gcloud kms encrypt: Encrypt Data with Cloud KMS
gcloud kms encrypt encrypts a plaintext file with a Cloud KMS key, producing ciphertext you can safely commit.
Encrypting a secrets bundle with KMS, committing the ciphertext, and decrypting in CI is a common keyless pattern. The key is referenced by keyring, location, and name.
What it does
gcloud kms encrypt encrypts the contents of --plaintext-file with the named KMS key and writes the result to --ciphertext-file. gcloud kms decrypt reverses it. The key is identified by --location, --keyring, and --key.
Common usage
gcloud kms encrypt \
--location=global --keyring=ci --key=secrets \
--plaintext-file=secrets.env \
--ciphertext-file=secrets.env.enc
# decrypt in CI
gcloud kms decrypt \
--location=global --keyring=ci --key=secrets \
--ciphertext-file=secrets.env.enc \
--plaintext-file=secrets.envFlags
| Flag | What it does |
|---|---|
| --location <loc> | Location of the key ring (e.g. global, us-central1) |
| --keyring <name> | Key ring the key belongs to |
| --key <name> | Crypto key to use |
| --plaintext-file <file> | Input file to encrypt (- for stdin) |
| --ciphertext-file <file> | Output ciphertext file (- for stdout) |
In CI
Commit only the ciphertext and decrypt at job time with a Workload Identity Federation identity that holds roles/cloudkms.cryptoKeyDecrypter. Grant encrypt and decrypt separately so a deploy runner can decrypt without being able to re-encrypt.
Common errors in CI
"PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied" means the identity lacks the decrypter role. "NOT_FOUND: ... CryptoKey ... not found" means a wrong location, keyring, or key name. "Cloud KMS API has not been used in project ..." means enable cloudkms.googleapis.com.