Skip to content
Latchkey

gcloud kms encrypt: Encrypt Data with Cloud KMS

gcloud kms encrypt encrypts a plaintext file with a Cloud KMS key, producing ciphertext you can safely commit.

Encrypting a secrets bundle with KMS, committing the ciphertext, and decrypting in CI is a common keyless pattern. The key is referenced by keyring, location, and name.

What it does

gcloud kms encrypt encrypts the contents of --plaintext-file with the named KMS key and writes the result to --ciphertext-file. gcloud kms decrypt reverses it. The key is identified by --location, --keyring, and --key.

Common usage

Terminal
gcloud kms encrypt \
  --location=global --keyring=ci --key=secrets \
  --plaintext-file=secrets.env \
  --ciphertext-file=secrets.env.enc
# decrypt in CI
gcloud kms decrypt \
  --location=global --keyring=ci --key=secrets \
  --ciphertext-file=secrets.env.enc \
  --plaintext-file=secrets.env

Flags

FlagWhat it does
--location <loc>Location of the key ring (e.g. global, us-central1)
--keyring <name>Key ring the key belongs to
--key <name>Crypto key to use
--plaintext-file <file>Input file to encrypt (- for stdin)
--ciphertext-file <file>Output ciphertext file (- for stdout)

In CI

Commit only the ciphertext and decrypt at job time with a Workload Identity Federation identity that holds roles/cloudkms.cryptoKeyDecrypter. Grant encrypt and decrypt separately so a deploy runner can decrypt without being able to re-encrypt.

Common errors in CI

"PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied" means the identity lacks the decrypter role. "NOT_FOUND: ... CryptoKey ... not found" means a wrong location, keyring, or key name. "Cloud KMS API has not been used in project ..." means enable cloudkms.googleapis.com.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →