Encrypting data using Google Tink
Written by
Updated at September 19, 2024
Tink
It supports Java
Adding dependencies
Before you start, you need to add dependencies.
Java
Go
Add dependencies using Apache Maven
<dependency>
<groupId>com.yandex.cloud</groupId>
<artifactId>kms-provider-tink</artifactId>
<version>2.6</version>
</dependency>
Run this command:
go get github.com/yandex-cloud/kms-clients-go/yckmstink
Encryption and decryption
The code uses the following variables:
endpoint
:api.cloud.yandex.net:443
.credentialProvider
orcredentials
: Determines the authentication method (for more information, see Authentication in the Yandex Cloud SDK).keyId
: ID of the KMS key.plaintext
: Unencrypted text.ciphertext
: Ciphertext.aad
: AAD context.
Java
Go
Create an AEAD
AeadConfig.register();
KmsClients.add(new YcKmsClient(credentialProvider).withEndpoint(endpoint));
String keyUri = "yc-kms://" + keyId;
Aead kmsAead = KmsClients.get(keyUri).getAead(keyUri);
Aead aead = new KmsEnvelopeAead(AeadKeyTemplates.AES256_GCM, kmsAead);
...
byte[] ciphertext = aead.encrypt(plaintext, aad);
...
byte[] plaintext = aead.decrypt(ciphertext, aad);
Create an AEAD
sdk, err := ycsdk.Build(context, ycsdk.Config{
Endpoint: endpoint,
Credentials: credentials,
})
if err != nil {...}
kmsAead := yckmstink.NewYCAEAD(keyId, sdk)
aead := aead.NewKMSEnvelopeAEAD(*aead.AES256GCMKeyTemplate(), kmsAead)
...
ciphertext, err := aead.Encrypt(plaintext, aad)
if err != nil {...}
...
plaintext, err := aead.Decrypt(ciphertext, aad)
if err != nil {...}