Name | Date | Size | #Lines | LOC
---|---|---|---|---
.. | - | - | - | -
BUILD.bazel | 25-Apr-2025 | 1.7 KiB | 47 | 43
GcsEnvelopeAeadExample.java | 25-Apr-2025 | 7.4 KiB | 192 | 118
README.md | 25-Apr-2025 | 2.7 KiB | 84 | 60
gcs_envelope_aead_example_test.sh | 25-Apr-2025 | 2.5 KiB | 84 | 40
README.md
# Java Google Cloud Storage (GCS) client-side encryption example

This example shows how to encrypt/decrypt GCS blobs with Tink using
[Envelope Encryption](https://cloud.google.com/kms/docs/envelope-encryption).

It shows how you can use Tink to encrypt data with a newly generated *data
encryption key* (DEK) which is wrapped with a KMS key. The data will be
encrypted with AES256 GCM using the DEK, and the DEK will be encrypted with the
KMS key and stored alongside the ciphertext in GCS.

The CLI takes the following required arguments:

* mode: "encrypt" or "decrypt" to indicate if you want to encrypt or decrypt.
* kek-uri: The URI for the Cloud KMS key to be used for envelope encryption.
* gcp-credential-file: Name of the file with the Google Cloud Platform (GCP)
  credentials (in JSON format) that can access the Cloud KMS key and the GCS
  input/output blobs.
* gcp-project-id: The ID of the GCP project hosting the GCS blobs that you
  want to encrypt or decrypt.

When mode is "encrypt", it takes the following additional arguments:

* local-input-file: Read the plaintext from this local file.
* gcs-output-blob: Write the encryption result to this blob in GCS. The
  encryption result is bound to the location of this blob. That is, if you
  rename or move it to a different bucket, decryption will fail.

When mode is "decrypt", it takes the following additional arguments:

* gcs-input-blob: Read the ciphertext from this blob in GCS.
* local-output-file: Write the decryption result to this local file.

`gcs-input-blob` and `gcs-output-blob` have this format:
`gs://my-bucket-name/my-object-name`.

## Build and Run

### Prerequisite

This envelope encryption example uses a Cloud KMS key as a key-encryption key
(KEK). In order to run it, you need to:

* Create a symmetric key on Cloud KMS. Copy the key URI, which is in this
  format:
  `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

* Create a bucket on GCS.

* Create and download a service account that is allowed to encrypt and decrypt
  with the Cloud KMS key, and read/write to the GCS bucket.

### Bazel

```shell
git clone https://github.com/google/tink
cd tink/examples/java_src
bazel build ...
```

Encrypt a file and upload it to GCS:

```shell
echo "some data" > testdata.txt

./bazel-bin/gcs/gcs_envelope_aead_example \
  encrypt \
  gcp-kms://my-cloud-kms-key-uri \
  my-service-account.json \
  my-gcp-project-id \
  testdata.txt gs://my-bucket-name/my-blob-name
```

Download a file from GCS and decrypt it:

```shell
./bazel-bin/gcs/gcs_envelope_aead_example \
  decrypt \
  gcp-kms://my-key-uri \
  my-service-account.json \
  my-gcp-project-id \
  gs://my-bucket-name/my-blob-name testdata.txt.decrypted
```
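The envelope scheme the README describes (fresh DEK per blob, payload under AES-256-GCM, DEK wrapped by the KEK, wrapped DEK stored next to the ciphertext, result bound to the blob location) is shown below as an added, self-contained illustration. It is not the project's `GcsEnvelopeAeadExample.java` and does not use Tink; it uses Go's standard-library AES-GCM. Two things are assumptions of this example only: a locally generated AES-GCM key stands in for the Cloud KMS KEK (a real client never holds KEK bytes, it calls the KMS encrypt/decrypt API), and the on-disk framing `len(wrappedDEK) || wrappedDEK || ciphertext` is this example's own choice, not a claim about Tink's wire format. The blob URI is passed as GCM associated data, which is what makes decryption fail after a rename or move.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// NewLocalKEK returns an AES-256-GCM AEAD standing in for the Cloud KMS
// key-encryption key. Assumption of this example only: a real deployment
// never sees KEK bytes; it sends the DEK to the KMS API to wrap/unwrap it.
func NewLocalKEK() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return newAESGCM(key)
}

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce to the GCM output so open can recover it.
func seal(a cipher.AEAD, plaintext, associatedData []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, associatedData), nil
}

// open splits off the nonce and authenticates before returning any plaintext.
func open(a cipher.AEAD, ciphertext, associatedData []byte) ([]byte, error) {
	ns := a.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return a.Open(nil, ciphertext[:ns], ciphertext[ns:], associatedData)
}

// EnvelopeEncrypt generates a fresh 256-bit DEK, encrypts plaintext under it
// with AES-256-GCM (blobURI as associated data, which binds the ciphertext to
// its storage location), wraps the DEK under the KEK, and returns
// 4-byte big-endian len(wrappedDEK) || wrappedDEK || ciphertext.
func EnvelopeEncrypt(kek cipher.AEAD, plaintext []byte, blobURI string) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dekAead, err := newAESGCM(dek)
	if err != nil {
		return nil, err
	}
	ciphertext, err := seal(dekAead, plaintext, []byte(blobURI))
	if err != nil {
		return nil, err
	}
	wrappedDEK, err := seal(kek, dek, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(wrappedDEK)+len(ciphertext))
	binary.BigEndian.PutUint32(out, uint32(len(wrappedDEK)))
	out = append(out, wrappedDEK...)
	return append(out, ciphertext...), nil
}

// EnvelopeDecrypt parses the envelope, unwraps the DEK with the KEK, then
// decrypts the payload. A different blobURI, a tampered byte, or the wrong
// KEK all fail GCM authentication and return an error instead of plaintext.
func EnvelopeDecrypt(kek cipher.AEAD, envelope []byte, blobURI string) ([]byte, error) {
	if len(envelope) < 4 {
		return nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint32(envelope[:4]))
	if n < 0 || n > len(envelope)-4 {
		return nil, errors.New("invalid wrapped DEK length")
	}
	dek, err := open(kek, envelope[4:4+n], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping DEK: %w", err)
	}
	dekAead, err := newAESGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(dekAead, envelope[4+n:], []byte(blobURI))
}

func main() {
	kek, err := NewLocalKEK()
	if err != nil {
		panic(err)
	}
	const blob = "gs://my-bucket-name/my-blob-name" // constructed sample location
	env, err := EnvelopeEncrypt(kek, []byte("some data"), blob)
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(kek, env, blob)
	fmt.Printf("decrypt at original location: %q err=%v\n", pt, err)
	_, err = EnvelopeDecrypt(kek, env, "gs://other-bucket/my-blob-name")
	fmt.Printf("decrypt after move to another bucket: err=%v\n", err)
}
```

The per-blob DEK is why the KEK never touches bulk data: only the 32-byte DEK ever goes to KMS, so large objects are encrypted locally and a KEK rotation only requires re-wrapping DEKs. Keeping the blob URI in the associated data rather than in the plaintext means the location check costs nothing extra and cannot be stripped without invalidating the GCM tag.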