Using Customer-supplied encryption keys with GCP for new full disk encryption in GCE
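# These are my notes, circa Jan 17, 2017 for full volume encryption using customer supplied encryption keys (CSEK)
# Caveat emptor.
#
# Everything produced below (mykey.bin, encodedmykey.txt and the JSON key file) contains the
# unwrapped disk key. GCP does not keep a copy of a CSEK: lose the key and the disk is
# unrecoverable, leak it and the disk's encryption buys nothing. Keep these files 0600 and
# off shared/backup-scraped locations. Intended to be run step by step, not blindly.
set -euo pipefail
umask 077   # every file created from here on is owner-only (0600)

# Install Google Cloud Platform (GCP) SDK command line tools
curl -s -L -O -J https://sdk.cloud.google.com/
# (inspect and run it)

# Cloud KMS/keyring not needed for one-off volume encryption with CSEKs
# gcloud beta kms keyrings create KEYRING_NAME --location LOCATION
# gcloud beta kms keyrings create test_ring --location us-east1 # or: global

# End-to-end steps for: creating keys -> volume -> instance -> startup

# Download GCP's public key, follow redirects, keep same name
curl -s -L -O -J https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
# Look at what was actually fetched (subject/issuer/validity) before wrapping a key with it;
# a wrong or expired cert would mean wrapping the disk key for someone else's public key.
openssl x509 -noout -subject -issuer -dates -in google-cloud-csek-ingress.pem

# Create 32-byte random binary key. The raw key has to be exactly 32 uniformly random bytes.
# The `tr '\n' '='` in the GCP docs belongs on the base64 *text*, not on the raw keystream:
# applied to raw bytes it rewrites every 0x0a byte to '=' (0x3d) and biases the key.
head -c 32 /dev/urandom > mykey.bin
# Convert binary key to b64 encoded (printable, but still the secret), "raw" key in GCP parlance
openssl enc -base64 -in mykey.bin > encodedmykey.txt

# Extract GCP's RSA public cert
openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > pubkey.pem
# Wrap my raw binary key with GCP's RSA cert.
# pkeyutl replaces `openssl rsautl -oaep -encrypt ...` (rsautl is deprecated in OpenSSL 3);
# rsa_padding_mode:oaep with the default digest gives the same RSA-OAEP wrapping.
openssl pkeyutl -encrypt -pubin -inkey pubkey.pem -pkeyopt rsa_padding_mode:oaep \
  -in mykey.bin -out rsawrappedkey.bin
# Convert wrapped key to b64 encoded, "rsa-wrapped" (Console) or "rsa-encrypted" (API) in GCP parlance.
# The wrapped blob base64-encodes to more than one 64-char line, so the line wraps are
# stripped and a single trailing newline is put back.
openssl enc -base64 -in rsawrappedkey.bin | tr -d '\n' | sed -e '$a\' > rsawrapencodedkey.txt

# Example key files (these are valid, but bogus keys). The commands below read
# volume-keyfile.json, so save ONE of these two shapes under that name with your own key:
# "raw" takes the contents of encodedmykey.txt, "rsa-encrypted" takes rsawrapencodedkey.txt.
#
# $ cat zzz.json
# [
#   {
#     "uri": "https://www.googleapis.com/compute/beta/projects/MYPROJECT/zones/us-central1-b/disks/enc-disk-1",
#     "key": "Sznt5GBBAJky3BgBVbDOMLY3TlStz7RikXujsFQ0GlA=",
#     "key-type": "raw"
#   }
# ]
#
# $ cat xxx.json
# [
#   {
#     "uri": "https://www.googleapis.com/compute/beta/projects/MYPROJECT/zones/us-central1-b/disks/enc-disk-1",
#     "key": "MivLKWq+/DSlqWGz6SfIj4mevEPuTk7Hf0rx8FiNQce6rZDdT6qY1UMH2qpZ156iTXJ9DgeBoIr/QexhPB5U9Uq/xixQ4k9zylHaKCugr4Ao/zqxpiTm9MaeYUQGxCG27w8U0hfr2X4ET0qYe5gDer8XqwVHZEqqQHdyrQEZOgpQIFvi6Zbw6qvkBlHVwTrcT3OctNyx3mjWakpSH25p1FoO5J5WMVWPW7DFIu9ENZ982WhjCYlA4Y6ahDUrt7uClKkGNitERwHip5GhQ5dUyobPeT4gI1Xn3OmallU4uiNO8n0GdxEBhMSbyF+bVXFNsSJlLoQvepSlYJ/divoRug==",
#     "key-type": "rsa-encrypted"
#   }
# ]

# Create CSEK full volume encrypted disk (the "uri" in the key file must match project/zone/disk name)
gcloud beta compute --project "MYPROJECT" disks create "enc-disk-1" --size "30" \
  --zone "us-central1-b" --type "pd-standard" --csek-key-file "volume-keyfile.json" \
  --image "https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1404-trusty-v20170110"

# Create instance
gcloud beta compute --project "MYPROJECT" instances create "MYINSTANCE" \
  --machine-type "f1-micro" --disk "name=enc-disk-1,device-name=enc-disk-1,mode=rw,boot=yes" \
  --csek-key-file "volume-keyfile.json"

# Stop instance (no --project/--zone here: relies on the gcloud defaults being set to match the above)
gcloud beta compute instances stop MYINSTANCE
# Start instance -- the key file has to be supplied again at every start, which is why the
# JSON key file must be kept (securely) for the life of the disk
gcloud beta compute instances start MYINSTANCE --csek-key-file "volume-keyfile.json"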