密钥管理
更新时间:2025-08-21
创建MasterKey
如下代码可以创建MasterKey,返回MasterKeyId,创建时间等等。
Plain Text
1public void createKey(KmsClient client) {
2 try {
3 CreateKeyRequest createKeyRequest = new CreateKeyRequest(
4 "[DESCRIPTION]", //密钥描述
5 Constants.ProtectedBy.SOFTWARE.toString(), //密钥保护类型
6 "ENCRYPT_DECRYPT", // 密钥应用场景
7 Constants.KeySpec.AES_128.toString(), // 密钥类型
8 Constants.Origin.BAIDU_KMS.toString(), // 密钥来源
9 100); // 轮转天数,0为不开启,其他填7-365
10 // 执行创建master key请求
11 CreateKeyResponse createKeyResponse = client.createKey(createKeyRequest);
12 // 打印 master key Id
13 System.out.println(createKeyResponse.getKeyMetadata().getKeyId());
14 // 打印 master key 创建日期
15 System.out.println(createKeyResponse.getKeyMetadata().getCreationDate());
16 } catch (BceServiceException e) {
17 System.out.println(e.getMessage());
18 } catch (BceClientException e) {
19 System.out.println(e.getMessage());
20 } catch (Exception e) {
21 System.out.println(e.getMessage());
22 }
23}列举MasterKey
使用如下代码可以列举出该账号所创建的MasterKey
Plain Text
1public void listKeys(KmsClient client) {
2 try {
3 ListKeysRequest listKeysRequest = new ListKeysRequest();
4 // 设置返回的KeyId的数目
5 listKeysRequest.setLimit(100);
6 // 设置master key id位置的标记
7 listKeysRequest.setMarker("");
8 // 请求枚举 master key
9 ListKeysResponse listKeysResponse = client.listKeys(listKeysRequest);
10 // 打印出返回的master key Id
11 List<ListKeysResponse.Key> keys = listKeysResponse.getKeys();
12 for (ListKeysResponse.Key key : keys) {
13 System.out.println(key.getKeyId());
14 }
15 } catch (BceServiceException e) {
16 System.out.println(e.getMessage());
17 } catch (BceClientException e) {
18 System.out.println(e.getMessage());
19 } catch (Exception e) {
20 System.out.println(e.getMessage());
21 }
22}加密数据
如下代码可以对原文进行加密
Plain Text
1public void encrypt(KmsClient client) {
2 try {
3 EncryptRequest encryptRequest = new EncryptRequest();
4 // 设置待加密的明文数据,注意这里的原文一定是base64编码的
5 encryptRequest.setPlaintext("Q2FybFN1biBpcyBnZW5pdXMh");
6 // 设置master key Id
7 encryptRequest.setKeyId("your Master Key Id");
8 // 请求加密
9 EncryptResponse encryptResponse = client.encrypt(encryptRequest);
10 // 输出密文
11 System.out.println(encryptResponse.getCiphertext());
12 // 输出master key id
13 System.out.println(encryptResponse.getKeyId());
14 } catch (Exception e) {
15 System.out.println(e.getMessage());
16 }
17}解密数据
如下代码对密文进行解密
Plain Text
1public void decrypt(KmsClient client) {
2 try {
3 DecryptRequest decryptRequest = new DecryptRequest();
4 // 设置密文内容
5 decryptRequest.setCiphertext("your ciphertext");
6 // 设置master key Id
7 decryptRequest.setKeyId("your Master Key Id");
8 // 请求解密
9 DecryptResponse decryptResponse = client.decrypt(decryptRequest);
10 // 打印出master key id
11 System.out.println(decryptResponse.getKeyId());
12 // 打印出原文
13 System.out.println(decryptResponse.getPlaintext());
14 } catch (Exception e) {
15 System.out.println(e.getMessage());
16 }
17}生成Datakey
如下代码可以生成DataKey的原文和密文
Plain Text
1public void generateDataKey(KmsClient client) {
2 try {
3 GenerateDataKeyRequest generateDataKeyRequest = new GenerateDataKeyRequest();
4 // 设置master key Id
5 generateDataKeyRequest.setKeyId("your master key id");
6 // 设置data key 的长度
7 generateDataKeyRequest.setKeySpec(Constants.KeySpec.AES_256);
8 // 设置data key明文的长度
9 generateDataKeyRequest.setNumberOfBytes(20);
10 // 请求生成data key
11 GenerateDataKeyResponse generateDataKeyResponse = client.generateDataKey(generateDataKeyRequest);
12 // 打印data key 密文
13 System.out.println(generateDataKeyResponse.getCiphertext());
