Method: cryptoKeys.encrypt

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
Try it!

Full name: projects.locations.keyRings.cryptoKeys.encrypt

Encrypts data, so that it can only be recovered by a call to cryptoKeys.decrypt . The CryptoKey.purpose must be ENCRYPT_DECRYPT .

HTTP request

Choose a location:

The URLs use gRPC Transcoding syntax.

Path parameters

Parameters

name

string

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption.

If a CryptoKey is specified, the server will use its primary version .

Authorization requires the following IAM permission on the specified resource name :

cloudkms.cryptoKeyVersions.useToEncrypt

Request body

The request body contains data with the following structure:

JSON representation
{ "plaintext" : string , "additionalAuthenticatedData" : string , "plaintextCrc32c" : string , "additionalAuthenticatedDataCrc32c" : string }

Fields
`plaintext`	`string ( bytes format)` Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's `protectionLevel` . For `SOFTWARE` , `EXTERNAL` , and `EXTERNAL_VPC` keys, the plaintext must be no larger than 64KiB. For `HSM` keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB. A base64-encoded string.
`additionalAuthenticatedData`	`string ( bytes format)` Optional. Optional data that, if specified, must also be provided during decryption through `DecryptRequest.additional_authenticated_data` . The maximum size depends on the key version's `protectionLevel` . For `SOFTWARE` , `EXTERNAL` , and `EXTERNAL_VPC` keys the AAD must be no larger than 64KiB. For `HSM` keys, the combined length of the plaintext and additionalAuthenticatedData fields must be no larger than 8KiB. A base64-encoded string.
`plaintextCrc32c`	`string ( Int64Value format)` Optional. An optional CRC32C checksum of the `EncryptRequest.plaintext` . If specified, `KeyManagementService` will verify the integrity of the received `EncryptRequest.plaintext` using this checksum. `KeyManagementService` will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C( `EncryptRequest.plaintext` ) is equal to `EncryptRequest.plaintext_crc32c` , and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`additionalAuthenticatedDataCrc32c`	`string ( Int64Value format)` Optional. An optional CRC32C checksum of the `EncryptRequest.additional_authenticated_data` . If specified, `KeyManagementService` will verify the integrity of the received `EncryptRequest.additional_authenticated_data` using this checksum. `KeyManagementService` will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C( `EncryptRequest.additional_authenticated_data` ) is equal to `EncryptRequest.additional_authenticated_data_crc32c` , and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

Response body

Response message for KeyManagementService.Encrypt .

If successful, the response body contains data with the following structure:

JSON representation

JSON representation
{ "name" : string , "ciphertext" : string , "ciphertextCrc32c" : string , "verifiedPlaintextCrc32c" : boolean , "verifiedAdditionalAuthenticatedDataCrc32c" : boolean , "protectionLevel" : enum ( `ProtectionLevel` ) }

 { 
 "name" 
 : 
 string 
 , 
 "ciphertext" 
 : 
 string 
 , 
 "ciphertextCrc32c" 
 : 
 string 
 , 
 "verifiedPlaintextCrc32c" 
 : 
 boolean 
 , 
 "verifiedAdditionalAuthenticatedDataCrc32c" 
 : 
 boolean 
 , 
 "protectionLevel" 
 : 
 enum (  ProtectionLevel 
 
) 
 }

Fields
`name`	`string` The resource name of the `CryptoKeyVersion` used in encryption. Check this field to verify that the intended resource was used for encryption.
`ciphertext`	`string ( bytes format)` The encrypted data. A base64-encoded string.
`ciphertextCrc32c`	`string ( Int64Value format)` Integrity verification field. A CRC32C checksum of the returned `EncryptResponse.ciphertext` . An integrity check of `EncryptResponse.ciphertext` can be performed by computing the CRC32C checksum of `EncryptResponse.ciphertext` and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`verifiedPlaintextCrc32c`	`boolean` Integrity verification field. A flag indicating whether `EncryptRequest.plaintext_crc32c` was received by `KeyManagementService` and used for the integrity verification of the `plaintext` . A false value of this field indicates either that `EncryptRequest.plaintext_crc32c` was left unset or that it was not delivered to `KeyManagementService` . If you've set `EncryptRequest.plaintext_crc32c` but this field is still false, discard the response and perform a limited number of retries.
`verifiedAdditionalAuthenticatedDataCrc32c`	`boolean` Integrity verification field. A flag indicating whether `EncryptRequest.additional_authenticated_data_crc32c` was received by `KeyManagementService` and used for the integrity verification of the `AAD` . A false value of this field indicates either that `EncryptRequest.additional_authenticated_data_crc32c` was left unset or that it was not delivered to `KeyManagementService` . If you've set `EncryptRequest.additional_authenticated_data_crc32c` but this field is still false, discard the response and perform a limited number of retries.
`protectionLevel`	`enum ( ProtectionLevel )` The `ProtectionLevel` of the `CryptoKeyVersion` used in encryption.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .