
Cloud Key Management Service (KMS) lets us create, import and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service, the same way we would on-premises. Using Cloud KMS, Cloud HSM, Cloud External Key Manager, or the Customer-Managed Encryption Keys (CMEK) integrations, we can encrypt, decrypt, sign and verify data.
In this post we are going to work with Cloud KMS, Cloud Storage and the Cloud SDK, and learn how to encrypt data and manage encryption keys with KMS. So, let's dive in. Sign in to the Google Cloud Platform (GCP) Console, create a new project and activate Cloud Shell.
Click Continue
Create a Cloud Storage Bucket
Create a Cloud Storage bucket using gsutil; remember that bucket names are globally unique. Run the following command in Cloud Shell to set a variable to our bucket name:
export CLOUD_STORAGE_BUCKET_NAME=put_our_unique_bucket_name
Now run the following command to create the bucket:
gsutil mb gs://${CLOUD_STORAGE_BUCKET_NAME}
Create sample data
Create a simple file that we can encrypt and decrypt. In Cloud Shell, create a new file; here I'm using Vim, a console-based text editor. (If you prefer, you can download a source file from another location instead.) To create the file, run:
vi hello.txt
Press i to enter insert mode and type the following content:
Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.
Note: to save hello.txt, press Esc to leave insert mode and type :wq. To read the file back, run:
cat hello.txt
Output:
Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.
Enable the Cloud KMS Service
Before using Cloud KMS we must enable the service, either from the Cloud Console UI or with the gcloud CLI. To enable Cloud KMS, run the following command in Cloud Shell:
gcloud services enable cloudkms.googleapis.com
Optionally, name the project explicitly. This only needs to be done once per project:
gcloud services enable cloudkms.googleapis.com --project "${GOOGLE_CLOUD_PROJECT}"
Create a KeyRing and CryptoKey
In order to encrypt and decrypt data we need a KeyRing and a CryptoKey. KeyRings group keys and are bound to a location. To create a KeyRing in the global location:
gcloud kms keyrings create "our-keyring" --location "global"
Note: to view the newly created KeyRing, open the Web UI.
Next, create a CryptoKey inside the new KeyRing. The purpose "encryption" gives us a symmetric key for encrypt and decrypt operations:
gcloud kms keys create "our-cryptokey" --location "global" --keyring "our-keyring" --purpose "encryption"
From the Web UI we can view the keys: click on our-keyring and we see our-cryptokey grouped under it.
Encrypt our file
Encrypt the hello.txt file contents using Cloud KMS. Here I'm using the gcloud command-line tool, but we can also encrypt data through the Cloud KMS API.
gcloud kms encrypt --location "global" --keyring "our-keyring" --key "our-cryptokey" --plaintext-file ./hello.txt --ciphertext-file ./hello.enc
This creates hello.enc, which holds the encrypted contents. To look at it, run:
cat hello.enc
Output: binary ciphertext, which shows up as unreadable bytes, something like “6B!h>X7^RR*IRt;_*b~0IrP1<)]'ǞЉt c”. Note that this is ciphertext, not a hash: a hash cannot be reversed, while this file can be decrypted by anyone allowed to use our-cryptokey, so the IAM policy on the key is what protects the data.
Now upload the encrypted file to Cloud Storage with the following command:
gsutil cp ./hello.enc gs://${CLOUD_STORAGE_BUCKET_NAME}
In the Cloud Console we can see the encrypted file that was uploaded.
Decrypt our file
If we want to decrypt hello.enc, or we already have encrypted data in the bucket, we can copy it down from Cloud Storage with the following command:
gsutil cp gs://${CLOUD_STORAGE_BUCKET_NAME}/hello.enc .
Note: in this case we don't have to, because we still have hello.enc locally.
Now decrypt the file with the following command:
gcloud kms decrypt --location "global" --keyring "our-keyring" --key "our-cryptokey" --ciphertext-file ./hello.enc --plaintext-file ./hello-decrypted.txt
To read hello-decrypted.txt, run:
cat hello-decrypted.txt
Output:
Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.
Cleanup environment
To delete the Cloud Storage bucket we created earlier, together with its objects, run the following command:
gsutil rm -r gs://${CLOUD_STORAGE_BUCKET_NAME}
Note: Cloud KMS KeyRings and CryptoKeys can't be deleted. We can, however, destroy the key version we used. That makes every ciphertext produced with it, hello.enc included, permanently undecryptable once destruction completes, so only do this after the encrypted data is gone; a destroyed version can still be restored until its scheduled destruction time (24 hours by default).
gcloud kms keys versions destroy "1" --location "global" --key "our-cryptokey" --keyring "our-keyring"
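The whole walkthrough as one checked shell script, added here as an example; it is not code from the original post and not a Google-provided tool. It assumes gcloud and gsutil are authenticated (as they are in Cloud Shell), that GOOGLE_CLOUD_PROJECT and CLOUD_STORAGE_BUCKET_NAME are set, and it introduces its own variable names (KMS_LOCATION, KMS_KEYRING, KMS_KEY, KMS_MEMBER) and helper functions, none of which come from Cloud KMS. Compared with the steps above it reuses a KeyRing and CryptoKey that already exist (they cannot be deleted), sets automatic key rotation, grants encrypt/decrypt on that single key instead of a project-wide KMS role, enforces the 64 KiB plaintext limit of the Cloud KMS encrypt call before calling it, and checks the decrypted bytes against the original rather than eyeballing the output.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes an authenticated
# Cloud Shell with GOOGLE_CLOUD_PROJECT and CLOUD_STORAGE_BUCKET_NAME set.
# KMS_LOCATION, KMS_KEYRING, KMS_KEY and KMS_MEMBER are our own names.
set -eu

KMS_LOCATION="${KMS_LOCATION:-global}"
KMS_KEYRING="${KMS_KEYRING:-our-keyring}"
KMS_KEY="${KMS_KEY:-our-cryptokey}"
# Optional principal allowed to use the key, e.g.
# "serviceAccount:app@my-project.iam.gserviceaccount.com" (placeholder).
KMS_MEMBER="${KMS_MEMBER:-}"

# Fully-qualified key name: projects/P/locations/L/keyRings/R/cryptoKeys/K,
# the form IAM bindings and CMEK settings expect.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Cloud KMS encrypt accepts at most 64 KiB (65536 bytes) of plaintext per call.
# Larger data needs envelope encryption: encrypt locally with a data key and
# wrap only that key with KMS. Fail early instead of letting gcloud fail.
check_plaintext_size() {
  [ "$(( $(wc -c < "$1") ))" -le 65536 ]
}

# The decrypted file must be byte-for-byte identical to the original.
verify_roundtrip() {
  cmp -s "$1" "$2"
}

kms_demo() {
  local project="${GOOGLE_CLOUD_PROJECT:?set GOOGLE_CLOUD_PROJECT}"
  local bucket="${CLOUD_STORAGE_BUCKET_NAME:?set CLOUD_STORAGE_BUCKET_NAME}"

  gcloud services enable cloudkms.googleapis.com --project "$project"

  # KeyRings and CryptoKeys cannot be deleted, so reuse them if present.
  gcloud kms keyrings describe "$KMS_KEYRING" --location "$KMS_LOCATION" >/dev/null 2>&1 ||
    gcloud kms keyrings create "$KMS_KEYRING" --location "$KMS_LOCATION"
  gcloud kms keys describe "$KMS_KEY" --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" >/dev/null 2>&1 ||
    gcloud kms keys create "$KMS_KEY" --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" \
      --purpose "encryption" \
      --rotation-period "90d" \
      --next-rotation-time "$(date -u -d '+90 days' +%Y-%m-%dT%H:%M:%SZ)"  # GNU date, as in Cloud Shell

  # Least privilege: encrypt/decrypt on this one key only, not on the project.
  if [ -n "$KMS_MEMBER" ]; then
    gcloud kms keys add-iam-policy-binding "$KMS_KEY" --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" \
      --member "$KMS_MEMBER" --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  fi

  printf 'Hello! From Cloud Storage KMS.\n' > hello.txt
  check_plaintext_size hello.txt

  gcloud kms encrypt --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" --key "$KMS_KEY" \
    --plaintext-file hello.txt --ciphertext-file hello.enc

  # Uniform bucket-level access: object ACLs cannot widen who reads the ciphertext.
  gsutil ls -b "gs://$bucket" >/dev/null 2>&1 || gsutil mb -b on "gs://$bucket"
  gsutil cp hello.enc "gs://$bucket/hello.enc"

  # Decrypt the copy fetched from the bucket, not the local one, to prove the upload.
  gsutil cp "gs://$bucket/hello.enc" hello-from-bucket.enc
  gcloud kms decrypt --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" --key "$KMS_KEY" \
    --ciphertext-file hello-from-bucket.enc --plaintext-file hello-decrypted.txt

  verify_roundtrip hello.txt hello-decrypted.txt &&
    echo "round trip OK with $(kms_key_name "$project" "$KMS_LOCATION" "$KMS_KEYRING" "$KMS_KEY")"
}

# Only touch a real project when asked; otherwise the file just defines functions.
if [ "${1:-}" = "run" ]; then
  kms_demo
fi
```

Save it as, say, kms-demo.sh and run `bash kms-demo.sh run` in Cloud Shell; without the `run` argument it only defines the functions, so it can be sourced and the helpers tested offline. Set KMS_MEMBER to the principal that will actually decrypt (a service account, not a user) before running, or leave it empty to skip the IAM step.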
Congratulations
We have successfully encrypted and decrypted data using Cloud KMS and stored the encrypted data in Cloud Storage. Thanks for your time and passion. Feel free to ask me anything.
Say hi to me on Twitter, LinkedIn, and Medium, where I keep sharing interesting updates.