This example shows how to generate or load an encrypted keyset, obtain a primitive, and use the primitive to do crypto.
This example uses a Cloud KMS key as a key-encryption key (KEK) to encrypt/decrypt a keyset, which in turn is used to encrypt files.
In order to run this example, you need to:
Create a symmetric key on Cloud KMs. Copy the key URI which is in this format: projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>.
Create service account that is allowed to encrypt and decrypt with the above key and download a JSON credentials file.
$ git clone https://github.com/google/tink $ cd tink/python/examples $ bazel build ...
You can generate an encrypted keyset:
# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and # my-service-account.json with your service account's credential JSON file. $ ./bazel-bin/encrypted_keyset/encrypted_keyset --mode generate \ --keyset_path aes128_gcm_test_encrypted_keyset.json \ --kek_uri gcp-kms://<my-key-uri> \ --gcp_credential_path my-service-account.json
You can then encrypt a file:
$ echo "some data" > testdata.txt $ ./bazel-bin/encrypted_keyset/encrypted_keyset --mode encrypt \ --keyset_path aes128_gcm_test_encrypted_keyset.json \ --kek_uri gcp-kms://<my-key-uri> \ --gcp_credential_path my-service-account.json \ --input_path testdata.txt --output_path testdata.txt.encrypted
Or decrypt the file with:
$ ./bazel-bin/encrypted_keyset/encrypted_keyset --mode decrypt \ --keyset_path aes128_gcm_test_encrypted_keyset.json \ --kek_uri gcp-kms://<my-key-uri> \ --gcp_credential_path my-service-account.json \ --input_path testdata.txt.encrypted --output_path testdata.txt.decrypted $ diff testdata.txt testdata.txt.decrypted