We have two approaches to Encrypt and Decrypt data in GCP.

Approach-I:

Before we encrypt or decrypt our data we need two Keys: KeyRing and CryptoKey.

Creating KeyRings and CryptoKeys:
Cloud KMS uses an object hierarchy, such that a CryptoKey belongs to a KeyRing, which resides in a particular location.

Syntax to Create a KeyRing:  
gcloud kms keyrings create KEYRING_NAME --location LOCATION

Sampe Code Used:
gcloud kms keyrings create my-key --location global



Description:
Creating a new KeyRing with name "my-key" in location "global"
Create a CryptoKey:
Syntax:  
gcloud kms keys create CRYPTOKEY_NAME --location LOCATION --keyring KEYRING_NAME --purpose encryption 
Sample Code Used:
gcloud kms keys create sree-key --location global --keyring my-key --purpose encryption



Description:
Create a new CryptoKey "sree123-key" for the KeyRing "my-key"

Encrypting the Data:

Syntax:
gcloud kms encrypt \
    --location=global  \
    --keyring=my-key-ring \
    --key=my-key \
    --plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_ENCRYPT \
    --ciphertext-file=YOUR_FILEPATH_AND_FILENAME.enc

Sample Code Used:
gcloud kms encrypt \
    --location=global  \
    --keyring=my-key \
    --key=sree123-key \
    --plaintext-file= /scripts/sample.txt \
    --ciphertext-file= /scripts/sample.txt.enc

Description:
To encrypt data, we have to provide the appropriate key information, specify the name of the plaintext file to encrypt, and specify the name of the file that will contain the encrypted content



Decrypting the Data:

Syntax:
gcloud kms decrypt \
    --location=global \
    --keyring=my-key-ring \
    --key=my-key \
    --ciphertext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT \
    --plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT.dec

Sample Code Used:
gcloud kms decrypt \
    --location=global \
    --keyring=my-key-ring \
    --key=my-key \
    --ciphertext-file=/scripts/sample.txt.enc \
    --plaintext-file=/scripts/sample1.txt.dec

Description:
To decrypt data, we have to provide the appropriate key information, specify the name of the encrypted file (ciphertext file) to decrypt, and specify the name of the file that will contain the decrypted content.

File:




Approach-II:

Encryption & Decription of File can be done by openSSL [Secure Socket Layer] Protocols using key based symmetric Ciphers. Below are the commands to encrypt the file

File:


Encryption: [Commands]

openssl enc -in employee.txt \
-aes-256-cbc \
 -pass stdin > employee.txt.enc

The above Command encrypts Sample.txt to Sample.txt.enc using a 256 bit AES [Advanced Encryption Standard] which is Strong Symentric encryption algorithm. A Secret Key is used for both Encrption & Decryption of the Data. The Command will wait for user to enter the password and use that to generate an appropriate Key.



Copying the Encrypted File to GCP Using Gsutil:

Command: gsutil cp E:\employee.txt.enc gs://emp2/



Copying the Encrypted File to Local Google Shell:
Command: gsutil cp gs://emp2/employee.txt.enc /scripts

Decryption Commands:

openssl enc -in employee.txt.enc \
-d -aes-256-cbc \
 -pass stdin > employee.txt