0

I would like to use Tink's envelope encryption with Deterministic AEAD on GCP. I want to use it in Python. I want to store a KEK key in GCP KMS and encrypt the DEK key with it.

There is an example of how to use Deterministic AEAD, but it doesn't use envelope encryption: https://developers.google.com/tink/deterministic-encryption

There is an example for envelope encryption, but it uses AEAD: https://cloud.google.com/kms/docs/client-side-encryption

But there is no example of how to use Tink's envelope encryption with Deterministic AEAD on GCP.

Does somebody have an example for this scenario written in Python?

1 Answer

2

Cloud KMS does not currently offer deterministic encryption. However, you can

  1. Create an AES256_SIV Tink key, and use Cloud KMS to encrypt that Tink key (i.e., envelope encryption), and then
  2. Use the AES256_SIV Tink key to do deterministic encryption.

If you can provide more details about your use case (e.g., why you want to use Deterministic AEAD on GCP), we may be able to

  • Suggest a better-supported alternative to meet your needs or
  • Consider adding Deterministic AEAD support to Cloud KMS to better support your use case.
Jimmy
  • 21
  • 2