Password Management on Google Cloud Platform

Password Encryption at Rest and in Transit

Soumendra Mishra
Jul 30, 2020 · 3 min read

Problem Statement

Securing sensitive information begins with a proper understanding of security controls and the protection of passwords using modern encryption algorithms. Over the past decades, we have seen major security breaches exposing numerous usernames and passwords. As a result, millions of accounts impacted, and data compromised. With every password breach raises an inevitable question: Were the passwords stored securely? Unfortunately, this simple question has no simple answer.


There are many encryption algorithms adopted by various organizations to tackle security breach and resulted in, many success & failure stories. For the vast majority of situations, Hashing and Symmetric Encryption is implemented. In this Blog, Symmetric Encrypt/Decrypt technique using Google Cloud Key Management Service (KMS) is elaborated in detail.

Step-1: Create Cryptographic Keys

Cloud Key Management Service stores cryptographic keys in an organized structure designed for elegant access control management. It includes Location, Key Ring and Keys.

# Create KMS Key Ring
$ gcloud kms keyrings create kms-keyring --location global
# Create KMS Key
$ gcloud kms keys create kms-key \
--location global \
--keyring kms-keyring \
--purpose encryption

Step-2: Encrypt Plain-Text Password

Key Management Service encrypt command encrypts the given plain-text file using the given crypto-key (key-ring & key) and writes the result to the named cipher-text file. The plain-text file must not be larger than 64 KB. It is always recommended to delete the plain-text file as soon as password encryption process is completed.

# Add Plain-Text Password to a Text File
$ echo "**********" > password.txt
# Password Encrypt
$ gcloud kms encrypt \
--location global \
--keyring kms-keyring \
--key kms-key \
--plaintext-file password.txt \
--ciphertext-file password.encrypt

Step-3: Create Storage Bucket & Copy Encrypted Password

The encrypted password file is copied to storage bucket, so that it can be accessed by other applications or services.

# Create a Storage Bucket
$ gsutil mb -p data-lab gs://kms-store-202007
# Copy Encrypted Password to Storage Bucket
$ gsutil cp password.encrypt gs://kms-store-202007

Step-4: Install Python Modules

Install below python packages or modules using “pip install” command in-order to access Google cloud key management service and cloud storage objects.


Step-5: Password Decrypt

Password decryption process is implemented through code base solution. In this blog, source code is written in Python language, but it can be written in multiple languages like Go, Java, Node.js, Ruby. A configuration file (config.json) is used for input parameters for dynamic changes without impacting source code.

Configuration Parameters
Code Snippet for Password Decryption

Sequence Diagram

Sequence Diagram for End-to-End Process Flow


Managing Cryptographic Key is an integral part of an organization to safeguard sensitive information and it is a fundamental need for smooth functioning of business processes. The solution depicted in this blog emphasizes on implementing stringent security policies to prevent unfortunate incidents.


Imagine the future of data