This tag is for questions about Google Cloud KMS, a Google Cloud Platform service which allows developers to store and make use of encryption keys to secure data.
Questions tagged [google-cloud-kms]
230 questions
0
votes
1 answer
Data Encryption Keys and Key Encryption Keys
I hope someone can help me to understand how DEK and KEK works in layman term.
This is my understanding so far
Part 1
Uploaded data is stored in chunks. Each chunk is encrypted with DEK. DEK is stored near the chunked data.
Part 2 DEK of the data…
FlyingPenguin
- 231
- 1
- 9
0
votes
1 answer
Reading a KMS encrypted file from Google Cloud Dataflow
I went through this Google Cloud Documentation, which mentions that :-
Dataflow can access sources and sinks that are protected by Cloud KMS keys without you having to specify the Cloud KMS key of those sources and sinks, as long as you are not…
Krish
- 752
- 3
- 10
0
votes
1 answer
GCP policy to enforce to use EKM (externally managed key) in KMS
Anyone knows how can we enforce the use of EKM (externally managed key) in the GCP KMS?
I would like to avoid using Google-generated keys in the KMS as per our company policy.
Thanks
PJS
- 141
- 3
- 13
0
votes
1 answer
How to implement BigQuery for the Google EKM?
I want to implement BigQuery which interacts with an external key management using HYOK function.
I have not found any guides about the configuration of BigQuery with EKM (and then using HYOK) but just the configuration of it with the CMEK (that use…
Dexter
- 1
0
votes
1 answer
How do I check if key rotation is enabled for each key in every keyring in GCP using the cloud client library or clientapi?
Is there a way to get key rotation using the cloud client library or the googleapiclient instead of having to check it manually for each keyring and key. I want a script that will go through all the keyring and give me a list of keys that do not…
Ajay Ghale
- 3
- 1
0
votes
0 answers
How to send encoded KMS keyring information in google signed URL
How to send KMS keyring information in encoded format in google signed URL for customer managed encryption key
I have added "x-goog-encryption-kms-key-name": "projects/{PROJECT_ID}/locations/us/keyRings/{KEYRING_NAME}/cryptoKeys/{KEY_VERSION}"
But…
Sushma Kundapur
- 21
- 2
0
votes
1 answer
List the keys (key name and versions) based on keyring using java
I'm using a java client to retreive available keyrings from google KMS based on https://cloud.google.com/kms/docs/samples/kms-quickstart#kms_quickstart-java
below gcould command will list the available beys and versions for a specific keyRing
gcloud…
Vikas
- 13
- 3
0
votes
0 answers
Can I encrypt a string in springboot using google cloud KMS. If so how can we provide an encryption?
Below is the data, which is being logged. I need to encrypt string (Numbermr), so that it doesn't show the value in logs as plain txt. Any idea on how to encrypt this string(Numbermr) in java using google cloud KMS?
** * To log data
*/
…
usertj
- 21
- 4
0
votes
1 answer
Application-layer Secrets in Google Kubernates is not supporting Asymmetric keys
I have created a RSA key (Asymmetric Key) in Google KMS. while trying to use it in GKE using Application-layer Secrets. the asymmetric keys are not getting loaded.
enter image description here
Vikas
- 13
- 3
0
votes
2 answers
How do I store a private key using Google Cloud's Cloud KMS?
I've been trying to read documentation, and watching a few of their videos but I'm not entirely clear on how I store a private key using GCP's Cloud KMS.
Is the idea for me to store the private key in storage, then use Cloud KMS to encrypt it? How…
nkhil
- 1,452
- 1
- 18
- 37
0
votes
1 answer
Share GCP KMS key among projects
I created a keyring and key in one of my GCP projects and I would like to share the key to others project i.e. the key can be used to encrypt the storage bucket.
Does anyone know the steps to share the key among GCP projects?
PJS
- 141
- 3
- 13
0
votes
1 answer
How to keep secrets hidden from gcloud project administrator?
I am devops engineer and project admin in Google Cloud project.
Organization has some super sensitive keys that should be accessed by containers running in Kubernetes or Cloud Run, but they should not be accessible by me.
So far I see Secrets…
Dmitriy Zhukov
- 372
- 2
- 12
0
votes
1 answer
actual data encryption key is used to encrypt PV in GKE
In GKE cluster, I get to encrypt a dynamically provisioned PV using customer supplied key (using Cloud KMS).
I specify KMS resource name in storage class, and create PVC out of this.
It is unclear to me, which key is used to encrypt data in PV.
Is…
C. Derx
- 326
- 2
- 13
0
votes
1 answer
Different behaviour in GKE between etcd and PV storage for same key action
GKE natively works with customer supplied key (using KMS), including actions like key rotation, key disabling/enabling for etcd / content in control plane.
While customer supplied key (using KMS) also works for encryption of dynamic PV mounts (using…
C. Derx
- 326
- 2
- 13
0
votes
1 answer
PV encryption using customer key in GKE (GCP), EKS (AWS)
Both GKE (GCP) and EKS (AWS) support encryption of dynamically provisioned PV, using customer's own encryption key. This customer key sits in Cloud KMS (GCP) / AWS KMS.
Native integration means, I simply point to KMS ID in storage class.
But the…
C. Derx
- 326
- 2
- 13