Encrypt and decrypt data

The AO performs encrypt and decrypt operations against the KMS through the Google Distributed Cloud (GDC) air-gapped CLI, which communicates with the KMS over a gRPC client.

Before you begin

Before performing KMS operations, configure kubectl to access the Management API server and get the necessary permissions.

Configure Management API server access

Configure kubectl to access the Management API server:

  1. If you have not already done so, get a kubeconfig file for the Management API server using the gdcloud command-line interface (CLI).
  2. Set the MANAGEMENT_API_SERVER environment variable:

    export MANAGEMENT_API_SERVER=PATH_TO_KUBECONFIG
    

    Replace PATH_TO_KUBECONFIG with the path of the generated kubeconfig file.

  3. If you have not already done so, download, install, and configure the gdcloud CLI. To do this, follow the gdcloud CLI overview.

Required permissions

To get the permissions you need, ask your Organization IAM Admin to grant you the KMS Developer (kms-developer) role in your project.

Encrypt data

To encrypt data, use the gdcloud kms keys encrypt command. This command encrypts a given plaintext file using the AEAD key and writes the resulting ciphertext to a named file.

  • To encrypt data, pass in the key name and the following:

    gdcloud kms keys encrypt namespaces/NAMESPACE/aeadKeys/KEY_NAME \
      --plaintext-file=PLAINTEXT_PATH \
      --additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE \
      --ciphertext-file=CIPHERTEXT_PATH
    

    Replace the following variables:

    • NAMESPACE: the project namespace—for example: kms-test1.
    • KEY_NAME: the name of the key used to encrypt the plaintext—for example: key-1.
    • PLAINTEXT_PATH: the path to the file that contains the plaintext to encrypt.
    • ADDITIONAL_AUTHENTICATED_DATA_FILE: an optional file that contains additional authenticated data (AAD). AAD is used for integrity checks and protects your data from a confused deputy attack. The AAD and the plaintext each have a size limit of 64 KB.
    • CIPHERTEXT_PATH: the path of the output file that receives the encrypted plaintext (the ciphertext).

    After the command runs, the file you specified in the --ciphertext-file flag contains the encrypted contents of the plaintext file.

Decrypt data

To decrypt data, use the gdcloud kms keys decrypt command. This command decrypts a given ciphertext file using the AEAD key and writes the recovered plaintext to a named file.

  • To decrypt ciphertext, pass in the key name and the following:

    gdcloud kms keys decrypt namespaces/NAMESPACE/aeadKeys/KEY_NAME \
      --ciphertext-file=CIPHERTEXT_PATH \
      --additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE \
      --plaintext-file=PLAINTEXT_PATH
    

    Replace the following variables:

    • NAMESPACE: the project namespace.
    • KEY_NAME: the name of the key used to encrypt the plaintext.
    • CIPHERTEXT_PATH: the path of the file you want to decrypt.
    • ADDITIONAL_AUTHENTICATED_DATA_FILE: an optional file that contains additional authenticated data (AAD). It must be the same AAD that was supplied when the data was encrypted; AAD is used for integrity checks and protects your data from a confused deputy attack. The AAD and the plaintext each have a size limit of 64 KB.
    • PLAINTEXT_PATH: the path of the output file that receives the decrypted plaintext.

    After the command runs, the file you specified in the --plaintext-file flag contains the decrypted data.
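The following shell script is an added example, not part of the GDC documentation or the gdcloud tool itself. It wraps the two commands above (encrypt, then decrypt with the same AAD) in a round-trip check, and it enforces the 64 KB limit on the plaintext and AAD files before calling gdcloud so that an oversized input fails locally with a clear message instead of at the KMS. It assumes MANAGEMENT_API_SERVER is already exported as described under "Before you begin"; the namespace kms-test1 and key key-1 are the page's placeholder values, and the file names used in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the GDC documentation): round-trip helper around
# `gdcloud kms keys encrypt` / `gdcloud kms keys decrypt`.
# Assumes MANAGEMENT_API_SERVER is exported and gdcloud is on PATH.

KMS_MAX_BYTES=65536   # 64 KB limit on plaintext and AAD, as stated on the page

# file_size FILE -> prints the file size in bytes (wc -c is POSIX)
file_size() {
  wc -c < "$1" | tr -d ' '
}

# check_size_limit FILE -> returns 0 if FILE is within the 64 KB limit, 1 otherwise
check_size_limit() {
  [ "$(file_size "$1")" -le "$KMS_MAX_BYTES" ]
}

# kms_encrypt KEY_RESOURCE PLAINTEXT_PATH AAD_PATH CIPHERTEXT_PATH
# KEY_RESOURCE has the form namespaces/NAMESPACE/aeadKeys/KEY_NAME.
kms_encrypt() {
  enc_key="$1"; enc_pt="$2"; enc_aad="$3"; enc_ct="$4"
  check_size_limit "$enc_pt"  || { echo "plaintext exceeds 64 KB: $enc_pt" >&2; return 1; }
  check_size_limit "$enc_aad" || { echo "AAD exceeds 64 KB: $enc_aad" >&2; return 1; }
  gdcloud kms keys encrypt "$enc_key" \
    --plaintext-file="$enc_pt" \
    --additional-authenticated-data-file="$enc_aad" \
    --ciphertext-file="$enc_ct"
}

# kms_decrypt KEY_RESOURCE CIPHERTEXT_PATH AAD_PATH PLAINTEXT_PATH
# The AAD must be byte-for-byte the AAD used at encryption time; otherwise
# the integrity check fails and gdcloud returns a non-zero status.
kms_decrypt() {
  dec_key="$1"; dec_ct="$2"; dec_aad="$3"; dec_pt="$4"
  check_size_limit "$dec_aad" || { echo "AAD exceeds 64 KB: $dec_aad" >&2; return 1; }
  gdcloud kms keys decrypt "$dec_key" \
    --ciphertext-file="$dec_ct" \
    --additional-authenticated-data-file="$dec_aad" \
    --plaintext-file="$dec_pt"
}

# kms_round_trip KEY_RESOURCE PLAINTEXT_PATH AAD_PATH
# Encrypts PLAINTEXT_PATH, decrypts the result with the same AAD, and returns 0
# only if the recovered plaintext is identical to the original.
kms_round_trip() {
  rt_key="$1"; rt_pt="$2"; rt_aad="$3"
  rt_dir=$(mktemp -d) || return 1
  if kms_encrypt "$rt_key" "$rt_pt" "$rt_aad" "$rt_dir/ct" &&
     kms_decrypt "$rt_key" "$rt_dir/ct" "$rt_aad" "$rt_dir/pt" &&
     cmp -s "$rt_pt" "$rt_dir/pt"; then
    rt_rc=0
  else
    rt_rc=1
  fi
  rm -rf "$rt_dir"
  return $rt_rc
}

# Usage (constructed file names; key path uses the page's placeholder values):
#   printf 'order-42\n' > context.aad
#   kms_round_trip namespaces/kms-test1/aeadKeys/key-1 secret.txt context.aad \
#     && echo "round trip OK"
```

Binding a context string (such as a record id) into the AAD file and reusing exactly that file on decryption is what gives the confused-deputy protection the page mentions: a ciphertext presented under a different context fails the integrity check rather than decrypting.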