数据加密架构:TLS与密钥管理
数据加密架构:TLS与密钥管理
TLS传输加密
TLS(Transport Layer Security)是保护数据传输安全的标准协议,确保数据在传输过程中的机密性和完整性。
// TLS配置
@Configuration
public class TLSConfig {
@Bean
public SSLContext sslContext() throws Exception {
// 加载证书和密钥
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(
new FileInputStream("server.p12"),
"password".toCharArray()
);
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(
new FileInputStream("truststore.jks"),
"password".toCharArray()
);
// 配置TLS
SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(keyStore, "password".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(trustStore);
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
return sslContext;
}
@Bean
public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
return container -> {
if (container instanceof TomcatServletWebServerFactory) {
TomcatServletWebServerFactory factory =
(TomcatServletWebServerFactory) container;
factory.addConnectorCustomizers(connector -> {
connector.setScheme("https");
connector.setSecure(true);
connector.setPort(8443);
SSLEnabledProtocol[] protocols = {SSLEnabledProtocol.TLS_V1_3};
connector.setProtocols(Arrays.toString(protocols));
});
}
};
}
}
KMS密钥管理
// 密钥管理服务
@Service
public class KeyManagementService {
private final AWSKMS kmsClient;
private final KeyStore keyStore;
// 生成数据加密密钥(DEK)
public DataEncryptionKey generateDEK() {
GenerateDataKeyRequest request = GenerateDataKeyRequest.builder()
.keyId("arn:aws:kms:region:account:key/key-id")
.keySpec("AES_256")
.build();
GenerateDataKeyResponse response = kmsClient.generateDataKey(request);
return DataEncryptionKey.builder()
.plaintextKey(response.plaintext().asByteBuffer())
.encryptedKey(response.ciphertextBlob().asByteBuffer())
.build();
}
// 加密数据
public EncryptedData encrypt(String data, String keyId) {
// 获取或生成DEK
DataEncryptionKey dek = getOrCreateDEK(keyId);
// 使用DEK加密数据
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, dek.getPlaintextKey());
byte[] iv = cipher.getIV();
byte[] ciphertext = cipher.doFinal(data.getBytes(StandardCharsets.UTF_8));
return EncryptedData.builder()
.ciphertext(Base64.getEncoder().encodeToString(ciphertext))
.iv(Base64.getEncoder().encodeToString(iv))
.encryptedKey(Base64.getEncoder().encodeToString(
dek.getEncodedEncryptedKey()))
.algorithm("AES/GCM/NoPadding")
.build();
}
// 解密数据
public String decrypt(EncryptedData encryptedData) {
// 解密DEK
byte[] encryptedKey = Base64.getDecoder().decode(encryptedData.getEncryptedKey());
DecryptRequest request = DecryptRequest.builder()
.ciphertextBlob(ByteBuffer.wrap(encryptedKey))
.build();
DecryptResponse response = kmsClient.decrypt(request);
byte[] plaintextKey = response.plaintext().array();
// 使用DEK解密数据
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
byte[] iv = Base64.getDecoder().decode(encryptedData.getIv());
cipher.init(Cipher.DECRYPT_MODE,
new SecretKeySpec(plaintextKey, "AES"),
new GCMParameterSpec(128, iv));
byte[] plaintext = cipher.doFinal(
Base64.getDecoder().decode(encryptedData.getCiphertext()));
return new String(plaintext, StandardCharsets.UTF_8);
}
}
数据分类加密策略
# 数据加密策略
encryption_policy:
data_classification:
- level: "公开"
encryption: "可选"
key_rotation: "不适用"
examples: "公开文档、营销材料"
- level: "内部"
encryption: "传输加密"
key_rotation: "年度"
examples: "内部文档、配置文件"
- level: "机密"
encryption: "传输+存储加密"
key_rotation: "季度"
examples: "用户数据、业务数据"
- level: "绝密"
encryption: "传输+存储+内存加密"
key_rotation: "月度"
examples: "密钥、证书、财务数据"
algorithms:
symmetric:
primary: "AES-256-GCM"
fallback: "ChaCha20-Poly1305"
asymmetric:
primary: "RSA-4096"
recommended: "ECDSA-P384"
post_quantum: "CRYSTALS-Kyber"
hashing:
password: "Argon2id"
general: "SHA-384"
integrity: "HMAC-SHA-256"
key_management:
hierarchy:
- level: "主密钥(CMK)"
storage: "HSM"
rotation: "年度"
usage: "保护数据加密密钥"
- level: "数据加密密钥(DEK)"
storage: "KMS"
rotation: "季度"
usage: "加密实际数据"
- level: "会话密钥"
storage: "内存"
rotation: "每次会话"
usage: "临时数据加密"
数据加密架构通过TLS传输加密、KMS密钥管理和分级加密策略,确保数据在全生命周期中的安全性。