Get the version of Google KMS key used when decrypting ciphertext

Question

When encrypting symmetrically with Google Cloud's KMS, Google Cloud automatically chooses the primary key version:

Each symmetric encryption key has a designated primary version which is used at that point in time to encrypt data. In order for a key to be available for use to encrypt data, it needs to have a primary key version which is enabled.

When a key is used to encrypt plaintext, its primary key version is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a key can be primary at any given point in time.

The EncryptResponse includes the ciphertext and the version of the key that was used.

If you haven't saved the version of the key at the time of encryption, is it possible to determine the key version later? The key version is stored in the ciphertext, and the KMS service is able to determine the key version to decrypt with, but the DecryptResponse only includes the plaintext, not the key version.

Answer 1

This is not currently possible but we've taken a feature request to provide the version when decrypting. Thanks for the suggestion and thanks for using GCP and Cloud KMS!