Re-identify text data with format-preserving encryption.
Explore further
For detailed documentation that includes this code sample, see the following:
Code sample
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
using
System
;
using
Google.Api.Gax.ResourceNames
;
using
Google.Cloud.Dlp.V2
;
using
Google.Protobuf
;
using
static
Google
.
Cloud
.
Dlp
.
V2
.
CryptoReplaceFfxFpeConfig
.
Types
;
public
class
ReidentifyFreeTextFpe
{
public
static
ReidentifyContentResponse
ReidentifyContent
(
string
projectId
,
string
text
,
string
keyName
,
string
wrappedKey
,
FfxCommonNativeAlphabet
alphabet
=
FfxCommonNativeAlphabet
.
Numeric
,
InfoType
surrogateType
=
null
)
{
// Instantiate the client.
var
dlp
=
DlpServiceClient
.
Create
();
// Construct the infoType which will be used as both surrogate type and infoType.
var
infotype
=
surrogateType
??
new
InfoType
{
Name
=
"PHONE_TOKEN"
};
// Specify how to un-encrypt the previously de-identified information.
var
cryptoReplaceFfxFpeConfig
=
new
CryptoReplaceFfxFpeConfig
{
CryptoKey
=
new
CryptoKey
{
KmsWrapped
=
new
KmsWrappedCryptoKey
{
CryptoKeyName
=
keyName
,
WrappedKey
=
ByteString
.
FromBase64
(
wrappedKey
)
}
},
CommonAlphabet
=
alphabet
,
SurrogateInfoType
=
infotype
};
// Construct re-identify config using the CryptoReplaceFfxFpeConfig transformation method.
var
reidentifyConfig
=
new
DeidentifyConfig
{
InfoTypeTransformations
=
new
InfoTypeTransformations
{
Transformations
=
{
new
InfoTypeTransformations
.
Types
.
InfoTypeTransformation
{
PrimitiveTransformation
=
new
PrimitiveTransformation
{
CryptoReplaceFfxFpeConfig
=
cryptoReplaceFfxFpeConfig
,
},
InfoTypes
=
{
infotype
}
}
}
}
};
// Construct the inspect config using custom infoTypes.
var
inspectConfig
=
new
InspectConfig
{
CustomInfoTypes
=
{
new
CustomInfoType
{
InfoType
=
infotype
,
SurrogateType
=
new
CustomInfoType
.
Types
.
SurrogateType
()
}
}
};
// Construct the request.
var
request
=
new
ReidentifyContentRequest
{
ParentAsLocationName
=
new
LocationName
(
projectId
,
"global"
),
InspectConfig
=
inspectConfig
,
ReidentifyConfig
=
reidentifyConfig
,
Item
=
new
ContentItem
{
Value
=
text
},
};
// Call the API.
ReidentifyContentResponse
response
=
dlp
.
ReidentifyContent
(
request
);
// Inspect the response.
Console
.
WriteLine
(
$"Reidentified content: {response. Item
. Value
}"
);
return
response
;
}
}
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
(
"context"
"encoding/base64"
"fmt"
"io"
dlp
"cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// ReidTextDataWithFPE re-identifies text data with FPE
func
reidTextDataWithFPE
(
w
io
.
Writer
,
projectID
,
textToReidentify
,
kmsKeyName
,
wrappedAESKey
,
surrogateInfoType
string
)
error
{
// projectId := "my-project-id"
// textToReidentify := "My SSN is AGE(9):FHKByqA13"
/* kmsKeyName := "projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME"
*/
// wrappedAesKey := "YOUR_ENCRYPTED_AES_256_KEY"
// surrogateInfoType := "AGE"
ctx
:=
context
.
Background
()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client
,
err
:=
dlp
.
NewClient
(
ctx
)
if
err
!=
nil
{
return
err
}
// Closing the client safely cleans up background resources.
defer
client
.
Close
()
// Specify what content you want the service to re-identify.
contentItem
:=
& dlppb
.
ContentItem
{
DataItem
:
& dlppb
.
