@wvanderdeijl
Last active June 10, 2021 08:49
Google key wrapping

Task 1. Creating the encryption key

Important: When using customer-supplied encryption keys, it is up to you to generate and manage your encryption keys. You must provide Compute Engine a key that is a 256-bit string encoded in RFC 4648 standard base64. For this lab, you will just generate a key with a random number.

  1. On the Google Cloud Platform menu, click Activate Cloud Shell to open Cloud Shell. If prompted, click Continue.
  2. Enter the following single command in Cloud Shell to create a 256-bit (32-byte) random number to use as a key:
openssl rand 32 > mykey.txt
  3. View mykey.txt to verify the key was created:
more mykey.txt

Task 2. Protecting your new key with RSA key wrapping

Important: You can optionally wrap your key using an RSA public key certificate provided by Google, and then use that wrapped key in your requests. In this section you will wrap the key just created. This is a recommended best practice. RSA key wrapping encrypts your key with a public key; once encrypted, it can be decrypted only by the corresponding private key. In this case, the private key is known only to Google Cloud Platform services. By wrapping your key using the RSA certificate, you ensure that only Google Cloud Platform services can unwrap your key and use it to protect your data.

Note: The following steps will use openssl to wrap your key. There are many ways to RSA-wrap keys and you can alternatively use a method that is familiar to you.

  1. From the Cloud Shell command prompt, use the following command to download the Google Compute Engine public certificate:
curl \
    https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem \
    > gce-cert.pem
  2. Extract the public key from the certificate with the following command:
openssl x509 -pubkey -noout -in gce-cert.pem > pubkey.pem
  3. RSA-wrap your key with the following command:
openssl rsautl -oaep -encrypt -pubin -inkey pubkey.pem -in \
    mykey.txt -out rsawrappedkey.txt

The key must now be encoded in base64 before it can be used.

  4. Encode your RSA-wrapped key in base64:
openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e \
    '$a\' > rsawrapencodedkey.txt
  5. View your encoded, wrapped key to verify it was created:
cat rsawrapencodedkey.txt

Example output (Do not copy)

c0NSz0/t2THGdPfsS0sDokR8KIioUNLoJLR/HvP/XCsbBNoQjyUKrm9th/kAYCsIdLU/A/rS4W2wUXpmoSqi4Lf8HQqaP3zfuH6xH2UklxGZ04LhpmtRdG9zC81Hpzkw+NnOSIslO9rLtvVaX8qaPsSnSM7YgfTYCzB4ESuMlc3xMzBD6B2LxXyDRSw6muNdz3Kpp5YhBA41Zz4ljrkzcOse38dLEY3Q7Y+zjK/+H4P6PO3vllUFjgeZWgIFNcad4KU69Bb3m5cYM1eOpxm7WRsuMNuN7/gZj1aLXL+tvsJVwrzjPHQFDajf7jgotu0YiZNs07Yw3UrHZFKIWhYNrw==

Note: You need to copy this key value, but it needs to be copied as a single line. If you copy it from the console output, newlines are often introduced, which corrupts the encoding. You will use the code editor to copy the key value.

  1. To open the code editor, click the Open Editor icon.

  2. Click on the rsawrapencodedkey.txt file to display it in the editor pane.

  3. Highlight the entire line in the rsawrapencodedkey.txt and select Edit > Copy.

Note: Your key is now ready to use!
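The following script is an added example, not part of the original gist: it performs the Task 2 wrap with `openssl pkeyutl` (the replacement for `rsautl`, which OpenSSL 3.0 deprecates) and then checks the result by unwrapping it. Because Google's private key is not available, a throwaway RSA-2048 key pair generated locally stands in for gce-cert.pem (an assumption made for the test); with the real certificate only the wrap half can be run.

```shell
#!/bin/sh
# Added example, not part of the original gist. `openssl pkeyutl` replaces
# `rsautl` (deprecated in OpenSSL 3.0); its default OAEP digest (SHA-1)
# matches `rsautl -oaep`. A locally generated RSA-2048 key pair stands in
# for Google's certificate (assumption), so the wrap can be verified by
# unwrapping, which is impossible with the real gce-cert.pem.
set -eu

# wrap_csek PUBKEY_PEM KEYFILE OUT: RSA-OAEP wrap, then base64 on one line.
wrap_csek() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" \
        -pkeyopt rsa_padding_mode:oaep -out "$3.bin"
    # Same result as the lab's `tr -d '\n' | sed -e '$a\'`: remove the line
    # wrapping `openssl enc -base64` inserts, keep exactly one final newline.
    printf '%s\n' "$(openssl enc -base64 -in "$3.bin" | tr -d '\n')" > "$3"
}

# unwrap_csek PRIVKEY_PEM WRAPPED_B64 OUT: the inverse, as the service that
# holds the private key would perform it.
unwrap_csek() {
    tr -d '\n' < "$2" | openssl enc -base64 -d -A -out "$3.bin"
    openssl pkeyutl -decrypt -inkey "$1" -in "$3.bin" \
        -pkeyopt rsa_padding_mode:oaep -out "$3"
}

# roundtrip_ok: succeeds if a fresh 256-bit key survives wrap -> unwrap and
# the encoded file is a single line of 344 base64 characters, which is what
# a 256-byte RSA-2048 ciphertext encodes to.
roundtrip_ok() {
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    openssl rand 32 > "$d/mykey.txt"
    wrap_csek "$d/pub.pem" "$d/mykey.txt" "$d/wrapped.b64"
    unwrap_csek "$d/priv.pem" "$d/wrapped.b64" "$d/unwrapped.txt"
    lines=$(wc -l < "$d/wrapped.b64" | tr -d ' ')
    chars=$(tr -d '\n' < "$d/wrapped.b64" | wc -c | tr -d ' ')
    if cmp -s "$d/mykey.txt" "$d/unwrapped.txt" &&
       [ "$lines" -eq 1 ] && [ "$chars" -eq 344 ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Stand-alone use: `sh wrap_check.sh --selftest` (file name is an assumption).
if [ "${1:-}" = "--selftest" ]; then roundtrip_ok && echo "round trip OK"; fi
```

The single-line check is the one that matters in practice: a wrapped key pasted with embedded newlines fails to decode on the receiving side, which is exactly the failure the note above warns about.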
