namespacegcs=::google::cloud::storage;using::google::cloud::StatusOr;[](gcs::Clientclient,std::stringconst&bucket_name,std::stringconst&object_name,std::stringconst&base64_aes256_key){StatusOr<gcs::ObjectMetadata>object_metadata=client.InsertObject(bucket_name,object_name,"top secret",gcs::EncryptionKey::FromBase64Key(base64_aes256_key));if(!object_metadata)throwstd::move(object_metadata).status();std::cout <<"The object " <<object_metadata->name()            <<" was created in bucket " <<object_metadata->bucket()            <<"\nFull metadata: " <<*object_metadata <<"\n";}

usingGoogle.Cloud.Storage.V1;usingSystem;usingSystem.IO;publicclassUploadEncryptedFileSample{publicvoidUploadEncryptedFile(stringkey="3eFsTXPvqi3BpT2ipFCGirslh1Jgc6ikjoAu2oQ5JcI=",stringbucketName="your-unique-bucket-name",stringlocalPath="my-local-path/my-file-name",stringobjectName="my-file-name"){varstorage=StorageClient.Create();usingvarfileStream=File.OpenRead(localPath);storage.UploadObject(bucketName,objectName,null,fileStream,newUploadObjectOptions{EncryptionKey=EncryptionKey.Create(Convert.FromBase64String(key))});Console.WriteLine($"Uploaded {objectName}.");}}

import("context""fmt""io""time""cloud.google.com/go/storage")// uploadEncryptedFile writes an object using AES-256 encryption key.funcuploadEncryptedFile(wio.Writer,bucket,objectstring,secretKey[]byte)error{// bucket := "bucket-name"// object := "object-name"// secretKey := []byte("secret-key")ctx:=context.Background()client,err:=storage.NewClient(ctx)iferr!=nil{returnfmt.Errorf("storage.NewClient: %w",err)}deferclient.Close()ctx,cancel:=context.WithTimeout(ctx,time.Second*50)defercancel()o:=client.Bucket(bucket).Object(object)// Optional: set a generation-match precondition to avoid potential race// conditions and data corruptions. The request to upload is aborted if the// object's generation number does not match your precondition.// For an object that does not yet exist, set the DoesNotExist precondition.o=o.If(storage.Conditions{DoesNotExist:true})// If the live object already exists in your bucket, set instead a// generation-match precondition using the live object's generation number.// attrs, err := o.Attrs(ctx)// if err != nil {// return fmt.Errorf("object.Attrs: %w", err)// }// o = o.If(storage.Conditions{GenerationMatch: attrs.Generation})// Encrypt the object's contents.wc:=o.Key(secretKey).NewWriter(ctx)if_,err:=wc.Write([]byte("top secret"));err!=nil{returnfmt.Errorf("Writer.Write: %w",err)}iferr:=wc.Close();err!=nil{returnfmt.Errorf("Writer.Close: %w",err)}fmt.Fprintf(w,"Uploaded encrypted object %v.\n",object)returnnil}

importcom.google.cloud.storage.BlobId;importcom.google.cloud.storage.BlobInfo;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.StorageOptions;importjava.io.IOException;importjava.nio.file.Files;importjava.nio.file.Paths;publicclassUploadEncryptedObject{publicstaticvoiduploadEncryptedObject(StringprojectId,StringbucketName,StringobjectName,StringfilePath,StringencryptionKey)throwsIOException{// The ID of your GCP project// String projectId = "your-project-id";// The ID of your GCS bucket// String bucketName = "your-unique-bucket-name";// The ID of your GCS object// String objectName = "your-object-name";// The path to your file to upload// String filePath = "path/to/your/file"// The key to encrypt the object with// String encryptionKey = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=";Storagestorage=StorageOptions.newBuilder().setProjectId(projectId).build().getService();BlobIdblobId=BlobId.of(bucketName,objectName);BlobInfoblobInfo=BlobInfo.newBuilder(blobId).build();// Optional: set a generation-match precondition to avoid potential race// conditions and data corruptions. The request returns a 412 error if the// preconditions are not met.Storage.BlobTargetOptionprecondition;if(storage.get(bucketName,objectName)==null){// For a target object that does not yet exist, set the DoesNotExist precondition.// This will cause the request to fail if the object is created before the request runs.precondition=Storage.BlobTargetOption.doesNotExist();}else{// If the destination already exists in your bucket, instead set a generation-match// precondition. This will cause the request to fail if the existing object's generation// changes before the request runs.precondition=Storage.BlobTargetOption.generationMatch(storage.get(bucketName,objectName).getGeneration());}storage.create(blobInfo,Files.readAllBytes(Paths.get(filePath)),Storage.BlobTargetOption.encryptionKey(encryptionKey),precondition);System.out.println("File "+filePath+" uploaded to bucket "+bucketName+" as "+objectName+" with supplied encryption key");}}

