I want to use client-side encryption with a cloud KMS

Tink lets you perform client-side encryption of some data, and to protect your keys using a cloud Key Management System (KMS). This works as follows:

  1. The client generates a Data Encryption Key (DEK).
  2. Data is encrypted using the DEK by the client.
  3. The DEK is encrypted by a Key Encryption Key (KEK) that is stored in a cloud KMS.

By using a cloud KMS, your KEK resides safely in the cloud, where you can rotate, deactivate, or destroy it, depending on your needs.

Refer to the key management overview section for more information about what Tink needs to interact with a cloud KMS.

With Tink you can perform client-side encryption with a cloud KMS in two ways:

  • Using the KMS envelope AEAD primitive (KmsEnvelopeAead) – Using the KmsEnvelopeAead primitive, for every encryption Tink creates a new AEAD DEK, encrypts it with a cloud KMS KEK, and stores it as part of the ciphertext, so you don't need to handle the DEK yourself. As a consequence, the ciphertext is a bit longer because it includes the encrypted DEK. Furthermore, every time you encrypt or decrypt, Tink makes an RPC to the KMS (the actual decryption or encryption of the data is performed locally).

  • Using another primitive and encrypt the keyset with the cloud KMS – This is more flexible in that you can use different primitives other than AEAD, and you can limit the calls to the cloud KMS.

KMS envelope AEAD

When you encrypt data with the KmsEnvelopeAead primitive, Tink does the following for you:

  1. Generates a random DEK and locally encrypts your data with it.
  2. Makes a request to your KMS to encrypt the DEK with the KMS KEK.
  3. Concatenates the KEK-encrypted encryption DEK with the encrypted data.

Both the DEK type and the KEK URI are specified in the KmsEnvelopeAead key. When decrypting, Tink does the reverse operations:

  1. Extracts the KEK-encrypted DEK key.
  2. Makes a request to your KMS to decrypt the KEK-encrypted DEK.
  3. Decrypts the ciphertext locally using the DEK.

The following example showcases how you can use the KmsEnvelopeAead primitive.


For this example you need the Google Cloud KMS extension tink-cc-gcpkms.

// A command-line utility for testing Tink Envelope AEAD with Google Cloud KMS.
#include <fstream>
#include <iostream>
#include <memory>
#include <ostream>
#include <sstream>
#include <string>
#include <utility>

#include "absl/flags/flag.h"
#include "absl/flags/parse.h"
#include "absl/log/check.h"
#include "absl/log/log.h"
#include "absl/status/status.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/string_view.h"
#include "tink/aead.h"
#include "tink/aead/aead_config.h"
#include "tink/aead/aead_key_templates.h"
#include "tink/aead/kms_envelope_aead.h"
#include "tink/integration/gcpkms/gcp_kms_client.h"
#include "tink/util/status.h"
#include "tink/util/statusor.h"
#include "proto/tink.pb.h"

ABSL_FLAG(std::string, mode, "", "Mode of operation {encrypt|decrypt}");
ABSL_FLAG(std::string, kek_uri, "", "URI of the KMS Key Encryption Key to use");
ABSL_FLAG(std::string, input_filename, "", "Input file name");
ABSL_FLAG(std::string, output_filename, "", "Output file name");
ABSL_FLAG(std::string, credentials, "",
          "Optional Google Cloud KMS credentials file path; if not specified, "
          "use the default credentials");
ABSL_FLAG(std::string, associated_data, "", "Optional associated data");

namespace {

using ::crypto::tink::Aead;
using ::crypto::tink::AeadKeyTemplates;
using ::crypto::tink::integration::gcpkms::GcpKmsClient;
using ::crypto::tink::util::Status;
using ::crypto::tink::util::StatusOr;
using ::google::crypto::tink::KeyTemplate;

constexpr absl::string_view kEncrypt = "encrypt";
constexpr absl::string_view kDecrypt = "decrypt";

void ValidateParams() {
  // ...

absl::StatusOr<std::string> ReadFile(absl::string_view filename) {
  // ...

absl::Status WriteToFile(absl::string_view data_to_write,
                         absl::string_view filename) {
  // ...

