The AO performs encrypt and decrypt operations through the Google Distributed Cloud (GDC) air-gapped CLI to the KMS through a gRPC client.
Before you begin
Before performing crypto operations, download, install, and configure the gdcloud CLI to access the org admin cluster. To do this, follow the gdcloud CLI overview.
To get the permissions you need to perform cryptographic operations, ask your Organization IAM Admin to grant you the KMS Developer (kms-developer) role.
Encrypt data
To encrypt data, use the gdcloud kms keys encrypt command. This command encrypts a given plaintext file using the AEAD key and writes the result to a named ciphertext file.
To encrypt data, pass in the key name and the following:
  gdcloud kms keys encrypt namespaces/NAMESPACE/aeadKeys/KEY_NAME \
    --plaintext-file=PLAINTEXT_PATH \
    --additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE \
    --ciphertext-file=CIPHERTEXT_PATH
Replace the following variables:
- NAMESPACE: the project namespace, for example: kms-test1.
- KEY_NAME: the name of the key used to encrypt the plaintext, for example: key-1.
- PLAINTEXT_PATH: the path to the file that contains the plaintext to encrypt.
- ADDITIONAL_AUTHENTICATED_DATA_FILE: an optional file that contains additional authenticated data (AAD). AAD is authenticated but not encrypted: it is used for integrity checks, and decryption fails unless the same AAD is supplied again, which protects your data from a confused deputy attack. AAD and the plaintext each have a size limit of 64KB.
- CIPHERTEXT_PATH: the path of the file to which the ciphertext is written.
After running the command, the file you specified in the --ciphertext-file flag contains the encrypted contents of the plaintext file.
Decrypt data
To decrypt data, use the gdcloud kms keys decrypt command. This command decrypts a given ciphertext file using the AEAD key and writes the result to a named plaintext file.
To decrypt ciphertext, pass in the key name and the following:
  gdcloud kms keys decrypt namespaces/NAMESPACE/aeadKeys/KEY_NAME \
    --ciphertext-file=CIPHERTEXT_PATH \
    --additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE \
    --plaintext-file=PLAINTEXT_PATH
Replace the following variables:
- NAMESPACE: the project namespace.
- KEY_NAME: the name of the key that was used to encrypt the ciphertext.
- CIPHERTEXT_PATH: the path of the file you want to decrypt.
- ADDITIONAL_AUTHENTICATED_DATA_FILE: an optional file that contains additional authenticated data (AAD). If AAD was supplied when the data was encrypted, the same AAD must be supplied here, byte for byte, or the decryption fails; this is the integrity check that protects your data from a confused deputy attack. AAD and the plaintext each have a size limit of 64KB.
- PLAINTEXT_PATH: the path of the file to which the decrypted plaintext is written.
After running the command, the file you specified in the --plaintext-file flag contains the decrypted data.
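The encrypt and decrypt steps above, wrapped in a POSIX shell round-trip check. This is an added example, not code from the GDC documentation: it assumes gdcloud is installed and already authenticated to the org admin cluster, that the caller holds the kms-developer role, that the 64KB limit means 65536 bytes, and that gdcloud exits non-zero when decryption fails (for example because the AAD does not match). The function names and the working-directory layout are the example's own; the sample values kms-test1 and key-1 are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the GDC docs): wraps the documented
# "gdcloud kms keys encrypt" / "gdcloud kms keys decrypt" commands
# in a round-trip check with a negative test for mismatched AAD.
# Assumptions: gdcloud is installed and authenticated to the org admin
# cluster, the caller holds the kms-developer role, and gdcloud exits
# non-zero when a decrypt is rejected.
set -eu

MAX_BYTES=65536   # documented 64KB limit for plaintext and AAD (assumed 64 KiB)

# Build the resource name the CLI expects for an AEAD key.
kms_key_resource() {
  # $1 = namespace, $2 = key name
  printf 'namespaces/%s/aeadKeys/%s\n' "$1" "$2"
}

# Return 0 if the file is within the 64KB limit, 1 otherwise, so an
# oversize plaintext or AAD fails fast before any call to the KMS.
kms_check_size() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -le "$MAX_BYTES" ]
}

# Encrypt plaintext $3 with AAD file $4, writing ciphertext to $5.
kms_encrypt() {
  kms_check_size "$3" || { echo "plaintext exceeds 64KB" >&2; return 1; }
  kms_check_size "$4" || { echo "AAD exceeds 64KB" >&2; return 1; }
  gdcloud kms keys encrypt "$(kms_key_resource "$1" "$2")" \
    --plaintext-file="$3" \
    --additional-authenticated-data-file="$4" \
    --ciphertext-file="$5"
}

# Decrypt ciphertext $3 with AAD file $4, writing plaintext to $5.
# The AAD must be byte-identical to the one used at encryption time.
kms_decrypt() {
  gdcloud kms keys decrypt "$(kms_key_resource "$1" "$2")" \
    --ciphertext-file="$3" \
    --additional-authenticated-data-file="$4" \
    --plaintext-file="$5"
}

# Round trip: encrypt, decrypt with the same AAD, compare with the
# original, then confirm that a different AAD is rejected.
kms_roundtrip() {
  ns=$1 key=$2 plain=$3 aad=$4
  work=$(mktemp -d)
  kms_encrypt "$ns" "$key" "$plain" "$aad" "$work/ct.bin"
  kms_decrypt "$ns" "$key" "$work/ct.bin" "$aad" "$work/pt.bin"
  cmp -s "$plain" "$work/pt.bin" || { echo "round trip mismatch" >&2; return 1; }
  printf 'wrong-context\n' > "$work/bad-aad.txt"
  if kms_decrypt "$ns" "$key" "$work/ct.bin" "$work/bad-aad.txt" "$work/pt2.bin" 2>/dev/null; then
    echo "decrypt with wrong AAD unexpectedly succeeded" >&2
    return 1
  fi
  rm -rf "$work"
  echo "round trip OK; wrong AAD rejected"
}

# Usage (runs only when invoked with four arguments):
#   ./kms_roundtrip.sh kms-test1 key-1 secret.txt aad.txt
if [ "$#" -eq 4 ]; then
  kms_roundtrip "$@"
fi
```

The size check and the resource-name helper run without a cluster; the encrypt, decrypt and round-trip functions need a working gdcloud session. Treat the AAD file as part of the protected context: store it alongside the ciphertext, because without it the ciphertext cannot be recovered.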