Required. The data to encrypt. Must be no larger than 64KiB.
The maximum size depends on the key version'sprotectionLevel. ForSOFTWARE,EXTERNAL, andEXTERNAL_VPCkeys, the plaintext must be no larger than 64KiB. ForHSMkeys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.
The maximum size depends on the key version'sprotectionLevel. ForSOFTWARE,EXTERNAL, andEXTERNAL_VPCkeys the AAD must be no larger than 64KiB. ForHSMkeys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB.
Optional. An optional CRC32C checksum of theEncryptRequest.plaintext. If specified,KeyManagementServicewill verify the integrity of the receivedEncryptRequest.plaintextusing this checksum.KeyManagementServicewill report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.plaintext) is equal toEncryptRequest.plaintext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
Optional. An optional CRC32C checksum of theEncryptRequest.additional_authenticated_data. If specified,KeyManagementServicewill verify the integrity of the receivedEncryptRequest.additional_authenticated_datausing this checksum.KeyManagementServicewill report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.additional_authenticated_data) is equal toEncryptRequest.additional_authenticated_data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
Integrity verification field. A CRC32C checksum of the returnedEncryptResponse.ciphertext. An integrity check ofEncryptResponse.ciphertextcan be performed by computing the CRC32C checksum ofEncryptResponse.ciphertextand comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
verifiedPlaintextCrc32c
boolean
Integrity verification field. A flag indicating whetherEncryptRequest.plaintext_crc32cwas received byKeyManagementServiceand used for the integrity verification of theplaintext. A false value of this field indicates either thatEncryptRequest.plaintext_crc32cwas left unset or that it was not delivered toKeyManagementService. If you've setEncryptRequest.plaintext_crc32cbut this field is still false, discard the response and perform a limited number of retries.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-06-23 UTC."],[],[],null,["# Method: cryptoKeys.encrypt\n\n- [HTTP request](#body.HTTP_TEMPLATE)\n- [Path parameters](#body.PATH_PARAMETERS)\n- [Request body](#body.request_body)\n - [JSON representation](#body.request_body.SCHEMA_REPRESENTATION)\n- [Response body](#body.response_body)\n - [JSON representation](#body.EncryptResponse.SCHEMA_REPRESENTATION)\n- [Authorization scopes](#body.aspect)\n- [Try it!](#try-it)\n\n**Full name**: projects.locations.keyRings.cryptoKeys.encrypt\n\nEncrypts data, so that it can only be recovered by a call to [cryptoKeys.decrypt](/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/decrypt#google.cloud.kms.v1.KeyManagementService.Decrypt). The [CryptoKey.purpose](/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKey.FIELDS.purpose) must be [ENCRYPT_DECRYPT](/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose.ENUM_VALUES.ENCRYPT_DECRYPT).\n\n### HTTP request\n\nChoose a location: \nglobal europe-west3 europe-west8 europe-west9 me-central2 us-east1 us-east4 us-west2 us-west1 us-east7 us-central1 us-west3 us-central2 us-west4 us-west8 us-east5 us-south1 us in \n\n\u003cbr /\u003e\n\nThe URLs use [gRPC Transcoding](https://google.aip.dev/127) syntax.\n\n### Path parameters\n\n### Request body\n\nThe request body contains data with the following structure:\n\n### Response body\n\nResponse message for [KeyManagementService.Encrypt](/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/encrypt#google.cloud.kms.v1.KeyManagementService.Encrypt).\n\nIf successful, the response body contains data with the following structure:\n\n### Authorization scopes\n\nRequires one of the following OAuth scopes:\n\n- `https://www.googleapis.com/auth/cloudkms`\n- `https://www.googleapis.com/auth/cloud-platform`\n\nFor more information, see the [Authentication Overview](/docs/authentication#authorization-gcp)."]]
