英文:
How to rotate keys?
问题
我在查看Tink文档,但我没有看到清楚的方法来旋转密钥。基本上,我想做类似这样的事情:
KeyTemplate keyTemplate = AeadKeyTemplates.AES256_GCM;KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);// 做一些操作... 然后keysetHandle.rotateKey(); // 如何实现这个的等效操作呢?
文档提到密钥旋转是该库的核心功能。然而,文档中没有关于如何执行此操作的示例。使用该库进行密钥旋转的“正确”方法是什么?我还希望将密钥的旋转和激活分开。
英文:
I'm looking at the Tink documentation, but I don't see a clear way how to rotate a key. Basically, I would like to do somethink like:
KeyTemplate keyTemplate = AeadKeyTemplates.AES256_GCM;KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);// Do some stuff... and thenkeysetHandle.rotateKey(); // How to do the equivalent of this??
The documentation talks about how key rotation is a core feature of the library. However, there are no examples in the documentation for how to do this. What's the "correct" way to rotate keys using the library? I would also prefer to separate rotate and activate the new key.
答案1
得分: 1
开发人员改进了 GitHub 文档上的文档(请参阅 https://github.com/google/tink/blob/master/docs/JAVA-HOWTO.md#key-rotation):
- Tink 中支持密钥轮换,通过 KeysetManager 类实现。
您需要提供一个包含应进行轮换的密钥集的 KeysetHandle 对象,以及通过 KeyTemplate 消息指定的新密钥的规范。
import com.google.crypto.tink.KeysetHandle;import com.google.crypto.tink.KeysetManager;import com.google.crypto.tink.proto.KeyTemplate;KeysetHandle keysetHandle = ...; // 现有密钥集KeyTemplate keyTemplate = ...; // 新密钥的模板KeysetHandle rotatedKeysetHandle = KeysetManager.withKeysetHandle(keysetHandle).rotate(keyTemplate).getKeysetHandle();
- 一些常见的规范在 examples/keytemplates 中作为预生成的模板可用,并可以通过各自原语的...KeyTemplates.java 类访问。成功轮换后,生成的密钥集将包含根据 keyTemplate 中的规范生成的新密钥,并且新密钥将成为密钥集的主密钥。要成功进行轮换,注册表必须包含针对 keyTemplate 中指定的密钥类型的密钥管理器。或者,您可以使用 Tinkey 来轮换或管理密钥集。
以下是一个简短示例以及此程序生成的文件:
keyset_original.json 是(第一个)原始密钥:
{"primaryKeyId": 937652358,"key": [{"keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey","keyMaterialType": "SYMMETRIC","value": "GhC1iBVcPeQwNp9GcXfqpm8G"},"outputPrefixType": "TINK","keyId": 937652358,"status": "ENABLED"}]}
keyset_rotated.json 是轮换后的密钥集 - primaryKeyId 已更改,(第一个)密钥仍然可用且已启用,但不再是主密钥:
{"primaryKeyId": 138119043,"key": [{"keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey","keyMaterialType": "SYMMETRIC","value": "GhC1iBVcPeQwNp9GcXfqpm8G"},"outputPrefixType": "TINK","keyId": 937652358,"status": "ENABLED"},{"keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey","keyMaterialType": "SYMMETRIC","value": "GhBrr2JLPAMMi36n56RHGF2A"},"outputPrefixType": "TINK","keyId": 138119043,"status": "ENABLED"}]}
代码:
import com.google.crypto.tink.*;import com.google.crypto.tink.aead.AeadKeyTemplates;import com.google.crypto.tink.config.TinkConfig;import com.google.crypto.tink.proto.KeyTemplate;import java.io.File;import java.io.IOException;import java.security.GeneralSecurityException;public class KeyRotation {public static void main(String[] args) throws GeneralSecurityException, IOException {System.out.println("Google Tink 密钥轮换");TinkConfig.register();// 密钥生成KeyTemplate keyTemplate = AeadKeyTemplates.AES128_GCM;KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);// 写入文件String originalKeysetFilename = "keyset_original.json";CleartextKeysetHandle.write(keysetHandle, JsonKeysetWriter.withFile(new File(originalKeysetFilename)));// 加载现有密钥集KeysetHandle keysetHandleLoaded = CleartextKeysetHandle.read(JsonKeysetReader.withFile(new File(originalKeysetFilename)));// 生成新密钥并将其设置为主密钥KeysetHandle rotatedKeysetHandle = KeysetManager.withKeysetHandle(keysetHandleLoaded).rotate(keyTemplate).getKeysetHandle();// 写入文件String rotatedKeysetFilename = "keyset_rotated.json";CleartextKeysetHandle.write(rotatedKeysetHandle, JsonKeysetWriter.withFile(new File(rotatedKeysetFilename)));System.out.println("密钥轮换完成,新密钥集位于 " + rotatedKeysetFilename);}}
英文:
The developers improved the documentation on the GitHub-docs (see https://github.com/google/tink/blob/master/docs/JAVA-HOWTO.md#key-rotation):
*Support for key rotation in Tink is provided via the KeysetManager class.
