Name | Date | Size | #Lines | LOC
---|---|---|---|---
BUILD.bazel | 25-Apr-2025 | 1.8 KiB | 61 | 55
README.md | 25-Apr-2025 | 2.4 KiB | 82 | 60
envelope.py | 25-Apr-2025 | 2.8 KiB | 95 | 62
envelope_test.sh | 25-Apr-2025 | 4.6 KiB | 157 | 88
README.md
# Python envelope encryption example

This example shows how to encrypt data with Tink using
[Envelope Encryption](https://cloud.google.com/kms/docs/envelope-encryption).

It shows how you can use Tink to encrypt data with a newly generated *data
encryption key* (DEK) which is wrapped with a KMS key. The data is encrypted
with AES256 GCM using the DEK, and the DEK is encrypted with the KMS key and
stored alongside the ciphertext.

The CLI takes 5 arguments:

* mode: "encrypt" or "decrypt" to indicate whether you want to encrypt or
  decrypt.
* kek-uri: The URI of the key to be used as the key-encryption key.
* gcp-credential-file: Name of the file with the GCP credentials in JSON
  format.
* input-file: Read the input from this file.
* output-file: Write the result to this file.

## Build and Run

### Prerequisite

This envelope encryption example uses a Cloud KMS key as a key-encryption key
(KEK). In order to run it, you need to:

* Create a symmetric key on Cloud KMS. Copy the key URI, which has this
  format:
  `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

* Create a service account that is allowed to encrypt and decrypt with the
  above key, and download a JSON credentials file for it.

### Bazel

```shell
$ git clone https://github.com/google/tink
$ cd tink/python/examples
$ bazel build ...
```

You can then encrypt a file:

```shell
$ echo "some data" > testdata.txt

# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and
# my-service-account.json with your service account's credential JSON file.

$ ./bazel-bin/envelope/envelope --mode encrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt --output_path testdata.txt.encrypted
```

Or decrypt the file with:

```shell
$ ./bazel-bin/envelope/envelope --mode decrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt.encrypted --output_path testdata.txt
```

### Pip package

```shell
$ git clone https://github.com/google/tink
$ cd tink/python
$ pip3 install .
```

You can then encrypt the file:

```shell
$ echo "some data" > testdata.txt
$ python3 envelope.py --mode encrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt --output_path testdata.txt.encrypted
```
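As an added illustration (not code from the Tink repository or from `envelope.py`), the stand-alone Python below shows what "stored alongside the ciphertext" means on disk: Tink's `KmsEnvelopeAead` writes a 4-byte big-endian length of the KMS-wrapped DEK, then the wrapped DEK, then the AES256-GCM ciphertext. It builds and splits such an envelope with the structural checks Tink performs before it hands the wrapped DEK to the KMS, so a truncated file or an inflated length prefix is rejected early; the wrapped DEK and ciphertext bytes here are constructed placeholders, not real KMS output, and the function names are this example's own.

```python
import struct
from typing import Tuple

# Tink KmsEnvelopeAead layout:
#   [4-byte big-endian len(wrapped_dek)] [wrapped_dek] [AES-GCM ciphertext]
DEK_LEN_BYTES = 4


class EnvelopeFormatError(ValueError):
    """Raised when a blob is not a structurally valid envelope."""


def build_envelope(wrapped_dek: bytes, ciphertext: bytes) -> bytes:
    """Assemble an envelope: the KMS-wrapped DEK stored in front of the ciphertext."""
    if not wrapped_dek or len(wrapped_dek) > 0xFFFFFFFF:
        raise EnvelopeFormatError("wrapped DEK must be 1..2^32-1 bytes long")
    return struct.pack(">I", len(wrapped_dek)) + wrapped_dek + ciphertext


def split_envelope(blob: bytes) -> Tuple[bytes, bytes]:
    """Split an envelope into (wrapped_dek, ciphertext) after validating the prefix.

    Only structure is checked here; nothing is decrypted. A caller would send
    wrapped_dek to the KMS and then use the unwrapped DEK on ciphertext.
    """
    if len(blob) < DEK_LEN_BYTES:
        raise EnvelopeFormatError("blob shorter than the DEK length prefix")
    (dek_len,) = struct.unpack(">I", blob[:DEK_LEN_BYTES])
    body = blob[DEK_LEN_BYTES:]
    # A zero-length wrapped DEK cannot be valid, and the declared length must
    # fit inside the bytes that actually follow the prefix.
    if dek_len == 0 or dek_len > len(body):
        raise EnvelopeFormatError(
            f"declared wrapped-DEK length {dek_len} does not fit in {len(body)} bytes"
        )
    return body[:dek_len], body[dek_len:]


if __name__ == "__main__":
    # Constructed placeholder bytes, not real KMS output or AES-GCM ciphertext.
    wrapped = b"\x01" * 72
    ct = b"\x02" * 40
    blob = build_envelope(wrapped, ct)
    assert split_envelope(blob) == (wrapped, ct)
    # A length prefix pointing past the end of the file is rejected up front.
    bad = struct.pack(">I", 10_000) + blob[DEK_LEN_BYTES:]
    try:
        split_envelope(bad)
    except EnvelopeFormatError as err:
        print("rejected:", err)
```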