File: //snap/google-cloud-cli/394/help/man/man1/gcloud_kms_raw-encrypt.1
.TH "GCLOUD_KMS_RAW\-ENCRYPT" 1
.SH "NAME"
.HP
gcloud kms raw\-encrypt \- encrypt a plaintext file using a raw key
.SH "SYNOPSIS"
.HP
\f5gcloud kms raw\-encrypt\fR \fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR \fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR \fB\-\-version\fR=\fIVERSION\fR [\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR] [\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR] [\fB\-\-key\fR=\fIKEY\fR] [\fB\-\-keyring\fR=\fIKEYRING\fR] [\fB\-\-location\fR=\fILOCATION\fR] [\fB\-\-skip\-integrity\-verification\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
Encrypts the given plaintext file using the given CryptoKey containing a raw key
and writes the result to the named ciphertext file. The plaintext file must not
be larger than 64KiB. For the AES\-CBC algorithms, no server\-side padding is
performed, so the plaintext length must be a multiple of the block size.
The supported algorithms are: \f5AES\-128\-GCM\fR, \f5AES\-256\-GCM\fR,
\f5AES\-128\-CBC\fR, \f5AES\-256\-CBC\fR, \f5AES\-128\-CTR\fR, and
\f5AES\-256\-CTR\fR.
\f5AES\-GCM\fR is an authenticated mode and accepts additional authenticated
data (AAD), so the flag
\f5\-\-additional\-authenticated\-data\-file\fR is valid only with the
\f5AES\-128\-GCM\fR and \f5AES\-256\-GCM\fR algorithms.
The initialization vector (flag \f5\-\-initialization\-vector\-file\fR) is only
supported for \f5AES\-CBC\fR and \f5AES\-CTR\fR algorithms, and must be 16B in
length.
Therefore, additional authenticated data and an initialization vector cannot
both be provided in the same encryption. If an additional authenticated data
file is provided, its contents must also be provided during decryption. The
additional authenticated data file must not be larger than 64KiB.
The flag \f5\-\-version\fR indicates the version of the key to use for
encryption.
If \f5\-\-plaintext\-file\fR or \f5\-\-additional\-authenticated\-data\-file\fR
or \f5\-\-initialization\-vector\-file\fR is set to '\-', that file is read from
stdin. Similarly, if \f5\-\-ciphertext\-file\fR is set to '\-', the ciphertext
is written to stdout.
By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use \f5\-\-skip\-integrity\-verification\fR to disable
integrity verification.
.SH "EXAMPLES"
The following command reads and encrypts the file \f5path/to/input/plaintext\fR.
The file will be encrypted using the \f5AES\-GCM\fR CryptoKey \f5KEYNAME\fR from
the KeyRing \f5KEYRING\fR in the \f5global\fR location using the additional
authenticated data file \f5path/to/input/aad\fR. The resulting ciphertext will
be written to \f5path/to/output/ciphertext\fR.
.RS 2m
$ gcloud kms raw\-encrypt \-\-key=KEYNAME \-\-keyring=KEYRING \e
\-\-location=global \-\-plaintext\-file=path/to/input/plaintext \e
\-\-additional\-authenticated\-data\-file=path/to/input/aad \e
\-\-ciphertext\-file=path/to/output/ciphertext
.RE
The following command reads and encrypts the file \f5path/to/input/plaintext\fR.
The file will be encrypted using the \f5AES\-CBC\fR CryptoKey \f5KEYNAME\fR from
the KeyRing \f5KEYRING\fR in the \f5global\fR location using the initialization
vector stored at \f5path/to/input/iv\fR. The resulting ciphertext will be
written to \f5path/to/output/ciphertext\fR.
.RS 2m
$ gcloud kms raw\-encrypt \-\-key=KEYNAME \-\-keyring=KEYRING \e
\-\-location=global \-\-plaintext\-file=path/to/input/plaintext \e
\-\-initialization\-vector\-file=path/to/input/iv \e
\-\-ciphertext\-file=path/to/output/ciphertext
.RE
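The input constraints from the DESCRIPTION (64KiB limit, 16B initialization vector, block\-aligned plaintext for AES\-CBC, AAD only with AES\-GCM) can be checked locally before the request is sent. The shell functions below are an added example, not part of gcloud: the function names and the choice of PKCS#7 padding are assumptions, and KEYNAME, KEYRING and VERSION are placeholders.

```shell
#!/bin/sh
# Added example: client-side checks for `gcloud kms raw-encrypt` inputs.
# Function names and the PKCS#7 padding choice are assumptions, not gcloud's.

BLOCK=16      # AES block size and required IV length, in bytes
MAX=65536     # 64KiB limit on plaintext and AAD files

fsize() { wc -c < "$1" | tr -d '[:space:]'; }

# pkcs7_pad IN OUT: copy IN to OUT and append 1..16 pad bytes so the length
# is a multiple of the block size (the service does no padding for AES-CBC).
pkcs7_pad() {
    n=$(( BLOCK - $(fsize "$1") % BLOCK ))
    esc=$(printf '\\%03o' "$n")          # octal escape of the pad byte value
    cp "$1" "$2" || return 1
    i=0
    while [ "$i" -lt "$n" ]; do printf "$esc" >> "$2"; i=$((i + 1)); done
}

# new_iv OUT: write a fresh random 16-byte IV for callers that supply their
# own; never reuse an IV with the same key.
new_iv() { head -c "$BLOCK" /dev/urandom > "$1"; }

# preflight MODE PLAINTEXT [IV_FILE] [AAD_FILE]; MODE is gcm, cbc or ctr.
# Returns 0 when the inputs satisfy the documented constraints, 1 otherwise.
preflight() {
    mode=$1; pt=$2; iv=$3; aad=$4
    [ "$(fsize "$pt")" -le "$MAX" ] || { echo "plaintext > 64KiB" >&2; return 1; }
    case $mode in
      gcm)
        [ -z "$iv" ] || { echo "IV is only for CBC/CTR" >&2; return 1; }
        [ -z "$aad" ] || [ "$(fsize "$aad")" -le "$MAX" ] ||
            { echo "AAD > 64KiB" >&2; return 1; } ;;
      cbc|ctr)
        [ -z "$aad" ] || { echo "AAD is only for GCM" >&2; return 1; }
        [ -z "$iv" ] || [ "$(fsize "$iv")" -eq "$BLOCK" ] ||
            { echo "IV must be 16 bytes" >&2; return 1; }
        [ "$mode" = ctr ] || [ $(( $(fsize "$pt") % BLOCK )) -eq 0 ] ||
            { echo "CBC plaintext not block-aligned" >&2; return 1; } ;;
      *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Usage, after sourcing this file:
#   pkcs7_pad secret.bin secret.padded && new_iv iv.bin &&
#   preflight cbc secret.padded iv.bin &&
#   gcloud kms raw-encrypt --key=KEYNAME --keyring=KEYRING --location=global \
#     --version=VERSION --plaintext-file=secret.padded \
#     --initialization-vector-file=iv.bin --ciphertext-file=secret.enc
```

Whoever decrypts must strip the same padding afterwards, because the padded bytes are what was encrypted.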
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
\fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR
File path of the ciphertext file to output.
.TP 2m
\fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR
File path of the plaintext file to encrypt.
.TP 2m
\fB\-\-version\fR=\fIVERSION\fR
Version to use for encryption.
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR
File path to the optional file containing the additional authenticated data.
.TP 2m
\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR
File path to the optional file containing the initialization vector for
encryption.
.TP 2m
\fB\-\-key\fR=\fIKEY\fR
The key to use for encryption.
.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR
Key ring of the key.
.TP 2m
\fB\-\-location\fR=\fILOCATION\fR
Location of the keyring.
.TP 2m
\fB\-\-skip\-integrity\-verification\fR
Skip integrity verification on request and response API fields.
.RE
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "NOTES"
These variants are also available:
.RS 2m
$ gcloud alpha kms raw\-encrypt
.RE
.RS 2m
$ gcloud beta kms raw\-encrypt
.RE