In this tutorial, you learn how to encrypt and decrypt data using Outscale Key Management Service (OKMS).

This tutorial assumes you are working in a Linux or macOS operating system.

Encrypting Data Using OSC-CLI

Create a CMK

Before you begin: See Installing and Configuring OSC CLI to set up OSC CLI.


  • (optional) Create a customer master key (CMK) using the CreateKey command:

    $> osc-cli okms CreateKey

    For more information about this command, see Creating a CMK.

    If you want to use an existing CMK, see Getting Information About Your CMKs to get its ID.


Encode Your File in Base64

  • Encode your file in base64, for example using the openssl command:

    $> openssl enc -base64 -in myfile.txt -out myfile.txt.base64

    where myfile.txt is the path to a file containing the data to encode.


Encrypt the Base64-encoded File

  1. Get the content of your base64-encoded file, for example using the cat command:

    $> cat myfile.txt.base64
    Result sample
    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQoxMjM0NTY3ODkwMTIzNDU2
    Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
    NTY3ODkwMTIzNDU2Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t
  2. Encrypt this content using the Encrypt command:

    $> osc-cli okms Encrypt \
        --KeyId cmk-12345678 \
        --Plaintext "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQoxMjM0NTY3ODkwMTIzNDU2
    > Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
    > NTY3ODkwMTIzNDU2Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t"
    Result sample
    {
        "KeyId": "cmk-12345678",
        "CiphertextBlob": "NDQ4ODlFMDE4RkY0NUM1RTUyQkEwQzU3ODE3RkRBQzk2MTczMzc4MTYyOTQ1NTUyNzQ2NzgyMTNFQUFRSFR4SUxwbmkybDBoWEZoZ0E2N2ZiS0FRVXJ2VnJwb0djL1pHM1RldmFTNzlxUldlMTdESUZzNmd6eHByQ0MwbmJqdDNiL1dySklYbXFYS1QwendUZWgrNGIzZlkvdG1mZjU4Tjh4TlNtbktvbFpYeFd4T09MT3FXNHV5VWI1bGFUa0U9RUFBUVdSTXdpcnBZV1hReDluSzZVYlB6R3NmazN3WFFVNW5WOTB5YlpGVWlFdkRwam14VDc1c2ZOT1Rnb0g2MUVGVUpURGsrbnRwZklQL1ZENFJ6L3hqZlhUYmk1RFVIWFJmdTFaV011TGtTYmR4bXM2bzE2dHdjOVJOY0RhZUs2NytrbThLL3JuZ21FOU9ZeDFXRlplamd3WDM2Tmo4aXEvRjkvQUZVTmZoT1c4alNnMnZNVUNYYU9XN1k="
    }

    For more information about this command, see Encrypting Data.

    The value of CiphertextBlob is the encrypted data.


Decrypting Data Using OSC CLI

  1. To decrypt data that was previously encrypted with a CMK, use the Decrypt command:

    $> osc-cli okms Decrypt \
        --CiphertextBlob "NDQ4ODlFMDE4RkY0NUM1RTUyQkEwQzU3ODE3RkRBQzk2MTczMzc4MTYyOTQ1NTUyNzQ2NzgyMTNFQUFRSFR4SUxwbmkybDBoWEZoZ0E2N2ZiS0FRVXJ2VnJwb0djL1pHM1RldmFTNzlxUldlMTdESUZzNmd6eHByQ0MwbmJqdDNiL1dySklYbXFYS1QwendUZWgrNGIzZlkvdG1mZjU4Tjh4TlNtbktvbFpYeFd4T09MT3FXNHV5VWI1bGFUa0U9RUFBUVdSTXdpcnBZV1hReDluSzZVYlB6R3NmazN3WFFVNW5WOTB5YlpGVWlFdkRwam14VDc1c2ZOT1Rnb0g2MUVGVUpURGsrbnRwZklQL1ZENFJ6L3hqZlhUYmk1RFVIWFJmdTFaV011TGtTYmR4bXM2bzE2dHdjOVJOY0RhZUs2NytrbThLL3JuZ21FOU9ZeDFXRlplamd3WDM2Tmo4aXEvRjkvQUZVTmZoT1c4alNnMnZNVUNYYU9XN1k="
    Result sample
    {
        "KeyId": "cmk-12345678",
        "Plaintext": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t"
    }

    For more information about this command, see Decrypting Data.

    The value of Plaintext is the decrypted data, in base64 form.

  2. To decode the base64-encoded data, use for example the following commands:

    $> echo "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQoxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t" > pt.base64
    $> openssl enc -base64 -d -in pt.base64

    The decoded data is returned.


Corresponding API Methods