Encrypting data using Google Tink

Tink is Google's cryptographic library, an alternative to AWS Encryption. The library helps you focus on encrypting and decrypting data without the need to choose the correct encryption algorithm and parameters.

It supports Java and Go Tink client versions, which provide encryption and decryption of data using KMS Yandex Cloud keys. Data is encrypted using envelope encryption (the size of plaintext is not limited).

Adding dependenciesAdding dependencies

Before you start, you need to add dependencies.

<dependency>
    <groupId>com.yandex.cloud</groupId>
    <artifactId>kms-provider-tink</artifactId>
    <version>2.6</version>
</dependency>

go get github.com/yandex-cloud/kms-clients-go/yckmstink

Encryption and decryptionEncryption and decryption

The code uses the following variables:

• endpoint: api.cloud.yandex.net:443.
• credentialProvider or credentials: Determines the authentication method (for more information, see Authentication in the Yandex Cloud SDK).
• keyId: ID of the KMS key.
• plaintext: Unencrypted text.
• ciphertext: Ciphertext.
• aad: AAD context.

AeadConfig.register();
KmsClients.add(new YcKmsClient(credentialProvider).withEndpoint(endpoint));

String keyUri = "yc-kms://" + keyId;
Aead kmsAead = KmsClients.get(keyUri).getAead(keyUri);
Aead aead = new KmsEnvelopeAead(AeadKeyTemplates.AES256_GCM, kmsAead);

...

byte[] ciphertext = aead.encrypt(plaintext, aad);

...

byte[] plaintext = aead.decrypt(ciphertext, aad);

sdk, err := ycsdk.Build(context, ycsdk.Config{
  Endpoint:    endpoint,
  Credentials: credentials,
})
if err != nil {...}

kmsAead := yckmstink.NewYCAEAD(keyId, sdk)
aead := aead.NewKMSEnvelopeAEAD(*aead.AES256GCMKeyTemplate(), kmsAead)

...

ciphertext, err := aead.Encrypt(plaintext, aad)
if err != nil {...}

...

plaintext, err := aead.Decrypt(ciphertext, aad)
if err != nil {...}

See alsoSee also

• Google Tink.
• Java client for Tink.
• Examples of using the Java client for Tink.
• Go client for Tink.
• Examples of using the Go client for Tink.