}  // namespace

namespace tink_cc_gcpkms_examples {

void KmsEnvelopAeadCli(absl::string_view mode, absl::string_view kek_uri,
                       absl::string_view input_filename,
                       absl::string_view output_filename,
                       absl::string_view credentials,
                       absl::string_view associated_data) {
  // Obtain a remote Aead that can use the KEK.
  StatusOr<std::unique_ptr<GcpKmsClient>> gcp_kms_client =
      GcpKmsClient::New(kek_uri, credentials);
  StatusOr<std::unique_ptr<Aead>> remote_aead =
  // Define the DEK template.
  KeyTemplate dek_key_template = AeadKeyTemplates::Aes256Gcm();
  // Create a KmsEnvelopeAead instance.
  StatusOr<std::unique_ptr<Aead>> aead = crypto::tink::KmsEnvelopeAead::New(
      dek_key_template, *std::move(remote_aead));

  StatusOr<std::string> input_file_content = ReadFile(input_filename);
  if (mode == kEncrypt) {
    // Generate the ciphertext.
    StatusOr<std::string> encrypt_result =
        (*aead)->Encrypt(*input_file_content, associated_data);
    CHECK_OK(WriteToFile(encrypt_result.value(), output_filename));
  } else {  // mode == kDecrypt.
    // Recover the plaintext.
    StatusOr<std::string> decrypt_result =
        (*aead)->Decrypt(*input_file_content, associated_data);
    CHECK_OK(WriteToFile(decrypt_result.value(), output_filename));

}  // namespace tink_cc_gcpkms_examples

int main(int argc, char** argv) {
  absl::ParseCommandLine(argc, argv);


  std::string mode = absl::GetFlag(FLAGS_mode);
  std::string kek_uri = absl::GetFlag(FLAGS_kek_uri);
  std::string input_filename = absl::GetFlag(FLAGS_input_filename);
  std::string output_filename = absl::GetFlag(FLAGS_output_filename);
  std::string credentials = absl::GetFlag(FLAGS_credentials);
  std::string associated_data = absl::GetFlag(FLAGS_associated_data);

  LOG(INFO) << "Using kek-uri " << kek_uri << " with "
            << (credentials.empty()
                    ? "default credentials"
                    : absl::StrCat("credentials file ", credentials))
            << " to envelope " << mode << " file " << input_filename
            << " with associated data '" << associated_data << "'." << '\n';
  LOG(INFO) << "The resulting output will be written to " << output_filename
            << '\n';

  tink_cc_gcpkms_examples::KmsEnvelopAeadCli(mode, kek_uri, input_filename,
                                             output_filename, credentials,
  return 0;


import (


// The fake KMS should only be used in tests. It is not secure.
const keyURI = "fake-kms://CM2b3_MDElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIK75t5L-adlUwVhWvRuWUwYARABGM2b3_MDIAE"

func Example_kmsEnvelopeAEAD() {
	// Get a KEK (key encryption key) AEAD. This is usually a remote AEAD to a KMS. In this example,
	// we use a fake KMS to avoid making RPCs.
	client, err := fakekms.NewClient(keyURI)
	if err != nil {
	kekAEAD, err := client.GetAEAD(keyURI)
	if err != nil {

	// Get the KMS envelope AEAD primitive.
	primitive := aead.NewKMSEnvelopeAEAD2(aead.AES256GCMKeyTemplate(), kekAEAD)

	// Use the primitive.
	plaintext := []byte("message")
	associatedData := []byte("example KMS envelope AEAD encryption")

	ciphertext, err := primitive.Encrypt(plaintext, associatedData)
	if err != nil {

	decrypted, err := primitive.Decrypt(ciphertext, associatedData)
	if err != nil {
	// Output: message


For this example you need the Google Cloud KMS extension tink-java-gcpkms.

package envelopeaead;

import static java.nio.charset.StandardCharsets.UTF_8;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsEnvelopeAead;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import java.io.File;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;

