Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
AO melakukan operasi enkripsi dan dekripsi melalui CLI dengan air gap Google Distributed Cloud (GDC) ke KMS melalui klien gRPC.
Sebelum memulai
Sebelum melakukan operasi kripto, download, instal, dan konfigurasi gdcloud CLI untuk mengakses server Management API. Untuk melakukannya, ikuti
ringkasan gdcloud CLI.
Untuk mendapatkan izin yang diperlukan untuk melakukan operasi kriptografi, minta Admin IAM Organisasi Anda untuk memberi Anda peran KMS Developer (kms-developer).
Mengenkripsi data
Untuk mengenkripsi data, gunakan perintah gdcloud kms keys encrypt. Perintah ini mengenkripsi file teks biasa tertentu menggunakan kunci AEAD, dan menuliskannya ke file ciphertext bernama.
Untuk mengenkripsi data, teruskan nama kunci dan hal berikut:
KEY_NAME: nama kunci yang digunakan untuk mengenkripsi
teks biasa—misalnya: key-1.
PLAINTEXT_PATH: jalur ke file yang berisi
plaintext yang akan dienkripsi.
ADDITIONAL_AUTHENTICATED_DATA_FILE: file opsional
yang berisi data terautentikasi tambahan (AAD). AAD digunakan untuk
pemeriksaan integritas dan melindungi data Anda dari serangan
wakil yang bingung. AAD dan teks biasa masing-masing memiliki batas ukuran 64 KB.
CIPHERTEXT_PATH: jalur ke file yang berisi
teks biasa terenkripsi.
Setelah menjalankan perintah, Anda akan melihat file yang Anda tentukan di tanda
--ciphertext-file yang berisi konten terenkripsi dari file teks biasa.
Mendekripsi data
Untuk mendekripsi data, gunakan perintah gdcloud kms keys decrypt. Perintah ini mendekripsi file ciphertext
tertentu menggunakan kunci AEAD, dan menuliskannya ke file plaintext
bernama.
Untuk mendekripsi ciphertext, teruskan nama kunci dan hal berikut:
KEY_NAME: nama kunci yang digunakan untuk mengenkripsi teks biasa.
CIPHERTEXT_PATH: jalur file yang ingin Anda
dekripsi.
ADDITIONAL_AUTHENTICATED_DATA_FILE: file opsional
yang berisi data terautentikasi tambahan (AAD). AAD digunakan untuk
pemeriksaan integritas dan melindungi data Anda dari serangan
wakil yang bingung. AAD dan teks biasa masing-masing memiliki batas ukuran 64 KB.
PLAINTEXT_PATH: jalur ke file yang berisi
teks biasa yang didekripsi.
Setelah menjalankan perintah, Anda akan melihat file yang ditentukan di tanda
--plaintext-file yang berisi data yang didekripsi.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[[["\u003cp\u003eThe AO (air-gapped operations) utilizes the Google Distributed Cloud (GDC) air-gapped CLI and a gRPC client to perform encryption and decryption operations via the KMS.\u003c/p\u003e\n"],["\u003cp\u003eBefore starting cryptographic operations, users must download, install, and configure the \u003ccode\u003egdcloud\u003c/code\u003e CLI to access the Management API server as detailed in the \u003ccode\u003egdcloud\u003c/code\u003e CLI overview.\u003c/p\u003e\n"],["\u003cp\u003eEncrypting data requires the \u003ccode\u003egdcloud kms keys encrypt\u003c/code\u003e command, where you must specify the key name, plaintext file path, an optional additional authenticated data file path, and a ciphertext file path.\u003c/p\u003e\n"],["\u003cp\u003eDecrypting data requires the \u003ccode\u003egdcloud kms keys decrypt\u003c/code\u003e command, specifying the key name, ciphertext file path, and the path for the decrypted plaintext file, in addition to the optional additional authenticated data file path.\u003c/p\u003e\n"],["\u003cp\u003eTo complete cryptographic operations, users must be granted the KMS Developer (\u003ccode\u003ekms-developer\u003c/code\u003e) role by their Organization IAM Admin.\u003c/p\u003e\n"]]],[],null,["# Encrypt and decrypt data\n\nThe AO performs encrypt and decrypt operations through the\nGoogle Distributed Cloud (GDC) air-gapped CLI to the KMS through a gRPC client.\n\nBefore you begin\n----------------\n\nBefore performing crypto operations, download, install, and configure the\ngdcloud CLI to access the Management API server. To do this, follow the\n[gdcloud CLI overview](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview).\n\nTo get the permissions you need to perform cryptographic operations, ask\nyour Organization IAM Admin to grant you the KMS Developer (`kms-developer`)\nrole.\n\nEncrypt data\n------------\n\nTo encrypt data, use the `gdcloud kms keys encrypt` command. This command encrypts a\ngiven plaintext file using the `AEAD` key, and writes it to a named ciphertext\nfile.\n\n- To encrypt data, pass in the key name and the following:\n\n gdcloud kms keys encrypt namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/aeadKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --plaintext-file=\u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e \\\n --additional-authenticated-data-file=\u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e \\\n --ciphertext-file=\u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: the project namespace---for example: `kms-test1`.\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the name of the key used to encrypt the plaintext---for example: `key-1`.\n - \u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e: the path to the file that contains the plaintext to encrypt.\n - \u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e: an optional file that contains additional authenticated data (AAD). AAD is used for integrity checks and protects your data from a confused deputy attack. AAD and the plaintext each have a size limit of 64KB.\n - \u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e: the path to the file that contains the encrypted plaintext.\n\n After running the command, you see a file you specified in the\n `--ciphertext-file` flag that contains the encrypted contents of the plaintext\n file.\n\nDecrypt data\n------------\n\nTo decrypt data, use the `gdcloud kms keys decrypt` command. This command decrypts a\ngiven ciphertext file using the `AEAD` key, and writes it to a named plaintext\nfile.\n\n- To decrypt ciphertext, pass in the key name and the following:\n\n gdcloud kms keys decrypt namespaces/\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e/aeadKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --ciphertext-file=\u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e \\\n --additional-authenticated-data-file=\u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e \\\n --plaintext-file=\u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: the project namespace.\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the name of the key used to encrypt the plaintext.\n - \u003cvar translate=\"no\"\u003eCIPHERTEXT_PATH\u003c/var\u003e: the path of the file you want to decrypt.\n - \u003cvar translate=\"no\"\u003eADDITIONAL_AUTHENTICATED_DATA_FILE\u003c/var\u003e: an optional file that contains additional authenticated data (AAD). AAD is used for integrity checks and protects your data from a confused deputy attack. AAD and the plaintext each have a size limit of 64KB. **Note**: You must use the same AAD you passed during the encrypt operation for the decrypt operation.\n - \u003cvar translate=\"no\"\u003ePLAINTEXT_PATH\u003c/var\u003e: the path to the file that contains the decrypted plaintext.\n\n After running the command, you see a file you specified in the\n `--plaintext-file` flag that contains the decrypted data."]]