Google Cloud Platform – Key management service

Cloud KMS is a hosted KMS that lets you manage your encryption keys in the cloud. You can create/generate, rotate, use, and destroy AES256 encryption keys just like you would in your on-premises environments. You can also use the cloud KMS REST API to encrypt and decrypt data. Before we explore Cloud KMS, we need to understand the object hierarchy structure. Let’s briefly go over the object hierarchy and then explore Cloud KMS on the GCP console.

To enhance access control management, Cloud KMS stores keys in a hierarchical structure. There are different levels in the hierarchical structure:

  1. Project: Like every other GCP resource, Cloud KMS resources belong to a project. All primitive IAM roles that are applied to a project also apply to your KMS.
  2. Location: You can create Cloud KMS resources in multiple locations within a project. A location is where Cloud KMS handles requests for, and stores, the keys created there. If you create your keys in the global location, the Cloud KMS resources are served from multiple data centers rather than a single region.
  3. Key ring: An application can have multiple keys, which will be used for different resources. A key ring is a grouping of keys for easier management purposes. A key ring belongs to a project and is always placed in a specific location. All the keys in a key ring inherit permissions from the key ring that contains them. You can now easily alter permissions to all keys at the key ring level rather than having to do it at the per-key level.
  4. Key: A key is an object representing a cryptographic key. All keys are 256-bit Advanced Encryption Standard (AES-256) keys, and encrypting the same plaintext twice with the same key version produces two different ciphertexts. As a security measure, you can only use the key to encrypt or decrypt; you can never view, copy, or export it. The key’s “material” (the bits used to encrypt data) changes over time as new key versions are created, so as a key version changes, the key changes as well. You use a key to encrypt your data without worrying about the version. Cloud KMS can identify which key version was used and decrypt the data on request, because the key version is recorded in the encrypted data (the ciphertext). Key versions have states: enabled, disabled, scheduled for destruction, or destroyed. At any point in time a key has a primary version, which Cloud KMS uses to encrypt data. You rotate a key by creating a new key version and making it the primary version. After a new version is marked primary, the older versions are not deleted or destroyed and remain available for decrypting data.

It is important to rotate keys regularly by creating new versions. This limits how much data is protected by any one key version, which greatly reduces the exposure if a version is ever compromised. You can set a rotation schedule, which consists of a rotation period (the time between key rotations) and a next rotation time (when the next rotation will happen).

It is important to remember that key rings and key resources cannot be deleted. Key versions cannot be deleted either, but the key material (the key bits that encrypt data) can be destroyed. Key rings and keys do not have any quota limitations or billable costs, so they can be used and created without any impact on performance or price.

Let’s go ahead and create some cryptographic keys using the GCP Console.

Open up your GCP console and log in. On the left-hand tab, go to Security and click on Cryptographic keys.

You will see a notification that shows that you need to enable the KMS API before you start creating the keys.

Click Setup on the right-hand side of the screen to enable the API and set up billing. Once the API is enabled, click on the Create key ring button in the center of the screen. Remember, a key ring is a grouping of keys that is created at the Project level. All keys in a key ring remain in a specific location.

Click Create to begin creating a key in this key ring.

Click Create.

You will now see your key available. Click on the key name to see its version number and also options to rotate it.

When you click on ROTATE, you will see the following.

When you rotate the keys, you will see a new version created and the state set to Enabled & Primary. The older version state is Enabled. Now that you have the key, you can encrypt and decrypt any file using this key.
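To make the version semantics from the key description and the rotation step above concrete, here is a small local model of a CryptoKey. It is an added example, not Cloud KMS code or the Google client library: the real service never exposes key material, so this only reproduces the behaviour described (primary version used for encryption, version number carried in the ciphertext, old versions still decrypting after rotation, destroyed versions not). The 4-byte version header and AES-256-GCM layout are choices of this example, not the Cloud KMS ciphertext format.

```ruby
require "openssl"
require "securerandom"

# Local model of a Cloud KMS CryptoKey: not the service itself, which never
# exposes key material, but the version semantics described in the text.
class CryptoKey
  def initialize
    @versions = {} # version number => 32-byte AES-256 material, nil once destroyed
    @primary = 0
    rotate
  end

  # Rotation: the new version becomes primary, older versions stay and still decrypt.
  def rotate
    @primary += 1
    @versions[@primary] = SecureRandom.random_bytes(32)
    @primary
  end

  # Destroys only the material; the version number stays allocated, as versions
  # are never deleted, but ciphertexts produced under it are now unrecoverable.
  def destroy(version)
    @versions[version] = nil
  end

  # Encrypts with the primary version and prefixes its number (example layout),
  # mirroring how Cloud KMS records the version inside the ciphertext. The fresh
  # random nonce is why equal plaintexts never yield equal ciphertexts.
  def encrypt(plaintext)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = material(@primary)
    nonce = c.random_iv # 12 bytes
    [@primary].pack("N") + nonce + c.update(plaintext) + c.final + c.auth_tag
  end

  # Takes no version argument: it is read from the header, so callers never track it.
  def decrypt(ciphertext)
    raise ArgumentError, "ciphertext too short" if ciphertext.bytesize <= 32
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = material(ciphertext.unpack1("N"))
    c.iv = ciphertext[4, 12]
    c.auth_tag = ciphertext[-16..]
    c.update(ciphertext[16...-16]) + c.final # CipherError if tampered or wrong key
  end

  def material(version)
    m = @versions.fetch(version) { raise KeyError, "unknown key version #{version}" }
    m || raise(KeyError, "key version #{version} is destroyed")
  end
end
```

Encrypt, rotate, encrypt again and both ciphertexts still decrypt; destroy version 1 and only the data encrypted under it becomes unrecoverable, which is the cost the text warns about when destroying key material.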
