How to encrypt and decrypt a secret file in the Google Cloud Platform

Let’s save our credentials in a safe way in GCP

Lynn Kwong
4 min read · Mar 29, 2021


Sometimes we need to store credential files in the source code repository. For security reasons, we should not store them in plaintext; instead, we should encrypt them properly and store only the encrypted versions. When an application needs the credential files, we can decrypt them back to plaintext files.


The Google Cloud Key Management Service (KMS) can encrypt and decrypt files in the Google Cloud Platform (GCP) system. To use KMS, we need to understand some basic terminology.

Location. A location represents the geographical region where a Cloud KMS resource is stored and can be accessed. A key’s location can impact the performance of applications using the key. It is recommended to specify the same location as the applications that require the key. If the impact on performance is minimal or if the applications span multiple regions, you can specify the global location as in this article.

Key ring. A key ring organizes keys in a specific Google Cloud location and allows you to manage access control on groups of keys. A key ring’s name does not need to be unique across a Google Cloud project but must be unique within a given location.

Key. A Cloud KMS key is a named object containing one or more key versions, along with metadata for the key. A key exists on exactly one key ring tied to a specific location.

Key version. A key can have multiple versions. A key’s version is represented by an integer, starting at 1. To decrypt data or verify a signature, you must use the same key version that was used to encrypt or sign the data.

Purpose. A key can be used for encryption or for signing. There are two types of keys that serve these two purposes. A symmetric key is always used for encryption, while an asymmetric key can be used for both encryption and signing. In symmetric encryption, the entire key is required to encrypt or decrypt data, while in asymmetric encryption/signing, the key consists of a public and a private key, similar to an SSH RSA key pair. We will focus on the symmetric key in this article because our purpose is to encrypt and decrypt a…
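The workflow these terms describe, as an added example that is not from the original article: shell functions wrapping `gcloud kms` to create a key ring in the global location, create a symmetric key on it, and encrypt and decrypt a credential file. The key ring name, key name and file paths are assumptions, and an authenticated `gcloud` with Cloud KMS enabled in the project is assumed.

```shell
#!/usr/bin/env bash
# Added example. KMS_KEYRING and KMS_KEY values are hypothetical names.
KMS_LOCATION="${KMS_LOCATION:-global}"         # the "global" location used in the article
KMS_KEYRING="${KMS_KEYRING:-example-keyring}"  # assumed key ring name
KMS_KEY="${KMS_KEY:-example-credentials-key}"  # assumed key name

# One-time setup: a key ring in the chosen location, then a symmetric
# encryption key on that ring.
kms_setup() {
  gcloud kms keyrings create "$KMS_KEYRING" --location="$KMS_LOCATION" &&
  gcloud kms keys create "$KMS_KEY" --keyring="$KMS_KEYRING" \
    --location="$KMS_LOCATION" --purpose=encryption
}

# Encrypt a plaintext credential file; only the ciphertext belongs in the repository.
# usage: kms_encrypt_file <plaintext> <ciphertext>
kms_encrypt_file() {
  [ -f "$1" ] || { echo "no such plaintext file: $1" >&2; return 2; }
  gcloud kms encrypt --location="$KMS_LOCATION" --keyring="$KMS_KEYRING" \
    --key="$KMS_KEY" --plaintext-file="$1" --ciphertext-file="$2"
}

# Decrypt for an application. The plaintext is written under umask 077
# (owner-only) and an existing file is never overwritten.
# usage: kms_decrypt_file <ciphertext> <plaintext>
kms_decrypt_file() {
  [ -f "$1" ] || { echo "no such ciphertext file: $1" >&2; return 2; }
  if [ -e "$2" ]; then
    echo "refusing to overwrite: $2" >&2
    return 3
  fi
  (
    umask 077
    gcloud kms decrypt --location="$KMS_LOCATION" --keyring="$KMS_KEYRING" \
      --key="$KMS_KEY" --ciphertext-file="$1" --plaintext-file="$2"
  )
}
```

Run `kms_setup` once per project, commit only the ciphertext file, and keep the decrypted path listed in `.gitignore`.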


