We have a local historical data source that we want to decommission and move to BigQuery for storage as well as for analysis. There are some sensitive fields that we don’t want to be exposed but still want to keep in BigQuery. We’ve read about column-level encryption with Cloud KMS in BigQuery and we see it fits our purpose: we want to encrypt the sensitive fields in BigQuery. BigQuery offers the function AEAD.ENCRYPT to encrypt data with Cloud KMS, but we don’t want to move the sensitive data into BigQuery and then do the encryption. Instead, we want to do the encryption on our side before we move the encrypted data into BigQuery, in a form that can still be decrypted using the BigQuery AEAD functions. Does anyone know if we can do that using Java or Python?
From the BigQuery documentation, they mention the keyset is in the format google.crypto.tink.Keyset, so it is somehow related to Google's tinkey library. Has anyone tried it to see if it would work, or are there other ways?