Cloud KMS
gRPC · port 8091
Configuration
No env var. Cloud KMS has no official *_EMULATOR_HOST environment variable. You must configure the endpoint manually in your client code.
Go SDK example
Create a key ring, create a symmetric crypto key, encrypt, and decrypt:
```go
package main

import (
	"context"
	"encoding/base64"
	"fmt"
	"log"

	kms "cloud.google.com/go/kms/apiv1"
	kmspb "cloud.google.com/go/kms/apiv1/kmspb"
	"google.golang.org/api/option"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"
)

func main() {
	ctx := context.Background()

	// Connect to localgcp (no TLS, no auth)
	client, err := kms.NewKeyManagementClient(ctx,
		option.WithEndpoint("localhost:8091"),
		option.WithoutAuthentication(),
		option.WithGRPCDialOption(grpc.WithTransportCredentials(
			insecure.NewCredentials(),
		)),
	)
	if err != nil {
		log.Fatal(err)
	}
	defer client.Close()

	location := "projects/my-project/locations/us-east1"

	// Create a key ring
	keyRing, err := client.CreateKeyRing(ctx, &kmspb.CreateKeyRingRequest{
		Parent:    location,
		KeyRingId: "my-key-ring",
	})
	if err != nil {
		log.Fatal(err)
	}

	// Create a symmetric encrypt/decrypt key
	key, err := client.CreateCryptoKey(ctx, &kmspb.CreateCryptoKeyRequest{
		Parent:      keyRing.Name,
		CryptoKeyId: "my-symmetric-key",
		CryptoKey: &kmspb.CryptoKey{
			Purpose: kmspb.CryptoKey_ENCRYPT_DECRYPT,
			VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
				Algorithm: kmspb.CryptoKeyVersion_GOOGLE_SYMMETRIC_ENCRYPTION,
			},
		},
	})
	if err != nil {
		log.Fatal(err)
	}

	// Encrypt
	encResp, err := client.Encrypt(ctx, &kmspb.EncryptRequest{
		Name:      key.Name,
		Plaintext: []byte("hello, localgcp"),
	})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Ciphertext: %s\n", base64.StdEncoding.EncodeToString(encResp.Ciphertext))

	// Decrypt
	decResp, err := client.Decrypt(ctx, &kmspb.DecryptRequest{
		Name:       key.Name,
		Ciphertext: encResp.Ciphertext,
	})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Plaintext: %s\n", decResp.Plaintext)
}
```
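A guard for the manual endpoint configuration above, as an added example that is not part of the localgcp documentation: it permits the plaintext, unauthenticated connection only when the configured address is loopback. The variable name `KMS_EMULATOR_HOST` and the function `resolveEmulator` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// emulatorEnv is a hypothetical variable name chosen for this example;
// Cloud KMS defines no official *_EMULATOR_HOST variable.
const emulatorEnv = "KMS_EMULATOR_HOST"

// resolveEmulator returns the emulator endpoint when emulatorEnv is set, or
// ok=false when the caller should build a normal TLS, authenticated client.
// It fails closed on non-loopback addresses: the emulator link has no TLS and no auth.
func resolveEmulator(getenv func(string) string) (endpoint string, ok bool, err error) {
	addr := getenv(emulatorEnv)
	if addr == "" {
		return "", false, nil
	}
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", false, fmt.Errorf("%s=%q: want host:port: %w", emulatorEnv, addr, err)
	}
	if port == "" {
		return "", false, fmt.Errorf("%s=%q: missing port", emulatorEnv, addr)
	}
	// Accept only the literal name "localhost" or a loopback IP literal; reject other hostnames.
	if host != "localhost" {
		ip := net.ParseIP(host)
		if ip == nil || !ip.IsLoopback() {
			return "", false, fmt.Errorf("%s must be a loopback address, got %q", emulatorEnv, host)
		}
	}
	return net.JoinHostPort(host, port), true, nil
}

func main() {
	endpoint, ok, err := resolveEmulator(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// ok=false: build the default client. ok=true: pass endpoint to
	// option.WithEndpoint together with the insecure dial options.
	fmt.Println("use emulator:", ok, "endpoint:", endpoint)
}
```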
Features
- KeyRing/CryptoKey CRUD -- create, get, list key rings and crypto keys
- Symmetric encrypt/decrypt -- encrypt and decrypt data with symmetric keys
- Asymmetric sign -- sign data with EC P256 and RSA 2048 keys
- GetPublicKey -- retrieve the public key for asymmetric keys
- HMAC sign/verify -- create and verify HMAC signatures
- CryptoKeyVersion management -- create, list, and destroy key versions
Not yet supported
- Key import
- Rotation schedules
- Raw encrypt/decrypt
- Asymmetric decrypt
- Key rings per location