Encrypting and Decrypting Data

This topic show you how to do the following:

  • Encrypt text or binary content (plaintext) by using a Cloud KMS key.
  • Decrypt ciphertext that was encrypted with a Cloud KMS key.

Setup

  • Before you encrypt or decrypt data, you must create a KeyRing and a CryptoKey as described in Creating KeyRings and CryptoKeys.

    For security reasons, the raw cryptographic key material represented by a Cloud KMS key can never be viewed or exported. It can only be used by an authorized user to encrypt or decrypt data when they invoke the Cloud KMS API.

  • Ensure the user that is calling the encrypt and decrypt methods has the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key used to encrypt or decrypt.

    One way to permit a user to encrypt or decrypt using a key is to add the user to the roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, or roles/cloudkms.cryptoKeyEncrypterDecrypter IAM roles for that key. For more information, see Permissions and Roles.

  • If you are going to use the client libraries for Cloud KMS, then install the client library for your preferred language.

  • If you are going to use the gcloud command-line tool for Cloud KMS, then install the Google Cloud SDK.

Encrypt

Command-line

To encrypt data, provide the appropriate key information, specify the name of the plaintext file to encrypt, and specify the name of the file that will contain the encrypted content.

gcloud kms encrypt \
    --location=global  \
    --keyring=my-key-ring \
    --key=my-key \
    --plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_ENCRYPT \
    --ciphertext-file=YOUR_FILEPATH_AND_FILENAME.enc

The plaintext file must not be larger than 64 KiB.

The encrypt command supports an optional --additional-authenticated-data- file flag to specify a file that contains additional authenticated data. The additional authenticated data file must not be larger than 64 KiB.

If --plaintext-file or --additional-authenticated-data-file is set to -, that file is read from stdin. Similarly, if --ciphertext-file is set to -, the ciphertext is written to stdout.

The encrypt command supports an optional --version flag to indicate the version of the key to use for encryption. By default, the primary version is used.

The following encrypt example shows how to specify a version key and additional authenticated data.

gcloud kms encrypt \
    --location=global  \
    --keyring=my-key-ring \
    --key=my-key \
    --version=my-key-version \
    --additional-authenticated-data-file=YOUR_ADDITIONAL_AUTHENTICATED_DATA_FILEPATH_AND_FILENAME \
    --plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_ENCRYPT \
    --ciphertext-file=YOUR_FILEPATH_AND_FILENAME.enc

Protocol

Content to be encrypted that is sent to Cloud KMS in JSON must be base64-encoded. For information on encoding and decoding using base64, see Base64 Encoding.

To encrypt data, make a POST request and provide the appropriate project and key information and specify the base64-encoded text to be encrypted in the plaintext field of the request body. Replace YOUR_API_KEY with a valid API key. For information on generating an API key, see Accessing the API.

POST https://cloudkms.googleapis.com/v1/projects/project_id/locations/global/keyRings/keyring_name/cryptoKeys/cryptoKey_name:encrypt&key=YOUR_API_KEY
{
  "plaintext": "U3VwZXIgc2VjcmV0IHRleHQgdGhhdCBtdXN0IGJlIGVuY3J5cHRlZAo=",
}

Here is an example using curl:

curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/YOUR_PROJECT_ID/locations/global/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_CRYPTOKEY_NAME:encrypt" \
  -d "{\"plaintext\":\"BASE64_ENCODED_INPUT\"}" \
  -H "Authorization:Bearer YOUR_API_KEY"\
  -H "Content-Type:application/json"

C#

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

        public static object Encrypt(string projectId, string location, string keyRing, string cryptoKeyName,
string fileToEncrypt, string fileToOutput)
        {
            var cloudKms = CreateAuthorizedClient();
            // Generate the full path of the crypto key to use for encryption.
            var cryptoKey = $"projects/{projectId}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKeyName}";
            EncryptRequest dataToEncrypt = new EncryptRequest();
            byte[] bytes = File.ReadAllBytes(fileToEncrypt);
            string contents = Convert.ToBase64String(bytes);
            dataToEncrypt.Plaintext = contents;
            Console.WriteLine($"dataToEncrypt.Plaintext: {dataToEncrypt.Plaintext}");
            var result = cloudKms.Projects.Locations.KeyRings.CryptoKeys.Encrypt(body: dataToEncrypt, name: cryptoKey).Execute();
            // Output encypted data to a file.
            File.WriteAllBytes(fileToOutput, Convert.FromBase64String(result.Ciphertext));
            Console.Write($"Encypted file created: {fileToOutput}");
            return 0;
        }

