File: //snap/google-cloud-cli/396/help/man/man1/gcloud_alpha_kms_raw-encrypt.1
.TH "GCLOUD_ALPHA_KMS_RAW\-ENCRYPT" 1
.SH "NAME"
.HP
gcloud alpha kms raw\-encrypt \- encrypt a plaintext file using a raw key
.SH "SYNOPSIS"
.HP
\f5gcloud alpha kms raw\-encrypt\fR \fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR \fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR \fB\-\-version\fR=\fIVERSION\fR [\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR] [\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR] [\fB\-\-key\fR=\fIKEY\fR] [\fB\-\-keyring\fR=\fIKEYRING\fR] [\fB\-\-location\fR=\fILOCATION\fR] [\fB\-\-skip\-integrity\-verification\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
\fB(ALPHA)\fR Encrypts the given plaintext file using the given CryptoKey
containing a raw key and writes the result to the named ciphertext file. The
plaintext file must not be larger than 64KiB. For the AES\-CBC algorithms, no
server\-side padding is performed, so the plaintext length must be a multiple of
the block size.
The supported algorithms are: \f5AES\-128\-GCM\fR, \f5AES\-256\-GCM\fR,
\f5AES\-128\-CBC\fR, \f5AES\-256\-CBC\fR, \f5AES\-128\-CTR\fR, and
\f5AES\-256\-CTR\fR.
\f5AES\-GCM\fR provides authentication, which means that it accepts additional
authenticated data (AAD). The flag
\f5\-\-additional\-authenticated\-data\-file\fR is therefore only valid with the
\f5AES\-128\-GCM\fR and \f5AES\-256\-GCM\fR algorithms.
The initialization vector (flag \f5\-\-initialization\-vector\-file\fR) is only
supported for the \f5AES\-CBC\fR and \f5AES\-CTR\fR algorithms, and must be 16
bytes long.
Therefore, additional authenticated data and an initialization vector cannot
both be provided for the same encryption. If an additional authenticated data
file is provided, its contents must also be provided during decryption. The
additional authenticated data file must not be larger than 64KiB.
The flag \f5\-\-version\fR indicates the version of the key to use for
encryption.
If \f5\-\-plaintext\-file\fR or \f5\-\-additional\-authenticated\-data\-file\fR
or \f5\-\-initialization\-vector\-file\fR is set to '\-', that file is read from
stdin. Similarly, if \f5\-\-ciphertext\-file\fR is set to '\-', the ciphertext
is written to stdout.
By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use \f5\-\-skip\-integrity\-verification\fR to disable
integrity verification.
.SH "EXAMPLES"
The following command reads and encrypts the file \f5path/to/input/plaintext\fR.
The file will be encrypted using the \f5AES\-GCM\fR CryptoKey \f5KEYNAME\fR from
the KeyRing \f5KEYRING\fR in the \f5global\fR location using the additional
authenticated data file \f5path/to/input/aad\fR. The resulting ciphertext will
be written to \f5path/to/output/ciphertext\fR.
.RS 2m
$ gcloud alpha kms raw\-encrypt \-\-key=KEYNAME \-\-keyring=KEYRING \e
    \-\-location=global \-\-plaintext\-file=path/to/input/plaintext \e
    \-\-additional\-authenticated\-data\-file=path/to/input/aad \e
    \-\-ciphertext\-file=path/to/output/ciphertext
.RE
The following command reads and encrypts the file \f5path/to/input/plaintext\fR.
The file will be encrypted using the \f5AES\-CBC\fR CryptoKey \f5KEYNAME\fR from
the KeyRing \f5KEYRING\fR in the \f5global\fR location using the initialization
vector stored at \f5path/to/input/iv\fR. The resulting ciphertext will be
written to \f5path/to/output/ciphertext\fR.
.RS 2m
$ gcloud alpha kms raw\-encrypt \-\-key=KEYNAME \-\-keyring=KEYRING \e
    \-\-location=global \-\-plaintext\-file=path/to/input/plaintext \e
    \-\-initialization\-vector\-file=path/to/input/iv \e
    \-\-ciphertext\-file=path/to/output/ciphertext
.RE
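The input rules in DESCRIPTION can be checked locally before any data is sent to Cloud KMS. The shell functions below are an added example, not part of the gcloud documentation or tooling; the function names, the choice of PKCS#7 padding, and passing the key's algorithm as an argument are assumptions of this example.

```shell
# Added example: pre-flight checks for the raw-encrypt input rules in DESCRIPTION.
MAX_BYTES=65536   # 64KiB limit on plaintext and AAD files
BLOCK=16          # AES block size and required IV length, in bytes
file_size() { wc -c < "$1" | tr -d ' '; }

# pkcs7_pad IN OUT: pad IN to a whole number of blocks for AES-CBC.
# PKCS#7 is this example's choice; the page only says padding is not server-side.
pkcs7_pad() {
  pad=$(( BLOCK - $(file_size "$1") % BLOCK ))
  oct=$(printf '%03o' "$pad")
  cp "$1" "$2"
  i=0
  while [ "$i" -lt "$pad" ]; do
    printf "\\$oct" >> "$2"       # append one byte whose value is the pad length
    i=$(( i + 1 ))
  done
}

# check_inputs ALGORITHM PLAINTEXT [IV_FILE] [AAD_FILE]; ALGORITHM is supplied by
# the caller (not read from KMS). Prints the violated rule and returns 1, or "ok".
check_inputs() {
  alg=$1; pt=$2; iv=${3:-}; aad=${4:-}
  if [ "$(file_size "$pt")" -gt "$MAX_BYTES" ]; then
    echo "plaintext larger than 64KiB"; return 1
  fi
  if [ -n "$iv" ] && [ -n "$aad" ]; then
    echo "AAD and IV cannot both be provided"; return 1
  fi
  case $alg in
    AES-128-GCM|AES-256-GCM)
      if [ -n "$iv" ]; then echo "IV not supported with AES-GCM"; return 1; fi
      if [ -n "$aad" ] && [ "$(file_size "$aad")" -gt "$MAX_BYTES" ]; then
        echo "AAD larger than 64KiB"; return 1
      fi ;;
    AES-128-CBC|AES-256-CBC|AES-128-CTR|AES-256-CTR)
      if [ -n "$aad" ]; then echo "AAD only valid with AES-GCM"; return 1; fi
      if [ -n "$iv" ] && [ "$(file_size "$iv")" -ne "$BLOCK" ]; then
        echo "IV must be 16 bytes"; return 1
      fi
      case $alg in *CBC)
        if [ $(( $(file_size "$pt") % BLOCK )) -ne 0 ]; then
          echo "CBC plaintext not a multiple of 16 bytes"; return 1
        fi ;;
      esac ;;
    *) echo "unsupported algorithm: $alg"; return 1 ;;
  esac
  echo ok
}
```

Padding added with pkcs7_pad is not removed by Cloud KMS, so the same number of trailing bytes has to be stripped by the caller after decryption.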
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
\fB\-\-ciphertext\-file\fR=\fICIPHERTEXT_FILE\fR
File path of the ciphertext file to output.
.TP 2m
\fB\-\-plaintext\-file\fR=\fIPLAINTEXT_FILE\fR
File path of the plaintext file to encrypt.
.TP 2m
\fB\-\-version\fR=\fIVERSION\fR
Version to use for encryption.
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
\fB\-\-additional\-authenticated\-data\-file\fR=\fIADDITIONAL_AUTHENTICATED_DATA_FILE\fR
File path to the optional file containing the additional authenticated data.
.TP 2m
\fB\-\-initialization\-vector\-file\fR=\fIINITIALIZATION_VECTOR_FILE\fR
File path to the optional file containing the initialization vector for
encryption.
.TP 2m
\fB\-\-key\fR=\fIKEY\fR
The key to use for encryption.
.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR
Key ring of the key.
.TP 2m
\fB\-\-location\fR=\fILOCATION\fR
Location of the keyring.
.TP 2m
\fB\-\-skip\-integrity\-verification\fR
Skip integrity verification on request and response API fields.
.RE
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "NOTES"
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:
.RS 2m
$ gcloud kms raw\-encrypt
.RE
.RS 2m
$ gcloud beta kms raw\-encrypt
.RE