This topic shows how to re-encrypt data using a Cloud Key Management Service symmetric key. You can adapt these examples for asymmetric keys. If you suspect unauthorized use of a key, you should re-encrypt the data protected by that key and then disable or schedule destruction of the prior key version.
Before you begin

This scenario requires the following conditions:
You have already encrypted data using Cloud KMS.
The key version used for the encryption is not disabled, scheduled for destruction, or destroyed. You use this key version to decrypt the encrypted data.
You have already rotated keys. A key rotation creates a new primary key version. You use the new primary key version to re-encrypt the data.
The examples in this topic show how to re-encrypt data using a symmetric key. When you use a symmetric key, Cloud KMS infers the key version to use for decryption from the ciphertext itself. When you use an asymmetric key, you must specify the key version yourself: with gcloud, pass the --version flag, and with the API, call the method on CryptoKeyVersions instead of CryptoKeys. You can read more about encrypting and decrypting data with an asymmetric key. The workflow for re-encrypting data with asymmetric keys is similar to the one described in this topic.
Re-encrypting data workflow

Use the following steps to re-encrypt data and disable or schedule destruction of the key version used for the original encryption.

Decrypt the data using the prior key version

Cloud KMS automatically uses the correct key version to decrypt data, as long as that key version is not disabled, scheduled for destruction, or destroyed. The following examples show how to decrypt the data. This is the same decryption code used in Encrypting and Decrypting.
gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of the Google Cloud CLI.

    gcloud kms decrypt \
        --key KEY_NAME \
        --keyring KEY_RING \
        --location LOCATION \
        --ciphertext-file FILE_TO_DECRYPT \
        --plaintext-file DECRYPTED_OUTPUT

Replace the following:

KEY_NAME: the name of the key that you want to use for decryption.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location that contains the key ring.
FILE_TO_DECRYPT: the path to the file that you want to decrypt.
DECRYPTED_OUTPUT: the path where you want to save the decrypted output.

For information on all flags and possible values, run the command with the --help flag.
Client library samples for C#, Go, Java, Node.js, PHP, Python and Ruby make the same decrypt call; to run one, first set up a development environment for that language and install the corresponding Cloud KMS SDK.
API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

The decrypted text returned in the plaintext field of the JSON response from Cloud KMS is base64 encoded; decode it to recover the original bytes.

Tip: You can base64-encode or decode data using the base64 command on Linux or macOS, or the Base64.exe command on Windows. Programming and scripting languages typically include libraries for base64 encoding. For command-line examples, see Base64 Encoding in the Cloud Vision API documentation.

To decrypt encrypted data, make a POST request, provide the appropriate project and key information, and specify the encrypted text (also known as ciphertext) to be decrypted in the ciphertext field of the request body.

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:decrypt" \
        --request "POST" \
        --header "authorization: Bearer TOKEN" \
        --header "content-type: application/json" \
        --data "{\"ciphertext\": \"ENCRYPTED_DATA\"}"

Replace the following:

PROJECT_ID: the ID of the project that contains the key ring and key that you want to use for decryption.
LOCATION: the Cloud KMS location that contains the key ring.
KEY_RING: the key ring that contains the key that you want to use for decryption.
KEY_NAME: the name of the key that you want to use for decryption.
ENCRYPTED_DATA: the encrypted data that you want to decrypt, base64 encoded as it was returned by the encrypt call.

Here is an example payload with base64 encoded data:

    {
      "ciphertext": "CiQAhMwwBo61cHas7dDgifrUFs5zNzBJ2uZtVFq4ZPEl6fUVT4kSmQ..."
    }

Re-encrypt the data using the new primary key version
Cloud KMS automatically uses the new primary key version to encrypt data. The following examples show how to encrypt the data. This is the same encryption code used in Encrypting and Decrypting.
gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of the Google Cloud CLI.

    gcloud kms encrypt \
        --key KEY_NAME \
        --keyring KEY_RING \
        --location LOCATION \
        --plaintext-file FILE_TO_ENCRYPT \
        --ciphertext-file ENCRYPTED_OUTPUT

Replace the following:

KEY_NAME: the name of the key that you want to use for encryption.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location that contains the key ring.
FILE_TO_ENCRYPT: the path to the file that you want to encrypt.
ENCRYPTED_OUTPUT: the path where you want to save the encrypted output.

For information on all flags and possible values, run the command with the --help flag.
Client library samples for C#, Go, Java, Node.js, PHP, Python and Ruby make the same encrypt call; to run one, first set up a development environment for that language and install the corresponding Cloud KMS SDK.
API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

When using JSON and the REST API, content must be base64 encoded before it can be encrypted by Cloud KMS.

Tip: You can base64-encode or decode data using the base64 command on Linux or macOS, or the Base64.exe command on Windows. Programming and scripting languages typically include libraries for base64 encoding. For command-line examples, see Base64 Encoding in the Cloud Vision API documentation.

To encrypt data, make a POST request, provide the appropriate project and key information, and specify the base64 encoded text to be encrypted in the plaintext field of the request body.

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:encrypt" \
        --request "POST" \
        --header "authorization: Bearer TOKEN" \
        --header "content-type: application/json" \
        --data "{\"plaintext\": \"PLAINTEXT_TO_ENCRYPT\"}"

Replace the following:

PROJECT_ID: the ID of the project that contains the key ring and key that you want to use for encryption.
LOCATION: the Cloud KMS location that contains the key ring.
KEY_RING: the key ring that contains the key that you want to use for encryption.
KEY_NAME: the name of the key that you want to use for encryption.
PLAINTEXT_TO_ENCRYPT: the plaintext data that you want to encrypt. The plaintext must be base64 encoded before you call the encrypt method.

Here is an example payload with base64 encoded data:

    {
      "plaintext": "U3VwZXIgc2VjcmV0IHRleHQgdGhhdCBtdXN0IGJlIGVuY3J5cHRlZAo="
    }

Disable or schedule destruction of the prior key version
If you rotated your key in response to a suspected incident, after you have re-encrypted the data, disable or schedule destruction of the prior key version.
Disable an enabled key version

Only a key version which is Enabled can be Disabled. This is done with the method UpdateCryptoKeyVersion.

Console
Go to the Key Management page in the Google Cloud console.
Click the name of the key ring that contains the key whose key version you will disable.
Click the key whose key version you want to disable.
Check the box next to the key version(s) that you want to disable.
Click Disable in the header.
In the confirmation prompt, click Disable.
gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of the Google Cloud CLI.

    gcloud kms keys versions disable KEY_VERSION \
        --key KEY_NAME \
        --keyring KEY_RING \
        --location LOCATION

Replace the following:

KEY_VERSION: the version number of the key version that you want to disable.
KEY_NAME: the name of the key.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location of the key ring.

For information on all flags and possible values, run the command with the --help flag.
Client library samples for C#, Go, Java, Node.js, PHP, Python and Ruby make the same UpdateCryptoKeyVersion call; to run one, first set up a development environment for that language and install the corresponding Cloud KMS SDK.
Schedule a key version for destruction

Only key versions which are Enabled or Disabled can be Scheduled for destruction. This is done with the method DestroyCryptoKeyVersion.
Caution: Key material isn't immediately destroyed. Instead, the key version stays scheduled for destruction for the configured scheduled for destruction duration. After this period has ended, the key material is automatically destroyed. There is no way to override this safety fallback.
If you decide that you don't want the destruction to occur, you can restore the key version. However, after the configured scheduled for destruction duration, destruction isn't reversible. Any data encrypted with this key version can't be decrypted.
Console

In the Google Cloud console, go to the Key Management page.
Check the box next to the key version that you want to schedule for destruction.
Click Destroy in the header.
In the confirmation prompt, enter the key name and then click Schedule Destruction.
gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of the Google Cloud CLI.

    gcloud kms keys versions destroy KEY_VERSION \
        --key KEY_NAME \
        --keyring KEY_RING \
        --location LOCATION

Replace the following:

KEY_VERSION: the version number of the key version that you want to destroy.
KEY_NAME: the name of the key for which you want to destroy a key version.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location of the key ring.

For information on all flags and possible values, run the command with the --help flag.
Client library samples for C#, Go, Java, Node.js, PHP, Python and Ruby make the same DestroyCryptoKeyVersion call; to run one, first set up a development environment for that language and install the corresponding Cloud KMS SDK.
API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

Schedule a key version for destruction by calling the CryptoKeyVersions.destroy method.

    curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION:destroy" \
        --request "POST" \
        --header "authorization: Bearer TOKEN"

Replace PROJECT_ID, LOCATION, KEY_RING, KEY_NAME and KEY_VERSION as in the gcloud command above. TOKEN is an OAuth 2.0 access token for a principal that is allowed to destroy key versions.
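The whole workflow above (decrypt each blob with whichever version produced it, re-encrypt under the new primary, verify, and only then disable the prior versions) as one script. This is an added example, not code from the Cloud KMS documentation. The orchestration functions use only request-dict calls that exist on google.cloud.kms.KeyManagementServiceClient (get_crypto_key, decrypt, encrypt, list_crypto_key_versions, update_crypto_key_version) and read the used_primary field of the decrypt response to skip blobs that already sit on the primary. FakeKms, the key name and the sample plaintexts are constructed so that the script runs offline: FakeKms models only the version semantics this page describes (encrypt always uses the primary, decrypt infers the version from the blob, a version that is not Enabled refuses to decrypt) and stores plaintexts in a table rather than encrypting anything.

```python
"""Re-encrypt blobs onto the new primary key version, then disable the prior
versions. Added example, not Cloud KMS's own code. FakeKms is a constructed
stand-in that models only the version semantics the docs describe and keeps
plaintexts in a table instead of encrypting them."""
import secrets
from enum import Enum
from types import SimpleNamespace

KEY = "projects/p/locations/global/keyRings/r/cryptoKeys/k"  # assumed name


class State(Enum):  # member names match CryptoKeyVersion.CryptoKeyVersionState
    ENABLED = 1
    DISABLED = 2


class FakeKms:
    """Responses carry the same field names the real client returns."""

    def __init__(self):
        self.versions, self.primary, self._table = {}, None, {}

    def rotate(self, key):  # stands in for a key rotation: new enabled primary
        name = f"{key}/cryptoKeyVersions/{len(self.versions) + 1}"
        self.versions[name] = SimpleNamespace(name=name, state=State.ENABLED)
        self.primary = name
        return name

    def get_crypto_key(self, request):
        return SimpleNamespace(primary=self.versions[self.primary])

    def list_crypto_key_versions(self, request):
        return [v for v in self.versions.values() if v.name.startswith(request["parent"])]

    def encrypt(self, request):  # always the primary; blob records the version number
        token = secrets.token_hex(8)
        self._table[(self.primary, token)] = request["plaintext"]
        blob = f"{self.primary.rsplit('/', 1)[1]}:{token}".encode()
        return SimpleNamespace(name=self.primary, ciphertext=blob)

    def decrypt(self, request):  # version is inferred from the blob, never passed in
        num, token = request["ciphertext"].decode().split(":")
        name = f"{request['name']}/cryptoKeyVersions/{num}"
        if self.versions[name].state is not State.ENABLED:  # real client: FailedPrecondition
            raise RuntimeError(f"{name} is {self.versions[name].state.name}")
        return SimpleNamespace(plaintext=self._table[(name, token)],
                               used_primary=name == self.primary)

    def update_crypto_key_version(self, request):
        v = request["crypto_key_version"]
        self.versions[v["name"]].state = v["state"]


def reencrypt_all(client, key, ciphertexts):
    """Steps 1 and 2: decrypt each blob (KMS picks the version), re-encrypt under
    the primary, and verify the new blob before accepting it."""
    primary = client.get_crypto_key(request={"name": key}).primary.name
    out = []
    for ct in ciphertexts:
        dec = client.decrypt(request={"name": key, "ciphertext": ct})
        if dec.used_primary:  # already on the primary, nothing to do
            out.append(ct)
            continue
        enc = client.encrypt(request={"name": key, "plaintext": dec.plaintext})
        back = client.decrypt(request={"name": key, "ciphertext": enc.ciphertext})
        if enc.name != primary or back.plaintext != dec.plaintext:
            raise RuntimeError("verification failed; prior version left enabled")
        out.append(enc.ciphertext)
    return out


def disable_prior_versions(client, key, disabled_state=State.DISABLED):
    """Step 3: disable every enabled non-primary version. Call only after
    reencrypt_all succeeded for every blob. With the real client pass
    kms.CryptoKeyVersion.CryptoKeyVersionState.DISABLED as disabled_state."""
    primary = client.get_crypto_key(request={"name": key}).primary.name
    disabled = []
    for v in client.list_crypto_key_versions(request={"parent": key}):
        if v.name != primary and v.state.name == "ENABLED":
            client.update_crypto_key_version(request={
                "crypto_key_version": {"name": v.name, "state": disabled_state},
                "update_mask": {"paths": ["state"]}})
            disabled.append(v.name)
    return disabled


def demo():
    kms = FakeKms()
    prior = kms.rotate(KEY)
    old = [kms.encrypt(request={"name": KEY, "plaintext": p}).ciphertext
           for p in (b"card-4111", b"ssn-123")]  # constructed sample data
    primary = kms.rotate(KEY)  # the rotation made after the suspected misuse
    new = reencrypt_all(kms, KEY, old)
    disabled = disable_prior_versions(kms, KEY)
    try:  # a blob that was missed is now unreadable, which is why the order matters
        kms.decrypt(request={"name": KEY, "ciphertext": old[0]})
        stale_readable = True
    except RuntimeError:
        stale_readable = False
    recovered = [kms.decrypt(request={"name": KEY, "ciphertext": c}).plaintext for c in new]
    return dict(prior=prior, primary=primary, disabled=disabled,
                stale_readable=stale_readable, recovered=recovered)
```

To run this against a real key, replace FakeKms() with kms.KeyManagementServiceClient(), rotate the key first so that decrypt reports used_primary=False for the old blobs, and pass the real DISABLED enum value to disable_prior_versions. The order is the point: disable_prior_versions runs only after every blob has been re-encrypted and verified, because a disabled version refuses to decrypt and any ciphertext you missed stays unreadable until you re-enable that version, which is also why the page disables before it schedules destruction.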
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.