luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity

Adding gcpkms docs (#5590)

Browse source 
* adding gcpkms docs

* adding detail links

* adding 1.0 Beta badge
This commit is contained in:
Chris Hoffman 2018-10-23 12:14:32 -07:00 committed by GitHub
parent 8a274fba51
commit fc85623b5f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 1312 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
website/assets/package.json
View file

@ -1,7 +1,6 @@
{
"name": "middleman-spike-assets",
"description":
"simple config to use postcss and webpack for asset processing",
"description": "simple config to use postcss and webpack for asset processing",
"version": "0.0.0",
"author": "Jeff Escalante",
"main": "app.js",

1
website/data/api_detailed_categories.yml
View file

@ -28,6 +28,7 @@
- api/secret/cubbyhole/index.html
- api/secret/databases/index.html
- api/secret/gcp/index.html
- api/secret/gcpkms/index.html
- api/secret/kv/index.html
- api/secret/identity/index.html
- api/secret/nomad/index.html

1
website/data/docs_detailed_categories.yml
View file

@ -77,6 +77,7 @@
- docs/secrets/cubbyhole/index.html
- docs/secrets/databases/index.html
- docs/secrets/gcp/index.html
- docs/secrets/gcpkms/index.html
- docs/secrets/kv/index.html
- docs/secrets/identity/index.html
- docs/secrets/nomad/index.html

865
website/source/api/secret/gcpkms/index.html.md Normal file
View file

@ -0,0 +1,865 @@
---
layout: "api"
page_title: "Google Cloud KMS - Secrets Engines - HTTP API"
sidebar_title: "Google Cloud KMS <sup>1.0 BETA</sup>"
sidebar_current: "api-http-secret-gcpkms"
description: |-
This is the API documentation for the Vault Google Cloud KMS secrets engine.
---
# Google Cloud KMS Secrets Engine (API)
This is the API documentation for the Vault Google Cloud KMS secrets engine. For
general information about the usage and operation of the Google Cloud KMS
secrets engine, please see the
[Google Cloud KMS documentation](/docs/secrets/gcpkms/index.html).
This documentation assumes the Google Cloud KMS secrets engine is enabled at the
`/gcpkms` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.
## Configure Credentials
This endpoint configures the Google Cloud KMS secrets engine with credentials
and manages the requested scope(s) for authentication.
| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `POST` | `gcpkms/config` | `204 (empty body)` |
### Example Policy
```hcl
path "gcpkms/config" {
capabilities = ["create", "update"]
}
```
### Parameters
- `credentials` (`string: ""`) -
The credentials to use for authenticating to Google Cloud. Leave this blank to
use the Default Application Credentials or instance metadata authentication.
- `scopes` (`array<string>: []`) -
The list of full-URL scopes to request when authenticating. By default, this
requests https://www.googleapis.com/auth/cloudkms.
### Sample Payload
```json
{
"credentials": "< JSON credentials... >"
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/config
```
## Read Configuration
This endpoint returns the configuration endpoint for the Google Cloud KMS
secrets engine. The credentials are not returned.
| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `GET` | `gcpkms/config` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/config" {
capabilities = ["read"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
https://127.0.0.1:8200/v1/gcpkms/config
```
### Sample Response
```json
{
"data": {
"scopes": [
"https://www.googleapis.com/auth/cloudkms"
]
}
}
```
## Delete Configuration
This endpoint deletes any configuration for the Google Cloud KMS secrets engine.
If there is no configuration, the endpoint still returns successfully.
| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `DELETE` | `gcpkms/config` | `204 (empty body)` |
### Example Policy
```hcl
path "gcpkms/config" {
capabilities = ["delete"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://127.0.0.1:8200/v1/gcpkms/config
```
## Decrypt Ciphertext
This endpoint uses the named encryption key to decrypt the ciphertext string. For symmetric key types, the provided ciphertext must come from a previous invocation of the `/encrypt` endpoint. For asymmetric key types, the provided ciphertext must be from the encrypt operation against the corresponding key version's public key.
| Method | Path | Produces |
| :------- | :--------------------------| :------------------------ |
| `POST` | `gcpkms/decrypt/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/decrypt/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key in Vault to use for decryption. This key must already exist in
Vault and must map back to a Google Cloud KMS key.
