# Java envelope encryption example

This example shows how to encrypt data with Tink using
[Envelope Encryption](https://cloud.google.com/kms/docs/envelope-encryption).

It shows how you can use Tink to encrypt data with a newly generated *data
encryption key* (DEK) which is wrapped with a KMS key. The data will be
encrypted with AES256 GCM using the DEK, and the DEK will be encrypted with the
KMS key and stored alongside the ciphertext.

The CLI takes the following arguments:

* mode: "encrypt" or "decrypt" to indicate if you want to encrypt or decrypt.
* kek-uri: The URI for the key to be used for envelope encryption.
* gcp-credential-file: Name of the file with the GCP credentials in JSON
  format.
* input-file: Read the input from this file.
* output-file: Write the result to this file.
* [optional] associated-data: Associated data used for the encryption or
  decryption.

## Build and Run

### Prerequisite

This envelope encryption example uses a Cloud KMS key as a key-encryption key
(KEK). In order to run it, you need to:

* Create a symmetric key on Cloud KMS. Copy the key URI, which is in this
  format:
  `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

* Create and download a service account that is allowed to encrypt and decrypt
  with the above key.

### Bazel

```shell
git clone https://github.com/google/tink
cd tink/examples/java_src
bazel build ...
```

You can then encrypt a file:

```shell
echo "some data" > testdata.txt
# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and
# my-service-account.json with your service account's credential JSON file.
./bazel-bin/envelopeaead/envelope_aead_example encrypt \
    my-service-account.json \
    gcp-kms://<my-key-uri> \
    testdata.txt testdata.txt.encrypted
```

or decrypt the file with:

```shell
./bazel-bin/envelopeaead/envelope_aead_example decrypt \
    my-service-account.json \
    gcp-kms://<my-key-uri> \
    testdata.txt.encrypted testdata.txt
```
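What the envelope the CLI writes looks like, as an added example that is not the Tink project's own code: a stand-alone Java program using only the JDK's `javax.crypto`, with a locally generated KEK standing in for the Cloud KMS key so it runs offline. Simplifications, labelled as such: the KEK would never leave KMS in the real flow, and Tink wraps a serialized key message rather than raw DEK bytes; the 4-byte length prefix, the empty associated data on the DEK wrap, and the per-message AES-256-GCM DEK follow Tink's envelope layout.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class EnvelopeDemo {
  private static final SecureRandom RNG = new SecureRandom();
  private static final int IV_LEN = 12, TAG_BITS = 128;

  // AES-GCM with a fresh 12-byte IV prepended to the output; ad is authenticated, not encrypted.
  static byte[] gcmEncrypt(byte[] key, byte[] pt, byte[] ad) throws GeneralSecurityException {
    byte[] iv = new byte[IV_LEN]; RNG.nextBytes(iv);
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
    c.updateAAD(ad);
    byte[] ct = c.doFinal(pt);
    return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
  }
  static byte[] gcmDecrypt(byte[] key, byte[] ivAndCt, byte[] ad) throws GeneralSecurityException {
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, ivAndCt, 0, IV_LEN));
    c.updateAAD(ad);
    return c.doFinal(ivAndCt, IV_LEN, ivAndCt.length - IV_LEN); // AEADBadTagException if tampered
  }
  // Envelope layout as in Tink: 4-byte big-endian length || wrapped DEK || AES-GCM ciphertext of the data.
  static byte[] envelopeEncrypt(byte[] kek, byte[] pt, byte[] ad) throws GeneralSecurityException {
    byte[] dek = new byte[32]; RNG.nextBytes(dek);          // new AES-256 DEK for this message only
    byte[] wrappedDek = gcmEncrypt(kek, dek, new byte[0]);  // stand-in for the Cloud KMS Encrypt call
    byte[] ct = gcmEncrypt(dek, pt, ad);                    // caller's associated data binds the payload
    return ByteBuffer.allocate(4 + wrappedDek.length + ct.length)
        .putInt(wrappedDek.length).put(wrappedDek).put(ct).array();
  }
  static byte[] envelopeDecrypt(byte[] kek, byte[] env, byte[] ad) throws GeneralSecurityException {
    if (env.length < 4) throw new GeneralSecurityException("malformed envelope");
    ByteBuffer buf = ByteBuffer.wrap(env);
    int dekLen = buf.getInt();                              // validate before trusting the length
    if (dekLen <= 0 || dekLen > buf.remaining()) throw new GeneralSecurityException("malformed envelope");
    byte[] wrappedDek = new byte[dekLen]; buf.get(wrappedDek);
    byte[] ct = new byte[buf.remaining()]; buf.get(ct);
    byte[] dek = gcmDecrypt(kek, wrappedDek, new byte[0]);  // stand-in for the Cloud KMS Decrypt call
    return gcmDecrypt(dek, ct, ad);
  }
  public static void main(String[] args) throws Exception {
    byte[] kek = new byte[32]; RNG.nextBytes(kek);          // constructed local KEK; KMS would hold this
    byte[] ad = "testdata.txt".getBytes("UTF-8");
    byte[] env = envelopeEncrypt(kek, "some data".getBytes("UTF-8"), ad);
    System.out.println(new String(envelopeDecrypt(kek, env, ad), "UTF-8"));
    try { envelopeDecrypt(kek, env, "other.txt".getBytes("UTF-8")); }
    catch (GeneralSecurityException e) { System.out.println("wrong associated data rejected"); }
  }
}
```

Decrypting with different associated data, or with a flipped byte anywhere in the envelope, fails the GCM tag check rather than returning altered plaintext, which is the property the optional `associated-data` argument of the CLI relies on.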