Storing secrets

The following steps describe how to store a secret in a Google Cloud Storage bucket encrypted at the application layer with an encryption key from Google Cloud Key Management Service.

The steps presented here show one way of storing secrets using Cloud KMS. Learn more about storing secrets, including other options, in Secret management.

Setup

We recommend using two projects and two users to ensure separation of duties between the individuals and services who use secrets, versus those who manage secrets. One project will use Cloud KMS to manage the keys and the other project will use Cloud Storage buckets to store the secrets.

Create projects

Within the organization (this step is performed by a user that has been granted the roles/resourcemanager.organizationAdmin role):

  1. Create a Google Cloud Platform project that will contain the Cloud Storage bucket used to store the secrets. The secrets will be stored as objects in the bucket. This topic will refer to this project as [MY_STORAGE_PROJECT].
  2. Create a Google Cloud Platform project that will use Cloud KMS to manage the keys that will encrypt and decrypt the secret. This topic will refer to this project as [MY_KMS_PROJECT].

Create users

This step creates two users, one that will have the ability to manage the encryption keys, and one that will have the ability to use the encryption keys.

Using the [MY_KMS_PROJECT] project (this step is performed by the [MY_KMS_PROJECT] project owner, or another user that has been granted the roles/resourcemanager.organizationAdmin role for the [MY_KMS_PROJECT] project):

  1. Grant the roles/cloudkms.admin role to User1. This user will have the ability to manage the keys.
  2. Grant the roles/cloudkms.cryptoKeyEncrypterDecrypter role to User2. This user will have the ability to use the encryption key for encrypting and decrypting the file that contains the secret.

    Alternatively, if you want only some users to encrypt and different users to decrypt, use the roles/cloudkms.cryptoKeyEncrypter role for the encrypters and the roles/cloudkms.cryptoKeyDecrypter role for the decrypters.

Create a storage bucket

Using the [MY_STORAGE_PROJECT] project (this step is performed by the [MY_STORAGE_PROJECT] project owner, or another user that has been granted the roles/storage.admin role for the [MY_STORAGE_PROJECT] project):

  1. Create a storage bucket, which this topic will refer to as [MY_BUCKET].
  2. Grant User2 the roles/storage.objectAdmin role to the [MY_BUCKET] bucket.

Create an encryption key

This step is performed by User1.

  1. Create a KeyRing named storage. The name of a KeyRing is unique to the project. A KeyRing cannot be renamed or deleted. You can use the gcloud command-line tool to create a KeyRing.

    gcloud kms keyrings create storage --location global
    
  2. Using the storage KeyRing, create a CryptoKey named mykey for the purpose of encryption. The name of a CryptoKey is unique to the KeyRing. A CryptoKey cannot be renamed or deleted, but its CryptoKeyVersions can be destroyed. Use the gcloud command-line tool to create a CryptoKey. A first key version will be created automatically.

    gcloud kms keys create mykey --location global --keyring storage --purpose encryption
    

Get more details about creating encryption keys in Creating KeyRings and CryptoKeys.
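The setup sections above (roles, KeyRing, CryptoKey, bucket) collected into one script. This is an added example, not part of the Cloud KMS documentation: the project ids, user addresses and bucket name are placeholders, and the script runs every command from one administrative session, whereas the page splits them between the two project owners and User1 to keep duties separated. It also grants User2 the encrypter/decrypter role on the CryptoKey itself rather than project-wide, which is narrower than the page's wording; that is this example's choice. By default (DRY_RUN=1) it prints each command for review; DRY_RUN=0 executes them with an authenticated gcloud and gsutil.

```shell
#!/bin/sh
# Added example (not from the Cloud KMS docs): the setup steps as one script.
# Placeholders: project ids, user e-mail addresses and bucket name below.
# DRY_RUN=1 (default) prints each command instead of running it; DRY_RUN=0 applies.
set -eu

KMS_PROJECT="${KMS_PROJECT:-my-kms-project}"              # [MY_KMS_PROJECT]
STORAGE_PROJECT="${STORAGE_PROJECT:-my-storage-project}"  # [MY_STORAGE_PROJECT]
BUCKET="${BUCKET:-my-secrets-bucket}"                     # [MY_BUCKET]
USER1="${USER1:-user1@example.com}"   # manages keys
USER2="${USER2:-user2@example.com}"   # uses the key and the bucket
KEYRING="storage"
KEY="mykey"
LOCATION="global"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full resource name of the CryptoKey; handy for IAM policies and audit-log filters.
kms_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$KMS_PROJECT" "$LOCATION" "$KEYRING" "$KEY"
}

# [MY_KMS_PROJECT]: key-manager role for User1, the KeyRing and CryptoKey,
# then a key-scoped encrypt/decrypt grant for User2 (narrower than project-wide).
setup_kms_project() {
  run gcloud projects add-iam-policy-binding "$KMS_PROJECT" \
    --member "user:$USER1" --role roles/cloudkms.admin
  run gcloud kms keyrings create "$KEYRING" \
    --project "$KMS_PROJECT" --location "$LOCATION"
  run gcloud kms keys create "$KEY" --project "$KMS_PROJECT" \
    --location "$LOCATION" --keyring "$KEYRING" --purpose encryption
  run gcloud kms keys add-iam-policy-binding "$KEY" --project "$KMS_PROJECT" \
    --location "$LOCATION" --keyring "$KEYRING" \
    --member "user:$USER2" --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# [MY_STORAGE_PROJECT]: the bucket, with object admin on it for User2 only.
setup_storage_project() {
  run gsutil mb -p "$STORAGE_PROJECT" "gs://$BUCKET"
  run gsutil iam ch "user:$USER2:objectAdmin" "gs://$BUCKET"
}

setup_kms_project
setup_storage_project
```

Review the printed commands first, then rerun with DRY_RUN=0; the KeyRing and CryptoKey names cannot be changed afterwards, so a dry run is the cheap place to catch a typo.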

Encrypt the file that contains the secret

This step is performed by User2.

  1. On your local machine, create the file, for example, mysecret.txt, that contains the secret.
  2. Encrypt mysecret.txt using a key; in this case, the mykey CryptoKey in the storage KeyRing of the [MY_KMS_PROJECT] project. Write the encrypted file to mysecret.txt.encrypted.
    For an example of using Cloud KMS to encrypt a file using a key, see the encrypt data quickstart.
  3. Upload the encrypted file, mysecret.txt.encrypted, to the [MY_BUCKET] bucket.
  4. [Optional] Delete the plaintext mysecret.txt file from the local machine.

Decrypt the file that contains the secret

This step is performed by User2.

  1. Download mysecret.txt.encrypted from the [MY_BUCKET] bucket to the local machine.
  2. Decrypt mysecret.txt.encrypted using the same key as previously used for the encryption. Write the decrypted file to mysecret.txt.decrypted.
    For an example of using Cloud KMS to decrypt a file using a key, see the encrypt data quickstart.
  3. Use the plaintext file, mysecret.txt.decrypted.
  4. [Optional] When you are done using the decrypted file, delete it from the local machine.
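The encrypt/upload and download/decrypt procedures above as two shell functions, using the gcloud kms encrypt and decrypt commands and gsutil. This is an added example, not part of the Cloud KMS documentation; the project id, bucket and key names are placeholders. Two choices go slightly beyond the page's optional steps: the local plaintext is always removed after upload, and the decrypted file is created under umask 077 so that only the current user can read it. DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them with an authenticated gcloud and gsutil.

```shell
#!/bin/sh
# Added example (not from the Cloud KMS docs): the encrypt/upload and
# download/decrypt steps as functions. Placeholders: project id, bucket, key names.
# DRY_RUN=1 (default) prints each command instead of running it; DRY_RUN=0 applies.
set -eu

KMS_PROJECT="${KMS_PROJECT:-my-kms-project}"   # [MY_KMS_PROJECT]
BUCKET="${BUCKET:-my-secrets-bucket}"           # [MY_BUCKET]
KEYRING="${KEYRING:-storage}"
KEY="${KEY:-mykey}"
LOCATION="${LOCATION:-global}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "Encrypt" steps 2-4: encrypt the plaintext with the CryptoKey, upload only the
# ciphertext to the bucket, then remove the local plaintext.
store_secret() {  # $1 = local plaintext file, $2 = object name in the bucket
  run gcloud kms encrypt --project "$KMS_PROJECT" --location "$LOCATION" \
    --keyring "$KEYRING" --key "$KEY" \
    --plaintext-file "$1" --ciphertext-file "$1.encrypted"
  run gsutil cp "$1.encrypted" "gs://$BUCKET/$2"
  run rm -f "$1"
}

# "Decrypt" steps 1-2: fetch the ciphertext and decrypt it with the same key.
# The subshell's umask 077 makes the plaintext readable by the current user only.
fetch_secret() {  # $1 = object name in the bucket, $2 = local plaintext destination
  (
    umask 077
    run gsutil cp "gs://$BUCKET/$1" "$1"
    run gcloud kms decrypt --project "$KMS_PROJECT" --location "$LOCATION" \
      --keyring "$KEYRING" --key "$KEY" \
      --ciphertext-file "$1" --plaintext-file "$2"
  )
}

# "Decrypt" step 4: remove the plaintext once it has been used.
discard_secret() {  # $1 = local plaintext file
  run rm -f "$1"
}

store_secret mysecret.txt mysecret.txt.encrypted
fetch_secret mysecret.txt.encrypted mysecret.txt.decrypted
discard_secret mysecret.txt.decrypted
```

Note that the user running these commands needs both the Cloud KMS role on the key (to call encrypt and decrypt) and the objectAdmin role on the bucket (to upload and download); holding only one of them fails at the corresponding step, which is the separation the setup sections rely on.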
