mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 02:25:19 +00:00
gcloud: Wed Aug 2 11:22:33 UTC 2023
This commit is contained in:
parent
4558a00e48
commit
678b9afba9
240 changed files with 7837 additions and 521 deletions
|
|
@ -70,6 +70,12 @@ COMMANDS
|
|||
mac-verify
|
||||
Verify a user signature file using a MAC key version.
|
||||
|
||||
raw-decrypt
|
||||
Decrypt a ciphertext file using a raw key.
|
||||
|
||||
raw-encrypt
|
||||
Encrypt a plaintext file using a raw key.
|
||||
|
||||
NOTES
|
||||
These variants are also available:
|
||||
|
||||
|
|
|
|||
|
|
@ -5,8 +5,9 @@ NAME
|
|||
SYNOPSIS
|
||||
gcloud kms inventory search-protected-resources --scope=ORGANIZATION_ID
|
||||
(--keyname=KEYNAME : --keyring=KEYRING --location=LOCATION)
|
||||
[--filter=EXPRESSION] [--limit=LIMIT] [--page-size=PAGE_SIZE]
|
||||
[--sort-by=[FIELD,...]] [--uri] [GCLOUD_WIDE_FLAG ...]
|
||||
[--resource-types=[RESOURCE_TYPES,...]] [--filter=EXPRESSION]
|
||||
[--limit=LIMIT] [--page-size=PAGE_SIZE] [--sort-by=[FIELD,...]] [--uri]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
gcloud kms inventory search-protected-resources returns a list of the
|
||||
|
|
@ -59,6 +60,23 @@ REQUIRED FLAGS
|
|||
specified name;
|
||||
▸ provide the argument --location on the command line.
|
||||
|
||||
FLAGS
|
||||
--resource-types=[RESOURCE_TYPES,...]
|
||||
A list of resource types that this request searches for. If empty, it
|
||||
will search all the trackable resource types
|
||||
(https://cloud.google.com/kms/docs/view-key-usage#tracked-resource-types).
|
||||
|
||||
Regular expressions are also supported. For example:
|
||||
|
||||
◆ compute.googleapis.com.* snapshots resources whose type starts with
|
||||
compute.googleapis.com.
|
||||
◆ .*Image snapshots resources whose type ends with Image.
|
||||
◆ .*Image.* snapshots resources whose type contains Image.
|
||||
|
||||
See RE2 (https://github.com/google/re2/wiki/Syntax) for all supported
|
||||
regular expression syntax. If the regular expression does not match any
|
||||
supported resource type, an INVALID_ARGUMENT error will be returned.
|
||||
|
||||
LIST COMMAND FLAGS
|
||||
--filter=EXPRESSION
|
||||
Apply a Boolean filter EXPRESSION to each resource item to be listed.
|
||||
|
|
|
|||
95
gcloud/kms/raw-decrypt
Normal file
95
gcloud/kms/raw-decrypt
Normal file
|
|
@ -0,0 +1,95 @@
|
|||
NAME
|
||||
gcloud kms raw-decrypt - decrypt a ciphertext file using a raw key
|
||||
|
||||
SYNOPSIS
|
||||
gcloud kms raw-decrypt --ciphertext-file=CIPHERTEXT_FILE
|
||||
--plaintext-file=PLAINTEXT_FILE
|
||||
[--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE]
|
||||
[--initialization-vector-file=INITIALIZATION_VECTOR_FILE] [--key=KEY]
|
||||
[--keyring=KEYRING] [--location=LOCATION]
|
||||
[--skip-integrity-verification] [--version=VERSION]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
gcloud kms raw-decrypt decrypts the given ciphertext file using the given
|
||||
CryptoKey containing a raw key and writes the result to the named plaintext
|
||||
file. The ciphertext file must not be larger than 64KiB.
|
||||
|
||||
The supported algorithms are: AES-128-GCM, AES-256-GCM, AES-128-CBC,
|
||||
AES-256-CBC, AES-128-CTR, and AES-256-CTR.