This is specified as part of the URL.
- `additional_authenticated_data` (`string: ""`) -
Optional data that was specified during encryption of this payload.
- `ciphertext` (`string: ""`) -
Ciphertext to decrypt as previously returned from an encrypt operation. This
must be base64-encoded ciphertext as previously returned from an encrypt
operation.
- `key_version` (`int: 0`) -
Integer version of the crypto key version to use for decryption. This is
required for asymmetric keys. For symmetric keys, Cloud KMS will choose the
correct version automatically.
### Sample Payload
```json
{
"ciphertext": "CiQAuMv0..."
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/decrypt/my-key
```
### Sample Response
```json
{
"data": {
"plaintext": "hello world"
}
}
```
## Encrypt Plaintext
This endpoint uses the named encryption key to encrypt arbitrary plaintext
string data. The response will be base64-encoded encrypted ciphertext.
| Method | Path | Produces |
| :------- | :--------------------------| :------------------------ |
| `POST` | `gcpkms/encrypt/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/encrypt/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key in Vault to use for encryption. This key must already exist in
Vault and must map back to a Google Cloud KMS key.
This is specified as part of the URL.
- `additional_authenticated_data` (`string: ""`) -
Optional base64-encoded data that, if specified, must also be provided to
decrypt this payload.
- `key_version` (`int: 0`) -
Integer version of the crypto key version to use for encryption. If unspecified,
this defaults to the latest active crypto key version.
- `plaintext` (`string: ""`) -
Plaintext value to be encrypted. This can be a string or binary, but the size
is limited. See the Google Cloud KMS documentation for information on size
limitations by key types.
### Sample Payload
```json
{
"plaintext": "hello world"
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/encrypt/my-key
```
### Sample Response
```json
{
"data": {
"ciphertext": "CiQAuMv0...",
"key_version": "1"
}
}
```
## Re-Encrypt Existing Ciphertext
This endpoint uses the named encryption key to re-encrypt the underlying
cryptokey to the latest version for this ciphertext without disclosing the
original plaintext value to the requestor. This is similar to "rewrapping" in
Vault's transit secrets engine.
| Method | Path | Produces |
| :------- | :--------------------------| :------------------------ |
| `POST` | `gcpkms/reencrypt/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/reencrypt/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key to use for encryption. This key must already exist in Vault and
Google Cloud KMS.
This is specified as part of the URL.
- `additional_authenticated_data` (`string: ""`) -
Optional data that, if specified, must also be provided during decryption.
- `ciphertext` (`string: ""`) -
Ciphertext to be re-encrypted to the latest key version. This must be ciphertext
that Vault previously generated for this named key.
- `key_version` (`int: 0`) -
Integer version of the crypto key version to use for re-encryption. If unspecified,
this defaults to the latest active crypto key version.
### Sample Payload
```json
{
"ciphertext": "CiQAuMv0..."
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/reencrypt/my-key
```
### Sample Response
```json
{
"data": {
"ciphertext": "0lX848IG...",
"key_version": "3"
},
}
```
## Sign Digest
This endpoint uses the named encryption key to sign digest string data. The
response will include the base64-encoded signature.
| Method | Path | Produces |
| :------- | :--------------------------| :------------------------ |
| `POST` | `gcpkms/sign/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/sign/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key in Vault to use for signing. This key must already exist in
Vault and must map back to a Google Cloud KMS key.
This is specified as part of the URL.
- `key_version` (`int: <required>`) -
Integer version of the crypto key version to use for signing.
