{"id":"91c8ba7f-8ef1-4a62-9e46-a54d17ac0df4","task":"Encrypt and decrypt data with GCP Cloud KMS symmetric keys using key rings","domain":"cloud.google.com","steps":["Create a key ring in a chosen location (region or global); key rings are permanent and cannot be deleted, so name them carefully","Create a symmetric encryption key within the key ring, selecting an algorithm (e.g., GOOGLE_SYMMETRIC_ENCRYPTION) and protection level (SOFTWARE or HSM)","Grant the service account the roles/cloudkms.cryptoKeyEncrypterDecrypter IAM role on the specific key, not the key ring or project, to enforce least privilege","To encrypt, base64-encode your plaintext and call projects/{project}/locations/{location}/keyRings/{ring}/cryptoKeys/{key}:encrypt via the REST API or client library, optionally supplying additionalAuthenticatedData","Store the returned ciphertext (base64-encoded) and, if used, the additionalAuthenticatedData alongside it","To decrypt, call the :decrypt endpoint with the ciphertext and the same additionalAuthenticatedData; the response contains the base64-encoded plaintext"],"gotchas":["Key versions are immutable; to rotate, create a new key version and set it as primary — old versions remain available for decryption of previously encrypted data unless explicitly destroyed","Destroying a key version is irreversible and permanently prevents decryption of data encrypted under that version; maintain a data map before destroying any version","additionalAuthenticatedData must match exactly between encrypt and decrypt calls; a mismatch causes decryption failure with no indication of which field differs"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/91c8ba7f-8ef1-4a62-9e46-a54d17ac0df4"}