/** * TODO(developer): Uncomment the following lines before running the sample. */// The ID of your GCS bucket// const bucketName = 'your-unique-bucket-name';// The path to your file to upload// const filePath = 'path/to/your/file';// The new ID for your GCS file// const destFileName = 'your-new-file-name';// The key to encrypt the object with// const key = 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=';// Imports the Google Cloud client libraryconst{Storage}=require('@google-cloud/storage');// Creates a clientconststorage=newStorage();asyncfunctionuploadEncryptedFile(){constoptions={destination:destFileName,encryptionKey:Buffer.from(key,'base64'),// Optional:// Set a generation-match precondition to avoid potential race conditions// and data corruptions. The request to upload is aborted if the object's// generation number does not match your precondition. For a destination// object that does not yet exist, set the ifGenerationMatch precondition to 0// If the destination object already exists in your bucket, set instead a// generation-match precondition using its generation number.preconditionOpts:{ifGenerationMatch:generationMatchPrecondition},};awaitstorage.bucket(bucketName).upload(filePath,options);console.log(`File${filePath} uploaded to gs://${bucketName}/${destFileName}`);}uploadEncryptedFile().catch(console.error);

use Google\Cloud\Storage\StorageClient;/** * Upload an encrypted file. * * @param string $bucketName The name of your Cloud Storage bucket. *        (e.g. 'my-bucket') * @param string $objectName The name of your Cloud Storage object. *        (e.g. 'my-object') * @param string $source The path to the file to upload. *        (e.g. '/path/to/your/file') * @param string $base64EncryptionKey The base64 encoded encryption key. *        (e.g. 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=') */function upload_encrypted_object(string $bucketName, string $objectName, string $source, string $base64EncryptionKey): void{    $storage = new StorageClient();    $file = fopen($source, 'r');    $bucket = $storage->bucket($bucketName);    $object = $bucket->upload($file, [        'name' => $objectName,        'encryptionKey' => $base64EncryptionKey,    ]);    printf('Uploaded encrypted %s to gs://%s/%s' . PHP_EOL,        basename($source), $bucketName, $objectName);}

importbase64fromgoogle.cloudimportstoragedefupload_encrypted_blob(bucket_name,source_file_name,destination_blob_name,base64_encryption_key,):"""Uploads a file to a Google Cloud Storage bucket using a custom    encryption key.    The file will be encrypted by Google Cloud Storage and only    retrievable using the provided encryption key.    """# bucket_name = "your-bucket-name"# source_file_name = "local/path/to/file"# destination_blob_name = "storage-object-name"# base64_encryption_key = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g="storage_client=storage.Client()bucket=storage_client.bucket(bucket_name)# Encryption key must be an AES256 key represented as a bytestring with# 32 bytes. Since it's passed in as a base64 encoded string, it needs# to be decoded.encryption_key=base64.b64decode(base64_encryption_key)blob=bucket.blob(destination_blob_name,encryption_key=encryption_key)# Optional: set a generation-match precondition to avoid potential race conditions# and data corruptions. The request to upload is aborted if the object's# generation number does not match your precondition. For a destination# object that does not yet exist, set the if_generation_match precondition to 0.# If the destination object already exists in your bucket, set instead a# generation-match precondition using its generation number.generation_match_precondition=0blob.upload_from_filename(source_file_name,if_generation_match=generation_match_precondition)print(f"File{source_file_name} uploaded to{destination_blob_name}.")