ContentItem_Value
{
Value
:
textToReidentify
,
},
}
// Specify the type of info the inspection will re-identify. This must use the same custom
// into type that was used as a surrogate during the initial encryption.
infotype
:=
& dlppb
.
InfoType
{
Name
:
surrogateInfoType
,
}
customInfotype
:=
& dlppb
.
CustomInfoType
{
InfoType
:
infotype
,
Type
:
& dlppb
.
CustomInfoType_SurrogateType_
{
SurrogateType
:
& dlppb
.
CustomInfoType_SurrogateType
{},
},
}
inspectConfig
:=
& dlppb
.
InspectConfig
{
CustomInfoTypes
:
[]
*
dlppb
.
CustomInfoType
{
customInfotype
,
},
}
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
kmsWrappedCryptoKey
,
err
:=
base64
.
StdEncoding
.
DecodeString
(
wrappedAESKey
)
if
err
!=
nil
{
return
err
}
cryptoKey
:=
& dlppb
.
CryptoKey
{
Source
:
& dlppb
.
CryptoKey_KmsWrapped
{
KmsWrapped
:
& dlppb
.
KmsWrappedCryptoKey
{
WrappedKey
:
kmsWrappedCryptoKey
,
CryptoKeyName
:
kmsKeyName
,
},
},
}
// Specify how to un-encrypt the previously de-identified information.
cryptoReplaceFfxFpeConfig
:=
& dlppb
.
CryptoReplaceFfxFpeConfig
{
CryptoKey
:
cryptoKey
,
Alphabet
:
& dlppb
.
CryptoReplaceFfxFpeConfig_CommonAlphabet
{
CommonAlphabet
:
dlppb
.
CryptoReplaceFfxFpeConfig_ALPHA_NUMERIC
,
},
SurrogateInfoType
:
infotype
,
}
primitiveTransformation
:=
& dlppb
.
PrimitiveTransformation_CryptoReplaceFfxFpeConfig
{
CryptoReplaceFfxFpeConfig
:
cryptoReplaceFfxFpeConfig
,
}
InfoTypeTransformations
:=
& dlppb
.
InfoTypeTransformations
{
Transformations
:
[]
*
dlppb
.
InfoTypeTransformations_InfoTypeTransformation
{
{
PrimitiveTransformation
:
& dlppb
.
PrimitiveTransformation
{
Transformation
:
primitiveTransformation
,
},
InfoTypes
:
[]
*
dlppb
.
InfoType
{
infotype
,
},
},
},
}
// Combine configurations into a request for the service.
reidentifyConfig
:=
& dlppb
.
DeidentifyConfig
{
Transformation
:
& dlppb
.
DeidentifyConfig_InfoTypeTransformations
{
InfoTypeTransformations
:
InfoTypeTransformations
,
},
}
// Construct the Inspect request to be sent by the client.
req
:=
& dlppb
.
ReidentifyContentRequest
{
Parent
:
fmt
.
Sprintf
(
"projects/%s/locations/global"
,
projectID
),
ReidentifyConfig
:
reidentifyConfig
,
Item
:
contentItem
,
InspectConfig
:
inspectConfig
,
}
// Send the request.
r
,
err
:=
client
.
ReidentifyContent
(
ctx
,
req
)
if
err
!=
nil
{
return
err
}
// Print the result.
fmt
.
Fprintf
(
w
,
"output: %v"
,
r
.
GetItem
().
