Test encryption and decryption with externally managed key

use the following link to download, install, and configure google cloud sdk https //cloud google com/sdk/docs/install https //cloud google com/sdk/docs/install then, perform the following task to test encryption and decryption encrypt a test file by using the externally managed key before proceeding with next two steps, ensure the gcp user that calls the encrypt and decrypt methods has the cloudkms cryptokeyversions usetoencrypt and cloudkms cryptokeyversions usetodecrypt permissions on the key used to encrypt or decrypt one way to permit a user to encrypt or decrypt is to add the user to the following iam roles for that key roles/cloudkms cryptokeyencrypter roles/cloudkms cryptokeydecrypter roles/cloudkms cryptokeyencrypterdecrypter for more information, see permissions and roles run the following gcloud kms command to encrypt a test file using the externally managed key gcloud kms encrypt \\ \ key \[key] \\ \ keyring \[key ring] \\ \ location \[location] \\ \ plaintext file \[file with data to encrypt] \\ \ ciphertext file \[file to store encrypted data] make the following modifications to the preceding command replace \[key] with the name of the key to use for encryption replace \[key ring] with the name of the key ring where the key is located replace \[location] with the cloud kms location for the key ring replace \[file with data to encrypt] and \[file to store encrypted data] with the local file paths for reading the plaintext data and saving the encrypted output if the command is successful, it returns no output decrypt a test file perform the following steps to decrypt a test file by using the externally managed key run the following gcloud kms command to decrypt the file that was encrypted in the previous step, using the externally managed key gcloud kms decrypt \\ \ key \[key] \\ \ keyring \[key ring] \\ \ location \[location] \\ \ ciphertext file \[file path with encrypted data] \\ \ plaintext file \[file path to store plaintext] make the following modifications to the preceding command replace \[key] with the name of the key to use for decryption replace \[key ring] with the name of the key ring where the key is located replace \[location] with the cloud kms location for the key ring replace \[file path with encrypted data] and \[file path to store plaintext] with the local file paths for reading the encrypted data and saving the decrypted output if the command is successful, it returns no output view the contents of the plaintext file that was output from this decryption command and confirm that it is identical to the original file that you encrypted if the two files are identical, then the externally managed key is successfully performing encryption and decryption operations