defupload_encrypted_filebucket_name:,local_file_path:,file_name:nil,encryption_key:# The ID of your GCS bucket# bucket_name = "your-unique-bucket-name"# The path to your file to upload# local_file_path = "/local/path/to/file.txt"# The ID of your GCS object# file_name = "your-file-name"# The encryption key used for securing the object must be a 32-byte key consisting of raw encrypted data.# Key used should not be base64 encoded.# encryption_key = "your-encryption-key"require"google/cloud/storage"storage=Google::Cloud::Storage.newbucket=storage.bucketbucket_name,skip_lookup:truefile=bucket.create_filelocal_file_path,file_name,encryption_key:encryption_keyputs"Uploaded#{file.name} with encryption key"end

namespacegcs=::google::cloud::storage;[](gcs::Clientclient,std::stringconst&bucket_name,std::stringconst&object_name,std::stringconst&base64_aes256_key){gcs::ObjectReadStreamstream=client.ReadObject(bucket_name,object_name,gcs::EncryptionKey::FromBase64Key(base64_aes256_key));std::stringdata(std::istreambuf_iterator<char>{stream},{});if(stream.bad())throwgoogle::cloud::Status(stream.status());std::cout <<"The object contents are: " <<data <<"\n";}

usingGoogle.Cloud.Storage.V1;usingSystem;usingSystem.IO;publicclassDownloadEncryptedFileSample{publicvoidDownloadEncryptedFile(stringkey="3eFsTXPvqi3BpT2ipFCGirslh1Jgc6ikjoAu2oQ5JcI=",stringbucketName="your-unique-bucket-name",stringobjectName="my-file-name",stringlocalPath="my-local-path/my-file-name"){varstorage=StorageClient.Create();usingvaroutputFile=File.OpenWrite(localPath);storage.DownloadObject(bucketName,objectName,outputFile,newDownloadObjectOptions{EncryptionKey=EncryptionKey.Create(Convert.FromBase64String(key))});Console.WriteLine($"Downloaded {objectName} to {localPath}.");}}

import("context""fmt""io""time""cloud.google.com/go/storage")// downloadEncryptedFile reads an encrypted object.funcdownloadEncryptedFile(wio.Writer,bucket,objectstring,secretKey[]byte)([]byte,error){// bucket := "bucket-name"// object := "object-name"// key := []byte("secret-encryption-key")ctx:=context.Background()client,err:=storage.NewClient(ctx)iferr!=nil{returnnil,fmt.Errorf("storage.NewClient: %w",err)}deferclient.Close()obj:=client.Bucket(bucket).Object(object)ctx,cancel:=context.WithTimeout(ctx,time.Second*50)defercancel()rc,err:=obj.Key(secretKey).NewReader(ctx)iferr!=nil{returnnil,fmt.Errorf("Object(%q).Key(%q).NewReader: %w",object,secretKey,err)}deferrc.Close()data,err:=io.ReadAll(rc)iferr!=nil{returnnil,fmt.Errorf("io.ReadAll: %w",err)}fmt.Fprintf(w,"File %v downloaded with encryption key.\n",object)returndata,nil}

importcom.google.cloud.storage.Blob;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.StorageOptions;importjava.io.IOException;importjava.nio.file.Path;publicclassDownloadEncryptedObject{publicstaticvoiddownloadEncryptedObject(StringprojectId,StringbucketName,StringobjectName,PathdestFilePath,StringdecryptionKey)throwsIOException{// The ID of your GCP project// String projectId = "your-project-id";// The ID of your GCS bucket// String bucketName = "your-unique-bucket-name";// The ID of your GCS object// String objectName = "your-object-name";// The path to which the file should be downloaded// Path destFilePath = Paths.get("/local/path/to/file.txt");// The Base64 encoded decryption key, which should be the same key originally used to encrypt// the object// String decryptionKey = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=";Storagestorage=StorageOptions.newBuilder().setProjectId(projectId).build().getService();Blobblob=storage.get(bucketName,objectName);blob.downloadTo(destFilePath,Blob.BlobSourceOption.decryptionKey(decryptionKey));System.out.println("Downloaded object "+objectName+" from bucket name "+bucketName+" to "+destFilePath+" using customer-supplied encryption key");}}

