I am trying to decrypt a token using the google KMS tool. Running it locally, for some reason, encryption seems to work but not decryption.
I am running the following code:
import base64
import googleapiclient.discovery

# Build a Cloud KMS v1 client (picks up application default credentials)
kms_client = googleapiclient.discovery.build('cloudkms', 'v1')
crypto_keys = kms_client.projects().locations().keyRings().cryptoKeys()
# Full resource name of the symmetric CryptoKey
name = "projects/my-project/locations/my-loc/keyRings/my-kr/cryptoKeys/my-key"
# The 'ciphertext' field must be base64; b"..." keeps this running on Python 3, where b64encode needs bytes
request = crypto_keys.decrypt(name=name, body={'ciphertext': base64.b64encode(b"my text").decode('ascii')})
response = request.execute()
The last line returns a 400 error:
HttpError: <HttpError 400 when requesting https://cloudkms.g[...]ion:decrypt?alt=json
returned "Decryption failed: verify that 'name' refers to the correct CryptoKey.">
The name, however, actually seems to be correct.
Surprisingly enough, replacing the call to decrypt by encrypt, I obtain a valid output.
Am I missing an obvious mistake, or should I just open an issue on the project's GitHub?
EDIT: I was trying to decrypt plain text, which of course does not make much sense (but the error message misled me somewhat).
A symmetric key is used during both the encryption and decryption processes. To decrypt a particular piece of ciphertext, the key that was used to encrypt the data must be used. The goal of every encryption algorithm is to make it as difficult as possible to decrypt the generated ciphertext without using the key.
If you need more control over the keys used to encrypt data at rest within a Google Cloud project, several Google Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS.
How Google Cloud KMS works. Cloud KMS stores AES-256 encryption keys in a five-level hierarchy. The top level, called GCP Project, manages Identity and Access Management roles for accounts associated with a specific cloud project, which can be linked to an organization or a department within it, for instance.
If you need more control over key operations than what Google-managed encryption keys allows, you can use customer-managed encryption keys. These keys are created and managed using Cloud Key Management Service (Cloud KMS), and you store the keys as software keys, in an HSM cluster, or externally.
Make sure that the ciphertext you're trying to decrypt was encrypted using the same key. If you used another key to encrypt, KMS tells you that it could not find the key, while actually the key was found but couldn't be used to decrypt the ciphertext.
I think the error message is "a bit" misleading.
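As an added example illustrating both answers above (it is not code from the question, the answers, or Google's own client library): a symmetric encrypt/decrypt round-trip through the discovery-style cryptoKeys() interface, showing that decrypt only accepts the base64 ciphertext string that encrypt returned for the same key. Sending base64-encoded plaintext (the question's mistake) or ciphertext from a different key produces the same "Decryption failed" error. The FakeCryptoKeys class, its toy SHA-256/HMAC cipher, and the two key names are constructed so the example runs offline; Cloud KMS itself uses AES-256-GCM, and against the real service you would pass the object returned by kms_client.projects().locations().keyRings().cryptoKeys() instead.

```python
"""Cloud KMS symmetric round-trip, plus the two ways decrypt fails (added example)."""
import base64
import hashlib
import hmac
import os

try:
    from googleapiclient.errors import HttpError   # raised by the real client on a 400
except ImportError:                                 # real client not installed: fake only
    HttpError = None


def kms_encrypt(crypto_keys, key_name, plaintext):
    """Encrypt bytes with a symmetric CryptoKey; returns the base64 ciphertext string KMS returns."""
    body = {"plaintext": base64.b64encode(plaintext).decode("ascii")}
    response = crypto_keys.encrypt(name=key_name, body=body).execute()
    return response["ciphertext"]  # already base64: store and pass it back as-is


def kms_decrypt(crypto_keys, key_name, ciphertext_b64):
    """Decrypt a value previously returned by kms_encrypt for the same key."""
    body = {"ciphertext": ciphertext_b64}  # do not base64-encode it a second time
    response = crypto_keys.decrypt(name=key_name, body=body).execute()
    return base64.b64decode(response["plaintext"])


def decrypt_or_error(crypto_keys, key_name, ciphertext_b64):
    """Plaintext bytes on success, else the KMS error text (input is not ciphertext for this key)."""
    errors = (FakeKmsError,) if HttpError is None else (FakeKmsError, HttpError)
    try:
        return kms_decrypt(crypto_keys, key_name, ciphertext_b64)
    except errors as exc:
        return str(exc)


class FakeKmsError(Exception):
    """Stand-in for googleapiclient.errors.HttpError (constructed for offline use)."""


class _FakeRequest:
    def __init__(self, run):
        self._run = run

    def execute(self):
        return self._run()


def _keystream(key, nonce, length):
    """SHA-256 counter keystream for the toy cipher (constructed, not what KMS uses)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class FakeCryptoKeys:
    """In-memory imitation of ...keyRings().cryptoKeys(), constructed so the example runs offline.
    Toy cipher: keystream XOR + HMAC-SHA256 tag. Only the behaviour matters: decrypt accepts
    ciphertext made by encrypt under the same key, otherwise it fails with KMS's 400 message."""
    ERROR = "Decryption failed: verify that 'name' refers to the correct CryptoKey."

    def __init__(self):
        self._keys = {}

    def add_key(self, name):
        self._keys[name] = os.urandom(32)

    def encrypt(self, name, body):
        def run():
            key = self._keys[name]
            plaintext = base64.b64decode(body["plaintext"])
            nonce = os.urandom(16)
            ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
            tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
            return {"name": name, "ciphertext": base64.b64encode(nonce + ct + tag).decode("ascii")}
        return _FakeRequest(run)

    def decrypt(self, name, body):
        def run():
            key = self._keys[name]
            blob = base64.b64decode(body["ciphertext"])
            if len(blob) < 48:  # shorter than nonce + tag: cannot be our ciphertext
                raise FakeKmsError(self.ERROR)
            nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
            expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):  # wrong key, or never ciphertext
                raise FakeKmsError(self.ERROR)
            return {"plaintext": base64.b64encode(_xor(ct, _keystream(key, nonce, len(ct)))).decode("ascii")}
        return _FakeRequest(run)


# Placeholder key names (assumed, as in the question)
KEY_A = "projects/my-project/locations/my-loc/keyRings/my-kr/cryptoKeys/my-key"
KEY_B = "projects/my-project/locations/my-loc/keyRings/my-kr/cryptoKeys/other-key"
PLAINTEXT_B64 = "bXkgdGV4dA=="  # base64 of b"my text": what the question sent to decrypt


def make_fake():
    fake = FakeCryptoKeys()
    fake.add_key(KEY_A)
    fake.add_key(KEY_B)
    return fake


if __name__ == "__main__":
    crypto_keys = make_fake()  # real client: build('cloudkms','v1').projects().locations().keyRings().cryptoKeys()
    ct = kms_encrypt(crypto_keys, KEY_A, b"my text")
    print(kms_decrypt(crypto_keys, KEY_A, ct))                 # b'my text'
    print(decrypt_or_error(crypto_keys, KEY_A, PLAINTEXT_B64))  # plaintext sent as ciphertext: error
    print(decrypt_or_error(crypto_keys, KEY_B, ct))            # other key: same error text
```

The practical check is the last two calls: the error text does not distinguish "this was never ciphertext" from "this was encrypted under another key", so when you see it, confirm you are passing the string encrypt returned, unmodified, to the same key name.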