|
||||
|
||||
AES-GCM provides authentication which means that it accepts additional
|
||||
authenticated data (AAD). So, the flag --additional-authenticated-data-file
|
||||
is only valid with AES-128-GCM and AES-256-GCM algorithms. If AAD is
|
||||
provided during encryption, it must be provided during decryption too. The
|
||||
file must not be larger than 64KiB.
|
||||
|
||||
If --plaintext-file or --additional-authenticated-data-file or
|
||||
--initialization-vector-file is set to '-', that file is read from stdin.
|
||||
Similarly, if --ciphertext-file is set to '-', the ciphertext is written to
|
||||
stdout.
|
||||
|
||||
By default, the command performs integrity verification on data sent to and
|
||||
received from Cloud KMS. Use --skip-integrity-verification to disable
|
||||
integrity verification.
|
||||
|
||||
EXAMPLES
|
||||
The following command reads and decrypts the file path/to/input/ciphertext.
|
||||
The file will be decrypted using the CryptoKey KEYNAME containing a raw
|
||||
key, from the KeyRing KEYRING in the global location. It uses the
|
||||
additional authenticated data file path/to/input/aad (only valid with the
|
||||
AES-GCM algorithms) and the initialization vector file path/to/input/iv.
|
||||
The resulting plaintext will be written to path/to/output/plaintext.
|
||||
|
||||
$ gcloud kms raw-decrypt --key=KEYNAME --keyring=KEYRING \
|
||||
--location=global --ciphertext-file=path/to/input/ciphertext \
|
||||
--additional-authenticated-data-file=path/to/input/aad \
|
||||
--initialization-vector-file=path/to/input/iv \
|
||||
--plaintext-file=path/to/output/plaintext
|
||||
|
||||
REQUIRED FLAGS
|
||||
--ciphertext-file=CIPHERTEXT_FILE
|
||||
File path of the ciphertext file to decrypt.
|
||||
|
||||
--plaintext-file=PLAINTEXT_FILE
|
||||
File path of the plaintext file to store the decrypted data.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
|
||||
File path to the optional file containing the additional authenticated
|
||||
data.
|
||||
|
||||
--initialization-vector-file=INITIALIZATION_VECTOR_FILE
|
||||
File path to the optional file containing the initialization vector for
|
||||
decryption.
|
||||
|
||||
--key=KEY
|
||||
The (raw) key to use for decryption.
|
||||
|
||||
--keyring=KEYRING
|
||||
Key ring of the key.
|
||||
|
||||
--location=LOCATION
|
||||
Location of the keyring.
|
||||
|
||||
--skip-integrity-verification
|
||||
Skip integrity verification on request and response API fields.
|
||||
|
||||
--version=VERSION
|
||||
Version to use for decryption.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
These variants are also available:
|
||||
|
||||
$ gcloud alpha kms raw-decrypt
|
||||
|
||||
$ gcloud beta kms raw-decrypt
|
||||
|
||||
114
gcloud/kms/raw-encrypt
Normal file
114
gcloud/kms/raw-encrypt
Normal file
|
|
@ -0,0 +1,114 @@
|
|||
NAME
|
||||
gcloud kms raw-encrypt - encrypt a plaintext file using a raw key
|
||||
|
||||
SYNOPSIS
|
||||
gcloud kms raw-encrypt --ciphertext-file=CIPHERTEXT_FILE
|
||||
--plaintext-file=PLAINTEXT_FILE
|
||||
[--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE]
|
||||
[--initialization-vector-file=INITIALIZATION_VECTOR_FILE] [--key=KEY]
|
||||
[--keyring=KEYRING] [--location=LOCATION]
|
||||
[--skip-integrity-verification] [--version=VERSION]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
Encrypts the given plaintext file using the given CryptoKey containing a
|
||||
raw key and writes the result to the named ciphertext file. The plaintext
|
||||
file must not be larger than 64KiB. For the AES-CBC algorithms, no
|
||||
server-side padding is being done, so the plaintext must be a multiple of
|
||||
the block size.
