GCP KMS Key Management System - ghdrako/doc_snipets GitHub Wiki

In Google Cloud, data at rest is encrypted by default in all platform products. Data is "at rest" when it is not being transferred over the network but is simply stored on a GCP service for eventual retrieval. This includes VM disks, disk snapshots, and data stored in Cloud Storage or any other GCP service. Data at rest is encrypted at the storage level using AES-256.

There are three options available for server-side encryption:

  • Google-Managed Encryption Keys (the default): Google generates, stores and rotates the keys on the customer's behalf; nothing needs to be set up.
  • Customer-Supplied Encryption Keys (CSEKs): the customer generates the key outside Google Cloud and supplies it with each request. Cloud Storage uses it to encrypt or decrypt the object but does not keep the key itself (only a hash of it), so a lost key means the data is unrecoverable.
  • Customer-Managed Encryption Keys (CMEKs): the customer creates and controls the key in GCP's Cloud Key Management Service (KMS) and grants the storage service permission to use it. The key material never leaves Cloud KMS; the customer controls its IAM policy, rotation, and disabling or destruction, and disabling the key makes the protected data unreadable.

There is also a client-side encryption option, where the client encrypts the data before sending it to Cloud Storage; the server-side encryption described above is then applied on top of the already encrypted object.

Data encryption keys (DEKs) are stored near the data they protect and are themselves encrypted with key encryption keys (KEKs), a process referred to as key wrapping. With CMEK you manage the KEK in Cloud Key Management Service (KMS). KEKs are in turn wrapped by a master key that is stored and used exclusively within Google's internal central KMS (not the customer-facing Cloud KMS product), which is redundant and globally distributed. The master key is distributed in memory for fast retrieval and backed up on hardware devices; each internal KMS server fetches a copy of it at startup as a hard dependency and fetches a fresh copy every day, and Google refreshes the master key on a monthly basis.
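The wrapping hierarchy above is easiest to see in code. The following is an added example (it is not from this wiki page and not Google's code) that implements envelope encryption in Go with only the standard library: a one-time DEK encrypts the data with AES-256-GCM, the DEK is wrapped under a KEK, and only the wrapped DEK is stored beside the ciphertext. The `Kek` type is an assumption for the example: an in-memory stand-in for a Cloud KMS key whose `Wrap` and `Unwrap` methods play the role of the Cloud KMS Encrypt and Decrypt calls on the key (in production those calls go to Cloud KMS and the key bytes never leave it). It also shows why rotating the KEK does not force re-encryption of existing data: the wrapped DEK records which key version wrapped it, as Cloud KMS ciphertext does, so old versions keep unwrapping after a rotation. The sample message and the AAD string are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// randBytes returns n CSPRNG bytes; with no entropy source it panics rather than hand back weak keys.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-GCM; keys are always 32 bytes from randBytes, so a failure here is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal is AES-256-GCM with a fresh random nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Kek is an assumed offline stand-in for a Cloud KMS key (real key bytes never leave KMS); like KMS it keeps old versions after rotation.
type Kek struct{ versions [][]byte }

// Rotate creates a new primary version and returns its 1-based number.
func (k *Kek) Rotate() int {
	k.versions = append(k.versions, randBytes(32))
	return len(k.versions)
}

// Wrap plays the KMS Encrypt call on the KEK. The leading 4 bytes record which
// version wrapped the DEK, so the right one is found after a rotation.
func (k *Kek) Wrap(dek []byte) []byte {
	ver := len(k.versions)
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, uint32(ver))
	return append(out, seal(k.versions[ver-1], dek, nil)...)
}

// Unwrap plays the KMS Decrypt call on the KEK.
func (k *Kek) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 {
		return nil, errors.New("wrapped DEK too short")
	}
	ver := int(binary.BigEndian.Uint32(wrapped))
	if ver < 1 || ver > len(k.versions) {
		return nil, fmt.Errorf("unknown KEK version %d", ver)
	}
	return open(k.versions[ver-1], wrapped[4:], nil)
}

// Encrypt makes a one-time DEK, encrypts the data under it and returns the KEK-wrapped
// DEK beside the ciphertext; aad binds the ciphertext to its context (e.g. object name).
func Encrypt(kek *Kek, plaintext, aad []byte) (wrappedDEK, ciphertext []byte) {
	dek := randBytes(32) // only the wrapped form of this DEK is retained
	return kek.Wrap(dek), seal(dek, plaintext, aad)
}

// Decrypt unwraps the DEK through the KEK, then opens the data with the same aad.
func Decrypt(kek *Kek, wrappedDEK, ciphertext, aad []byte) ([]byte, error) {
	dek, err := kek.Unwrap(wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, aad)
}

func main() {
	kek, aad := &Kek{versions: [][]byte{randBytes(32)}}, []byte("object=pigeonsecret.txt")
	wrapped, ct := Encrypt(kek, []byte("My super-secret message is encrypted"), aad) // constructed sample
	kek.Rotate() // rotate the KEK: the stored envelope still decrypts
	pt, err := Decrypt(kek, wrapped, ct, aad)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
}
```

Calling Cloud KMS Encrypt directly on bulk data is the wrong tool: the API accepts at most 64 KiB of plaintext per call, which is why GCP services (and the KMS client libraries) encrypt data locally under a DEK and send only the DEK to KMS. The AAD passed to Encrypt is neither secret nor encrypted, but it must be supplied identically on Decrypt; binding it to the object's identity stops a valid ciphertext from being silently moved into another object's slot.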

Google Cloud offers the following services for key management:

  • Google-managed keys
  • Customer-managed keys with Cloud Key Management Service
  • Customer-managed keys held in a third-party key management system, reached through Cloud External Key Manager (EKM)

Create a key ring named pigeonkeyring and, inside it, a symmetric encryption key named pigeonkey in the global location (--purpose "encryption" selects a symmetric encrypt/decrypt key):

gcloud kms keyrings create "pigeonkeyring" \
    --location "global"
gcloud kms keys create "pigeonkey" \
    --location "global" \
    --keyring "pigeonkeyring" \
    --purpose "encryption"

You can use the list option to view the name and metadata for the key that you just created.

gcloud kms keys list \
    --location "global" \
    --keyring "pigeonkeyring"

Let's store some text to be encrypted in a file called "pigeonsecret.txt".

echo -n "My super-secret message is encrypted" > pigeonsecret.txt

Now encrypt the file with the key just created: name the key, the plaintext file to encrypt, and the file that will receive the ciphertext. The key material never leaves Cloud KMS; the plaintext is sent to the service and the ciphertext is returned:

gcloud kms encrypt \
    --location "global" \
    --keyring "pigeonkeyring" \
    --key "pigeonkey" \
    --plaintext-file ./pigeonsecret.txt \
    --ciphertext-file ./pigeonsecret.txt.encrypted

To decrypt the data with gcloud kms decrypt, provide the same key information, specify the encrypted file to decrypt, and specify the file that will receive the decrypted content. The ciphertext records which key version was used, so this still works after the key has been rotated:

gcloud kms decrypt \
    --location "global" \
    --keyring "pigeonkeyring" \
    --key "pigeonkey" \
    --ciphertext-file ./pigeonsecret.txt.encrypted \
    --plaintext-file ./pigeonsecret.txt.decrypted

Prepare to enable CMEK integration

  1. Create a key ring or select an existing key ring. For Cloud Storage, the key ring must be in the same location as the bucket it will protect.
  2. In the selected key ring, create a key or select an existing key.
  3. Grant the service agent of the GCP service that will use the key the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on that key, so the service can wrap and unwrap its DEKs with it.