This quickstart shows you how to create and use encryption keys with Cloud Key Management Service.

This quickstart uses the command line to send requests to the Cloud KMS API. For programming examples that use the client libraries to send requests to the Cloud KMS API, see Encrypting and Decrypting.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Cloud project.

    Go to the project selector page

  3. Projeniz için faturalandırmanın etkinleştirildiğinden emin olun.

    Faturalandırmayı etkinleştirmeyi öğren

  4. Enable the required API.

    Enable the API

  5. Install and initialize the Cloud SDK.

Key rings and keys

To encrypt and decrypt content you will need a Cloud KMS key, which is part of a key ring.

Create a key ring named test, and a key named quickstart. Refer to the object hierarchy overview for more information about these objects and how they are related.

gcloud kms keyrings create test --location global

gcloud kms keys create quickstart --location global \
  --keyring test \
  --purpose encryption

You can use the list option to view the name and metadata for the key that you just created.

gcloud kms keys list \
  --location global \
  --keyring test

You should see:

NAME                                                                                 PURPOSE          PRIMARY_STATE
projects/project-id/locations/global/keyRings/test/cryptoKeys/quickstart  ENCRYPT_DECRYPT  ENABLED

Encrypt data

Now that you have a key, you can use that key to encrypt text or binary content.

Store some text to be encrypted in a file called "mysecret.txt".

echo -n "Some text to be encrypted" > mysecret.txt

To encrypt the data with gcloud kms encrypt, provide your key information, specify the name of the plaintext file to encrypt, and specify the name of the file that will contain the encrypted content:

gcloud kms encrypt --location global \
  --keyring test --key quickstart \
  --plaintext-file mysecret.txt \
  --ciphertext-file mysecret.txt.encrypted

The encrypt method saves your encrypted content in the file specified by the --ciphertext-file flag.

Decrypt ciphertext

To decrypt the data with gcloud kms decrypt, provide your key information, specify the name of the encrypted file (ciphertext file) to decrypt, and specify the name of the file that will contain the decrypted content:

gcloud kms decrypt \
  --location global \
  --keyring test \
  --key quickstart \
  --ciphertext-file mysecret.txt.encrypted \
  --plaintext-file mysecret.txt.decrypted

The decrypt method saves your decrypted content in the file specified by the --plaintext-file flag.

To decrypt encrypted content, you must use the same key that was used to encrypt the content.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.

List the versions available for your key:

gcloud kms keys versions list --location global \
  --keyring test --key quickstart

To destroy a version, run the following command, replacing key-version with the number of the key version to be destroyed:

gcloud kms keys versions destroy key-version \
  --location global \
  --keyring test \
  --key quickstart

What's next