# Java encrypted keysets example

This example shows how to generate or load an encrypted keyset, obtain a
primitive, and use the primitive to do crypto.

## Build and run

### Prerequisite

This example uses a Cloud KMS key as a key-encryption key (KEK) to
encrypt/decrypt a keyset, which in turn is used to encrypt files.

In order to run this example, you need to:

* Create a symmetric key on Cloud KMS. Copy the key URI, which is in this
  format:
  `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

* Create a service account that is allowed to encrypt and decrypt with the
  above key, and download its credential JSON file.

### Bazel

```shell
git clone https://github.com/google/tink
cd tink/examples/java_src
bazel build ...
```

Generate an encrypted keyset:

```shell
# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and
# my-service-account.json with your service account's credential JSON file.
./bazel-bin/encryptedkeyset/encrypted_keyset_example \
    generate \
    aes128_gcm_test_encrypted_keyset.json \
    gcp-kms://<my-key-uri> \
    my-service-account.json
```

Encrypt a file:

```shell
echo "some data" > testdata.txt

./bazel-bin/encryptedkeyset/encrypted_keyset_example \
    encrypt \
    aes128_gcm_test_encrypted_keyset.json \
    gcp-kms://<my-key-uri> \
    my-service-account.json \
    testdata.txt testdata.txt.encrypted
```

Decrypt a file:

```shell
./bazel-bin/encryptedkeyset/encrypted_keyset_example \
    decrypt \
    aes128_gcm_test_encrypted_keyset.json \
    gcp-kms://<my-key-uri> \
    my-service-account.json \
    testdata.txt.encrypted testdata.txt.decrypted

diff testdata.txt testdata.txt.decrypted
```
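The flow this README describes (generate or load a KEK-encrypted keyset, obtain a primitive, use it), as an added Java example written against the Tink Java API; it is not the source of `encrypted_keyset_example`. The class name, the generate-if-missing behaviour and the associated-data value are assumptions made for illustration, and it expects the Tink and Tink GCP KMS libraries on the classpath.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.JsonKeysetWriter;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Optional;

public final class EncryptedKeysetDemo { // hypothetical class name
  // Args: <keyset.json> gcp-kms://<my-key-uri> <my-service-account.json>
  public static void main(String[] args) throws Exception {
    File keysetFile = new File(args[0]);
    String kekUri = args[1];
    String credentialsPath = args[2];
    AeadConfig.register();
    // The KEK stays in Cloud KMS; kekAead sends wrap/unwrap requests to it.
    GcpKmsClient.register(Optional.of(kekUri), Optional.of(credentialsPath));
    Aead kekAead = KmsClients.get(kekUri).getAead(kekUri);

    if (!keysetFile.exists()) {
      // Generate: only the KEK-encrypted form of the keyset reaches disk.
      KeysetHandle fresh = KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM"));
      try (FileOutputStream out = new FileOutputStream(keysetFile)) {
        fresh.write(JsonKeysetWriter.withOutputStream(out), kekAead);
      }
    }
    // Load: the KEK unwraps the keyset, which then exists in cleartext only in memory.
    KeysetHandle handle;
    try (FileInputStream in = new FileInputStream(keysetFile)) {
      handle = KeysetHandle.read(JsonKeysetReader.withInputStream(in), kekAead);
    }
    Aead aead = handle.getPrimitive(Aead.class);

    byte[] plaintext = "some data".getBytes(StandardCharsets.UTF_8);
    byte[] associatedData = "testdata.txt".getBytes(StandardCharsets.UTF_8); // constructed value
    byte[] ciphertext = aead.encrypt(plaintext, associatedData);
    if (!Arrays.equals(plaintext, aead.decrypt(ciphertext, associatedData))) {
      throw new IllegalStateException("round trip failed");
    }
    System.out.println("round trip ok, ciphertext bytes: " + ciphertext.length);
  }
}
```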