- NAME
-
- gcloud kms raw-encrypt - encrypt a plaintext file using a raw key
- SYNOPSIS
-
-
gcloud kms raw-encrypt
--ciphertext-file
=CIPHERTEXT_FILE
--plaintext-file
=PLAINTEXT_FILE
--version
=VERSION
[--additional-authenticated-data-file
=ADDITIONAL_AUTHENTICATED_DATA_FILE
] [--initialization-vector-file
=INITIALIZATION_VECTOR_FILE
] [--key
=KEY
] [--keyring
=KEYRING
] [--location
=LOCATION
] [--skip-integrity-verification
] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
Encrypts the given plaintext file using the given CryptoKey containing a raw key
and writes the result to the named ciphertext file. The plaintext file must not
be larger than 64KiB. For the AES-CBC algorithms, no server-side padding is
being done, so the plaintext must be a multiple of the block size.
The supported algorithms are:
AES-128-GCM
,AES-256-GCM
,AES-128-CBC
,AES-256-CBC
,AES-128-CTR
,and AES-256-CTR
.AES-GCM
provides authentication which means that it accepts additional authenticated data (AAD). So, the flag--additional-authenticated-data-file
is only valid withAES-128-GCM
andAES-256-GCM
algorithms.The initialization vector (flag
--initialization-vector-file
) is only supported forAES-CBC
andAES-CTR
algorithms, and must be 16B in length.Therefore, both additional authenticated data and initialization vector can't be provided during encryption. If an additional authenticated data file is provided, its contents must also be provided during decryption. The file must not be larger than 64KiB.
The flag
--version
indicates the version of the key to use for encryption.If
--plaintext-file
or--additional-authenticated-data-file
or--initialization-vector-file
is set to '-', that file is read from stdin. Similarly, if--ciphertext-file
is set to '-', the ciphertext is written to stdout.By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use
--skip-integrity-verification
to disable integrity verification. - EXAMPLES
-
The following command reads and encrypts the file
path/to/input/plaintext
. The file will be encrypted using theAES-GCM
CryptoKeyKEYNAME
from the KeyRingKEYRING
in theglobal
location using the additional authenticated data filepath/to/input/aad
. The resulting ciphertext will be written topath/to/output/ciphertext
.gcloud kms raw-encrypt --key=KEYNAME --keyring=KEYRING --location=global --plaintext-file=path/to/input/plaintext --additional-authenticated-data-file=path/to/input/aad --ciphertext-file=path/to/output/ciphertext
The following command reads and encrypts the file
path/to/input/plaintext
. The file will be encrypted using theAES-CBC
CryptoKeyKEYNAME
from the KeyRingKEYRING
in theglobal
location using the initialization vector stored atpath/to/input/aad
. The resulting ciphertext will be written topath/to/output/ciphertext
.gcloud kms raw-encrypt --key=KEYNAME --keyring=KEYRING --location=global --plaintext-file=path/to/input/plaintext --initialization-vector-file=path/to/input/iv --ciphertext-file=path/to/output/ciphertext
- REQUIRED FLAGS
-
--ciphertext-file
=CIPHERTEXT_FILE
- File path of the ciphertext file to output.
--plaintext-file
=PLAINTEXT_FILE
- File path of the plaintext file to encrypt.
--version
=VERSION
- Version to use for encryption.
- OPTIONAL FLAGS
-
--additional-authenticated-data-file
=ADDITIONAL_AUTHENTICATED_DATA_FILE
- File path to the optional file containing the additional authenticated data.
--initialization-vector-file
=INITIALIZATION_VECTOR_FILE
- File path to the optional file containing the initialization vector for encryption.
--key
=KEY
- The key to use for encryption.
--keyring
=KEYRING
- Key ring of the key.
--location
=LOCATION
- Location of the keyring.
--skip-integrity-verification
- Skip integrity verification on request and response API fields.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
These variants are also available:
gcloud alpha kms raw-encrypt
gcloud beta kms raw-encrypt
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-02-06 UTC.