Use Tink’s envelope encryption support to perform encryption client-side (before storing data in services like Cloud Storage or Cloud SQL), and protect your Tink-generated keys with a Key Encryption Key (KEK) that resides in your cloud provider’s Key Management System (KMS). This scheme, in which one key encrypts another, is called envelope encryption: the data is encrypted under a locally generated key, and that key is in turn encrypted under the KEK.
To encrypt data with envelope encryption, you provide Tink with the following:
- A key URI pointing to your KEK.
- Credentials to use the KEK.
Tink generates a fresh Data Encryption Key (DEK) for each encryption call and encrypts your data with it locally, then calls your KMS to encrypt the DEK with your KEK. Only the DEK is sent to the KMS; your data never leaves the client, and the KEK never leaves the KMS. Tink returns a single ciphertext that contains both the encrypted data and the encrypted DEK, so you store it as one unit. To decrypt, Tink extracts the encrypted DEK, asks the KMS to decrypt it with the KEK, and then decrypts the data locally.
By using a remote KMS, your KEK resides safely in the cloud, where you can rotate, disable, or destroy it, depending on your needs. Because every stored DEK is wrapped under the KEK, disabling or destroying the KEK makes all data encrypted under it unreadable, and decrypting anything requires the caller to hold decrypt permission on the KEK in the KMS. Rotating the KEK creates a new key version for future DEKs; older DEKs remain decryptable only while the key version that wrapped them stays enabled, so re-encrypt stored data before retiring old versions.
The following examples assume you have already created a KEK in your cloud provider’s KMS and have a key URI and credentials to pass to Tink.
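The steps above, as an added Java example (this is not the page’s own sample code, but it uses the real Tink classes `GcpKmsClient`, `KmsEnvelopeAead`, and `PredefinedAeadParameters`). It builds an envelope AEAD from a KEK in Cloud KMS, encrypts a record with associated data bound to where the record is stored, and decrypts it again. The KEK URI, the credentials path, the sample plaintext, the record identifier, and the helper method names are assumptions chosen for the example.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsEnvelopeAead;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

/** Added example: client-side envelope encryption with Tink and a Cloud KMS KEK. */
public final class EnvelopeExample {

  // Assumed values: replace with your own KEK resource name and service-account key file.
  private static final String KEK_URI =
      "gcp-kms://projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-kek";
  private static final String CREDENTIALS_PATH = "/path/to/service-account.json";

  /**
   * Builds the envelope AEAD. The remote AEAD wraps and unwraps DEKs inside Cloud KMS; the
   * KEK itself never leaves the KMS. Each encrypt() call generates a fresh AES-256-GCM DEK.
   */
  static Aead buildEnvelopeAead(String kekUri, String credentialsPath)
      throws GeneralSecurityException {
    AeadConfig.register();
    KmsClient client = new GcpKmsClient().withCredentials(credentialsPath);
    Aead remoteAead = client.getAead(kekUri);
    return KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, remoteAead);
  }

  /**
   * Encrypts one record. Associated data is authenticated but not encrypted; binding it to the
   * record's identity (bucket/object name, table/row id) stops a ciphertext from being copied
   * to a different location and decrypted there.
   */
  static byte[] encryptForStorage(Aead envelopeAead, byte[] plaintext, String recordId)
      throws GeneralSecurityException {
    byte[] associatedData = recordId.getBytes(StandardCharsets.UTF_8);
    // Output layout: [4-byte length][encrypted DEK][AES-GCM ciphertext]; store it as one blob.
    return envelopeAead.encrypt(plaintext, associatedData);
  }

  /**
   * Decrypts one record. Throws GeneralSecurityException if recordId differs from the one
   * used at encryption time, if the blob was modified, or if the caller is not allowed to
   * use the KEK for decryption.
   */
  static byte[] decryptFromStorage(Aead envelopeAead, byte[] stored, String recordId)
      throws GeneralSecurityException {
    return envelopeAead.decrypt(stored, recordId.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws GeneralSecurityException {
    Aead envelopeAead = buildEnvelopeAead(KEK_URI, CREDENTIALS_PATH);

    // Constructed sample input.
    byte[] plaintext = "4111-1111-1111-1111".getBytes(StandardCharsets.UTF_8);
    String recordId = "customers/42/card";

    byte[] stored = encryptForStorage(envelopeAead, plaintext, recordId);
    byte[] roundTrip = decryptFromStorage(envelopeAead, stored, recordId);
    if (!Arrays.equals(plaintext, roundTrip)) {
      throw new IllegalStateException("round trip failed");
    }

    // Mismatched associated data: GCM authentication fails and no plaintext is released.
    try {
      decryptFromStorage(envelopeAead, stored, "customers/43/card");
      throw new IllegalStateException("decryption with wrong associated data should fail");
    } catch (GeneralSecurityException expected) {
      System.out.println("decryption with mismatched associated data was rejected");
    }
  }
}
```

Build against the `com.google.crypto.tink:tink` and `com.google.crypto.tink:tink-gcpkms` artifacts. The service account named in the credentials file needs the Cloud KMS CryptoKey Encrypter/Decrypter role (or the equivalent `cloudkms.cryptoKeyVersions.useToEncrypt` and `useToDecrypt` permissions) on the KEK; a principal with only encrypt permission can write data it cannot read back. Note that even a decryption with the wrong associated data still costs one KMS call to unwrap the DEK, because the associated data is checked by the local AES-GCM step, not by the KMS.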
What's next
See more examples of using client-side encryption to encrypt your data before adding it to a Cloud SQL database.
Learn more about using client-side encryption with Tink and Cloud KMS to encrypt data before uploading it to Google Cloud Storage.