Go

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

func encrypt(projectID, keyRing, cryptoKey string, plaintext []byte) ([]byte, error) {
	ctx := context.Background()
	client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
	if err != nil {
		log.Fatal(err)
	}

	cloudkmsService, err := cloudkms.New(client)
	if err != nil {
		log.Fatal(err)
	}

	parentName := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
		projectID, "global", keyRing, cryptoKey)

	resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.
		Encrypt(parentName, &cloudkms.EncryptRequest{
			Plaintext: base64.StdEncoding.EncodeToString(plaintext),
		}).Do()
	if err != nil {
		return nil, err
	}

	return base64.StdEncoding.DecodeString(resp.Ciphertext)
}

Java

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

/**
 * Encrypts the given bytes, using the specified crypto key version.
 */
public static byte[] encrypt(
    String projectId, String ringId, String keyId, String version, byte[] plaintext)
    throws IOException {
  String location = "global";
  // The resource name of the cryptoKey
  String cryptoKeyName = String.format(
      "projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
      projectId, location, ringId, keyId);
  if (null != version) {
    cryptoKeyName += "/cryptoKeyVersions/" + version;
  }
  // Create the Cloud KMS client.
  CloudKMS kms = createAuthorizedClient();

  EncryptRequest request = new EncryptRequest().encodePlaintext(plaintext);
  EncryptResponse response = kms.projects().locations().keyRings().cryptoKeys()
          .encrypt(cryptoKeyName, request)
          .execute();

  return response.decodeCiphertext();
}

Node.js

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

const fs = require('fs');

// Your Google Cloud Platform project ID
// const projectId = 'YOUR_PROJECT_ID';

// The location of the crypto key's key ring, e.g. "global"
// const location = 'global';

// The name of the crypto key's key ring, e.g. "my-key-ring"
// const keyRingName = 'my-key-ring';

// The name of the crypto key, e.g. "my-key"
// const keyName = 'my-key';

// The path to the file to encrypt, e.g. "./path/to/plaintext.txt"
// const infile = './path/to/plaintext.txt';

// The path where the encrypted file should be written, e.g. "./path/to/plaintext.txt.encrypted"
// const outfile = './path/to/plaintext.txt.encrypted';

// Builds and authorizes a Cloud KMS client
buildAndAuthorizeService((err, cloudkms) => {
  if (err) {
    console.log(err);
    return;
  }

  // Reads the file to be encrypted
  fs.readFile(infile, (err, contentsBuffer) => {
    if (err) {
      console.log(err);
      return;
    }

    const request = {
      // This will be a path parameter in the request URL
      name: `projects/${projectId}/locations/${location}/keyRings/${keyRingName}/cryptoKeys/${keyName}`,
      // This will be the request body
      resource: {
        plaintext: contentsBuffer.toString('base64')
      }
    };

    // Encrypts the file using the specified crypto key
    cloudkms.projects.locations.keyRings.cryptoKeys.encrypt(request, (err, result) => {
      if (err) {
        console.log(err);
        return;
      }

      // Writes the encrypted file to disk
      fs.writeFile(outfile, Buffer.from(result.ciphertext), (err) => {
        if (err) {
          console.log(err);
          return;
        }

        console.log(`Encrypted ${infile} using ${result.name}.`);
        console.log(`Result saved to ${outfile}.`);
      });
    });
  });
});

function buildAndAuthorizeService (callback) {
  // Imports the Google APIs client library
  const google = require('googleapis');

  // Acquires credentials
  google.auth.getApplicationDefault((err, authClient) => {
    if (err) {
      callback(err);
      return;
    }

    if (authClient.createScopedRequired && authClient.createScopedRequired()) {
      authClient = authClient.createScoped([
        'https://www.googleapis.com/auth/cloud-platform'
      ]);
    }

    // Instantiates an authorized client
    const cloudkms = google.cloudkms({
      version: 'v1',
      auth: authClient
    });

    callback(null, cloudkms);
  });
}

PHP

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

/**
 * Encrypt a text file.
 *
 * @param string $projectId
 * @param string $ring
 * @param string $key
 * @param string $infile The path to a text file.
 * @param string $outfile The path to write the encrypted file.
 * @param string $location [optional]
 * @return null
 */
function encrypt($projectId, $ring, $key, $infile, $outfile, $location = 'global')
{
    // Instantiate the client, authenticate, and add scopes.
    $client = new Google_Client();
    $client->useApplicationDefaultCredentials();
    $client->addScope('https://www.googleapis.com/auth/cloud-platform');

    // Create the Cloud KMS client.
    $kms = new Google_Service_CloudKMS($client);

