This example shows how to encrypt/decrypt GCS blobs with Tink using Envelope Encryption.
It shows how you can use Tink to encrypt data with a newly generated data encryption key (DEK) that is wrapped with a KMS key. The data is encrypted with AES-256-GCM under the DEK; the DEK is encrypted with the KMS key, which is only ever used through Cloud KMS, and stored alongside the ciphertext in GCS. Decrypting a blob therefore needs both read access to the blob and permission to decrypt with the same KMS key.
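To make the construction concrete, here is an added example in Go (not code from the Tink project or from this page's Java example) that implements the same envelope scheme with the standard library: a fresh AES-256-GCM DEK per call, the DEK wrapped by a key-encryption key, and the wrapped DEK stored in front of the ciphertext. Cloud KMS is replaced by a constructed stand-in (`kmsStandIn`) that holds a local AES-GCM key and only exposes wrap/unwrap; the helper names, the use of the blob's gs:// URI as associated data, and the sample plaintext are all choices of this example. The envelope layout (4-byte big-endian length of the wrapped DEK, then the wrapped DEK, then the DEK-encrypted body) matches what Tink's envelope AEAD writes, but Tink's own implementation is the authority for the real format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// randomBytes returns n bytes from crypto/rand; a failure there is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aesGCM builds AES-GCM over a 32-byte key; an error here would be a bug.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealRandomNonce returns nonce || ciphertext || tag under a fresh nonce;
// openSealed reverses it and fails on any change to those or to aad.
func sealRandomNonce(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func openSealed(aead cipher.AEAD, data, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead.Open(nil, data[:ns], data[ns:], aad)
}

// kmsStandIn is a constructed stand-in for the Cloud KMS key-encryption key
// (KEK): it holds an AES-256-GCM key and exposes only wrap/unwrap, as a KMS
// exposes Encrypt/Decrypt without releasing key bytes. Not a real KMS client.
type kmsStandIn struct{ kek cipher.AEAD }

func newKMSStandIn() *kmsStandIn { return &kmsStandIn{kek: aesGCM(randomBytes(32))} }

func (k *kmsStandIn) WrapDEK(dek []byte) []byte          { return sealRandomNonce(k.kek, dek, nil) }
func (k *kmsStandIn) UnwrapDEK(w []byte) ([]byte, error) { return openSealed(k.kek, w, nil) }

// EnvelopeEncrypt generates a fresh 256-bit DEK per call, encrypts plaintext
// with it under AES-GCM, wraps the DEK with the KEK and returns
//   4-byte big-endian len(wrappedDEK) || wrappedDEK || nonce || ciphertext || tag
// (the layout Tink's envelope AEAD writes). aad is authenticated, not stored.
func EnvelopeEncrypt(kms *kmsStandIn, plaintext, aad []byte) []byte {
	dek := randomBytes(32)
	wrapped := kms.WrapDEK(dek) // the only operation that touches the KEK
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, uint32(len(wrapped)))
	out = append(out, wrapped...)
	return append(out, sealRandomNonce(aesGCM(dek), plaintext, aad)...)
}

// EnvelopeDecrypt parses the envelope defensively, unwraps the DEK through
// the KEK, then decrypts the body with the DEK under the same aad.
func EnvelopeDecrypt(kms *kmsStandIn, envelope, aad []byte) ([]byte, error) {
	if len(envelope) < 4 {
		return nil, errors.New("envelope too short")
	}
	n := binary.BigEndian.Uint32(envelope)
	if n == 0 || uint64(n) > uint64(len(envelope)-4) {
		return nil, errors.New("bad wrapped-DEK length")
	}
	dek, err := kms.UnwrapDEK(envelope[4 : 4+n])
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openSealed(aesGCM(dek), envelope[4+n:], aad)
}

func main() {
	kms := newKMSStandIn()
	blob := []byte("gs://my-bucket-name/my-blob-name") // aad choice of this example: binds ciphertext to its location
	env := EnvelopeEncrypt(kms, []byte("some data\n"), blob)
	pt, err := EnvelopeDecrypt(kms, env, blob)
	fmt.Printf("decrypted %q, err %v\n", pt, err)
	_, err = EnvelopeDecrypt(kms, env, []byte("gs://other-bucket/my-blob-name"))
	fmt.Println("decrypt after moving the blob:", err)
}
```

Two properties are worth checking against the real tool as well: the KEK is used exactly once per operation (to wrap or unwrap the DEK), so KMS usage does not scale with blob size, and any modification of the wrapped DEK, the body, or the associated data makes decryption fail rather than return garbage.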
The CLI takes the following required arguments, in this order (the invocations below show them filled in):

- mode: "encrypt" or "decrypt".
- the Cloud KMS key to use as the key-encryption key, given as the key URI prefixed with gcp-kms://.
- the service account credentials file (JSON).
- the GCP project ID.

When mode is "encrypt", it takes the following additional arguments:

- the local plaintext file to encrypt.
- gcs-output-blob: the GCS blob to write the encryption result to.

When mode is "decrypt", it takes the following additional arguments:

- gcs-input-blob: the GCS blob holding the ciphertext.
- the local file to write the decrypted plaintext to.

gcs-input-blob and gcs-output-blob have this format: gs://my-bucket-name/my-object-name.
This envelope encryption example uses a Cloud KMS key as a key-encryption key (KEK). In order to run it, you need to:

- Create a symmetric key on Cloud KMS. Copy the key URI, which has this format: projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>.
- Create a bucket on GCS.
- Create and download a service account that is allowed to encrypt and decrypt with the Cloud KMS key and to read and write objects in the GCS bucket. Those are the only permissions the example needs; do not grant the account anything broader.
Build the example:

```
git clone https://github.com/google/tink
cd tink/examples/java_src
bazel build ...
```
Encrypt a file and upload it to GCS (the first argument after the mode is the key URI copied above, prefixed with gcp-kms://):

```
echo "some data" > testdata.txt
./bazel-bin/gcs/gcs_envelope_aead_example \
  encrypt \
  gcp-kms://my-cloud-kms-key-uri \
  my-service-account.json \
  my-gcp-project-id \
  testdata.txt gs://my-bucket-name/my-blob-name
```

Download a file from GCS and decrypt it. The key URI must name the same Cloud KMS key that wrapped the DEK at encryption time; any other key cannot unwrap it:

```
./bazel-bin/gcs/gcs_envelope_aead_example \
  decrypt \
  gcp-kms://my-cloud-kms-key-uri \
  my-service-account.json \
  my-gcp-project-id \
  gs://my-bucket-name/my-blob-name testdata.txt.decrypted
```