Method: cryptoKeys.encrypt

Full name: projects.locations.keyRings.cryptoKeys.encrypt

Encrypts data, so that it can only be recovered by a call to cryptoKeys.decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

HTTP request

POST https://cloudkms.googleapis.com/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption.

If a CryptoKey is specified, the server will use its primary version.

Authorization requires the following IAM permission on the specified resource name:

  • cloudkms.cryptoKeyVersions.useToEncrypt

Request body

The request body contains data with the following structure:

JSON representation
{
  "plaintext": string,
  "additionalAuthenticatedData": string,
  "plaintextCrc32c": string,
  "additionalAuthenticatedDataCrc32c": string
}
Fields
plaintext

string (bytes format)

Required. The data to encrypt. Must be no larger than 64KiB.

The maximum size depends on the key version's protectionLevel. For SOFTWARE, EXTERNAL, and EXTERNAL_VPC keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.

A base64-encoded string.

additionalAuthenticatedData

string (bytes format)

Optional. Optional data that, if specified, must also be provided during decryption through DecryptRequest.additional_authenticated_data.

The maximum size depends on the key version's protectionLevel. For SOFTWARE, EXTERNAL, and EXTERNAL_VPC keys the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.

A base64-encoded string.

plaintextCrc32c

string (Int64Value format)

Optional. An optional CRC32C checksum of the EncryptRequest.plaintext. If specified, KeyManagementService will verify the integrity of the received EncryptRequest.plaintext using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.plaintext) is equal to EncryptRequest.plaintext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

additionalAuthenticatedDataCrc32c

string (Int64Value format)

Optional. An optional CRC32C checksum of the EncryptRequest.additional_authenticated_data. If specified, KeyManagementService will verify the integrity of the received EncryptRequest.additional_authenticated_data using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.additional_authenticated_data) is equal to EncryptRequest.additional_authenticated_data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

Response body

Response message for KeyManagementService.Encrypt.

If successful, the response body contains data with the following structure:

JSON representation
{
  "name": string,
  "ciphertext": string,
  "ciphertextCrc32c": string,
  "verifiedPlaintextCrc32c": boolean,
  "verifiedAdditionalAuthenticatedDataCrc32c": boolean,
  "protectionLevel": enum (ProtectionLevel)
}
Fields
name

string

The resource name of the CryptoKeyVersion used in encryption. Check this field to verify that the intended resource was used for encryption.

ciphertext

string (bytes format)

The encrypted data.

A base64-encoded string.

ciphertextCrc32c

string (Int64Value format)

Integrity verification field. A CRC32C checksum of the returned EncryptResponse.ciphertext. An integrity check of EncryptResponse.ciphertext can be performed by computing the CRC32C checksum of EncryptResponse.ciphertext and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

verifiedPlaintextCrc32c

boolean

Integrity verification field. A flag indicating whether EncryptRequest.plaintext_crc32c was received by KeyManagementService and used for the integrity verification of the plaintext. A false value of this field indicates either that EncryptRequest.plaintext_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set EncryptRequest.plaintext_crc32c but this field is still false, discard the response and perform a limited number of retries.

verifiedAdditionalAuthenticatedDataCrc32c

boolean

Integrity verification field. A flag indicating whether EncryptRequest.additional_authenticated_data_crc32c was received by KeyManagementService and used for the integrity verification of the AAD. A false value of this field indicates either that EncryptRequest.additional_authenticated_data_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set EncryptRequest.additional_authenticated_data_crc32c but this field is still false, discard the response and perform a limited number of retries.

protectionLevel

enum (ProtectionLevel)

The ProtectionLevel of the CryptoKeyVersion used in encryption.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudkms
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.