Google Cloud EKM (External Key...
Test encryption and decryption with the externally managed key
To verify that the Google Cloud EKM and {{vc}} integration is working correctly, this section walks through a complete encryption and decryption test. It uses the Google Cloud SDK command-line tools to encrypt a test file with your externally managed key and then decrypt it, which confirms that Cloud KMS can reach the external key manager and that the key operations succeed. Completing this validation shows that your external key management setup is operational before you rely on it in production.

Download and install Google Cloud SDK

Follow the Google instructions at https://cloud.google.com/sdk/docs/install to download, install, and configure the Google Cloud SDK.

Encrypt a test file

Before proceeding with the next two steps, ensure that the GCP user calling the encrypt and decrypt methods has the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key that will be used. One way to grant these is to bind the user to the roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, or roles/cloudkms.cryptoKeyEncrypterDecrypter IAM role on that key. Grant the role on the key itself rather than on the project where possible, so that the test identity cannot use other keys. For more information, see https://cloud.google.com/kms/docs/reference/permissions-and-roles.

Perform the following steps to encrypt a test file using the externally managed key.

1. Run the following gcloud kms command to encrypt a test file with the externally managed key:

        gcloud kms encrypt \
            --key [KEY] \
            --keyring [KEY_RING] \
            --location [LOCATION] \
            --plaintext-file [FILE_WITH_DATA_TO_ENCRYPT] \
            --ciphertext-file [FILE_TO_STORE_ENCRYPTED_DATA]

2. Replace [KEY] with the name of the key to use for encryption.

3. Replace [KEY_RING] with the name of the key ring where the key is located.

4. Replace [LOCATION] with the Cloud KMS location of the key ring.

5. Replace [FILE_WITH_DATA_TO_ENCRYPT] and [FILE_TO_STORE_ENCRYPTED_DATA] with the local file paths for reading the plaintext data and saving the encrypted output. Keep the test file small; a single gcloud kms encrypt call accepts at most 64 KiB of plaintext.

If the command succeeds, it returns no output and the ciphertext file is written.

Decrypt a test file

Perform the following steps to decrypt the test file using the externally managed key.

1. Run the following gcloud kms command with the externally managed key to decrypt the file that you encrypted in the previous step:

        gcloud kms decrypt \
            --key [KEY] \
            --keyring [KEY_RING] \
            --location [LOCATION] \
            --ciphertext-file [FILE_PATH_WITH_ENCRYPTED_DATA] \
            --plaintext-file [FILE_PATH_TO_STORE_PLAINTEXT]

2. Replace [KEY] with the name of the key to use for decryption.

3. Replace [KEY_RING] with the name of the key ring where the key is located.

4. Replace [LOCATION] with the Cloud KMS location of the key ring.

5. Replace [FILE_PATH_WITH_ENCRYPTED_DATA] and [FILE_PATH_TO_STORE_PLAINTEXT] with the local file paths for reading the encrypted data and saving the decrypted output.

If the command succeeds, it returns no output.

Compare the plaintext file produced by the decrypt command with the original file that you encrypted, for example with cmp or diff rather than by eye. If the two files are byte-for-byte identical, the externally managed key is successfully performing encryption and decryption operations. If either command fails with a permission error, recheck the IAM binding on the key; if it fails after a delay or with an error mentioning the external key, check the connection between Cloud KMS and the external key manager, since the key material never leaves {{vc}} and every operation is forwarded to it.
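The procedure above, scripted end to end as an added example (this is not code from the original page or from the {{vc}} product): it wraps the two gcloud commands in functions, refuses plaintexts over the 64 KiB Cloud KMS limit before making a call, decrypts into a scratch directory that is removed afterwards, and compares the result with cmp instead of relying on a visual check. KEY, KEYRING and LOCATION are placeholders to replace with your own values, and the GCLOUD variable is an assumption of this script that lets you substitute a stub binary for a dry run.

```shell
#!/bin/sh
# Added example: round-trip test of an externally managed Cloud KMS key via gcloud.
# Not part of the original page. Replace the bracketed placeholders before use.
set -eu

KEY="${KEY:-[KEY]}"
KEYRING="${KEYRING:-[KEY_RING]}"
LOCATION="${LOCATION:-[LOCATION]}"
GCLOUD="${GCLOUD:-gcloud}"      # assumption: override to point at a stub for dry runs

# Cloud KMS symmetric encrypt accepts at most 64 KiB of plaintext per call.
MAX_PLAINTEXT=65536

# ekm_encrypt PLAINTEXT_FILE CIPHERTEXT_FILE
ekm_encrypt() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -gt "$MAX_PLAINTEXT" ]; then
        echo "plaintext exceeds 64 KiB; use envelope encryption for larger data" >&2
        return 1
    fi
    "$GCLOUD" kms encrypt \
        --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
        --plaintext-file "$1" --ciphertext-file "$2"
}

# ekm_decrypt CIPHERTEXT_FILE PLAINTEXT_FILE
ekm_decrypt() {
    "$GCLOUD" kms decrypt \
        --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
        --ciphertext-file "$1" --plaintext-file "$2"
}

# roundtrip_ok ORIGINAL DECRYPTED: succeeds only if DECRYPTED exists, is
# non-empty and is byte-identical to ORIGINAL. An empty output counts as a
# failure even when ORIGINAL is empty, because nothing was exercised.
roundtrip_ok() {
    [ -s "$2" ] || return 1
    cmp -s "$1" "$2"
}

# ekm_roundtrip PLAINTEXT_FILE: encrypt and decrypt in a scratch directory,
# compare, and remove the scratch copies. Returns 0 on success, 1 otherwise.
ekm_roundtrip() {
    dir=$(mktemp -d)
    status=1
    if ekm_encrypt "$1" "$dir/ct.bin" && ekm_decrypt "$dir/ct.bin" "$dir/pt.out"; then
        if roundtrip_ok "$1" "$dir/pt.out"; then
            status=0
        else
            echo "decrypted output does not match the original" >&2
        fi
    fi
    rm -rf "$dir"
    return $status
}

# Call gcloud only when explicitly requested, so sourcing this file or running
# it without credentials makes no network calls.
if [ "${EKM_RUN_TEST:-0}" = "1" ]; then
    sample=$(mktemp)
    printf 'EKM round-trip test %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$sample"
    if ekm_roundtrip "$sample"; then
        echo "OK: externally managed key encrypted and decrypted the test file"
    else
        echo "FAIL: check the IAM binding on the key and the EKM connection" >&2
        rm -f "$sample"
        exit 1
    fi
    rm -f "$sample"
fi
```

Run it against a real key with EKM_RUN_TEST=1 KEY=... KEYRING=... LOCATION=... sh ekm-roundtrip.sh. A successful run proves both that the caller holds the right permissions and that Cloud KMS can reach the external key manager; as a final check, confirm that the external key manager's audit log shows the corresponding wrap and unwrap requests for this key.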