Encrypting and decrypting data with an asymmetric key  |  Cloud KMS Documentation  |  Google Cloud (2024)

using Google.Cloud.Kms.V1;using System;using System.Security.Cryptography;using System.Text;public class EncryptAsymmetricSample{ public byte[] EncryptAsymmetric( string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key", string keyVersionId = "123", string message = "Sample message") { // Create the client. KeyManagementServiceClient client = KeyManagementServiceClient.Create(); // Build the key version name. CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(projectId, locationId, keyRingId, keyId, keyVersionId); // Get the public key. PublicKey publicKey = client.GetPublicKey(keyVersionName); // Split the key into blocks and base64-decode the PEM parts. string[] blocks = publicKey.Pem.Split("-", StringSplitOptions.RemoveEmptyEntries); byte[] pem = Convert.FromBase64String(blocks[1]); // Create a new RSA key. RSA rsa = RSA.Create(); rsa.ImportSubjectPublicKeyInfo(pem, out _); // Convert the message into bytes. Cryptographic plaintexts and // ciphertexts are always byte arrays. byte[] plaintext = Encoding.UTF8.GetBytes(message); // Encrypt the data. byte[] ciphertext = rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256); return ciphertext; }}

import ("context""crypto/rand""crypto/rsa""crypto/sha256""crypto/x509""encoding/pem""fmt""io"kms "cloud.google.com/go/kms/apiv1""cloud.google.com/go/kms/apiv1/kmspb")// encryptAsymmetric encrypts data on your local machine using an// 'RSA_DECRYPT_OAEP_2048_SHA256' public key retrieved from Cloud KMS.func encryptAsymmetric(w io.Writer, name string, message string) error {// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123"// message := "Sample message"// Create the client.ctx := context.Background()client, err := kms.NewKeyManagementClient(ctx)if err != nil {return fmt.Errorf("failed to create kms client: %w", err)}defer client.Close()// Retrieve the public key from Cloud KMS. This is the only operation that// involves Cloud KMS. The remaining operations take place on your local// machine.response, err := client.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{Name: name,})if err != nil {return fmt.Errorf("failed to get public key: %w", err)}// Parse the public key. Note, this example assumes the public key is in the// RSA format.block, _ := pem.Decode([]byte(response.Pem))publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)if err != nil {return fmt.Errorf("failed to parse public key: %w", err)}rsaKey, ok := publicKey.(*rsa.PublicKey)if !ok {return fmt.Errorf("public key is not rsa")}// Convert the message into bytes. Cryptographic plaintexts and// ciphertexts are always byte arrays.plaintext := []byte(message)// Encrypt data using the RSA public key.ciphertext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaKey, plaintext, nil)if err != nil {return fmt.Errorf("rsa.EncryptOAEP: %w", err)}fmt.Fprintf(w, "Encrypted ciphertext: %s", ciphertext)return nil}

import com.google.cloud.kms.v1.CryptoKeyVersionName;import com.google.cloud.kms.v1.KeyManagementServiceClient;import com.google.cloud.kms.v1.PublicKey;import java.io.BufferedReader;import java.io.IOException;import java.io.StringReader;import java.nio.charset.StandardCharsets;import java.security.GeneralSecurityException;import java.security.KeyFactory;import java.security.spec.MGF1ParameterSpec;import java.security.spec.X509EncodedKeySpec;import java.util.Base64;import java.util.stream.Collectors;import javax.crypto.Cipher;import javax.crypto.spec.OAEPParameterSpec;import javax.crypto.spec.PSource;public class EncryptAsymmetric { public void encryptAsymmetric() throws IOException, GeneralSecurityException { // TODO(developer): Replace these variables before running the sample. String projectId = "your-project-id"; String locationId = "us-east1"; String keyRingId = "my-key-ring"; String keyId = "my-key"; String keyVersionId = "123"; String plaintext = "Plaintext to encrypt"; encryptAsymmetric(projectId, locationId, keyRingId, keyId, keyVersionId, plaintext); } // Encrypt data that was encrypted using the public key component of the given // key version. public void encryptAsymmetric( String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String plaintext) throws IOException, GeneralSecurityException { // Initialize client that will be used to send requests. This client only // needs to be created once, and can be reused for multiple requests. After // completing all of your requests, call the "close" method on the client to // safely clean up any remaining background resources. try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) { // Build the key version name from the project, location, key ring, key, // and key version. CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId); // Get the public key. PublicKey publicKey = client.getPublicKey(keyVersionName); // Convert the public PEM key to a DER key (see helper below). byte[] derKey = convertPemToDer(publicKey.getPem()); X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey); java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec); // Encrypt plaintext for the 'RSA_DECRYPT_OAEP_2048_SHA256' key. // For other key algorithms: // https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"); OAEPParameterSpec oaepParams = new OAEPParameterSpec( "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT); cipher.init(Cipher.ENCRYPT_MODE, rsaKey, oaepParams); byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)); System.out.printf("Ciphertext: %s%n", ciphertext); } } // Converts a base64-encoded PEM certificate like the one returned from Cloud // KMS into a DER formatted certificate for use with the Java APIs. private byte[] convertPemToDer(String pem) { BufferedReader bufferedReader = new BufferedReader(new StringReader(pem)); String encoded = bufferedReader .lines() .filter(line -> !line.startsWith("-----BEGIN") && !line.startsWith("-----END")) .collect(Collectors.joining()); return Base64.getDecoder().decode(encoded); }}

