Google Tink for Asymmetric Encryption

Asymmetric encryption with key stored in Secret Manager

Generate a suitable asymmetric key pair

$ tinkey create-keyset --key-template ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM --out keyset.json
$ gcloud secrets create tink-keyset
$ gcloud secrets versions add tink-keyset --data-file keyset.json
$ tinkey create-public-keyset --in keyset.json --out pubkey.json
$ cat pubkey.json
{
  "primaryKeyId": 415969939,
  "key": [
    {
      "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey",
        "value": "...snip...",
        "keyMaterialType": "ASYMMETRIC_PUBLIC"
      },
      "status": "ENABLED",
      "keyId": 415969939,
      "outputPrefixType": "TINK"
    }
  ]
}

Encrypt with the public key

$ python encrypt-with-pubkey.py pubkey.json test.txt
ARjLMpME/u59NpDGz0aqw46idARWIv81FIon4VbSLic/rEs97cGq51G2JLFFwSJ+oscfMEtW/tXZPAeKw8LFiv5HEIv0EeGLrkGBLnDL1f+cjNZIlPWR6v57fyUZA/Z+QQrmi73D+WPYHdJ2ANt4

Decrypt with the private key

$ gcloud secrets versions access latest --secret tink-keyset > keyset.json
$ python decrypt-with-keyset.py keyset.json ARjLMpME/u59NpDGz0aqw46idARWIv81FIon4VbSLic/rEs97cGq51G2JLFFwSJ+oscfMEtW/tXZPAeKw8LFiv5HEIv0EeGLrkGBLnDL1f+cjNZIlPWR6v57fyUZA/Z+QQrmi73D+WPYHdJ2ANt4
super secret
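
An added example, not code from the original article: a standard-library check that the keyset being handed out holds only public key material, and that a ciphertext's Tink output prefix points at an enabled key in that keyset. It assumes Tink's documented prefix layout (one version byte followed by the 4-byte big-endian key ID); the function names are illustrative.

```python
import base64
import json
import struct
from typing import List, Optional, Tuple

# Public keyset as printed by `cat pubkey.json` above ("value" is elided on the page).
KEYSET = json.loads("""
{"primaryKeyId": 415969939,
 "key": [{"keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey",
                      "value": "...snip...", "keyMaterialType": "ASYMMETRIC_PUBLIC"},
          "status": "ENABLED", "keyId": 415969939, "outputPrefixType": "TINK"}]}
""")
# First 8 base64 characters of the ciphertext shown above; enough to cover the prefix.
CIPHERTEXT_HEAD = "ARjLMpME"
# Leading byte Tink writes for each outputPrefixType (RAW writes no prefix at all).
PREFIX_BYTE = {"TINK": 0x01, "LEGACY": 0x00, "CRUNCHY": 0x00}


def non_public_keys(keyset: dict) -> List[int]:
    """Key IDs whose material is not public; must be empty before a keyset is shared."""
    return [k["keyId"] for k in keyset["key"]
            if k["keyData"]["keyMaterialType"] != "ASYMMETRIC_PUBLIC"]


def ciphertext_prefix(ciphertext_b64: str) -> Optional[Tuple[int, int]]:
    """(version byte, key ID) from the 5-byte output prefix, or None if absent."""
    try:
        head = base64.b64decode(ciphertext_b64[:8])  # 8 chars -> 6 bytes
    except ValueError:
        return None
    if len(head) < 5 or head[0] not in (0x00, 0x01):
        return None
    return head[0], struct.unpack(">I", head[1:5])[0]


def matching_key(keyset: dict, ciphertext_b64: str) -> Optional[dict]:
    """The enabled key the prefix refers to, or None (wrong keyset, disabled key, RAW)."""
    prefix = ciphertext_prefix(ciphertext_b64)
    for k in keyset["key"]:
        expected = (PREFIX_BYTE.get(k["outputPrefixType"]), k["keyId"])
        if prefix == expected and k["status"] == "ENABLED":
            return k
    return None


if __name__ == "__main__":
    print("non-public keys:", non_public_keys(KEYSET))
    print("ciphertext prefix:", ciphertext_prefix(CIPHERTEXT_HEAD))
    print("key found:", matching_key(KEYSET, CIPHERTEXT_HEAD) is not None)
```

The key ID is not secret and travels in the clear with every ciphertext, so this check needs only the public keyset and never touches the private keyset held in Secret Manager.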

Closing Notes

Next Steps
