Encrypting and decrypting data with an asymmetric key (original) (raw)

Skip to main content

• Technology areas

  • Overview
  • Guides
  • Reference
  • Samples
  • Resources

• Cross-product tools

• Console

• Discover

• Product overview

• CMEK overview

• Cloud KMS with Autokey

• Compatible services

• Cloud HSM for Google Workspace

• Locations

• Get started

• Cloud KMS resources

• Key purposes and algorithms

• Separation of duties

• Create and use encryption keys

• CMEK best practices

• Create keys

• Create a key ring

• Create a key

• Import keys

  • About key import
  • Key wrapping
  • Format a key for import
  • Set up automatic key wrapping
  • Import a key version
  • Verify an imported key version

• Control access

• Manage IAM roles

• Use Organization Policy Contraints

• Create custom organization policy constraints for Cloud KMS

• CMEK organization policies

• Control key destruction

• Secure data using keys

• Use Cloud KMS keys in Google Cloud

• Encrypt and decrypt data

  • Envelope encryption
  • Additional authenticated data
  • Asymmetric encryption
  • Encrypt and decrypt data with a symmetric key
  • Encrypt and decrypt data with a raw symmetric key
  • Encrypt and decrypt data with an asymmetric key
  • Verify end-to-end data integrity
  • Encrypt application data
  • Set up client-side encryption with Tink

• Onboard to Cloud HSM for Google Workspace

• Manage keys

• Resource consistency

• Key version states

• Label a key

• Create and manage tags

• Enable and disable a key version

• Destroy and restore a key version

• Update external key reference

• Monitor

• Using Cloud Audit Logging

• Cloud KMS Inventory Service audit logging

• Monitor state changes

• Monitor and adjust quotas

• Use Cloud Monitoring

• Monitor EKM usage

• Troubleshoot

• Troubleshoot failed imports

• Troubleshoot EKM via VPC errors

Encrypting and decrypting data with an asymmetric key

This topic provides information about creating and using a key for asymmetric encryption using an RSA key. If you want to use asymmetric keys for creating and validating signatures, see Creating and validating digital signatures. If you want to use symmetric keys for encryption and decryption, seeEncrypting and decrypting data.

Asymmetric encryption uses the public key portion of the asymmetric key and decryption uses the private key portion of the key. Cloud Key Management Service provides functionality to retrieve the public key and functionality to decrypt ciphertext that was encrypted with the public key. Cloud KMS does not allow direct access to the private key.

Before you begin

• This topic provides examples that run at the command line. To simplify using the examples, use Cloud Shell. The encryption example usesOpenSSL, which is pre-installed on Cloud Shell.
• Create an asymmetric key with key purpose of ASYMMETRIC_DECRYPT. To see which algorithms are supported for key purpose ASYMMETRIC_DECRYPT, seeAsymmetric encryption algorithms. You cannot follow this procedure with a key with purpose of ASYMMETRIC_SIGN.
• If you are going to use the command line, install OpenSSL if you do not already have it. If you use Cloud Shell, OpenSSL is already installed.
• **macOS users:**The version of OpenSSL installed on macOS does not support the flags used todecrypt data in this topic. To follow these steps on macOS, install OpenSSL from Homebrew.

Access control to the key

• For a user or service that will retrieve the public key, grant thecloudkms.cryptoKeyVersions.viewPublicKey permission on the asymmetric key. The public key is required for encrypting data.
• For a user or service that will decrypt data that was encrypted with the public key, grant the cloudkms.cryptoKeyVersions.useToDecrypt permission on the asymmetric key.

Learn about permissions and roles in Cloud KMS atPermissions and Roles.

Encrypt data

To encrypt data using an asymmetric encryption key, retrieve the public key and use the public key to encrypt the data.

Decrypt data

Use Cloud KMS to perform the decryption.

gcloud

To use Cloud KMS on the command line, firstInstall or upgrade to the latest version of Google Cloud CLI.

gcloud kms asymmetric-decrypt
--version key-version
--key key
--keyring key-ring
--location location
--ciphertext-file file-path-with-encrypted-data
--plaintext-file file-path-to-store-plaintext

Replace key-version with the key version, or omit the --versionflag to detect the version automatically. Replace key with the name of the key to use for decryption. Replace key-ring with the name of the key ring where the key will be located. Replace location with the Cloud KMS location for the key ring. Replacefile-path-with-encrypted-data and file-path-to-store-plaintextwith the local file paths for reading the encrypted data and saving the decrypted output.

For information on all flags and possible values, run the command with the--help flag.

To display the contents of the decrypted file, open it in your editor or terminal. Here is an example that shows the file contents using the catcommand:

cat ./my-file.txt

C#

To run this code, first set up a C# development environment andinstall the Cloud KMS C# SDK.

Go

To run this code, first set up a Go development environment andinstall the Cloud KMS Go SDK.

Java

To run this code, first set up a Java development environment andinstall the Cloud KMS Java SDK.

Node.js

To run this code, first set up a Node.js development environment andinstall the Cloud KMS Node.js SDK.

PHP

To run this code, first learn about using PHP on Google Cloud andinstall the Cloud KMS PHP SDK.

Python

To run this code, first set up a Python development environment andinstall the Cloud KMS Python SDK.

Ruby

To run this code, first set up a Ruby development environment andinstall the Cloud KMS Ruby SDK.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, seeAccessing the Cloud KMS API.

Use theCryptoKeyVersions.asymmetricDecryptmethod.

Troubleshooting

incorrect key purpose: ASYMMETRIC_SIGN

You can only decrypt data with a key with key purpose ASYMMETRIC_DECRYPT.

invalid parameter when decrypting on macOS

The version of OpenSSL installed on macOS does not support the flags used todecrypt data in this topic. To follow these steps on macOS, install OpenSSL from Homebrew.

data too large for key size

The maximum payload size for RSA decryption depends on the key size and padding algorithm. All RSA encryption formats used by Cloud KMS use OAEP, standardized inRFC 2437. As a quick reference, the following algorithms support the following maximum payload sizes (maxMLen, in bytes):

Asymmetric encryption is not recommended for messages of varying lengths that may be larger than these limits. Consider using hybrid encryption instead.Tink is a cryptographic library that uses this approach.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-16 UTC.