
When I try to decrypt my data using Google Cloud KMS, I get the error shown below. Below is my code for the decryption. The error is thrown on the line that assigns `string plaintext`. Thanks in advance.

Code

    /// <summary>
    /// Encrypts a text value with the configured Cloud KMS crypto key and returns the ciphertext as base64 text.
    /// </summary>
    /// <param name="plaintext">Text to encrypt; it is converted to UTF-8 bytes before being sent to KMS.</param>
    /// <returns>The ciphertext bytes from the KMS response, base64-encoded.</returns>
    public static string Encrypt(string plaintext)
    {
        KeyManagementServiceClient kms = KeyManagementServiceClient.Create();

        // Expected resource name shape:
        // projects/progforthecloudt2020/locations/global/keyRings/pfckeyring001/cryptoKeys/pfckeys
        var resourceName = new Google.Api.Gax.UnparsedResourceName("GOOGLE RESOURCE ID REMOVED");
        CryptoKeyName keyName = CryptoKeyName.FromUnparsed(resourceName);

        // The returned string is base64 text, so any consumer has to base64-decode it
        // to get back the ciphertext bytes that KMS produced.
        ByteString payload = ByteString.CopyFromUtf8(plaintext);
        return kms.Encrypt(keyName, payload).Ciphertext.ToBase64();
    }

    /// <summary>
    /// Sends <paramref name="cipher"/> to Cloud KMS for decryption and returns the response plaintext as base64 text.
    /// </summary>
    /// <param name="cipher">Ciphertext string; the Encrypt method above produces it with <c>Ciphertext.ToBase64()</c>.</param>
    /// <returns>The decrypted bytes base64-encoded (not the original UTF-8 text).</returns>
    public static string Decrypt(string cipher)
    {
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();
        CryptoKeyName kn = CryptoKeyName.FromUnparsed(new Google.Api.Gax.UnparsedResourceName("GOOGLE RESOURCE ID REMOVED"));
        // NOTE(review): this line is not the inverse of Encrypt. Encrypt returns Ciphertext.ToBase64(), but
        // CopyFromUtf8(cipher) sends the UTF-8 characters of that base64 text to KMS instead of the
        // ciphertext bytes, which is consistent with the InvalidArgument "the ciphertext is invalid" error.
        // The matching inverse would be ByteString.FromBase64(cipher) on the way in and
        // Plaintext.ToStringUtf8() on the way out (ToBase64() here returns base64, not the original text).
        string plaintext = client.Decrypt(kn, ByteString.CopyFromUtf8(cipher)).Plaintext.ToBase64();

        return plaintext;
    }

Error

Grpc.Core.RpcException: 'Status(StatusCode=InvalidArgument, Detail="Decryption failed: the ciphertext is invalid.")'
Mark
  • Have a look at the documentation [Encrypting and decrypting data with a symmetric key](https://cloud.google.com/kms/docs/encrypt-decrypt) and check examples for C# in section [Decrypt](https://cloud.google.com/kms/docs/encrypt-decrypt#decrypt). – Serhii Rohoza Apr 15 '20 at 11:58

1 Answer


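You’re base64 encoding the result of your encryption call, but then you aren’t base64 decoding it in your decrypt call, so KMS receives the UTF-8 bytes of the base64 text instead of the original ciphertext bytes and rejects them. You shouldn’t need to base64 encode the data; the example below passes the raw bytes in both directions.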

/// <summary>
/// Encrypts the contents of a file with a Cloud KMS crypto key and writes the raw ciphertext bytes to another file.
/// </summary>
/// <param name="projectId">Project component of the crypto key name.</param>
/// <param name="locationId">Location component of the crypto key name.</param>
/// <param name="keyRingId">Key ring component of the crypto key name.</param>
/// <param name="cryptoKeyId">Crypto key component of the crypto key name.</param>
/// <param name="plaintextFile">Path of the file whose bytes are encrypted.</param>
/// <param name="ciphertextFile">Path the ciphertext bytes are written to.</param>
public static void Encrypt(string projectId, string locationId, string keyRingId, string cryptoKeyId, string plaintextFile, string ciphertextFile)
{
    var kms = KeyManagementServiceClient.Create();
    var keyName = new CryptoKeyName(projectId, locationId, keyRingId, cryptoKeyId);

    // Bytes go in and come out unchanged: no text or base64 encoding on either side,
    // so Decrypt can feed the stored file straight back to KMS.
    // NOTE(review): the whole file is sent in a single Encrypt call; Cloud KMS caps the
    // plaintext size per request (64 KiB at the time of writing - confirm), so larger
    // files need envelope encryption instead.
    ByteString payload = ByteString.CopyFrom(File.ReadAllBytes(plaintextFile));
    byte[] encrypted = kms.Encrypt(keyName, payload).Ciphertext.ToByteArray();

    // Persist the ciphertext and report where it went.
    File.WriteAllBytes(ciphertextFile, encrypted);
    Console.Write($"Encrypted file created: {ciphertextFile}");
}


/// <summary>
/// Decrypts a file of raw Cloud KMS ciphertext bytes and writes the recovered plaintext bytes to another file.
/// </summary>
/// <param name="projectId">Project component of the crypto key name.</param>
/// <param name="locationId">Location component of the crypto key name.</param>
/// <param name="keyRingId">Key ring component of the crypto key name.</param>
/// <param name="cryptoKeyId">Crypto key component of the crypto key name.</param>
/// <param name="ciphertextFile">Path of the file holding the ciphertext bytes.</param>
/// <param name="plaintextFile">Path the decrypted bytes are written to.</param>
public static void Decrypt(string projectId, string locationId, string keyRingId, string cryptoKeyId, string ciphertextFile, string plaintextFile)
{
    var kms = KeyManagementServiceClient.Create();
    var keyName = new CryptoKeyName(projectId, locationId, keyRingId, cryptoKeyId);

    // The file content is handed to KMS byte-for-byte; it must be exactly what Encrypt stored.
    ByteString payload = ByteString.CopyFrom(File.ReadAllBytes(ciphertextFile));
    byte[] decrypted = kms.Decrypt(keyName, payload).Plaintext.ToByteArray();

    // The recovered data lands on disk unencrypted, so the caller's choice of
    // plaintextFile decides who can read it.
    File.WriteAllBytes(plaintextFile, decrypted);
    Console.Write($"Decrypted file created: {plaintextFile}");
}
sethvargo