是否可以使用相同的云KMS键在CSV中解密加密的CSV列?
我在Cloud KMS中创建一个对称键,然后使用Python加密CSV数据中的某些列(作为字符串,通过解码Ciphertext)。
然后,我将此CSV文件加载到BQ表。我有一个想法可以通过SQL使用KMS解密列,并且我从此 link ,
但我不确定只有与所提供的数据只有可能SQL函数与否(看起来像是这样),
有些字段我实际上不知道是否要放置一些
DECLARE KMS_RESOURCE_NAME STRING;
SET KMS_RESOURCE_NAME ="gcp-kms://projects/<project>locations/<location/keyRings/<keyring>/cryptoKeys/<key>"
;
select id
, AEAD.DECRYPT_STRING(KEYS.KEYSET_CHAIN(
KMS_RESOURCE_NAME,
first_level_keyset,
name
additional_authenticated_data)
FROM
mydataset.mytable
我应该为first_level_keyset 和附加_authenticaticed_data只需要解密我以前在CSV中所做的预加密列吗?
编辑:
我必须事先加密数据的原因是因为我首先将这些数据存储在GCS中的数据湖中,我希望它加密,并且GCS和BQ中都没有PII数据
I create a symmetric key in Cloud KMS and I used Python to encrypt some of the column in my CSV data (as a string by decoding the ciphertext).
Then, I load this CSV file to a BQ table. I have an idea to decrypt the column using KMS via SQL and I found this document about column-level encryption from this link
But I am not sure that it only possible for the data that encrypted with the provided SQL function or not (seems like it)
There are some field that I don't actually know whether to put something
DECLARE KMS_RESOURCE_NAME STRING;
SET KMS_RESOURCE_NAME ="gcp-kms://projects/<project>locations/<location/keyRings/<keyring>/cryptoKeys/<key>"
;
select id
, AEAD.DECRYPT_STRING(KEYS.KEYSET_CHAIN(
KMS_RESOURCE_NAME,
first_level_keyset,
name
additional_authenticated_data)
FROM
mydataset.mytable
What actually I should put for first_level_keyset and additional_authenticated_data if I just need only to decrypt a pre-encrypted column that I did previously in CSV?
Edit:
The reason I have to encrypt data beforehand is because I store these data in my data lake in GCS first which I want it to be encrypted and no PII data in both GCS and BQ
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论