    // The resource name of the cryptokey.
    $name = sprintf('projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s',
        $projectId,
        $location,
        $ring,
        $key
    );

    // Use the KMS API to encrypt the text.
    $encoded = base64_encode(file_get_contents($infile));
    $request = new Google_Service_CloudKMS_EncryptRequest();
    $request->setPlaintext($encoded);
    $response = $kms->projects_locations_keyRings_cryptoKeys->encrypt(
        $name,
        $request
    );

    // Write the encrypted text to a file.
    file_put_contents($outfile, $response['ciphertext']);
    printf('Saved encrypted text to %s' . PHP_EOL, $outfile);
}

Python

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

def encrypt(project_id, location, keyring, cryptokey, plaintext_file_name,
            encrypted_file_name):
    """Encrypts data from a plaintext_file_name using the provided CryptoKey
    and saves it to an encrypted_file_name so it can only be recovered with a
    call to decrypt."""

    # Creates an API client for the KMS API.
    kms_client = googleapiclient.discovery.build('cloudkms', 'v1')

    # The resource name of the CryptoKey.
    name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(
        project_id, location, keyring, cryptokey)

    # Read text from the input file.
    with io.open(plaintext_file_name, 'rb') as plaintext_file:
        plaintext = plaintext_file.read()

    # Use the KMS API to encrypt the text.
    cryptokeys = kms_client.projects().locations().keyRings().cryptoKeys()
    request = cryptokeys.encrypt(
        name=name,
        body={'plaintext': base64.b64encode(plaintext).decode('ascii')})
    response = request.execute()
    ciphertext = base64.b64decode(response['ciphertext'].encode('ascii'))

    # Write the encrypted text to a file.
    with io.open(encrypted_file_name, 'wb') as encrypted_file:
        encrypted_file.write(ciphertext)

    print('Saved encrypted text to {}.'.format(encrypted_file_name))

Ruby

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

# project_id  = "Your Google Cloud project ID"
# key_ring_id = "The ID of the key ring"
# crypto_key  = "Name of the crypto key"
# location    = "The location of the key ring"
# input_file  = "File to encrypt"
# output_file = "File name to use for encrypted input file"

require "google/apis/cloudkms_v1"

# Initialize the client and authenticate with the specified scope
Cloudkms = Google::Apis::CloudkmsV1
kms_client = Cloudkms::CloudKMSService.new
kms_client.authorization = Google::Auth.get_application_default(
  "https://www.googleapis.com/auth/cloud-platform"
)

# The resource name of the location associated with the key ring crypto key
resource = "projects/#{project_id}/locations/#{location}/" +
           "keyRings/#{key_ring_id}/cryptoKeys/#{crypto_key}"

# Use the KMS API to encrypt the text
plain_text = File.read input_file

request = Cloudkms::EncryptRequest.new plaintext: plain_text

response = kms_client.encrypt_crypto_key resource, request

# Write the encrypted text to a file
File.write output_file, response.ciphertext

puts "Saved encrypted #{input_file} as #{output_file}"

Decrypt

Command-line

To decrypt data, provide the appropriate key information, specify the name of the encrypted file (ciphertext file) to decrypt, and specify the name of the file that will contain the decrypted content.

gcloud kms decrypt \
    --location=global \
    --keyring=my-key-ring \
    --key=my-key \
    --ciphertext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT \
    --plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT.dec

The decrypt command supports an optional --additional-authenticated-data- file flag to specify a file that contains additional authenticated data. The additional authenticated data file must not be larger than 64 KiB.

If --ciphertext-file or --additional-authenticated-data-file is set to -, that file is read from stdin. Similarly, if --plaintext-file is set to -, the decrypted plaintext is written to stdout.

The following decrypt example shows how to specify additional authenticated data.

gcloud kms decrypt \
    --location=global \
    --keyring=my-key-ring \
    --key=my-key \
    --additional-authenticated-data-file=YOUR_ADDITIONAL_AUTHENTICATED_DATA_FILEPATH_AND_FILENAME \
    --ciphertext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT \
    --plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT.dec

Protocol

Decrypted text that is returned in the JSON from Cloud KMS is base64-encoded. For information on encoding and decoding using base64, see Base64 Encoding.

To decrypt encrypted data, make a POST request and provide the appropriate project and key information and specify the encrypted (cipher) text to be decrypted in the ciphertext field of the request body. Replace YOUR_API_KEY with a valid API key. For information on generating an API key, see Accessing the API.