//// TODO(developer): Uncomment these variables before running the sample.//// const projectId = 'my-project';// const locationId = 'us-east1';// const keyRingId = 'my-key-ring';// const keyId = 'my-key';// const versionId = '123';// const plaintextBuffer = Buffer.from('...');// Imports the Cloud KMS libraryconst {KeyManagementServiceClient} = require('@google-cloud/kms');// Instantiates a clientconst client = new KeyManagementServiceClient();// Build the key version nameconst versionName = client.cryptoKeyVersionPath( projectId, locationId, keyRingId, keyId, versionId);async function encryptAsymmetric() { // Get public key from Cloud KMS const [publicKey] = await client.getPublicKey({ name: versionName, }); // Optional, but recommended: perform integrity verification on publicKey. // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit: // https://cloud.google.com/kms/docs/data-integrity-guidelines const crc32c = require('fast-crc32c'); if (publicKey.name !== versionName) { throw new Error('GetPublicKey: request corrupted in-transit'); } if (crc32c.calculate(publicKey.pem) !== Number(publicKey.pemCrc32c.value)) { throw new Error('GetPublicKey: response corrupted in-transit'); } // Import and setup crypto const crypto = require('crypto'); // Encrypt plaintext locally using the public key. This example uses a key // that was configured with sha256 hash with OAEP padding. Update these // values to match the Cloud KMS key. // // NOTE: In Node < 12, this function does not properly consume the OAEP // padding and thus produces invalid ciphertext. If you are using Node to do // public key encryption, please use version 12+. const ciphertextBuffer = crypto.publicEncrypt( { key: publicKey.pem, oaepHash: 'sha256', padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, }, plaintextBuffer ); console.log(`Ciphertext: ${ciphertextBuffer.toString('base64')}`); return ciphertextBuffer;}return encryptAsymmetric();

function encrypt_asymmetric( string $projectId = 'my-project', string $locationId = 'us-east1', string $keyRingId = 'my-key-ring', string $keyId = 'my-key', string $versionId = '123', string $plaintext = '...'): void { // PHP has limited support for asymmetric encryption operations. // Specifically, openssl_public_encrypt() does not allow customizing // algorithms or padding. Thus, it is not currently possible to use PHP // core for asymmetric operations on RSA keys. // // Third party libraries like phpseclib may provide the required // functionality. Google does not endorse this external library.}

# Import base64 for printing the ciphertext.import base64# Import cryptographic helpers from the cryptography package.from cryptography.hazmat.backends import default_backendfrom cryptography.hazmat.primitives import hashesfrom cryptography.hazmat.primitives import serializationfrom cryptography.hazmat.primitives.asymmetric import padding# Import the client library.from google.cloud import kmsdef encrypt_asymmetric( project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str, plaintext: str,) -> bytes: """ Encrypt plaintext using the public key portion of an asymmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the key version to use (e.g. '1'). plaintext (string): message to encrypt Returns: bytes: Encrypted ciphertext. """ # Convert the plaintext to bytes. plaintext_bytes = plaintext.encode("utf-8") # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path( project_id, location_id, key_ring_id, key_id, version_id ) # Get the public key. public_key = client.get_public_key(request={"name": key_version_name}) # Extract and parse the public key as a PEM-encoded RSA key. pem = public_key.pem.encode("utf-8") rsa_key = serialization.load_pem_public_key(pem, default_backend()) # Construct the padding. Note that the padding differs based on key choice. sha256 = hashes.SHA256() mgf = padding.MGF1(algorithm=sha256) pad = padding.OAEP(mgf=mgf, algorithm=sha256, label=None) # Encrypt the data using the public key. ciphertext = rsa_key.encrypt(plaintext_bytes, pad) print(f"Ciphertext: {base64.b64encode(ciphertext)!r}") return ciphertext

