Encrypting and decrypting data with a symmetric key (original) (raw)

Technology areas
- Overview
- Guides
- Reference
- Samples
- Resources
Cross-product tools
Console
Discover
Product overview
CMEK overview
Cloud KMS with Autokey
Compatible services
Cloud HSM for Google Workspace
Locations
Get started
Cloud KMS resources
Key purposes and algorithms
Separation of duties
Create and use encryption keys
CMEK best practices
Create keys
Create a key ring
Create a key
Import keys
- About key import
- Key wrapping
- Format a key for import
- Set up automatic key wrapping
- Import a key version
- Verify an imported key version
Control access
Manage IAM roles
Use Organization Policy Contraints
Create custom organization policy constraints for Cloud KMS
CMEK organization policies
Control key destruction
Secure data using keys
Use Cloud KMS keys in Google Cloud
Encrypt and decrypt data
- Envelope encryption
- Additional authenticated data
- Asymmetric encryption
- Encrypt and decrypt data with a symmetric key
- Encrypt and decrypt data with a raw symmetric key
- Encrypt and decrypt data with an asymmetric key
- Verify end-to-end data integrity
- Encrypt application data
- Set up client-side encryption with Tink
Onboard to Cloud HSM for Google Workspace
Manage keys
Resource consistency
Key version states
Label a key
Create and manage tags
Enable and disable a key version
Destroy and restore a key version
Update external key reference
Monitor
Using Cloud Audit Logging
Cloud KMS Inventory Service audit logging
Monitor state changes
Monitor and adjust quotas
Use Cloud Monitoring
Monitor EKM usage
Troubleshoot
Troubleshoot failed imports
Troubleshoot EKM via VPC errors

Encrypting and decrypting data with a symmetric key

This page shows you how to use Cloud Key Management Service (Cloud KMS) to do the following symmetric key operations:

Encrypt text or binary content (plaintext) by using a Cloud KMS key.
Decrypt ciphertext that was encrypted with a Cloud KMS key.

If you want to use an asymmetric key for encryption, see Encrypting and decrypting data with an asymmetric key. To learn about raw symmetric encryption, see raw symmetric encryption.

Before you begin

Create a key ring and create a key.
Ensure the user that is calling the encrypt and decrypt methods has thecloudkms.cryptoKeyVersions.useToEncrypt andcloudkms.cryptoKeyVersions.useToDecrypt permissions on the key.
One way to permit a user to encrypt or decrypt is to add the user to theroles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, orroles/cloudkms.cryptoKeyEncrypterDecrypter IAM roles for that key. The roles/cloudkms.admin role does notprovide these two permissions. For more information, seePermissions and Roles.

Encrypt

gcloud

To use Cloud KMS on the command line, firstInstall or upgrade to the latest version of Google Cloud CLI.

gcloud kms encrypt
--key KEY_NAME
--keyring KEY_RING
--location LOCATION
--plaintext-file FILE_TO_ENCRYPT
--ciphertext-file ENCRYPTED_OUTPUT

Replace the following:

KEY_NAME: the name of the key that you want to use for encryption.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location that contains the key ring.
FILE_TO_ENCRYPT: the path to the file that you want to encrypt.
ENCRYPTED_OUTPUT: the path where you want to save the encrypted output.

For information on all flags and possible values, run the command with the--help flag.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, seeAccessing the Cloud KMS API.

When using JSON and the REST API, content must be base64 encoded before it can be encrypted by Cloud KMS.

To encrypt data, make a POST request and provide the appropriate project and key information and specify the base64 encoded text to be encrypted in theplaintext field of the request body.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:encrypt"
--request "POST"
--header "authorization: Bearer TOKEN"
--header "content-type: application/json"
--data "{"plaintext": "PLAINTEXT_TO_ENCRYPT"}"

Replace the following:

PROJECT_ID: the ID of the project that contains the key ring and key that you want to use for encryption.
LOCATION: the Cloud KMS location that contains the key ring.
KEY_RING: the key ring that contains the key that you want to use for encryption.
KEY_NAME: the name of the key that you want to use for encryption.
PLAINTEXT_TO_ENCRYPT: the plaintext data that you want to encrypt. The plaintext must be base64 encoded before you call theencrypt method.

Here is an example payload with base64 encoded data:

{ "plaintext": "U3VwZXIgc2VjcmV0IHRleHQgdGhhdCBtdXN0IGJlIGVuY3J5cHRlZAo=", }

Decrypt

gcloud

To use Cloud KMS on the command line, firstInstall or upgrade to the latest version of Google Cloud CLI.

gcloud kms decrypt
--key KEY_NAME
--keyring KEY_RING
--location LOCATION
--ciphertext-file FILE_TO_DECRYPT
--plaintext-file DECRYPTED_OUTPUT

Replace the following:

KEY_NAME: the name of the key that you want to use for decryption.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location that contains the key ring.
FILE_TO_DECRYPT: the path to the file that you want to decrypt.
DECRYPTED_OUTPUT: the path where you want to save the decrypted output.

For information on all flags and possible values, run the command with the--help flag.

C#

To run this code, first set up a C# development environment andinstall the Cloud KMS C# SDK.

Go

To run this code, first set up a Go development environment andinstall the Cloud KMS Go SDK.

Java

To run this code, first set up a Java development environment andinstall the Cloud KMS Java SDK.

Node.js

To run this code, first set up a Node.js development environment andinstall the Cloud KMS Node.js SDK.

PHP

To run this code, first learn about using PHP on Google Cloud andinstall the Cloud KMS PHP SDK.

Python

To run this code, first set up a Python development environment andinstall the Cloud KMS Python SDK.

Ruby

To run this code, first set up a Ruby development environment andinstall the Cloud KMS Ruby SDK.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, seeAccessing the Cloud KMS API.

Decrypted text that is returned in the JSON from Cloud KMS is base64 encoded.

To decrypt encrypted data, make a POST request and provide the appropriate project and key information and specify the encrypted text (also known as_ciphertext_) to be decrypted in the ciphertext field of the request body.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:decrypt"
--request "POST"
--header "authorization: Bearer TOKEN"
--header "content-type: application/json"
--data "{"ciphertext": "ENCRYPTED_DATA"}"

Replace the following:

PROJECT_ID: the ID of the project that contains the key ring and key that you want to use for decryption.
LOCATION: the Cloud KMS location that contains the key ring.
KEY_RING: the key ring that contains the key that you want to use for decryption.
KEY_NAME: the name of the key that you want to use for decryption.
ENCRYPTED_DATA: the encrypted data that you want to decrypt.

Here is an example payload with base64 encoded data:

{ "ciphertext": "CiQAhMwwBo61cHas7dDgifrUFs5zNzBJ2uZtVFq4ZPEl6fUVT4kSmQ...", }

What's next

Read more about raw symmetric encryption.
Read more about envelope encryption.
Try the Encrypt and decrypt data with Cloud KMS Codelab.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-16 UTC.