- `digest` (`string: <required>`) -
Digest to sign. This digest is the base64 encoded binary value, and must match
the signing algorithm digest of the Cloud KMS key, for example:
```text
$ openssl dgst -sha256 -binary /my/file | base64
```
### Sample Payload
```json
{
"key_version": "1",
"digest": "LoM6lxd8YS+hUynZwrlCG20ViUUqqbNNNmh7HCtOkSc="
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/sign/my-key
```
### Sample Response
```json
{
"data": {
"signature": "MGYCMQCOfWMc21jBevoRRo4zGjYsCXer8s..."
}
}
```
## Verify Digest
This endpoint uses the named encryption key to verify a signature and digest
string data.
| Method | Path | Produces |
| :------- | :--------------------------| :------------------------ |
| `POST` | `gcpkms/verify/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/verify/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key in Vault to use for verifying. This key must already exist in
Vault and must map back to a Google Cloud KMS key.
This is specified as part of the URL.
- `key_version` (`int: <required>`) -
Integer version of the crypto key version to use for verifying.
- `digest` (`string: <required>`) -
Digest that was signed. This digest is the base64 encoded binary value, and must match
the signing algorithm digest of the Cloud KMS key. For example:
```text
$ openssl dgst -sha256 -binary /my/file | base64
```
- `signature` (`string: <required>`) -
Signature of the digest as returned from a signing operation.
### Sample Payload
```json
{
"key_version": "1",
"digest": "LoM6lxd8YS+hUynZwrlCG20ViUUqqbNNNmh7HCtOkSc=",
"signature": "MGQCMEN2rgg6sj2vUEC3IcKDD+UprtMnxDoB3..."
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/verify/my-key
```
### Sample Response
```json
{
"data": {
"valid": true
}
}
```
## List Keys
This endpoint lists the named keys available for use in Vault. It does not list
all Google Cloud KMS keys.
| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `LIST` | `gcpkms/keys` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/keys" {
capabilities = ["list"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://127.0.0.1:8200/v1/gcpkms/keys
```
### Sample Response
```json
{
"data": {
"keys": [
"my-key"
]
}
}
```
## Create/Update Google Cloud KMS key
This endpoint is used to create or update a Google Cloud KMS key. In addition to
registering the key in Vault, this endpoint will also create the corresponding
Google Cloud KMS key with the given configuration options.
| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `POST` | `gcpkms/keys/:key` | `204 (empty body)` |
### Example Policy
```hcl
path "gcpkms/keys/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key in Vault.
This is specified as part of the URL.
- `crypto_key` (`string: ""`) -
Name of the crypto key to use. If the given crypto key does not exist, Vault
will try to create it. This defaults to the name of the key given to Vault as
the parameter if unspecified.
- `key_ring` (`string: ""`) -
Full Google Cloud resource ID of the key ring with the project and location
(e.g. projects/my-project/locations/global/keyRings/my-keyring). If the given
key ring does not exist, Vault will try to create it during a create operation.
- `label` (`map<string>string: nil`) -
Arbitrary key=value label to apply to the crypto key. To specify multiple
labels, specify this argument multiple times (e.g. label="a=b" label="c=d").
- `rotation_period` (`string: ""`) -
Amount of time between crypto key version rotations. This is specified as a
time duration value like 72h (72 hours). The smallest possible value is 24h.
### Sample Payload
```json
{
"key_ring": "projects/my-project/locations/my-location/keyRings/my-keyring",
"labels": {
"foo": "bar"
},
"rotation_period": "72h",
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/keys/my-key
```
## Delete Google Cloud KMS Key
This endpoint deletes a key from both Vault and Google Cloud KMS. This will
disable all crypto key versions for this crypto key in Google Cloud KMS and
delete Vault's reference to the crypto key.
| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `DELETE` | `gcpkms/keys/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/keys/my-key" {
capabilities = ["delete"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
https://127.0.0.1:8200/v1/gcpkms/keys/my-key
```
## Read Google Cloud KMS Key
This endpoint reads data about a Google Cloud KMS crypto key, including the key
status and current primary key version.
