Encrypting data using Google Tink
Tink is Google's cryptographic library, an alternative to AWS Encryption. The library helps you focus on encrypting and decrypting data without the need to choose the correct encryption algorithm and parameters.
It supports Java and Go Tink client versions, which provide encryption and decryption of data using Yandex Key Management Service keys. Data is encrypted using envelope encryption (the size of plaintext is not limited).
Adding dependencies
Before you start, you need to add dependencies.
Add dependencies using Apache Maven:
<dependency>
<groupId>com.yandex.cloud</groupId>
<artifactId>kms-provider-tink</artifactId>
<version>2.6</version>
</dependency>
Run the following command:
go get github.com/yandex-cloud/kms-clients-go/yckmstink
Encryption and decryption
The code uses the following variables:
endpoint:api.cloud.yandex.net:443.credentialProviderorcredentials: Determines the authentication method. For more information, see Authentication in theYandex Cloud SDK.keyId: ID of the KMS key.plaintext: Unencrypted text.ciphertext: Ciphertext.aad: AAD context.
Create an AEAD object and use the encrypt and decrypt methods for data encryption and decryption:
AeadConfig.register();
KmsClients.add(new YcKmsClient(credentialProvider).withEndpoint(endpoint));
String keyUri = "yc-kms://" + keyId;
Aead kmsAead = KmsClients.get(keyUri).getAead(keyUri);
Aead aead = new KmsEnvelopeAead(AeadKeyTemplates.AES256_GCM, kmsAead);
...
byte[] ciphertext = aead.encrypt(plaintext, aad);
...
byte[] plaintext = aead.decrypt(ciphertext, aad);
Create an AEAD object and use the encrypt and decrypt methods for data encryption and decryption:
sdk, err := ycsdk.Build(context, ycsdk.Config{
Endpoint: endpoint,
Credentials: credentials,
})
if err != nil {...}
kmsAead := yckmstink.NewYCAEAD(keyId, sdk)
aead := aead.NewKMSEnvelopeAEAD(*aead.AES256GCMKeyTemplate(), kmsAead)
...
ciphertext, err := aead.Encrypt(plaintext, aad)
if err != nil {...}
...
plaintext, err := aead.Decrypt(ciphertext, aad)
if err != nil {...}