Cloud HSM

This topic gives an overview of Cloud HSM and explains how to create and use HSM-protected encryption keys in Cloud Key Management Service.

What is Cloud HSM?

Cloud HSM is a cloud-hosted hardware security module (HSM) service that lets you host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. Google manages the HSM cluster for you, so you don't need to worry about clustering, scaling, or patching. Because Cloud HSM uses Cloud KMS as its front end, you get all of the conveniences and features that Cloud KMS provides. In practice the only thing that distinguishes the walkthrough below from creating a software key is the protection level you choose when the key is created; IAM, resource names, and the encrypt and decrypt calls are the same.

Create a key ring

When you create a key, you add it to a key ring in a given Google Cloud location. You can create a new key ring or use an existing one. In this topic you create a new key ring and add the key to it.

Create the key ring in a Google Cloud location that supports Cloud HSM.

Console

  1. In the Google Cloud console, go to the Key Management page.

    Go to Key Management

  2. Click Create key ring.

  3. In the Key ring name field, enter a name for the key ring.

  4. For Key ring location, select a location, for example "us-east1".

  5. Click Create.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

  2. In your environment, run the gcloud kms keyrings create command:

    gcloud kms keyrings create KEY_RING \
        --location LOCATION

    Replace the following:

    • KEY_RING: the name of the key ring that will hold the key.
    • LOCATION: the Cloud KMS location of the key ring. It must be a location that supports Cloud HSM.

    For information about all flags and possible values, run the command with the --help flag.

C#

To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.

using Google.Api.Gax.ResourceNames;
using Google.Cloud.Kms.V1;

public class CreateKeyRingSample
{
    public KeyRing CreateKeyRing(
      string projectId = "my-project", string locationId = "us-east1",
      string id = "my-key-ring")
    {
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent location name.
        LocationName locationName = new LocationName(projectId, locationId);

        // Build the key ring.
        KeyRing keyRing = new KeyRing { };

        // Call the API.
        KeyRing result = client.CreateKeyRing(locationName, id, keyRing);

        // Return the result.
        return result;
    }
}

Go

To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// createKeyRing creates a new ring to store keys on KMS.
func createKeyRing(w io.Writer, parent, id string) error {
	// parent := "projects/PROJECT_ID/locations/global"
	// id := "my-key-ring"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateKeyRingRequest{
		Parent:    parent,
		KeyRingId: id,
	}

	// Call the API.
	result, err := client.CreateKeyRing(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key ring: %w", err)
	}
	fmt.Fprintf(w, "Created key ring: %s\n", result.Name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.

import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.LocationName;
import java.io.IOException;

public class CreateKeyRing {

  public void createKeyRing() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String id = "my-key-ring";
    createKeyRing(projectId, locationId, id);
  }

  // Create a new key ring.
  public void createKeyRing(String projectId, String locationId, String id) throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project and location.
      LocationName locationName = LocationName.of(projectId, locationId);

      // Build the key ring to create.
      KeyRing keyRing = KeyRing.newBuilder().build();

      // Create the key ring.
      KeyRing createdKeyRing = client.createKeyRing(locationName, id, keyRing);
      System.out.printf("Created key ring %s%n", createdKeyRing.getName());
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const id = 'my-key-ring';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent location name
const locationName = client.locationPath(projectId, locationId);

async function createKeyRing() {
  const [keyRing] = await client.createKeyRing({
    parent: locationName,
    keyRingId: id,
  });

  console.log(`Created key ring: ${keyRing.name}`);
  return keyRing;
}

return createKeyRing();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateKeyRingRequest;
use Google\Cloud\Kms\V1\KeyRing;

function create_key_ring(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $id = 'my-key-ring'
): KeyRing {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent location name.
    $locationName = $client->locationName($projectId, $locationId);

    // Build the key ring.
    $keyRing = new KeyRing();

    // Call the API.
    $createKeyRingRequest = (new CreateKeyRingRequest())
        ->setParent($locationName)
        ->setKeyRingId($id)
        ->setKeyRing($keyRing);
    $createdKeyRing = $client->createKeyRing($createKeyRingRequest);
    printf('Created key ring: %s' . PHP_EOL, $createdKeyRing->getName());

    return $createdKeyRing;
}

Python

To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.

from google.cloud import kms


def create_key_ring(
    project_id: str, location_id: str, key_ring_id: str
) -> kms.KeyRing:
    """
    Creates a new key ring in Cloud KMS

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the key ring to create (e.g. 'my-key-ring').

    Returns:
        KeyRing: Cloud KMS key ring.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent location name.
    location_name = f"projects/{project_id}/locations/{location_id}"

    # Build the key ring.
    key_ring = {}

    # Call the API.
    created_key_ring = client.create_key_ring(
        request={
            "parent": location_name,
            "key_ring_id": key_ring_id,
            "key_ring": key_ring,
        }
    )
    print(f"Created key ring: {created_key_ring.name}")
    return created_key_ring

Ruby

To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# id          = "my-key-ring"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent location name.
location_name = client.location_path project: project_id, location: location_id

# Build the key ring.
key_ring = {}

# Call the API.
created_key_ring = client.create_key_ring parent: location_name, key_ring_id: id, key_ring: key_ring
puts "Created key ring: #{created_key_ring.name}"

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings?key_ring_id=KEY_RING" \
    --request "POST" \
    --header "authorization: Bearer TOKEN"

Replace the following:

  • PROJECT_ID: the ID of the project that contains the key ring.
  • LOCATION: the Cloud KMS location of the key ring.
  • KEY_RING: the name of the key ring that will hold the key.
  • TOKEN: an OAuth 2.0 access token for a principal that is allowed to create key rings, for example the output of gcloud auth print-access-token.

For more information, see the KeyRing.create API documentation.

Create a key

Follow these steps to create a Cloud HSM key on the specified key ring and location.

Console

  1. In the Google Cloud console, go to the Key Management page.

    Go to Key Management

  2. Click the name of the key ring for which you want to create a key.

  3. Click Create key.

  4. For What type of key do you want to create?, choose Generated key.

  5. In the Key name field, enter a name for the key.

  6. Click the Protection level drop-down and select HSM.

  7. Click the Purpose drop-down and select Symmetric encrypt/decrypt.

  8. Accept the default values for Rotation period and Starting on.

  9. Click Create.

gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of the Google Cloud CLI.

gcloud kms keys create KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --purpose "encryption" \
    --protection-level "hsm"

Replace KEY_NAME with a name for the new key. Replace KEY_RING with the name of the existing key ring where the key will be located. Replace LOCATION with the Cloud KMS location of the key ring. The --protection-level "hsm" flag is what makes this an HSM-protected key; without it the key is software-protected.

For information about all flags and possible values, run the command with the --help flag.

C#

To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;
using Google.Protobuf.WellKnownTypes;

public class CreateKeyHsmSample
{
    public CryptoKey CreateKeyHsm(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
      string id = "my-hsm-encryption-key")
    {
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent key ring name.
        KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);

        // Build the key.
        CryptoKey key = new CryptoKey
        {
            Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                ProtectionLevel = ProtectionLevel.Hsm,
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
            },

            // Optional: customize how long key versions should be kept before destroying.
            DestroyScheduledDuration = new Duration
            {
                Seconds = 24 * 60 * 60,
            }
        };

        // Call the API.
        CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);

        // Return the result.
        return result;
    }
}

Go

To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.

import (
	"context"
	"fmt"
	"io"
	"time"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
	"google.golang.org/protobuf/types/known/durationpb"
)

// createKeyHSM creates a new symmetric encrypt/decrypt key on Cloud KMS.
func createKeyHSM(w io.Writer, parent, id string) error {
	// parent := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
	// id := "my-hsm-encryption-key"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateCryptoKeyRequest{
		Parent:      parent,
		CryptoKeyId: id,
		CryptoKey: &kmspb.CryptoKey{
			Purpose: kmspb.CryptoKey_ENCRYPT_DECRYPT,
			VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
				ProtectionLevel: kmspb.ProtectionLevel_HSM,
				Algorithm:       kmspb.CryptoKeyVersion_GOOGLE_SYMMETRIC_ENCRYPTION,
			},

			// Optional: customize how long key versions should be kept before destroying.
			DestroyScheduledDuration: durationpb.New(24 * time.Hour),
		},
	}

	// Call the API.
	result, err := client.CreateCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	}
	fmt.Fprintf(w, "Created key: %s\n", result.Name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.ProtectionLevel;
import com.google.protobuf.Duration;
import java.io.IOException;

public class CreateKeyHsm {

  public void createKeyHsm() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String id = "my-hsm-key";
    createKeyHsm(projectId, locationId, keyRingId, id);
  }

  // Create a new key that is stored in an HSM.
  public void createKeyHsm(String projectId, String locationId, String keyRingId, String id)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project, location, and key ring.
      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);

      // Build the hsm key to create.
      CryptoKey key =
          CryptoKey.newBuilder()
              .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
              .setVersionTemplate(
                  CryptoKeyVersionTemplate.newBuilder()
                      .setProtectionLevel(ProtectionLevel.HSM)
                      .setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION))

              // Optional: customize how long key versions should be kept before destroying.
              .setDestroyScheduledDuration(Duration.newBuilder().setSeconds(24 * 60 * 60))
              .build();

      // Create the key.
      CryptoKey createdKey = client.createCryptoKey(keyRingName, id, key);
      System.out.printf("Created hsm key %s%n", createdKey.getName());
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-hsm-encryption-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);

async function createKeyHsm() {
  const [key] = await client.createCryptoKey({
    parent: keyRingName,
    cryptoKeyId: id,
    cryptoKey: {
      purpose: 'ENCRYPT_DECRYPT',
      versionTemplate: {
        algorithm: 'GOOGLE_SYMMETRIC_ENCRYPTION',
        protectionLevel: 'HSM',
      },

      // Optional: customize how long key versions should be kept before
      // destroying.
      destroyScheduledDuration: {seconds: 60 * 60 * 24},
    },
  });

  console.log(`Created hsm key: ${key.name}`);
  return key;
}

return createKeyHsm();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\CryptoKeyVersionTemplate;
use Google\Cloud\Kms\V1\ProtectionLevel;
use Google\Protobuf\Duration;

function create_key_hsm(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $id = 'my-hsm-key'
): CryptoKey {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent key ring name.
    $keyRingName = $client->keyRingName($projectId, $locationId, $keyRingId);

    // Build the key.
    $key = (new CryptoKey())
        ->setPurpose(CryptoKeyPurpose::ENCRYPT_DECRYPT)
        ->setVersionTemplate((new CryptoKeyVersionTemplate())
            ->setAlgorithm(CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION)
            ->setProtectionLevel(ProtectionLevel::HSM)
        )

        // Optional: customize how long key versions should be kept before destroying.
        ->setDestroyScheduledDuration((new Duration())
            ->setSeconds(24 * 60 * 60)
        );

    // Call the API.
    $createCryptoKeyRequest = (new CreateCryptoKeyRequest())
        ->setParent($keyRingName)
        ->setCryptoKeyId($id)
        ->setCryptoKey($key);
    $createdKey = $client->createCryptoKey($createCryptoKeyRequest);
    printf('Created hsm key: %s' . PHP_EOL, $createdKey->getName());

    return $createdKey;
}

Python

To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.

import datetime

from google.cloud import kms
from google.protobuf import duration_pb2  # type: ignore


def create_key_hsm(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> kms.CryptoKey:
    """
    Creates a new key in Cloud KMS backed by Cloud HSM.

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to create (e.g. 'my-hsm-key').

    Returns:
        CryptoKey: Cloud KMS key.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent key ring name.
    key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)

    # Build the key.
    purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
    algorithm = (
        kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
    )
    protection_level = kms.ProtectionLevel.HSM

    # Optional: customize how long key versions should be kept before
    # destroying. Duration.FromTimedelta() fills the message in place and
    # returns None, so build the Duration first instead of inlining the call.
    destroy_scheduled_duration = duration_pb2.Duration()
    destroy_scheduled_duration.FromTimedelta(datetime.timedelta(days=1))

    key = {
        "purpose": purpose,
        "version_template": {
            "algorithm": algorithm,
            "protection_level": protection_level,
        },
        "destroy_scheduled_duration": destroy_scheduled_duration,
    }

    # Call the API.
    created_key = client.create_crypto_key(
        request={"parent": key_ring_name, "crypto_key_id": key_id, "crypto_key": key}
    )
    print(f"Created hsm key: {created_key.name}")
    return created_key

Ruby

To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# id          = "my-hsm-key"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key ring name.
key_ring_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id

# Build the key.
key = {
  purpose:          :ENCRYPT_DECRYPT,
  version_template: {
    algorithm:        :GOOGLE_SYMMETRIC_ENCRYPTION,
    protection_level: :HSM
  },

  # Optional: customize how long key versions should be kept before destroying.
  destroy_scheduled_duration: {
    seconds: 24 * 60 * 60
  }
}

# Call the API.
created_key = client.create_crypto_key parent: key_ring_name, crypto_key_id: id, crypto_key: key
puts "Created hsm key: #{created_key.name}"

Encrypt data

Now that you have a key, you can use it to encrypt text or binary content. Encryption always uses the key's primary version; the protection level of that version (HSM here) is reported back in the protectionLevel field of the response.

gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of the Google Cloud CLI.

gcloud kms encrypt \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --plaintext-file FILE_TO_ENCRYPT \
    --ciphertext-file ENCRYPTED_OUTPUT

Replace the following:

  • KEY_NAME: the name of the key that you want to use for encryption.
  • KEY_RING: the name of the key ring that contains the key.
  • LOCATION: the Cloud KMS location that contains the key ring.
  • FILE_TO_ENCRYPT: the path to the file that you want to encrypt.
  • ENCRYPTED_OUTPUT: the path where you want to save the encrypted output.

For information about all flags and possible values, run the command with the --help flag.

C#

To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;
using Google.Protobuf;
using System.Text;

public class EncryptSymmetricSample
{
    public byte[] EncryptSymmetric(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key",
      string message = "Sample message")
    {
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the key name.
        CryptoKeyName keyName = new CryptoKeyName(projectId, locationId, keyRingId, keyId);

        // Convert the message into bytes. Cryptographic plaintexts and
        // ciphertexts are always byte arrays.
        byte[] plaintext = Encoding.UTF8.GetBytes(message);

        // Call the API.
        EncryptResponse result = client.Encrypt(keyName, ByteString.CopyFrom(plaintext));

        // Return the ciphertext.
        return result.Ciphertext.ToByteArray();
    }
}

Go

To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.

import (
	"context"
	"encoding/base64"
	"fmt"
	"hash/crc32"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
	"google.golang.org/protobuf/types/known/wrapperspb"
)

// encryptSymmetric encrypts the input plaintext with the specified symmetric
// Cloud KMS key.
func encryptSymmetric(w io.Writer, name string, message string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key"
	// message := "Sample message"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Convert the message into bytes. Cryptographic plaintexts and
	// ciphertexts are always byte arrays.
	plaintext := []byte(message)

	// Optional but recommended: Compute plaintext's CRC32C.
	crc32c := func(data []byte) uint32 {
		t := crc32.MakeTable(crc32.Castagnoli)
		return crc32.Checksum(data, t)
	}
	plaintextCRC32C := crc32c(plaintext)

	// Build the request.
	req := &kmspb.EncryptRequest{
		Name:            name,
		Plaintext:       plaintext,
		PlaintextCrc32C: wrapperspb.Int64(int64(plaintextCRC32C)),
	}

	// Call the API.
	result, err := client.Encrypt(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to encrypt: %w", err)
	}

	// Optional, but recommended: perform integrity verification on result.
	// For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
	// https://cloud.google.com/kms/docs/data-integrity-guidelines
	if !result.VerifiedPlaintextCrc32C {
		return fmt.Errorf("Encrypt: request corrupted in-transit")
	}
	if int64(crc32c(result.Ciphertext)) != result.CiphertextCrc32C.Value {
		return fmt.Errorf("Encrypt: response corrupted in-transit")
	}

	// Ciphertext is binary, so print it base64-encoded.
	fmt.Fprintf(w, "Encrypted ciphertext: %s\n", base64.StdEncoding.EncodeToString(result.Ciphertext))
	return nil
}

Java

To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.EncryptResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.protobuf.ByteString;
import java.io.IOException;
import java.util.Base64;

public class EncryptSymmetric {

  public void encryptSymmetric() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    String plaintext = "Plaintext to encrypt";
    encryptSymmetric(projectId, locationId, keyRingId, keyId, plaintext);
  }

  // Encrypt data with a given key.
  public void encryptSymmetric(
      String projectId, String locationId, String keyRingId, String keyId, String plaintext)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key name from the project, location, key ring, and key.
      // Encrypt always uses the key's primary version, so no version is named here.
      CryptoKeyName keyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

      // Encrypt the plaintext.
      EncryptResponse response = client.encrypt(keyName, ByteString.copyFromUtf8(plaintext));

      // Ciphertext is binary, so print it base64-encoded rather than as UTF-8.
      System.out.printf(
          "Ciphertext: %s%n",
          Base64.getEncoder().encodeToString(response.getCiphertext().toByteArray()));
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const keyId = 'my-key';
// const plaintextBuffer = Buffer.from('...');

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the key name
const keyName = client.cryptoKeyPath(projectId, locationId, keyRingId, keyId);

// Optional, but recommended: compute plaintext's CRC32C.
const crc32c = require('fast-crc32c');
const plaintextCrc32c = crc32c.calculate(plaintextBuffer);

async function encryptSymmetric() {
  const [encryptResponse] = await client.encrypt({
    name: keyName,
    plaintext: plaintextBuffer,
    plaintextCrc32c: {
      value: plaintextCrc32c,
    },
  });

  const ciphertext = encryptResponse.ciphertext;

  // Optional, but recommended: perform integrity verification on encryptResponse.
  // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
  // https://cloud.google.com/kms/docs/data-integrity-guidelines
  if (!encryptResponse.verifiedPlaintextCrc32c) {
    throw new Error('Encrypt: request corrupted in-transit');
  }
  if (
    crc32c.calculate(ciphertext) !==
    Number(encryptResponse.ciphertextCrc32c.value)
  ) {
    throw new Error('Encrypt: response corrupted in-transit');
  }

  console.log(`Ciphertext: ${ciphertext.toString('base64')}`);
  return ciphertext;
}

return encryptSymmetric();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\EncryptRequest;

function encrypt_symmetric(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $keyId = 'my-key',
    string $plaintext = '...'
) {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the key name.
    $keyName = $client->cryptoKeyName($projectId, $locationId, $keyRingId, $keyId);

    // Call the API.
    $encryptRequest = (new EncryptRequest())
        ->setName($keyName)
        ->setPlaintext($plaintext);
    $encryptResponse = $client->encrypt($encryptRequest);

    // Ciphertext is binary, so print it base64-encoded.
    printf('Ciphertext: %s' . PHP_EOL, base64_encode($encryptResponse->getCiphertext()));

    return $encryptResponse;
}

Python

To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.

# Import base64 for printing the ciphertext.
import base64

# Import the client library.
from google.cloud import kms


def encrypt_symmetric(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, plaintext: str
) -> bytes:
    """
    Encrypt plaintext using a symmetric key.

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to use (e.g. 'my-key').
        plaintext (string): message to encrypt

    Returns:
        bytes: Encrypted ciphertext.

    """

    # Convert the plaintext to bytes.
    plaintext_bytes = plaintext.encode("utf-8")

    # Optional, but recommended: compute plaintext's CRC32C.
    # See crc32c() function defined below.
    plaintext_crc32c = crc32c(plaintext_bytes)

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key name.
    key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)

    # Call the API.
    encrypt_response = client.encrypt(
        request={
            "name": key_name,
            "plaintext": plaintext_bytes,
            "plaintext_crc32c": plaintext_crc32c,
        }
    )

    # Optional, but recommended: perform integrity verification on encrypt_response.
    # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
    # https://cloud.google.com/kms/docs/data-integrity-guidelines
    if not encrypt_response.verified_plaintext_crc32c:
        raise Exception("The request sent to the server was corrupted in-transit.")
    if not encrypt_response.ciphertext_crc32c == crc32c(encrypt_response.ciphertext):
        raise Exception(
            "The response received from the server was corrupted in-transit."
        )
    # End integrity verification

    print(f"Ciphertext: {base64.b64encode(encrypt_response.ciphertext).decode('ascii')}")
    # Return the raw ciphertext bytes, as the signature promises.
    return encrypt_response.ciphertext


def crc32c(data: bytes) -> int:
    """
    Calculates the CRC32C checksum of the provided data.

    Args:
        data: the bytes over which the checksum should be calculated.

    Returns:
        An int representing the CRC32C checksum of the provided bytes.
    """
    import crcmod  # type: ignore

    crc32c_fun = crcmod.predefined.mkPredefinedCrcFun("crc-32c")
    return crc32c_fun(data)

Ruby

To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# key_id      = "my-key"
# plaintext   = "..."

# Require the libraries (Base64 is needed to print the binary ciphertext).
require "base64"
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key name.
key_name = client.crypto_key_path project:    project_id,
                                  location:   location_id,
                                  key_ring:   key_ring_id,
                                  crypto_key: key_id

# Call the API.
response = client.encrypt name: key_name, plaintext: plaintext
puts "Ciphertext: #{Base64.strict_encode64 response.ciphertext}"

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

When you use the JSON and REST APIs, content must be base64-encoded before Cloud KMS can encrypt it.

To encrypt data, make a POST request with the appropriate project and key information, and specify the base64-encoded text to be encrypted in the plaintext field of the request body.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:encrypt" \
  --request "POST" \
  --header "authorization: Bearer TOKEN" \
  --header "content-type: application/json" \
  --data "{\"plaintext\": \"PLAINTEXT_TO_ENCRYPT\"}"

Replace the following:

  • PROJECT_ID: the ID of the project that contains the key ring and the key that you want to use for encryption.
  • LOCATION: the Cloud KMS location that contains the key ring.
  • KEY_RING: the key ring that contains the key that you want to use for encryption.
  • KEY_NAME: the name of the key that you want to use for encryption.
  • PLAINTEXT_TO_ENCRYPT: the plaintext data that you want to encrypt. The plaintext must be base64-encoded before you call the encrypt method.
  • TOKEN: an OAuth 2.0 access token for a principal that is allowed to use the key, for example the output of gcloud auth print-access-token.

Here is an example payload with base64-encoded data:

{
  "plaintext": "U3VwZXIgc2VjcmV0IHRleHQgdGhhdCBtdXN0IGJlIGVuY3J5cHRlZAo="
}

The ciphertext field of the response is base64-encoded in the same way. Either decode it before storing the raw ciphertext, or store the base64 string as-is; in both cases the value passed back to decrypt must again be base64-encoded.

Decrypt ciphertext

To decrypt encrypted content, you must use the same key that was used to encrypt the content. You don't need to track which key version produced a ciphertext: Cloud KMS ciphertext identifies the version that encrypted it, and decryption succeeds as long as that version is still enabled. A version that has been disabled or destroyed cannot decrypt.

gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of the Google Cloud CLI.

gcloud kms decrypt \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --ciphertext-file FILE_TO_DECRYPT \
    --plaintext-file DECRYPTED_OUTPUT

Replace the following:

  • KEY_NAME: the name of the key that you want to use for decryption.
  • KEY_RING: the name of the key ring that contains the key.
  • LOCATION: the Cloud KMS location that contains the key ring.
  • FILE_TO_DECRYPT: the path to the file that you want to decrypt.
  • DECRYPTED_OUTPUT: the path where you want to save the decrypted output.

For information about all flags and possible values, run the command with the --help flag.
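The REST examples above send plaintext and ciphertext as base64 strings, and the Go, Node.js and Python SDK samples attach CRC32C checksums to both the encrypt and decrypt round trips. The following is an added example, not Google's sample code, that puts the client-side work for both calls in one place: building the JSON body for cryptoKeys:encrypt, and verifying the verifiedPlaintextCrc32c, ciphertextCrc32c (or plaintextCrc32c for decrypt) and protectionLevel fields of the reply before trusting it. It runs offline: fake_encrypt_response and FAKE_CIPHERTEXT are constructed stand-ins for what cloudkms.googleapis.com returns (real ciphertext is opaque output from the HSM), and CRC32C is implemented in pure Python so neither crcmod nor google-crc32c is required. The resource name in the fake response reuses the my-project / us-east1 / my-key-ring / my-key placeholders from the samples above.

```python
import base64
import json

# CRC32C (Castagnoli, reflected polynomial 0x82F63B78) in pure Python. This
# is the checksum Cloud KMS expects in its *Crc32c request/response fields.
_POLY = 0x82F63B78


def _make_table() -> list:
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ _POLY if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def build_encrypt_body(plaintext: bytes) -> dict:
    """Body for cryptoKeys:encrypt. In the REST API, bytes fields are base64
    and int64 fields such as plaintextCrc32c are decimal strings. Send the
    result with json.dumps(body) as the --data of the curl call above."""
    return {
        "plaintext": base64.b64encode(plaintext).decode("ascii"),
        "plaintextCrc32c": str(crc32c(plaintext)),
    }


def verify_encrypt_response(response: dict, expected_level: str = "HSM") -> bytes:
    """The checks the Go/Node.js/Python samples perform, plus a check that the
    operation really was served by a key at the expected protection level."""
    if not response.get("verifiedPlaintextCrc32c"):
        raise ValueError("Encrypt: request corrupted in transit")
    ciphertext = base64.b64decode(response["ciphertext"])
    if crc32c(ciphertext) != int(response["ciphertextCrc32c"]):
        raise ValueError("Encrypt: response corrupted in transit")
    if response.get("protectionLevel") != expected_level:
        raise ValueError(f"Encrypt: key is not {expected_level}-protected")
    return ciphertext


def verify_decrypt_response(response: dict) -> bytes:
    """cryptoKeys:decrypt returns plaintext and plaintextCrc32c; check them
    before using the plaintext."""
    plaintext = base64.b64decode(response["plaintext"])
    if crc32c(plaintext) != int(response["plaintextCrc32c"]):
        raise ValueError("Decrypt: response corrupted in transit")
    return plaintext


# Constructed stand-in for a server reply. Real ciphertext is opaque HSM
# output; these bytes exist only to exercise the checks above.
FAKE_CIPHERTEXT = b"\x00constructed-ciphertext-bytes"


def fake_encrypt_response(ciphertext: bytes) -> dict:
    return {
        "name": "projects/my-project/locations/us-east1/keyRings/my-key-ring"
                "/cryptoKeys/my-key/cryptoKeyVersions/1",
        "ciphertext": base64.b64encode(ciphertext).decode("ascii"),
        "ciphertextCrc32c": str(crc32c(ciphertext)),
        "verifiedPlaintextCrc32c": True,
        "protectionLevel": "HSM",
    }


def demo() -> dict:
    # The plaintext behind the base64 payload shown in the REST section above.
    plaintext = b"Super secret text that must be encrypted\n"
    body = build_encrypt_body(plaintext)

    good = fake_encrypt_response(FAKE_CIPHERTEXT)
    ciphertext = verify_encrypt_response(good)

    # One flipped byte in the ciphertext field: the checksum no longer matches.
    bad = dict(good)
    bad["ciphertext"] = base64.b64encode(b"\x01" + FAKE_CIPHERTEXT[1:]).decode("ascii")
    try:
        verify_encrypt_response(bad)
        corruption_caught = False
    except ValueError:
        corruption_caught = True

    return {
        "request_json": json.dumps(body),
        "ciphertext": ciphertext,
        "corruption_caught": corruption_caught,
    }


if __name__ == "__main__":
    print(demo())
```

The protectionLevel check is the one piece the SDK samples leave out: because an HSM key and a software key are used through the same API, it is the only signal in the response that the operation was actually performed inside the HSM rather than on a key someone recreated with the default protection level.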

C#

To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;
using Google.Protobuf;
using System.Text;

public class DecryptSymmetricSample
{
    public string DecryptSymmetric(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key",
      byte[] ciphertext = null)
    {
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the key name.
        CryptoKeyName keyName = new CryptoKeyName(projectId, locationId, keyRingId, keyId);

        // Call the API.
        DecryptResponse result = client.Decrypt(keyName, ByteString.CopyFrom(ciphertext));

        // Get the plaintext. Cryptographic plaintexts and ciphertexts are
        // always byte arrays.
        byte[] plaintext = result.Plaintext.ToByteArray();

        // Return the result.
        return Encoding.UTF8.GetString(plaintext);
    }
}

Go

To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.

import (
	"context"
	"fmt"
	"hash/crc32"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
	"google.golang.org/protobuf/types/known/wrapperspb"
)

// decryptSymmetric will decrypt the input ciphertext bytes using the specified symmetric key.
func decryptSymmetric(w io.Writer, name string, ciphertext []byte) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key"
	// ciphertext := []byte("...")  // result of a symmetric encryption call

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Optional, but recommended: Compute ciphertext's CRC32C.
	crc32c := func(data []byte) uint32 {
		t := crc32.MakeTable(crc32.Castagnoli)
		return crc32.Checksum(data, t)
	}
	ciphertextCRC32C := crc32c(ciphertext)

	// Build the request.
	req := &kmspb.DecryptRequest{
		Name:             name,
		Ciphertext:       ciphertext,
		CiphertextCrc32C: wrapperspb.Int64(int64(ciphertextCRC32C)),
	}

	// Call the API.
	result, err := client.Decrypt(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to decrypt ciphertext: %w", err)
	}

	// Optional, but recommended: perform integrity verification on result.
	// For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
	// https://cloud.google.com/kms/docs/data-integrity-guidelines
	if int64(crc32c(result.Plaintext)) != result.PlaintextCrc32C.Value {
		return fmt.Errorf("Decrypt: response corrupted in-transit")
	}

	fmt.Fprintf(w, "Decrypted plaintext: %s", result.Plaintext)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.DecryptResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.protobuf.ByteString;
import java.io.IOException;

public class DecryptSymmetric {

  public void decryptSymmetric() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    byte[] ciphertext = null;
    decryptSymmetric(projectId, locationId, keyRingId, keyId, ciphertext);
  }

  // Decrypt data that was encrypted using a symmetric key.
  public void decryptSymmetric(
      String projectId, String locationId, String keyRingId, String keyId, byte[] ciphertext)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key name from the project, location, key ring, and key.
      CryptoKeyName keyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

      // Decrypt the ciphertext.
      DecryptResponse response = client.decrypt(keyName, ByteString.copyFrom(ciphertext));
      System.out.printf("Plaintext: %s%n", response.getPlaintext().toStringUtf8());
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const keyId = 'my-key';
// Ciphertext must be either a Buffer object or a base-64 encoded string
// const ciphertext = Buffer.from('...');

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the key name
const keyName = client.cryptoKeyPath(projectId, locationId, keyRingId, keyId);

// Optional, but recommended: compute ciphertext's CRC32C.
const crc32c = require('fast-crc32c');
const ciphertextCrc32c = crc32c.calculate(ciphertext);

async function decryptSymmetric() {
  const [decryptResponse] = await client.decrypt({
    name: keyName,
    ciphertext: ciphertext,
    ciphertextCrc32c: {
      value: ciphertextCrc32c,
    },
  });

  // Optional, but recommended: perform integrity verification on decryptResponse.
  // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
  // https://cloud.google.com/kms/docs/data-integrity-guidelines
  if (
    crc32c.calculate(decryptResponse.plaintext) !==
    Number(decryptResponse.plaintextCrc32c.value)
  ) {
    throw new Error('Decrypt: response corrupted in-transit');
  }

  const plaintext = decryptResponse.plaintext.toString();

  console.log(`Plaintext: ${plaintext}`);
  return plaintext;
}

return decryptSymmetric();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\DecryptRequest;

function decrypt_symmetric(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $keyId = 'my-key',
    string $ciphertext = '...'
) {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the key name.
    $keyName = $client->cryptoKeyName($projectId, $locationId, $keyRingId, $keyId);

    // Call the API.
    $decryptRequest = (new DecryptRequest())
        ->setName($keyName)
        ->setCiphertext($ciphertext);
    $decryptResponse = $client->decrypt($decryptRequest);
    printf('Plaintext: %s' . PHP_EOL, $decryptResponse->getPlaintext());

    return $decryptResponse;
}

Python

To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.

from google.cloud import kms


def decrypt_symmetric(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, ciphertext: bytes
) -> kms.DecryptResponse:
    """
    Decrypt the ciphertext using the symmetric key

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to use (e.g. 'my-key').
        ciphertext (bytes): Encrypted bytes to decrypt.

    Returns:
        DecryptResponse: Response including plaintext.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key name.
    key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)

    # Optional, but recommended: compute ciphertext's CRC32C.
    # See crc32c() function defined below.
    ciphertext_crc32c = crc32c(ciphertext)

    # Call the API.
    decrypt_response = client.decrypt(
        request={
            "name": key_name,
            "ciphertext": ciphertext,
            "ciphertext_crc32c": ciphertext_crc32c,
        }
    )

    # Optional, but recommended: perform integrity verification on decrypt_response.
    # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
    # https://cloud.google.com/kms/docs/data-integrity-guidelines
    if not decrypt_response.plaintext_crc32c == crc32c(decrypt_response.plaintext):
        raise Exception(
            "The response received from the server was corrupted in-transit."
        )
    # End integrity verification

    print(f"Plaintext: {decrypt_response.plaintext!r}")
    return decrypt_response


def crc32c(data: bytes) -> int:
    """
    Calculates the CRC32C checksum of the provided data.
    Args:
        data: the bytes over which the checksum should be calculated.

    Returns:
        An int representing the CRC32C checksum of the provided bytes.
    """
    import crcmod  # type: ignore

    crc32c_fun = crcmod.predefined.mkPredefinedCrcFun("crc-32c")
    return crc32c_fun(data)

Ruby

To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# key_id      = "my-key"
# ciphertext  = "..."

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key name.
key_name = client.crypto_key_path project:    project_id,
                                  location:   location_id,
                                  key_ring:   key_ring_id,
                                  crypto_key: key_id

# Call the API.
response = client.decrypt name: key_name, ciphertext: ciphertext
puts "Plaintext: #{response.plaintext}"

API

These examples use curl as an HTTP client to demonstrate how to use the API. For more information about access control, see Accessing the Cloud KMS API.

Decrypted text returned from Cloud KMS in JSON is base64-encoded.

To decrypt encrypted data, make a POST request with the appropriate project and key information, and specify the encrypted text (also called ciphertext) to decrypt in the ciphertext field of the request body.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME:decrypt" \
  --request "POST" \
  --header "authorization: Bearer TOKEN" \
  --header "content-type: application/json" \
  --data "{\"ciphertext\": \"ENCRYPTED_DATA\"}"

Replace the following:

  • PROJECT_ID: the ID of the project that contains the key ring and key you want to use for decryption.
  • LOCATION: the Cloud KMS location that contains the key ring.
  • KEY_RING: the key ring that contains the key you want to use for decryption.
  • KEY_NAME: the name of the key you want to use for decryption.
  • ENCRYPTED_DATA: the encrypted data you want to decrypt.

The following is an example payload with base64-encoded data:

{
  "ciphertext": "CiQAhMwwBo61cHas7dDgifrUFs5zNzBJ2uZtVFq4ZPEl6fUVT4kSmQ..."
}
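The REST calls above require base64-encoded plaintext and ciphertext, and the Go, Node.js and Python samples add a CRC32C integrity check on the response. The following Python is an added example, not Google's sample code: it builds the :encrypt and :decrypt request bodies with their base64 and CRC32C fields and verifies plaintextCrc32c on a :decrypt response, using a self-contained CRC-32C implementation in place of crcmod. The field names follow the Cloud KMS REST API; carrying the int64 checksum fields as decimal strings follows the protobuf JSON mapping, and all sample data is constructed.

```python
import base64

# CRC-32C (Castagnoli), the checksum behind the Cloud KMS *Crc32c fields.
# Pure-Python table so this example runs without crcmod or fast-crc32c.
_POLY = 0x82F63B78  # reflected CRC-32C polynomial


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def build_encrypt_body(plaintext: bytes) -> dict:
    """Body for :encrypt. The API wants base64, not raw bytes; int64
    fields such as plaintextCrc32c travel as decimal strings in JSON."""
    return {
        "plaintext": base64.b64encode(plaintext).decode("ascii"),
        "plaintextCrc32c": str(crc32c(plaintext)),
    }


def build_decrypt_body(ciphertext: bytes) -> dict:
    """Body for :decrypt, with ciphertextCrc32c so the server can verify it."""
    return {
        "ciphertext": base64.b64encode(ciphertext).decode("ascii"),
        "ciphertextCrc32c": str(crc32c(ciphertext)),
    }


def plaintext_from_decrypt_response(resp: dict) -> bytes:
    """Decode a :decrypt response and verify plaintextCrc32c before trusting
    the plaintext, as the Go, Node.js and Python samples above do."""
    plaintext = base64.b64decode(resp["plaintext"])
    if int(resp["plaintextCrc32c"]) != crc32c(plaintext):
        raise ValueError("Decrypt: response corrupted in-transit")
    return plaintext
```

Serialize the returned dict with json.dumps to produce the --data argument of the curl calls above; the response dict is what json.loads gives you from the API reply.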

What's next

Known limitations

  • For user-supplied plaintext and ciphertext, the maximum message size is 8 KiB (compared with the 64 KiB limit for Cloud KMS software keys), including any additional authenticated data.

  • Cloud HSM might not be available in certain multi-regions or dual-regions. For details, see the supported regions for Cloud HSM.

  • If you use Cloud HSM keys with customer-managed encryption key (CMEK) integrations in other Google Cloud services, the location used by the service must exactly match the location of the Cloud HSM key. This rule applies to single-region, dual-region, and multi-region locations.

    For more information about CMEK-integrated services, see the relevant section of Encryption at rest.

  • For asymmetric keys currently stored in Cloud HSM, key operations incur noticeably higher latency than with Cloud KMS software keys.

Bare Metal Rack HSM

Google Cloud offers other HSM options, such as single-tenant deployments. With Bare Metal Rack HSM, customers can host their own HSMs in Google-provided space. For more information, contact your account representative.