POST https://cloudkms.googleapis.com/v1/projects/project_id/locations/global/keyRings/keyring_name/cryptoKeys/cryptoKey_name:decrypt&key=YOUR_API_KEY
{
  "ciphertext": "CiQAhMwwBo61cHas7dDgifrUFs5zNzBJ2uZtVFq4ZPEl6fUVT4kSmQ...",
}

Here is an example using curl:

curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/YOUR_PROJECT_ID/locations/global/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_CRYPTOKEY_NAME:decrypt" \
  -d "{\"ciphertext\":\"ENCRYPTED_CONTENT\"}" \
  -H "Authorization:Bearer YOUR_API_KEY"\
  -H "Content-Type:application/json"

C#

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

    public static object Decrypt(string projectId, string location, string keyRing, string cryptoKeyName,
string fileToDecrypt, string fileToOutput)
    {
        var cloudKms = CreateAuthorizedClient();
        // Generate the full path of the crypto key to use for encryption.
        var cryptoKey = $"projects/{projectId}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKeyName}";
        DecryptRequest dataToDecrypt = new DecryptRequest();
        byte[] bytes = File.ReadAllBytes(fileToDecrypt);
        string contents = Convert.ToBase64String(bytes);
        dataToDecrypt.Ciphertext = contents;
        Console.WriteLine($"dataToDecrypt.Ciphertext: {dataToDecrypt.Ciphertext}");
        var result = cloudKms.Projects.Locations.KeyRings.CryptoKeys.Decrypt(dataToDecrypt, cryptoKey).Execute();
        // Output decypted data to a file
        File.WriteAllBytes(fileToOutput, Convert.FromBase64String(result.Plaintext));
        Console.Write($"Encypted file created: {fileToOutput}");
        return 0;
    }

Go

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

func decrypt(projectID, keyRing, cryptoKey string, ciphertext []byte) ([]byte, error) {
	ctx := context.Background()
	client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
	if err != nil {
		log.Fatal(err)
	}

	cloudkmsService, err := cloudkms.New(client)
	if err != nil {
		log.Fatal(err)
	}

	parentName := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
		projectID, "global", keyRing, cryptoKey)

	resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.
		Decrypt(parentName, &cloudkms.DecryptRequest{
			Ciphertext: base64.StdEncoding.EncodeToString(ciphertext),
		}).Do()
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(resp.Plaintext)
}

Java

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

/**
 * Decrypts the given encrypted bytes, using the specified crypto key.
 */
public static byte[] decrypt(String projectId, String ringId, String keyId, byte[] encrypted)
    throws IOException {
  String location = "global";
  // Create the Cloud KMS client.
  CloudKMS kms = createAuthorizedClient();

  // The resource name of the cryptoKey
  String cryptoKeyName = String.format(
      "projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
      projectId, location, ringId, keyId);

  DecryptRequest request = new DecryptRequest().encodeCiphertext(encrypted);
  DecryptResponse response = kms.projects().locations().keyRings().cryptoKeys()
          .decrypt(cryptoKeyName, request)
          .execute();

  return response.decodePlaintext();
}

Node.js

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

const fs = require('fs');

// Your Google Cloud Platform project ID
// const projectId = 'YOUR_PROJECT_ID';

// The location of the crypto key's key ring, e.g. "global"
// const location = 'global';

// The name of the crypto key's key ring, e.g. "my-key-ring"
// const keyRingName = 'my-key-ring';

// The name of the crypto key, e.g. "my-key"
// const keyName = 'my-key';

// The path to the file to decrypt, e.g. "./path/to/plaintext.txt.encrypted"
// const infile = './path/to/plaintext.txt.encrypted';

// The path where the decrypted file should be written, e.g. "./path/to/plaintext.txt.decrypted"
// const outfile = './path/to/plaintext.txt.decrypted';

// Builds and authorizes a Cloud KMS client
buildAndAuthorizeService((err, cloudkms) => {
  if (err) {
    console.log(err);
    return;
  }

  // Reads the file to be decrypted
  fs.readFile(infile, 'utf8', (err, contentsBuffer) => {
    if (err) {
      console.log(err);
      return;
    }

    const request = {
      // This will be a path parameter in the request URL
      name: `projects/${projectId}/locations/${location}/keyRings/${keyRingName}/cryptoKeys/${keyName}`,
      // This will be the request body
      resource: {
        ciphertext: contentsBuffer
      }
    };

    // Dencrypts the file using the specified crypto key
    cloudkms.projects.locations.keyRings.cryptoKeys.decrypt(request, (err, result) => {
      if (err) {
        console.log(err);
        return;
      }

