Showing content from http://cloud.google.com/kms/docs/encrypt-decrypt-rsa below:

Encrypting and decrypting data with an asymmetric key | Cloud KMS


This topic provides information about creating and using a key for asymmetric encryption using an RSA key. If you want to use asymmetric keys for creating and validating signatures, see Creating and validating digital signatures. If you want to use symmetric keys for encryption and decryption, see Encrypting and decrypting data.

Asymmetric encryption uses the public key portion of the asymmetric key and decryption uses the private key portion of the key. Cloud Key Management Service provides functionality to retrieve the public key and functionality to decrypt ciphertext that was encrypted with the public key. Cloud KMS does not allow direct access to the private key.

Before you begin

Access control to the key

Learn about permissions and roles in Cloud KMS at Permissions and Roles.

Encrypt data

To encrypt data using an asymmetric encryption key, retrieve the public key and use the public key to encrypt the data.

Note: The plaintext data you want to encrypt is limited in size depending on the size of the key. For details on supported payload sizes, see data too large for key size.

Decrypt data

Use Cloud KMS to perform the decryption.

gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of Google Cloud CLI.

gcloud kms asymmetric-decrypt \
    --version key-version \
    --key key \
    --keyring key-ring \
    --location location  \
    --ciphertext-file file-path-with-encrypted-data \
    --plaintext-file file-path-to-store-plaintext

Replace key-version with the key version, or omit the --version flag to detect the version automatically. Replace key with the name of the key to use for decryption. Replace key-ring with the name of the key ring where the key is located. Replace location with the Cloud KMS location for the key ring. Replace file-path-with-encrypted-data and file-path-to-store-plaintext with the local file paths for reading the encrypted data and saving the decrypted output.

For information on all flags and possible values, run the command with the --help flag.

To display the contents of the decrypted file, open it in your editor or terminal. Here is an example that shows the file contents using the cat command:

cat ./my-file.txt

C#

To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.

Go

To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.

Java

To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.

Node.js

To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.

PHP

To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.

Python

To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.

Ruby

To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

Use the CryptoKeyVersions.asymmetricDecrypt method.

Troubleshooting

incorrect key purpose: ASYMMETRIC_SIGN

You can only decrypt data with a key with key purpose ASYMMETRIC_DECRYPT.

invalid parameter when decrypting on macOS

The version of OpenSSL installed on macOS does not support the flags used to decrypt data in this topic. To follow these steps on macOS, install OpenSSL from Homebrew.

data too large for key size

The maximum payload size for RSA decryption depends on the key size and padding algorithm. All RSA encryption formats used by Cloud KMS use OAEP, standardized in RFC 2437. As a quick reference, the following algorithms support the following maximum payload sizes (maxMLen, in bytes):

Algorithm                      Parameters           Maximum message length
RSA_DECRYPT_OAEP_2048_SHA256   k = 256; hLen = 32   maxMLen = 190
RSA_DECRYPT_OAEP_3072_SHA256   k = 384; hLen = 32   maxMLen = 318
RSA_DECRYPT_OAEP_4096_SHA256   k = 512; hLen = 32   maxMLen = 446
RSA_DECRYPT_OAEP_4096_SHA512   k = 512; hLen = 64   maxMLen = 382

Asymmetric encryption is not recommended for messages of varying lengths that may be larger than these limits. Consider using hybrid encryption instead. Tink is a cryptographic library that uses this approach.
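
The encryption step under "Encrypt data" and the payload limits in the table above, shown together as an added example that is not part of the original page. The function names are hypothetical, the openssl CLI is assumed to be installed, and a locally generated key pair stands in for the Cloud KMS key so the script runs offline.

```shell
# Added example: client-side RSA-OAEP (SHA-256) encryption with a size pre-check.
# Function names are hypothetical; requires the openssl CLI.

# OAEP limit in bytes: maxMLen = k - 2*hLen - 2
# (k = modulus length in bytes, hLen = digest length in bytes).
oaep_max_len() {  # usage: oaep_max_len <key-bits> <hash-bits>
  echo $(( $1 / 8 - 2 * ($2 / 8) - 2 ))
}

# Encrypt a file with a PEM public key, matching RSA_DECRYPT_OAEP_<bits>_SHA256.
# Rejects oversized input up front instead of relying on the openssl error.
encrypt_oaep_sha256() {  # usage: encrypt_oaep_sha256 <pub.pem> <in> <out> [key-bits]
  size=$(( $(wc -c < "$2") ))
  max=$(oaep_max_len "${4:-2048}" 256)
  if [ "$size" -gt "$max" ]; then
    echo "plaintext is $size bytes; OAEP limit is $max bytes" >&2
    return 1
  fi
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

# Offline round trip with a constructed 2048-bit key pair standing in for the
# KMS key. With Cloud KMS the private key stays in the service and the decrypt
# step is `gcloud kms asymmetric-decrypt` instead of the local openssl call.
demo_roundtrip() {  # usage: demo_roundtrip <payload-bytes>
  d=$(mktemp -d) || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/priv.pem" 2>/dev/null || return 1
  openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem" || return 1
  head -c "$1" /dev/urandom > "$d/plain.bin"   # constructed sample payload
  encrypt_oaep_sha256 "$d/pub.pem" "$d/plain.bin" "$d/cipher.bin" &&
    openssl pkeyutl -decrypt -inkey "$d/priv.pem" -in "$d/cipher.bin" \
      -out "$d/out.bin" -pkeyopt rsa_padding_mode:oaep \
      -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 &&
    cmp -s "$d/plain.bin" "$d/out.bin"
  rc=$?
  rm -rf "$d"
  return $rc
}

demo_roundtrip 190 && echo "190-byte payload round-trips"
```

A 191-byte payload is rejected by the pre-check for a 2048-bit key; data of that size or larger is the case for hybrid encryption.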

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.
