Encryption & Decryption in GCP
We have two approaches to Encrypt and Decrypt data in GCP.
Approach-I:
Before we encrypt or decrypt our data, we need two Cloud KMS resources: a KeyRing and a CryptoKey.
Creating KeyRings and CryptoKeys:
Cloud KMS uses an object hierarchy, such that a CryptoKey belongs to a KeyRing, which resides in a particular location.
Syntax to Create a KeyRing:
gcloud kms keyrings create KEYRING_NAME --location LOCATION
Sample Code Used:
gcloud kms keyrings create my-key --location global
Description:
Creating a new KeyRing with name "my-key" in location "global"
Create a CryptoKey:
Syntax:
gcloud kms keys create CRYPTOKEY_NAME --location LOCATION --keyring KEYRING_NAME --purpose encryption
Sample Code Used:
gcloud kms keys create sree123-key --location global --keyring my-key --purpose encryption
Description:
Create a new CryptoKey "sree123-key" for the KeyRing "my-key"
Encrypting the Data:
Syntax:
gcloud kms encrypt \
--location=global \
--keyring=my-key-ring \
--key=my-key \
--plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_ENCRYPT \
--ciphertext-file=YOUR_FILEPATH_AND_FILENAME.enc
Sample Code Used:
gcloud kms encrypt \
--location=global \
--keyring=my-key \
--key=sree123-key \
--plaintext-file=/scripts/sample.txt \
--ciphertext-file=/scripts/sample.txt.enc
Description:
To encrypt data, we have to provide the appropriate key information, specify the name of the plaintext file to encrypt, and specify the name of the file that will contain the encrypted content.
Decrypting the Data:
Syntax:
gcloud kms decrypt \
--location=global \
--keyring=my-key-ring \
--key=my-key \
--ciphertext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT \
--plaintext-file=YOUR_FILEPATH_AND_FILENAME_TO_DECRYPT.dec
Sample Code Used:
gcloud kms decrypt \
--location=global \
--keyring=my-key \
--key=sree123-key \
--ciphertext-file=/scripts/sample.txt.enc \
--plaintext-file=/scripts/sample1.txt.dec
Description:
To decrypt data, we have to provide the appropriate key information, specify the name of the encrypted file (ciphertext file) to decrypt, and specify the name of the file that will contain the decrypted content.
Approach-II:
Encryption and decryption of a file can also be done with the OpenSSL [Secure Sockets Layer] command-line tool using a key-based symmetric cipher. Below are the commands to encrypt the file.
Encryption: [Commands]
openssl enc -in employee.txt \
-aes-256-cbc \
-pass stdin > employee.txt.enc
The above command encrypts employee.txt to employee.txt.enc using 256-bit AES [Advanced Encryption Standard] in CBC mode, which is a strong symmetric encryption algorithm. A secret key is used for both encryption and decryption of the data. The command waits for the user to enter the password and uses that to generate an appropriate key.
Copying the Encrypted File to GCP Using Gsutil:
Command: gsutil cp E:\employee.txt.enc gs://emp2/
Copying the Encrypted File to Local Google Shell:
Command: gsutil cp gs://emp2/employee.txt.enc /scripts
Decryption Commands:
openssl enc -in employee.txt.enc \
-d -aes-256-cbc \
-pass stdin > employee.txt
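A round-trip check for the OpenSSL approach above, as an added example that is not part of the original post: it keeps the same cipher and -pass stdin, adds PBKDF2 key derivation (assumes OpenSSL 1.1.1 or later), and confirms that the .enc file decrypts back to the original bytes before it is copied to the bucket, since AES-CBC by itself carries no integrity check. The function names and the iteration count are choices made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-pbkdf2).
# Function names and ITER are choices made for this example.
ITER=200000

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
}

# encrypt_file PASSPHRASE IN OUT: same cipher and -pass stdin as the post,
# with PBKDF2 key derivation. printf is a builtin in bash and dash, so the
# passphrase does not show up in the process list.
encrypt_file() {
    printf '%s\n' "$1" |
        openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
            -in "$2" -out "$3" -pass stdin
}

# decrypt_digest PASSPHRASE ENC: print the digest of the decrypted stream.
# The plaintext is piped straight into the hash and never written to disk.
decrypt_digest() {
    printf '%s\n' "$1" |
        openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
            -in "$2" -pass stdin 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# has_salt_header ENC: salted "openssl enc" output starts with "Salted__".
has_salt_header() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# verify_roundtrip PASSPHRASE PLAIN ENC: succeed only if ENC decrypts to
# exactly the bytes of PLAIN. CBC has no integrity check, so a wrong
# passphrase or a damaged file is caught by the digest comparison.
verify_roundtrip() {
    has_salt_header "$3" || return 1
    [ "$(decrypt_digest "$1" "$3")" = "$(sha256_of "$2")" ]
}
```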