Method: cryptoKeys.encrypt

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization Scopes
Try it!

Full name: projects.locations.keyRings.cryptoKeys.encrypt

Encrypts data, so that it can only be recovered by a call to cryptoKeys.decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

HTTP request

POST https://cloudkms.googleapis.com/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The resource name of the `CryptoKey` or `CryptoKeyVersion` to use for encryption. If a `CryptoKey` is specified, the server will use its `primary version`. Authorization requires the following Google IAM permission on the specified resource `name`: `cloudkms.cryptoKeyVersions.useToEncrypt`

name

string

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption.

If a CryptoKey is specified, the server will use its primary version.

Authorization requires the following Google IAM permission on the specified resource name:

cloudkms.cryptoKeyVersions.useToEncrypt

Request body

The request body contains data with the following structure:

JSON representation
{ "plaintext": string, "additionalAuthenticatedData": string }

Fields

Fields
`plaintext`	`string (bytes format)` Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's `protectionLevel`. For `SOFTWARE` keys, the plaintext must be no larger than 64KiB. For `HSM` keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB. A base64-encoded string.
`additionalAuthenticatedData`	`string (bytes format)` Optional. Optional data that, if specified, must also be provided during decryption through `DecryptRequest.additional_authenticated_data`. The maximum size depends on the key version's `protectionLevel`. For `SOFTWARE` keys, the AAD must be no larger than 64KiB. For `HSM` keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB. A base64-encoded string.

plaintext

string (bytes format)

Required. The data to encrypt. Must be no larger than 64KiB.

The maximum size depends on the key version's protectionLevel. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.

A base64-encoded string.

additionalAuthenticatedData

string (bytes format)

Optional. Optional data that, if specified, must also be provided during decryption through DecryptRequest.additional_authenticated_data.

The maximum size depends on the key version's protectionLevel. For SOFTWARE keys, the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.

A base64-encoded string.

Response body

If successful, the response body contains data with the following structure:

Response message for KeyManagementService.Encrypt.

JSON representation
{ "name": string, "ciphertext": string }

Fields

Fields
`name`	`string` The resource name of the `CryptoKeyVersion` used in encryption. Check this field to verify that the intended resource was used for encryption.
`ciphertext`	`string (bytes format)` The encrypted data. A base64-encoded string.

name

string

The resource name of the CryptoKeyVersion used in encryption. Check this field to verify that the intended resource was used for encryption.

ciphertext

string (bytes format)

The encrypted data.

A base64-encoded string.

Authorization Scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Method: cryptoKeys.encrypt

HTTP request

Path parameters

Request body

Response body

Authorization Scopes

Try it!