|
||||
|
||||
The supported algorithms are: AES-128-GCM, AES-256-GCM, AES-128-CBC,
|
||||
AES-256-CBC, AES-128-CTR, and AES-256-CTR.
|
||||
|
||||
AES-GCM provides authentication which means that it accepts additional
|
||||
authenticated data (AAD). So, the flag --additional-authenticated-data-file
|
||||
is only valid with AES-128-GCM and AES-256-GCM algorithms.
|
||||
|
||||
The initialization vector (flag --initialization-vector-file) is only
|
||||
supported for AES-CBC and AES-CTR algorithms, and must be 16B in length.
|
||||
|
||||
Therefore, both additional authenticated data and initialization vector
|
||||
can't be provided during encryption. If an additional authenticated data
|
||||
file is provided, its contents must also be provided during decryption. The
|
||||
file must not be larger than 64KiB.
|
||||
|
||||
The flag --version indicates the version of the key to use for encryption.
|
||||
|
||||
If --plaintext-file or --additional-authenticated-data-file or
|
||||
--initialization-vector-file is set to '-', that file is read from stdin.
|
||||
Similarly, if --ciphertext-file is set to '-', the ciphertext is written to
|
||||
stdout.
|
||||
|
||||
By default, the command performs integrity verification on data sent to and
|
||||
received from Cloud KMS. Use --skip-integrity-verification to disable
|
||||
integrity verification.
|
||||
|
||||
EXAMPLES
|
||||
The following command reads and encrypts the file path/to/input/plaintext.
|
||||
The file will be encrypted using the AES-GCM CryptoKey KEYNAME from the
|
||||
KeyRing KEYRING in the global location using the additional authenticated
|
||||
data file path/to/input/aad. The resulting ciphertext will be written to
|
||||
path/to/output/ciphertext.
|
||||
|
||||
$ gcloud kms raw-encrypt --key=KEYNAME --keyring=KEYRING \
|
||||
--location=global --plaintext-file=path/to/input/plaintext \
|
||||
--additional-authenticated-data-file=path/to/input/aad \
|
||||
--ciphertext-file=path/to/output/ciphertext
|
||||
|
||||
The following command reads and encrypts the file path/to/input/plaintext.
|
||||
The file will be encrypted using the AES-CBC CryptoKey KEYNAME from the
|
||||
KeyRing KEYRING in the global location using the initialization vector
|
||||
stored at path/to/input/aad. The resulting ciphertext will be written to
|
||||
path/to/output/ciphertext.
|
||||
|
||||
$ gcloud kms raw-encrypt --key=KEYNAME --keyring=KEYRING \
|
||||
--location=global --plaintext-file=path/to/input/plaintext \
|
||||
--initialization-vector-file=path/to/input/iv \
|
||||
--ciphertext-file=path/to/output/ciphertext
|
||||
|
||||
REQUIRED FLAGS
|
||||
--ciphertext-file=CIPHERTEXT_FILE
|
||||
File path of the ciphertext file to output.
|
||||
|
||||
--plaintext-file=PLAINTEXT_FILE
|
||||
File path of the plaintext file to encrypt.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--additional-authenticated-data-file=ADDITIONAL_AUTHENTICATED_DATA_FILE
|
||||
File path to the optional file containing the additional authenticated
|
||||
data.
|
||||
|
||||
--initialization-vector-file=INITIALIZATION_VECTOR_FILE
|
||||
File path to the optional file containing the initialization vector for
|
||||
encryption.
|
||||
|
||||
--key=KEY
|
||||
The key to use for encryption.
|
||||
|
||||
--keyring=KEYRING
|
||||
Key ring of the key.
|
||||
|
||||
--location=LOCATION
|
||||
Location of the keyring.
|
||||
|
||||
--skip-integrity-verification
|
||||
Skip integrity verification on request and response API fields.
|
||||
|
||||
--version=VERSION
|
||||
Version to use for encryption.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
These variants are also available:
|
||||
|
||||
$ gcloud alpha kms raw-encrypt
|
||||
|
||||
$ gcloud beta kms raw-encrypt
|
||||
|
||||
Loading…
Add table
Add a link
Reference in a new issue