You have to provide a KeysetHandle-object that contains the keyset that should be rotated, and a specification of the new key via a KeyTemplate message.
import com.google.crypto.tink.KeysetHandle;import com.google.crypto.tink.KeysetManager;import com.google.crypto.tink.proto.KeyTemplate;KeysetHandle keysetHandle = ...; // existing keysetKeyTemplate keyTemplate = ...; // template for the new keyKeysetHandle rotatedKeysetHandle = KeysetManager.withKeysetHandle(keysetHandle).rotate(keyTemplate).getKeysetHandle();
Some common specifications are available as pre-generated templates in examples/keytemplates, and can be accessed via the
...KeyTemplates.java classes of the respective primitives. After a successful rotation, the resulting keyset contains a new key
generated according to the specification in keyTemplate, and the new key becomes the primary key of the keyset. For the rotation
to succeed the Registry must contain a key manager for the key type specified in keyTemplate. Alternatively, you can use Tinkey
to rotate or manage a keyset.*
Below you find a short example and the files generated by this program:
<u>keyset_original.json</u> is the (first) original key:
{"primaryKeyId": 937652358,"key": [{"keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey","keyMaterialType": "SYMMETRIC","value": "GhC1iBVcPeQwNp9GcXfqpm8G"},"outputPrefixType": "TINK","keyId": 937652358,"status": "ENABLED"}]}
<u>keyset_rotated.json</u> is the rotated keyset - the primaryKeyId has changed and the (first) key is still
available <u>and</u> enabled but no longer primary key:
{"primaryKeyId": 138119043,"key": [{"keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey","keyMaterialType": "SYMMETRIC","value": "GhC1iBVcPeQwNp9GcXfqpm8G"},"outputPrefixType": "TINK","keyId": 937652358,"status": "ENABLED"},{"keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey","keyMaterialType": "SYMMETRIC","value": "GhBrr2JLPAMMi36n56RHGF2A"},"outputPrefixType": "TINK","keyId": 138119043,"status": "ENABLED"}]}
code:
import com.google.crypto.tink.*;import com.google.crypto.tink.aead.AeadKeyTemplates;import com.google.crypto.tink.config.TinkConfig;import com.google.crypto.tink.proto.KeyTemplate;import java.io.File;import java.io.IOException;import java.security.GeneralSecurityException;public class KeyRotation {public static void main(String[] args) throws GeneralSecurityException, IOException {System.out.println("Google Tink key rotation");TinkConfig.register();// key generationKeyTemplate keyTemplate = AeadKeyTemplates.AES128_GCM;KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);// write it to a fileString originalKeysetFilename = "keyset_original.json";CleartextKeysetHandle.write(keysetHandle, JsonKeysetWriter.withFile(new File(originalKeysetFilename)));// load the existing keysetHandleKeysetHandle keysetHandleLoaded = CleartextKeysetHandle.read(JsonKeysetReader.withFile(new File(originalKeysetFilename)));// generate a new key and make it primary keyKeysetHandle rotatedKeysetHandle = KeysetManager.withKeysetHandle(keysetHandleLoaded).rotate(keyTemplate).getKeysetHandle();// write it to a fileString rotatedKeysetFilename = "keyset_rotated.json";CleartextKeysetHandle.write(rotatedKeysetHandle, JsonKeysetWriter.withFile(new File(rotatedKeysetFilename)));System.out.println("key rotation done, new keyset in " + rotatedKeysetFilename);}}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论