Asymmetric encryption

Asymmetric encryption is the process of using a public key from a public/private key pair to encrypt plaintext, and then using the corresponding private key to decrypt the ciphertext. Asymmetric encryption relies on asymmetric cryptography, also known as public key cryptography.

Symmetric encryption, on the other hand, uses the same key to encrypt and decrypt data.

Asymmetric encryption workflow

The following describes the flow for using an asymmetric key to encrypt and decrypt data. The two participants in this workflow consists of a sender and a recipient. The sender creates ciphertext using the recipient's public key, and then the recipient decrypts the ciphertext using the recipient's private key. Only someone with knowledge of the private key can decrypt the ciphertext.

1. The sender retrieves the recipient's public key.

2. The sender uses the public key to encrypt plaintext.

3. The sender sends the ciphertext to the recipient.

4. The recipient uses the recipient's private key to decrypt the ciphertext. The recipient can now view the plaintext.

Example use case for asymmetric encryption

Asymmetric encryption only supports a very small plaintext size, so asymmetric encryption is generally used for encryption keys, not large pieces of data. As an example, you can use asymmetric encryption as a variation of envelope encryption. In this scenario, anyone with access to the public key can encrypt the data encryption key (DEK). Only Cloud KMS can then decrypt the encrypted DEK, on behalf of the owner of the asymmetric key.

Asymmetric encryption algorithms

Cloud Key Management Service supports RSA algorithms for asymmetric encryption. RSA is an industry standard algorithm and offers choices of key size and digest algorithm. RSA cryptography relies on the difficulty in factoring a large integer into two or more factors. The larger the key size, the more difficult it is to factor the integers.

Cloud KMS asymmetric encryption functionality

Cloud KMS provides the following functionality related to asymmetric encryption.

• Ability to create an asymmetric key with key purpose of ASYMMETRIC_DECRYPT. For information about which algorithms Cloud KMS supports, see asymmetric encryption algorithms.

• Ability to retrieve the public key for an asymmetric key. You use the public key to encrypt data. Cloud KMS does not directly provide a method to asymmetrically encrypt data. Instead, you encrypt data using openly available SDKs and tools, such as OpenSSL. These SDKs and tools require the public key that you retrieve from Cloud KMS.

• Ability to decrypt data with an asymmetric key.