Download, install, and configure the Google Cloud SDK by following https://cloud.google.com/sdk/docs/install. Then perform the following tasks to test that the externally managed key can encrypt and decrypt:

Encrypt a test file by using the externally managed key

Before proceeding with the next two steps, ensure that the GCP principal (user or service account) that calls the encrypt and decrypt methods has the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key being tested. One way to grant them is to bind the principal to one of the following IAM roles on that key (bind at the key level rather than the project level so the grant stays limited to this key):
  • roles/cloudkms.cryptoKeyEncrypter (encrypt only)
  • roles/cloudkms.cryptoKeyDecrypter (decrypt only)
  • roles/cloudkms.cryptoKeyEncrypterDecrypter (both)
For more information, see Permissions and Roles.
1. Run the following gcloud kms command to encrypt a test file using the externally managed key:
gcloud kms encrypt \
    --key [key] \
    --keyring [key-ring] \
    --location [location]  \
    --plaintext-file [file-with-data-to-encrypt] \
    --ciphertext-file [file-to-store-encrypted-data]
Make the following modifications to the preceding command:
  • Replace [key] with the name of the key to use for encryption.
  • Replace [key-ring] with the name of the key ring where the key is located.
  • Replace [location] with the Cloud KMS location for the key ring.
  • Replace [file-with-data-to-encrypt] and [file-to-store-encrypted-data] with the local file paths for reading the plaintext data and saving the encrypted output.
If the command is successful, it prints nothing; the ciphertext is written to the output file.

Decrypt a test file

Perform the following steps to decrypt a test file by using the externally managed key:
1. Run the following gcloud kms command to decrypt the file that was encrypted in the previous step, using the externally managed key:
gcloud kms decrypt \
    --key [key] \
    --keyring [key-ring] \
    --location [location]  \
    --ciphertext-file [file-path-with-encrypted-data] \
    --plaintext-file [file-path-to-store-plaintext]
Make the following modifications to the preceding command:
  • Replace [key] with the name of the key to use for decryption.
  • Replace [key-ring] with the name of the key ring where the key is located.
  • Replace [location] with the Cloud KMS location for the key ring.
  • Replace [file-path-with-encrypted-data] and [file-path-to-store-plaintext] with the local file paths for reading the encrypted data and saving the decrypted output.
If the command is successful, it prints nothing; the plaintext is written to the output file.
2. Compare the decrypted output with the original file, for example with cmp or diff, and confirm that the two files are identical byte for byte. If they are, the externally managed key is successfully performing encryption and decryption operations.
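The steps above as one script, added here as an example and not taken from the original page or from Google's tooling. It wraps the same gcloud kms encrypt and decrypt calls in shell functions, adds the key-level IAM binding mentioned in the prerequisites, checks that the key under test really is externally managed (Cloud KMS reports protection level EXTERNAL or EXTERNAL_VPC for such keys), and performs the round-trip comparison with cmp. The key, key ring and location names are placeholders, the function names are this example's own, and the GCLOUD variable is an assumption added so the round trip can be exercised against a stand-in binary without a project.

```shell
#!/bin/sh
# Added example (not from the original page): round-trip test of a Cloud KMS
# externally managed key. KEY/KEYRING/LOCATION defaults are placeholders;
# override them in the environment before running.
set -eu

KEY="${KEY:-ekm-test-key}"          # placeholder key name
KEYRING="${KEYRING:-ekm-keyring}"   # placeholder key ring name
LOCATION="${LOCATION:-us-east1}"    # placeholder Cloud KMS location

# The gcloud binary. Can be pointed at a stand-in for an offline dry run.
GCLOUD="${GCLOUD:-gcloud}"

# Grant a principal roles/cloudkms.cryptoKeyEncrypterDecrypter on this key only
# (key-level binding, not project-wide). $1 is e.g. user:alice@example.com or
# serviceAccount:sa@project.iam.gserviceaccount.com.
kms_grant_encrypt_decrypt() {
  "$GCLOUD" kms keys add-iam-policy-binding "$KEY" \
    --keyring "$KEYRING" --location "$LOCATION" \
    --member "$1" --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Print the key's protection level. An externally managed key reports
# EXTERNAL (or EXTERNAL_VPC); anything else means the wrong key is under test.
kms_protection_level() {
  "$GCLOUD" kms keys describe "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --format='value(versionTemplate.protectionLevel)'
}

kms_encrypt() { # $1 plaintext file, $2 ciphertext file
  "$GCLOUD" kms encrypt --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --plaintext-file "$1" --ciphertext-file "$2"
}

kms_decrypt() { # $1 ciphertext file, $2 plaintext output file
  "$GCLOUD" kms decrypt --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --ciphertext-file "$1" --plaintext-file "$2"
}

# Encrypt constructed random data, decrypt it, and compare byte for byte.
# Returns 0 only if the ciphertext is non-empty, differs from the plaintext
# (a "key" that echoes its input is not encrypting) and the decrypted output
# is identical to the original.
kms_roundtrip_check() {
  workdir=$(mktemp -d)
  plain="$workdir/plain.bin"; cipher="$workdir/plain.enc"; out="$workdir/plain.dec"
  head -c 64 /dev/urandom > "$plain"      # constructed test input
  rc=1
  if kms_encrypt "$plain" "$cipher" \
     && [ -s "$cipher" ] && ! cmp -s "$plain" "$cipher" \
     && kms_decrypt "$cipher" "$out" \
     && cmp -s "$plain" "$out"; then
    rc=0
  fi
  rm -rf "$workdir"
  return $rc
}

# Stand-alone use: KEY=... KEYRING=... LOCATION=... sh ekm_roundtrip.sh run
if [ "${1:-}" = "run" ]; then
  echo "protection level: $(kms_protection_level)"
  if kms_roundtrip_check; then
    echo "PASS: externally managed key encrypts and decrypts correctly"
  else
    echo "FAIL: round trip did not reproduce the plaintext" >&2
    exit 1
  fi
fi
```

Run it with the real key names exported and the literal argument run; call kms_grant_encrypt_decrypt first only if the calling principal lacks the permissions listed above. The random input and the ciphertext-differs check are there so the test cannot pass trivially on an empty file or on a misconfigured path that copies input to output.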