w,SrSSKJr SSKJr SSKJr SSKrSSKJr SSK J r SSK J r SSK Jr SSK Jr SS K Jr SS K Jr SS KJr SS KJr SS KJr Sr"SS\ R05rg)z)Encrypt a plaintext file using a raw key.)absolute_import)division)unicode_literalsN) exceptions)base)crc32c) e2e_integrity)flags)log) console_io)filescF\rSrSrSr\S5rSrSrSr Sr Sr S r g ) RawEncrypt$a Encrypt a plaintext file using a raw key. Encrypts the given plaintext file using the given CryptoKey containing a raw key and writes the result to the named ciphertext file. The plaintext file must not be larger than 64KiB. For the AES-CBC algorithms, no server-side padding is being done, so the plaintext must be a multiple of the block size. The supported algorithms are: `AES-128-GCM`, `AES-256-GCM`, `AES-128-CBC`, `AES-256-CBC`, `AES-128-CTR`, `and AES-256-CTR`. `AES-GCM` provides authentication which means that it accepts additional authenticated data (AAD). So, the flag `--additional-authenticated-data-file` is only valid with `AES-128-GCM` and `AES-256-GCM` algorithms. The initialization vector (flag `--initialization-vector-file`) is only supported for `AES-CBC` and `AES-CTR` algorithms, and must be 16B in length. Therefore, both additional authenticated data and initialization vector can't be provided during encryption. If an additional authenticated data file is provided, its contents must also be provided during decryption. The file must not be larger than 64KiB. The flag `--version` indicates the version of the key to use for encryption. If `--plaintext-file` or `--additional-authenticated-data-file` or `--initialization-vector-file` is set to '-', that file is read from stdin. Similarly, if `--ciphertext-file` is set to '-', the ciphertext is written to stdout. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use `--skip-integrity-verification` to disable integrity verification. ## EXAMPLES The following command reads and encrypts the file `path/to/input/plaintext`. The file will be encrypted using the `AES-GCM` CryptoKey `KEYNAME` from the KeyRing `KEYRING` in the `global` location using the additional authenticated data file `path/to/input/aad`. The resulting ciphertext will be written to `path/to/output/ciphertext`. $ {command} \ --key=KEYNAME \ --keyring=KEYRING \ --location=global \ --plaintext-file=path/to/input/plaintext \ --additional-authenticated-data-file=path/to/input/aad \ --ciphertext-file=path/to/output/ciphertext The following command reads and encrypts the file `path/to/input/plaintext`. The file will be encrypted using the `AES-CBC` CryptoKey `KEYNAME` from the KeyRing `KEYRING` in the `global` location using the initialization vector stored at `path/to/input/aad`. The resulting ciphertext will be written to `path/to/output/ciphertext`. $ {command} \ --key=KEYNAME \ --keyring=KEYRING \ --location=global \ --plaintext-file=path/to/input/plaintext \ --initialization-vector-file=path/to/input/iv \ --ciphertext-file=path/to/output/ciphertext cD[R"US5 [R"USS5 [R"US5 [R"US5 [R "US5 [R "U5 [R"U5 g)NzThe key to use for encryption.zto use for encryptionTz to encryptz to outputzfor encryption)r AddKeyResourceFlagsAddCryptoKeyVersionFlagAddPlaintextFileFlagAddCiphertextFileFlag AddIvFileFlagAddAadFileFlagAddSkipIntegrityVerification)parsers lib/surface/kms/raw_encrypt.pyArgsRawEncrypt.Argsfss f&FG !!&*A4H v|4  4  01   &&v.c[R"USS9n[U5U:a%[R"SR X55eU$)NT)binaryz   c! ''3.  2 2c 9  / / N ''(;(;u'Mi C ..  ##  3 3u$  B &&   " "  + +#  RO #)) * , 3 3O D  44T:N..0H  ` `  ( ( * a C  ))$//y1--#i==%j&88!&)*%.,6 9c J '88!&)9c JE ;;  ' ' 4 ; ;!!1  [[ )) J VD;;Q ?   [[ )) B I I//    sHH 0IJ$ I 0IIJ!,0JJ!$K-80K((K-cURUR:wa?[R"[R"URUR55eUR(d)[R "[R "55eUR(d)[R "[R "55eUR(d)[R "[R "55e[R"URUR5(d)[R "[R"55eg)aCVerifies integrity fields in RawEncryptResponse. Note: This methods assumes that self._PerformIntegrityVerification() is True and that all request CRC32C fields were pupolated. Args: req: messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsRawEncryptRequest() object resp: messages.RawEncryptResponse() object. Returns: Void. Raises: e2e_integrity.ServerSideIntegrityVerificationError if the server reports request integrity verification error. e2e_integrity.ClientSideIntegrityVerificationError if response integrity verification fails. N)r2r ResourceNameVerificationError#GetResourceNameMismatchErrorMessageverifiedPlaintextCrc32c$ClientSideIntegrityVerificationError'GetRequestToServerCorruptedErrorMessage)verifiedAdditionalAuthenticatedDataCrc32c"verifiedInitializationVectorCrc32cr Crc32cMatches ciphertextciphertextCrc32c*GetResponseFromServerCorruptedErrorMessage)r%rLresps r_VerifyResponseIntegrityFields)RawEncrypt._VerifyResponseIntegrityFieldss* xx499  7 7  ; ;CHHdii P   ' '  > >  ? ? A   9 9  > >  ? ? A   2 2  > >  ? ? A    1F1F G G  > >  B B D  Hrc[R"5nURU5nSnURR U5nURU5(aURX45 [R"URURSSS9 UR(dWUR (aES[#[$R&"55SS-n[(R*"UUR SS9 ggg![ R a n[R"U5 SnANSnAff=f![(R,an[.R0"U5eSnAff=f)NT)r overwritez./inialization_vector_)rb)r@GetClientInstancerP8projects_locations_keyRings_cryptoKeys_cryptoKeyVersionsrapitools_exceptionsHttpBadRequestErrorr ProcessHttpBadRequestErrorr.r_r WriteToFileOrStdoutciphertext_filer[r9r4struuiduuid4r WriteBinaryFileContentsr=rr#)r%r-clientrLr^error iv_file_namerGs rRunRawEncrypt.Run s.  , , .F  ' ' -C D6  L L W W d ))$// ))#4+      , ,1J1J/#djjl2CBQ2GG  %%   % % 2K ,  2 26..u556& ;;+  ' ' **+s0D-BD8D5D00D58E' E""E'N) __name__ __module__ __qualname____firstlineno____doc__ staticmethodrr)r.rPr_rr__static_attributes__rtrrrr$s8?B//0Xt0d+rr)ry __future__rrrrlapitools.base.pyrrfgooglecloudsdk.api_lib.cloudkmsrr@googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr r googlecloudsdk.corer googlecloudsdk.core.consoler googlecloudsdk.core.utilr r>CommandrrtrrrsK0&' >A(.180#2*C+C+r