# Ruby has limited support for asymmetric encryption operations. Specifically,# public_encrypt() does not allow customizing the MGF hash algorithm. Thus, it# is not currently possible to use Ruby core for asymmetric encryption# operations on RSA keys from Cloud KMS.## Third party libraries may provide the required functionality. Google does# not endorse these external libraries.

using Google.Cloud.Kms.V1;using Google.Protobuf;using System.Text;public class DecryptAsymmetricSample{ public string DecryptAsymmetric( string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key", string keyVersionId = "123", byte[] ciphertext = null) { // Create the client. KeyManagementServiceClient client = KeyManagementServiceClient.Create(); // Build the key version name. CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(projectId, locationId, keyRingId, keyId, keyVersionId); // Call the API. AsymmetricDecryptResponse result = client.AsymmetricDecrypt(keyVersionName, ByteString.CopyFrom(ciphertext)); // Get the plaintext. Cryptographic plaintexts and ciphertexts are // always byte arrays. byte[] plaintext = result.Plaintext.ToByteArray(); // Return the result. return Encoding.UTF8.GetString(plaintext); }}

import ("context""fmt""hash/crc32""io"kms "cloud.google.com/go/kms/apiv1""cloud.google.com/go/kms/apiv1/kmspb""google.golang.org/protobuf/types/known/wrapperspb")// decryptAsymmetric will attempt to decrypt a given ciphertext with an// 'RSA_DECRYPT_OAEP_2048_SHA256' key from Cloud KMS.func decryptAsymmetric(w io.Writer, name string, ciphertext []byte) error {// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123"// ciphertext := []byte("...") // result of an asymmetric encryption call// Create the client.ctx := context.Background()client, err := kms.NewKeyManagementClient(ctx)if err != nil {return fmt.Errorf("failed to create kms client: %w", err)}defer client.Close()// Optional but recommended: Compute ciphertext's CRC32C.crc32c := func(data []byte) uint32 {t := crc32.MakeTable(crc32.Castagnoli)return crc32.Checksum(data, t)}ciphertextCRC32C := crc32c(ciphertext)// Build the request.req := &kmspb.AsymmetricDecryptRequest{Name: name,Ciphertext: ciphertext,CiphertextCrc32C: wrapperspb.Int64(int64(ciphertextCRC32C)),}// Call the API.result, err := client.AsymmetricDecrypt(ctx, req)if err != nil {return fmt.Errorf("failed to decrypt ciphertext: %w", err)}// Optional, but recommended: perform integrity verification on result.// For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:// https://cloud.google.com/kms/docs/data-integrity-guidelinesif result.VerifiedCiphertextCrc32C == false {return fmt.Errorf("AsymmetricDecrypt: request corrupted in-transit")}if int64(crc32c(result.Plaintext)) != result.PlaintextCrc32C.Value {return fmt.Errorf("AsymmetricDecrypt: response corrupted in-transit")}fmt.Fprintf(w, "Decrypted plaintext: %s", result.Plaintext)return nil}

import com.google.cloud.kms.v1.AsymmetricDecryptResponse;import com.google.cloud.kms.v1.CryptoKeyVersionName;import com.google.cloud.kms.v1.KeyManagementServiceClient;import com.google.protobuf.ByteString;import java.io.IOException;public class DecryptAsymmetric { public void decryptAsymmetric() throws IOException { // TODO(developer): Replace these variables before running the sample. String projectId = "your-project-id"; String locationId = "us-east1"; String keyRingId = "my-key-ring"; String keyId = "my-key"; String keyVersionId = "123"; byte[] ciphertext = null; decryptAsymmetric(projectId, locationId, keyRingId, keyId, keyVersionId, ciphertext); } // Decrypt data that was encrypted using the public key component of the given // key version. public void decryptAsymmetric( String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, byte[] ciphertext) throws IOException { // Initialize client that will be used to send requests. This client only // needs to be created once, and can be reused for multiple requests. After // completing all of your requests, call the "close" method on the client to // safely clean up any remaining background resources. try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) { // Build the key version name from the project, location, key ring, key, // and key version. CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId); // Decrypt the ciphertext. AsymmetricDecryptResponse response = client.asymmetricDecrypt(keyVersionName, ByteString.copyFrom(ciphertext)); System.out.printf("Plaintext: %s%n", response.getPlaintext().toStringUtf8()); } }}

