Asymmetric encryption
Asymmetric encryption is the process of using a public key from a public/private key pair to encrypt plaintext, and then using the corresponding private key to decrypt the ciphertext. Asymmetric encryption relies on asymmetric cryptography, also known as public key cryptography.
Symmetric encryption, on the other hand, uses the same key to encrypt and decrypt data.
Asymmetric encryption workflow
The following describes the flow for using an asymmetric key to encrypt and decrypt data. The two participants in this workflow are a sender and a recipient. The sender creates ciphertext using the recipient's public key, and then the recipient decrypts the ciphertext using the recipient's private key. Only someone with knowledge of the private key can decrypt the ciphertext.
The sender retrieves the recipient's public key.
The sender uses the public key to encrypt plaintext.
The sender sends the ciphertext to the recipient.
The recipient uses the recipient's private key to decrypt the ciphertext. The recipient can now view the plaintext.
Example use case for asymmetric encryption
Asymmetric encryption only supports a very small plaintext size, so asymmetric encryption is generally used for encryption keys, not large pieces of data. As an example, you can use asymmetric encryption as a variation of envelope encryption. In this scenario, anyone with access to the public key can encrypt the data encryption key (DEK). Only Cloud KMS can then decrypt the encrypted DEK, on behalf of the owner of the asymmetric key.
Asymmetric encryption algorithms
Cloud Key Management Service supports RSA algorithms for asymmetric encryption. RSA is an industry standard algorithm and offers choices of key size and digest algorithm. RSA cryptography relies on the difficulty in factoring a large integer into two or more factors. The larger the key size, the more difficult it is to factor the integers.
Cloud KMS asymmetric encryption functionality
Cloud KMS provides the following functionality related to asymmetric encryption.
Ability to create an asymmetric key with key purpose of ASYMMETRIC_DECRYPT. For information about which algorithms Cloud KMS supports, see asymmetric encryption algorithms.
Ability to retrieve the public key for an asymmetric key. You use the public key to encrypt data. Cloud KMS does not directly provide a method to asymmetrically encrypt data. Instead, you encrypt data using openly available SDKs and tools, such as OpenSSL. These SDKs and tools require the public key that you retrieve from Cloud KMS.
Ability to decrypt data with an asymmetric key.
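The DEK wrap and unwrap steps described above, using OpenSSL, as an added example that is not part of the original page or Google's sample code. It assumes a locally generated RSA-2048 key pair standing in for a Cloud KMS key with purpose ASYMMETRIC_DECRYPT, and OAEP with SHA-256 as padding and digest; the function names are hypothetical. It also shows the plaintext size limit that makes RSA suitable for a DEK but not for bulk data.

```shell
#!/usr/bin/env bash
# Added example. Assumption: a local RSA-2048 key pair stands in for the
# Cloud KMS key. With Cloud KMS, pub.pem would be the retrieved public key
# and unwrap_dek would be a decrypt request to Cloud KMS.

# OAEP parameters must be identical on the encrypting and decrypting side.
OAEP="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256"

# Demo stand-in for the recipient's key pair. $1 = private out, $2 = public out
make_demo_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
  openssl pkey -in "$1" -pubout -out "$2"
}

# Sender side: wrap a key file with the recipient's public key.
# $1 = public key PEM, $2 = plaintext key file, $3 = wrapped output
wrap_dek() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" $OAEP -in "$2" -out "$3" 2>/dev/null
}

# Recipient side: unwrap with the private key.
# $1 = private key PEM, $2 = wrapped file, $3 = recovered key output
unwrap_dek() {
  openssl pkeyutl -decrypt -inkey "$1" $OAEP -in "$2" -out "$3" 2>/dev/null
}

# Run the whole flow in a temp dir; prints "ok" when every check holds.
demo() {
  d=$(mktemp -d) || return 1
  make_demo_keypair "$d/priv.pem" "$d/pub.pem" || return 1
  openssl rand -out "$d/dek.bin" 32 || return 1   # 256-bit DEK (constructed)
  wrap_dek "$d/pub.pem" "$d/dek.bin" "$d/dek.wrapped" || return 1
  unwrap_dek "$d/priv.pem" "$d/dek.wrapped" "$d/dek.out" || return 1
  cmp -s "$d/dek.bin" "$d/dek.out" || return 1    # round trip recovers the DEK
  # RSA-2048 with OAEP/SHA-256 carries at most 256 - 2*32 - 2 = 190 bytes.
  head -c 190 /dev/zero > "$d/max.bin"
  head -c 191 /dev/zero > "$d/big.bin"
  wrap_dek "$d/pub.pem" "$d/max.bin" "$d/max.wrapped" || return 1
  # One byte over the limit must be rejected by the encrypt step.
  if wrap_dek "$d/pub.pem" "$d/big.bin" "$d/big.wrapped"; then return 1; fi
  rm -rf "$d"
  echo ok
}

demo
```

The wrapped DEK is always 256 bytes for a 2048-bit key, and wrapping the same DEK twice gives different ciphertexts because OAEP is randomized.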
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies.
Last updated 2026-02-19 UTC.