@salrashid123
Created September 15, 2022 16:43
export PROJECT_ID=`gcloud config get-value core/project`
export BUCKET_NAME=$PROJECT_ID-enctest
gsutil mb gs://$BUCKET_NAME
# create a sample file and record its hash to compare after the round trip
openssl rand -base64 1000000 > secrets.txt
sha256sum secrets.txt
# generate the KEK (an RSA key pair) and the DEK
openssl genrsa -out kek.key 2048
openssl rsa -in kek.key -outform PEM -pubout -out kek_public.pem
# the DEK is used as an `openssl enc` password, and -pass file: reads only the
# first line of the file, so write it as hex rather than raw bytes
openssl rand -hex 32 > dek.key
# encrypt (wrap) the DEK with the KEK public key; rsautl is deprecated in OpenSSL 3,
# pkeyutl with its default PKCS#1 v1.5 padding produces the same kind of ciphertext
# (add -pkeyopt rsa_padding_mode:oaep on both the encrypt and decrypt side to use OAEP)
openssl pkeyutl -encrypt -pubin -inkey kek_public.pem -in dek.key -out dek.key.enc
export dek_enc=`xxd -p -c 800 dek.key.enc`
export kek_hash=`sha256sum kek_public.pem | cut -d " " -f 1`
# stream encrypt and upload the file; attach the wrapped DEK and the KEK hash as object metadata
openssl enc -pbkdf2 -in secrets.txt -aes-256-cbc -pass file:./dek.key | gcloud storage cp - gs://$BUCKET_NAME/secrets.txt.enc --custom-metadata="x-goog-meta-dek=$dek_enc,x-goog-meta-kek-hash=$kek_hash"
# view the encrypted object's metadata, which will include the wrapped DEK
gsutil stat gs://$BUCKET_NAME/secrets.txt.enc
# download the wrapped DEK from the object metadata (no, I don't know how to use gsutil stat to just get the dek)
export TOKEN=`gcloud auth print-access-token`
curl -s -H "Authorization: Bearer $TOKEN" "https://storage.googleapis.com/storage/v1/b/$BUCKET_NAME/o/secrets.txt.enc" | jq -r '.metadata.dek' | xxd -r -p - dek.key.enc
# decrypt (unwrap) the DEK with the KEK private key
openssl pkeyutl -decrypt -inkey kek.key -in dek.key.enc -out dek.key.ptext
# stream download the data and decrypt it with the unwrapped DEK
gcloud storage cp gs://$BUCKET_NAME/secrets.txt.enc - | openssl enc -d -aes-256-cbc -pbkdf2 -out secrets.txt.ptext -pass file:./dek.key.ptext
# should print the same hash as secrets.txt above
sha256sum secrets.txt.ptext
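The same envelope scheme run locally without a bucket, as an added example that is not the gist's own code: it wraps a fresh DEK with the KEK public key, carries the wrapped DEK and the KEK hash as the two metadata values the gist attaches, and before unwrapping checks the stored kek-hash against the KEK it is about to use, a value the gist records but never verifies. Function names, the temp-directory layout, base64 instead of hex for the wrapped DEK and OAEP padding are my choices, not the gist's.

```shell
# Added example, not part of the gist: the same KEK/DEK envelope run offline, plus the
# check the gist stores a value for but never performs: refuse to unwrap unless the
# kek-hash carried with the object matches the KEK in hand.
set -eu
WORK=$(mktemp -d)
# sha256 of a KEK public key file, the value the gist stores as x-goog-meta-kek-hash.
kek_hash() { sha256sum "$1" | cut -d ' ' -f 1; }
# Generate an RSA KEK pair as $1.key (private) and $1_public.pem (public).
make_kek() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl rsa -in "$1.key" -pubout -out "$1_public.pem" 2>/dev/null
}
# seal KEK_PUBLIC PLAINTEXT OUT: encrypt PLAINTEXT to OUT under a fresh DEK and print
# the metadata string "dek=<base64 wrapped DEK>,kek-hash=<sha256 of KEK public key>".
seal() {
  dek="$WORK/dek"
  openssl rand -hex 32 > "$dek"   # hex, not raw bytes, so -pass file: reads the whole key
  openssl enc -pbkdf2 -aes-256-cbc -pass "file:$dek" -in "$2" -out "$3"
  wrapped=$(openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$dek" | openssl base64 -A)
  rm -f "$dek"
  printf 'dek=%s,kek-hash=%s\n' "$wrapped" "$(kek_hash "$1")"
}
# unseal KEK_PRIVATE KEK_PUBLIC METADATA CIPHERTEXT OUT: verify the KEK, unwrap, decrypt.
unseal() {
  stored=${3#*kek-hash=}
  [ "$stored" = "$(kek_hash "$2")" ] || { echo "kek-hash mismatch: wrong KEK for this object" >&2; return 1; }
  wrapped=${3#dek=}; wrapped=${wrapped%%,*}
  dek="$WORK/dek"
  printf '%s' "$wrapped" | openssl base64 -A -d |
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -out "$dek"
  openssl enc -d -pbkdf2 -aes-256-cbc -pass "file:$dek" -in "$4" -out "$5"
  rm -f "$dek"
}
# Happy path: returns 0 only if the decrypted file matches the constructed sample.
demo_roundtrip() {
  make_kek "$WORK/kek"
  openssl rand -base64 4096 > "$WORK/secrets.txt"   # constructed sample payload
  meta=$(seal "$WORK/kek_public.pem" "$WORK/secrets.txt" "$WORK/secrets.txt.enc")
  unseal "$WORK/kek.key" "$WORK/kek_public.pem" "$meta" "$WORK/secrets.txt.enc" "$WORK/secrets.txt.ptext"
  [ "$(sha256sum < "$WORK/secrets.txt")" = "$(sha256sum < "$WORK/secrets.txt.ptext")" ]
}
# Rotated KEK: the stored hash does not match, so unseal refuses before touching RSA.
demo_wrong_kek() {
  make_kek "$WORK/kek"; make_kek "$WORK/kek2"
  openssl rand -base64 4096 > "$WORK/secrets.txt"
  meta=$(seal "$WORK/kek_public.pem" "$WORK/secrets.txt" "$WORK/secrets.txt.enc")
  ! unseal "$WORK/kek2.key" "$WORK/kek2_public.pem" "$meta" "$WORK/secrets.txt.enc" "$WORK/out" 2>/dev/null
}
demo_roundtrip && demo_wrong_kek && echo "envelope round trip and KEK check: ok"
```

The metadata string printed by `seal` is what the gist passes to `--custom-metadata`; in a real deployment the kek-hash check is what tells you an object was wrapped under an earlier KEK generation before you try to unwrap it.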