Get the version of Google KMS key used when decrypting ciphertext





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







2















When encrypting symmetrically with Google Cloud's KMS, Google Cloud automatically chooses the primary key version:




Each symmetric encryption key has a designated primary version which is used at that point in time to encrypt data. In order for a key to be available for use to encrypt data, it needs to have a primary key version which is enabled.



When a key is used to encrypt plaintext, its primary key version is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a key can be primary at any given point in time.




The EncryptResponse includes the ciphertext and the version of the key that was used.



If you haven't saved the version of the key at the time of encryption, is it possible to determine the key version later? The key version is stored in the ciphertext, and the KMS service is able to determine the key version to decrypt with, but the DecryptResponse only includes the plaintext, not the key version.






google-cloud-kms







share|improve this question


















  • 1





    This is a very good question, thank you! I am asking the Cloud KMS team.

    – Tim Dierks
    Jan 3 at 22:33


















2















When encrypting symmetrically with Google Cloud's KMS, Google Cloud automatically chooses the primary key version:




Each symmetric encryption key has a designated primary version which is used at that point in time to encrypt data. In order for a key to be available for use to encrypt data, it needs to have a primary key version which is enabled.



When a key is used to encrypt plaintext, its primary key version is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a key can be primary at any given point in time.




The EncryptResponse includes the ciphertext and the version of the key that was used.



If you haven't saved the version of the key at the time of encryption, is it possible to determine the key version later? The key version is stored in the ciphertext, and the KMS service is able to determine the key version to decrypt with, but the DecryptResponse only includes the plaintext, not the key version.






google-cloud-kms







share|improve this question


















  • 1





    This is a very good question, thank you! I am asking the Cloud KMS team.

    – Tim Dierks
    Jan 3 at 22:33














2












2








2


1






When encrypting symmetrically with Google Cloud's KMS, Google Cloud automatically chooses the primary key version:




Each symmetric encryption key has a designated primary version which is used at that point in time to encrypt data. In order for a key to be available for use to encrypt data, it needs to have a primary key version which is enabled.



When a key is used to encrypt plaintext, its primary key version is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a key can be primary at any given point in time.




The EncryptResponse includes the ciphertext and the version of the key that was used.



If you haven't saved the version of the key at the time of encryption, is it possible to determine the key version later? The key version is stored in the ciphertext, and the KMS service is able to determine the key version to decrypt with, but the DecryptResponse only includes the plaintext, not the key version.






google-cloud-kms







share|improve this question














When encrypting symmetrically with Google Cloud's KMS, Google Cloud automatically chooses the primary key version:




Each symmetric encryption key has a designated primary version which is used at that point in time to encrypt data. In order for a key to be available for use to encrypt data, it needs to have a primary key version which is enabled.



When a key is used to encrypt plaintext, its primary key version is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a key can be primary at any given point in time.




The EncryptResponse includes the ciphertext and the version of the key that was used.



If you haven't saved the version of the key at the time of encryption, is it possible to determine the key version later? The key version is stored in the ciphertext, and the KMS service is able to determine the key version to decrypt with, but the DecryptResponse only includes the plaintext, not the key version.






google-cloud-kms




google-cloud-kms






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 3 at 21:36









Daniel ComptonDaniel Compton

6,61622949




6,61622949








  • 1





    This is a very good question, thank you! I am asking the Cloud KMS team.

    – Tim Dierks
    Jan 3 at 22:33














  • 1





    This is a very good question, thank you! I am asking the Cloud KMS team.

    – Tim Dierks
    Jan 3 at 22:33








1




1





This is a very good question, thank you! I am asking the Cloud KMS team.

– Tim Dierks
Jan 3 at 22:33





This is a very good question, thank you! I am asking the Cloud KMS team.

– Tim Dierks
Jan 3 at 22:33












1 Answer
1






active

oldest

votes


















2














This is not currently possible but we've taken a feature request to provide the version when decrypting. Thanks for the suggestion and thanks for using GCP and Cloud KMS!






share|improve this answer
























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54030129%2fget-the-version-of-google-kms-key-used-when-decrypting-ciphertext%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    This is not currently possible but we've taken a feature request to provide the version when decrypting. Thanks for the suggestion and thanks for using GCP and Cloud KMS!






    share|improve this answer




























      2














      This is not currently possible but we've taken a feature request to provide the version when decrypting. Thanks for the suggestion and thanks for using GCP and Cloud KMS!






      share|improve this answer


























        2












        2








        2







        This is not currently possible but we've taken a feature request to provide the version when decrypting. Thanks for the suggestion and thanks for using GCP and Cloud KMS!






        share|improve this answer













        This is not currently possible but we've taken a feature request to provide the version when decrypting. Thanks for the suggestion and thanks for using GCP and Cloud KMS!







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jan 4 at 15:02









        Tim DierksTim Dierks

        964620




        964620
































            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54030129%2fget-the-version-of-google-kms-key-used-when-decrypting-ciphertext%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Mossoró

            Image
              Nota: Para outros significados, veja Mossoró (desambiguação). Município de Mossoró "Capital do Oeste Potiguar" [ 1 ] "Capital nacional do Semiárido" [ 2 ] [ 3 ] "Capital Cultural do Rio Grande do Norte" [ 1 ] "Terra de Santa Luzia" [ 4 ] "Terra do Sol, do Sal e do Petróleo" [ 5 ] "Terra da Liberdade [ 6 ] " Centro de Mossoró, com a Praça Vigário Antônio Joaquim e, ao fundo, a câmara municipal de vereadores (esquerda) e Catedral de Santa Luzia (direita) Bandeira Brasão Hino Fundação 15 de março de 1852 (166 anos) Gentílico mossoroense Padroeiro(a) Santa Luzia Prefeito(a) Rosalba Ciarlini Rosado (PP) (2017 – 2020 ) Localização Localização de Mossoró no Rio Grande do Norte Mossoró Localização de Mossoró no Brasil 05° 11' 16" S 37° 20' 38" O 05° 11' 16" S 37° 20' 38" O Unidade federativa Rio Grande do No...
            Read more

            Error while reading .h5 file using the rhdf5 package in R

            Image
            0 I'm importing a .h5 file into R by using the rhdf5 package. But a warning message showed and I found the DATE_TIME column of my data is NA when I view the imported file. Warning message: In H5Dread(h5dataset = h5dataset, h5spaceFile = h5spaceFile, h5spaceMem = h5spaceMem, : h5read for type 'TIME' not yet implemented. Values replaced by NA's. It's all normal when I use Vitables (Python) to open the .h5 file. But the DATE_TIME column is NA with HDFViewer open it. My code is: library(rhdf5) test <- h5read("mytestdata.h5", "/results") View(mydatatest) I want to use R to open .h5 file. Please give me some help! Thanks in advance! r hdf5 rhdf5 ...
            Read more

            Pushsharp Apns notification error: 'InvalidToken'

            Image
            1 1 I am currently working on automatic updates for Passbook (wallet) tickets and am experiencing some trouble using the Pushsharp library by Redth. I am using a Push notification certificate from the apple developer portal. I have tried to export my certificate as .p12, .pem and tried to use only the private key as .12 or .pem but nothing works. This is my full certificate (information is blanked out for security reasons): https://cdn.pbrd.co/images/HUJtb7b.png I dont have enough reputation to post images so a link is all i can provide. var succeeded = 0; var failed = 0; var attempted = 0; var config = new ApnsConfiguration(ApnsConfiguration.ApnsServerEnvironment.Sandbox, ConfigManager.CertPath + "PushCertificateV2.p12", ConfigManager.lvppass, fa...
            Read more