# Java Google Cloud Storage (GCS) client-side encryption example

This example shows how to encrypt/decrypt GCS blobs with Tink using
[Envelope Encryption](https://cloud.google.com/kms/docs/envelope-encryption).

It shows how you can use Tink to encrypt data with a newly generated *data
encryption key* (DEK) which is wrapped with a KMS key. The data is encrypted
with AES256-GCM using the DEK; the DEK is encrypted with the KMS key and stored
alongside the ciphertext in GCS.

The CLI takes the following required arguments:

* mode: "encrypt" or "decrypt" to indicate whether you want to encrypt or decrypt.
* kek-uri: The URI of the Cloud KMS key to be used for envelope encryption.
* gcp-credential-file: Name of the file with the Google Cloud Platform (GCP)
  credentials (in JSON format) that can access the Cloud KMS key and the GCS
  input/output blobs.
* gcp-project-id: The ID of the GCP project hosting the GCS blobs that you
  want to encrypt or decrypt.

When mode is "encrypt", it takes the following additional arguments:

* local-input-file: Read the plaintext from this local file.
* gcs-output-blob: Write the encryption result to this blob in GCS. The
  encryption result is bound to the location of this blob. That is, if you
  rename it or move it to a different bucket, decryption will fail.

When mode is "decrypt", it takes the following additional arguments:

* gcs-input-blob: Read the ciphertext from this blob in GCS.
* local-output-file: Write the decryption result to this local file.

`gcs-input-blob` and `gcs-output-blob` have this format:
`gs://my-bucket-name/my-object-name`.

## Build and Run

### Prerequisites

This envelope encryption example uses a Cloud KMS key as a key-encryption key
(KEK). In order to run it, you need to:

* Create a symmetric key on Cloud KMS. Copy the key URI, which has this
  format:
  `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

* Create a bucket on GCS.

* Create a service account that is allowed to encrypt and decrypt with the
  Cloud KMS key and to read/write to the GCS bucket, and download its JSON
  credentials file.

### Bazel

```shell
git clone https://github.com/google/tink
cd tink/examples/java_src
bazel build ...
```

Encrypt a file and upload it to GCS:

```shell
echo "some data" > testdata.txt

./bazel-bin/gcs/gcs_envelope_aead_example \
  encrypt \
  gcp-kms://my-cloud-kms-key-uri \
  my-service-account.json \
  my-gcp-project-id \
  testdata.txt gs://my-bucket-name/my-blob-name
```

Download a file from GCS and decrypt it:

```shell
./bazel-bin/gcs/gcs_envelope_aead_example \
  decrypt \
  gcp-kms://my-cloud-kms-key-uri \
  my-service-account.json \
  my-gcp-project-id \
  gs://my-bucket-name/my-blob-name testdata.txt.decrypted
```
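The envelope scheme described above, as an added example that is not part of the Tink project's code: a fresh DEK per blob, AES-256-GCM over the data with the blob URI as associated data (which is what makes decryption fail after a rename or move), and the wrapped DEK stored in front of the ciphertext. A local AES-256-GCM key stands in for the Cloud KMS KEK (real wrapping is a KMS API call), and the length-prefixed layout and function names are this example's own assumptions, not Tink's wire format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}
// open inverts seal; it fails if key, aad or ciphertext do not match.
func open(key, data, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(data) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}
// EnvelopeEncrypt: fresh 256-bit DEK per blob, data sealed under the DEK with the blob URI
// as associated data, DEK wrapped with the KEK (a local stand-in for the Cloud KMS key;
// real wrapping is a KMS API call) and stored length-prefixed in front of the ciphertext.
func EnvelopeEncrypt(kek, plaintext []byte, blobURI string) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	wrapped, err := seal(kek, dek, nil)
	if err != nil { return nil, err }
	body, err := seal(dek, plaintext, []byte(blobURI))
	if err != nil { return nil, err }
	return append(append(binary.BigEndian.AppendUint32(nil, uint32(len(wrapped))), wrapped...), body...), nil
}
// EnvelopeDecrypt unwraps the DEK, then opens the data with the same associated data;
// decrypting under a different blobURI (renamed or moved blob) fails the GCM tag check.
func EnvelopeDecrypt(kek, envelope []byte, blobURI string) ([]byte, error) {
	if len(envelope) < 4 || len(envelope)-4 < int(binary.BigEndian.Uint32(envelope[:4])) { return nil, errors.New("malformed envelope") }
	n := int(binary.BigEndian.Uint32(envelope[:4]))
	dek, err := open(kek, envelope[4:4+n], nil)
	if err != nil { return nil, err }
	return open(dek, envelope[4+n:], []byte(blobURI))
}
```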