To verify that the Google Cloud EKM and VirtuCrypt integration is working correctly, this section provides instructions for testing the complete encryption and decryption workflow. It shows how to use the Google Cloud SDK command-line tools to encrypt a test file with your externally managed key and then decrypt it to confirm that the key operations are functioning properly. This validation process ensures that your external key management setup is operational and ready for production use.

Download and install Google Cloud SDK

Follow the Google instructions (https://cloud.google.com/sdk/docs/install) to download, install, and configure Google Cloud SDK.

Encrypt a test file

Before proceeding with the next two steps, ensure the GCP user that is calling the encrypt and decrypt methods has the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key used to encrypt or decrypt. One way to permit a user to encrypt or decrypt is to add the user to the roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, or roles/cloudkms.cryptoKeyEncrypterDecrypter IAM roles for that key. For more information, see Permissions and Roles.
Perform the following steps to encrypt a test file using the externally managed key:
1. Run the following gcloud kms command to encrypt a test file by using the externally managed key:
gcloud kms encrypt \
  --key [key] \
  --keyring [key-ring] \
  --location [location] \
  --plaintext-file [file-with-data-to-encrypt] \
  --ciphertext-file [file-to-store-encrypted-data]
  • Replace [key] with the name of the key to use for encryption.
  • Replace [key-ring] with the name of the key ring where the key is located.
  • Replace [location] with the Cloud KMS location for the key ring.
  • Replace [file-with-data-to-encrypt] and [file-to-store-encrypted-data] with the local file paths for reading the plaintext data and saving the encrypted output.
If the command succeeds, it returns no output.

Decrypt a test file

Perform the following steps to decrypt a test file by using the externally managed key:
1. Run the following gcloud kms command with the externally managed key to decrypt the file that you encrypted in the previous step:
gcloud kms decrypt \
  --key [key] \
  --keyring [key-ring] \
  --location [location] \
  --ciphertext-file [file-path-with-encrypted-data] \
  --plaintext-file [file-path-to-store-plaintext]
  • Replace [key] with the name of the key to use for decryption.
  • Replace [key-ring] with the name of the key ring where the key is located.
  • Replace [location] with the Cloud KMS location for the key ring.
  • Replace [file-path-with-encrypted-data] and [file-path-to-store-plaintext] with the local file paths for reading the encrypted data and saving the decrypted output.
If the command succeeds, it returns no output.
2. View the contents of the plaintext file written by the decrypt command and confirm that it is byte-for-byte identical to the original file that you encrypted.
If the two files are identical, that confirms that the externally managed key is successfully performing encryption and decryption operations.
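The encrypt, decrypt and compare steps above can be run as one script so the check is repeatable. The following is an added example, not part of this page and not VirtuCrypt or Google tooling: it wraps the two gcloud commands shown above in shell functions and returns a distinct exit status for each way the round trip can fail. It assumes gcloud is installed and authenticated as a principal that holds the useToEncrypt and useToDecrypt permissions on the key, and that KEY, KEY_RING and LOCATION are exported by the caller. The GCLOUD variable is a hypothetical knob of this script (not a gcloud feature) so the comparison logic can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original page): round-trip validation of an
# EKM-backed Cloud KMS key. Wraps `gcloud kms encrypt` / `gcloud kms decrypt`
# and compares the decrypted output with the original plaintext.
# Assumptions: gcloud is installed and authenticated; KEY, KEY_RING and
# LOCATION are set by the caller. GCLOUD is a hypothetical override so the
# logic can be tested with a stand-in command (it is not a gcloud option).
set -u

GCLOUD="${GCLOUD:-gcloud}"

# Encrypt $1 (plaintext path) into $2 (ciphertext path) with the external key.
kms_encrypt() {
  "$GCLOUD" kms encrypt \
    --key "${KEY:?set KEY to the CryptoKey name}" \
    --keyring "${KEY_RING:?set KEY_RING to the key ring name}" \
    --location "${LOCATION:?set LOCATION to the Cloud KMS location}" \
    --plaintext-file "$1" \
    --ciphertext-file "$2"
}

# Decrypt $1 (ciphertext path) into $2 (plaintext path) with the external key.
kms_decrypt() {
  "$GCLOUD" kms decrypt \
    --key "${KEY:?set KEY to the CryptoKey name}" \
    --keyring "${KEY_RING:?set KEY_RING to the key ring name}" \
    --location "${LOCATION:?set LOCATION to the Cloud KMS location}" \
    --ciphertext-file "$1" \
    --plaintext-file "$2"
}

# Exit status:
#   0 = decrypt(encrypt(x)) is byte-identical to x
#   1 = decrypted output differs from the original
#   2 = a gcloud call failed (permissions, EKM connectivity, wrong key path, ...)
#   3 = the "ciphertext" is identical to the plaintext (nothing was encrypted)
kms_roundtrip_check() {
  plaintext=$1
  workdir=$(mktemp -d) || return 2
  rc=0
  if ! kms_encrypt "$plaintext" "$workdir/ct.bin"; then
    rc=2
  elif cmp -s "$plaintext" "$workdir/ct.bin"; then
    rc=3
  elif ! kms_decrypt "$workdir/ct.bin" "$workdir/pt.out"; then
    rc=2
  elif ! cmp -s "$plaintext" "$workdir/pt.out"; then
    rc=1
  fi
  rm -rf "$workdir"
  return "$rc"
}

# Runs only when a plaintext file is passed on the command line, e.g.
#   KEY=my-key KEY_RING=my-ring LOCATION=us-east1 sh ekm_roundtrip.sh ./test.txt
if [ $# -ge 1 ]; then
  if kms_roundtrip_check "$1"; then
    echo "round-trip OK: the externally managed key encrypts and decrypts correctly"
  else
    echo "round-trip FAILED (rc=$?)" >&2
    exit 1
  fi
fi
```

The status-3 case is worth keeping: a script that only checks "decrypted equals original" would also pass if a misconfigured wrapper copied the file through untouched, so the check first confirms the ciphertext actually differs from the input before trusting the decrypt comparison.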