GCP · How-To · Beginner · 4 min read

How to Encrypt Data Using KMS in GCP: Simple Guide

To encrypt data using Google Cloud KMS, you first create a key ring and a crypto key, then use the encrypt method with your plaintext data and the key's resource name. The service returns encrypted ciphertext that you can safely store or transmit.
📐 Syntax

Use the encrypt method of the KMS client with these parts:

  • keyName: The full resource path of the crypto key.
  • plaintext: The data you want to encrypt, in bytes.
  • response: Contains the encrypted ciphertext.
```javascript
const [encryptResponse] = await client.encrypt({
  name: keyName,
  plaintext: Buffer.from('your data here'),
});
const ciphertext = encryptResponse.ciphertext;
```

💻 Example

This example shows how to encrypt a simple text string using Google Cloud KMS in Node.js. It creates a client, specifies the key, encrypts the data, and prints the encrypted result in base64 format.

```javascript
import {KeyManagementServiceClient} from '@google-cloud/kms';

async function encryptData() {
  const client = new KeyManagementServiceClient();

  const projectId = 'your-project-id';
  const locationId = 'global';
  const keyRingId = 'my-key-ring';
  const cryptoKeyId = 'my-key';

  // Builds projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key}
  const keyName = client.cryptoKeyPath(projectId, locationId, keyRingId, cryptoKeyId);

  const plaintext = 'Hello, encrypt me!';

  const [encryptResponse] = await client.encrypt({
    name: keyName,
    plaintext: Buffer.from(plaintext),
  });

  console.log('Encrypted ciphertext:', encryptResponse.ciphertext.toString('base64'));
}

encryptData().catch(console.error);
```
Output

```
Encrypted ciphertext: CiQA7vQx... (base64 string)
```

⚠️ Common Pitfalls

1. Using incorrect key resource names: Always use the full path format projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key}.

2. Forgetting to convert plaintext to bytes: KMS expects data as bytes, so use Buffer.from() or equivalent.

3. Not handling async calls properly: Use await or promise handling to get results before proceeding.

```javascript
/* Wrong: plaintext as string */
client.encrypt({
  name: keyName,
  plaintext: 'text', // wrong
});

/* Right: plaintext as bytes */
client.encrypt({
  name: keyName,
  plaintext: Buffer.from('text'),
});
```
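The following is an added example, not code from the original guide or from the `@google-cloud/kms` library. It wraps the encrypt and decrypt calls shown above in helpers that check the three pitfalls before any request is made: the key name must be the full resource path, the plaintext must be bytes, and the async result is awaited and unpacked in one place. It also passes `additionalAuthenticatedData` (a real field of the KMS encrypt/decrypt requests) so the ciphertext is bound to a context string and decryption with a different context fails. `FakeKmsClient`, `encryptWithKms`, `decryptWithKms` and `roundTrip` are names invented here; the fake client has the same call shape as `KeyManagementServiceClient` but performs no real cryptography, so the example runs offline. Swap in a real client to use it against Cloud KMS.

```javascript
// Added example (not the guide's own code). FakeKmsClient is a stand-in for
// KeyManagementServiceClient so this runs offline; it does NO real cryptography.

// Pitfall 1: only the full resource path is accepted as a key name.
const CRYPTO_KEY_RE =
  /^projects\/[^/]+\/locations\/[^/]+\/keyRings\/[^/]+\/cryptoKeys\/[^/]+$/;

// Builds the same layout client.cryptoKeyPath() returns.
function cryptoKeyPath(projectId, locationId, keyRingId, cryptoKeyId) {
  return `projects/${projectId}/locations/${locationId}/keyRings/${keyRingId}/cryptoKeys/${cryptoKeyId}`;
}

function isCryptoKeyName(name) {
  return typeof name === 'string' && CRYPTO_KEY_RE.test(name);
}

// Pitfall 2: KMS expects bytes. Strings are UTF-8 encoded; anything else is rejected.
function toBytes(data) {
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'string') return Buffer.from(data, 'utf8');
  throw new TypeError('plaintext must be a string or Buffer');
}

// Symmetric KMS encrypt accepts at most 64 KiB of plaintext per call;
// larger payloads need envelope encryption (a data key wrapped by KMS).
const MAX_PLAINTEXT_BYTES = 64 * 1024;

// Pitfall 3: the async call is awaited here and the response unpacked once.
async function encryptWithKms(client, keyName, data, aad = '') {
  if (!isCryptoKeyName(keyName)) throw new Error(`invalid key name: ${keyName}`);
  const plaintext = toBytes(data);
  if (plaintext.length > MAX_PLAINTEXT_BYTES) {
    throw new RangeError('plaintext exceeds 64 KiB; use envelope encryption');
  }
  const [resp] = await client.encrypt({
    name: keyName,
    plaintext,
    additionalAuthenticatedData: toBytes(aad), // binds ciphertext to a context
  });
  return resp.ciphertext.toString('base64'); // base64 is safe to store or log
}

async function decryptWithKms(client, keyName, ciphertextB64, aad = '') {
  if (!isCryptoKeyName(keyName)) throw new Error(`invalid key name: ${keyName}`);
  const [resp] = await client.decrypt({
    name: keyName,
    ciphertext: Buffer.from(ciphertextB64, 'base64'),
    additionalAuthenticatedData: toBytes(aad),
  });
  return resp.plaintext.toString('utf8');
}

// Stand-in client (hypothetical): same request/response shape, no cryptography.
// Like the real service, decrypt fails when the key or the AAD does not match.
class FakeKmsClient {
  constructor() { this.store = new Map(); this.counter = 0; }
  async encrypt({ name, plaintext, additionalAuthenticatedData }) {
    if (!Buffer.isBuffer(plaintext)) throw new TypeError('plaintext must be bytes');
    const token = `fake-kms:${name}:${this.counter++}`;
    this.store.set(token, { plaintext, aad: additionalAuthenticatedData.toString('hex') });
    return [{ name, ciphertext: Buffer.from(token) }];
  }
  async decrypt({ name, ciphertext, additionalAuthenticatedData }) {
    const token = ciphertext.toString();
    const entry = this.store.get(token);
    if (!entry || !token.startsWith(`fake-kms:${name}:`) ||
        entry.aad !== additionalAuthenticatedData.toString('hex')) {
      throw new Error('decryption failed');
    }
    return [{ plaintext: entry.plaintext }];
  }
}

// Encrypt, decrypt with the right context, then show that a wrong context fails.
async function roundTrip() {
  const client = new FakeKmsClient();
  const keyName = cryptoKeyPath('my-project', 'global', 'my-key-ring', 'my-key');
  const ciphertext = await encryptWithKms(client, keyName, 'Hello, encrypt me!', 'ctx:v1');
  const plaintext = await decryptWithKms(client, keyName, ciphertext, 'ctx:v1');
  let mismatchRejected = false;
  try { await decryptWithKms(client, keyName, ciphertext, 'ctx:other'); }
  catch (e) { mismatchRejected = true; }
  return { ciphertext, plaintext, mismatchRejected };
}

roundTrip().then((r) => console.log(r)).catch(console.error);
```

The AAD is not secret and is not part of the ciphertext; the caller has to supply the same value at decrypt time, which is what makes it useful for tying a ciphertext to a record id or a purpose so it cannot be quietly moved elsewhere.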

📊 Quick Reference

| Step | Description | Example |
|------|-------------|---------|
| 1 | Create Key Ring and Crypto Key in GCP Console or CLI | `gcloud kms keyrings create my-key-ring --location global` |
| 2 | Get full key resource name | `projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key` |
| 3 | Encrypt data using KMS client | `client.encrypt({name: keyName, plaintext: Buffer.from(data)})` |
| 4 | Store or transmit encrypted ciphertext safely | `ciphertext.toString('base64')` |

Key Takeaways

  • Always use the full resource name for your KMS key when encrypting data.
  • Convert your plaintext data to bytes before calling the encrypt method.
  • Handle asynchronous calls properly to get the encrypted result.
  • The ciphertext can be stored or transmitted without exposing the plaintext; protect access to the key itself, since anyone who can call decrypt with it can recover the data.
  • Use Google Cloud Console or CLI to create keys before encrypting data.