Encrypting data using Google Tink
Tink is Google's cryptographic library, an alternative to AWS Encryption. The library lets you focus on encrypting and decrypting data without having to choose the correct encryption algorithm and parameters.
Java and Go versions of the Tink client are supported; they encrypt and decrypt data using Yandex.Cloud KMS keys. Data is encrypted using envelope encryption (the size of plaintext is not limited).
Adding dependencies
Before you start, you need to add dependencies.
Java
Add dependencies using Apache Maven:
<dependency>
    <groupId>com.yandex.cloud</groupId>
    <artifactId>kms-provider-tink</artifactId>
    <version>1.0</version>
</dependency>
Go
Run the command:
go get github.com/yandex-cloud/kms-clients-go/yckmstink
Encryption and decryption
The code uses the following variables:
credentials: Determines the authentication method (for more information, see Authentication in the Yandex.Cloud SDK).
keyId: ID of the key in KMS.
plaintext: Unencrypted text.
ciphertext: Encrypted text.
aad: AAD context.
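Java
Create an Aead object and use the encrypt and decrypt methods for data encryption and decryption:
// Register Tink's AEAD primitives before any Aead object is created.
AeadConfig.register();
// Register the Yandex.Cloud KMS client; credentials selects the authentication method.
KmsClients.add(new YcKmsClient(() -> credentials));
String keyUri = "yc-kms://" + keyId;
// kmsAead wraps and unwraps data encryption keys with the KMS key.
Aead kmsAead = KmsClients.get(keyUri).getAead(keyUri);
// Envelope AEAD: the data itself is encrypted locally with AES-256-GCM.
Aead aead = new KmsEnvelopeAead(AeadKeyTemplates.AES256_GCM, kmsAead);
...
byte[] ciphertext = aead.encrypt(plaintext, aad);
...
// decrypt requires the same aad that was passed to encrypt.
byte[] plaintext = aead.decrypt(ciphertext, aad);
Go
Create an Aead object and use the Encrypt and Decrypt methods for data encryption and decryption:
// ctx is a context.Context; credentials selects the authentication method.
sdk, err := ycsdk.Build(ctx, ycsdk.Config{
    Credentials: credentials,
})
if err != nil {...}
// kmsAead wraps and unwraps data encryption keys with the KMS key.
kmsAead := yckmstink.NewYCAEAD(keyId, sdk)
// Envelope AEAD: the data itself is encrypted locally with AES-256-GCM.
aead := aead.NewKMSEnvelopeAEAD(*aead.AES256GCMKeyTemplate(), kmsAead)
...
ciphertext, err := aead.Encrypt(plaintext, aad)
if err != nil {...}
...
// Decrypt requires the same aad that was passed to Encrypt.
plaintext, err := aead.Decrypt(ciphertext, aad)
if err != nil {...}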
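What envelope encryption with an AAD context does for each message can be shown with the Go standard library alone. The following is an added example, not code from Tink or the Yandex.Cloud client: a local AES-GCM key stands in for the KMS key, the names gcm, Encrypt and Decrypt and the byte layout are assumptions made for illustration, and the output is not compatible with Tink ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// gcm builds AES-GCM from a raw key: the DEK cipher, and the local KEK stand-in.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt wraps a one-time DEK with kms (assumed stand-in for the KMS call) and
// returns uint32 len(wrapped) | nonce1 | wrapped DEK | nonce2 | data ciphertext.
func Encrypt(kms cipher.AEAD, pt, aad []byte) ([]byte, error) {
	rnd := make([]byte, 56) // 32-byte DEK followed by two 12-byte GCM nonces
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	dek, n1, n2 := rnd[:32], rnd[32:44], rnd[44:]
	data, _ := gcm(dek) // cannot fail: 32 bytes is a valid AES-256 key length
	wrapped := kms.Seal(nil, n1, dek, nil)
	out := binary.BigEndian.AppendUint32(nil, uint32(len(wrapped)))
	out = append(append(append(out, n1...), wrapped...), n2...)
	return data.Seal(out, n2, pt, aad), nil // aad is authenticated, not stored
}

// Decrypt bounds-checks the prefix, unwraps the DEK, then verifies data and aad.
func Decrypt(kms cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if len(ct) < 28 || uint64(binary.BigEndian.Uint32(ct)) > uint64(len(ct)-28) {
		return nil, errors.New("malformed envelope")
	}
	end := 16 + int(binary.BigEndian.Uint32(ct)) // end of the wrapped DEK
	dek, err := kms.Open(nil, ct[4:16], ct[16:end], nil)
	if err != nil {
		return nil, err
	}
	data, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	return data.Open(nil, ct[end:end+12], ct[end+12:], aad)
}
```

Only the 32-byte DEK passes through the key-wrapping step, so the plaintext can be of any size, and the caller must supply the same aad at decryption because it is not stored in the ciphertext.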