README.md

# Python envelope encryption example

This example shows how to encrypt data with Tink using
[Envelope Encryption](https://cloud.google.com/kms/docs/envelope-encryption).

It shows how you can use Tink to encrypt data with a newly generated *data
encryption key* (DEK) which is wrapped with a KMS key. The data will be
encrypted with AES256 GCM using the DEK and the DEK will be encrypted with the
KMS key and stored alongside the ciphertext.
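The following is an added, self-contained illustration of the scheme described above; it is not code from the Tink examples directory. It uses the `cryptography` package instead of Tink, and `LocalKek` is a hypothetical in-memory stand-in for the Cloud KMS key-encryption key (in the real example the KEK never leaves Cloud KMS and wrap/unwrap are remote, IAM-gated calls). The wire layout mirrors the one Tink's `KmsEnvelopeAead` uses: a 4-byte big-endian length of the wrapped DEK, the wrapped DEK, then the AES-GCM ciphertext of the data. Function and constant names are my own.

```python
import os
import struct
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12                          # 96-bit GCM nonce, prepended to each ciphertext
DEK_LEN_PREFIX = struct.Struct(">I")    # 4-byte big-endian length of the wrapped DEK


def _aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-GCM with a fresh random nonce; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of _aead_encrypt; raises InvalidTag if the data or aad was altered."""
    if len(blob) < NONCE_LEN + 16:      # nonce + at least the 16-byte GCM tag
        raise ValueError("ciphertext too short")
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


class LocalKek:
    """Hypothetical stand-in for the Cloud KMS key-encryption key.

    Assumption: an in-memory AES-256-GCM key plays the role of the KMS key so the
    envelope logic runs offline. Only wrap/unwrap of the small DEK go through it;
    the bulk data never touches the KEK, which is the point of envelope encryption.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or AESGCM.generate_key(bit_length=256)

    def wrap(self, dek: bytes) -> bytes:
        # Tink wraps the DEK with empty associated data.
        return _aead_encrypt(self._key, dek, b"")

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return _aead_decrypt(self._key, wrapped_dek, b"")


def envelope_encrypt(kek: LocalKek, plaintext: bytes, associated_data: bytes = b"") -> bytes:
    """Fresh DEK per message; DEK encrypts the data, KEK wraps the DEK."""
    dek = AESGCM.generate_key(bit_length=256)
    ciphertext = _aead_encrypt(dek, plaintext, associated_data)
    wrapped_dek = kek.wrap(dek)          # only the KEK holder can recover the DEK
    return DEK_LEN_PREFIX.pack(len(wrapped_dek)) + wrapped_dek + ciphertext


def envelope_decrypt(kek: LocalKek, envelope: bytes, associated_data: bytes = b"") -> bytes:
    """Parse the envelope, unwrap the DEK with the KEK, then decrypt the data."""
    if len(envelope) < DEK_LEN_PREFIX.size:
        raise ValueError("envelope too short")
    (n,) = DEK_LEN_PREFIX.unpack_from(envelope)
    body = envelope[DEK_LEN_PREFIX.size:]
    if n == 0 or n > len(body):          # length field must not run past the input
        raise ValueError("invalid wrapped-DEK length")
    wrapped_dek, ciphertext = body[:n], body[n:]
    dek = kek.unwrap(wrapped_dek)
    return _aead_decrypt(dek, ciphertext, associated_data)


def decrypts_cleanly(kek: LocalKek, envelope: bytes, associated_data: bytes = b"") -> bool:
    """True if the envelope authenticates under this KEK and aad; False on tamper or wrong key."""
    try:
        envelope_decrypt(kek, envelope, associated_data)
        return True
    except (InvalidTag, ValueError):
        return False


if __name__ == "__main__":
    kek = LocalKek()
    env = envelope_encrypt(kek, b"some data", b"testdata.txt")   # constructed sample input
    print(f"envelope: {len(env)} bytes, wrapped DEK: {DEK_LEN_PREFIX.unpack_from(env)[0]} bytes")
    print("decrypted:", envelope_decrypt(kek, env, b"testdata.txt"))
    print("other KEK accepted:", decrypts_cleanly(LocalKek(), env, b"testdata.txt"))
```

Two properties worth noticing when running it: every call to `envelope_encrypt` yields a different envelope for the same plaintext because the DEK and nonces are fresh, and a ciphertext produced under one KEK is rejected under any other, so rotating or revoking the KMS key controls access to every DEK wrapped with it without re-encrypting the bulk data elsewhere.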

The CLI takes 5 arguments:

*   mode: "encrypt" or "decrypt" to indicate if you want to encrypt or decrypt.
*   kek-uri: The URI for the key to be used for envelope encryption.
*   gcp-credential-file: Name of the file with the GCP credentials in JSON
    format.
*   input-file: Read the input from this file.
*   output-file: Write the result to this file.

## Build and Run

### Prerequisite

This envelope encryption example uses a Cloud KMS key as a key-encryption key
(KEK). In order to run it, you need to:

*   Create a symmetric key on Cloud KMS. Copy the key URI, which is in this
    format:
    `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

*   Create a service account that is allowed to encrypt and decrypt with the
    above key and download a JSON credentials file.

### Bazel

```shell
$ git clone https://github.com/google/tink
$ cd tink/python/examples
$ bazel build ...
```

You can then encrypt a file:

```shell
$ echo "some data" > testdata.txt

# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and
# my-service-account.json with your service account's credential JSON file.

$ ./bazel-bin/envelope/envelope --mode encrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt --output_path testdata.txt.encrypted
```

Or decrypt the file with:

```shell
$ ./bazel-bin/envelope/envelope --mode decrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt.encrypted --output_path testdata.txt
```

### Pip package

```shell
$ git clone https://github.com/google/tink
$ cd tink/python
$ pip3 install .
```

You can then encrypt the file:

```shell
$ echo "some data" > testdata.txt
$ python3 envelope.py --mode encrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt --output_path testdata.txt.encrypted
```
