Upload an object by using CSEK

  namespace 
  
 gcs 
  
 = 
  
 :: 
 google 
 :: 
 cloud 
 :: 
 storage 
 ; 
 using 
  
 :: 
 google 
 :: 
 cloud 
 :: 
 StatusOr 
 ; 
 []( 
 gcs 
 :: 
 Client 
  
 client 
 , 
  
 std 
 :: 
 string 
  
 const 
&  
 bucket_name 
 , 
  
 std 
 :: 
 string 
  
 const 
&  
 object_name 
 , 
  
 std 
 :: 
 string 
  
 const 
&  
 base64_aes256_key 
 ) 
  
 { 
  
 StatusOr<gcs 
 :: 
 ObjectMetadata 
>  
 object_metadata 
  
 = 
  
 client 
 . 
 InsertObject 
 ( 
  
 bucket_name 
 , 
  
 object_name 
 , 
  
 "top secret" 
 , 
  
 gcs 
 :: 
 EncryptionKey 
 :: 
 FromBase64Key 
 ( 
 base64_aes256_key 
 )); 
  
 if 
  
 ( 
 ! 
 object_metadata 
 ) 
  
 throw 
  
 std 
 :: 
 move 
 ( 
 object_metadata 
 ). 
 status 
 (); 
  
 std 
 :: 
 cout 
 << 
 "The object " 
 << 
 object_metadata 
 - 
> name 
 () 
 << 
 " was created in bucket " 
 << 
 object_metadata 
 - 
> bucket 
 () 
 << 
 " 
 \n 
 Full metadata: " 
 << 
 * 
 object_metadata 
 << 
 " 
 \n 
 " 
 ; 
 } 
 

  using 
  
  Google.Cloud.Storage.V1 
 
 ; 
 using 
  
 System 
 ; 
 using 
  
 System.IO 
 ; 
 public 
  
 class 
  
 UploadEncryptedFileSample 
 { 
  
 public 
  
 void 
  
 UploadEncryptedFile 
 ( 
  
 string 
  
 key 
  
 = 
  
 "3eFsTXPvqi3BpT2ipFCGirslh1Jgc6ikjoAu2oQ5JcI=" 
 , 
  
 string 
  
 bucketName 
  
 = 
  
 "your-unique-bucket-name" 
 , 
  
 string 
  
 localPath 
  
 = 
  
 "my-local-path/my-file-name" 
 , 
  
 string 
  
 objectName 
  
 = 
  
 "my-file-name" 
 ) 
  
 { 
  
 var 
  
 storage 
  
 = 
  
  StorageClient 
 
 . 
  Create 
 
 (); 
  
 using 
  
 var 
  
 fileStream 
  
 = 
  
 File 
 . 
 OpenRead 
 ( 
 localPath 
 ); 
  
 storage 
 . 
 UploadObject 
 ( 
 bucketName 
 , 
  
 objectName 
 , 
  
 null 
 , 
  
 fileStream 
 , 
  
 new 
  
  UploadObjectOptions 
 
  
 { 
  
 EncryptionKey 
  
 = 
  
  EncryptionKey 
 
 . 
  Create 
 
 ( 
 Convert 
 . 
 FromBase64String 
 ( 
 key 
 )) 
  
 }); 
  
 Console 
 . 
 WriteLine 
 ( 
 $"Uploaded {objectName}." 
 ); 
  
 } 
 } 
 

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "time" 
  
 "cloud.google.com/go/storage" 
 ) 
 // uploadEncryptedFile writes an object using AES-256 encryption key. 
 func 
  
 uploadEncryptedFile 
 ( 
 w 
  
 io 
 . 
  Writer 
 
 , 
  
 bucket 
 , 
  
 object 
  
 string 
 , 
  
 secretKey 
  
 [] 
 byte 
 ) 
  
 error 
  
 { 
  
 // bucket := "bucket-name" 
  
 // object := "object-name" 
  
 // secretKey := []byte("secret-key") 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 storage 
 . 
 NewClient 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "storage.NewClient: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
 Close 
 () 
  
 ctx 
 , 
  
 cancel 
  
 := 
  
 context 
 . 
 WithTimeout 
 ( 
 ctx 
 , 
  
 time 
 . 
 Second 
 * 
 50 
 ) 
  
 defer 
  
 cancel 
 () 
  
 o 
  
 := 
  
 client 
 . 
  Bucket 
 
 ( 
 bucket 
 ). 
  Object 
 
 ( 
 object 
 ) 
  
 // Optional: set a generation-match precondition to avoid potential race 
  
 // conditions and data corruptions. The request to upload is aborted if the 
  
 // object's generation number does not match your precondition. 
  