14 // 打印 Master key id
15 System.out.println(generateDataKeyResponse.getKeyId());
16 // 打印data key原文
17 System.out.println(generateDataKeyResponse.getPlaintext());
18 } catch (Exception e) {
19 System.out.println(e.getMessage());
20 }
21}使MasterKey处于可用状态
如下代码可以enable master key
Plain Text
1public void enableKey(KmsClient client) {
2 try {
3 // 初始化EnableKeyRequest并且设置master key id
4 EnableKeyRequest enableKeyRequest = new EnableKeyRequest("your master key id");
5 // 请求使Master Key 可用
6 client.enableKey(enableKeyRequest);
7 } catch (Exception e) {
8 System.out.println(e.getMessage());
9 }
10}使MasterKey处于不可用状态
如下代码可以disable master key
Plain Text
1public void disableKey(KmsClient client) {
2 try {
3 DisableKeyRequest disableKeyRequset = new DisableKeyRequest();
4 // 设计master key id
5 disableKeyRequset.setKeyId("your master key id");
6 // 请求是Master Key 不可用
7 client.disableKey(disableKeyRequset);
8 } catch (Exception e) {
9 System.out.println(e.getMessage());
10 }
11}删除MasterKey
如下代码可以删除MasterKey,等待删除的时间,最少7天,最多30天,默认30天。会在到达指定时间后的24小时内删除
Plain Text
1public void scheduleKeyDeletion(KmsClient client) {
2 try {
3 ScheduleKeyDeletionRequest request = new ScheduleKeyDeletionRequest();
4 // 设置等待删除的时间
5 request.setPendingWindowInDays(8);
6 // 设置master key id
7 request.setKeyId("your master key id");
8 // 请求删除master key
9 ScheduleKeyDeletionResponse response = client.scheduleKeyDeletion(request);
10 // 打印master key
11 System.out.println(response.getKeyId());
12 // 打印该master key 删除的时间
13 System.out.println(response.getDeletionDate().toString());
14 } catch (Exception e) {
15 System.out.println(e.getMessage());
16 }
17}取消删除MasterKey
如下代码可以取消对MasterKey的删除操作
Plain Text
1public void cancelKeyDeletion(KmsClient client) {
2 try {
3 CancelKeyDeletionRequest request = new CancelKeyDeletionRequest();
4 // 设计master key id
5 request.setKeyId("your master key id");
6 // 请求取消对master key的删除
7 client.cancelKeyDeletion(request);
8 } catch (Exception e) {
9 System.out.println(e.getMessage());
10 }
11}获取MasterKey详细信息
如下代码可以获取MasterKey的详细信息
Plain Text
1public void describeKey(KmsClient client) {
2 try {
3 DescribeKeyRequest request = new DescribeKeyRequest();
4 // 设计master key id
5 request.setKeyId("your master key id");
6 // 请求放回该master key的详细信息
7 DescribeKeyResponse response = client.describeKey(request);
8 // 打印master key id
9 System.out.println(response.getKeyMetadata().getKeyId());
10 // 打印master key的创建时间
11 System.out.println(response.getKeyMetadata().getCreationDate().toString());
12 // 打印master key 的状态(disabled or enabled)
13 System.out.println(response.getKeyMetadata().getKeyState());
14 // 打印master key的描述信息
15 System.out.println(response.getKeyMetadata().getDescription());
16 // 打印master key的使用方式
17 System.out.println(response.getKeyMetadata().getKeyUsage());
18 // 打印master key所在的地区
19 System.out.println(response.getKeyMetadata().getRegion());
20 // 打印master key被删除的时间
21 System.out.println(response.getKeyMetadata().getDeletionDate());
22 // 打印master key来源
23 System.out.println(response.getKeyMetadata().getOrigin());
24 // 打印master key密钥类型
25 System.out.println(response.getKeyMetadata().getKeySpec());
26 // 打印master key保护级别
27 System.out.println(response.getKeyMetadata().getProtectedBy());
28 } catch (BceServiceException e) {
29 System.out.println(e.getMessage());
30 } catch (BceClientException e) {
31 System.out.println(e.getMessage());
32 } catch (Exception e) {
33 System.out.println(e.getMessage());
34 }
