Encrypt customer private key with Google public key
This sample demonstrates how to encrypt a customer private key with the Google public key, ensuring that only Google can decrypt it.
Explore further

For detailed documentation that includes this code sample, see the following:

- [Encrypt disks with customer-supplied encryption keys](/compute/docs/disks/customer-supplied-encryption)

Code sample

Python

Before trying this sample, follow the Python setup instructions in the [Compute Engine quickstart using client libraries](/compute/docs/api/using-libraries).

For more information, see the [Compute Engine Python API reference documentation](/python/docs/reference/compute/latest).

To authenticate to Compute Engine, set up Application Default Credentials. For more information, see [Set up authentication for a local development environment](/docs/authentication/set-up-adc-local-dev-environment).

```python
import argparse
import base64
import os
from typing import Optional

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
import requests


GOOGLE_PUBLIC_CERT_URL = (
    "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem"
)


def get_google_public_cert_key() -> RSAPublicKey:
    """
    Downloads the Google public certificate.

    Returns:
        RSAPublicKey object with the Google public certificate.
    """
    r = requests.get(GOOGLE_PUBLIC_CERT_URL)
    r.raise_for_status()

    # Load the certificate.
    certificate = x509.load_pem_x509_certificate(r.content, default_backend())

    # Get the certificate's public key.
    public_key = certificate.public_key()

    return public_key


def wrap_rsa_key(public_key: RSAPublicKey, private_key_bytes: bytes) -> bytes:
    """
    Use the Google public key to encrypt the customer private key.

    This means that only the Google private key is capable of decrypting
    the customer private key.

    Args:
        public_key: The public key to use for encrypting.
        private_key_bytes: The private key to be encrypted.

    Returns:
        private_key_bytes encrypted using the public_key. Encoded using
        base64.
    """
    # RSA-OAEP with MGF1/SHA-1 and SHA-1: the padding Google expects for
    # wrapped customer-supplied keys.
    wrapped_key = public_key.encrypt(
        private_key_bytes,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA1()),
            algorithm=hashes.SHA1(),
            label=None,
        ),
    )
    encoded_wrapped_key = base64.b64encode(wrapped_key)
    return encoded_wrapped_key


def main(key_file: Optional[str]) -> None:
    """
    This script will encrypt a private key with Google public key.

    Args:
        key_file: path to a file containing your private key. If not
            provided, a new key will be generated (256 bit).
    """
    # Generate a new 256-bit private key if no key is specified.
    if not key_file:
        customer_key_bytes = os.urandom(32)
    else:
        with open(key_file, "rb") as f:
            customer_key_bytes = f.read()

    google_public_key = get_google_public_cert_key()
    wrapped_rsa_key = wrap_rsa_key(google_public_key, customer_key_bytes)

    b64_key = base64.b64encode(customer_key_bytes).decode("utf-8")

    print(f"Base-64 encoded private key: {b64_key}")
    print(f"Wrapped RSA key: {wrapped_rsa_key.decode('utf-8')}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
    )
    parser.add_argument("--key_file", help="File containing your binary private key.")

    args = parser.parse_args()

    main(args.key_file)
```

What's next

To search and filter code samples for other Google Cloud products, see the [Google Cloud sample browser](/docs/samples?product=compute).

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
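The following is an added example, not part of Google's sample: it performs the same RSA-OAEP wrap with the same parameters, then shows the other half that the sample cannot show (only Google holds the private key) by using a locally generated RSA key pair as a constructed stand-in for the certificate, so it runs offline. It also adds the 32-byte length check a caller would want before wrapping.

```python
# Added example (not the Google sample): wrap/unwrap round trip with the sample's
# OAEP parameters, using a generated RSA key pair as a stand-in for Google's cert.
import base64
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey

# Same OAEP parameters as the sample (MGF1/SHA-1, SHA-1, no label). Wrapping and
# unwrapping must use identical parameters or decryption fails.
CSEK_OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None
)


def wrap_customer_key(public_key: RSAPublicKey, customer_key: bytes) -> str:
    """Encrypt a 256-bit customer key; returns the base64 text the sample prints."""
    if len(customer_key) != 32:
        raise ValueError("customer key must be exactly 32 bytes (256 bits)")
    return base64.b64encode(public_key.encrypt(customer_key, CSEK_OAEP)).decode("ascii")


def unwrap_customer_key(private_key: RSAPrivateKey, wrapped_b64: str) -> bytes:
    """Decrypt a wrapped key; only the holder of the matching private key can."""
    return private_key.decrypt(base64.b64decode(wrapped_b64), CSEK_OAEP)


def demo() -> dict:
    # Constructed stand-in for Google's key pair; in production the customer only
    # ever sees the public half, taken from the downloaded certificate.
    google_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    customer_key = os.urandom(32)
    wrapped = wrap_customer_key(google_private.public_key(), customer_key)
    recovered = unwrap_customer_key(google_private, wrapped)

    # A different private key cannot unwrap it: OAEP decryption raises ValueError.
    try:
        unwrap_customer_key(other_private, wrapped)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "round_trip_ok": recovered == customer_key,
        "wrapped_len": len(base64.b64decode(wrapped)),  # RSA modulus size: 256 bytes
        "wrong_key_rejected": wrong_key_rejected,
    }
```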