Handling Encryption Keys with Cloud KMS

Hands-On Lab

 

Joseph Lowery

Google Cloud Training Architect II in Content

Length

00:30:00

Difficulty

Beginner

The process of encrypting and decrypting files requires cryptographic keys. Google Cloud’s Key Management Service (Cloud KMS) allows you to generate, use, rotate, and destroy cryptographic keys in a variety of formats. Managing the keys is another challenge, one that Cloud KMS meets with its ability to create keyrings as well as keys. In this hands-on lab, we’ll establish a new keyring and key, use them to encrypt a formerly top-secret file, and then decrypt the encrypted version.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Logging In to the Environment

  1. On the lab instructions page, right-click the Open GCP Console button.
  2. From the dropdown, select the option to open the link in a private browser window. (Note: Different browsers have different names for a private browser window. On Chrome, you'll choose Open Link in Incognito Window. If you're using Firefox, click Open Link in New Private Window, and so on.)
  3. On the Google sign-in page, enter the unique username you were provided on the lab instructions page. Click Next.
  4. Enter the unique password you were provided on the lab instructions page. Click Next.
  5. On the Welcome to your new account page, click Accept.
  6. In the Welcome L.A.! menu, check the box under Terms of service.
  7. Choose your country of residence, then click AGREE AND CONTINUE.

Enable Cloud KMS

  1. From the Google Cloud Platform dashboard, click the navigation menu at the top left of the page.
  2. In the dropdown, select APIs & Services > Library.
  3. On the API Library page, enter "KMS" in the search bar.
  4. Select the Cloud Key Management Service (KMS) API.
  5. Click Enable.

Create a Keyring and Key

  1. Click the Cloud Shell icon at the top right of the page.
  2. Click START CLOUD SHELL.
  3. Run the following command in the Cloud Shell to create a new keyring:
    gcloud kms keyrings create la-keyring --location global
  4. Create a new key for the keyring we just created.
    gcloud kms keys create la-key --location global --keyring la-keyring --purpose encryption
  5. List the existing keys to verify that the new keyring and key were successfully created.
    gcloud kms keys list --location global --keyring la-keyring
  6. In the GCP console, open the Cryptographic Keys page (refresh it if it is already open).
  7. Select la-keyring to open it and view the la-key we just created.

Retrieve the Example File

  1. Clone the GitHub repository.
    git clone https://github.com/linuxacademy/content-gcpro-security-engineer
  2. Change to the content-gcpro-security-engineer/kms-encrypt-lab directory.
    cd content-gcpro-security-engineer/kms-encrypt-lab
  3. List the contents of the current directory.
    ls
  4. Click the pencil icon in the top right corner of the Cloud Shell to open the code editor.
  5. In the left navigation panel, select kms-encrypt-lab > top-secret-ufo-1950.txt.
  6. Review the file top-secret-ufo-1950.txt.

Encrypt and Decrypt the File

  1. Run the following command in the Cloud Shell to encrypt the file:
    gcloud kms encrypt --location global --keyring la-keyring --key la-key --plaintext-file top-secret-ufo-1950.txt --ciphertext-file top-secret-ufo-1950.txt.encrypted
  2. In the left navigation panel, select top-secret-ufo-1950.txt.encrypted to open and review the contents of the encrypted file.
  3. Run the following command in the Cloud Shell to decrypt the encrypted file:
    gcloud kms decrypt --location global --keyring la-keyring --key la-key --ciphertext-file top-secret-ufo-1950.txt.encrypted --plaintext-file top-secret-ufo-1950.txt.decrypted
  4. In the left navigation panel, select top-secret-ufo-1950.txt.decrypted to open and review the contents of the decrypted file.
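As an added example that is not part of the lab, the script below wraps the encrypt and decrypt steps above in a round-trip check: it confirms the ciphertext is not the plaintext, confirms decryption restores the original byte for byte, and removes the decrypted copy afterwards. It assumes gcloud is installed and authenticated in Cloud Shell and that the lab's la-keyring and la-key exist; the KMS_* environment overrides are a hypothetical convenience.

```shell
#!/bin/sh
# Added example, not the lab's own code. Assumes gcloud is authenticated and
# the lab's keyring/key (la-keyring / la-key in location global) already exist.
set -eu

# Hypothetical overrides; the defaults are the names the lab creates.
LOCATION="${KMS_LOCATION:-global}"
KEYRING="${KMS_KEYRING:-la-keyring}"
KEY="${KMS_KEY:-la-key}"

# Encrypt file $1 into $2 with the symmetric key. The ciphertext is binary
# (not base64) and records the key version used, so rotating the key later
# does not break decryption as long as that version is not destroyed.
kms_encrypt() {
  gcloud kms encrypt --location "$LOCATION" --keyring "$KEYRING" --key "$KEY" \
    --plaintext-file "$1" --ciphertext-file "$2"
}

# Decrypt ciphertext file $1 into plaintext file $2.
kms_decrypt() {
  gcloud kms decrypt --location "$LOCATION" --keyring "$KEYRING" --key "$KEY" \
    --ciphertext-file "$1" --plaintext-file "$2"
}

# Round trip for plaintext $1: writes $1.encrypted, verifies, and deletes the
# decrypted copy so only one plaintext remains on disk. Returns 0 on success.
kms_roundtrip() {
  plain="$1"; enc="$1.encrypted"; dec="$1.decrypted"
  kms_encrypt "$plain" "$enc"
  if cmp -s "$plain" "$enc"; then
    echo "FAIL: ciphertext is identical to plaintext" >&2
    return 1
  fi
  kms_decrypt "$enc" "$dec"
  if ! cmp -s "$plain" "$dec"; then
    echo "FAIL: decrypted output differs from original" >&2
    return 1
  fi
  rm -f "$dec"
  echo "OK: $plain round-tripped through $KEYRING/$KEY"
}

# Usage from the lab directory:  kms_roundtrip top-secret-ufo-1950.txt
```

Source the file in Cloud Shell and call `kms_roundtrip` on the lab's text file; a non-zero exit means one of the two checks failed.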

Conclusion

Congratulations, you've successfully completed this hands-on lab!