View a markdown version of this page

在 Connect Customer 中加密敏感的客戶輸入 - Amazon Connect 客戶
如何解密 Connect Customer 加密的資料

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

在 Connect Customer 中加密敏感的客戶輸入

您可以加密由流程收集的敏感資料。若要執行此作業,您需要使用公有金鑰加密。

設定 Connect Customer 時,請先提供公有金鑰。這是加密資料時使用的金鑰。稍後,您會提供 X.509 憑證,其中包含可證明您擁有私密金鑰的簽章。

在蒐集資料的流程中,您會提供 X.509 憑證來加密使用儲存的客戶輸入系統屬性所擷取的資料。您必須以 .pem 格式上傳一個金鑰以使用此功能。加密金鑰會用來驗證流程內所用憑證的簽章。

注意

您一次最多可啟用兩個加密金鑰,以協助輪換。

若要在儲存的客戶輸入屬性中解密資料,請使用 AWS Encryption SDK。如需詳細資訊,請參閱《AWS Encryption SDK 開發人員指南》https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/

如何解密 Connect Customer 加密的資料

下列程式碼範例示範如何使用 AWS 加密 SDK 解密資料。


package com.amazonaws;
 
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
 
public class AmazonConnectDecryptionSample {
 
    // The Provider 'AmazonConnect' is used during encryption, this must be used during decryption for key
    // to be found
    private static final String PROVIDER = "AmazonConnect";
 
    // The wrapping algorithm used during encryption
    private static final String WRAPPING_ALGORITHM = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";
 
    /**
     * This sample show how to decrypt data encrypted by Amazon Connect.
     * To use, provide the following command line arguments: [path-to-private-key] [key-id] [cyphertext]
     * Where:
     *  path-to-private-key is a file containing the PEM encoded private key to use for decryption
     *  key-id is the key-id specified during encryption in your flow
     *  cyphertext is the result of the encryption operation from Amazon Connect
     */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        String privateKeyFile = args[0]; // path to PEM encoded private key to use for decryption
        String keyId = args[1]; // this is the id used for key in your flow
        String cypherText = args[2]; // the result from flow
 
        Security.addProvider(new BouncyCastleProvider());
 
        // read the private key from file
        String privateKeyPem = new String(Files.readAllBytes(Paths.get(privateKeyFile)), Charset.forName("UTF-8"));
        RSAPrivateKey privateKey =  getPrivateKey(privateKeyPem);
 
        AwsCrypto awsCrypto = new AwsCrypto();
        JceMasterKey decMasterKey =
                JceMasterKey.getInstance(null,privateKey, PROVIDER, keyId, WRAPPING_ALGORITHM);
        CryptoResult<String, JceMasterKey> result = awsCrypto.decryptString(decMasterKey, cypherText);
 
        System.out.println("Decrypted: " + result.getResult());
    }
 
    public static RSAPrivateKey getPrivateKey(String privateKeyPem) throws IOException, GeneralSecurityException {
        String privateKeyBase64 = privateKeyPem
                .replace("-----BEGIN RSA PRIVATE KEY-----\n", "")
                .replace("-----END RSA PRIVATE KEY-----", "")
                .replaceAll("\n", "");
        byte[] decoded = Base64.getDecoder().decode(privateKeyBase64);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(decoded);
        RSAPrivateKey privKey = (RSAPrivateKey) kf.generatePrivate(keySpec);
        return privKey;
    }
}