GetValue
())
return
nil
}
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
com.google.cloud.dlp.v2. DlpServiceClient
;
import
com.google.common.io.BaseEncoding
;
import
com.google.privacy.dlp.v2. ContentItem
;
import
com.google.privacy.dlp.v2. CryptoKey
;
import
com.google.privacy.dlp.v2. CryptoReplaceFfxFpeConfig
;
import
com.google.privacy.dlp.v2. CryptoReplaceFfxFpeConfig
. FfxCommonNativeAlphabet
;
import
com.google.privacy.dlp.v2. CustomInfoType
;
import
com.google.privacy.dlp.v2. CustomInfoType
. SurrogateType
;
import
com.google.privacy.dlp.v2. DeidentifyConfig
;
import
com.google.privacy.dlp.v2. InfoType
;
import
com.google.privacy.dlp.v2. InfoTypeTransformations
;
import
com.google.privacy.dlp.v2. InfoTypeTransformations
. InfoTypeTransformation
;
import
com.google.privacy.dlp.v2. InspectConfig
;
import
com.google.privacy.dlp.v2. KmsWrappedCryptoKey
;
import
com.google.privacy.dlp.v2. LocationName
;
import
com.google.privacy.dlp.v2. PrimitiveTransformation
;
import
com.google.privacy.dlp.v2. ReidentifyContentRequest
;
import
com.google.privacy.dlp.v2. ReidentifyContentResponse
;
import
com.google.protobuf. ByteString
;
import
java.io.IOException
;
public
class
ReIdentifyTextWithFpe
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
// TODO(developer): Replace these variables before running the sample.
String
projectId
=
"your-project-id"
;
String
textToReIdentify
=
"My phone number is PHONE_TOKEN(10):9617256398"
;
String
kmsKeyName
=
"projects/YOUR_PROJECT/"
+
"locations/YOUR_KEYRING_REGION/"
+
"keyRings/YOUR_KEYRING_NAME/"
+
"cryptoKeys/YOUR_KEY_NAME"
;
String
wrappedAesKey
=
"YOUR_ENCRYPTED_AES_256_KEY"
;
reIdentifyTextWithFpe
(
projectId
,
textToReIdentify
,
kmsKeyName
,
wrappedAesKey
);
}
public
static
void
reIdentifyTextWithFpe
(
String
projectId
,
String
textToReIdentify
,
String
kmsKeyName
,
String
wrappedAesKey
)
throws
IOException
{
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try
(
DlpServiceClient
dlp
=
DlpServiceClient
.
create
())
{
// Specify what content you want the service to re-identify.
ContentItem
contentItem
=
ContentItem
.
newBuilder
().
setValue
(
textToReIdentify
).
build
();
// Specify the type of info the inspection will re-identify. This must use the same custom
// into type that was used as a surrogate during the initial encryption.
InfoType
surrogateInfoType
=
InfoType
.
newBuilder
().
setName
(
"PHONE_NUMBER"
).
build
();
CustomInfoType
customInfoType
=
CustomInfoType
.
newBuilder
()
.
setInfoType
(
surrogateInfoType
)
.
setSurrogateType
(
SurrogateType
.
getDefaultInstance
())
.
build
();
InspectConfig
inspectConfig
=
InspectConfig
.
newBuilder
().
addCustomInfoTypes
(
customInfoType
).
build
();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
KmsWrappedCryptoKey
kmsWrappedCryptoKey
=
KmsWrappedCryptoKey
.
newBuilder
()
.
setWrappedKey
(
ByteString
.
copyFrom
(
BaseEncoding
.
base64
().
decode
(
wrappedAesKey
)))
.
setCryptoKeyName
(
kmsKeyName
)
.
build
();
CryptoKey
cryptoKey
=
CryptoKey
.
newBuilder
().
setKmsWrapped
(
kmsWrappedCryptoKey
).
build
();
// Specify how to un-encrypt the previously de-identified information.
CryptoReplaceFfxFpeConfig
cryptoReplaceFfxFpeConfig
=
CryptoReplaceFfxFpeConfig
.
newBuilder
()
.
setCryptoKey
(
cryptoKey
)
// Set of characters in the input text. For more info, see
// https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#DeidentifyTemplate.FfxCommonNativeAlphabet
.
setCommonAlphabet
(
FfxCommonNativeAlphabet
.
