Secure Data on Google Cloud Storage

Securing Application Data in Google Cloud Storage using the Virtru SDK

Chad Sigler
Feb 21 · 3 min read
Photo by Iñaki del Olmo on Unsplash

Hello! Today I will be talking about securing application data stored on Google Cloud Storage (GCS) using the Virtru Developer Platform, specifically the Virtru Python SDK. This is the second post on securing application data in a cloud environment; the first dealt with Amazon S3. Encrypting application data when it is created means that a bucket misconfiguration, like the one behind the Fresh Films Production leak, exposes only ciphertext rather than the data itself.

Business Problem

Like many developers, I use Google Cloud Platform, and with it Google Cloud Storage, to store application data. But what if that data is sensitive? How can I secure it? How hard will it be to integrate? What does the protection look like over time? After looking into the options I chose the Virtru Data Protection Platform, which also gives access to the whole Virtru Developer Platform. Application data in this scenario is generated by the client or the application layer, and encryption happens when the application layer calls the storage layer (GCS) to persist the data, so GCS only ever receives ciphertext.


Why Virtru

The Virtru SDK is easy to integrate and once implemented provides a way to manage data-centric protection at-scale. Using the Virtru SDK unlocks the entire Virtru Developer Platform and all of the associated tools.

Environment

The environment for this simple demo will be Python, GCP SDK and the Virtru SDK.

Requirements

GCP Authentication and Authorization

For this example the service account will have far more permissions than it needs, which is enough to get the demo working. In production, grant it only what the script uses: the object read and write roles on this one bucket, not project-wide rights.

GCP Service Account

We must create a service account that will be granted access to the bucket. Once the account is created we will download the JSON key file that we will reference for authentication. I have created a video to illustrate the steps.

GCP Bucket Rights

We must grant the service account rights to the bucket so that it can upload and download files. I have created a video to illustrate the steps.

Update Keys

The following steps are necessary to authenticate to the Virtru Platform and GCP, and they are fairly straightforward. Note that the .virtru and .gcp files hold credentials: keep them out of version control and readable only by the account that runs the script.

Virtru Keys

Virtru Keys are in the .virtru file

[{
"virtru_appid":"85daa043-1e63-4406-920f-706d527b0d7d",
"virtru_owner":"email@example.com"
}
]

GCP Keys

GCP Keys are in the .gcp file

{
"type": "service_account",
"project_id": "bucket",
"private_key_id": "00000000000000000000",
"private_key": "PRIVATE KEY",
"client_email": "serviceaccount@bucket.iam.gserviceaccount.com",
"client_id": "000000000000",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/serviceaccount%40bucket.iam.gserviceaccount.com"
}

Bucket Name

GCP Bucket Name is in the .bucket file

[{
"bucket":"bucket name"
}
]
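The three files above are the script's credentials and configuration. Below is an added example of how a loader might read them; it is not the post's own code and not Virtru or Google code. It uses the field names from the samples above, refuses a key file that other users on the host can read, rejects a .gcp file that is not a service-account key with a PEM private key, checks the bucket name against the basic GCS naming rule, and returns a redacted view that is the only thing allowed into logs. The required-field list, the decision to treat virtru_appid as a secret, and the placeholder values that demo() writes to a temp directory are this example's assumptions, not anything the post states.

```python
import json
import os
import re
import stat
import tempfile

# Field names follow the post's sample files. Which GCP fields are required is this
# example's choice: the ones a service-account key needs to sign for a token.
REQUIRED_GCP = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")
SECRET_FIELDS = frozenset({"private_key", "private_key_id", "virtru_appid"})
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"


def check_private(path):
    """Refuse a credential file that group or other can read (POSIX permissions only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name != "nt" and mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:04o}; expected 0600")


def load_virtru(path=".virtru"):
    """The post's .virtru file: a one-element list holding virtru_appid and virtru_owner."""
    check_private(path)
    with open(path) as f:
        entries = json.load(f)
    if not (isinstance(entries, list) and len(entries) == 1):
        raise ValueError(f"{path}: expected a list with exactly one entry")
    missing = {"virtru_appid", "virtru_owner"} - set(entries[0])
    if missing:
        raise ValueError(f"{path}: missing {sorted(missing)}")
    return entries[0]


def load_gcp(path=".gcp"):
    """The post's .gcp file: the JSON key downloaded for the service account."""
    check_private(path)
    with open(path) as f:
        cfg = json.load(f)
    missing = [k for k in REQUIRED_GCP if k not in cfg]
    if missing:
        raise ValueError(f"{path}: missing {missing}")
    if cfg["type"] != "service_account":
        raise ValueError(f"{path}: type is {cfg['type']!r}, not service_account")
    if not cfg["private_key"].startswith(PEM_HEADER):
        raise ValueError(f"{path}: private_key is not a PEM private key")
    if not cfg["client_email"].endswith(".iam.gserviceaccount.com"):
        raise ValueError(f"{path}: client_email is not a service account")
    return cfg


def load_bucket(path=".bucket"):
    """The post's .bucket file; apply the basic GCS bucket-name rule (3-63 chars, lowercase)."""
    with open(path) as f:
        name = json.load(f)[0]["bucket"]
    if not re.fullmatch(r"[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]", name):
        raise ValueError(f"{path}: {name!r} is not a valid bucket name")
    return name


def redacted(cfg):
    """The only form of a config that may appear in logs or error messages."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in cfg.items()}


def _write(path, obj, mode):
    with open(path, "w") as f:
        json.dump(obj, f)
    os.chmod(path, mode)


def _raises(fn, exc):
    try:
        fn()
        return False
    except exc:
        return True


def demo():
    """Write constructed sample files (shaped like the post's, not real credentials) and load them."""
    d = tempfile.mkdtemp()
    virtru, gcp, bucket = (os.path.join(d, n) for n in (".virtru", ".gcp", ".bucket"))
    fake_pem = PEM_HEADER + "\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n"
    _write(virtru, [{"virtru_appid": "00000000-0000-4000-8000-000000000000",
                     "virtru_owner": "email@example.com"}], 0o600)
    _write(gcp, {"type": "service_account", "project_id": "bucket", "private_key_id": "0" * 20,
                 "private_key": fake_pem, "token_uri": "https://oauth2.googleapis.com/token",
                 "client_email": "serviceaccount@bucket.iam.gserviceaccount.com"}, 0o600)
    _write(bucket, [{"bucket": "example-app-data"}], 0o644)
    gcp_cfg = load_gcp(gcp)
    result = {
        "owner": load_virtru(virtru)["virtru_owner"],
        "bucket": load_bucket(bucket),
        "log_line_leaks_key": PEM_HEADER in json.dumps(redacted(gcp_cfg)),
    }
    os.chmod(gcp, 0o644)  # a world-readable key file must be refused (POSIX only)
    result["world_readable_refused"] = (None if os.name == "nt"
                                        else _raises(lambda: load_gcp(gcp), PermissionError))
    _write(gcp, {k: v for k, v in gcp_cfg.items() if k != "private_key"}, 0o600)
    result["missing_field_refused"] = _raises(lambda: load_gcp(gcp), ValueError)
    return result
```

The permission check is the one that pays off most often in practice: a key file committed or copied with 0644 is readable by every other process on the box, and failing at startup is cheaper than finding out from an audit log. The sample .bucket value in the post ("bucket name", with a space) would be rejected by load_bucket, which is the intended behaviour for a placeholder.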

Execution

Prerequisites

pip3 install -r requirements.txt

Execution

python3 virtru-gcp.py

Output

The output should be similar to:

Upload File: test.jpg
Encrypt File: test.jpg
Policy ID: 088b4fdd-dec2-400b-b9ea-a55fce84fa20
Upload File: test.jpg.tdf.html
Download File: plain-test.jpg
Not a TDF: plain-test.jpg
Download File: decrypted-test.jpg
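The post does not print virtru-gcp.py, so here is an added example, not the post's script and not Virtru or Google code, that walks the same steps the output above shows, on constructed data so that it runs offline: encrypt, store the protected object, store an unprotected control object, download, ask "is this a TDF?", and decrypt. StandInProtector replaces the Virtru SDK with a stand-in envelope (an HMAC-SHA256 counter-mode keystream plus an HMAC tag over manifest and ciphertext, with the data keys held by the protector rather than stored in the bucket); it is not the Virtru TDF format and is not for production use. The bucket is a plain dict standing in for the google-cloud-storage client, and the .tdf suffix, the MAGIC header and the e-mail addresses are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import uuid

MAGIC = b"EXAMPLE-TDF/1\n"  # assumed header for this stand-in envelope; not Virtru's TDF format
_b64, _unb64 = base64.b64encode, base64.b64decode


def is_tdf(blob):  # the post's "Not a TDF" check: does the object carry our header?
    return blob.startswith(MAGIC)


def _subkeys(data_key):  # separate encryption and MAC keys derived from one data key
    return tuple(hmac.new(data_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stream cipher; stands in for the SDK's AES.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


class StandInProtector:
    """Stand-in for the Virtru client. Keys and policies live here, never in the bucket."""
    def __init__(self, owner):
        self.owner = owner
        self._policies = {}  # policy_id -> (enc key, mac key, users allowed to decrypt)

    def encrypt(self, plaintext, share_with=()):
        """Return (envelope, policy_id); envelope = MAGIC + base64 manifest, tag, ciphertext."""
        policy_id, nonce = str(uuid.uuid4()), os.urandom(16)
        enc_key, mac_key = _subkeys(os.urandom(32))
        self._policies[policy_id] = (enc_key, mac_key, {self.owner, *share_with})
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        manifest = json.dumps({"policy_id": policy_id, "nonce": _b64(nonce).decode()}).encode()
        tag = hmac.new(mac_key, manifest + ct, hashlib.sha256).digest()
        return MAGIC + b"\n".join([_b64(manifest), _b64(tag), _b64(ct)]), policy_id

    def decrypt(self, blob, requester):
        """Check integrity, then the policy, then decrypt; raise on any failure."""
        if not is_tdf(blob):
            raise ValueError("not a TDF")
        manifest_raw, tag, ct = (_unb64(part) for part in blob[len(MAGIC):].split(b"\n"))
        manifest = json.loads(manifest_raw)
        enc_key, mac_key, allowed = self._policies[manifest["policy_id"]]  # KeyError if unknown
        if not hmac.compare_digest(tag, hmac.new(mac_key, manifest_raw + ct, hashlib.sha256).digest()):
            raise ValueError("integrity check failed: object was modified in the bucket")
        if requester not in allowed:  # access is decided by the policy, not by bucket ACLs
            raise PermissionError(f"{requester} is not on policy {manifest['policy_id']}")
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, _unb64(manifest["nonce"]), len(ct))))


class ProtectedStore:
    """The application/storage boundary: nothing reaches the bucket unencrypted."""
    def __init__(self, bucket, protector):
        self.bucket, self.protector = bucket, protector  # bucket: a dict standing in for GCS

    def put(self, name, plaintext, share_with=()):
        envelope, policy_id = self.protector.encrypt(plaintext, share_with)
        self.bucket[name + ".tdf"] = envelope
        return policy_id

    def get(self, name, requester):
        return self.protector.decrypt(self.bucket[name + ".tdf"], requester)


def tamper(envelope):  # an attacker with write access to the bucket flips one ciphertext bit
    head, sep, ct_b64 = envelope.rpartition(b"\n")
    ct = _unb64(ct_b64)
    return head + sep + _b64(bytes([ct[0] ^ 1]) + ct[1:])


def _raises(fn, exc):
    try:
        fn()
        return False
    except exc:
        return True


def demo():
    """Run the post's flow on constructed data and report what the bucket actually held."""
    owner, colleague, outsider = "owner@example.com", "colleague@example.com", "outsider@example.com"
    protector, bucket = StandInProtector(owner), {}
    store = ProtectedStore(bucket, protector)
    secret = b"customer list: alice, bob, carol\n"  # constructed sample payload
    policy_id = store.put("test.txt", secret, share_with=[colleague])
    stored = bucket["test.txt.tdf"]
    bucket["plain-test.txt"] = secret  # the post's unprotected control object
    return {
        "policy_id": policy_id,
        "bucket_holds_plaintext": secret in stored,  # what a leaked bucket would expose
        "stored_is_tdf": is_tdf(stored),
        "plain_is_tdf": is_tdf(bucket["plain-test.txt"]),
        "owner_roundtrip": store.get("test.txt", owner) == secret,
        "colleague_roundtrip": store.get("test.txt", colleague) == secret,
        "outsider_refused": _raises(lambda: store.get("test.txt", outsider), PermissionError),
        "tamper_detected": _raises(lambda: protector.decrypt(tamper(stored), owner), ValueError),
    }
```

The results demo() returns make the point the post argues: a leaked bucket exposes only envelopes, who may decrypt is decided by the policy at the moment the key is requested rather than by bucket ACLs, and an object modified in the bucket fails its integrity check instead of decrypting to garbage. With the Virtru SDK the policy and key are held by the Virtru platform rather than by an in-process dict; the shape of the check is what this example shows.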

Conclusion

In just a few lines of Python, I was able to encrypt the files both at rest and in transit. These simple steps unlock the full power of the Virtru Data Protection Platform.

While all cloud storage providers offer some level of native encryption, any developer who stores sensitive data in the cloud should consider adding this extra layer of protection. Native server-side encryption is transparent to anyone who can read the object, so it does nothing for a bucket that is mistakenly public; encrypting in the application keeps the key outside the bucket's trust boundary. It is easy to execute and provides peace of mind against misconfigurations and any other kind of mistake that can lead to a costly breach.

Virtru Technology Blog
