Method: cryptoKeys.encrypt

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization Scopes
Try it!

Full name: projects.locations.keyRings.cryptoKeys.encrypt

Encrypts data, so that it can only be recovered by a call to cryptoKeys.decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

HTTP request

POST https://cloudkms.googleapis.com/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The resource name of the `CryptoKey` or `CryptoKeyVersion` to use for encryption. If a `CryptoKey` is specified, the server will use its `primary version`. Authorization requires the following IAM permission on the specified resource `name`: `cloudkms.cryptoKeyVersions.useToEncrypt`

name

string

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption.

If a CryptoKey is specified, the server will use its primary version.

Authorization requires the following IAM permission on the specified resource name:

cloudkms.cryptoKeyVersions.useToEncrypt

Request body

The request body contains data with the following structure:

JSON representation
{ "plaintext": string, "additionalAuthenticatedData": string, "plaintextCrc32c": string, "additionalAuthenticatedDataCrc32c": string }

Fields
`plaintext`	`string (bytes format)` Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's `protectionLevel`. For `SOFTWARE` keys, the plaintext must be no larger than 64KiB. For `HSM` keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB. A base64-encoded string.
`additionalAuthenticatedData`	`string (bytes format)` Optional. Optional data that, if specified, must also be provided during decryption through `DecryptRequest.additional_authenticated_data`. The maximum size depends on the key version's `protectionLevel`. For `SOFTWARE` keys, the AAD must be no larger than 64KiB. For `HSM` keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB. A base64-encoded string.
`plaintextCrc32c`	`string (Int64Value format)` Optional. An optional CRC32C checksum of the `EncryptRequest.plaintext`. If specified, `KeyManagementService` will verify the integrity of the received `EncryptRequest.plaintext` using this checksum. `KeyManagementService` will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(`EncryptRequest.plaintext`) is equal to `EncryptRequest.plaintext_crc32c`, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. NOTE: This field is in Beta.
`additionalAuthenticatedDataCrc32c`	`string (Int64Value format)` Optional. An optional CRC32C checksum of the `EncryptRequest.additional_authenticated_data`. If specified, `KeyManagementService` will verify the integrity of the received `EncryptRequest.additional_authenticated_data` using this checksum. `KeyManagementService` will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(`EncryptRequest.additional_authenticated_data`) is equal to `EncryptRequest.additional_authenticated_data_crc32c`, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. NOTE: This field is in Beta.

Response body

If successful, the response body contains data with the following structure:

Response message for KeyManagementService.Encrypt.

JSON representation
{ "name": string, "ciphertext": string, "ciphertextCrc32c": string, "verifiedPlaintextCrc32c": boolean, "verifiedAdditionalAuthenticatedDataCrc32c": boolean }

Fields
`name`	`string` The resource name of the `CryptoKeyVersion` used in encryption. Check this field to verify that the intended resource was used for encryption.
`ciphertext`	`string (bytes format)` The encrypted data. A base64-encoded string.
`ciphertextCrc32c`	`string (Int64Value format)` Integrity verification field. A CRC32C checksum of the returned `EncryptResponse.ciphertext`. An integrity check of `EncryptResponse.ciphertext` can be performed by computing the CRC32C checksum of `EncryptResponse.ciphertext` and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. NOTE: This field is in Beta.
`verifiedPlaintextCrc32c`	`boolean` Integrity verification field. A flag indicating whether `EncryptRequest.plaintext_crc32c` was received by `KeyManagementService` and used for the integrity verification of the `plaintext`. A false value of this field indicates either that `EncryptRequest.plaintext_crc32c` was left unset or that it was not delivered to `KeyManagementService`. If you've set `EncryptRequest.plaintext_crc32c` but this field is still false, discard the response and perform a limited number of retries. NOTE: This field is in Beta.
`verifiedAdditionalAuthenticatedDataCrc32c`	`boolean` Integrity verification field. A flag indicating whether `EncryptRequest.additional_authenticated_data_crc32c` was received by `KeyManagementService` and used for the integrity verification of the `AAD`. A false value of this field indicates either that `EncryptRequest.additional_authenticated_data_crc32c` was left unset or that it was not delivered to `KeyManagementService`. If you've set `EncryptRequest.additional_authenticated_data_crc32c` but this field is still false, discard the response and perform a limited number of retries. NOTE: This field is in Beta.

Authorization Scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.