In this tutorial you will learn the process of encrypting and decrypting files using cryptographic keys. Google Cloud’s Key Management Service (Cloud KMS) allows you to generate, use, rotate, and destroy cryptographic keys in a variety of formats. Google Cloud KMS allows you to create keyrings and keys. This tutorial will show you how to create a new keyring and key, use them to encrypt a formerly top-secret file, and then decrypt the encrypted version.
Enable Cloud KMS
- Google Cloud console navigation, choose APIs & Services > Library.
- Search for KMS, and enable the service.
Create a Keyring and Key
1. Activate the Cloud Shell by clicking its icon in the top navigation bar.
2. In the Cloud Shell, create the initial keyring with this command:
gcloud kms keyrings create la-keyring --location global
3. Run the following command to create a key for the new keyring
gcloud kms keys create la-key --location global --keyring la-keyring --purpose encryption
4. Run the following command to list the existing keys
gcloud kms keys list --location global --keyring la-keyring
Retrieve the Example File
1. Clone the GitHub repository:
git clone https://github.com/austinsonger/content-gcpro-security-engineer
2. Change directory to the
3. Open the Cloud Shell Editor by clicking the pencil icon.
4. Review the file
Encrypt and Decrypt the File
1. In Shell run the following command to encrypt the file
gcloud kms encrypt --location global --keyring la-keyring --key la-key --plaintext-file top-secret-ufo-1950.txt --ciphertext-file top-secret-ufo-1950.txt.encrypted
2. Review the file top-secret-ufo-1950.txt.encrypted2. Review the file
3. Run the following command to decrypt the encrypted file
gcloud kms decrypt --location global --keyring la-keyring --key la-key --ciphertext-file top-secret-ufo-1950.txt.encrypted --plaintext-file top-secret-ufo-1950.txt.decrypted
4. Review the file