| Method | Path | Produces |
| :------- | :------------------------| :------------------------ |
| `GET` | `gcpkms/keys/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/keys/my-key" {
capabilities = ["read"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
https://127.0.0.1:8200/v1/gcpkms/keys/my-key
```
### Sample Response
```json
{
"data": {
"id": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
"labels": {
"foo": "bar"
},
"next_rotation_time_seconds": 1536613424,
"primary_version": "3",
"purpose": "encrypt_decrypt",
"rotation_schedule_seconds": 259200,
"state": "enabled"
}
}
```
## Read Vault Key Configuration
This endpoint reads data about a Vault's configuration of the key.
| Method | Path | Produces |
| :------- | :-------------------------| :------------------------ |
| `GET` | `gcpkms/keys/config/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/keys/config/my-key" {
capabilities = ["read"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
```
### Sample Response
```json
{
"data": {
"name": "my-key",
"crypto_key": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
"min_version": 10
}
}
```
## Update Vault Key Configuration
This endpoint is used to update Vault's information about an existing key.
| Method | Path | Produces |
| :------- | :-------------------------| :------------------------ |
| `POST` | `gcpkms/keys/config/:key` | `204 (empty body)` |
### Example Policy
```hcl
path "gcpkms/keys/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key in Vault.
This is specified as part of the URL.
- `min_version` (`int: 0`) -
Minimum allowed crypto key version. If set to a positive value, key versions
less than the given value are not permitted to be used. If set to 0 or a
negative value, there is no minimum key version.
- `max_version` (`int: 0`) -
Maximum allowed crypto key version. If set to a positive value, key versions
greater than the given value are not permitted to be used. If set to 0 or a
negative value, there is no maximum key version.
### Sample Payload
```json
{
"min_version": 10
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/keys/config/my-key
```
## Deregister Crypto Key
This endpoint deregisters an existing reference Vault has to a crypto key in
Google Cloud KMS. The underlying Google Cloud KMS key remains unchanged.
| Method | Path | Produces |
| :------- | :-----------------------------| :------------------------ |
| `POST` | `gcpkms/keys/deregister/:key` | `204 (empty body)` |
### Example Policy
```hcl
path "gcpkms/keys/deregister/my-key" {
capabilities = ["create", "update"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
https://127.0.0.1:8200/v1/gcpkms/keys/deregister/my-key
```
## Register Crypto Key
This endpoint registers an existing crypto key in Google Cloud KMS and makes it
available for encryption and decryption in Vault.
| Method | Path | Produces |
| :------- | :---------------------------| :------------------------ |
| `POST` | `gcpkms/keys/register/:key` | `204 (empty body)` |
### Example Policy
```hcl
path "gcpkms/keys/register/my-key" {
capabilities = ["create", "update"]
}
```
### Parameters
- `key` (`string: ""`) -
Name of the key to register in Vault. This will be the named used to refer to
the underlying crypto key when encrypting or decrypting data.
This is specified as part of the URL.
- `crypto_key` (`string: ""`) -
Full resource ID of the crypto key including the project, location, key ring,
and crypto key like "projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s". This
crypto key must already exist in Google Cloud KMS unless verify is set to
"false".
- `verify` (`bool: true`) -
Verify that the given Google Cloud KMS crypto key exists and is accessible
before creating the storage entry in Vault. Set this to "false" if the key will
not exist at creation time.
### Sample Payload
```json
{
"crypto_key": "projects/my-project/locations/my-location/keyRings/my-keyring/cryptoKeys/my-crypto-key",
"verify": true,
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://127.0.0.1:8200/v1/gcpkms/keys/register/my-key
```
## Rotate Crypto Key
This endpoint rotates a crypto key by creating a new crypto key version for the
corresponding Google Cloud KMS key and updates the new crypto key to be the
primary key for future encryptions.
