This tag is for questions about Google Cloud KMS, a Google Cloud Platform service which allows developers to store and make use of encryption keys to secure data.
Questions tagged [google-cloud-kms]
230 questions
4
votes
0 answers
Digital signatures in pdf
I'm trying to digitally sign a pdf file using a PKCS#7 formatted signature in NodeJS.
The setup:
Node-forge does a great job at generating PKCS#7 format. I've already validated that the end output of the library fits my needs. By default pkcs7…

Ivaylo Atanasov
4
votes
1 answer
Mutual TLS in Python using Google Cloud KMS
Is there a way to make HTTP requests over mTLS with private keys stored in Google Cloud Key Management Service?
In this blog post what we need is done in Go. Is it possible to achieve the same in Python? I was hoping that Tink library provides some…

Fedor
4
votes
1 answer
Sops unable to gcp kms decrypt file on Circleci despite GOOGLE_APPLICATION_CREDENTIALS successfully set to service account json
I am trying to configure a job on my local circleci (using docker executor, image: google/cloud-sdk:latest), and that job requires a sops gcp kms encrypted file to be decrypted. I have set up a google service account for the gcp kms decrypt service…

ltcolumb
4
votes
1 answer
How to specify secretEnv to cloudbuild.yaml via gcloud cli args or environment variables
If I follow the cloud build document, I have to specify an encrypted secret in cloudbuild.yaml.
secrets:
- kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
  secretEnv:
    MY_SECRET:

Takato Horikoshi
4
votes
1 answer
Can't decrypt property from spring cloud config or environment variable
I'm trying to get my KMS library, found here, to decrypt items from my application.yml that come from either the google cloud config server or an environment variable.
In playing around I've tried a number of scenarios to get this to work. Ideally…

Puttzy
4
votes
1 answer
Using Google Cloud Key Management Service to sign an Ethereum transaction
I've been working on writing a signer service for an Ethereum transaction manager and I need to sign Ethereum transactions using Google KMS Golang APIs. I'll try and summarise the problems I'm facing below.
Ethereum requires compact RLP encoded…

Samikshan Bairagya
4
votes
2 answers
Best practice for Firebase Realtime Database encryption using Google Cloud KMS
We are using Firebase Database Rules to secure our database. We also would like to add additional security by encrypting sensitive user information. Right now our encryption approach is:
Encrypting user data client side with a public key before the…

Tamay Eser Uysal
4
votes
2 answers
Google's Key Management System: data unencryption after key rotation
Context
I am following GCP's instructions for Storing Secrets in Storage Bucket. KMS is used for file encryption before it's being uploaded to Storage Bucket.
Since data encryption happens outside of Google's storage I am a bit confused with one…

Igor Soloydenko
3
votes
1 answer
Allow sops encryption, but not decryption?
I'm trying to create a secrets.json file that can be checked into git. I want for my entire team to be able to add / encrypt a value to the secrets file, but not decrypt a value. We're using Google Cloud to manage access to the encryption key. When…

Scott Pierce
3
votes
1 answer
Can we save wrapped keys generated with cloud KMS keys in DLP deidentification templates(using Python Api)?
I am working on a PII de-identification project and using google cloud's data loss prevention api.
Use case: To encrypt a field with cloud KMS key.
Created a dlp-deidentification template, here is the snippet:
{
"deidentify_template":{
…

Arnab Mukherjee
3
votes
2 answers
403 Error on KMS Permissions for Uploading Content to GCP Storage Bucket
Figured it out
So there's two ways to solve this:
Option 1:
I was not enabling the project to have access to the KMS Key that was being used to encrypt/decrypt the storage bucket. I was able to test by running the following command in the cli while…

Brian Truman
3
votes
0 answers
How to use Google cloud KMS to encrypt and decrypt properties in yml file?
I am trying to understand whether it is possible to use Google cloud KMS to encrypt and decrypt sensitive properties in a yml file, so that on application startup it will decrypt the values and use them in the application. For example, database username and password…

akreddy.21
3
votes
2 answers
Permission denied on Cloud KMS key when using cloud storage
I am using cloud storage to upload a file with a kms key. Here is my code:
await storage.bucket(config.bucket).upload(file, {
kmsKeyName: `projects/${process.env.PROJECT_ID}/locations/global/keyRings/test/cryptoKeys/nodejs-gcp`,
destination:…

Lin Du
3
votes
1 answer
Google Cloud Key Management Service to sign JSON Web Tokens
First of all I tried the solution at: Using Google Cloud Key Management Service to sign JSON Web Tokens
But it doesn't work.
Creating signature:
const TimeStamp = Math.floor(new Date().getTime() / 1000)
let body = base64url(
JSON.stringify({
…

Niket Malik
3
votes
1 answer
Is it useful to encrypt Terraform state stored on a remote backend (like GCS bucket)?
I'm using Terraform to manage Google Cloud Platform (GCP) resources. I use Google Cloud Storage backend to store the state file. GCP provides a managed Key Management Service, therefore it is possible to manage keys and easily enable encryption on a…

norbjd