Google Cloud Data Loss Prevention (DLP) Decrypt Transformation

The Google Cloud Data Loss Prevention (DLP) Decrypt transformation is available in the Hub.

This plugin uses Google's Data Loss Prevention APIs, which charge the user depending on the volume of data analyzed (not transformed). More details on the exact costs can be found in the DLP pricing documentation.

Plugin version: 1.4.0

This plugin decrypts sensitive data that was encrypted by DLP using a reversible encryption transform, such as Format Preserving Encryption. The plugin works by reversing the encryption specified in the config. Therefore, you must provide the same configuration properties that were used to encrypt the data. In other words, the configuration in this plugin and the DLP Redaction plugin must be identical for the decrypt to function correctly.
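The requirement above, that the decrypt configuration mirror the encrypt configuration exactly, is easy to violate when the two plugins are configured by hand. The following is an added example, not code from the plugin or from Google: it builds the DLP REST request bodies (camelCase JSON, as documented for the `content.deidentify` and `content.reidentify` methods) for a format-preserving encryption of one record field with a KMS-wrapped key, derives the matching re-identification request from it, and provides a pre-flight check that lists every difference between an encrypt and a decrypt configuration. Project ID, KMS key name, wrapped key, field name and surrogate info type are constructed placeholders; nothing here calls the DLP API, so it runs offline.

```python
import copy
import json

# Constructed sample values (placeholders, not real resources).
PROJECT_ID = "example-project"
KMS_KEY_NAME = ("projects/example-project/locations/global/keyRings/"
                "example-ring/cryptoKeys/example-key")
WRAPPED_KEY_B64 = "<base64-of-kms-wrapped-key-placeholder>"


def fpe_transform(wrapped_key_b64, kms_key_name, surrogate_type, alphabet="NUMERIC"):
    """Primitive transformation for format-preserving encryption (FFX mode) with a
    KMS-wrapped data key. This is the reversible transform that decryption undoes.
    Field names follow the DLP REST API (camelCase JSON)."""
    return {
        "cryptoReplaceFfxFpeConfig": {
            "cryptoKey": {
                "kmsWrapped": {
                    "wrappedKey": wrapped_key_b64,
                    "cryptoKeyName": kms_key_name,
                }
            },
            "commonAlphabet": alphabet,
            "surrogateInfoType": {"name": surrogate_type},
        }
    }


def deidentify_request(project_id, field_transforms):
    """Body of a content.deidentify call that applies each transform to the
    named record fields. field_transforms is a list of (field names, transform)."""
    return {
        "parent": f"projects/{project_id}/locations/global",
        "deidentifyConfig": {
            "recordTransformations": {
                "fieldTransformations": [
                    {"fields": [{"name": f} for f in fields],
                     "primitiveTransformation": transform}
                    for fields, transform in field_transforms
                ]
            }
        },
    }


def reidentify_request_from(deid_request):
    """Mirror the de-identification request as a content.reidentify request.
    The reidentifyConfig reuses exactly the same record transformations: DLP can
    only reverse a transform when key, alphabet and surrogate type all match."""
    return {
        "parent": deid_request["parent"],
        "reidentifyConfig": copy.deepcopy(deid_request["deidentifyConfig"]),
    }


def _diff(enc, dec, path):
    """Recursive structural diff; returns readable 'path: difference' strings."""
    out = []
    if isinstance(enc, dict) and isinstance(dec, dict):
        for key in sorted(set(enc) | set(dec)):
            if key not in enc:
                out.append(f"{path}/{key}: only in decrypt config")
            elif key not in dec:
                out.append(f"{path}/{key}: only in encrypt config")
            else:
                out.extend(_diff(enc[key], dec[key], f"{path}/{key}"))
    elif isinstance(enc, list) and isinstance(dec, list):
        if len(enc) != len(dec):
            out.append(f"{path}: {len(enc)} (encrypt) vs {len(dec)} (decrypt) entries")
        else:
            for i, (a, b) in enumerate(zip(enc, dec)):
                out.extend(_diff(a, b, f"{path}[{i}]"))
    elif enc != dec:
        out.append(f"{path}: {enc!r} (encrypt) != {dec!r} (decrypt)")
    return out


def config_mismatches(encrypt_request, decrypt_request):
    """Pre-flight check: list every difference between the transformations used
    to encrypt and those the decrypt side will use. An empty list is required;
    any entry means the decrypt step will not reverse the data correctly."""
    return _diff(encrypt_request["deidentifyConfig"],
                 decrypt_request["reidentifyConfig"], "config")


# Constructed pipeline: encrypt the 'ssn' field with FPE, then mirror it.
ENCRYPT = deidentify_request(PROJECT_ID, [
    (["ssn"], fpe_transform(WRAPPED_KEY_B64, KMS_KEY_NAME, "SSN_TOKEN")),
])
DECRYPT = reidentify_request_from(ENCRYPT)


def drifted_decrypt_mismatches():
    """Show what the check reports when the decrypt side drifts: a different
    surrogate info type and a different KMS key than were used to encrypt."""
    drifted = copy.deepcopy(DECRYPT)
    cfg = drifted["reidentifyConfig"]["recordTransformations"]["fieldTransformations"][0]
    fpe = cfg["primitiveTransformation"]["cryptoReplaceFfxFpeConfig"]
    fpe["surrogateInfoType"]["name"] = "SSN"
    fpe["cryptoKey"]["kmsWrapped"]["cryptoKeyName"] = KMS_KEY_NAME.replace("example-key", "other-key")
    return config_mismatches(ENCRYPT, drifted)


if __name__ == "__main__":
    print("differences for a mirrored config:", config_mismatches(ENCRYPT, DECRYPT))
    print("\n".join(drifted_decrypt_mismatches()))
    print(json.dumps(DECRYPT, indent=2))
```

Run it to see that a mirrored configuration produces no differences while a drifted one reports the exact JSON paths (key name, surrogate type) that would make the decrypt step silently produce garbage or fail. The same check applies to any other reversible transform (for example a `cryptoDeterministicConfig`), since it compares the whole transformation subtree rather than FPE-specific fields.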

Permissions

In order for this plugin to function, it requires permissions to access the Data Loss Prevention APIs. These permissions are granted through the service account that is provided in the plugin configuration. If the service account path is set to auto-detect, then it will use a service account with the name service-<project-number>@gcp-sa-datafusion.iam.gserviceaccount.com.

The DLP Administrator role must be granted to the service account to allow this plugin to access the DLP APIs.

When using Deterministic Encryption with a KMS Wrapped Key, the Cloud KMS CryptoKey Encrypter/Decrypter role must be granted to the Cloud Data Loss Prevention Service Agent.

Metrics

This plugin records three metrics:

  • dlp.requests.count: Total number of requests sent to Data Loss Prevention API.

  • dlp.requests.success: Number of requests that were successfully processed by Data Loss Prevention API.

  • dlp.requests.fail: Number of requests that failed.

Custom Template Path

This option lets you use a custom template path that is located in a project other than the one specified in Project Id.

Configuration

| Property | Macro Enabled? | Version Introduced | Description |
|---|---|---|---|
| Use custom template | No | | Required. Enabling this option will allow you to define a custom DLP inspection Template to use for matching during the transformation. Default is No. |
| Template ID | Yes | | Optional. ID of the Inspection Template found in DLP. |
| Custom Template Path | Yes | 6.7.0/1.3.0 | Optional. Custom template path of the DLP inspection template. |
| Resource Location | Yes | 6.7.0/1.3.0 | Optional. Use this property to specify the resource location for the DLP Service. For more information, see https://cloud.google.com/dlp/docs/specifying-location. Default is global. |
| Fields to Transform | Yes | | Required. This field contains the rules for which fields should be transformed, as well as the configurations for the transforms. |
| Service Account Path | Yes | | Optional. Path on the local file system of the service account key used for authorization. Can be set to auto-detect when running on a Dataproc cluster. When running on other clusters, the file must be present on every node in the cluster. Default is auto-detect. |
| Project Id | Yes | | Optional. Google Cloud project ID, which uniquely identifies a project. It can be found on the Dashboard in the Google Cloud Platform console. Default is auto-detect. |

Created in 2020 by Google Inc.