/** * TODO(developer): Uncomment the following lines before running the sample. */// The ID of your GCS bucket// const bucketName = 'your-unique-bucket-name';// The ID of your GCS file// const srcFileName = 'your-file-name';// The path to which the file should be downloaded// const destFileName = '/local/path/to/file.txt';// The Base64 encoded decryption key, which should be the same key originally// used to encrypt the file// const encryptionKey = 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=';// Imports the Google Cloud client libraryconst{Storage}=require('@google-cloud/storage');// Creates a clientconststorage=newStorage();asyncfunctiondownloadEncryptedFile(){constoptions={destination:destFileName,};// Decrypts and downloads the file. This can only be done with the key used// to encrypt and upload the file.awaitstorage.bucket(bucketName).file(srcFileName).setEncryptionKey(Buffer.from(encryptionKey,'base64')).download(options);console.log(`File${srcFileName} downloaded to${destFileName}`);}downloadEncryptedFile().catch(console.error);

use Google\Cloud\Storage\StorageClient;/** * Download an encrypted file * * @param string $bucketName The name of your Cloud Storage bucket. *        (e.g. 'my-bucket') * @param string $objectName The name of your Cloud Storage object. *        (e.g. 'my-object') * @param string $destination The local destination to save the encrypted file. *        (e.g. '/path/to/your/file') * @param string $base64EncryptionKey The base64 encoded encryption key. Should *        (e.g. 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=') *     be the same key originally used to encrypt the object. */function download_encrypted_object(string $bucketName, string $objectName, string $destination, string $base64EncryptionKey): void{    $storage = new StorageClient();    $bucket = $storage->bucket($bucketName);    $object = $bucket->object($objectName);    $object->downloadToFile($destination, [        'encryptionKey' => $base64EncryptionKey,    ]);    printf('Encrypted object gs://%s/%s downloaded to %s' . PHP_EOL,        $bucketName, $objectName, basename($destination));}

importbase64fromgoogle.cloudimportstoragedefdownload_encrypted_blob(bucket_name,source_blob_name,destination_file_name,base64_encryption_key,):"""Downloads a previously-encrypted blob from Google Cloud Storage.    The encryption key provided must be the same key provided when uploading    the blob.    """# bucket_name = "your-bucket-name"# source_blob_name = "storage-object-name"# destination_file_name = "local/path/to/file"# base64_encryption_key = "base64-encoded-encryption-key"storage_client=storage.Client()bucket=storage_client.bucket(bucket_name)# Encryption key must be an AES256 key represented as a bytestring with# 32 bytes. Since it's passed in as a base64 encoded string, it needs# to be decoded.encryption_key=base64.b64decode(base64_encryption_key)blob=bucket.blob(source_blob_name,encryption_key=encryption_key)blob.download_to_filename(destination_file_name)print(f"Blob{source_blob_name} downloaded to{destination_file_name}.")

defdownload_encrypted_filebucket_name:,file_name:,local_file_path:,encryption_key:# The ID of your GCS bucket# bucket_name = "your-unique-bucket-name"# The ID of your GCS object# file_name = "your-file-name"# The path to which the file should be downloaded# local_file_path = "/local/path/to/file.txt"# The Base64 encoded decryption key, which should be the same key originally used to encrypt the object# encryption_key = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g="require"google/cloud/storage"storage=Google::Cloud::Storage.newbucket=storage.bucketbucket_name,skip_lookup:truefile=bucket.filefile_name,encryption_key:encryption_keyfile.downloadlocal_file_path,encryption_key:encryption_keyputs"Downloaded encrypted#{file.name} to#{local_file_path}"end

namespacegcs=::google::cloud::storage;using::google::cloud::StatusOr;[](gcs::Clientclient,std::stringconst&bucket_name,std::stringconst&object_name,std::stringconst&old_key_base64,std::stringconst&new_key_base64){StatusOr<gcs::ObjectMetadata>object_metadata=client.RewriteObjectBlocking(bucket_name,object_name,bucket_name,object_name,gcs::SourceEncryptionKey::FromBase64Key(old_key_base64),gcs::EncryptionKey::FromBase64Key(new_key_base64));if(!object_metadata)throwstd::move(object_metadata).status();std::cout <<"Rotated key on object " <<object_metadata->name()            <<" in bucket " <<object_metadata->bucket()            <<"\nFull Metadata: " <<*object_metadata <<"\n";}

usingGoogle.Cloud.Storage.V1;usingSystem;usingSystem.IO;publicclassObjectRotateEncryptionKeySample{publicvoidObjectRotateEncryptionKey(stringbucketName="your-unique-bucket-name",stringobjectName="your-object-name",stringcurrrentEncryptionKey="TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=",stringnewEncryptionKey="ARbt/judaq+VmtXzAsc83J4z5kFmWJ6NdAPQuleuB7g="){varstorage=StorageClient.Create();usingvaroutputStream=newMemoryStream();storage.DownloadObject(bucketName,objectName,outputStream,newDownloadObjectOptions(){EncryptionKey=EncryptionKey.Create(Convert.FromBase64String(currrentEncryptionKey))});outputStream.Position=0;storage.UploadObject(bucketName,objectName,null,outputStream,newUploadObjectOptions(){EncryptionKey=EncryptionKey.Create(Convert.FromBase64String(newEncryptionKey))});Console.WriteLine($"Rotated encryption key for object  {objectName} in bucket {bucketName}");}}

import("context""fmt""io""time""cloud.google.com/go/storage")// rotateEncryptionKey encrypts an object with the newKey.funcrotateEncryptionKey(wio.Writer,bucket,objectstring,key,newKey[]byte)error{// bucket := "bucket-name"// object := "object-name"// key := []byte("encryption-key")// newKey := []byte("new-encryption-key")ctx:=context.Background()client,err:=storage.NewClient(ctx)iferr!=nil{returnfmt.Errorf("storage.NewClient: %w",err)}deferclient.Close()ctx,cancel:=context.WithTimeout(ctx,time.Second*10)defercancel()o:=client.Bucket(bucket).Object(object)// Optional: set a generation-match precondition to avoid potential race// conditions and data corruptions. The request to copy is aborted if the// object's generation number does not match your precondition.attrs,err:=o.Attrs(ctx)iferr!=nil{returnfmt.Errorf("object.Attrs: %w",err)}o=o.If(storage.Conditions{GenerationMatch:attrs.Generation})// You can't change an object's encryption key directly, you must rewrite the// object using the new key._,err=o.Key(newKey).CopierFrom(o.Key(key)).Run(ctx)iferr!=nil{returnfmt.Errorf("Key(%q).CopierFrom(%q).Run: %w",newKey,key,err)}fmt.Fprintf(w,"Key rotation complete for blob %v.\n",object)returnnil}

importcom.google.cloud.storage.Blob;importcom.google.cloud.storage.BlobId;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.StorageOptions;publicclassRotateObjectEncryptionKey{publicstaticvoidrotateObjectEncryptionKey(StringprojectId,StringbucketName,StringobjectName,StringoldEncryptionKey,StringnewEncryptionKey){// The ID of your GCP project// String projectId = "your-project-id";// The ID of your GCS bucket// String bucketName = "your-unique-bucket-name";// The ID of your GCS object// String objectName = "your-object-name";// The Base64 encoded AES-256 encryption key originally used to encrypt the object. See the// documentation// on Customer-Supplied Encryption keys for more info:// https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys// String oldEncryptionKey = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g="// The new encryption key to use// String newEncryptionKey = "0mMWhFvQOdS4AmxRpo8SJxXn5MjFhbz7DkKBUdUIef8="Storagestorage=StorageOptions.newBuilder().setProjectId(projectId).build().getService();BlobIdblobId=BlobId.of(bucketName,objectName);Blobblob=storage.get(blobId);if(blob==null){System.out.println("The object "+objectName+" wasn't found in "+bucketName);return;}// Optional: set a generation-match precondition to avoid potential race// conditions and data corruptions. The request to upload returns a 412 error if// the object's generation number does not match your precondition.Storage.BlobSourceOptionprecondition=Storage.BlobSourceOption.generationMatch(blob.getGeneration());// You can't change an object's encryption key directly, the only way is to overwrite the objectStorage.CopyRequestrequest=Storage.CopyRequest.newBuilder().setSource(blobId).setSourceOptions(Storage.BlobSourceOption.decryptionKey(oldEncryptionKey),precondition).setTarget(blobId,Storage.BlobTargetOption.encryptionKey(newEncryptionKey)).build();storage.copy(request);System.out.println("Rotated encryption key for object "+objectName+"in bucket "+bucketName);}}