**It can take up to 2 hours for a new crypto key version to become the primary,
so be sure to issue a read operation if you require new data to be encrypted
with this key.**
| Method | Path | Produces |
| :------- | :-------------------------| :------------------------ |
| `POST` | `gcpkms/keys/rotate/:key` | `200 application/json` |
### Example Policy
```hcl
path "gcpkms/keys/rotate/my-key" {
capabilities = ["create", "update"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
https://127.0.0.1:8200/v1/gcpkms/keys/rotate/my-key
```
### Sample Response
```json
{
"data": {
"key_version": "3"
}
}
```
## Trim KMS Key Versions
This endpoint deletes old crypto key versions that are older than the key's specified `min_version`.
**Data encrypted with older key versions will be irrecoverable!**
| Method | Path | Produces |
| :------- | :-------------------------| :------------------ |
| `POST` | `gcpkms/keys/trim/:key` | `204 (empty body)` |
### Example Policy
```hcl
path "gcpkms/keys/trim/my-key" {
capabilities = ["create", "update"]
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
https://127.0.0.1:8200/v1/gcpkms/keys/trim/my-key
```

442
website/source/docs/secrets/gcpkms/index.html.md Normal file
View file

@ -0,0 +1,442 @@
---
layout: "docs"
page_title: "Google Cloud KMS - Secrets Engines"
sidebar_title: "Google Cloud KMS <sup>1.0 BETA</sup>"
sidebar_current: "docs-secrets-gcpkms"
description: |-
The Google Cloud KMS secrets engine for Vault interfaces with Google Cloud
KMS for encryption/decryption of data and KMS key management through Vault.
---
# Google Cloud KMS Secrets Engine
The Google Cloud KMS Vault secrets engine provides encryption and key management
via [Google Cloud KMS][kms]. It supports management of keys, including creation,
rotation, and revocation, as well as encrypting and decrypting data with managed
keys. This enables management of KMS keys through Vault's policies and IAM
system.
## Setup
Most secrets engines must be configured in advance before they can perform their
functions. These steps are usually completed by an operator or configuration
management tool.
1. Enable the Google Cloud KMS secrets engine:
```text
$ vault secrets enable gcpkms
Success! Enabled the gcpkms secrets engine at: gcpkms/
```
By default, the secrets engine will mount at the name of the engine. To
enable the secrets engine at a different path, use the `-path` argument.
1. Configure the secrets engine with account credentials and/or scopes:
```text
$ vault write gcpkms/config \
credentials=@my-credentials.json
Success! Data written to: gcpkms/config
```
If you are running Vault from inside [Google Compute Engine][gce] or [Google
Kubernetes Engine][gke], the instance or pod service account can be used in
place or specifying the credentials JSON file. For more information on
authentication, see the [authentication section](#authentication) below.
1. Create a Google Cloud KMS key:
```text
$ vault write gcpkms/keys/my-key \
key_ring=projects/my-project/locations/my-location/keyRings/my-keyring \
rotation_period=72h
```
The `key_ring` parameter is specified in the following format:
```text
projects/<project>/locations/<location>/keyRings/<keyring>
```
where:
- `<project>` - the name of the GCP project (e.g. "my-project")
- `<location>` - the location of the KMS key ring (e.g. "us-east1", "global")
- `<keyring>` - the name of the KMS key ring (e.g. "my-keyring")
## Usage
After the secrets engine is configured and a user/machine has a Vault token with
the proper permission, it can be used to encrypt, decrypt, and manage keys. The
following sections describe the different ways in which keys can be managed.
### Symmetric Encryption/Decryption
This section describes using a Cloud KMS key for symmetric
encryption/decryption. This is probably the most common and familiar type of
encryption. Google Cloud manages the key ring which is used to encrypt and
decrypt data.
