xref: /aosp_15_r20/external/tink/java_src/examples/envelopeaead/README.md (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)
# Java envelope encryption example

This example shows how to encrypt data with Tink using
[Envelope Encryption](https://cloud.google.com/kms/docs/envelope-encryption).

It shows how you can use Tink to encrypt data with a newly generated *data
encryption key* (DEK) which is wrapped with a KMS key. The data will be
encrypted with AES256 GCM using the DEK and the DEK will be encrypted with the
KMS key and stored alongside the ciphertext.
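
The scheme described above, sketched with the JDK's own `javax.crypto` classes as an added example (not Tink's or this README's code). A local AES key stands in for the Cloud KMS KEK, and the class name `EnvelopeSketch`, the helper names and the length-prefixed layout are assumptions made for this illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not Tink code: the KEK is a local key standing in for Cloud KMS.
public class EnvelopeSketch {
  static byte[] random(int n) { byte[] b = new byte[n]; new SecureRandom().nextBytes(b); return b; }
  // AES-256-GCM; output is 12-byte nonce || ciphertext || 16-byte tag.
  static byte[] seal(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
    byte[] nonce = random(12);
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
    c.updateAAD(aad);
    byte[] ct = c.doFinal(plaintext);
    return ByteBuffer.allocate(12 + ct.length).put(nonce).put(ct).array();
  }
  static byte[] open(SecretKey key, byte[] sealed, byte[] aad) throws Exception {
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, sealed, 0, 12));
    c.updateAAD(aad);
    return c.doFinal(sealed, 12, sealed.length - 12); // AEADBadTagException on any mismatch
  }
  // Assumed layout: 4-byte wrapped-DEK length || wrapped DEK || encrypted data.
  static byte[] envelopeEncrypt(SecretKey kek, byte[] data, byte[] aad) throws Exception {
    SecretKey dek = new SecretKeySpec(random(32), "AES"); // fresh DEK for every message
    byte[] wrapped = seal(kek, dek.getEncoded(), new byte[0]); // the KMS call in the real example
    byte[] body = seal(dek, data, aad);
    return ByteBuffer.allocate(4 + wrapped.length + body.length)
        .putInt(wrapped.length).put(wrapped).put(body).array();
  }
  static byte[] envelopeDecrypt(SecretKey kek, byte[] blob, byte[] aad) throws Exception {
    ByteBuffer buf = ByteBuffer.wrap(blob);
    int n = blob.length < 4 ? -1 : buf.getInt();
    if (n <= 0 || n > buf.remaining()) throw new IllegalArgumentException("bad DEK length");
    byte[] wrapped = new byte[n];
    byte[] body = new byte[buf.remaining() - n];
    buf.get(wrapped).get(body);
    return open(new SecretKeySpec(open(kek, wrapped, new byte[0]), "AES"), body, aad);
  }
  public static void main(String[] args) throws Exception {
    SecretKey kek = new SecretKeySpec(random(32), "AES"); // constructed local KEK
    byte[] aad = "doc-1".getBytes(StandardCharsets.UTF_8); // constructed associated data
    byte[] blob = envelopeEncrypt(kek, "some data".getBytes(StandardCharsets.UTF_8), aad);
    System.out.println(new String(envelopeDecrypt(kek, blob, aad), StandardCharsets.UTF_8));
  }
}
```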

The CLI takes the following arguments:

*   mode: "encrypt" or "decrypt" to indicate if you want to encrypt or decrypt.
*   kek-uri: The URI for the key to be used for envelope encryption.
*   gcp-credential-file: Name of the file with the GCP credentials in JSON
    format.
*   input-file: Read the input from this file.
*   output-file: Write the result to this file.
*   [optional] associated-data: Associated data used for the encryption or
    decryption.

## Build and Run

### Prerequisites

This envelope encryption example uses a Cloud KMS key as a key-encryption key
(KEK). In order to run it, you need to:

*   Create a symmetric key on Cloud KMS. Copy the key URI, which is in this
    format:
    `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

*   Create a service account that is allowed to encrypt and decrypt with the
    above key, and download its credential JSON file.

### Bazel

```shell
git clone https://github.com/google/tink
cd tink/java_src/examples
bazel build ...
```

You can then encrypt a file:

```shell
echo "some data" > testdata.txt
# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and
# my-service-account.json with your service account's credential JSON file.
./bazel-bin/envelopeaead/envelope_aead_example encrypt \
    gcp-kms://<my-key-uri> \
    my-service-account.json \
    testdata.txt testdata.txt.encrypted
```

or decrypt the file with:

```shell
./bazel-bin/envelopeaead/envelope_aead_example decrypt \
    gcp-kms://<my-key-uri> \
    my-service-account.json \
    testdata.txt.encrypted testdata.txt
```