Test encryption and decryption with externally managed key
Use the following link to download, install, and configure Google Cloud SDK: https://cloud.google.com/sdk/docs/install
Then, perform the following task to test encryption and decryption:
Before proceeding with the next two steps, ensure that the GCP user that calls the encrypt and decrypt methods has the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key used to encrypt or decrypt. One way to permit a user to encrypt or decrypt is to grant the user the roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, or roles/cloudkms.cryptoKeyEncrypterDecrypter IAM role on that key. For more information, see Permissions and Roles.
Run the following gcloud kms command to encrypt a test file using the externally managed key:
Replace [key] with the name of the key to use for encryption.
Replace [key-ring] with the name of the key ring where the key is located.
Replace [location] with the Cloud KMS location for the key ring.
Replace [file-with-data-to-encrypt] and [file-to-store-encrypted-data] with the local file paths for reading the plaintext data and saving the encrypted output.
If the command is successful, it returns no output.
Run the following gcloud kms command to decrypt the file that was encrypted in the previous step, using the externally managed key:
Replace [key] with the name of the key to use for decryption.
Replace [key-ring] with the name of the key ring where the key is located.
Replace [location] with the Cloud KMS location for the key ring.
Replace [file-path-with-encrypted-data] and [file-path-to-store-plaintext] with the local file paths for reading the encrypted data and saving the decrypted output.
If the command is successful, it returns no output.
View the contents of the plaintext file that was output from this decryption command and confirm that it is identical to the original file that you encrypted. If the two files are identical, then the externally managed key is successfully performing encryption and decryption operations.
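The whole procedure above (encrypt, decrypt, compare) as one script. This is an added example, not a command listing from the original page: the function name kms_roundtrip, its return codes and the temporary file names are assumptions, and the gcloud kms encrypt and gcloud kms decrypt calls use the standard --key, --keyring, --location, --plaintext-file and --ciphertext-file flags with the values described in the Replace lines.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): encrypt, decrypt and compare.
# kms_roundtrip and its temp-file names are hypothetical; the caller supplies
# the [key], [key-ring], [location] and test-file values.
# Return codes: 0 ok, 1 mismatch, 2 bad input, 3 encrypt failed, 4 decrypt failed.
kms_roundtrip() {
  local key keyring location plaintext workdir ciphertext decrypted rc
  key="$1"; keyring="$2"; location="$3"; plaintext="$4"; rc=0

  [ -r "$plaintext" ] || { echo "cannot read: $plaintext" >&2; return 2; }
  workdir="$(mktemp -d)" || return 2
  ciphertext="$workdir/data.enc"
  decrypted="$workdir/data.dec"

  # Step 1: encrypt with the externally managed key (no output on success).
  gcloud kms encrypt \
    --key "$key" --keyring "$keyring" --location "$location" \
    --plaintext-file "$plaintext" \
    --ciphertext-file "$ciphertext" || rc=3

  # Sanity check: the stored ciphertext must not be the plaintext itself.
  if [ "$rc" -eq 0 ] && cmp -s "$plaintext" "$ciphertext"; then
    echo "FAIL: ciphertext equals plaintext" >&2; rc=1
  fi

  # Step 2: decrypt the ciphertext produced in step 1.
  if [ "$rc" -eq 0 ]; then
    gcloud kms decrypt \
      --key "$key" --keyring "$keyring" --location "$location" \
      --ciphertext-file "$ciphertext" \
      --plaintext-file "$decrypted" || rc=4
  fi

  # Step 3: byte-for-byte comparison instead of inspecting the file by eye.
  if [ "$rc" -eq 0 ]; then
    if cmp -s "$plaintext" "$decrypted"; then
      echo "OK: decrypted output matches the original"
    else
      echo "FAIL: decrypted output differs from the original" >&2; rc=1
    fi
  fi

  rm -rf "$workdir"   # do not leave plaintext copies behind
  return "$rc"
}
```

Call it as kms_roundtrip [key] [key-ring] [location] [file-with-data-to-encrypt]; a return code of 3 or 4 with a permission error from gcloud points back to the IAM roles listed before the first step.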