UCONN Stamford Google Cloud Development Platform: Encrypt and decrypt data with Cloud KMS

Encrypt and decrypt data

with Cloud KMS

Overview

Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on-premises.

It includes support for encryption, decryption, signing, and verification using a variety of key types and sources including Cloud HSM for hardware-backed keys. This tutorial teaches you how to encrypt and decrypt data using symmetric Cloud KMS keys.

You will learn

How to enable the Cloud KMS API
How to create a Cloud KMS Key Ring
How to create a Cloud KMS Crypto Key for symmetric encryption/decryption
How rotate a symmetric Cloud KMS Crypto Key

Start Cloud Shell

In this codelab you will use Cloud Shell, a free virtualized environment running on Google Cloud. From the GCP Console click the Cloud Shell icon on the top right toolbar:

Enable Cloud KMS Service

Before you can use Cloud KMS, you must first enable the service in your project. This only needs to be done once per project. To enable the Cloud KMS service, run the following command:

gcloud services enable cloudkms.googleapis.com --project "${GOOGLE_CLOUD_PROJECT}"

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ gcloud services enable cloudkms.googleapis.com --project "${GOOGLE_CLOUD_PROJECT}"

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

Create KMS Key

Create a Cloud KMS Key Ring. In Cloud KMS, a Key Ring is a logical collection of cryptographic keys. The Key Ring contains metadata about the keys such as their location. Create a Key Ring named my-keyring in the global region:

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ gcloud kms keyrings create "my-uconnkeyring" --location "global"

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

Now create a Crypto Key named my-uconn-symmetric-key with the purpose of encryption inside the Key Ring you just created.

gcloud kms keys create "my-uconnsymmetric-key" --location "global" --keyring "my-uconnkeyring" --purpose "encryption"

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ gcloud kms keys create "my-uconnsymmetric-key" --location "global" --keyring "my-uconnkeyring" --purpose "encryption"

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

Symmetric Keys

This tutorial uses symmetric encryption keys. Cloud KMS also supports asymmetric keys like public-private key pairs, which have different purposes like asymmetric encryption or asymmetric signing.

In cryptography, a symmetric key is one that is used both to encrypt and decrypt information. This means that to decrypt information, one must have the same key that was used to encrypt it.

Encrypt Data

Create a file with your custom data in it.

Use the shell script from the first lesson to load the data into that file.

Edit the my_profile script to create the file mydata.txt using output redirection > And append data to the end of the file using >>

Redirection is a feature in Linux such that when executing a command, you can change the standard input/output devices.

#!/bin/bash

# my first script

echo "Hello my name is John Iacovacci" > mydata.txt

echo "My major is Computer Science" >> mydata.txt

echo "I want to be a developer" >> mydata.txt

echo "My High School was Christopher Columbus in the Bronx" >> mydata.txt

In order to check the contents I can use the cat command

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ cat mydata.txt

Hello my name is John Iacovacci

My major is Computer Science

I want to be a developer

My High School was Christopher Columbus in the Bronx

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

use the gcloud command line tool to encrypt the data in the file:

gcloud kms encrypt --location "global" --keyring "my-uconnkeyring" --key "my-uconnsymmetric-key" --plaintext-file ./mydata.txt --ciphertext-file ./mydata.txt.enc

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ gcloud kms encrypt --location "global" --keyring "my-uconnkeyring" --key "my-uconnsymmetric-key" --plaintext-file ./mydata.txt --ciphertext-file ./mydata.txt.enc

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ ls -lt my*

-rw-rw-r-- 1 john_iacovacci1 john_iacovacci1 222 Oct 28 00:37 mydata.txt.enc

-rw-rw-r-- 1 john_iacovacci1 john_iacovacci1 29 Sep 24 01:11 my_info.txt

-rw-rw-r-- 1 john_iacovacci1 john_iacovacci1 27 Aug 30 16:42 my-script.sh

-rwxr-xr-x 1 john_iacovacci1 john_iacovacci1 251 Apr 3 2024 my_profile

-rw-r--r-- 1 john_iacovacci1 john_iacovacci1 139 Apr 3 2024 mydata.txt

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ cat mydata.txt.enc

$Y2b?G-mq:6A

݉3@v1]!A`؍,]W|&nN83dEvJ*.2x:N7%aIlrW4X6"p*?wCMNzDx`gSb

ג|3dtffv}zĠ8~F9john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

The encrypted data (also known as "ciphertext") is saved in mydata.txt.enc on disk. If you open the mydata.txt.enc file, you will notice that it has strange, unprintable characters. That is because the resulting data is in binary format.

When storing the ciphertext in a database or transmitting it as part of an HTTP request, you may need to encode the data. A common encoding mechanism is base64.

Cloud KMS does not store any of the plaintext you provide. You need to save this ciphertext in a secure location as it will be required to retrieve the plaintext value.

Non-Convergent Encryption

Cloud KMS produces a different ciphertext each time it is invoked, even for the same plaintext data. Each invocation of the encrypt command will generate a new ciphertext even if the plaintext data is unchanged. This is because Cloud KMS does not use convergent encryption algorithms.

Decrypt Data

Decrypt the ciphertext from the file using the gcloud command line tool:

$ gcloud kms decrypt \

--location "global" \

--keyring "my-uconnkeyring" \

--key "my-uconnsymmetric-key" \

--plaintext-file - \

--ciphertext-file ./mydata.txt.enc

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$ gcloud kms decrypt \

> --location "global" \

> --keyring "my-uconnkeyring" \

> --key "my-uconnsymmetric-key" \

> --plaintext-file - \

> --ciphertext-file ./mydata.txt.enc

Hello my name is John Iacovacci

My major is Computer Science

I want to be a developer

My High School was Christopher Columbus in the Bronx

john_iacovacci1@cloudshell:~/scripts (uconn-engr)$

The gcloud command line tool reads the ciphertext from the file and decrypts it using Cloud KMS. Notice this example specifies the --plaintext-file argument as -. This instructs gcloud to print the result to the terminal.

The console will print my-contents, which is the same plaintext value from the file above.

Rotate Keys

In Cloud KMS, a Crypto Key is actually a collection of Crypto Key Versions. You can create new Crypto Key Versions to perform key rotation. Cloud KMS can also automatically rotate keys on a schedule.

To rotate a key manually, create a new Crypto Key Version and set it as the primary version:

$ gcloud kms keys versions create \

--location "global" \

--keyring "my-uconnkeyring" \

--key "my-uconnsymmetric-key" \

--primary

Note: When coping commands bring into an editor and delete blank lines then copy back to linux shell.

All future requests to encrypt data will use this new key. The older keys are still available to decrypt data that was previously encrypted using those keys. Cloud KMS automatically determines the appropriate decryption key based off of the provided ciphertext - you do not have to specify which Crypto Key Version to use for decryption.

To prevent ciphertext values that were encrypted using an older Crypto Key Version from being decrypted using Cloud KMS, you can disable or destroy that Crypto Key Version. Disabling is a reversible operation whereas destroying is permanent. To disable a version:

$ gcloud kms keys versions disable "1" \

--location "global" \

--keyring "my-uconnkeyring" \

--key "my-uconnsymmetric-key"

Congratulations!

You enabled the Cloud KMS API, created a symmetric encryption key, and encrypted and decrypted data! Cloud KMS is a powerful product and encryption/decryption just scratches the surface of its capabilities.