 * A command-line utility for encrypting small files with envelope encryption.
 * <p>It requires the following arguments:
 * <ul>
 *   <li>mode: Can be "encrypt" or "decrypt" to encrypt/decrypt the input to the output.
 *   <li>kek-uri: Use this Cloud KMS' key as the key-encrypting-key for envelope encryption.
 *   <li>gcp-credential-file: Use this JSON credential file to connect to Cloud KMS.
 *   <li>input-file: Read the input from this file.
 *   <li>output-file: Write the result to this file.
 *   <li>[optional] associated-data: Associated data used for the encryption or decryption.
public final class EnvelopeAeadExample {
  private static final String MODE_ENCRYPT = "encrypt";
  private static final String MODE_DECRYPT = "decrypt";

  public static void main(String[] args) throws Exception {
    if (args.length != 5 && args.length != 6) {
      System.err.printf("Expected 5 or 6 parameters, got %d\n", args.length);
          "Usage: java EnvelopeAeadExample encrypt/decrypt kek-uri gcp-credential-file"
              + " input-file output-file [associated-data]");
    String mode = args[0];
    String kekUri = args[1];
    String gcpCredentialFilename = args[2];
    byte[] input = Files.readAllBytes(Paths.get(args[3]));
    File outputFile = new File(args[4]);
    byte[] associatedData = new byte[0];
    if (args.length == 6) {
      System.out.println("Associated data!");
      associatedData = args[5].getBytes(UTF_8);
    // Initialise Tink: register all AEAD key types with the Tink runtime

    // Read the GCP credentials and create a remote AEAD object.
    Aead remoteAead = null;
    try {
      KmsClient kmsClient = new GcpKmsClient().withCredentials(gcpCredentialFilename);
      remoteAead = kmsClient.getAead(kekUri);
    } catch (GeneralSecurityException ex) {
      System.err.println("Error initializing GCP client: " + ex);

    // Create envelope AEAD primitive using AES256 GCM for encrypting the data
    Aead aead = KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, remoteAead);

    // Use the primitive to encrypt/decrypt files.
    if (MODE_ENCRYPT.equals(mode)) {
      byte[] ciphertext = aead.encrypt(input, associatedData);
      try (FileOutputStream stream = new FileOutputStream(outputFile)) {
    } else if (MODE_DECRYPT.equals(mode)) {
      byte[] plaintext = aead.decrypt(input, associatedData);
      try (FileOutputStream stream = new FileOutputStream(outputFile)) {
    } else {
      System.err.println("The first argument must be either encrypt or decrypt, got: " + mode);


  private EnvelopeAeadExample() {}


"""A command-line utility for encrypting small files using envelope encryption with GCP."""

from absl import app
from absl import flags
from absl import logging
import tink
from tink import aead
from tink.integration import gcpkms


    'mode', None, ['encrypt', 'decrypt'], 'The operation to perform.'
    'kek_uri', None, 'The Cloud KMS URI of the key encryption key.'
    'gcp_credential_path', None, 'Path to the GCP credentials JSON file.'
flags.DEFINE_string('input_path', None, 'Path to the input file.')
flags.DEFINE_string('output_path', None, 'Path to the output file.')
    'associated_data', None, 'Optional associated data used for the encryption.'

def main(argv):
  del argv  # Unused.

  associated_data = (
      if not FLAGS.associated_data
      else bytes(FLAGS.associated_data, 'utf-8')

  # Initialise Tink

    # Read the GCP credentials and setup client
    client = gcpkms.GcpKmsClient(FLAGS.kek_uri, FLAGS.gcp_credential_path)
  except tink.TinkError as e:
    logging.exception('Error creating GCP KMS client: %s', e)
    return 1

  # Create envelope AEAD primitive using AES256 GCM for encrypting the data
    remote_aead = client.get_aead(FLAGS.kek_uri)
    env_aead = aead.KmsEnvelopeAead(
        aead.aead_key_templates.AES256_GCM, remote_aead
  except tink.TinkError as e:
    logging.exception('Error creating primitive: %s', e)
    return 1

  with open(FLAGS.input_path, 'rb') as input_file:
    input_data = input_file.read()
    if FLAGS.mode == 'decrypt':
      output_data = env_aead.decrypt(input_data, associated_data)
    elif FLAGS.mode == 'encrypt':
      output_data = env_aead.encrypt(input_data, associated_data)
          'Unsupported mode %s. Please choose "encrypt" or "decrypt".',
      return 1

    with open(FLAGS.output_path, 'wb') as output_file:

if __name__ == '__main__':
      ['mode', 'kek_uri', 'gcp_credential_path', 'input_path', 'output_path']

What's next