Securing Cloud Storage Files with KMS
Cloud Key Management Service (KMS) allows us to create, import & manage cryptographic keys and also perform cryptographic operations in a single centralized cloud service the same way on-premises. By using Cloud KMS, Cloud HSM, or Cloud External Key Manager or Customer-Managed Encryption Keys (CMEK integrations) we can encrypt, decrypt, and verify.
In this post, we are going to deal with Cloud KMS, Cloud Storage, Cloud SDK. Also, learn about encryption and manage encryption keys using KMS. So, let’s drive-in. Sign-in to Google Cloud Platform (GCP) Console and Create a new project and activate our Cloud Shell.
Click `Continue`
Create a Cloud Storage Bucket
Create Cloud Storage Bucket, we can do that using gsutil, remember bucket names are globally unique. Run the following command in Cloud Shell to set a variable to our bucket name:
$ export CLOUD_STORAGE_BUCKET_NAME=put_our_unique_bucket_nameNow, just hit the following command, to create a new cloud storage bucket,
$ gsutil mb gs://${CLOUD_STORAGE_BUCKET_NAME}Create a sample data
Create a simple file so that we can encrypt & decrypt that file, Open Cloud Shell and create a new file, Here, I’m using `Vim` console-based text editor. If we want, we can download the source file from another location. To create a new file, run the following command:
$ vi hello.txtInput:
Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.To open `hello.txt` content
$ cat hello.txtOutput:
Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.Enable Cloud KMS Service
Before using Cloud KMS, we need to enable that service. It can be done from Cloud Console UI as well as from gcloud CLI command. To enable the Cloud KMS Service, run the following command in the Cloud Shell:
$ gcloud services enable cloudkms.googleapis.comOptional, this only needs to be done once per project
$ gcloud services enable cloudkms.googleapis.com \
— project "${GOOGLE_CLOUD_PROJECT}"Create KeyRing and CryptoKey
In order to encrypt & decrypt data, we need to create a KeyRing and a CryptoKey. KeyRings are useful for Grouping keys. To create KeyRing for a global region:
$ gcloud kms keyrings create "our-keyring" — location "global"Note: If we want to view that newly created key then Open Web UI.
Next, using the new KeyRing, create a CryptoKey
$ gcloud kms keys create "our-cryptokey" \
— location "global" \
— keyring "our-keyring" \
— purpose "encryption"From Web UI We can view the Keys,
By clicking on `our-keyring` we are able to see `our-cryptokey`, which is grouped together
Encrypt our file
Encrypt the `hello.txt` file contents using Cloud KMS. Here, I’m using the gcloud command-line tool. But we can also encrypt data using the Cloud KMS API.
$ gcloud kms encrypt — location "global" \
— keyring "our-keyring" — key "our-cryptokey" \
— plaintext-file ./hello.txt \
— ciphertext-file ./hello.encThis will create a `hello.enc` file which will be encrypted. To open that encrypt file run:
cat hello.encOutput: Cloud be like an unreadable hash like “6B!h>X7^RR*IRt;_*b~0IrP1<)]’ǞЉt c”
Now, we can upload that encrypted file to the Cloud Storage, run the following command
$ gsutil cp ./hello.enc gs://${CLOUD_STORAGE_BUCKET_NAME}We can view our encrypted file which actually uploaded,
Decrypt our file
If we want to decrypt that `hello.enc`. Or, we have already encrypted data then we can copy that from Cloud Storage Bucket by the following command,
$ gsutil cp gs://${CLOUD_STORAGE_BUCKET_NAME}/hello.enc .Note: In this case, we don’t have to do that because we already have our `hello.enc` file.
Now, We can decrypt that file by the following command below,
$ gcloud kms decrypt — location "global" \
— keyring "our-keyring" — key "our-cryptokey" \
— ciphertext-file ./hello.enc \
— plaintext-file ./hello-decryped.txtTo open that `hello-decryped.txt` file run following command
cat hello-decryped.txtOutput:
Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.
Cleanup environment
To delete cloud storage bucket, which we created earlier, run the following command
$ gsutil rm -r gs://${CLOUD_STORAGE_BUCKET_NAME}Note: Cloud KMS resources can’t be deleted. However, we can destroy that by following command
$ gcloud kms keys versions destroy "1" \
— location "global" \
— key "our-cryptokey" \
— keyring "our-keyring"Optionally, Custom Managed Key (CMK)
We can secure cloud storage bucket using Custom Managed Key (CMK)
Create Key Ring
Create Cryptographic Key, we can import or generate key
Cryptographic keys
Example: Resource ID: projects/qwiklabs-gcp-01–7d25585f0538/locations/global/keyRings/our-keyring
Keyring
Example: Resource ID: projects/labs-gcp-01/locations/global/keyRings/our-keying/cryptoKeys/our-cryptokey
Now, create a Cloud Storage Bucket from Web-UI. So follow below steps to create a bucket
From the GCP left navigation panel select Storage then Browser,
Then click CREATE BUCKET button
Now, we have a bucket creation panel. We need to fill up those, GCP offers 4 types of storage classes, for demonstration, we can choose Standard one.
Here, we need to select the Customer-managed key. Selected dropdown might show No Valid Keys Found and Don’t see your key? Enter key resource ID. We need to GRANT permissions for the service account.
Finally, Cloud Storage bucket is encrypted/decrypted via Customer-managed key. Additionally, I like to mention one thing Cloud Identity and Access Management (Cloud IAM) policies cannot be set on individual key versions. If we want to determine who can access, we have Cloud Key Management Service through which we can provide corresponding permission to do so and follow Cloud IAM with Cloud KMS guidelines.
Congratulations
We have successfully encrypted and decrypt data using Cloud KMS and stored encrypted data in Cloud Storage. Thanks for time & passion. Feel free to ask me anything.
Say Hi to me on Twitter, Linkedin and Dev.to where I keep on sharing interesting updates.