NUMERIC
)
.
setSurrogateInfoType
(
surrogateInfoType
)
.
build
();
PrimitiveTransformation
primitiveTransformation
=
PrimitiveTransformation
.
newBuilder
()
.
setCryptoReplaceFfxFpeConfig
(
cryptoReplaceFfxFpeConfig
)
.
build
();
InfoTypeTransformation
infoTypeTransformation
=
InfoTypeTransformation
.
newBuilder
()
.
setPrimitiveTransformation
(
primitiveTransformation
)
.
addInfoTypes
(
surrogateInfoType
)
.
build
();
InfoTypeTransformations
transformations
=
InfoTypeTransformations
.
newBuilder
().
addTransformations
(
infoTypeTransformation
).
build
();
DeidentifyConfig
reidentifyConfig
=
DeidentifyConfig
.
newBuilder
().
setInfoTypeTransformations
(
transformations
).
build
();
// Combine configurations into a request for the service.
ReidentifyContentRequest
request
=
ReidentifyContentRequest
.
newBuilder
()
.
setParent
(
LocationName
.
of
(
projectId
,
"global"
).
toString
())
.
setItem
(
contentItem
)
.
setInspectConfig
(
inspectConfig
)
.
setReidentifyConfig
(
reidentifyConfig
)
.
build
();
// Send the request and receive response from the service
ReidentifyContentResponse
response
=
dlp
.
reidentifyContent
(
request
);
// Print the results
System
.
out
.
println
(
"Text after re-identification: "
+
response
.
getItem
().
getValue
());
}
}
}
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
// Imports the Google Cloud Data Loss Prevention library
const
DLP
=
require
(
' @google-cloud/dlp
'
);
// Instantiates a client
const
dlp
=
new
DLP
.
DlpServiceClient
();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to reidentify
// const string = 'My phone number is PHONE_TOKEN(10):9617256398';
// The set of characters to replace sensitive ones with
// For more information, see https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#ffxcommonnativealphabet
// const alphabet = 'NUMERIC';
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use when reidentifying data
// const surrogateType = 'SOME_INFO_TYPE_DEID';
async
function
reidentifyTextWithFpe
()
{
// Construct deidentification request
const
item
=
{
value
:
string
};
// Construt Crypto Key Configuration
const
cryptoKeyConfig
=
{
kmsWrapped
:
{
wrappedKey
:
wrappedKey
,
cryptoKeyName
:
keyName
,
},
};
// Construct primitive transformation configuration
const
primitiveTransformation
=
{
cryptoReplaceFfxFpeConfig
:
{
cryptoKey
:
cryptoKeyConfig
,
commonAlphabet
:
alphabet
,
surrogateInfoType
:
{
name
:
surrogateType
,
},
},
};
// Combine configurations and construct re-identify request
const
request
=
{
parent
:
`projects/
${
projectId
}
/locations/global`
,
reidentifyConfig
:
{
infoTypeTransformations
:
{
transformations
:
[
{
primitiveTransformation
:
primitiveTransformation
,
},
],
},
},
inspectConfig
:
{
customInfoTypes
:
[
{
infoType
:
{
name
:
surrogateType
,
},
surrogateType
:
{},
},
],
},
item
:
item
,
};
// Run re-identification request
const
[
response
]
=
await
dlp
.
reidentifyContent
(
request
);
const
reidentifiedItem
=
response
.
item
;
// Print results
console
.
log
(
reidentifiedItem
.
value
);
}
await
reidentifyTextWithFpe
();
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig\FfxCommonNativeAlphabet;
use Google\Cloud\Dlp\V2\CustomInfoType;
use Google\Cloud\Dlp\V2\CustomInfoType\SurrogateType;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\ReidentifyContentRequest;
/**
* Reidentify a deidentified string using Format-Preserving Encryption (FPE).
*
* @param string $callingProjectId The GCP Project ID to run the API call under.
* @param string $string The string to reidentify.
* @param string $keyName The name of the Cloud KMS key used to encrypt (wrap) the AES-256 key.
* @param string $wrappedKey The name of the Cloud KMS key use, encrypted with the KMS key in $keyName.
* @param string $surrogateTypeName Surrogate custom info type to enable reidentification.
*/
function reidentify_text_fpe(
string $callingProjectId,
string $string,
string $keyName,
string $wrappedKey,
string $surrogateTypeName
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Specify what content you want the service to re-identify.
$item = (new ContentItem())
->setValue($string);
// Specify the type of info the inspection will re-identify. This must use the same custom
// into type that was used as a surrogate during the initial encryption.
