This recipe will be of two parts. The first part is to set up the Cloud KMS key, which will be part of a keyring. Then, we'll use the generated key to encrypt and decrypt our secret data. For the secret data, let us take a sensitive financial data for a credit card: 1234 4321 2342 9084 and save it to a text file. We'll use the key generated to encrypt the file and push the encrypted file to be stored on a public data store, for this we'll use a Google Storage bucket. Later, we can pull the encrypted file and use the KMS key to decrypt the data:

1. First, let us create a keyring called fin-keyring:

gcloud kms keyrings create fin-keyring --location global

2. With the fin-keyring, create a key named fin-encrypt-key:

gcloud kms ...