This quickstart uses the command line to send requests to the Cloud KMS API. For programming examples that use the client libraries to send requests to the Cloud KMS API, see Encrypting and Decrypting.
Before you begin
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the GCP Console, on the project selector page, select or create a GCP project.
Make sure that billing is enabled for your Google Cloud Platform project. Learn how to enable billing.
- Enable the Cloud KMS API.
- Install and initialize the Cloud SDK.
Key rings and keys
To encrypt and decrypt content you will need a Cloud KMS key, which is part of a key ring.
Create a key ring named
test, and a key named
quickstart. Refer to the
object hierarchy overview for more
information about these objects and how they are related.
gcloud kms keyrings create test --location global gcloud kms keys create quickstart --location global \ --keyring test --purpose encryption
You can use the
list option to view the name and metadata for the key that you
gcloud kms keys list --location global --keyring test
You should see:
NAME PURPOSE PRIMARY_STATE projects/PROJECT_ID/locations/global/keyRings/test/cryptoKeys/quickstart ENCRYPT_DECRYPT ENABLED
Now that you have a key, you can use that key to encrypt text or binary content.
Store some text to be encrypted in a file called "mysecret.txt".
echo -n "Some text to be encrypted" > mysecret.txt
To encrypt the data with
gcloud kms encrypt, provide your key information,
specify the name of the plaintext file to encrypt, and specify the name of the
file that will contain the encrypted content:
gcloud kms encrypt --location global \ --keyring test --key quickstart \ --plaintext-file mysecret.txt \ --ciphertext-file mysecret.txt.encrypted
encrypt method saves your encrypted content in the file specified by the
To decrypt the data with
gcloud kms decrypt, provide your key information,
specify the name of the encrypted file (ciphertext file) to decrypt, and specify
the name of the file that will contain the decrypted content:
gcloud kms decrypt --location global \ --keyring test --key quickstart \ --ciphertext-file mysecret.txt.encrypted \ --plaintext-file mysecret.txt.decrypted
decrypt method saves your decrypted content in the file specified by the
To decrypt encrypted content, you must use the same key that was used to encrypt the content.
To avoid incurring charges to your GCP account for the resources used in this quickstart, follow these steps.
List the versions available for your key:
gcloud kms keys versions list --location global \ --keyring test --key quickstart
To destroy a version, run the following command, replacing VERSION_NUMBER with the version number to be destroyed:
gcloud kms keys versions destroy VERSION_NUMBER \ --location global --keyring test --key quickstart