IssueTracker

Description:

Currently, the Cloud KMS Encrypt/Decrypt API does not explicitly return the encryption method used by the corresponding CryptoKeyVersion. This information is good for applications to ensure they are using the correct key type (symmetric or asymmetric) for the intended cryptographic operation.

Justification:

• Improved application security: By explicitly including the encryption method in the response, applications can verify if the CryptoKeyVersion used for encryption/decryption is of the expected type (symmetric or asymmetric) based on the chosen algorithm (AES-256, RSA-2048). This additional validation step helps mitigate potential security risks associated with using the wrong key type.
• Simplified development and debugging: Developers can easily confirm the encryption method used during the operation, streamlining development and debugging processes.

Current Behavior:

The Cloud KMS Encrypt/Decrypt API response provides details about the CryptoKeyVersion used, including its name and state, but it lacks information about the specific encryption method associated with that version.

Desired Behavior:

The API response should include an additional field indicating the encryption method supported by the CryptoKeyVersion. This field could be a string value such as "SYMMETRIC" or "ASYMMETRIC".

Reference:

For reference, the CryptoKeyVersion resource schema does contain the algorithm field, which specifies the supported algorithm (e.g., "GOOGLE_SYMMETRIC_ENCRYPTION" or "RSA"). However, this information is not currently exposed through the Encrypt/Decrypt API.

https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions#resource:-cryptokeyversion

Benefits:

• Enhanced application security through explicit validation of key type.
• Streamlined development and debugging workflows.
• Improved clarity and control for developers using Cloud KMS.