<table>
<thead>
<tr>
<th>Purpose</th>
<th>Supported Algorithms</th>
</tr>
<tr>
<td valign="top"><code>encrypt_decrypt</code></td>
<td valign="top">
<code>symmetric_encryption</code>
</td>
</tr>
</thead>
</table>
1. Create or use an existing key eligible for symmetric encryption/decryption:
```text
$ vault write gcpkms/keys/my-key \
key_ring=projects/.../my-keyring \
purpose=encrypt_decrypt \
algorithm=symmetric_encryption
```
1. Encrypt plaintext data using the `/encrypt` endpoint with a named key:
```text
$ vault write gcpkms/encrypt/my-key plaintext="hello world"
Key Value
--- -----
ciphertext CiQAuMv0lTiKjrF43Lgr4...
key_version 1
```
Unlike Vault's transit backend, plaintext data does not need to be base64
encoded. The endpoint will automatically convert data.
Note that Vault is not _storing_ this data. The caller is responsible for
storing the resulting ciphertext.
1. Decrypt ciphertext using the `/decrypt` endpoint with a named key:
```text
$ vault write gcpkms/decrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
Key Value
--- -----
plaintext hello world
```
For easier scripting, it is also possible to extract the plaintext directly:
```text
$ vault write -field=plaintext gcpkms/decrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
hello world
```
1. Rotate the underlying encryption key. This will generate a new crypto key
version on Google Cloud KMS and set that version as the active key.
```text
$ vault write -f gcpkms/keys/rotate/my-key
WARNING! The following warnings were returned from Vault:
* The crypto key version was rotated successfully, but it can take up to 2
hours for the new crypto key version to become the primary. In practice, it
is usually much shorter. Be sure to issue a read operation and verify the
key version if you require new data to be encrypted with this key.
Key Value
--- -----
key_version 2
```
As the message says, rotation is not immediate. Depending on a number of
factors, the propagation of the new key can take quite some time. If you
have a need to immediately encrypt data with this new key, query the API to
wait for the key to become the primary.
1. Re-encrypt already-encrypted ciphertext to be encrypted with a new version of
the crypto key. Vault will decrypt the value using the appropriate key in the
keyring and then encrypted the resulting plaintext with the newest key in the
keyring.
```text
$ vault write gcpkms/reencrypt/my-key ciphertext=CiQAuMv0lTiKjrF43Lgr4...
Key Value
--- -----
ciphertext CiQAuMv0lZTTozQA/ElqM...
key_version 2
```
This process **does not** reveal the plaintext data. As such, a Vault policy
could grant almost an untrusted process the ability to re-encrypt ciphertext
data, since the process would not be able to get access to the plaintext data.
1. Trim old key versions by deleting Cloud KMS crypto key versions that are
older than the `min_version` allowed on the key.
```text
$ vault write gcpkms/keys/config/my-key min_version=10
```
Then delete all keys older than version 10. This will make it impossible to
encrypt, decrypt, or sign values with the older key by conventional means.
```text
$ vault write -f gcpkms/keys/trim/my-key
```
1. Delete the key to delete all key versions and Vault's record of the key.
```text
$ vault delete gcpkms/keys/my-key
```
This will make it impossible to encrypt, decrypt, or sign values by
conventional means.
### Asymmetric Decryption
This section describes using a Cloud KMS key for asymmetric decryption. In this
model Google Cloud manages the key ring and exposes the public key via an API
endpoint. The public key encrypts data offline to produce ciphertext. When the
plaintext is desired, the user submits the ciphertext to Cloud KMS which
decrypts the value using the corresponding public key.