      // Writes the dencrypted file to disk
      fs.writeFile(outfile, Buffer.from(result.plaintext, 'base64'), (err) => {
        if (err) {
          console.log(err);
          return;
        }

        console.log(`Decrypted ${infile}, result saved to ${outfile}.`);
      });
    });
  });
});

function buildAndAuthorizeService (callback) {
  // Imports the Google APIs client library
  const google = require('googleapis');

  // Acquires credentials
  google.auth.getApplicationDefault((err, authClient) => {
    if (err) {
      callback(err);
      return;
    }

    if (authClient.createScopedRequired && authClient.createScopedRequired()) {
      authClient = authClient.createScoped([
        'https://www.googleapis.com/auth/cloud-platform'
      ]);
    }

    // Instantiates an authorized client
    const cloudkms = google.cloudkms({
      version: 'v1',
      auth: authClient
    });

    callback(null, cloudkms);
  });
}

PHP

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

/**
 * Decrypt a text file.
 *
 * @param string $projectId
 * @param string $ring
 * @param string $key
 * @param string $infile The path to an encrypted file.
 * @param string $outfile The path to write the decrypted file.
 * @param string $location [optional]
 * @return null
 */
function decrypt($projectId, $ring, $key, $infile, $outfile, $location = 'global')
{
    // Instantiate the client, authenticate, and add scopes.
    $client = new Google_Client();
    $client->useApplicationDefaultCredentials();
    $client->addScope('https://www.googleapis.com/auth/cloud-platform');

    // Create the Cloud KMS client.
    $kms = new Google_Service_CloudKMS($client);

    // The resource name of the cryptokey.
    $name = sprintf('projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s',
        $projectId,
        $location,
        $ring,
        $key
    );

    // Use the KMS API to decrypt the text.
    $ciphertext = file_get_contents($infile);
    $request = new Google_Service_CloudKMS_DecryptRequest();
    $request->setCiphertext($ciphertext);
    $response = $kms->projects_locations_keyRings_cryptoKeys->decrypt(
        $name,
        $request
    );

    // Write the decrypted text to a file.
    $plaintext = base64_decode($response['plaintext']);
    file_put_contents($outfile, $plaintext);
    printf('Saved decrypted text to %s' . PHP_EOL, $outfile);
}

Python

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

def decrypt(project_id, location, keyring, cryptokey, encrypted_file_name,
            decrypted_file_name):
    """Decrypts data from encrypted_file_name that was previously encrypted
    using the CryptoKey with a call to encrypt. Outputs decrypted data to
    decrpyted_file_name."""

    # Creates an API client for the KMS API.
    kms_client = googleapiclient.discovery.build('cloudkms', 'v1')

    # The resource name of the CryptoKey.
    name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(
        project_id, location, keyring, cryptokey)

    # Read cipher text from the input file.
    with io.open(encrypted_file_name, 'rb') as encrypted_file:
        ciphertext = encrypted_file.read()

    # Use the KMS API to decrypt the text.
    cryptokeys = kms_client.projects().locations().keyRings().cryptoKeys()
    request = cryptokeys.decrypt(
        name=name,
        body={'ciphertext': base64.b64encode(ciphertext).decode('ascii')})
    response = request.execute()
    plaintext = base64.b64decode(response['plaintext'].encode('ascii'))

    # Write the plain text to a file.
    with io.open(decrypted_file_name, 'wb') as decrypted_file:
        decrypted_file.write(plaintext)

    print('Saved decrypted text to {}.'.format(decrypted_file_name))

Ruby

For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.

# project_id  = "Your Google Cloud project ID"
# key_ring_id = "The ID of the key ring"
# crypto_key  = "Name of the crypto key"
# location    = "The location of the key ring"
# input_file  = "The path to an encrypted file"
# output_file = "The path to write the decrypted file"

require "google/apis/cloudkms_v1"

# Initialize the client and authenticate with the specified scope
Cloudkms = Google::Apis::CloudkmsV1
kms_client = Cloudkms::CloudKMSService.new
kms_client.authorization = Google::Auth.get_application_default(
  "https://www.googleapis.com/auth/cloud-platform"
)

# The resource name of the location associated with the key ring crypto key
resource = "projects/#{project_id}/locations/#{location}/" +
           "keyRings/#{key_ring_id}/cryptoKeys/#{crypto_key}"

# Use the KMS API to decrypt the text
encrypted_text = File.read input_file

request = Cloudkms::DecryptRequest.new ciphertext: encrypted_text

response = kms_client.decrypt_crypto_key resource, request

# Write the decrypted text to a file
File.write output_file, response.plaintext

puts "Saved decrypted #{input_file} as #{output_file}"

What's next

Send feedback about...

Cloud KMS Documentation