Tinkey

Tinkey is Tink's command line utility for managing keys. Tinkey lets you encrypt or decrypt keysets with key encryption keys stored in a remote KMS. Tinkey has built-in support for AWS KMS and Google Cloud KMS. Adding support for other KMS doesn't require modifying Tinkey.

Installation

You can install Tinkey from prebuilt binaries, use Homebrew, or build Tinkey from the Tink source:

Prebuilt binaries

The latest release of Tinkey is 1.11.0 (download). It works on Linux, macOS, and Windows.

Homebrew

To install Tinkey with Homebrew, run the following command:

brew tap tink-crypto/tink-tinkey https://github.com/tink-crypto/tink-tinkey
brew install tinkey

From source

To build the latest version of Tinkey from Tink's source code, use Bazel with Bazelisk:

 TINKEY_URL="https://github.com/tink-crypto/tink-tinkey/archive/refs/tags/v1.11.0.zip"
 TINKEY_SHA256="d89cdcf90e77887017d938e96f4a6144d54ed8f98788f15efcf8c31195474a9d"
 curl -LsS "${TINKEY_URL}" -o tinkey.zip
 echo "${TINKEY_SHA256} tinkey.zip" | sha256sum -c
 unzip tinkey.zip && cd "tink-tinkey-1.11.0"
 bazelisk build //:tinkey

This produces the binary bazel-bin/tinkey.

Command reference

Tinkey can be used to generate keys and do other management tasks like encrypting, decrypting, or rotating keys.

The syntax for using the commands listed in the table is tinkey <command> [<args>].

Command Action
help Prints a help message for all available commands.
add-key Generates and adds a new key to a keyset.
convert-keyset Changes format, encrypts, decrypts a keyset.
create-keyset Creates a new keyset.
create-public-keyset Creates a public keyset from a private keyset.
list-key-templates Lists all supported key templates.
delete-key Deletes a specified key in a keyset.
destroy-key Deprecated. Destroys the key material of a specified key in a keyset. (This is deprecated: the behavior of Tink with keysets containing destroyed keys may depend on the Tink version)
disable-key Disables a specified key in a keyset.
enable-key Enables a specified key in a keyset.
list-keyset Lists keys in a keyset.
promote-key Promotes a specified key to primary.
rotate-keyset [Deprecated] Adds a new key and makes it the primary. (Instead, we recommend first adding a new key with add-key and later explicitly making it the primary with promote-key. In distributed systems, one needs to make sure the newly added key is available on every server before promoting it to primary.)