<table>
<thead>
<tr>
<th>Purpose</th>
<th>Supported Algorithms</th>
</tr>
<tr>
<td valign="top"><code>asymmetric_decrypt</code></td>
<td valign="top">
<code>rsa_decrypt_oaep_2048_sha256</code><br>
<code>rsa_decrypt_oaep_3072_sha256</code><br>
<code>rsa_decrypt_oaep_4096_sha256</code>
</td>
</tr>
</thead>
</table>
1. Create or use an existing key eligible for symmetric encryption/decryption:
```text
$ vault write gcpkms/keys/my-key \
key_ring=projects/.../my-keyring \
purpose=asymmetric_decrypt \
algorithm=rsa_decrypt_oaep_4096_sha256
```
1. Retrieve the public key from Cloud KMS:
```text
$ gcloud alpha kms keys versions get-public-key [CRYPTO_KEY_VERSION] \
--location [LOCATION] \
--keyring [KEY_RING] \
--key [KEY] \
--output-file ~/mykey.pub
```
1. Encrypt plaintext data with the public key. Note this varies widely between
programming languages. The following example uses OpenSSL, but you can use your
language's built-ins as well.
```text
$ openssl pkeyutl -in ~/my-secret-file \
-encrypt -pubin \
-inkey ~/mykey.pub \
-pkeyopt rsa_padding_mode:oaep \
-pkeyopt rsa_oaep_md:sha256 \
-pkeyopt rsa_mgf1_md:sha256
```
Note that this encryption happens offline (meaning outside of Vault), and
the encryption is happening with a _public_ key. Only Cloud KMS has the
corresponding _private_ key.
1. Decrypt ciphertext using the `/decrypt` endpoint with a named key:
```text
$ vault write gcpkms/decrypt/my-key key_verison=1 ciphertext=CiQAuMv0lTiKjrF43Lgr4...
Key Value
--- -----
plaintext hello world
```
### Asymmetric Signing
This section describes using a Cloud KMS key for asymmetric signing. In this
model Google Cloud manages the key ring and exposes the public key via an API
endpoint. A message or digest is signed with the corresponding private key, and
can be verified using the public key.
<table>
<thead>
<tr>
<th>Purpose</th>
<th>Supported Algorithms</th>
</tr>
<tr>
<td valign="top"><code>asymmetric_sign</code></td>
<td valign="top">
<code>rsa_sign_pss_2048_sha256</code><br>
<code>rsa_sign_pss_3072_sha256</code><br>
<code>rsa_sign_pss_4096_sha256</code><br>
<code>rsa_sign_pkcs1_2048_sha256</code><br>
<code>rsa_sign_pkcs1_3072_sha256</code><br>
<code>rsa_sign_pkcs1_4096_sha256</code><br>
<code>ec_sign_p256_sha256</code><br>
<code>ec_sign_p384_sha384</code>
</td>
</tr>
</thead>
</table>
1. Create or use an existing key eligible for symmetric encryption/decryption:
```text
$ vault write gcpkms/keys/my-key \
key_ring=projects/.../my-keyring \
purpose=asymmetric_sign \
algorithm=ec_sign_p384_sha384
```
1. Calculate the base64-encoded binary digest. Use the hashing algorithm that
corresponds to they key type:
```text
$ export DIGEST=$(openssl dgst -sha256 -binary /my/file | base64)
```
Ask Cloud KMS to sign the digest:
```text
$ vault write gcpkms/sign/my-key key_version=1 digest=$DIGEST
Key Value
--- -----
signature MGYCMQDbOS2462SKMsGdh2GQ...
```
1. Verify the signature of the digest:
```text
$ vault write gcpkms/verify/my-key key_version=1 digest=$DIGEST signature=$SIGNATURE
Key Value
--- -----
valid true
```
## Authentication
The Google Cloud KMS Vault secrets backend uses the official Google Cloud Golang
SDK. This means it supports the common ways of [providing credentials to Google
Cloud][cloud-creds]. In addition to specifying `credentials` directly via Vault
configuration, you can also get configuration from the following values **on the
Vault server**:
1. The environment variables `GOOGLE_APPLICATION_CREDENTIALS`. This is specified
as the **path** to a Google Cloud credentials file, typically for a service
account. If this environment variable is present, the resulting credentials are
used. If the credentials are invalid, an error is returned.
