Create a wrapped key

This page describes how to use Cloud Key Management Service (Cloud KMS) to create a wrapped key that you can then use to send deidentify and reidentify requests to the Cloud Data Loss Prevention API of Sensitive Data Protection.

The process of using a cryptographic key to de-identify and re-identify content is called pseudonymization (or tokenization). For conceptual information about this process, see Pseudonymization.

For an example that shows how to create a wrapped key, tokenize content, and re-identify tokenized content, see De-identifying and re-identifying sensitive text instead.

You can complete the steps in this document in 5 to 10 minutes, excluding the Before you begin steps.

Note: When you use Cloud KMS for cryptographic operations, charges apply. In addition, when you use a Cloud HSM key or a Cloud EKM key, you consume Cloud KMS quota on the project that contains the key. In contrast, if you're using a software Cloud KMS key with Sensitive Data Protection, no quota values apply. For more information, see Quotas in the Cloud KMS documentation.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command:

    gcloud init
  5. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  7. Verify that billing is enabled for your Google Cloud project.

  8. Enable the Sensitive Data Protection and Cloud KMS APIs:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    gcloud services enable dlp.googleapis.com cloudkms.googleapis.com

Required roles

To get the permissions that you need to create a wrapped AES key, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a key ring and a key

Before you start this procedure, decide where you want Sensitive Data Protection to process your de-identification and re-identification requests. When you create a Cloud KMS key, you must store it either in global or in the same region that you will use for your Sensitive Data Protection requests. Otherwise, the Sensitive Data Protection requests will fail.

You can find a list of supported locations in Sensitive Data Protection locations. Note the name of your chosen region (for example, us-west1).

This procedure uses global as the location for all API requests. If you want to use a different region, replace global with the region name.

  1. Create a key ring:

    gcloud kms keyrings create "dlp-keyring" \
      --location "global"
  2. Create a key:

    gcloud kms keys create "dlp-key" \
      --location "global" \
      --keyring "dlp-keyring" \
      --purpose "encryption"
  3. List your key ring and key:

    gcloud kms keys list \
      --location "global" \
      --keyring "dlp-keyring"

    You get the following output:

    NAME: projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key
    PURPOSE: ENCRYPT_DECRYPT
    ALGORITHM: GOOGLE_SYMMETRIC_ENCRYPTION
    PROTECTION_LEVEL: SOFTWARE
    LABELS:
    PRIMARY_ID: 1
    PRIMARY_STATE: ENABLED

    In this output, PROJECT_ID is the ID of your project.

    The value of NAME is the full resource name of your Cloud KMS key. Note this value because the de-identify and re-identify requests require it.

Create a base64-encoded AES key

This section describes how to create an Advanced Encryption Standard (AES) key and encode it in base64 format.

Note: These steps use the openssl and base64 commands, but there are many other ways to perform this task.
  1. Create a 128-, 192-, or 256-bit AES key. The following command uses openssl to create a 256-bit key in the current directory:

    openssl rand -out "./aes_key.bin" 32

    The file aes_key.bin is added to your current directory.

  2. Encode the AES key as a base64 string:

    base64 -i ./aes_key.bin

    You get an output similar to the following:

    uEDo6/yKx+zCg2cZ1DBwpwvzMVNk/c+jWs7OwpkMc/s=
    Warning: Don't use this example key to protect actual sensitive workloads. This key is provided only to serve as an example. Because it's shared here, this key is not safe to use.

Wrap the AES key using the Cloud KMS key

This section describes how to use the Cloud KMS key that you created in Create a key ring and a key to wrap the base64-encoded AES key that you created in Create a base64-encoded AES key.

To wrap the AES key, use curl to send the following request to the Cloud KMS API projects.locations.keyRings.cryptoKeys.encrypt method:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key:encrypt" \
  --request "POST" \
  --header "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
  --header "content-type: application/json" \
  --data "{\"plaintext\": \"BASE64_ENCODED_AES_KEY\"}"

Replace the following:

The response that you get from Cloud KMS is similar to the following JSON:

{
  "name": "projects/PROJECT_ID/locations/global/keyRings/dlp-keyring/cryptoKeys/dlp-key/cryptoKeyVersions/1",
  "ciphertext": "CiQAYuuIGo5DVaqdE0YLioWxEhC8LbTmq7Uy2G3qOJlZB7WXBw0SSQAjdwP8ZusZJ3Kr8GD9W0vaFPMDksmHEo6nTDaW/j5sSYpHa1ym2JHk+lUgkC3Zw5bXhfCNOkpXUdHGZKou1893O8BDby/82HY=",
  "ciphertextCrc32c": "901327763",
  "protectionLevel": "SOFTWARE"
}

In this output, PROJECT_ID is the ID of your project.

Note the value of ciphertext in the response. That is your wrapped key.
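The AES key generation, the encrypt request and the response handling above, as an added Python example that is not part of this page or of the Cloud KMS client libraries: it builds the cryptoKeys.encrypt body with the optional plaintextCrc32c field, and checks the key name and ciphertextCrc32c in the response before the ciphertext is accepted as the wrapped key. The CRC-32C routine is pure Python so the example runs offline; sample_encrypt_response is a constructed stand-in for a real Cloud KMS response, and the project and key names are placeholders.

```python
import base64
import json
import os

# Pure-Python CRC-32C (Castagnoli), so this runs offline. Cloud KMS returns
# ciphertextCrc32c alongside the ciphertext so a client can detect corruption.
_POLY = 0x82F63B78
_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def make_aes_key_b64(bits: int = 256) -> str:
    """Same result as `openssl rand -out aes_key.bin 32` followed by `base64`."""
    if bits not in (128, 192, 256):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")

def encrypt_request_body(aes_key_b64: str) -> str:
    """JSON body for cryptoKeys.encrypt; plaintextCrc32c covers the raw key bytes."""
    raw = base64.b64decode(aes_key_b64, validate=True)
    return json.dumps({"plaintext": aes_key_b64, "plaintextCrc32c": str(crc32c(raw))})

def verify_wrapped_key(response_json: str, key_name: str) -> bytes:
    """Validate an encrypt response before trusting it as the wrapped key:
    the version must belong to key_name and ciphertextCrc32c must match."""
    resp = json.loads(response_json)
    if not resp["name"].startswith(key_name + "/cryptoKeyVersions/"):
        raise ValueError("wrapped by unexpected key: " + resp["name"])
    wrapped = base64.b64decode(resp["ciphertext"], validate=True)
    if crc32c(wrapped) != int(resp["ciphertextCrc32c"]):
        raise ValueError("ciphertextCrc32c mismatch; ciphertext corrupted in transit")
    return wrapped

def sample_encrypt_response(wrapped: bytes, key_name: str) -> str:
    """Constructed stand-in for a real Cloud KMS response, for offline testing."""
    return json.dumps({"name": key_name + "/cryptoKeyVersions/1",
                       "ciphertext": base64.b64encode(wrapped).decode("ascii"),
                       "ciphertextCrc32c": str(crc32c(wrapped)),
                       "protectionLevel": "SOFTWARE"})
```

The bytes returned by verify_wrapped_key, re-encoded as base64, are what the de-identify and re-identify requests carry as the wrapped key, alongside the full Cloud KMS key name noted earlier.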

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.