Encryption Demonstration with KMS

Length: 00:10:21

Lesson Summary:

We are now going to demonstrate using the Cloud Key Management Service (KMS) to create a new key ring and key. We will then encrypt a text file and decrypt it into a new file.

The link below is a PDF version of Google’s quick start, so you can follow along at your own pace:

https://linuxacademy.com/cp/guides/download/refsheets/guides/refsheets/quickstart---cloud-kms-documentation---google-cloud_1521842513.pdf

Below are the encoding and encrypt/decrypt commands I used in this lesson:

Encode top-secret.txt into base64 format

cat top-secret.txt | base64

Encrypt our base64 string into a new encrypted file called top-secret.encrypted. You would need to update the project, keyring, key, and base64 string if you’re following along on your end:

curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/pwnet-nms/locations/global/keyRings/pwnet-keyring/cryptoKeys/key1:encrypt" \
  -d "{\"plaintext\":\"VE9QIFNFQ1JFVApUaGUgcGFzc3dvcmQgaXMgImJhbmFuYXMiLgo=\"}" \
  -H "Authorization:Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type:application/json" \
| jq .ciphertext -r > top-secret.encrypted

This is the command used to decrypt the above file, and then output it into a new unencrypted file:

curl -v "https://cloudkms.googleapis.com/v1/projects/pwnet-nms/locations/global/keyRings/pwnet-keyring/cryptoKeys/key1:decrypt" \
  -d "{\"ciphertext\":\"$(cat top-secret.encrypted)\"}" \
  -H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type:application/json" \
| jq .plaintext -r | base64 -d > newfile.txt
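The same encrypt and decrypt requests as an added Python example (not part of the original lesson or of Google's documentation). Unlike the curl pipelines above, an API error raises an exception instead of letting jq write the string "null" into the output file. The helper names are hypothetical, and the error payload in the demo is constructed.

```python
import base64
import json
import subprocess
import urllib.error
import urllib.request

KMS = "https://cloudkms.googleapis.com/v1"

def key_url(project, keyring, key, action, location="global"):
    """URL for the lesson's :encrypt / :decrypt calls."""
    return (f"{KMS}/projects/{project}/locations/{location}"
            f"/keyRings/{keyring}/cryptoKeys/{key}:{action}")

def encrypt_body(plaintext: bytes) -> bytes:
    # b64encode emits a single line; GNU base64 wraps at 76 columns by default,
    # which would put raw newlines inside the JSON string for longer files.
    return json.dumps({"plaintext": base64.b64encode(plaintext).decode()}).encode()

def decrypt_body(ciphertext_b64: str) -> bytes:
    # strip() drops the trailing newline stored in top-secret.encrypted.
    return json.dumps({"ciphertext": ciphertext_b64.strip()}).encode()

def extract(response: bytes, field: str) -> str:
    """Return response[field]; raise on an API error payload or missing field."""
    doc = json.loads(response)
    if "error" in doc:
        err = doc["error"]
        raise RuntimeError(f"KMS {err.get('status')}: {err.get('message')}")
    if field not in doc:
        raise RuntimeError(f"response has no {field!r} field")
    return doc[field]

def call(url: str, body: bytes) -> bytes:
    """POST with a gcloud access token (needs network and credentials)."""
    token = subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        return exc.read()  # error JSON; extract() raises on it

if __name__ == "__main__":
    # Constructed response, shaped like a Google API error payload.
    denied = b'{"error": {"code": 403, "message": "denied", "status": "PERMISSION_DENIED"}}'
    try:
        extract(denied, "ciphertext")
    except RuntimeError as exc:
        print("nothing written to disk:", exc)
```

Against a real key, the ciphertext is extract(call(key_url(project, keyring, key, "encrypt"), encrypt_body(data)), "ciphertext"), and the decrypt direction mirrors it with decrypt_body and the "plaintext" field.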

