Akhil Ghatiki

Reputation: 1208

GCP - DLP - Decryption failed: the ciphertext is invalid error when using KMS wrapped key

While trying out on a POC with GCP DLP, facing the below issue:

log:

Received the following error message from Cloud KMS when unwrapping KmsWrappedCryptoKey
 "projects/<<PROJECT_ID>>/locations/global/keyRings/<<KMS_KEY_RING>>/cryptoKeys
/<<KMS_KEY_NAME>>": Decryption failed: the ciphertext is invalid. 

I have just created the key and key ring using the generate key option in KMS and a basic DLP template to pseudonymize the data with a cryptographic deterministic token. The wrapped key I gave is a simple base-64 format key. When testing out this template in the console with the data, I am facing this issue. The same issue is replicated in the application logs when trying to encrypt the data.

P.S.: We have tried generating a manual key using OpenSSL and importing it into KMS. We are still facing this issue.

Attaching a screenshot for reference.

Upvotes: 0

Views: 2110

Answers (1)

Akhil Ghatiki

Reputation: 1208

Figured out the issue in this case.

The issue was with the way we created the wrapped key which we gave in the DLP template. Below are the steps to generate the wrapped key:

  1. Choose the key to be wrapped (could be anything: a string, random bytes, etc.).
  2. Encrypt the key from the above step using the KMS key that you are going to use in the DLP template.
  3. Convert the encrypted key into base64 format and use this in the DLP template.

Below are the commands for above steps in the same order:

openssl rand 16 > secret.txt

This generates a random string of 16 bytes. The size has to be one of 16, 24 or 32 bytes (mandatory).

gcloud kms encrypt --location global --keyring <key-ring-name> \
  --key <key-name> --plaintext-file secret.txt \
  --ciphertext-file mysecret.txt.encrypted

This encrypts the random string with the KMS key.

base64 mysecret.txt.encrypted

Use this in the DLP template.

This answer helped me figure out the issue : https://stackoverflow.com/a/60513800/6908062

Upvotes: 4
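The three steps above, wrapped into shell functions as an added example (this is not code from the original post). It adds two checks a practitioner would want before pasting anything into the template: the data-encryption key (DEK) must be exactly 16, 24 or 32 bytes, and the file handed to `base64` must be the raw KMS ciphertext, not text that is already base64 (a DEK file that decodes cleanly as base64 is assumed here to have been encoded twice, which is what the question's "simple base-64 format key" amounted to). `KEY_RING`, `KEY_NAME` and `LOCATION` are placeholder environment variables you set yourself; `wrap_dek` needs an authenticated `gcloud` and is the only step that touches Google Cloud.

```shell
#!/bin/sh
# Added example, not from the original post. Produces the base64 value for the
# kmsWrapped "wrappedKey" field of a DLP de-identify template.
# Assumed placeholders: KEY_RING, KEY_NAME, and optionally LOCATION (default: global).
set -eu

# DLP's deterministic (AES-SIV) transformation requires an AES key: 16, 24 or 32 bytes.
dek_size_ok() {
  case "$1" in
    16|24|32) return 0 ;;
    *)        return 1 ;;
  esac
}

# Step 1: write SIZE random bytes to FILE, refusing sizes DLP will not accept.
make_dek() {
  size="$1"; out="$2"
  dek_size_ok "$size" || { echo "DEK must be 16, 24 or 32 bytes, got $size" >&2; return 1; }
  head -c "$size" /dev/urandom > "$out"
  [ "$(wc -c < "$out" | tr -d ' ')" -eq "$size" ]
}

# Step 2: encrypt the DEK with the KMS key named in the template (the step the
# question skipped). Output is raw binary ciphertext, not base64.
wrap_dek() {
  dek="$1"; out="$2"
  gcloud kms encrypt --location "${LOCATION:-global}" --keyring "$KEY_RING" \
    --key "$KEY_NAME" --plaintext-file "$dek" --ciphertext-file "$out"
}

# Step 3: base64 the raw ciphertext as one line; this string is the wrappedKey value.
# base64 | tr avoids GNU-only "-w0" so it works on macOS as well.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Sanity check (assumption, not a DLP rule): raw KMS ciphertext almost never
# survives a strict base64 decode, so a file that does is probably text that was
# already base64-encoded and would be encoded twice by b64_oneline.
is_probably_double_encoded() {
  base64 -d < "$1" > /dev/null 2>&1
}

# Usage (uncomment with a real KMS key):
#   make_dek 16 secret.bin
#   wrap_dek secret.bin secret.bin.kms
#   is_probably_double_encoded secret.bin.kms && echo "looks base64 already, check it" >&2
#   b64_oneline secret.bin.kms   # paste this into the template's wrappedKey field
```

The base64 string must be derived from the KMS ciphertext file, never from `secret.bin` itself: DLP unwraps `wrappedKey` by calling Cloud KMS decrypt with `cryptoKeyName`, so anything that KMS did not produce with that key fails with "Decryption failed: the ciphertext is invalid".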
