@sumonst21
Forked from kennwhite/gce_kms_notes.sh
Created February 24, 2023 14:52
Using customer-supplied encryption keys (CSEK) with GCP for full disk encryption of new GCE volumes
# These are my notes, circa Jan 17, 2017 for full volume encryption using customer supplied encryption keys (CSEK)
# Caveat emptor.
# Install Google Cloud Platform (GCP) SDK command line tools
curl -s -L -O -J https://sdk.cloud.google.com/
# (inspect and run it)
# Cloud KMS/keyring not needed for one-off volume encryption with CSEKs
# gcloud beta kms keyrings create KEYRING_NAME --location LOCATION
# gcloud beta kms keyrings create test_ring --location us-east1 # or: global
# End-to-end steps for: creating keys -> volume -> instance -> startup
# Download GCP's public key, follow redirects, keep same name
curl -s -L -O -J https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
# Create 32-byte random binary key (not sure why GCP docs swap newlines in a raw keystream file)
head -c 32 /dev/urandom | LC_CTYPE=C tr '\n' '=' > mykey.bin
# Convert the binary key to base64 (safe to print); this is the "raw" key in GCP parlance
openssl enc -base64 -in mykey.bin > encodedmykey.txt
# Extract the RSA public key from GCP's ingress cert
openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > pubkey.pem
# Wrap my raw binary key with GCP's RSA public key (RSA-OAEP)
openssl rsautl -oaep -encrypt -pubin -inkey pubkey.pem -in mykey.bin -out rsawrappedkey.bin
# Convert wrapped key to b64 encoded, "rsa-wrapped" (Console) or "rsa-encrypted" (API) in GCP parlance
openssl enc -base64 -in rsawrappedkey.bin | tr -d '\n' | sed -e '$a\' > rsawrapencodedkey.txt
# Key file format: one entry per disk URI; either key-type is accepted by --csek-key-file
$ cat zzz.json # (these are valid, but bogus keys)
[
  {
    "uri": "https://www.googleapis.com/compute/beta/projects/MYPROJECT/zones/us-central1-b/disks/enc-disk-1",
    "key": "Sznt5GBBAJky3BgBVbDOMLY3TlStz7RikXujsFQ0GlA=",
    "key-type": "raw"
  }
]
$ cat xxx.json # (these are valid, but bogus keys)
[
  {
    "uri": "https://www.googleapis.com/compute/beta/projects/MYPROJECT/zones/us-central1-b/disks/enc-disk-1",
    "key": "MivLKWq+/DSlqWGz6SfIj4mevEPuTk7Hf0rx8FiNQce6rZDdT6qY1UMH2qpZ156iTXJ9DgeBoIr/QexhPB5U9Uq/xixQ4k9zylHaKCugr4Ao/zqxpiTm9MaeYUQGxCG27w8U0hfr2X4ET0qYe5gDer8XqwVHZEqqQHdyrQEZOgpQIFvi6Zbw6qvkBlHVwTrcT3OctNyx3mjWakpSH25p1FoO5J5WMVWPW7DFIu9ENZ982WhjCYlA4Y6ahDUrt7uClKkGNitERwHip5GhQ5dUyobPeT4gI1Xn3OmallU4uiNO8n0GdxEBhMSbyF+bVXFNsSJlLoQvepSlYJ/divoRug==",
    "key-type": "rsa-encrypted"
  }
]
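# The key-generation, wrapping and key-file steps above, run end to end as an added
# example (not part of the original gist) against a locally generated self-signed
# cert standing in for google-cloud-csek-ingress.pem; because we hold that stand-in's
# private key we can also verify the RSA-OAEP wrap round-trips, which is impossible
# with GCP's real cert. File names and the test cert's CN are assumptions.

```shell
#!/bin/sh
# Added example (not from the original gist): runs the gist's CSEK wrapping
# steps against a locally generated stand-in for google-cloud-csek-ingress.pem,
# checks the result and writes the key file. Assumption: we hold the stand-in's
# private key, which is what makes the round-trip check possible.
set -eu
cd "$(mktemp -d)"
# Throwaway self-signed RSA-2048 cert standing in for GCP's ingress cert.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=csek-ingress-test" \
    -keyout ingress-test.key -out ingress-test.pem 2>/dev/null
}

# 32 random bytes -> base64 ("raw"); public key out of the cert; RSA-OAEP wrap
# -> base64 ("rsa-encrypted"). pkeyutl with rsa_padding_mode:oaep is the
# current spelling of the gist's `rsautl -oaep` (SHA-1 OAEP by default).
wrap_key() {
  head -c 32 /dev/urandom > mykey.bin        # keep the bytes exactly as generated
  openssl base64 -A -in mykey.bin > encodedmykey.txt
  openssl x509 -pubkey -noout -in "$1" > pubkey.pem
  openssl pkeyutl -encrypt -pubin -inkey pubkey.pem -pkeyopt rsa_padding_mode:oaep \
    -in mykey.bin -out rsawrappedkey.bin
  openssl base64 -A -in rsawrappedkey.bin > rsawrapencodedkey.txt
}

# Checks to run before handing the file to gcloud: raw key is exactly 32 bytes,
# its base64 decodes to 32 bytes, wrapped blob is one RSA block (256 bytes/2048-bit).
check_key_lengths() {
  [ $(wc -c < mykey.bin) -eq 32 ] &&
  [ $(openssl base64 -d -A -in encodedmykey.txt | wc -c) -eq 32 ] &&
  [ $(wc -c < rsawrappedkey.bin) -eq 256 ]
}

# Unwrap with the stand-in's private key and compare with the original bytes.
roundtrip_ok() {
  openssl pkeyutl -decrypt -inkey ingress-test.key -pkeyopt rsa_padding_mode:oaep \
    -in rsawrappedkey.bin -out unwrapped.bin
  cmp -s mykey.bin unwrapped.bin
}

# Key file in the shape --csek-key-file expects: one entry per disk URI.
write_keyfile() {
  printf '[\n  {\n    "uri": "%s",\n    "key": "%s",\n    "key-type": "rsa-encrypted"\n  }\n]\n' \
    "$1" "$(cat rsawrapencodedkey.txt)" > volume-keyfile.json
}

make_test_cert && wrap_key ingress-test.pem && check_key_lengths && roundtrip_ok &&
write_keyfile "https://www.googleapis.com/compute/beta/projects/MYPROJECT/zones/us-central1-b/disks/enc-disk-1" &&
cat volume-keyfile.json
```

# Swap the stand-in cert for the real google-cloud-csek-ingress.pem and drop the
# round-trip check to produce a key file usable with the gcloud commands below.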
# Create CSEK full volume encrypted disk
gcloud beta compute --project "MYPROJECT" disks create "enc-disk-1" --size "30" \
--zone "us-central1-b" --type "pd-standard" --csek-key-file "volume-keyfile.json" \
--image "https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1404-trusty-v20170110"
# Create instance
gcloud beta compute --project "MYPROJECT" instances create "MYINSTANCE" \
--machine-type "f1-micro" --disk "name=enc-disk-1,device-name=enc-disk-1,mode=rw,boot=yes" \
--csek-key-file "volume-keyfile.json"
# Stop instance
gcloud beta compute instances stop MYINSTANCE
# Start instance
gcloud beta compute instances start MYINSTANCE --csek-key-file "volume-keyfile.json"