Securing Cloud Storage Files with KMS

Md. Sadhan Sarker
6 min readJul 19, 2020

--

Cloud Key Management Service (KMS) allows us to create, import & manage cryptographic keys and also perform cryptographic operations in a single centralized cloud service the same way on-premises. By using Cloud KMS, Cloud HSM, or Cloud External Key Manager or Customer-Managed Encryption Keys (CMEK integrations) we can encrypt, decrypt, and verify.

Image: https://cloud.google.com/kms

In this post, we are going to deal with Cloud KMS, Cloud Storage, Cloud SDK. Also, learn about encryption and manage encryption keys using KMS. So, let’s drive-in. Sign-in to Google Cloud Platform (GCP) Console and Create a new project and activate our Cloud Shell.

Click `Continue`

Create a Cloud Storage Bucket

Create Cloud Storage Bucket, we can do that using gsutil, remember bucket names are globally unique. Run the following command in Cloud Shell to set a variable to our bucket name:

$ export CLOUD_STORAGE_BUCKET_NAME=put_our_unique_bucket_name

Now, just hit the following command, to create a new cloud storage bucket,

$ gsutil mb gs://${CLOUD_STORAGE_BUCKET_NAME}

Create a sample data

Create a simple file so that we can encrypt & decrypt that file, Open Cloud Shell and create a new file, Here, I’m using `Vim` console-based text editor. If we want, we can download the source file from another location. To create a new file, run the following command:

$ vi hello.txt

Input:

Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.

To open `hello.txt` content

$ cat hello.txt

Output:

Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.

Enable Cloud KMS Service

Before using Cloud KMS, we need to enable that service. It can be done from Cloud Console UI as well as from gcloud CLI command. To enable the Cloud KMS Service, run the following command in the Cloud Shell:

$ gcloud services enable cloudkms.googleapis.com

Optional, this only needs to be done once per project

$ gcloud services enable cloudkms.googleapis.com \
— project "${GOOGLE_CLOUD_PROJECT}"

Create KeyRing and CryptoKey

In order to encrypt & decrypt data, we need to create a KeyRing and a CryptoKey. KeyRings are useful for Grouping keys. To create KeyRing for a global region:

$ gcloud kms keyrings create "our-keyring" — location "global"

Note: If we want to view that newly created key then Open Web UI.

Next, using the new KeyRing, create a CryptoKey

$ gcloud kms keys create "our-cryptokey" \
— location "global" \
— keyring "our-keyring" \
— purpose "encryption"

From Web UI We can view the Keys,

By clicking on `our-keyring` we are able to see `our-cryptokey`, which is grouped together

Encrypt our file

Encrypt the `hello.txt` file contents using Cloud KMS. Here, I’m using the gcloud command-line tool. But we can also encrypt data using the Cloud KMS API.

$ gcloud kms encrypt — location "global" \
— keyring "our-keyring" — key "our-cryptokey" \
— plaintext-file ./hello.txt \
— ciphertext-file ./hello.enc

This will create a `hello.enc` file which will be encrypted. To open that encrypt file run:

cat hello.enc

Output: Cloud be like an unreadable hash like “6B!h>X7^RR*IRt;_*b~0IrP1<)]’ǞЉt c”

Now, we can upload that encrypted file to the Cloud Storage, run the following command

$ gsutil cp ./hello.enc gs://${CLOUD_STORAGE_BUCKET_NAME}

We can view our encrypted file which actually uploaded,

Decrypt our file

If we want to decrypt that `hello.enc`. Or, we have already encrypted data then we can copy that from Cloud Storage Bucket by the following command,

$ gsutil cp gs://${CLOUD_STORAGE_BUCKET_NAME}/hello.enc .

Note: In this case, we don’t have to do that because we already have our `hello.enc` file.

Now, We can decrypt that file by the following command below,

$ gcloud kms decrypt — location "global" \
— keyring "our-keyring" — key "our-cryptokey" \
— ciphertext-file ./hello.enc \
— plaintext-file ./hello-decryped.txt

To open that `hello-decryped.txt` file run following command

cat hello-decryped.txt

Output:

Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.

Cleanup environment

To delete cloud storage bucket, which we created earlier, run the following command

$ gsutil rm -r gs://${CLOUD_STORAGE_BUCKET_NAME}

Note: Cloud KMS resources can’t be deleted. However, we can destroy that by following command

$ gcloud kms keys versions destroy "1" \
— location "global" \
— key "our-cryptokey" \
— keyring "our-keyring"

Optionally, Custom Managed Key (CMK)

We can secure cloud storage bucket using Custom Managed Key (CMK)

Create Key Ring

Create Cryptographic Key, we can import or generate key

Cryptographic keys

Example: Resource ID: projects/qwiklabs-gcp-01–7d25585f0538/locations/global/keyRings/our-keyring

Keyring

Example: Resource ID: projects/labs-gcp-01/locations/global/keyRings/our-keying/cryptoKeys/our-cryptokey

Now, create a Cloud Storage Bucket from Web-UI. So follow below steps to create a bucket

From the GCP left navigation panel select Storage then Browser,

Then click CREATE BUCKET button

Now, we have a bucket creation panel. We need to fill up those, GCP offers 4 types of storage classes, for demonstration, we can choose Standard one.

Here, we need to select the Customer-managed key. Selected dropdown might show No Valid Keys Found and Don’t see your key? Enter key resource ID. We need to GRANT permissions for the service account.

Finally, Cloud Storage bucket is encrypted/decrypted via Customer-managed key. Additionally, I like to mention one thing Cloud Identity and Access Management (Cloud IAM) policies cannot be set on individual key versions. If we want to determine who can access, we have Cloud Key Management Service through which we can provide corresponding permission to do so and follow Cloud IAM with Cloud KMS guidelines.

Congratulations

We have successfully encrypted and decrypt data using Cloud KMS and stored encrypted data in Cloud Storage. Thanks for time & passion. Feel free to ask me anything.

Say Hi to me on Twitter, Linkedin and Dev.to where I keep on sharing interesting updates.

--

--