Exporting keys from SmartKey to Cloud Providers for BYOK - Google Cloud

Overview

This topic describes how to export keys from SmartKey to Google Cloud for server-side encryption.

Prerequisite: Download SmartKey CLI

Google Cloud

GCS (Cloud Storage)

For GCS, the actual customer key, base64-encoded, must be supplied for every upload to and download from GCS.

  1. Create a 256-bit AES key in SmartKey with the EXPORT key operation enabled.

    $ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable

  2. Export this key on your application environment.

    $ python sdkms-cli export-object --name Google-Cloud-Master-Key

  3. Add the following options to the GSUtil section of the boto configuration file, using the base64 key exported in step 2:

    encryption_key = [YOUR_ENCRYPTION_KEY]

    decryption_key1 = [YOUR_ENCRYPTION_KEY]

  4. You can now upload and download GCS objects encrypted with your own key.

    $ gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/

    $ gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]

  5. The GCS browser shows that the object is customer-encrypted.

GCE (Compute Engine)

GCE supports importing customer keys wrapped with a Google public key. Since SmartKey supports wrapping, the actual material of the customer key is never exposed.

  1. Create a 256-bit AES key in SmartKey with the EXPORT key operation enabled.

    $ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable

  2. Fetch the Google public key.

    $ curl "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem" -o google-cloud-csek-ingress.pem

    $ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > google-cloud-csek-public.pem

  3. Import the Google public key into SmartKey.

    $ python sdkms-cli import-key --obj-type RSA --in google-cloud-csek-public.pem --name Google-Cloud-Public-Key

  4. Wrap the SmartKey master key with the Google public key, using SmartKey, and base64-encode the result on a single line.

    $ sdkms-cli wrap-key --kid (kid of master key) --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid (kid of the Google public key) --out rsawrappedkey.txt

    $ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrappedbase64key.txt

  5. Supply the contents of rsawrappedbase64key.txt as the key data in GCE, marking it as a wrapped key.

  6. The disk shows that it is encrypted with a customer-supplied key.
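The GCE wrap step replayed locally with openssl, as an added example that is not part of the SmartKey documentation: a throw-away RSA-2048 pair stands in for Google's ingress key and 32 random bytes stand in for the exported master key (both constructed here), so the OAEP mode, the single-line base64 post-processing and the SHA-256 fingerprint that GCS and GCE report can be checked before anything is pasted into the console.

```shell
#!/bin/sh
# Added example (not SmartKey's or Google's code): replay the GCE wrap step
# with openssl so the step-4 artefact can be checked before it goes to GCE.
# Constructed stand-ins: a throw-away RSA-2048 pair for Google's ingress key
# (NOT the real google-cloud-csek-ingress.pem) and 32 random bytes for the
# SmartKey master key. In the real flow the wrap happens inside SmartKey.
set -e
WORK=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ingress-private.pem" 2>/dev/null
openssl pkey -in "$WORK/ingress-private.pem" -pubout -out "$WORK/ingress-public.pem"
openssl rand 32 > "$WORK/master.key"
# RSA-OAEP with SHA-1 and MGF1/SHA-1, the mode the page selects as OAEP_MGF1_SHA1.
OAEP_OPTS="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1"
# wrap_key RAW_KEY PUBLIC_PEM: writes the wrapped bytes and their single-line
# base64 form (same openssl/tr/sed post-processing as the page) under $WORK.
wrap_key() {
    openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$1" $OAEP_OPTS \
        -out "$WORK/rsawrappedkey.bin"
    openssl enc -base64 -in "$WORK/rsawrappedkey.bin" | tr -d '\n' \
        | sed -e '$a\' > "$WORK/rsawrappedbase64key.txt"
}
# Format checks before pasting into GCE: the raw key is really 256-bit, and the
# base64 is one line decoding to exactly one RSA-2048 block (256 bytes), so a
# truncated or line-wrapped paste is caught locally instead of by GCE.
check_raw_key_is_256_bit() {
    [ "$(wc -c < "$WORK/master.key" | tr -d ' ')" -eq 32 ]
}
check_wrapped_blob_format() {
    [ "$(wc -l < "$WORK/rsawrappedbase64key.txt" | tr -d ' ')" -eq 1 ] &&
    [ "$(openssl enc -d -base64 -A -in "$WORK/rsawrappedbase64key.txt" \
          | wc -c | tr -d ' ')" -eq 256 ]
}
# Round trip with the stand-in private key proves the OAEP parameters match;
# against Google's key this is impossible, which is why the checks above matter.
unwrap_round_trips() {
    openssl pkeyutl -decrypt -inkey "$WORK/ingress-private.pem" $OAEP_OPTS \
        -in "$WORK/rsawrappedkey.bin" -out "$WORK/unwrapped.key"
    [ "$(openssl dgst -sha256 < "$WORK/master.key")" = \
      "$(openssl dgst -sha256 < "$WORK/unwrapped.key")" ]
}
# GCS (x-goog-encryption-key-sha256 header) and the GCE disk resource expose the
# base64 SHA-256 of the raw key: compute it to tie a deployed resource to this
# SmartKey object without re-exporting the key material.
key_fingerprint() {
    openssl dgst -sha256 -binary "$WORK/master.key" | openssl enc -base64 -A
}
wrap_key "$WORK/master.key" "$WORK/ingress-public.pem"
```

Compare the value of key_fingerprint with the SHA-256 shown on the GCS object or GCE disk to confirm which SmartKey key protects it.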