Google Tink for Asymmetric Encryption

Asymmetric encryption with key stored in Secret Manager
  1. Use tinkey to generate a new keyset for asymmetric encryption
  2. Upload the key to Google Secret Manager (you can skip these parts if you’re not GCP yet, but you should look into it!)
  3. Get the public key from that keyset
  4. Encrypt a file with the public key
  5. Decrypt the file with the private key

Generate a suitable asymmetric key pair

First you’ll need to download the tinkey command line tool which we’ll use to create the key pair. You can do this via Homebrew or build with Bazel. Then execute the following command to create a keyset suitible for asymmetric encryption.

tinkey create-keyset --key-template ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM --out keyset.json
  • KEM: ECDH over NIST P-256
  • DEM: AES128-GCM
  • KDF: HKDF-HMAC-SHA256 with an empty salt

Upload the Keyset to Secret Manager

gcloud secrets create tink-keyset
gcloud secrets versions add tink-keyset --data-file keyset.json

Create the public key

Now let’s get the public key from the keyset we just created:

tinkey create-public-keyset --in keyset.json --out pubkey.json
$ cat pubkey.json
"primaryKeyId": 415969939,
"key": [
"keyData": {
"typeUrl": "",
"value": "...snip...",
"keyMaterialType": "ASYMMETRIC_PUBLIC"
"status": "ENABLED",
"keyId": 415969939,
"outputPrefixType": "TINK"

Encrypt with the public key

Now that you have the public key in a file of some kind, lets deliver it to the folks who are building an app that encrypts with it.

python pubkey.json test.txt

Decrypt with the private key

Once the application sends encrypted data back to you, you can decrypt it again with the private key you have stored in Secret Manager.

gcloud secrets versions access latest --secret tink-keyset > keyset.json
$ python keyset.json ARjLMpME/u59NpDGz0aqw46idARWIv81FIon4VbSLic/rEs97cGq51G2JLFFwSJ+oscfMEtW/tXZPAeKw8LFiv5HEIv0EeGLrkGBLnDL1f+cjNZIlPWR6v57fyUZA/Z+QQrmi73D+WPYHdJ2ANt4
super secret

Closing Notes

  • The patterns used here with Python can very easily be ported to any other language Tink supports. They might seem a bit odd for a Python dev, but this Reader/Writer paradigm is very common in C/C++, Go and others.
  • You’ll notice that Tink does not care what template you use for the hybrid (or any other) primitive. One of the great things about it, is that it can use the key template from the keyset itself, which makes it much easier to reason about the code.

Next Steps

  • Try out some of the other cryptographic primitives in Google’s Tink such as AEAD, MAC and others!
  • Learn more about Secret Manager in GCP
  • Learn more about practical cryptography by reading Serious Cryptography
  • Encrypt all the things!!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store