//// TODO(developer): Uncomment these variables before running the sample.//// const projectId = 'my-project';// const locationId = 'us-east1';// const keyRingId = 'my-key-ring';// const keyId = 'my-key';// const versionId = '123';// const ciphertext = Buffer.from('...');// Imports the Cloud KMS libraryconst {KeyManagementServiceClient} = require('@google-cloud/kms');// Instantiates a clientconst client = new KeyManagementServiceClient();// Build the key version nameconst versionName = client.cryptoKeyVersionPath( projectId, locationId, keyRingId, keyId, versionId);// Optional, but recommended: compute plaintext's CRC32C.const crc32c = require('fast-crc32c');const ciphertextCrc32c = crc32c.calculate(ciphertext);async function decryptAsymmetric() { const [decryptResponse] = await client.asymmetricDecrypt({ name: versionName, ciphertext: ciphertext, ciphertextCrc32c: { value: ciphertextCrc32c, }, }); // Optional, but recommended: perform integrity verification on decryptResponse. // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit: // https://cloud.google.com/kms/docs/data-integrity-guidelines if (!decryptResponse.verifiedCiphertextCrc32c) { throw new Error('AsymmetricDecrypt: request corrupted in-transit'); } if ( crc32c.calculate(decryptResponse.plaintext) !== Number(decryptResponse.plaintextCrc32c.value) ) { throw new Error('AsymmetricDecrypt: response corrupted in-transit'); } // NOTE: The ciphertext must be properly formatted. In Node < 12, the // crypto.publicEncrypt() function does not properly consume the OAEP // padding and thus produces invalid ciphertext. If you are using Node to do // public key encryption, please use version 12+. const plaintext = decryptResponse.plaintext.toString('utf8'); console.log(`Plaintext: ${plaintext}`); return plaintext;}return decryptAsymmetric();

use Google\Cloud\Kms\V1\AsymmetricDecryptRequest;use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;function decrypt_asymmetric( string $projectId = 'my-project', string $locationId = 'us-east1', string $keyRingId = 'my-key-ring', string $keyId = 'my-key', string $versionId = '123', string $ciphertext = '...') { // Create the Cloud KMS client. $client = new KeyManagementServiceClient(); // Build the key version name. $keyVersionName = $client->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $keyId, $versionId); // Call the API. $asymmetricDecryptRequest = (new AsymmetricDecryptRequest()) ->setName($keyVersionName) ->setCiphertext($ciphertext); $decryptResponse = $client->asymmetricDecrypt($asymmetricDecryptRequest); printf('Plaintext: %s' . PHP_EOL, $decryptResponse->getPlaintext()); return $decryptResponse;}

from google.cloud import kmsdef decrypt_asymmetric( project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str, ciphertext: bytes,) -> kms.DecryptResponse: """ Decrypt the ciphertext using an asymmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the key version to use (e.g. '1'). ciphertext (bytes): Encrypted bytes to decrypt. Returns: DecryptResponse: Response including plaintext. """ # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path( project_id, location_id, key_ring_id, key_id, version_id ) # Optional, but recommended: compute ciphertext's CRC32C. # See crc32c() function defined below. ciphertext_crc32c = crc32c(ciphertext) # Call the API. decrypt_response = client.asymmetric_decrypt( request={ "name": key_version_name, "ciphertext": ciphertext, "ciphertext_crc32c": ciphertext_crc32c, } ) # Optional, but recommended: perform integrity verification on decrypt_response. # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit: # https://cloud.google.com/kms/docs/data-integrity-guidelines if not decrypt_response.verified_ciphertext_crc32c: raise Exception("The request sent to the server was corrupted in-transit.") if not decrypt_response.plaintext_crc32c == crc32c(decrypt_response.plaintext): raise Exception( "The response received from the server was corrupted in-transit." ) # End integrity verification print(f"Plaintext: {decrypt_response.plaintext!r}") return decrypt_responsedef crc32c(data: bytes) -> int: """ Calculates the CRC32C checksum of the provided data. Args: data: the bytes over which the checksum should be calculated. Returns: An int representing the CRC32C checksum of the provided bytes. """ import crcmod # type: ignore crc32c_fun = crcmod.predefined.mkPredefinedCrcFun("crc-32c") return crc32c_fun(data)

# TODO(developer): uncomment these values before running the sample.# project_id = "my-project"# location_id = "us-east1"# key_ring_id = "my-key-ring"# key_id = "my-key"# version_id = "123"# ciphertext = "..."# Require the library.require "google/cloud/kms"# Create the client.client = Google::Cloud::Kms.key_management_service# Build the key version name.key_version_name = client.crypto_key_version_path project: project_id, location: location_id, key_ring: key_ring_id, crypto_key: key_id, crypto_key_version: version_id# Call the API.response = client.asymmetric_decrypt key_version_name, ciphertextputs "Plaintext: #{response.plaintext}"