35}获取导入密钥参数
如下代码可以获取导入密钥参数
Plain Text
1public void getParametersForImport(KmsClient client) {
2 try {
3 System.out.println("__________getParametersForImport_______");
4 GetParametersForImportRequest request = new GetParametersForImportRequest();
5 request.setKeyId("your master key id");
6 request.setPublicKeyEncoding(Constants.PublicKeyEncoding.BASE64.toString());
7 GetParametersForImportResponse response = client.getParametersForImport(request);
8 System.out.println(response.getImportToken());
9 System.out.println(response.getKeyId());
10 System.out.println(response.getPublicKey());
11 System.out.println(response.getTokenValidTill());
12 } catch (BceServiceException e) {
13 System.out.println(e.getMessage());
14 } catch (BceClientException e) {
15 System.out.println(e.getMessage());
16 } catch (Exception e) {
17 System.out.println(e.getMessage());
18 }
19}导入对称密钥
如下代码可以导入对称密钥
Plain Text
1public void importKey (KmsClient client) {
2 try {
3 System.out.println("__________importKey_______");
4 ImportKeyRequest request = new ImportKeyRequest();
5 request.setKeyId("your master key id");
6 request.setEncryptedKey("your encryped key");
7 request.setImportToken("your token");
8 request.setKeySpec(Constants.KeySpec.AES_128.toString());
9 request.setKeyUsage("ENCRYPT_DECRYPT");
10 KmsResponse response = client.importKey(request);
11 } catch (BceServiceException e) {
12 System.out.println(e.getMessage());
13 } catch (BceClientException e) {
14 System.out.println(e.getMessage());
15 } catch (Exception e) {
16 System.out.println(e.getMessage());
17 }
18}导入非对称密钥
如下代码可以导入RSA非对称密钥
Plain Text
1public void importAsymmetricKey (KmsClient client) {
2 try {
3 System.out.println("__________importKey_______");
4 ImportAsymmetricKeyRequest request = new ImportAsymmetricKeyRequest();
5 request.setKeyId("your master key id");
6 request.setAsymmetricKeySpec(Constants.KeySpec.RSA_1024.toString());
7 request.setAsymmetricKeyUsage("ENCRYPT_DECRYPT");
8 request.setEncryptedKeyEncryptionKey("your EncryptedKey by EncryptionKey");
9 EncryptedRsaKey rsaKey = new EncryptedRsaKey();
10 rsaKey.setEncryptedD("your D encrypted by your EncryptedKey then base64 encode");
11 rsaKey.setEncryptedDp("your Dp encrypted by your EncryptedKey then base64 encode");
12 rsaKey.setEncryptedDq("your Dq encrypted by your EncryptedKey then base64 encode");
13 rsaKey.setEncryptedP("your p encrypted by your EncryptedKey then base64 encode");
14 rsaKey.setEncryptedQ("your Q encrypted by your EncryptedKey then base64 encode");
15 rsaKey.setEncryptedQinv("your Qinv encrypted by your EncryptedKey then base64 encode");
16 rsaKey.setPublicKeyDer("your publickey encrypted by base64");
17 request.setEncryptedRsaKey(rsaKey);
18 request.setImportToken("your token");
19 KmsResponse response = client.importAsymmetricKey(request);
20 } catch (BceServiceException e) {
21 System.out.println(e.getMessage());
22 } catch (BceClientException e) {
23 System.out.println(e.getMessage());
24 } catch (Exception e) {
25 System.out.println(e.getMessage());
26 }
27}配置masterKey轮转间隔时间
如下代码可以配置 master key 轮转间隔时间
Plain Text
1public void updateRotateKey(KmsClient client) {
2 try {
3 // 初始化UpdateRotateKeyRequest并且设置master key id, 轮转时间0为不开启轮转,其他填7-365
4 UpdateRotationRequest updateRotationRequest = new UpdateRotationRequest("your master key id", 360);
5 // 请求使Master Key 可用
6 client.updateRotateKey(updateRotationRequest);
7 } catch (Exception e) {
8 System.out.println(e.getMessage());
9 }
10}