException declared by the method; presumably raised when the client cannot be
    *     created (confirm against the client library)
    */
   public static void deIdentifyTableWithFpe(
       String projectId, Table tableToDeIdentify, String kmsKeyName, String wrappedAesKey)
       throws IOException {
     // Initialize client that will be used to send requests. This client only needs to be created
     // once, and can be reused for multiple requests. The try-with-resources statement closes it
     // when the block exits.
     try (DlpServiceClient dlp = DlpServiceClient.create()) {
       // The content the service is asked to de-identify.
       ContentItem item = ContentItem.newBuilder().setTable(tableToDeIdentify).build();

       // The request carries the wrapped key bytes together with the name of the Cloud KMS key
       // that wrapped them.
       byte[] wrappedKeyBytes = BaseEncoding.base64().decode(wrappedAesKey);
       CryptoKey cryptoKey =
           CryptoKey.newBuilder()
               .setKmsWrapped(
                   KmsWrappedCryptoKey.newBuilder()
                       .setWrappedKey(ByteString.copyFrom(wrappedKeyBytes))
                       .setCryptoKeyName(kmsKeyName)
                       .build())
               .build();

       // Set of characters in the input text. For more info, see
       // https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#DeidentifyTemplate.FfxCommonNativeAlphabet
       CryptoReplaceFfxFpeConfig fpeConfig =
           CryptoReplaceFfxFpeConfig.newBuilder()
               .setCryptoKey(cryptoKey)
               .setCommonAlphabet(FfxCommonNativeAlphabet.NUMERIC)
               .build();

       // Associate the encryption with the single field that is transformed.
       FieldTransformation employeeIdTransformation =
           FieldTransformation.newBuilder()
               .setPrimitiveTransformation(
                   PrimitiveTransformation.newBuilder()
                       .setCryptoReplaceFfxFpeConfig(fpeConfig)
                       .build())
               .addFields(FieldId.newBuilder().setName("Employee ID").build())
               .build();

       DeidentifyConfig config =
           DeidentifyConfig.newBuilder()
               .setRecordTransformations(
                   RecordTransformations.newBuilder()
                       .addFieldTransformations(employeeIdTransformation)
                       .build())
               .build();

       // Combine configurations into a request for the service.
       DeidentifyContentRequest request =
           DeidentifyContentRequest.newBuilder()
               .setParent(LocationName.of(projectId, "global").toString())
               .setItem(item)
               .setDeidentifyConfig(config)
               .build();

       // Send the request and print the table from the response.
       DeidentifyContentResponse response = dlp.deidentifyContent(request);
       System.out.println(
           "Table after format-preserving encryption: " + response.getItem().getTable());
     }
   }

   // Wraps each cell text in a string Value and collects the cells into one table row.
   private static Row sampleRow(String... cells) {
     Row.Builder row = Row.newBuilder();
     for (String cell : cells) {
       row.addValues(Value.newBuilder().setStringValue(cell).build());
     }
     return row.build();
   }
 }
 

Node.js

To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .

To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

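  // Imports the Google Cloud Data Loss Prevention library
  const DLP = require('@google-cloud/dlp');

  // Instantiates a client
  const dlp = new DLP.DlpServiceClient();

  // The project ID to run the API call under
  // const projectId = 'my-project';

  // The set of characters to replace sensitive ones with
  // For more information, see https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#ffxcommonnativealphabet
  // const alphabet = 'NUMERIC';

  // The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
  // const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';

  // The encrypted ('wrapped') AES-256 key to use
  // This key should be encrypted using the Cloud KMS key specified above
  // const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'

  // Table to de-identify: three headers and three rows of string cells.
  // The header names must be exact, because a field to transform is selected
  // by its header name.
  const tablularData = {
    headers: [{name: 'Employee ID'}, {name: 'Date'}, {name: 'Compensation'}],
    rows: [
      {
        values: [
          {stringValue: '11111'},
          {stringValue: '2015'},
          {stringValue: '$10'},
        ],
      },
      {
        values: [
          {stringValue: '22222'},
          {stringValue: '2016'},
          {stringValue: '$20'},
        ],
      },
      {
        values: [
          {stringValue: '33333'},
          {stringValue: '2016'},
          {stringValue: '$15'},
        ],
      },
    ],
  };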
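 /**
  * De-identifies the 'Employee ID' column of `tablularData` with
  * format-preserving encryption and logs the table from the response.
  *
  * Reads `projectId`, `alphabet`, `keyName`, `wrappedKey`, `dlp` and
  * `tablularData` from the enclosing scope. The other columns of the table
  * have no transformation attached.
  */
 async function deidentifyTableWithFpe() {
   // Specify field to be encrypted.
   const targetFields = [{name: 'Employee ID'}];

   // The request carries the wrapped AES-256 key together with the name of the
   // Cloud KMS key that wrapped it, plus the alphabet for the encrypted values.
   const fpeConfig = {
     cryptoKey: {
       kmsWrapped: {
         wrappedKey: wrappedKey,
         cryptoKeyName: keyName,
       },
     },
     commonAlphabet: alphabet,
   };

   // Combine configurations into a request for the service. The parent must be
   // a single-line resource name with no embedded whitespace.
   const request = {
     parent: `projects/${projectId}/locations/global`,
     deidentifyConfig: {
       recordTransformations: {
         fieldTransformations: [
           {
             fields: targetFields,
             primitiveTransformation: {
               cryptoReplaceFfxFpeConfig: fpeConfig,
             },
           },
         ],
       },
     },
     item: {
       table: tablularData,
     },
   };

   // Send the request and receive response from the service.
   const [response] = await dlp.deidentifyContent(request);

   // Print the results.
   console.log(
     `Table after de-identification: ${JSON.stringify(response.item.table)}`
   );
 }
 // NOTE(review): `await` at this level is only valid in an ES module or inside
 // an async function; presumably the full sample wraps this excerpt in an async
 // function that also supplies projectId, alphabet, keyName and wrappedKey.
 await deidentifyTableWithFpe();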
 

PHP

To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .

To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  use Google\Cloud\Dlp\V2\Client\DlpServiceClient; 
 use Google\Cloud\Dlp\V2\ContentItem; 
 use Google\Cloud\Dlp\V2\CryptoKey; 
 use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig; 
 use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig\FfxCommonNativeAlphabet; 
 use Google\Cloud\Dlp\V2\DeidentifyConfig; 
 use Google\Cloud\Dlp\V2\DeidentifyContentRequest; 
 use Google\Cloud\Dlp\V2\FieldId; 
 use Google\Cloud\Dlp\V2\FieldTransformation; 
 use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey; 
 use Google\Cloud\Dlp\V2\PrimitiveTransformation; 
 use Google\Cloud\Dlp\V2\RecordTransformations; 
 use Google\Cloud\Dlp\V2\Table; 
 use Google\Cloud\Dlp\V2\Table\Row; 
 use Google\Cloud\Dlp\V2\Value; 
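 /**
  * De-identify table data with format-preserving encryption.
  * Demonstrates encrypting sensitive data in a table while maintaining format.
  *
  * Only the columns named in $encryptedFieldNames are transformed; every other
  * column is written to the output file as the service returned it.
  *
  * @param string $callingProjectId      The Google Cloud project id to use as a parent resource.
  * @param string $inputCsvFile          The path of the input CSV file to de-identify.
  * @param string $outputCsvFile         The path of the file the de-identified table is written to.
  * @param string $encryptedFieldNames   Comma-separated names of the fields to be encrypted.
  * @param string $kmsKeyName            The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
  * Example: key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
  * @param string $wrappedAesKey         The encrypted ('wrapped') AES-256 key to use, base64-encoded.
  *
  * @throws \InvalidArgumentException If $wrappedAesKey is empty or is not valid base64.
  * @throws \RuntimeException         If the input file cannot be read or has no lines, or the
  *                                   output file cannot be opened.
  */
 function deidentify_table_fpe(
     string $callingProjectId,
     string $inputCsvFile,
     string $outputCsvFile,
     string $encryptedFieldNames,
     string $kmsKeyName,
     string $wrappedAesKey
 ): void {
     // Decode the wrapped key in strict mode. Non-strict base64_decode() silently
     // drops invalid characters, which would send a corrupted key to the service
     // instead of reporting the malformed input here.
     $wrappedKeyBytes = base64_decode($wrappedAesKey, true);
     if ($wrappedKeyBytes === false || $wrappedKeyBytes === '') {
         throw new \InvalidArgumentException('The wrapped AES key must be a non-empty base64 string.');
     }

     // Read a CSV file. file() returns false on failure, so check before indexing.
     $csvLines = is_readable($inputCsvFile) ? file($inputCsvFile, FILE_IGNORE_NEW_LINES) : false;
     if ($csvLines === false || count($csvLines) === 0) {
         throw new \RuntimeException(sprintf('Unable to read any lines from input file: %s', $inputCsvFile));
     }

     // NOTE(review): splitting on ',' does not handle quoted fields that contain
     // commas; the input is assumed to be a simple unquoted CSV.
     $csvHeaders = explode(',', $csvLines[0]);
     $csvRows = array_slice($csvLines, 1);

     // Instantiate a client.
     $dlp = new DlpServiceClient();

     $parent = "projects/$callingProjectId/locations/global";

     // Convert CSV file into protobuf objects.
     $tableHeaders = array_map(function ($csvHeader) {
         return (new FieldId)
             ->setName($csvHeader);
     }, $csvHeaders);

     $tableRows = array_map(function ($csvRow) {
         $rowValues = array_map(function ($csvValue) {
             return (new Value())
                 ->setStringValue($csvValue);
         }, explode(',', $csvRow));
         return (new Row())
             ->setValues($rowValues);
     }, $csvRows);

     // Construct the table object.
     $tableToDeIdentify = (new Table())
         ->setHeaders($tableHeaders)
         ->setRows($tableRows);

     // Specify the content to be de-identified.
     $content = (new ContentItem())
         ->setTable($tableToDeIdentify);

     // Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
     $kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
         ->setWrappedKey($wrappedKeyBytes)
         ->setCryptoKeyName($kmsKeyName);

     $cryptoKey = (new CryptoKey())
         ->setKmsWrapped($kmsWrappedCryptoKey);

     // Specify how the content should be encrypted.
     $cryptoReplaceFfxFpeConfig = (new CryptoReplaceFfxFpeConfig())
         ->setCryptoKey($cryptoKey)
         ->setCommonAlphabet(FfxCommonNativeAlphabet::NUMERIC);

     $primitiveTransformation = (new PrimitiveTransformation())
         ->setCryptoReplaceFfxFpeConfig($cryptoReplaceFfxFpeConfig);

     // Specify fields to be encrypted.
     $encryptedFields = array_map(function ($encryptedFieldName) {
         return (new FieldId())
             ->setName($encryptedFieldName);
     }, explode(',', $encryptedFieldNames));

     // Associate the encryption with the specified fields.
     $fieldTransformation = (new FieldTransformation())
         ->setPrimitiveTransformation($primitiveTransformation)
         ->setFields($encryptedFields);

     $recordtransformations = (new RecordTransformations())
         ->setFieldTransformations([$fieldTransformation]);

     $deidentifyConfig = (new DeidentifyConfig())
         ->setRecordTransformations($recordtransformations);

     // Run request.
     $deidentifyContentRequest = (new DeidentifyContentRequest())
         ->setParent($parent)
         ->setDeidentifyConfig($deidentifyConfig)
         ->setItem($content);
     $response = $dlp->deidentifyContent($deidentifyContentRequest);

     // Write the results. The output file is opened only after the API call
     // succeeded, so a failed request does not truncate an existing file.
     $csvRef = fopen($outputCsvFile, 'w');
     if ($csvRef === false) {
         throw new \RuntimeException(sprintf('Unable to open output file for writing: %s', $outputCsvFile));
     }
     try {
         fputcsv($csvRef, $csvHeaders);
         foreach ($response->getItem()->getTable()->getRows() as $tableRow) {
             $values = array_map(function ($tableValue) {
                 return $tableValue->getStringValue();
             }, iterator_to_array($tableRow->getValues()));
             fputcsv($csvRef, $values);
         }
     } finally {
         // Release the file handle even if writing a row fails.
         fclose($csvRef);
     }
     printf('Table after format-preserving encryption (File Location): %s', $outputCsvFile);
 }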
 

Python

To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .

To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  from 
  
 typing 
  
 import 
 List 
 import 
  
 google.cloud.dlp 
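 def deidentify_table_with_fpe(
     project: str,
     table_header: List[str],
     table_rows: List[List[str]],
     deid_field_names: List[str],
     key_name: str = None,
     wrapped_key: bytes = None,
     alphabet: str = None,
 ) -> None:
     """Uses the Data Loss Prevention API to de-identify sensitive data in a
     table while maintaining format.

     Only the columns named in deid_field_names are transformed; the other
     columns of the table have no transformation attached.

     Args:
         project: The Google Cloud project id to use as a parent resource.
         table_header: List of strings representing table field names.
         table_rows: List of rows representing table data.
         deid_field_names: A list of fields in table to de-identify.
         key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
             AES-256 key. Example:
             key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
             keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
         wrapped_key: The encrypted ('wrapped') AES-256 key to use, as bytes.
             This function passes the value to the API unchanged and does no
             base64 decoding itself. This key should be encrypted using the
             Cloud KMS key specified by key_name.
         alphabet: The set of characters to replace sensitive ones with. For
             more information, see https://cloud.google.com/dlp/docs/reference/
             rest/v2/projects.deidentifyTemplates#ffxcommonnativealphabet

     Raises:
         ValueError: If key_name, wrapped_key or alphabet is missing or empty.
     """
     # The three crypto parameters default to None only for signature
     # compatibility; without them there is nothing to encrypt with, so fail
     # here instead of sending an incomplete request.
     missing = [
         name
         for name, value in (
             ("key_name", key_name),
             ("wrapped_key", wrapped_key),
             ("alphabet", alphabet),
         )
         if not value
     ]
     if missing:
         raise ValueError(
             "Missing required crypto parameter(s): " + ", ".join(missing)
         )

     # Instantiate a client.
     dlp = google.cloud.dlp_v2.DlpServiceClient()

     # Construct the `table`. For more details on the table schema, please see
     # https://cloud.google.com/dlp/docs/reference/rest/v2/ContentItem#Table
     headers = [{"name": val} for val in table_header]
     rows = [
         {"values": [{"string_value": cell_val} for cell_val in row]}
         for row in table_rows
     ]
     table = {"headers": headers, "rows": rows}

     # Construct the `item` for table.
     item = {"table": table}

     # Specify fields to be de-identified (kept in a new name so the
     # caller-supplied list is not rebound).
     deid_fields = [{"name": field_name} for field_name in deid_field_names]

     # Construct FPE configuration dictionary
     crypto_replace_ffx_fpe_config = {
         "crypto_key": {
             "kms_wrapped": {"wrapped_key": wrapped_key, "crypto_key_name": key_name},
         },
         "common_alphabet": alphabet,
     }

     # Construct deidentify configuration dictionary
     deidentify_config = {
         "record_transformations": {
             "field_transformations": [
                 {
                     "primitive_transformation": {
                         "crypto_replace_ffx_fpe_config": crypto_replace_ffx_fpe_config
                     },
                     "fields": deid_fields,
                 }
             ]
         }
     }

     # Convert the project id into a full resource id.
     parent = f"projects/{project}/locations/global"

     # Call the API.
     response = dlp.deidentify_content(
         request={"parent": parent, "deidentify_config": deidentify_config, "item": item}
     )

     # Print out results.
     print(f"Table after de-identification: {response.item.table}")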
 

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .
