This topic shows how to re-encrypt data using a Cloud Key Management Service symmetric key. You can adapt these examples for asymmetric keys. If you suspect unauthorized use of a key, you should re-encrypt the data protected by that key and then disable or schedule destruction of the prior key version.
Before you begin
This scenario requires the following conditions.
You have already encrypted data using Cloud KMS.
The key version used for the encryption is not disabled, scheduled for destruction, or destroyed. You use this key version to decrypt the encrypted data.
You have already rotated keys. A key rotation creates a new primary key version. You use the new primary key version to re-encrypt the data.
Re-encrypting data using asymmetric keys
The examples in this topic show how to re-encrypt data using a symmetric key. When you use a symmetric key, Cloud KMS automatically infers the key version to use for decryption. When you use an asymmetric key, you must specify the key version.
- When following instructions for using the Google Cloud CLI, always include
the
--version
flag. - When following instructions for using the API, you use
CryptoKeyVersions
instead ofCryptoKeys
. You can read more about encrypting and decrypting data with an asymmetric key.
The workflow for re-encrypting data with asymmetric keys is similar to the one described in this topic.
Re-encrypting data workflow
Use the following steps to re-encrypt data and disable or schedule destruction of the key version used for the original encryption.
Decrypt the data using the prior key version
Cloud KMS automatically uses the correct key version to decrypt data, as long as the key version is not disabled, scheduled for destruction, or destroyed. The following examples show how to decrypt the data. This is the same decryption code used in Encrypting and Decrypting.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
gcloud kms decrypt \ --key KEY_NAME \ --keyring KEY_RING \ --location LOCATION \ --ciphertext-file FILE_TO_DECRYPT \ --plaintext-file DECRYPTED_OUTPUT
Replace the following:
KEY_NAME
: the name of the key that you want to use for decryption.KEY_RING
: the name of the key ring that contains the key.LOCATION
: the Cloud KMS location that contains the key ring.FILE_TO_DECRYPT
: the path to the file that you want to decrypt.DECRYPTED_OUTPUT
: the path where you want to save the decrypted output.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.
Decrypted text that is returned in the JSON from Cloud KMS is base64 encoded.
To decrypt encrypted data, make a POST
request and provide the appropriate
project and key information and specify the encrypted text (also known as
ciphertext) to be decrypted in the ciphertext
field of the request body.
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:decrypt" \ --request "POST" \ --header "authorization: Bearer TOKEN" \ --header "content-type: application/json" \ --data "{\"ciphertext\": \"ENCRYPTED_DATA\"}"
Replace the following:
PROJECT_ID
: the ID of the project that contains the key ring and key that you want to use for decryption.LOCATION
: the Cloud KMS location that contains the key ring.KEY_RING
: the key ring that contains the key that you want to use for decryption.KEY_NAME
: the name of the key that you want to use for decryption.ENCRYPTED_DATA
: the encrypted data that you want to decrypt.
Here is an example payload with base64 encoded data:
{ "ciphertext": "CiQAhMwwBo61cHas7dDgifrUFs5zNzBJ2uZtVFq4ZPEl6fUVT4kSmQ...", }
Re-encrypt the data using the new primary key version
Cloud KMS automatically uses the new primary key version to encrypt data. The following examples show how to encrypt the data. This is the same encryption code used in Encrypting and Decrypting.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
gcloud kms encrypt \ --key KEY_NAME \ --keyring KEY_RING \ --location LOCATION \ --plaintext-file FILE_TO_ENCRYPT \ --ciphertext-file ENCRYPTED_OUTPUT
Replace the following:
KEY_NAME
: the name of the key that you want to use for encryption.KEY_RING
: the name of the key ring that contains the key.LOCATION
: the Cloud KMS location that contains the key ring.FILE_TO_ENCRYPT
: the path to the file that you want to encrypt.ENCRYPTED_OUTPUT
: the path where you want to save the encrypted output.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.
When using JSON and the REST API, content must be base64 encoded before it can be encrypted by Cloud KMS.
To encrypt data, make a POST
request and provide the appropriate project and
key information and specify the base64 encoded text to be encrypted in the
plaintext
field of the request body.
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:encrypt" \ --request "POST" \ --header "authorization: Bearer TOKEN" \ --header "content-type: application/json" \ --data "{\"plaintext\": \"PLAINTEXT_TO_ENCRYPT\"}"
Replace the following:
PROJECT_ID
: the ID of the project that contains the key ring and key that you want to use for encryption.LOCATION
: the Cloud KMS location that contains the key ring.KEY_RING
: the key ring that contains the key that you want to use for encryption.KEY_NAME
: the name of the key that you want to use for encryption.PLAINTEXT_TO_ENCRYPT
: the plaintext data that you want to encrypt. The plaintext must be base64 encoded before you call theencrypt
method.
Here is an example payload with base64 encoded data:
{ "plaintext": "U3VwZXIgc2VjcmV0IHRleHQgdGhhdCBtdXN0IGJlIGVuY3J5cHRlZAo=", }
Disable or schedule destruction of the prior key version
If you rotated your key in response to a suspected incident, after you have re-encrypted the data, disable or schedule destruction of the prior key version.
Disable an enabled key version
Only a key version which is Enabled can be Disabled. This is done with the
method UpdateCryptoKeyVersion
.
Console
Go to the Key Management page in the Google Cloud console.
Click the name of the key ring that contains the key whose key version you will disable.
Click the key whose key version you want to disable.
Check the box next to the key version(s) that you want to disable.
Click Disable in the header.
In the confirmation prompt, click Disable.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
gcloud kms keys versions disable key-version \ --key key \ --keyring key-ring \ --location location
Replace key-version with the version of the key to disable. Replace key with the name of the key. Replace key-ring with the name of the key ring where the key is located. Replace location with the Cloud KMS location for the key ring.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
Schedule a key version for destruction
Only key versions which are Enabled or Disabled can be Scheduled for
destruction. This
is done with the method
DestroyCryptoKeyVersion
.
Console
In the Google Cloud console, go to the Key Management page.
Check the box next to the key version that you want to schedule for destruction.
Click Destroy in the header.
In the confirmation prompt, enter the key name and then click Schedule Destruction.
gcloud
To use Cloud KMS on the command line, first Install or upgrade to the latest version of Google Cloud CLI.
gcloud kms keys versions destroy KEY_VERSION \ --key KEY_NAME \ --keyring KEY_RING \ --location LOCATION
Replace the following:
KEY_VERSION
: the version number of the key version that you want to destroy.KEY_NAME
: the name of the key for which you want to destroy a key version.KEY_RING
: the name of the key ring that contains the key.LOCATION
: the Cloud KMS location of the key ring.
For information on all flags and possible values, run the command with the
--help
flag.
C#
To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.
Go
To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.
Java
To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.
Python
To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.
API
These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.
Destroy a key version by calling the CryptoKeyVersions.destroy method.
curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION:destroy" \ --request "POST" \ --header "authorization: Bearer TOKEN"