$surrogateType = (new InfoType())
->setName($surrogateTypeName);
$customInfoType = (new CustomInfoType())
->setInfoType($surrogateType)
->setSurrogateType(new SurrogateType());
// Create the inspect configuration object.
$inspectConfig = (new InspectConfig())
->setCustomInfoTypes([$customInfoType]);
// Set of characters in the input text. For more info, see
// https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#DeidentifyTemplate.FfxCommonNativeAlphabet
$commonAlphabet = FfxCommonNativeAlphabet::NUMERIC;
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedKey))
->setCryptoKeyName($keyName);
// Create the crypto key configuration object.
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Specify how to un-encrypt the previously de-identified information.
$cryptoReplaceFfxFpeConfig = (new CryptoReplaceFfxFpeConfig())
->setCryptoKey($cryptoKey)
->setCommonAlphabet($commonAlphabet)
->setSurrogateInfoType($surrogateType);
// Create the information transform configuration objects.
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoReplaceFfxFpeConfig($cryptoReplaceFfxFpeConfig);
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
// Create the reidentification configuration object.
$reidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
// Run request.
$reidentifyContentRequest = (new ReidentifyContentRequest())
->setParent($parent)
->setReidentifyConfig($reidentifyConfig)
->setInspectConfig($inspectConfig)
->setItem($item);
$response = $dlp->reidentifyContent($reidentifyContentRequest);
// Print the results.
printf($response->getItem()->getValue());
}
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
base64
import
google.cloud.dlp
def
reidentify_text_with_fpe
(
project
:
str
,
input_str
:
str
,
key_name
:
str
=
None
,
wrapped_key
:
str
=
None
,
)
-
> None
:
"""
Uses the Data Loss Prevention API to re-identify sensitive data in a
string using Format Preserving Encryption (FPE).
Args:
project: The Google Cloud project id to use as a parent resource.
input_str: The string to re-identify (will be treated as text).
key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
AES-256 key. Example:
key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The encrypted ('wrapped') AES-256 key to use. This key
should be encrypted using the Cloud KMS key specified by key_name.
"""
# Instantiate a client.
dlp
=
google
.
cloud
.
dlp_v2
.
DlpServiceClient
()
# The wrapped key is base64-encoded, but the library expects a binary
# string, so decode it here.
wrapped_key
=
base64
.
b64decode
(
wrapped_key
)
# Specify the type of info the inspection will re-identify.
# This must use the same custom infoType that was used as a
# surrogate during the initial encryption.
surrogate_info_type
=
{
"name"
:
"PHONE_NUMBER"
}
# Construct FPE configuration dictionary
crypto_replace_ffx_fpe_config
=
{
"crypto_key"
:
{
"kms_wrapped"
:
{
"wrapped_key"
:
wrapped_key
,
"crypto_key_name"
:
key_name
}
},
"common_alphabet"
:
"NUMERIC"
,
"surrogate_info_type"
:
surrogate_info_type
,
}
# Construct re-identify configuration dictionary
reidentify_config
=
{
"info_type_transformations"
:
{
"transformations"
:
[
{
"primitive_transformation"
:
{
"crypto_replace_ffx_fpe_config"
:
crypto_replace_ffx_fpe_config
,
},
"info_types"
:
[
surrogate_info_type
],
}
]
}
}
# Construct inspect configuration dictionary
inspect_config
=
{
"custom_info_types"
:
[{
"info_type"
:
surrogate_info_type
,
"surrogate_type"
:
{}}]
}
# Construct the `item`.
item
=
{
"value"
:
input_str
}
# Convert the project id into a full resource id.
parent
=
f
"projects/
{
project
}
/locations/global"
# Call the API.
response
=
dlp
.
reidentify_content
(
request
=
{
"parent"
:
parent
,
"reidentify_config"
:
reidentify_config
,
"inspect_config"
:
inspect_config
,
"item"
:
item
,
}
)
# Print results
print
(
f
"Text after re-identification:
{
response
.
item
.
value
}
"
)
What's next
To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .
