DEV Community

Cover image for Securing cloud storage files with KMS
Sadhan Sarker
Sadhan Sarker

Posted on • Updated on

Securing cloud storage files with KMS

Cloud Key Management Service (KMS) allows us to create, import & manage cryptographic keys and also perform cryptographic operations in a single centralized cloud service the same way on-premises. By using Cloud KMS, Cloud HSM, or Cloud External Key Manager or Customer-Managed Encryption Keys (CMEK integrations) we can encrypt, decrypt, and verify.

In this post, we are going to deal with Cloud KMS, Cloud Storage, Cloud SDK. Also, learn about encryption and manage encryption keys using KMS. So, let’s a drive-in. Sign-in to Google Cloud Platform (GCP) Console and Create a new project and activate our Cloud Shell.

Alt Text

Click Continue

Alt Text

Create a Cloud Storage Bucket

Create Cloud Storage Bucket, we can do that using gsutil, remember bucket names are globally unique. Run the following command in Cloud Shell to set a variable to our bucket name:

export CLOUD_STORAGE_BUCKET_NAME=put_our_unique_bucket_name
Enter fullscreen mode Exit fullscreen mode

Now, just hit the following command, to create a new cloud storage bucket,

gsutil mb gs://${CLOUD_STORAGE_BUCKET_NAME}
Enter fullscreen mode Exit fullscreen mode

Alt Text

Create a sample data

Create a simple file so that we can encrypt & decrypt that file, Open Cloud Shell and create a new file, Here, I’m using Vim console-based text editor. If we want, we can download the source file from another location. To create a new file, run the following command:

vi hello.txt
Enter fullscreen mode Exit fullscreen mode

Input: to insert content press i,

Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.
Enter fullscreen mode Exit fullscreen mode

Note: To save that hello.txt file press Ctrl+c and type :wq . To read that file content hit below commands,

cat hello.txt
Enter fullscreen mode Exit fullscreen mode

Output:

Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.
Enter fullscreen mode Exit fullscreen mode

Enable Cloud KMS Service

Before using Cloud KMS, we must need to enable that service. It could be done from Cloud Console UI and another is from gcloud CLI command. To enable the Cloud KMS Service, run the following command in our Cloud Shell:

gcloud services enable cloudkms.googleapis.com
Enter fullscreen mode Exit fullscreen mode

Optional, this only needs to be done once per project

gcloud services enable cloudkms.googleapis.com \
    --project "${GOOGLE_CLOUD_PROJECT}"
Enter fullscreen mode Exit fullscreen mode

Create KeyRing and CryptoKey

In order to encrypt & decrypt data, we need to create a KeyRing and a CryptoKey. KeyRings are useful for Grouping keys. To create KeyRing for a global region:

gcloud kms keyrings create "our-keyring" --location "global"
Enter fullscreen mode Exit fullscreen mode

Note: If we want to view that newly created key then Open Web UI.

Next, using the new KeyRing, create a CryptoKey

gcloud kms keys create "our-cryptokey" \
    --location "global" \
    --keyring "our-keyring" \
    --purpose "encryption"
Enter fullscreen mode Exit fullscreen mode

From Web UI We can view that Keys,

Alt Text

Click on our-keyring then we are able to see our-cryptokey, which is group together

Alt Text

Encrypt our file

Encrypt the hello.txt file contents using Cloud KMS. Here, I’m using the gcloud command-line tool. But we can also encrypt data using the Cloud KMS API.

gcloud kms encrypt --location "global" \
    --keyring "our-keyring" --key "our-cryptokey" \
    --plaintext-file ./hello.txt \
    --ciphertext-file ./hello.enc
Enter fullscreen mode Exit fullscreen mode

This will create a hello.enc file which will be encrypted. To open that encrypt file run:

cat hello.enc
Enter fullscreen mode Exit fullscreen mode

Output: Cloud be like an unreadable hash like “6B!h>X7^RR*IRt;_*b~0IrP1<)]'ǞЉt c”

Now, we can upload that encrypted file to the Cloud Storage, run the following command

gsutil cp ./hello.enc gs://${CLOUD_STORAGE_BUCKET_NAME}
Enter fullscreen mode Exit fullscreen mode

We can view our encrypted file which actually uploaded,

Alt Text

Decrypt our file

If we want to decrypt that hello.enc. Or, we have already encrypted data then we can copy that from Cloud Storage bucket by the following command,

gsutil cp gs://${CLOUD_STORAGE_BUCKET_NAME}/hello.enc . 
Enter fullscreen mode Exit fullscreen mode

Note: In this case, we don’t have to do that because we already have our hello.enc file.

Now, We can decrypt that file by the following command below,

gcloud kms decrypt --location "global" \
    --keyring "our-keyring" --key "our-cryptokey" \
    --ciphertext-file ./hello.enc \
    --plaintext-file ./hello-decryped.txt
Enter fullscreen mode Exit fullscreen mode

To open that hello-decryped.txt file run following command

cat hello-decryped.txt
Enter fullscreen mode Exit fullscreen mode

Output:

Hello! From Cloud Storage KMS. We are going to encrypt and decrypt this file using Cloud KMS.
Enter fullscreen mode Exit fullscreen mode

Cleanup environment

To delete cloud storage bucket, which we created earlier, run the following command

gsutil rm -r gs://${CLOUD_STORAGE_BUCKET_NAME}
Enter fullscreen mode Exit fullscreen mode

Note: Cloud KMS resources can’t be deleted. However, we can destroy that by the following command

gcloud kms keys versions destroy "1" \
    --location "global" \
    --key "our-cryptokey" \
    --keyring "our-keyring"
Enter fullscreen mode Exit fullscreen mode

Congratulations

We have successfully encrypted and decrypt data using Cloud KMS and stored encrypted data in Cloud Storage. Thanks for time & passion. Feel free to ask me anything.

Say Hi to me on Twitter, Linkedin, and Medium where I keep on sharing interesting updates.

Original Post

Top comments (0)