 // For an object that does not yet exist, set the DoesNotExist precondition. 
  
 o 
  
 = 
  
 o 
 . 
 If 
 ( 
 storage 
 . 
  Conditions 
 
 { 
 DoesNotExist 
 : 
  
 true 
 }) 
  
 // If the live object already exists in your bucket, set instead a 
  
 // generation-match precondition using the live object's generation number. 
  
 // attrs, err := o.Attrs(ctx) 
  
 // if err != nil { 
  
 // 	return fmt.Errorf("object.Attrs: %w", err) 
  
 // } 
  
 // o = o.If(storage.Conditions{GenerationMatch: attrs.Generation}) 
  
 // Encrypt the object's contents. 
  
 wc 
  
 := 
  
 o 
 . 
  Key 
 
 ( 
 secretKey 
 ). 
  NewWriter 
 
 ( 
 ctx 
 ) 
  
 if 
  
 _ 
 , 
  
 err 
  
 := 
  
 wc 
 . 
  Write 
 
 ([] 
 byte 
 ( 
 "top secret" 
 )); 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "Writer.Write: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 if 
  
 err 
  
 := 
  
 wc 
 . 
 Close 
 (); 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "Writer.Close: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Uploaded encrypted object %v.\n" 
 , 
  
 object 
 ) 
  
 return 
  
 nil 
 } 
 

  import 
  
 com.google.cloud.storage. BlobId 
 
 ; 
 import 
  
 com.google.cloud.storage. BlobInfo 
 
 ; 
 import 
  
 com.google.cloud.storage. Storage 
 
 ; 
 import 
  
 com.google.cloud.storage. StorageOptions 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 import 
  
 java.nio.file.Files 
 ; 
 import 
  
 java.nio.file.Paths 
 ; 
 public 
  
 class 
 UploadEncryptedObject 
  
 { 
  
 public 
  
 static 
  
 void 
  
 uploadEncryptedObject 
 ( 
  
 String 
  
 projectId 
 , 
  
 String 
  
 bucketName 
 , 
  
 String 
  
 objectName 
 , 
  
 String 
  
 filePath 
 , 
  
 String 
  
 encryptionKey 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // The ID of your GCP project 
  
 // String projectId = "your-project-id"; 
  
 // The ID of your GCS bucket 
  
 // String bucketName = "your-unique-bucket-name"; 
  
 // The ID of your GCS object 
  
 // String objectName = "your-object-name"; 
  
 // The path to your file to upload 
  
 // String filePath = "path/to/your/file" 
  
 // The key to encrypt the object with 
  
 // String encryptionKey = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g="; 
  
  Storage 
 
  
 storage 
  
 = 
  
  StorageOptions 
 
 . 
 newBuilder 
 (). 
 setProjectId 
 ( 
 projectId 
 ). 
 build 
 (). 
  getService 
 
 (); 
  
  BlobId 
 
  
 blobId 
  
 = 
  
  BlobId 
 
 . 
 of 
 ( 
 bucketName 
 , 
  
 objectName 
 ); 
  
  BlobInfo 
 
  
 blobInfo 
  
 = 
  
  BlobInfo 
 
 . 
 newBuilder 
 ( 
 blobId 
 ). 
 build 
 (); 
  
 // Optional: set a generation-match precondition to avoid potential race 
  
 // conditions and data corruptions. The request returns a 412 error if the 
  
 // preconditions are not met. 
  
  Storage 
 
 . 
 BlobTargetOption 
  
 precondition 
 ; 
  
 if 
  
 ( 
 storage 
 . 
  get 
 
 ( 
 bucketName 
 , 
  
 objectName 
 ) 
  
 == 
  
 null 
 ) 
  
 { 
  
 // For a target object that does not yet exist, set the DoesNotExist precondition. 
  
 // This will cause the request to fail if the object is created before the request runs. 
  
 precondition 
  
 = 
  
  Storage 
 
 . 
 BlobTargetOption 
 . 
 doesNotExist 
 (); 
  
 } 
  
 else 
  
 { 
  
 // If the destination already exists in your bucket, instead set a generation-match 
  
 // precondition. This will cause the request to fail if the existing object's generation 
  
 // changes before the request runs. 
  
 precondition 
  
 = 
  
  Storage 
 
 . 
 BlobTargetOption 
 . 
 generationMatch 
 ( 
  
 storage 
 . 
  get 
 
 ( 
 bucketName 
 , 
  
 objectName 
 ). 
 getGeneration 
 ()); 
  
 } 
  
 storage 
 . 
  create 
 
 ( 
  
 blobInfo 
 , 
  
 Files 
 . 
 readAllBytes 
 ( 
 Paths 
 . 
 get 
 ( 
 filePath 
 )), 
  
 Storage 
 . 
 BlobTargetOption 
 . 
 encryptionKey 
 ( 
 encryptionKey 
 ), 
  
 precondition 
 ); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
  
 "File " 
  
 + 
  
 filePath 
  
 + 
  
 " uploaded to bucket " 
  
 + 
  
 bucketName 
  
 + 
  
 " as " 
  
 + 
  
 objectName 
  
 + 
  
 " with supplied encryption key" 
 ); 
  
 } 
 } 
 

  /** 
 * TODO(developer): Uncomment the following lines before running the sample. 
 */ 
 // The ID of your GCS bucket 
 // const bucketName = 'your-unique-bucket-name'; 
 // The path to your file to upload 
 // const filePath = 'path/to/your/file'; 
 // The new ID for your GCS file 
 // const destFileName = 'your-new-file-name'; 
 // The key to encrypt the object with 
 // const key = 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g='; 
 // Imports the Google Cloud client library 
 const 
  
 { 
 Storage 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/storage 
' 
 ); 
 // Creates a client 
 const 
  
 storage 
  
 = 
  
 new 
  
 Storage 
 (); 
 async 
  
 function 
  
 uploadEncryptedFile 
 () 
  
 { 
  
 const 
  
 options 
  
 = 
  
 { 
  
 destination 
 : 
  
 destFileName 
 , 
  
 encryptionKey 
 : 
  
 Buffer 
 . 
 from 
 ( 
 key 
 , 
  
 ' base64 
' 
 ), 
  
 // Optional: 
  
 // Set a generation-match precondition to avoid potential race conditions 
  
 // and data corruptions. The request to upload is aborted if the object's 
  
 // generation number does not match your precondition. For a destination 
  
 // object that does not yet exist, set the ifGenerationMatch precondition to 0 
  
 // If the destination object already exists in your bucket, set instead a 
  
 // generation-match precondition using its generation number. 
  
 preconditionOpts 
 : 
  
 { 
 ifGenerationMatch 
 : 
  
 generationMatchPrecondition 
 }, 
  
 }; 
  
 await 
  
 storage 
 . 
 bucket 
 ( 
 bucketName 
 ). 
  upload 
 
 ( 
 filePath 
 , 
  
 options 
 ); 
  
 console 
 . 
 log 
 ( 
  
 `File 
 ${ 
 filePath 
 } 
 uploaded to gs:// 
 ${ 
 bucketName 
 } 
 / 
 ${ 
 destFileName 
 } 
 ` 
  
 ); 
 } 
 uploadEncryptedFile 
 (). 
 catch 
 ( 
 console 
 . 
 error 
 ); 
 

  use Google\Cloud\Storage\StorageClient; 
 /** 
 * Upload an encrypted file. 
 * 
 * @param string $bucketName The name of your Cloud Storage bucket. 
 *        (e.g. 'my-bucket') 
 * @param string $objectName The name of your Cloud Storage object. 
 *        (e.g. 'my-object') 
 * @param string $source The path to the file to upload. 
 *        (e.g. '/path/to/your/file') 
 * @param string $base64EncryptionKey The base64 encoded encryption key. 
 *        (e.g. 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=') 
 */ 
 function upload_encrypted_object(string $bucketName, string $objectName, string $source, string $base64EncryptionKey): void 
 { 
 $storage = new StorageClient(); 
 $file = fopen($source, 'r'); 
 $bucket = $storage->bucket($bucketName); 
 $object = $bucket->upload($file, [ 
 'name' => $objectName, 
 'encryptionKey' => $base64EncryptionKey, 
 ]); 
 printf('Uploaded encrypted %s to gs://%s/%s' . PHP_EOL, 
 basename($source), $bucketName, $objectName); 
 } 
 

  import 
  
 base64 
 from 
  
 google.cloud 
  
 import 
  storage 
 
 def 
  
 upload_encrypted_blob 
 ( 
 bucket_name 
 , 
 source_file_name 
 , 
 destination_blob_name 
 , 
 base64_encryption_key 
 , 
 ): 
  
 """Uploads a file to a Google Cloud Storage bucket using a custom 
 encryption key. 
 The file will be encrypted by Google Cloud Storage and only 
 retrievable using the provided encryption key. 
 """ 
 # bucket_name = "your-bucket-name" 
 # source_file_name = "local/path/to/file" 
 # destination_blob_name = "storage-object-name" 
 # base64_encryption_key = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=" 
 storage_client 
 = 
  storage 
 
 . 
  Client 
 
 () 
 bucket 
 = 
 storage_client 
 . 
  bucket 
 
 ( 
 bucket_name 
 ) 
 # Encryption key must be an AES256 key represented as a bytestring with 
 # 32 bytes. Since it's passed in as a base64 encoded string, it needs 
 # to be decoded. 
 encryption_key 
 = 
 base64 
 . 
 b64decode 
 ( 
 base64_encryption_key 
 ) 
 blob 
 = 
 bucket 
 . 
 blob 
 ( 
 destination_blob_name 
 , 
 encryption_key 
 = 
 encryption_key 
 ) 
 # Optional: set a generation-match precondition to avoid potential race conditions 
 # and data corruptions. The request to upload is aborted if the object's 
 # generation number does not match your precondition. For a destination 
 # object that does not yet exist, set the if_generation_match precondition to 0. 
 # If the destination object already exists in your bucket, set instead a 
 # generation-match precondition using its generation number. 
 generation_match_precondition 
 = 
 0 
 blob 
 . 
  upload_from_filename 
 
 ( 
 source_file_name 
 , 
 if_generation_match 
 = 
 generation_match_precondition 
 ) 
 print 
 ( 
 f 
 "File 
 { 
 source_file_name 
 } 
 uploaded to 
 { 
 destination_blob_name 
 } 
 ." 
 ) 
 

  def 
  
 upload_encrypted_file 
  
 bucket_name 
 :, 
  
 local_file_path 
 :, 
  
 file_name 
 : 
  
 nil 
 , 
  
 encryption_key 
 : 
  
 # The ID of your GCS bucket 
  
 # bucket_name = "your-unique-bucket-name" 
  
 # The path to your file to upload 
  
 # local_file_path = "/local/path/to/file.txt" 
  
 # The ID of your GCS object 
  
 # file_name = "your-file-name" 
  
 # The encryption key used for securing the object must be a 32-byte key consisting of raw encrypted data. 
  
 # Key used should not be base64 encoded. 
  
 # encryption_key = "your-encryption-key" 
  
 require 
  
 "google/cloud/storage" 
  
 storage 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  Storage 
 
 . 
  new 
 
  
 bucket 
  
 = 
  
 storage 
 . 
 bucket 
  
 bucket_name 
 , 
  
 skip_lookup 
 : 
  
 true 
  
 file 
  
 = 
  
 bucket 
 . 
  create_file 
 
  
 local_file_path 
 , 
  
 file_name 
 , 
  
 encryption_key 
 : 
  
 encryption_key 
  
 puts 
  
 "Uploaded 
 #{ 
 file 
 . 
 name 
 } 
 with encryption key" 
 end