/** * TODO(developer): Uncomment the following lines before running the sample. */// The ID of your GCS bucket// const bucketName = 'your-unique-bucket-name';// The ID of your GCS file// const fileName = 'your-file-name';// The Base64 encoded AES-256 encryption key originally used to encrypt the// object. See the documentation on Customer-Supplied Encryption keys for// more info:// https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys// The Base64 encoded AES-256 encryption key originally used to encrypt the// const oldKey = 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=';// The new encryption key to use// const newKey = '0mMWhFvQOdS4AmxRpo8SJxXn5MjFhbz7DkKBUdUIef8=';// Imports the Google Cloud client libraryconst{Storage}=require('@google-cloud/storage');// Creates a clientconststorage=newStorage();asyncfunctionrotateEncryptionKey(){constrotateEncryptionKeyOptions={encryptionKey:Buffer.from(newKey,'base64'),// Optional: set a generation-match precondition to avoid potential race// conditions and data corruptions. The request to copy is aborted if the// object's generation number does not match your precondition.preconditionOpts:{ifGenerationMatch:generationMatchPrecondition,},};awaitstorage.bucket(bucketName).file(fileName,{encryptionKey:Buffer.from(oldKey,'base64'),}).rotateEncryptionKey({rotateEncryptionKeyOptions,});console.log('Encryption key rotated successfully');}rotateEncryptionKey().catch(console.error);

use Google\Cloud\Storage\StorageClient;/** * Change the encryption key used to store an existing object. * * @param string $bucketName The name of your Cloud Storage bucket. *        (e.g. 'my-bucket') * @param string $objectName The name of your Cloud Storage object. *        (e.g. 'my-object') * @param string $oldBase64EncryptionKey The Base64 encoded AES-256 encryption *     key originally used to encrypt the object. See the documentation on *     Customer-Supplied Encryption keys for more info: *     https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys *        (e.g. 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=') * @param string $newBase64EncryptionKey The new base64 encoded encryption key. *        (e.g. '0mMWhFvQOdS4AmxRpo8SJxXn5MjFhbz7DkKBUdUIef8=') */function rotate_encryption_key(    string $bucketName,    string $objectName,    string $oldBase64EncryptionKey,    string $newBase64EncryptionKey): void {    $storage = new StorageClient();    $object = $storage->bucket($bucketName)->object($objectName);    $rewrittenObject = $object->rewrite($bucketName, [        'encryptionKey' => $oldBase64EncryptionKey,        'destinationEncryptionKey' => $newBase64EncryptionKey,    ]);    printf('Rotated encryption key for object gs://%s/%s' . PHP_EOL,        $bucketName, $objectName);}

importbase64fromgoogle.cloudimportstoragedefrotate_encryption_key(bucket_name,blob_name,base64_encryption_key,base64_new_encryption_key):"""Performs a key rotation by re-writing an encrypted blob with a new    encryption key."""storage_client=storage.Client()bucket=storage_client.bucket(bucket_name)current_encryption_key=base64.b64decode(base64_encryption_key)new_encryption_key=base64.b64decode(base64_new_encryption_key)# Both source_blob and destination_blob refer to the same storage object,# but destination_blob has the new encryption key.source_blob=bucket.blob(blob_name,encryption_key=current_encryption_key)destination_blob=bucket.blob(blob_name,encryption_key=new_encryption_key)generation_match_precondition=Nonetoken=None# Optional: set a generation-match precondition to avoid potential race conditions# and data corruptions. The request to rewrite is aborted if the object's# generation number does not match your precondition.source_blob.reload()# Fetch blob metadata to use in generation_match_precondition.generation_match_precondition=source_blob.generationwhileTrue:token,bytes_rewritten,total_bytes=destination_blob.rewrite(source_blob,token=token,if_generation_match=generation_match_precondition)iftokenisNone:breakprint(f"Key rotation complete for Blob{blob_name}")

defrotate_encryption_keybucket_name:,file_name:,current_encryption_key:,new_encryption_key:# The ID of your GCS bucket# bucket_name = "your-unique-bucket-name"# The ID of your GCS object# file_name = "your-file-name"# The Base64 encoded AES-256 encryption key originally used to encrypt the object.# See the documentation on Customer-Supplied Encryption keys for more info:# https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys# current_encryption_key = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g="# The new encryption key to use# new_encryption_key = "0mMWhFvQOdS4AmxRpo8SJxXn5MjFhbz7DkKBUdUIef8="require"google/cloud/storage"storage=Google::Cloud::Storage.newbucket=storage.bucketbucket_name,skip_lookup:truefile=bucket.filefile_name,encryption_key:current_encryption_keyfile.rotateencryption_key:current_encryption_key,new_encryption_key:new_encryption_keyputs"The encryption key for#{file.name} in#{bucket.name} was rotated."end