# Python envelope encryption example

This example shows how to encrypt data with Tink using
[Envelope Encryption](https://cloud.google.com/kms/docs/envelope-encryption).

It shows how you can use Tink to encrypt data with a newly generated *data
encryption key* (DEK) which is wrapped with a KMS key. The data will be
encrypted with AES256 GCM using the DEK, and the DEK will be encrypted with the
KMS key and stored alongside the ciphertext.

The CLI takes 5 arguments:

* mode: "encrypt" or "decrypt" to indicate if you want to encrypt or decrypt.
* kek-uri: The URI for the key to be used for envelope encryption.
* gcp-credential-file: Name of the file with the GCP credentials in JSON
  format.
* input-file: Read the input from this file.
* output-file: Write the result to this file.

## Build and Run

### Prerequisite

This envelope encryption example uses a Cloud KMS key as a key-encryption key
(KEK). In order to run it, you need to:

* Create a symmetric key on Cloud KMS. Copy the key URI, which is in this
  format:
  `projects/<my-project>/locations/global/keyRings/<my-key-ring>/cryptoKeys/<my-key>`.

* Create a service account that is allowed to encrypt and decrypt with the
  above key and download a JSON credentials file.

### Bazel

```shell
$ git clone https://github.com/google/tink
$ cd tink/python/examples
$ bazel build ...
```

You can then encrypt a file:

```shell
$ echo "some data" > testdata.txt

# Replace `<my-key-uri>` in `gcp-kms://<my-key-uri>` with your key URI, and
# my-service-account.json with your service account's credential JSON file.

$ ./bazel-bin/envelope/envelope --mode encrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt --output_path testdata.txt.encrypted
```

Or decrypt the file with:

```shell
$ ./bazel-bin/envelope/envelope --mode decrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt.encrypted --output_path testdata.txt
```

### Pip package

```shell
$ git clone https://github.com/google/tink
$ cd tink/python
$ pip3 install .
```

You can then encrypt the file:

```shell
$ echo "some data" > testdata.txt
$ python3 envelope.py --mode encrypt \
    --gcp_credential_path my-service-account.json \
    --kek_uri gcp-kms://<my-key-uri> \
    --input_path testdata.txt --output_path testdata.txt.encrypted
```
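To make the DEK/KEK split described at the top of this README concrete without a Cloud KMS key or credentials, here is an added, self-contained round-trip written for this page (it is not code from the Tink repository and does not use the Tink library). It follows the same length-prefixed layout Tink's envelope AEAD produces (4-byte big-endian length of the wrapped DEK, then the wrapped DEK, then the AES-GCM output under the DEK), but the Cloud KMS key is replaced by `LocalKek`, a constructed stand-in that wraps the DEK with a local AES-256-GCM key; in the real example that role is played by the key behind `--kek_uri` and wrap/unwrap are remote KMS calls. It needs the `cryptography` package.

```python
"""Envelope encryption round-trip in the layout Tink's envelope AEAD uses.

Added illustration for this README, not code from the Tink project. The Cloud
KMS key is replaced by LocalKek, a constructed stand-in that wraps DEKs with a
local AES-256-GCM key, so the script runs offline.
"""
import os
import struct
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12                     # 96-bit GCM nonce
DEK_LEN = 32                       # AES-256 data-encryption key
LEN_PREFIX = struct.Struct(">I")   # 4-byte big-endian length of the wrapped DEK


def _aead_encrypt(key: bytes, plaintext: bytes, ad: bytes) -> bytes:
    """AES-GCM with a fresh random nonce; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, ad)


def _aead_decrypt(key: bytes, blob: bytes, ad: bytes) -> bytes:
    """Inverse of _aead_encrypt; raises InvalidTag on any modification."""
    if len(blob) < NONCE_LEN + 16:          # at least nonce + GCM tag
        raise ValueError("ciphertext too short")
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], ad)


class LocalKek:
    """Stand-in for the Cloud KMS key-encryption key (assumption for this
    example: the real KEK never leaves the KMS, which performs wrap/unwrap)."""

    def __init__(self, key: bytes):
        if len(key) != DEK_LEN:
            raise ValueError("KEK must be 32 bytes")
        self._key = key

    @classmethod
    def generate(cls) -> "LocalKek":
        return cls(AESGCM.generate_key(bit_length=256))

    def wrap(self, dek: bytes) -> bytes:
        return _aead_encrypt(self._key, dek, b"")

    def unwrap(self, wrapped: bytes) -> bytes:
        return _aead_decrypt(self._key, wrapped, b"")


def envelope_encrypt(kek: LocalKek, plaintext: bytes, associated_data: bytes = b"") -> bytes:
    """Generate a one-time DEK, encrypt the data under it, wrap the DEK with the
    KEK, and return len(wrapped_dek) || wrapped_dek || nonce || ct || tag.
    Because every call draws a new DEK, the random nonce is used once per key."""
    dek = AESGCM.generate_key(bit_length=256)
    wrapped = kek.wrap(dek)
    body = _aead_encrypt(dek, plaintext, associated_data)
    return LEN_PREFIX.pack(len(wrapped)) + wrapped + body


def envelope_decrypt(kek: LocalKek, ciphertext: bytes, associated_data: bytes = b"") -> bytes:
    """Inverse of envelope_encrypt; raises on truncation, a wrong KEK,
    wrong associated data, or any bit flip in the DEK or the data."""
    if len(ciphertext) < LEN_PREFIX.size:
        raise ValueError("missing length prefix")
    (wrapped_len,) = LEN_PREFIX.unpack_from(ciphertext)
    end = LEN_PREFIX.size + wrapped_len
    if wrapped_len == 0 or end > len(ciphertext):
        raise ValueError("wrapped DEK length out of range")
    dek = kek.unwrap(ciphertext[LEN_PREFIX.size:end])   # fails if the KEK is wrong
    return _aead_decrypt(dek, ciphertext[end:], associated_data)


def try_decrypt(kek: LocalKek, ciphertext: bytes, associated_data: bytes = b"") -> Optional[bytes]:
    """Decrypt, returning None instead of raising for corrupt or foreign input."""
    try:
        return envelope_decrypt(kek, ciphertext, associated_data)
    except (InvalidTag, ValueError):
        return None


if __name__ == "__main__":
    kek = LocalKek.generate()
    ct = envelope_encrypt(kek, b"some data", b"testdata.txt")
    print(len(ct), "bytes;", envelope_decrypt(kek, ct, b"testdata.txt"))
```

Two things worth noticing when you run it: the ciphertext carries the wrapped DEK, so nothing but the KEK (here `LocalKek`, in production the KMS key and the IAM permission to use it) is needed to recover the data, and decryption fails closed on a wrong KEK, wrong associated data, truncation, or a single flipped byte, because both AES-GCM layers authenticate what they protect.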