# Python example: working with encrypted keysets

This example shows how to generate or load an encrypted keyset, obtain a
primitive, and use the primitive to do crypto.

## Build and run

### Prerequisites

This example uses a Cloud KMS key as a key-encryption key (KEK) to
encrypt/decrypt a keyset, which in turn is used to encrypt files.

In order to run this example, you need to:

* Create a symmetric key on Cloud KMS. Copy the key URI, which is in this
  format:
  `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

* Create a service account that is allowed to encrypt and decrypt with the above
  key and download a JSON credentials file.

### Bazel

```shell
$ git clone https://github.com/google/tink
$ cd tink/python/examples
$ bazel build ...
```

You can generate an encrypted keyset:

```shell
# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and
# my-service-account.json with your service account's credential JSON file.
$ ./bazel-bin/encrypted_keyset/encrypted_keyset --mode generate \
    --keyset_path aes128_gcm_test_encrypted_keyset.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --gcp_credential_path my-service-account.json
```

You can then encrypt a file:

```shell
$ echo "some data" > testdata.txt
$ ./bazel-bin/encrypted_keyset/encrypted_keyset --mode encrypt \
    --keyset_path aes128_gcm_test_encrypted_keyset.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --gcp_credential_path my-service-account.json \
    --input_path testdata.txt --output_path testdata.txt.encrypted
```

Or decrypt the file with:

```shell
$ ./bazel-bin/encrypted_keyset/encrypted_keyset --mode decrypt \
    --keyset_path aes128_gcm_test_encrypted_keyset.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --gcp_credential_path my-service-account.json \
    --input_path testdata.txt.encrypted --output_path testdata.txt.decrypted
$ diff testdata.txt testdata.txt.decrypted
```