Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on-premises. It includes support for encryption, decryption, signing, and verification using a variety of key types and sources including Cloud HSM for hardware-backed keys. This tutorial teaches you how to encrypt and decrypt data using symmetric Cloud KMS keys.
You will learn
Note: You can easily access Cloud Console by memorizing its URL, which is console.cloud.google.com.
Remember the project ID, a unique name across all Google Cloud projects (the name above has already been taken and will not work for you, sorry!). It will be referred to later in this codelab as PROJECT_ID.
Note: If you're using a Gmail account, you can leave the default location set to No organization. If you're using a G Suite account, then choose a location that makes sense for your organization.
Running through this codelab shouldn't cost much, if anything at all. Be sure to follow any instructions in the "Cleaning up" section, which advises you how to shut down resources so you don't incur billing beyond this tutorial. New users of Google Cloud are eligible for the $300 USD Free Trial program.
Start Cloud Shell
In this codelab you will use Cloud Shell, a free virtualized environment running on Google Cloud. From the GCP Console click the Cloud Shell icon on the top right toolbar:
It should only take a few moments to provision and connect to the environment. When it is finished, you should see something like this:
This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on the Google Cloud, greatly enhancing network performance and authentication. Unless otherwise instructed, run all commands from this shell.
3. Enable Cloud KMS Service
Before you can use Cloud KMS, you must first enable the service in your project. This only needs to be done once per project. To enable the Cloud KMS service, run the following command:
$ gcloud services enable cloudkms.googleapis.com \
    --project "${GOOGLE_CLOUD_PROJECT}"
It can take up to a minute to enable. The command will report success when it finishes.
4. Create KMS Key
Create a Cloud KMS Key Ring. In Cloud KMS, a Key Ring is a logical collection of cryptographic keys. The Key Ring contains metadata about the keys such as their location. Create a Key Ring named my-keyring in the global region:
$ gcloud kms keyrings create "my-keyring" \
    --location "global"
Already Exists
If you have done this tutorial (or other Cloud KMS tutorials) previously, you may see an error that "my-keyring" already exists. You can ignore this error and continue to the next step as you have already created the Key Ring.
Now create a Crypto Key named my-symmetric-key with the purpose encryption inside the Key Ring you just created.
$ gcloud kms keys create "my-symmetric-key" \
    --location "global" \
    --keyring "my-keyring" \
    --purpose "encryption"
Symmetric Keys
This tutorial uses symmetric encryption keys. Cloud KMS also supports asymmetric keys like public-private keypairs, which have different purposes like asymmetric encryption or asymmetric signing.
5. Encrypt Data
Create a file with data to encrypt and use the gcloud command line tool to encrypt the data in the file:
$ echo "my-contents" > ./data.txt
$ gcloud kms encrypt \
    --location "global" \
    --keyring "my-keyring" \
    --key "my-symmetric-key" \
    --plaintext-file ./data.txt \
    --ciphertext-file ./data.txt.enc
The encrypted data (also known as "ciphertext") is saved in data.txt.enc on disk. If you open the data.txt.enc file, you will notice that it has strange, unprintable characters. That is because the resulting data is in binary format.
When storing the ciphertext in a database or transmitting it as part of an HTTP request, you may need to encode the data. A common encoding mechanism is base64.
Cloud KMS does not store any of the plaintext you provide. You need to save this ciphertext in a secure location as it will be required to retrieve the plaintext value.
Non-Convergent Encryption
Cloud KMS produces a different ciphertext each time it is invoked, even for the same plaintext data. Each invocation of the encrypt command will generate a new ciphertext even if the plaintext data is unchanged. This is because Cloud KMS does not use convergent encryption algorithms.
6. Decrypt Data
Decrypt the ciphertext from the file using the gcloud command line tool:
$ gcloud kms decrypt \
    --location "global" \
    --keyring "my-keyring" \
    --key "my-symmetric-key" \
    --plaintext-file - \
    --ciphertext-file ./data.txt.enc
The gcloud command line tool reads the ciphertext from the file and decrypts it using Cloud KMS. Notice this example specifies the --plaintext-file argument as -. This instructs gcloud to print the result to the terminal.
The console will print my-contents, which is the same plaintext value from the file above.
In Cloud KMS, a Crypto Key is actually a collection of Crypto Key Versions. You can create new Crypto Key Versions to perform key rotation. Cloud KMS can also automatically rotate keys on a schedule.
To rotate a key manually, create a new Crypto Key Version and set it as the primary version:
$ gcloud kms keys versions create \
    --location "global" \
    --keyring "my-keyring" \
    --key "my-symmetric-key" \
    --primary
All future requests to encrypt data will use this new key version. The older versions are still available to decrypt data that was previously encrypted using them. Cloud KMS automatically determines the appropriate decryption key version based on the provided ciphertext; you do not have to specify which Crypto Key Version to use for decryption.
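The steps above, pulled together as an added shell example that is not part of the codelab: the ciphertext is base64-encoded for storage or transmission (as the Encrypt Data section suggests), two encryptions of the same plaintext are checked to differ (non-convergent encryption), and after a rotation the ciphertext from the previous version is checked to still decrypt. It assumes the tutorial's my-keyring and my-symmetric-key exist in location global, that gcloud is authenticated, and that GNU base64 (-w0) is available, as it is in Cloud Shell; the function names are this example's own.

```shell
# Added example, not part of the codelab. Assumes the tutorial's key ring
# "my-keyring" and key "my-symmetric-key" exist in location "global",
# gcloud is authenticated, and GNU base64 (-w0) is available (Cloud Shell).
set -eu

LOCATION="${LOCATION:-global}"
KEYRING="${KEYRING:-my-keyring}"
KEY="${KEY:-my-symmetric-key}"

# Single seam for the Cloud KMS call; everything else is plain shell.
kms_cmd() { gcloud kms "$@"; }

# Encrypt a string and emit the binary ciphertext base64-encoded on one
# line, the form you would store in a database column or send over HTTP.
kms_encrypt_b64() {
  printf '%s' "$1" | kms_cmd encrypt \
    --location "$LOCATION" --keyring "$KEYRING" --key "$KEY" \
    --plaintext-file - --ciphertext-file - | base64 -w0
}

# Decode base64, hand the raw ciphertext to KMS and print the plaintext.
# No key version is named: KMS picks the version that produced the ciphertext.
kms_decrypt_b64() {
  printf '%s' "$1" | base64 -d | kms_cmd decrypt \
    --location "$LOCATION" --keyring "$KEYRING" --key "$KEY" \
    --ciphertext-file - --plaintext-file -
}

# Round trip that also checks the non-convergent property described above:
# two encryptions of one plaintext must differ, and both must decrypt back.
kms_roundtrip_check() {
  c1=$(kms_encrypt_b64 "$1")
  c2=$(kms_encrypt_b64 "$1")
  [ "$c1" != "$c2" ] || { echo "identical ciphertexts" >&2; return 1; }
  [ "$(kms_decrypt_b64 "$c1")" = "$1" ] || return 1
  [ "$(kms_decrypt_b64 "$c2")" = "$1" ] || return 1
}

# Rotate to a new primary version, then confirm ciphertext made under the
# previous version still decrypts (old versions stay usable until disabled).
kms_rotate_check() {
  old=$(kms_encrypt_b64 "$1")
  kms_cmd keys versions create --location "$LOCATION" \
    --keyring "$KEYRING" --key "$KEY" --primary >/dev/null
  [ "$(kms_decrypt_b64 "$old")" = "$1" ]
}

if [ "${1:-}" = "run" ]; then
  kms_roundtrip_check "my-contents" && kms_rotate_check "my-contents" && echo OK
fi
```

Run it from Cloud Shell as `sh kms_demo.sh run`; each rotation creates a real new version, so disable or destroy versions you no longer need afterwards.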
To prevent ciphertext values that were encrypted using an older Crypto Key Version from being decrypted using Cloud KMS, you can disable or destroy that Crypto Key Version. Disabling is a reversible operation whereas destroying is permanent. To disable a version:
$ gcloud kms keys versions disable "1" \
    --location "global" \
    --keyring "my-keyring" \
    --key "my-symmetric-key"
8. Congratulations!
You enabled the Cloud KMS API, created a symmetric encryption key, and encrypted and decrypted data! Cloud KMS is a powerful product and encryption/decryption just scratches the surface of its capabilities.
Clean up
If you are done exploring, please consider deleting your project.
This work is licensed under a Creative Commons Attribution 2.0 Generic License.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.