Test encryption and decryption

6 min

perform the tasks in this section to test encryption and decryption by using an externally managed key download and install the google cloud sdk follow the instructions at this url to download, install, and configure the google cloud sdk https //cloud google com/sdk/docs/install verify google jwks reachability from the cryptohub network, verify reachability from your network to google's jwks endpoint curl i https //www googleapis com/oauth2/v3/certs expect 200 ok encrypt a test file before proceeding, ensure the google cloud user that is calling the encrypt and decrypt methods has the cloudkms cryptokeyversions usetoencrypt and cloudkms cryptokeyversions usetodecrypt permissions on the key being used to permit a user to encrypt or decrypt, add the user to the roles/cloudkms cryptokeyencrypter and roles/cloudkms cryptokeydecrypter iam roles, or the roles/cloudkms cryptokeyencrypterdecrypter iam role for that key for more information, see https //cloud google com/kms/docs/reference/permissions and roles run the following gcloud kms command to encrypt a test file by using the externally managed key gcloud kms encrypt \\ \ key \[key] \\ \ keyring \[key ring] \\ \ location \[location] \\ \ plaintext file \[file with data to encrypt] \\ \ ciphertext file \[file to store encrypted data] to use this command, perform the following actions replace \[key] with the name of the key to use for encryption replace \[key ring] with the name of the key ring where the key is located replace \[location] with the cloud kms location for the key ring replace \[file with data to encrypt] and \[file to store encrypted data] with the local file paths for reading the plaintext data and saving the encrypted output if the command is successful, it returns no output decrypt the encrypted file run the following gcloud kms command to decrypt the file you encrypted in the previous step, using the externally managed key gcloud kms decrypt \\ \ key \[key] \\ \ keyring \[key ring] \\ \ location \[location] \\ \ ciphertext file \[encrypted file] \ plaintext file \[path to store decrypted file] \\ to use this command, perform the following actions replace \[key] with the name of the key to use for decryption replace \[key ring] with the name of the key ring where the key is located replace \[location] with the cloud kms location for the key ring replace \[encrypted file] and \[path to store decrypted file] with the local file paths for reading the encrypted data and saving the decrypted output if the command is successful, it returns no output view the contents of the plaintext file output from the decryption command and confirm it is identical to the original file you encrypted if the two files are identical, that fact confirms the externally managed key successfully performed encryption and decryption operations troubleshooting (auth) invalid audience / "jwt validation failed" > re deploy the google ekm service after opening cryptohub at the correct fqdn so the audience matches google's token (google id tokens must match issuer/jwks and the exact aud ) jwks fetch failed / timeouts > allow outbound https from cryptohub (or via proxy) to https //www googleapis com/oauth2/v3/certs