@ljulliar
Created May 20, 2019 09:41
Encrypt secrets with Cloud KMS (Photo Album on Google Cloud Run)
# Create a key ring to hold the keys that wrap the encrypted secrets
gcloud kms keyrings create photo-album --location=us-central1
# Create a symmetric encryption key and encrypt the credentials of the Cloud Run service account
gcloud kms keys create photo_album_runner_key --location us-central1 \
  --keyring photo-album --purpose encryption
gcloud kms encrypt --location us-central1 --keyring photo-album \
  --key photo_album_runner_key --plaintext-file ./config/photo_album_runner.key \
  --ciphertext-file ./config/photo_album_runner.key.enc
# Do the same with the Rails master key file (the .enc file is written by the encrypt command)
gcloud kms keys create rails_master_key --location us-central1 \
  --keyring photo-album --purpose encryption
gcloud kms encrypt --location us-central1 --keyring photo-album \
  --key rails_master_key --plaintext-file ./config/master.key \
  --ciphertext-file ./config/master.key.enc
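The gist only covers the encrypt side. As an added example (not part of the gist), the Python below is the decrypt step a Cloud Run container would run at startup to turn the two .enc files back into config/master.key and config/photo_album_runner.key with the google-cloud-kms client. The project id and the file-to-key mapping are assumptions; the KMS call is injectable so the file handling can be exercised without network access.

```python
import os
import stat
from pathlib import Path
from typing import Callable, Dict

LOCATION = "us-central1"
KEYRING = "photo-album"
# Encrypted files produced by the gist, mapped to the KMS key that wraps each one (assumed mapping).
SECRET_FILES = {
    "master.key.enc": "rails_master_key",
    "photo_album_runner.key.enc": "photo_album_runner_key",
}

def crypto_key_name(project: str, key: str) -> str:
    """Full Cloud KMS resource name of a CryptoKey in the gist's key ring."""
    return f"projects/{project}/locations/{LOCATION}/keyRings/{KEYRING}/cryptoKeys/{key}"

def kms_decrypt(key_name: str, ciphertext: bytes) -> bytes:
    """Real KMS call: needs google-cloud-kms and a service account allowed to decrypt with this key."""
    from google.cloud import kms  # imported here so the rest of the module runs without it
    client = kms.KeyManagementServiceClient()
    return client.decrypt(request={"name": key_name, "ciphertext": ciphertext}).plaintext

def decrypt_secret_files(config_dir: Path, project: str,
                         decrypt: Callable[[str, bytes], bytes] = kms_decrypt) -> Dict[str, Path]:
    """Turn each <name>.enc in config_dir into <name>, owner-readable only; return {name: path}."""
    written = {}
    for enc_name, key in SECRET_FILES.items():
        enc_path = config_dir / enc_name
        out_path = enc_path.with_suffix("")  # master.key.enc -> master.key
        plaintext = decrypt(crypto_key_name(project, key), enc_path.read_bytes())
        # Create the file with mode 0600 up front so there is no window where it is world-readable.
        fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
        with os.fdopen(fd, "wb") as f:
            f.write(plaintext)
        os.chmod(out_path, stat.S_IRUSR | stat.S_IWUSR)  # also tightens a pre-existing file
        written[out_path.name] = out_path
    return written

if __name__ == "__main__":
    # GOOGLE_CLOUD_PROJECT is assumed to be set in the container environment.
    paths = decrypt_secret_files(Path("config"), os.environ["GOOGLE_CLOUD_PROJECT"])
    print("decrypted:", ", ".join(sorted(paths)))
```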
@MohamedAlaa

in this command:

gcloud kms encrypt - location us-central1 --keyring photo-album \
  --key photo_album_runner_key --plaintext-file ./config/photo_album_runner.key \
  --ciphertext-file ./config/photo_album_runner.key.enc

How did the ciphertext file get generated? Is it the default Rails credentials.yml.enc?

@MohamedAlaa

Also there is a typo in the location argument: there is a missing - and an unneeded space.

gcloud kms encrypt --location us-central1 --keyring photo-album \
  --key photo_album_runner_key --plaintext-file ./config/photo_album_runner.key \
  --ciphertext-file ./config/photo_album_runner.key.enc

@MohamedAlaa

in this command:

gcloud kms encrypt - location us-central1 --keyring photo-album \
  --key photo_album_runner_key --plaintext-file ./config/photo_album_runner.key \
  --ciphertext-file ./config/photo_album_runner.key.enc

How did the ciphertext file get generated? Is it the default Rails credentials.yml.enc?

Got it! Posting what I found in case someone stumbles upon this gist: the --ciphertext-file gets created by KMS.
