How does CloudKMS encryption/decryption work securely when being called from a non-Google system?

Question

I need to know that the plaintext/ciphertext being sent to Google CloudKMS, and the public/private key used to authenticate, are secure in transit, but I don't know how to prove that.

As per KMS docs, I created a service account, downloaded the JSON key file, and have hooked it up via the environment variable GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json.

I am using the google-api-client gem (at version 0.10.3, released 13 months old, because I can't install mime-types >= 3.0 whilst using padrino-mailer: see this commit), have tested the Google::Apis::CloudkmsV1::CloudKMSService methods encrypt_crypto_key and decrypt_crypto_key, and they're working nicely.

I have tried reading through the source code of the google-api-client, googleauth, and signet gems. All I'm certain of is:

1. The JSON key file is loaded and the private_key value is used to make OpenSSL::PKey::RSA.new here
2. Signet::OAuth2::Client is given the RSA key as signing_key in this file

I would consider the security proven if the JSON key file is used to encrypt the string sent through encrypt_crypto_key on the calling server, and likewise to decrypt the string received by decrypt_crypto_key, and the CloudKMS server on the other end behaves similarly. This is what I'm assuming the library does – End-to-end encryption – but I must see it to believe it. I attempted to view the traffic in Wireshark but couldn't make any sense of it (maybe that fact proves it? I don't know )

Can anyone help me prove or disprove this method of calling CloudKMS to encrypt/decrypt user data – using the google-api-client gem with a JSON key file downloaded as per the docs – is secure?

---

Related: for those of you who are interested, the CloudKMS API is on the roadmap to be included in the newer google-cloud gem.

Answer 1

The communications between your client and Google are secured via TLS. You can see in Wireshark that the communications are on port 443 and that a TLS connection is negotiated.

Your requests are authenticated using OAuth. In this case (using a service account from outside of GCP), this is done using the flow documented in Using OAuth 2.0 for Server to Server Applications:

• you are responsible for provisioning your off-GCP app with the private key issued to the service account you wish to assert;
• it then uses that private key to sign a JWT and submit it to Google's OAuth server;
• Google replies with an OAuth access token which is a bearer credential which identifies the service account in question;
• You then provide that access token with your requests to KMS to identify the entity making the requests as the service account and using its authority;
• KMS and GCP then use that identity to evaluate IAM access controls to determine whether particular operations are authorized.

This is secured end-to-end (the TLS connection is end-to-end security since the parties to the communication—your service and Google—are the TLS endpoints). Since your question seems to be "are these requests secure in transit, and how can I show this", I think it's sufficient to show that a TLS connection is being negotiated, Wireshark should be able to show you this. (Your connection library also needs to be doing a suitable PKI evaluation of the presented certificate; validating that this is taking place correctly is a little more involved, but it's a reasonable thing to trust is happening correctly if you investigate the tools you're using and their assertions around certificate validation).

Best wishes and thanks for using GCP and Cloud KMS. Let us know if you have any further questions.