1. Default instance credentials. When no environment variable is present, the
default service account credentials are used. This is useful when running Vault
on [Google Compute Engine][gce] or [Google Kubernetes Engine][gke]
For more information on service accounts, please see the [Google Cloud Service
Accounts documentation][service-accounts].
To use this storage backend, the service account must have the following
minimum scope(s):
```text
https://www.googleapis.com/auth/kms
```
### Required Permissions
The credentials given to Vault must have the following permissions:
```text
locations.keyRings.create
locations.keyRings.cryptoKeys.list
locations.keyRings.cryptoKeys.get
locations.keyRings.cryptoKeys.create
locations.keyRings.cryptoKeys.encrypt
locations.keyRings.cryptoKeys.decrypt
locations.keyRings.cryptoKeys.patch
locations.keyRings.cryptoKeys.updatePrimaryVersion
locations.keyRings.cryptoKeys.cryptoKeyVersions.list
locations.keyRings.cryptoKeys.cryptoKeyVersions.get
locations.keyRings.cryptoKeys.cryptoKeyVersions.create
locations.keyRings.cryptoKeys.cryptoKeyVersions.patch
locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy
```
For simplicity, you can use this role instead:
```text
roles/cloudkms.admin
```
If Vault will not be creating keys, you can reduce the permissions. For example,
to create keys out of band and have Vault manage the encryption/decryption, you
only need the following permissions:
```text
roles/cloudkms.cryptoKeyEncrypterDecrypter
```
For more information, please see the [Google Cloud KMS IAM documentation][kms-iam]
## FAQ
**How is this different than Vault's transit secrets engine?**<br>
Vault's [transit][vault-transit] secrets engine uses in-memory keys to
encrypt/decrypt keys. In general it will be faster and more performant. However,
users who need physical, off-site, or out-of-band key management can use the
[Google Cloud KMS][kms] secrets engine to get those benefits while leveraging
Vault's policy and identity system.
**Can Vault use an existing KMS key?**<br>
You can use the `/register` endpoint to configure Vault to talk to an existing
Google Cloud KMS key. As long as the IAM permissions are correct, Vault will be
able to encrypt/decrypt data and rotate the key. See the [api][api] for more
information.
**Can this be used with a hardware key like an HSM?**<br>
Yes! You can set `protection_level` to "hsm" when creating a key, or use an
existing Cloud KMS key that is backed by an HSM.
**How much does this cost?**<br>
The plugin is free and open source. KMS costs vary by key type and the number of
operations. Please see the [Cloud KMS pricing page][kms-pricing] for more
details.
## Help &amp; Support
The Google Cloud KMS Vault secrets engine is written as an external Vault
plugin. The code lives outside the main Vault repository. It is automatically
bundled with Vault releases, but the code is managed separately.
Please report issues, add feature requests, and submit contributions to the
[vault-plugin-secrets-gcpkms repo on GitHub][repo].
## API
The Google Cloud KMS secrets engine has a full HTTP API. Please see the
[Google Cloud KMS secrets engine API docs][api] for more details.
[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
[gce]: https://cloud.google.com/compute/
[gke]: https://cloud.google.com/kubernetes-engine/
[kms]: https://cloud.google.com/kms
[kms-iam]: https://cloud.google.com/kms/docs/reference/permissions-and-roles
[kms-pricing]: https://cloud.google.com/kms/pricing
[repo]: https://github.com/hashicorp/vault-plugin-secrets-gcpkms
[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts
[vault-transit]: /docs/secrets/transit/index.html

1
website/source/layouts/api.erb
View file

@ -34,6 +34,7 @@
]
},
{ category: 'gcp' },
{ category: 'gcpkms' },
{
category: 'kv',
content: ['kv-v1', 'kv-v2']

1
website/source/layouts/docs.erb
View file

@ -215,6 +215,7 @@
]
},
{ category: 'gcp' },
{ category: 'gcpkms' },
{
category: 'kv',
content: ['kv-v1','kv-v2']