Perform the tasks in this section to test encryption and decryption by using an externally managed key.

Download and install the Google Cloud SDK

Follow the instructions at this URL to download, install, and configure the Google Cloud SDK: https://cloud.google.com/sdk/docs/install

Verify Google JWKS reachability

From the CryptoHub network, verify reachability from your network to Google’s JWKS endpoint:
curl -I https://www.googleapis.com/oauth2/v3/certs
Expect 200 OK.

Encrypt a test file

Before proceeding, ensure the Google Cloud user that is calling the encrypt and decrypt methods has the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key being used. To permit a user to encrypt or decrypt, add the user to the roles/cloudkms.cryptoKeyEncrypter and roles/cloudkms.cryptoKeyDecrypter IAM roles, or the roles/cloudkms.cryptoKeyEncrypterDecrypter IAM role for that key. For more information, see Permissions and Roles.
Run the following gcloud kms command to encrypt a test file by using the externally managed key:
gcloud kms encrypt \
      --key [key] \
      --keyring [key-ring] \
      --location [location] \
      --plaintext-file [file-with-data-to-encrypt] \
      --ciphertext-file [file-to-store-encrypted-data]
To use this command, perform the following actions:
  • Replace [key] with the name of the key to use for encryption.
  • Replace [key-ring] with the name of the key ring where the key is located.
  • Replace [location] with the Cloud KMS location for the key ring.
  • Replace [file-with-data-to-encrypt] and [file-to-store-encrypted-data] with the local file paths for reading the plaintext data and saving the encrypted output.
If the command is successful, it returns no output.

Decrypt the encrypted file

Run the following gcloud kms command to decrypt the file you encrypted in the previous step, using the externally managed key:
gcloud kms decrypt \
      --key [key] \
      --keyring [key-ring] \
      --location [location] \
      --ciphertext-file [encrypted-file] \
      --plaintext-file [path-to-store-decrypted-file]
To use this command, perform the following actions:
  • Replace [key] with the name of the key to use for decryption.
  • Replace [key-ring] with the name of the key ring where the key is located.
  • Replace [location] with the Cloud KMS location for the key ring.
  • Replace [encrypted-file] and [path-to-store-decrypted-file] with the local file paths for reading the encrypted data and saving the decrypted output.
If the command is successful, it returns no output.
View the contents of the plaintext file output from the decryption command and confirm it is identical to the original file you encrypted. If the two files are identical, that fact confirms the externally managed key successfully performed encryption and decryption operations.
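The steps above (JWKS reachability check, encrypt, decrypt, compare) can be driven as one script. The following is an added example, not part of this page or of the CryptoHub or Google EKM tooling; it assumes the gcloud SDK is installed and authenticated as a user holding the encrypter/decrypter roles, and the [key], [key-ring] and [location] arguments are placeholders you replace. The plaintext it encrypts is constructed in a temporary directory, and it reports success only when the decrypted output is byte-for-byte identical to the original.

```shell
#!/bin/sh
# Added example (not from the original page): runs the JWKS check,
# encrypt, decrypt and compare steps as one round-trip test.
# [key], [key-ring] and [location] are placeholders passed as arguments.
set -eu

JWKS_URL="https://www.googleapis.com/oauth2/v3/certs"

# Return 0 only if the JWKS endpoint answers 200; CryptoHub needs this
# endpoint to validate the ID tokens Google presents to the EKM service.
check_jwks() {
    code=$(curl -sS -I -o /dev/null -w '%{http_code}' "$JWKS_URL")
    [ "$code" = "200" ]
}

# Show which principals hold roles on the key, so a missing
# cryptoKeyEncrypter/cryptoKeyDecrypter binding is visible before testing.
show_key_policy() {
    gcloud kms keys get-iam-policy "$1" --keyring "$2" --location "$3"
}

# kms_encrypt KEY KEYRING LOCATION PLAINTEXT-FILE CIPHERTEXT-FILE
kms_encrypt() {
    gcloud kms encrypt --key "$1" --keyring "$2" --location "$3" \
        --plaintext-file "$4" --ciphertext-file "$5"
}

# kms_decrypt KEY KEYRING LOCATION CIPHERTEXT-FILE PLAINTEXT-FILE
kms_decrypt() {
    gcloud kms decrypt --key "$1" --keyring "$2" --location "$3" \
        --ciphertext-file "$4" --plaintext-file "$5"
}

# Byte-for-byte comparison of the original and the decrypted file;
# exit status 0 means identical, i.e. the round trip through the key worked.
roundtrip_ok() {
    cmp -s "$1" "$2"
}

# Sanity check: the ciphertext must not equal the plaintext it came from.
ciphertext_differs() {
    ! cmp -s "$1" "$2"
}

# run_roundtrip KEY KEYRING LOCATION: the full procedure in a temp directory.
run_roundtrip() {
    key=$1; keyring=$2; location=$3
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    # Constructed test plaintext.
    printf 'EKM round-trip test %s\n' "$(date -u)" > "$work/plain.txt"

    check_jwks || { echo "JWKS endpoint not reachable (expected 200)" >&2; return 1; }
    show_key_policy "$key" "$keyring" "$location"
    kms_encrypt "$key" "$keyring" "$location" "$work/plain.txt" "$work/plain.enc"
    ciphertext_differs "$work/plain.txt" "$work/plain.enc" \
        || { echo "ciphertext is identical to plaintext" >&2; return 1; }
    kms_decrypt "$key" "$keyring" "$location" "$work/plain.enc" "$work/decrypted.txt"
    if roundtrip_ok "$work/plain.txt" "$work/decrypted.txt"; then
        echo "OK: decrypted output matches original; the external key performed encrypt and decrypt"
    else
        echo "FAIL: decrypted output differs from original" >&2
        return 1
    fi
}

# Usage: sh ekm_roundtrip.sh --run [key] [key-ring] [location]
if [ "${1:-}" = "--run" ]; then
    run_roundtrip "$2" "$3" "$4"
fi
```

The comparison is done with cmp rather than by eye so the check is exact, and the script refuses to report success when the ciphertext file equals the plaintext, which would indicate the encrypt step did not actually run through the key.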

Troubleshooting (Auth)

  • invalid audience / “JWT validation failed” -> Re-deploy the Google EKM service after opening CryptoHub at the correct FQDN so the audience matches Google’s token. (Google ID tokens must match issuer/JWKS and the exact aud.)
  • JWKS fetch failed / timeouts -> Allow outbound HTTPS from CryptoHub (or via proxy) to https://www.googleapis.com/oauth2/v3/certs.