How to rotate keys?
Question
I'm looking at the Tink documentation, but I don't see a clear way to rotate a key. Basically, I would like to do something like:
KeyTemplate keyTemplate = AeadKeyTemplates.AES256_GCM;
KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);
// Do some stuff... and then
keysetHandle.rotateKey(); // How to do the equivalent of this??
The documentation talks about how key rotation is a core feature of the library. However, there are no examples in the documentation of how to do this. What's the "correct" way to rotate keys using the library? I would also prefer to separate rotating and activating the new key.
Answer 1
Score: 1
The developers improved the documentation on the GitHub docs (see https://github.com/google/tink/blob/master/docs/JAVA-HOWTO.md#key-rotation):
*Support for key rotation in Tink is provided via the KeysetManager class.
You have to provide a KeysetHandle-object that contains the keyset that should be rotated, and a specification of the new key via a KeyTemplate message.
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.proto.KeyTemplate;
KeysetHandle keysetHandle = ...; // existing keyset
KeyTemplate keyTemplate = ...; // template for the new key
KeysetHandle rotatedKeysetHandle = KeysetManager
.withKeysetHandle(keysetHandle)
.rotate(keyTemplate)
.getKeysetHandle();
Some common specifications are available as pre-generated templates in examples/keytemplates, and can be accessed via the
...KeyTemplates.java classes of the respective primitives. After a successful rotation, the resulting keyset contains a new key
generated according to the specification in keyTemplate, and the new key becomes the primary key of the keyset. For the rotation
to succeed the Registry must contain a key manager for the key type specified in keyTemplate. Alternatively, you can use Tinkey
to rotate or manage a keyset.*
Below you find a short example and the files generated by this program:
<u>keyset_original.json</u> is the (first) original key:
{
  "primaryKeyId": 937652358,
  "key": [{
    "keyData": {
      "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
      "keyMaterialType": "SYMMETRIC",
      "value": "GhC1iBVcPeQwNp9GcXfqpm8G"
    },
    "outputPrefixType": "TINK",
    "keyId": 937652358,
    "status": "ENABLED"
  }]
}
<u>keyset_rotated.json</u> is the rotated keyset - the primaryKeyId has changed, and the (first) key is still
available <u>and</u> enabled, but it is no longer the primary key:
{
  "primaryKeyId": 138119043,
  "key": [
    {
      "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
        "keyMaterialType": "SYMMETRIC",
        "value": "GhC1iBVcPeQwNp9GcXfqpm8G"
      },
      "outputPrefixType": "TINK",
      "keyId": 937652358,
      "status": "ENABLED"
    },
    {
      "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
        "keyMaterialType": "SYMMETRIC",
        "value": "GhBrr2JLPAMMi36n56RHGF2A"
      },
      "outputPrefixType": "TINK",
      "keyId": 138119043,
      "status": "ENABLED"
    }
  ]
}
code:
import com.google.crypto.tink.*;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.config.TinkConfig;
import com.google.crypto.tink.proto.KeyTemplate;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class KeyRotation {
    public static void main(String[] args) throws GeneralSecurityException, IOException {
        System.out.println("Google Tink key rotation");
        TinkConfig.register();
        // key generation: a fresh keyset with a single AES128-GCM key, which is the primary
        KeyTemplate keyTemplate = AeadKeyTemplates.AES128_GCM;
        KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);
        // write it to a file (in cleartext: the key material is not wrapped by a master key)
        String originalKeysetFilename = "keyset_original.json";
        CleartextKeysetHandle.write(keysetHandle, JsonKeysetWriter.withFile(
                new File(originalKeysetFilename)));
        // load the existing keysetHandle back from disk
        KeysetHandle keysetHandleLoaded = CleartextKeysetHandle.read(
                JsonKeysetReader.withFile(new File(originalKeysetFilename)));
        // generate a new key and make it the primary key; the old key stays enabled
        KeysetHandle rotatedKeysetHandle = KeysetManager
                .withKeysetHandle(keysetHandleLoaded)
                .rotate(keyTemplate)
                .getKeysetHandle();
        // write the rotated keyset to a second file
        String rotatedKeysetFilename = "keyset_rotated.json";
        CleartextKeysetHandle.write(rotatedKeysetHandle, JsonKeysetWriter.withFile(
                new File(rotatedKeysetFilename)));
        System.out.println("key rotation done, new keyset in " + rotatedKeysetFilename);
    }
}
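The answer above shows `rotate()`, which adds a key and makes it primary in one step. The question also asks for rotation and activation to be separate steps. The following is an added example, not code from the question, the answer, or Tink's own docs. It uses the same `KeysetManager` API the answer quotes, and assumes a Tink Java 1.x release in which `KeysetManager` exposes `add`, `setPrimary` and `disable` (newer releases mark the class deprecated but still ship it). The class name `StagedKeyRotation`, the helper methods `enabledKeyIds` and `canDecrypt`, and the plaintext/associated-data strings are all constructed for this example.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.config.TinkConfig;
import com.google.crypto.tink.proto.KeyStatusType;
import com.google.crypto.tink.proto.KeysetInfo;
import com.google.crypto.tink.proto.KeyTemplate;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

// Added example (not from the original post or from Tink): rotation split into
// three separate keyset versions - stage a new key, activate it, retire the old one.
// Assumes Tink Java 1.x KeysetManager (add / setPrimary / disable).
public class StagedKeyRotation {

  // IDs of all ENABLED keys in keyset order. KeysetManager appends new keys,
  // so the last element is the key added most recently.
  static int[] enabledKeyIds(KeysetHandle handle) {
    return handle.getKeysetInfo().getKeyInfoList().stream()
        .filter(k -> k.getStatus() == KeyStatusType.ENABLED)
        .mapToInt(KeysetInfo.KeyInfo::getKeyId)
        .toArray();
  }

  // True if some ENABLED key in the keyset can still decrypt the ciphertext.
  // Tink selects the key by the key-id prefix on the ciphertext (TINK output prefix);
  // if that key is disabled or gone, decrypt throws GeneralSecurityException.
  static boolean canDecrypt(KeysetHandle handle, byte[] ciphertext, byte[] aad)
      throws GeneralSecurityException {
    try {
      handle.getPrimitive(Aead.class).decrypt(ciphertext, aad);
      return true;
    } catch (GeneralSecurityException e) {
      return false;
    }
  }

  public static void main(String[] args) throws GeneralSecurityException {
    TinkConfig.register();
    KeyTemplate template = AeadKeyTemplates.AES256_GCM;
    byte[] aad = "record-42".getBytes(StandardCharsets.UTF_8);      // constructed sample input
    byte[] plaintext = "hello".getBytes(StandardCharsets.UTF_8);    // constructed sample input

    // Phase 0: production keyset with a single primary key; data already encrypted under it.
    KeysetHandle v0 = KeysetHandle.generateNew(template);
    int oldId = v0.getKeysetInfo().getPrimaryKeyId();
    byte[] ctOld = v0.getPrimitive(Aead.class).encrypt(plaintext, aad);

    // Phase 1 (rotate, do not activate): add a new key; the old key remains primary.
    // Roll this keyset out to every reader first, so that once writers switch,
    // no reader is left holding a keyset that lacks the new key.
    KeysetHandle v1 = KeysetManager.withKeysetHandle(v0).add(template).getKeysetHandle();
    int[] ids = enabledKeyIds(v1);
    int newId = ids[ids.length - 1];
    System.out.println("staged key " + newId
        + ", primary is still " + v1.getKeysetInfo().getPrimaryKeyId());

    // Phase 2 (activate): promote the new key. New encryptions use it; the old key
    // is still enabled, so ciphertexts written under it remain readable.
    KeysetHandle v2 = KeysetManager.withKeysetHandle(v1).setPrimary(newId).getKeysetHandle();
    byte[] ctNew = v2.getPrimitive(Aead.class).encrypt(plaintext, aad);
    System.out.println("v2 reads old ciphertext: " + canDecrypt(v2, ctOld, aad));
    System.out.println("v2 reads new ciphertext: " + canDecrypt(v2, ctNew, aad));

    // Phase 3 (retire): only after every stored ciphertext has been re-encrypted under
    // newId, disable the old key. Anything still encrypted under it becomes unreadable.
    KeysetHandle v3 = KeysetManager.withKeysetHandle(v2).disable(oldId).getKeysetHandle();
    System.out.println("v3 reads old ciphertext: " + canDecrypt(v3, ctOld, aad));
    System.out.println("v3 reads new ciphertext: " + canDecrypt(v3, ctNew, aad));
  }
}
```

Each phase produces a distinct keyset version that can be persisted and deployed independently, which is what makes "rotate" and "activate" separable: `add` changes nothing about which key encrypts, `setPrimary` changes only that, and `disable` is the irreversible step that should wait for re-encryption of stored data. Both the answer's program and this one use `CleartextKeysetHandle`, which writes raw symmetric key material to disk; for a real deployment write the keyset with `keysetHandle.write(JsonKeysetWriter.withFile(file), masterKeyAead)` so it is wrapped by a KMS-held master key, and read it back with `KeysetHandle.read(JsonKeysetReader.withFile(file), masterKeyAead)`.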