I am implementing the standard implementation of Google Cloud Platform's Data Loss Prevention API in Python for de-identifying text. This is from the example in https://gith
Most likely, the key is not wrapped correctly. Can you please try the following commands to see that the decryption of the wrapped key generates the right output?
cat wrapped_key.txt | base64 -d > ciphertext.txt
gcloud kms decrypt --location global --keyring <key-ring-name> --key <key-name> --plaintext-file unwrapped_secret.txt --ciphertext-file ciphertext.txt
stat --printf="%s\n" unwrapped_secret.txt
Here are the steps to generate the KMS wrapped key for use with Google Cloud DLP API.
Basic Terminology:
DEK: Key to be wrapped.
KEK: Key with which DEK would be wrapped. This key does not leave Google Cloud KMS.
Go to your Google Cloud console project > Cryptographic keys and create a keyring and a KEK (if you have not already done so).
Commands
In order to execute the following commands, Google Cloud Shell might be the best option as it takes care of gcloud credential setup for you.
Step 1: Generate a 32-byte random value. This would be your DEK.
openssl rand 32 > secret.txt
Step 2: Encrypt using Cloud KMS.
gcloud kms encrypt --location global --keyring <key-ring-name> --key \
<key-name> --plaintext-file secret.txt --ciphertext-file \
mysecret.txt.encrypted
Step 3: Convert to base64
base64 mysecret.txt.encrypted
Step 4: Use this generated value in your request to Google Cloud DLP API.
Let me know if this doesn't help. If you could provide details on how you are wrapping the key, we could triage this further.
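The following is an added example, not code from the question, the answer, or Google's DLP sample. It shows the Python side of the four steps above: a local stand-in for Step 1, a strict decoder for the Step 3 base64 text (the `base64` command wraps its output at 76 columns unless given `-w0`, so pasted values often contain newlines), the size check behind the `stat` command in the answer, and the `crypto_replace_ffx_fpe_config` / `kms_wrapped` dict that the `google-cloud-dlp` client accepts as a `deidentify_config` in Step 4. The wrapped key bytes and KEK resource name used as sample input are constructed placeholders, not a real KMS ciphertext; the real value comes from `gcloud kms encrypt`.

```python
"""Assemble a DLP de-identify config around a KMS-wrapped DEK (added example).

Only the offline parts are exercised here: decoding the base64 wrapped key,
checking the unwrapped DEK size, and building the request dict. Wrapping
itself is done by `gcloud kms encrypt` as in Step 2 of the answer.
"""
import base64
import binascii
import re
import secrets

# Step 1 of the answer generates a 32-byte (256-bit) DEK; enforce the same size.
DEK_LEN = 32

# Shape of a Cloud KMS key resource name (the KEK that never leaves KMS).
KEK_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

# Constructed sample input: NOT a real KMS ciphertext, just bytes that stand in
# for the output of `gcloud kms encrypt` after `base64` encoding (Step 3).
SAMPLE_CIPHERTEXT = b"constructed-kms-ciphertext-stand-in-" + bytes(range(40))
SAMPLE_WRAPPED_KEY_B64 = base64.b64encode(SAMPLE_CIPHERTEXT).decode("ascii")
SAMPLE_KEK_NAME = (
    "projects/example-project/locations/global/keyRings/example-ring/"
    "cryptoKeys/example-kek"  # placeholder resource name
)


def generate_dek(length: int = DEK_LEN) -> bytes:
    """Local equivalent of `openssl rand 32 > secret.txt` (Step 1)."""
    return secrets.token_bytes(length)


def decode_wrapped_key(wrapped_key_b64: str) -> bytes:
    """Return the raw KMS ciphertext encoded by Step 3.

    Whitespace is removed first because `base64` wraps long output across
    lines; strict decoding then rejects truncated or otherwise mangled copies
    of the value instead of silently producing garbage.
    """
    compact = "".join(wrapped_key_b64.split())
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"wrapped key is not valid base64: {exc}") from exc


def check_unwrapped_dek(plaintext: bytes) -> bool:
    """The check behind `stat --printf="%s\\n" unwrapped_secret.txt`.

    `plaintext` is the output of `gcloud kms decrypt`; a correctly wrapped
    DEK from Step 1 unwraps to exactly 32 bytes.
    """
    return len(plaintext) == DEK_LEN


def build_deidentify_config(
    wrapped_key_b64: str, kek_name: str, surrogate: str = "TOKEN"
) -> dict:
    """Build the `deidentify_config` dict for an FFX-FPE transformation.

    The DLP client's `wrapped_key` field is raw bytes, so the base64 text is
    decoded here rather than passed through; passing the base64 string itself
    is a common cause of "key not wrapped correctly" errors.
    """
    if not KEK_NAME_RE.match(kek_name):
        raise ValueError(f"KEK name is not a KMS cryptoKey resource: {kek_name}")
    wrapped = decode_wrapped_key(wrapped_key_b64)
    return {
        "info_type_transformations": {
            "transformations": [
                {
                    "primitive_transformation": {
                        "crypto_replace_ffx_fpe_config": {
                            "crypto_key": {
                                "kms_wrapped": {
                                    "wrapped_key": wrapped,
                                    "crypto_key_name": kek_name,
                                }
                            },
                            "common_alphabet": "ALPHA_NUMERIC",
                            "surrogate_info_type": {"name": surrogate},
                        }
                    }
                }
            ]
        }
    }


if __name__ == "__main__":
    cfg = build_deidentify_config(SAMPLE_WRAPPED_KEY_B64, SAMPLE_KEK_NAME)
    print("DEK size ok:", check_unwrapped_dek(generate_dek()))
    print("config keys:", list(cfg["info_type_transformations"]))
```

In real use the returned dict is passed as `deidentify_config` to `DlpServiceClient.deidentify_content`, together with the `item` to de-identify and an `inspect_config`; if the API still rejects the key, run the `gcloud kms decrypt` check from the answer on the same base64 text and confirm the plaintext is 32 bytes.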