Asymmetric encryption
Asymmetric encryption is the process of using a public key from a
public/private key pair to encrypt plaintext, and then using the corresponding
private key to decrypt the ciphertext. Asymmetric encryption relies on
asymmetric cryptography, also known as public key cryptography.
Symmetric encryption, on the other hand, uses the same key to encrypt and
decrypt data.
Asymmetric encryption workflow
The following describes the flow for using an asymmetric key to encrypt and
decrypt data. The two participants in this workflow are a sender and a
recipient. The sender creates ciphertext using the recipient's public key, and
then the recipient decrypts the ciphertext using the recipient's private key.
Only someone with access to the private key can decrypt the ciphertext. The
public key can be shared freely, but the sender must obtain it from a source it
trusts: if an attacker substitutes their own public key in step 1, the attacker,
not the recipient, can read the plaintext.
1. The sender retrieves the recipient's public key.
2. The sender uses the public key to encrypt plaintext.
3. The sender sends the ciphertext to the recipient.
4. The recipient uses the recipient's private key to decrypt the ciphertext. The
recipient can now view the plaintext.
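The four steps above, as an added Go example that is not Cloud KMS sample code: the recipient generates a key pair and hands out its public key as a PEM block (the form Cloud KMS returns), the sender parses that PEM and encrypts with RSA-OAEP, and the recipient decrypts. The `Recipient`, `SenderEncrypt`, `RoundTrip` and `FailureModes` names are this example's own, the messages are constructed, and a locally generated key pair stands in for a key held in Cloud KMS. It also shows two outcomes worth knowing before you wire this up: decryption under the wrong private key, and encryption with a different OAEP digest than the key uses, both fail closed rather than producing garbage.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"hash"
)

// Recipient holds the private half of the key pair. In the Cloud KMS model this
// is the material that never leaves the service; only Decrypt runs "there".
type Recipient struct{ priv *rsa.PrivateKey }

// NewRecipient generates a 2048-bit key pair; a broken system RNG is not worth recovering from here.
func NewRecipient() *Recipient {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Recipient{priv: priv}
}

// PublicKeyPEM is what step 1 hands to the sender: the public key as a PKIX
// "PUBLIC KEY" PEM block, the same shape Cloud KMS returns for an asymmetric key.
func (r *Recipient) PublicKeyPEM() []byte {
	der, err := x509.MarshalPKIXPublicKey(&r.priv.PublicKey)
	if err != nil {
		panic(err) // cannot happen for an *rsa.PublicKey
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// Decrypt is step 4: RSA-OAEP with SHA-256; the sender must have padded with the same digest.
func (r *Recipient) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, ciphertext, nil)
}

// SenderEncrypt is step 2: parse the PEM retrieved in step 1 and encrypt with
// RSA-OAEP under the given digest. The sender never touches a private key.
func SenderEncrypt(pubPEM, plaintext []byte, digest hash.Hash) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block in input")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	return rsa.EncryptOAEP(digest, rand.Reader, pub, plaintext, nil)
}

// RoundTrip runs the four steps (step 3, sending the ciphertext, is just the
// value crossing from sender to recipient) and returns what is recovered.
func RoundTrip(message string) (string, error) {
	recipient := NewRecipient()
	ct, err := SenderEncrypt(recipient.PublicKeyPEM(), []byte(message), sha256.New())
	if err != nil {
		return "", err
	}
	pt, err := recipient.Decrypt(ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// FailureModes shows two outcomes to expect in practice: a ciphertext made for
// key A is rejected by key B (OAEP fails closed instead of yielding garbage), and
// a ciphertext padded with SHA-1 OAEP is rejected by a key that expects SHA-256.
func FailureModes() (wrongKeyRejected, digestMismatchRejected bool) {
	a, b := NewRecipient(), NewRecipient()
	ct, err := SenderEncrypt(a.PublicKeyPEM(), []byte("for A only"), sha256.New())
	if err != nil {
		panic(err)
	}
	_, errWrongKey := b.Decrypt(ct)
	ctSHA1, err := SenderEncrypt(a.PublicKeyPEM(), []byte("padded with SHA-1"), sha1.New())
	if err != nil {
		panic(err)
	}
	_, errDigest := a.Decrypt(ctSHA1)
	return errWrongKey != nil, errDigest != nil
}

func main() {
	got, err := RoundTrip("hello, recipient")
	wrongKey, wrongDigest := FailureModes()
	fmt.Printf("recovered=%q err=%v wrongKeyRejected=%v digestMismatchRejected=%v\n", got, err, wrongKey, wrongDigest)
}
```

The digest-mismatch case is the one that bites in practice with Cloud KMS: the key's algorithm fixes the OAEP digest, so the OpenSSL invocation or SDK call on the sender side has to be configured with that same digest, or every decrypt request is rejected.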
Example use case for asymmetric encryption
Asymmetric encryption only supports a very small plaintext size: an RSA-OAEP
ciphertext can carry at most the key's modulus length minus the padding
overhead (190 bytes for a 2048-bit key with a SHA-256 digest), so asymmetric
encryption is generally used for encryption keys, not large pieces of data. As
an example, you can use asymmetric encryption as a variation of envelope
encryption. In this scenario, the data itself is encrypted with a symmetric
data encryption key (DEK), and anyone with access to the public key can encrypt
the DEK. Only Cloud KMS can then decrypt the encrypted DEK, on behalf of a
caller who is authorized to use the asymmetric key; the private key never
leaves Cloud KMS, and the bulk data never has to be sent to it.
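The envelope variant described above, as an added Go example that is not Cloud KMS code: the sender generates a DEK, encrypts the bulk data with AES-256-GCM, and wraps only the DEK with the recipient's RSA public key; the private-key holder (Cloud KMS, in the page's scenario) unwraps the DEK and the recipient decrypts the data locally. `Envelope`, `Seal`, `UnwrapDEK`, `Open`, `OAEPLimit` and `Demo` are this example's own names, the payload is constructed, and a locally generated RSA key stands in for the Cloud KMS key. `OAEPLimit` also demonstrates the plaintext bound the paragraph refers to: RSA-OAEP with a 2048-bit key and SHA-256 takes exactly 190 bytes and refuses 191.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the sender ships: bulk data under AES-256-GCM with a fresh DEK, plus that DEK wrapped under RSA.
type Envelope struct {
	WrappedDEK []byte // RSA-OAEP(SHA-256) ciphertext of the 32-byte DEK
	Nonce      []byte // 12-byte GCM nonce, fresh for every DEK
	Ciphertext []byte // AES-GCM output with the auth tag appended
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side and needs only the public key: generate a DEK, encrypt
// the data with it, then wrap the DEK with RSA-OAEP.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh DEK followed by a fresh standard-size GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}, nil
}

// UnwrapDEK is the only operation the private key owner performs. In the page's
// scenario this is the Cloud KMS decrypt call: it returns the DEK, never the data.
func UnwrapDEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Open is the recipient side: recover the DEK, then authenticate and decrypt the
// data locally. A modified ciphertext or tag fails here instead of yielding garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := UnwrapDEK(priv, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// OAEPLimit shows why the DEK indirection is needed. RSA-OAEP takes at most
// k - 2*hLen - 2 bytes (RFC 8017, section 7.1.1), i.e. 256 - 64 - 2 = 190 for a
// 2048-bit key with SHA-256: exactly that many still encrypts, one more is refused.
func OAEPLimit(pub *rsa.PublicKey) (limit int, atLimitOK, overLimitRejected bool) {
	limit = pub.Size() - 2*sha256.Size - 2
	_, errAt := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, make([]byte, limit), nil)
	_, errOver := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, make([]byte, limit+1), nil)
	return limit, errAt == nil, errOver != nil
}

// Demo runs the envelope flow over a ~1 MiB constructed payload (far beyond any
// RSA limit) and reports the OAEP limit plus round-trip, tamper and limit checks.
func Demo() (limit int, roundTrips, tamperDetected, limitEnforced bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, false, false, false, err
	}
	data := bytes.Repeat([]byte("constructed sample payload\n"), 40000)
	env, err := Seal(&priv.PublicKey, data)
	if err != nil {
		return 0, false, false, false, err
	}
	got, err := Open(priv, env)
	if err != nil {
		return 0, false, false, false, err
	}
	env.Ciphertext[0] ^= 0x01 // flip one bit of the bulk data in transit
	_, tamperErr := Open(priv, env)
	limit, atOK, overRejected := OAEPLimit(&priv.PublicKey)
	return limit, bytes.Equal(got, data), tamperErr != nil, atOK && overRejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

The split of responsibilities is the point: only `UnwrapDEK` needs the private key, and it handles 32 bytes regardless of how large the data is, which is what keeps the Cloud KMS call small and the bulk data out of the service.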
Asymmetric encryption algorithms
Cloud Key Management Service supports RSA algorithms for asymmetric encryption. RSA is
an industry standard algorithm and offers choices of key size and digest
algorithm. Cloud KMS uses RSA with OAEP padding, and the digest named in the
key's algorithm is used both as the OAEP hash and for the MGF1 mask generation
function, so the tool that encrypts must be configured with that same digest
or Cloud KMS rejects the ciphertext. RSA cryptography relies on the difficulty
of factoring the public modulus, the product of two large primes, back into
those primes. The larger the key size, the more difficult the factoring is.
Cloud KMS asymmetric encryption functionality
Cloud KMS provides the following functionality related to
asymmetric encryption.
- Ability to create an asymmetric key with key purpose of
ASYMMETRIC_DECRYPT. The algorithm chosen at creation fixes the key size and
the OAEP digest for the lifetime of the key.
- Ability to retrieve the public key for an asymmetric key. You use the
public key to encrypt data. Cloud KMS does not directly
provide a method to asymmetrically encrypt data. Instead, you encrypt data using
openly available SDKs and tools, such as OpenSSL. These SDKs and tools
require the public key that you retrieve from Cloud KMS. Retrieve it through
the authenticated Cloud KMS API rather than from an untrusted intermediary, and
check the CRC32C that the API returns alongside the PEM, so that you never
encrypt to a substituted or corrupted key.
- Ability to decrypt data with an asymmetric key. Only this operation uses
the private key, and it runs inside Cloud KMS.
Last updated 2025-08-28 UTC.