This is a command-line tool that can encrypt files using Envelope Encryption.
It shows how you can use Tink to encrypt data with a newly generated data encryption key (DEK) which is wrapped with a KMS key. The data will be encrypted with AES256 GCM using the DEK and the DEK will be encrypted with the KMS key and stored alongside the ciphertext.
The CLI takes 5 arguments:
```shell
git clone https://github.com/google/tink
cd tink/examples/python
bazel build ...
```
Using the test credentials, you can then encrypt a file:

```shell
echo "some data" > testdata.txt
./bazel-bin/envelope/envelope encrypt \
    testdata/credential.json \
    gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key \
    testdata.txt testdata.txt.encrypted
```

or decrypt the file with:

```shell
./bazel-bin/envelope/envelope decrypt \
    testdata/credential.json \
    gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key \
    testdata.txt.encrypted testdata.txt
```
```shell
git clone https://github.com/google/tink
cd tink/python
pip3 install .
```
You can then encrypt the file:

```shell
echo "some data" > testdata.txt
python3 envelope.py encrypt \
    testdata/credential.json \
    gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key \
    testdata.txt testdata.txt.encrypted
```
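The envelope flow described at the top of this page (fresh DEK per message, AES-256-GCM over the data, DEK wrapped by a key-encryption key and stored with the ciphertext), as an added sketch that is not the Tink example's code and does not use the Tink API. Assumptions: the `cryptography` package is installed, a locally generated AES-256-GCM key stands in for the KMS key, and the length-prefixed layout and function names are chosen for this illustration.

```python
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, generated fresh for every encryption
TAG_LEN = 16    # GCM authentication tag appended by AESGCM.encrypt


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-GCM encrypt; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of seal(); raises InvalidTag if anything was modified."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed blob too short")
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


def envelope_encrypt(kek: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    dek = AESGCM.generate_key(bit_length=256)  # new DEK for this message only
    wrapped_dek = seal(kek, dek, b"")          # stand-in for the KMS encrypt call
    payload = seal(dek, plaintext, aad)
    # Assumed layout: 4-byte big-endian length | wrapped DEK | payload
    return struct.pack(">I", len(wrapped_dek)) + wrapped_dek + payload


def envelope_decrypt(kek: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    if len(blob) < 4:
        raise ValueError("truncated envelope")
    (dek_len,) = struct.unpack(">I", blob[:4])
    # Reject a length field that points outside the blob before slicing.
    if dek_len == 0 or dek_len > len(blob) - 4:
        raise ValueError("invalid wrapped-DEK length")
    wrapped_dek, payload = blob[4:4 + dek_len], blob[4 + dek_len:]
    dek = unseal(kek, wrapped_dek, b"")        # stand-in for the KMS decrypt call
    return unseal(dek, payload, aad)


if __name__ == "__main__":
    kek = AESGCM.generate_key(bit_length=256)  # constructed local key, not a KMS key
    blob = envelope_encrypt(kek, b"some data\n", b"testdata.txt")
    print(len(blob), envelope_decrypt(kek, blob, b"testdata.txt"))
```

Only the wrapped DEK ever needs to reach the key service, so the file contents stay local and the KMS key never leaves the KMS.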