Method: cryptoKeys.encrypt

Full name: projects.locations.keyRings.cryptoKeys.encrypt

Encrypts data, so that it can only be recovered by a call to cryptoKeys.decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

HTTP request

POST https://cloudkms.googleapis.com/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption.

If a CryptoKey is specified, the server will use its primary version.

Authorization requires the following Google IAM permission on the specified resource name:

  • cloudkms.cryptoKeyVersions.useToEncrypt

Request body

The request body contains data with the following structure:

JSON representation
{
  "plaintext": string,
  "additionalAuthenticatedData": string
}
Fields
plaintext

string (bytes format)

Required. The data to encrypt. Must be no larger than 64KiB.

The maximum size depends on the key version's protectionLevel. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.

A base64-encoded string.

additionalAuthenticatedData

string (bytes format)

Optional data that, if specified, must also be provided during decryption through DecryptRequest.additional_authenticated_data.

The maximum size depends on the key version's protectionLevel. For SOFTWARE keys, the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.

A base64-encoded string.
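
An added example (not part of the Cloud KMS reference): a Python helper that builds the URL and JSON body for this method and rejects inputs that break the size limits listed above before anything is sent. The function name, the sample resource name in the test, and the choice to measure the limits on the raw bytes before base64 encoding are assumptions of this example.

```python
import base64
import json
import re

KIB = 1024
# Path template from the HTTP request section; the trailing ** also admits
# a /cryptoKeyVersions/<id> suffix (CryptoKey or CryptoKeyVersion name).
NAME_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+"
    r"(/cryptoKeyVersions/[^/]+)?$"
)


def build_encrypt_request(name, plaintext, aad=b"", protection_level="SOFTWARE"):
    """Return (url, json_body) for cryptoKeys.encrypt (hypothetical helper)."""
    if not NAME_RE.match(name):
        raise ValueError("name is not a CryptoKey or CryptoKeyVersion resource name")
    if protection_level == "SOFTWARE":
        # SOFTWARE keys: plaintext and AAD are each limited to 64KiB.
        if len(plaintext) > 64 * KIB:
            raise ValueError("plaintext exceeds 64KiB")
        if len(aad) > 64 * KIB:
            raise ValueError("additionalAuthenticatedData exceeds 64KiB")
    elif protection_level == "HSM":
        # HSM keys: the 8KiB limit applies to the combined length.
        if len(plaintext) + len(aad) > 8 * KIB:
            raise ValueError("plaintext + additionalAuthenticatedData exceeds 8KiB")
    else:
        # The page states limits only for SOFTWARE and HSM.
        raise ValueError("no documented limit for protectionLevel " + protection_level)
    # Assumption: limits are checked on raw bytes; both bytes-format fields
    # are then sent base64-encoded.
    body = {"plaintext": base64.b64encode(plaintext).decode("ascii")}
    if aad:
        # The same AAD bytes must be supplied again in the decrypt request.
        body["additionalAuthenticatedData"] = base64.b64encode(aad).decode("ascii")
    url = "https://cloudkms.googleapis.com/v1/" + name + ":encrypt"
    return url, json.dumps(body)
```

The helper performs no network I/O; the returned URL and body are what an authenticated POST would carry.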

Response body

If successful, the response body contains data with the following structure:

Response message for KeyManagementService.Encrypt.

JSON representation
{
  "name": string,
  "ciphertext": string
}
Fields
name

string

The resource name of the CryptoKeyVersion used in encryption.

ciphertext

string (bytes format)

The encrypted data.

A base64-encoded string.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudkms
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
