You're reading from Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781835468869
Edition: 1st Edition
Authors (2):
Ankush Chowdhary

With an unwavering focus on technology spanning over two decades, Ankush remains genuinely dedicated to the ever-evolving realm of cybersecurity. Throughout his career, he has consistently upheld a deep commitment to assisting businesses on their journey towards modernization and embracing the digital age. His guidance has empowered numerous enterprises to prioritize and implement essential cybersecurity measures. He has had the privilege of being invited as a speaker at various global cybersecurity events, where he had the opportunity to share his insights and exert influence on key decision-makers concerning cloud security and policy matters. Driven by an authentic passion for education and mentorship, he derives immense satisfaction from guiding, teaching, and mentoring others within the intricate domain of cybersecurity. The intent behind writing this book has been a modest endeavor to achieve the same purpose.

Prashant Kulkarni

In his career, Prashant has worked directly with customers, helping them overcome different security challenges in various product areas. These experiences have made him passionate about continuous learning, especially in the fast-changing security landscape. Joining Google 4 years back, he expanded his knowledge of Cloud Security. He is thankful for the support of customers, the infosec community, and his peers that have sharpened his technical skills and improved his ability to explain complex security concepts in a user-friendly way. This book aims to share his experiences and insights, empowering readers to navigate the ever-evolving security landscape with confidence. In his free time, Prashant indulges in his passion for astronomy, marveling at the vastness and beauty of the universe.

Chapter 9 – Google Cloud Key Management Service

In this chapter, we will look at Google Cloud Key Management Service (KMS). Cloud KMS is a foundational service for all cryptographic operations in Google Cloud. Every workload that you deploy on Google Cloud is going to need the ability to encrypt data and use it for authorized purposes. There are various options presented by Cloud KMS, and it’s essential to understand them and make an informed choice to help with regulatory and audit requirements.

In this chapter, we will cover the following topics:

  • Overview of Cloud KMS
  • Encryption and key management in Cloud KMS
  • Key management options
  • Customer-supplied encryption key
  • Symmetric and asymmetric key encryption
  • Bringing your own key to the cloud
  • Key lifecycle management
  • Key IAM permissions
  • Cloud HSM
  • Cloud External Key Manager
  • Cloud KMS best practices
  • Cloud KMS APIs and logging

Let us start by learning about the capabilities of...

Overview of Cloud KMS

With Cloud KMS, Google’s focus is to provide a scalable, reliable, and performant solution with a wide spectrum of options that you can control on a platform that is straightforward to use. Let us start with a quick overview of the Cloud KMS architecture.

Figure 9.1 – The Cloud KMS architecture

The key components of the Cloud KMS platform are depicted in Figure 9.1. Administrators access key management services through the Google Cloud console or the CLI, as well as through the REST or gRPC APIs. Applications access the same services programmatically through the REST or gRPC APIs.

When creating a key on the Cloud KMS platform, you can select a protection level to define which key backend the key should use. The Cloud KMS platform has two backends (excluding Cloud EKM): the software and HSM protection levels. The software protection level is for keys that are protected by the software security module. HSM refers to keys that...

Encryption and key management in Cloud KMS

In this section, we will learn the basics of key management as it relates to Cloud KMS.

Figure 9.3 – Key structure

Figure 9.3 shows the structure of keys in Cloud KMS. Let us learn about the terms of key management:

  • Key: A named object representing a cryptographic key that is used for a specific purpose. The key material—the actual bits used for cryptographic operations—can change over time as you create new key versions. Key purpose and other attributes of the key are connected with and managed using the key. Thus, the key is the most important object for understanding Cloud KMS usage. Cloud KMS supports both asymmetric keys and symmetric keys. A symmetric key is used for symmetric encryption to protect some corpus of data—for example, using AES-256 in GCM mode to encrypt a block of plaintext. An asymmetric key can be used for asymmetric encryption, or for creating digital...

Key management options

In this section, we will cover several aspects of key management that are either Google-managed or customer-managed. It is important to know which option is best suited to which scenario so that you can make the right decision for a given use case.

Google Cloud’s default encryption

Google Cloud stores all data encrypted at rest using a Google-managed default encryption key. The default key is an AES-256 symmetric key. No key setup or configuration is required to turn on this option; all data uses this type of encryption by default. Google manages the keys and their rotation period. Google Cloud’s default encryption is best suited to customers who have no specific compliance or regional requirements for cryptographic key material. It is simple to use, requires no additional configuration to create keys, and there is no charge for using it.

Customer-managed encryption keys...

Symmetric key encryption

Recall that symmetric keys are used for encryption to protect some data—for example, using AES-256 in GCM mode to encrypt a block of plaintext.

Creating a symmetric key

To create a symmetric key, you will first need to create a key ring. The key ring determines the location of the key. Let us start with creating that.

Step 1: Creating a key ring

Here is a gcloud command to create a key ring:

gcloud kms keyrings create key-ring-name \
    --location location

Replace key-ring-name with a name for the key ring to hold the key. Replace location with the Cloud KMS location for the key ring and its keys.

Step 2: Creating a key

Use the following command to create a key in an existing key ring:

gcloud kms keys create key \
    --keyring key-ring-name \
    --location location \
    --purpose "encryption"

Replace key with the name...

Asymmetric key encryption

The following section describes the flow for using an asymmetric key to encrypt and decrypt data. Asymmetric encryption uses a key pair: a public key and a private key. As the name suggests, the public key is shared while the private key is not. There are two participants in this workflow, a sender and a recipient. The sender creates a ciphertext using the recipient’s public key, and the recipient decrypts the ciphertext using the private key it holds. Only someone with knowledge of the private key can decrypt the ciphertext.

Cloud KMS provides the following functionality as it relates to asymmetric encryption:

  • The ability to create an asymmetric key with the key purpose of ASYMMETRIC_DECRYPT. For information about which algorithms Cloud KMS supports, see asymmetric encryption algorithms in the Google Cloud documentation.
  • Cloud KMS asymmetric keys also support ASYMMETRIC_SIGN (ECC and RSA).
  • The ability to retrieve...

Importing a key (BYOK)

Google allows you to bring your own cryptographic key material. You can import it using the Software or Cloud HSM protection level. We will see step-by-step instructions on how to do this. But before we do that, let us understand the reasons you might want to import a key:

  • You may be using existing cryptographic keys that were created on your premises or in an external KMS.
  • If you migrate an application to Google Cloud or if you add cryptographic support to an existing Google Cloud application, you can import the relevant keys into Cloud KMS.
  • As part of key import, Cloud KMS generates a wrapping key, which is a public/private key pair, using one of the supported import methods. Encrypting your key material with this wrapping key protects the key material in transit.
  • This Cloud KMS public wrapping key is used to encrypt, on the client, the key to be imported. The private key matching this public key is stored within Google Cloud and is used to...

Key lifecycle management

While operating your workloads, you need to manage the lifecycle of your keys. The US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57, Part 1 describes a key management lifecycle that is divided into four phases: pre-operational, operational, post-operational, and destroyed.

The following section provides a mapping of the NIST lifecycle functions from the publication to Google Cloud KMS lifecycle functions.

  1. The Pre-operational lifecycle phase is mapped to the following:
    1. NIST section 8.1.4 Keying-Material Installation Function: The equivalent Cloud KMS operation is Key import.
    2. NIST section 8.1.5 Key Establishment Function: The equivalent Cloud KMS operation is Key creation (symmetric, asymmetric).
  2. The Operational lifecycle phase is mapped to the following:
    1. NIST section 8.2.1 Normal Operational Storage Function: The equivalent Cloud KMS operation is Key creation in SOFTWARE, HSM, or EXTERNAL protection levels (symmetric...

Key IAM permissions

When considering key permissions, think about the hierarchy in which the key exists. A key exists in a key ring, which exists in a project; the project may sit in a folder (possibly nested inside other folders) under the Cloud organization.

Recall that there are two fundamental security principles IAM enforces:

  • Principle of separation of duties
  • Principle of least privilege

A primary role a principal can play is the Cloud KMS CryptoKey Encrypter/Decrypter role at various levels of the hierarchy. There are several other roles Cloud KMS has based on how you structure it. Please refer to the Google Cloud KMS documentation for the list of other IAM roles: https://packt.link/RyY17.

We have looked at various IAM roles and permissions for Cloud KMS; let us now look at some best practices on how to manage access:

  • Key management roles can be granted based on the culture and processes of your enterprise. Traditionally, this role is played by the IT security team.
  • For a large or complex...
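Because IAM policies are inherited down the hierarchy described above, the roles a principal effectively holds on a key are the union of bindings on the key, its key ring, the project, every enclosing folder and the organization. The following added example (not the book's code) resolves that union and checks the separation-of-duties principle by flagging any principal who both administers a key and can use it. The hierarchy and bindings are constructed sample data; the role names are real Cloud KMS predefined roles.

```python
"""Effective Cloud KMS roles across the resource hierarchy, plus a
separation-of-duties check.

Added example, not the book's code. The hierarchy and bindings are
constructed sample data; the role names are Cloud KMS predefined roles.
"""

ADMIN_ROLES = {"roles/cloudkms.admin"}
USE_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

KEY_RING = "projects/kms-prod/locations/us-east1/keyRings/payments"
KEY = KEY_RING + "/cryptoKeys/cards"

# Constructed hierarchy: resource -> parent (None at the organization).
PARENT = {
    "organizations/123456789": None,
    "folders/security": "organizations/123456789",
    "projects/kms-prod": "folders/security",
    KEY_RING: "projects/kms-prod",
    KEY: KEY_RING,
}

# Constructed IAM bindings: resource -> role -> set of members.
BINDINGS = {
    "organizations/123456789": {
        "roles/cloudkms.admin": {"group:kms-admins@example.com"},
    },
    "folders/security": {
        "roles/cloudkms.admin": {"user:alice@example.com"},
    },
    "projects/kms-prod": {
        "roles/cloudkms.viewer": {"group:auditors@example.com"},
    },
    KEY: {
        "roles/cloudkms.cryptoKeyEncrypterDecrypter": {
            "serviceAccount:payments-api@app-prod.iam.gserviceaccount.com",
            "user:alice@example.com",
        },
    },
}


def ancestry(resource, parent=PARENT):
    """The resource followed by its ancestors, nearest first."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = parent[resource]
    return chain


def effective_roles(principal, resource, bindings=BINDINGS, parent=PARENT):
    """Roles the principal holds on resource, mapped to where each was granted.

    IAM allow policies are additive and inherited downwards, so a grant at
    any ancestor applies to the key.
    """
    roles = {}
    for node in ancestry(resource, parent):
        for role, members in bindings.get(node, {}).items():
            if principal in members:
                roles.setdefault(role, node)
    return roles


def principals_on(resource, bindings=BINDINGS, parent=PARENT):
    """Every member that appears in a binding anywhere in the ancestry."""
    found = set()
    for node in ancestry(resource, parent):
        for members in bindings.get(node, {}).values():
            found |= members
    return sorted(found)


def sod_violations(resource, bindings=BINDINGS, parent=PARENT):
    """Principals who both administer the resource and can use it for crypto."""
    out = []
    for principal in principals_on(resource, bindings, parent):
        held = set(effective_roles(principal, resource, bindings, parent))
        if held & ADMIN_ROLES and held & USE_ROLES:
            out.append(principal)
    return out


if __name__ == "__main__":
    print(effective_roles("user:alice@example.com", KEY))
    print("separation-of-duties violations:", sod_violations(KEY))
```

This deliberately models only allow-policy inheritance; real IAM evaluation also applies IAM Conditions, deny policies and group membership expansion, so treat the result as a first-pass review aid rather than an authoritative access decision.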

Cloud HSM

Cloud HSM is a cloud-hosted HSM service that allows you to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. The Cloud HSM cluster is managed by Google for you; you do not get access to the physical device. You also do not need to patch or scale it for multi-regional applications. Cloud HSM uses Cloud KMS as its frontend; you use Cloud KMS APIs to interact with the Cloud HSM backend. This abstracts the communication with Cloud HSM, so you do not need to use Cloud HSM-specific code.

When you use HSM-backed keys and key versions, the Google Cloud project that makes the cryptographic request incurs cryptographic operation quota usage, and the Google Cloud project that contains the HSM keys incurs HSM QPM quota usage.

Note

You can find more information on Cloud KMS in the Google Cloud documentation for quotas.

Here are some architectural characteristics of Cloud HSM that you should be aware of:

  • The...

Cloud EKM

Cloud EKM is one of the newest offerings for data protection. With Cloud EKM, you use the keys that you manage within an EKM partner.

Cloud EKM provides several benefits:

  • Key provenance: You control the location and distribution of your externally managed keys. Externally managed keys are never cached or stored within Google Cloud. Instead, Cloud EKM communicates directly with the external key management partner for each request.
  • Access control: You manage access to your externally managed keys. Before you can use an externally managed key to encrypt or decrypt data in Google Cloud, you must grant the Google Cloud project access to use the key. You can revoke this access at any time.
  • Centralized key management: You can manage your keys and access policies from a specific location and user interface, whether the data they protect resides in the cloud or on your premises.

In all cases, the key resides on the external system and is never sent to Google...

Cloud KMS best practices

Key access and key ring access are managed by organizing keys into key rings and projects, and by granting IAM roles on the keys, key rings, and projects. As you build out your cloud environment, follow the guidance in the following list for how to design your key resource hierarchy to reduce risk:

  1. Create a dedicated project for Cloud KMS that is separate from workload projects.
  2. Add key rings into the dedicated Cloud KMS project. Create key rings as needed to impose a separation of duties.
  3. Monitor privileged admin operations: key deletion operations and out-of-band key creation are considered privileged operations.
  4. Review CMEK-related findings in Security Command Center.
  5. Use encryption keys with the appropriate key strength and protection level for data sensitivity or classification. For example, for sensitive data, use keys with a higher strength. Additionally, use encryption keys with different protection levels for different data...

Cloud KMS API

The Cloud KMS service has an endpoint of cloudkms.googleapis.com. Here are a few widely used REST resources and methods that you should be aware of:

  • projects.locations
  • projects.locations.ekmConnections
  • projects.locations.keyRings
    • create
    • list
    • get
    • getIamPolicy
    • setIamPolicy
  • projects.locations.keyRings.cryptoKeys
    • create
    • decrypt
    • encrypt
    • get
    • getIamPolicy
    • list
    • setIamPolicy
    • updatePrimaryVersion
  • projects.locations.keyRings.cryptoKeys.cryptoKeyVersions
  • projects.locations.keyRings.importJobs

When interacting with Cloud KMS via a programmatic method, you should have a good understanding of these endpoints. Let us move on and understand the Cloud KMS logging components now.
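The resources listed above nest into a single resource name, `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`, and each REST method is either a GET on that name or a custom method appended as `:method`. The following added example (not the book's code) parses such names, derives their parents, and builds the HTTP request for the methods this section lists. It assumes the public v1 REST layout under cloudkms.googleapis.com; the sample names are constructed.

```python
"""Parse Cloud KMS resource names and derive REST requests for them.

Added example, not the book's code. Assumes the public Cloud KMS v1 REST
layout (custom methods as a ":method" suffix); sample names are constructed.
"""
import re

ENDPOINT = "https://cloudkms.googleapis.com/v1/"

NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)"
    r"(?:/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<version>[0-9]+))?)?$"
)

# Resource kind -> {method: HTTP verb}. "get" is a GET on the name itself;
# every other method here is a custom method appended as ":method".
METHODS = {
    "keyRing": {"get": "GET", "getIamPolicy": "GET", "setIamPolicy": "POST"},
    "cryptoKey": {"get": "GET", "encrypt": "POST", "decrypt": "POST",
                  "getIamPolicy": "GET", "setIamPolicy": "POST",
                  "updatePrimaryVersion": "POST"},
    "cryptoKeyVersion": {"get": "GET", "destroy": "POST", "restore": "POST",
                         "asymmetricDecrypt": "POST", "asymmetricSign": "POST"},
}

# Child collection each kind holds; used for list/create on the parent.
CHILD_COLLECTION = {"keyRing": "cryptoKeys", "cryptoKey": "cryptoKeyVersions"}


def parse_name(name):
    """Split a resource name into its parts and classify its kind."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Cloud KMS key ring/key/version name: {name!r}")
    parts = m.groupdict()
    if parts["version"] is not None:
        parts["kind"] = "cryptoKeyVersion"
        parts["version"] = int(parts["version"])
    elif parts["key"] is not None:
        parts["kind"] = "cryptoKey"
    else:
        parts["kind"] = "keyRing"
    return parts


def ancestors(name):
    """Enclosing resources, nearest first (key ring, location, project ...)."""
    p = parse_name(name)
    project = f"projects/{p['project']}"
    location = f"{project}/locations/{p['location']}"
    chain = [project, location, f"{location}/keyRings/{p['key_ring']}"]
    if p["key"] is not None:
        chain.append(f"{chain[-1]}/cryptoKeys/{p['key']}")
    if p["version"] is not None:
        chain.append(f"{chain[-1]}/cryptoKeyVersions/{p['version']}")
    return chain[:-1][::-1]  # drop the resource itself, nearest ancestor first


def is_allowed(name, method):
    """True if the method exists on this kind of resource."""
    return method in METHODS[parse_name(name)["kind"]]


def rest_request(name, method, child_id=None):
    """Return (HTTP verb, URL) for calling `method` on `name`.

    list/create act on the child collection of `name`; create of a
    cryptoKey also needs the new key's id as the cryptoKeyId query param.
    """
    kind = parse_name(name)["kind"]
    if method in ("list", "create"):
        coll = CHILD_COLLECTION.get(kind)
        if coll is None:
            raise ValueError(f"{kind} has no child collection")
        url = f"{ENDPOINT}{name}/{coll}"
        if method == "create" and coll == "cryptoKeys":
            url += f"?cryptoKeyId={child_id}"
        return ("GET" if method == "list" else "POST"), url
    if not is_allowed(name, method):
        raise ValueError(f"{method!r} is not a {kind} method")
    suffix = "" if method == "get" else f":{method}"
    return METHODS[kind][method], f"{ENDPOINT}{name}{suffix}"


if __name__ == "__main__":
    key = "projects/p1/locations/us-east1/keyRings/kr/cryptoKeys/k1"
    print(rest_request(key, "encrypt"))
    print(ancestors(key + "/cryptoKeyVersions/3"))
```

A useful side effect of the method table is that it makes the split between key-level and version-level operations explicit: symmetric `encrypt`/`decrypt` target the key (and its primary version), whereas `asymmetricSign`, `asymmetricDecrypt`, `destroy` and `restore` always target a specific version.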

Cloud KMS logging

The following types of audit logs are available for Cloud KMS:

  • Admin Activity audit logs: Include admin write operations that write metadata or configuration information. You cannot disable Admin Activity audit logs.

Admin Activity audit logs cover the following Cloud KMS operations:

cloudkms.projects.locations.keyRings.create
cloudkms.projects.locations.keyRings.setIamPolicy
cloudkms.projects.locations.keyRings.cryptoKeys.create
cloudkms.projects.locations.keyRings.cryptoKeys.patch
cloudkms.projects.locations.keyRings.cryptoKeys.setIamPolicy
cloudkms.projects.locations.keyRings.cryptoKeys.updatePrimaryVersion
cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.create
cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy
cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.patch
cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.restore
cloudkms.projects.locations...
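The operation names above are exactly what a detection rule keys on. The following added example (not the book's code) scans Admin Activity entries for the privileged operations this chapter's best practices say to monitor (key version destruction, IAM policy changes, primary-version changes and out-of-band key creation) and flags actors outside an expected admin set. The log lines are constructed to follow the Cloud Audit Logs `protoPayload` shape; the severity ranking and the admin allowlist are this example's own assumptions.

```python
"""Flag privileged Cloud KMS operations in Admin Activity audit logs.

Added example, not the book's code. The log lines below are constructed
in the Cloud Audit Logs protoPayload shape; the severity ranking and the
expected-admin allowlist are this example's own assumptions.
"""
import json

# Method name -> assumed severity. Names are the Admin Activity operations
# listed in this section.
PRIVILEGED = {
    "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy": "high",
    "cloudkms.projects.locations.keyRings.cryptoKeys.setIamPolicy": "high",
    "cloudkms.projects.locations.keyRings.setIamPolicy": "high",
    "cloudkms.projects.locations.keyRings.cryptoKeys.updatePrimaryVersion": "medium",
    "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.restore": "medium",
    "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.create": "medium",
    "cloudkms.projects.locations.keyRings.cryptoKeys.create": "medium",
    "cloudkms.projects.locations.keyRings.create": "low",
    "cloudkms.projects.locations.keyRings.cryptoKeys.patch": "low",
    "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.patch": "low",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed allowlist of principals expected to perform admin operations.
EXPECTED_ADMINS = {"kms-admin@example.com"}

# Constructed sample entries (one JSON object per line), abbreviated to the
# fields the scan needs.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T10:00:00Z", "logName": "projects/kms-prod/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "cloudkms.googleapis.com", "methodName": "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy", "authenticationInfo": {"principalEmail": "contractor@example.com"}, "resourceName": "projects/kms-prod/locations/us-east1/keyRings/payments/cryptoKeys/cards/cryptoKeyVersions/2"}}
{"timestamp": "2024-03-01T10:05:00Z", "logName": "projects/kms-prod/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "cloudkms.googleapis.com", "methodName": "cloudkms.projects.locations.keyRings.cryptoKeys.setIamPolicy", "authenticationInfo": {"principalEmail": "kms-admin@example.com"}, "resourceName": "projects/kms-prod/locations/us-east1/keyRings/payments/cryptoKeys/cards"}}
{"timestamp": "2024-03-01T10:06:00Z", "logName": "projects/kms-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "cloudkms.googleapis.com", "methodName": "cloudkms.projects.locations.keyRings.cryptoKeys.get", "authenticationInfo": {"principalEmail": "payments-api@app-prod.iam.gserviceaccount.com"}, "resourceName": "projects/kms-prod/locations/us-east1/keyRings/payments/cryptoKeys/cards"}}
{"timestamp": "2024-03-01T10:09:00Z", "logName": "projects/kms-prod/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "cloudkms.googleapis.com", "methodName": "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.create", "authenticationInfo": {"principalEmail": "kms-admin@example.com"}, "resourceName": "projects/kms-prod/locations/us-east1/keyRings/payments/cryptoKeys/cards"}}
"""


def parse_entry(line):
    """Pull the fields a detection needs out of one audit log entry."""
    entry = json.loads(line)
    payload = entry["protoPayload"]
    return {
        "time": entry["timestamp"],
        "method": payload["methodName"],
        "principal": payload["authenticationInfo"]["principalEmail"],
        "resource": payload["resourceName"],
    }


def scan(lines, expected_admins=EXPECTED_ADMINS):
    """Return privileged operations, most severe first, then oldest first."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        severity = PRIVILEGED.get(entry["method"])
        if severity is None:
            continue  # read-only or data-access call, not an admin operation
        entry["severity"] = severity
        entry["unexpected_actor"] = entry["principal"] not in expected_admins
        findings.append(entry)
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["time"]))
    return findings


def summarize(findings):
    """Count findings per severity and how many came from unexpected actors."""
    counts = {"high": 0, "medium": 0, "low": 0, "unexpected_actor": 0}
    for f in findings:
        counts[f["severity"]] += 1
        counts["unexpected_actor"] += int(f["unexpected_actor"])
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        flag = "UNEXPECTED ACTOR" if f["unexpected_actor"] else ""
        print(f["severity"], f["time"], f["principal"], f["method"].rsplit(".", 1)[1], flag)
    print(summarize(scan(SAMPLE_LOG.splitlines())))
```

The `cryptoKeys.get` line is dropped on purpose: it is a read that lands in Data Access logs, not an Admin Activity operation, and filtering on method name rather than on the whole log stream is what keeps the rule precise.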

Summary

In this chapter, we went over the details of Cloud KMS, its supported operations, and how to use them. We also looked at bringing your own encryption key to the cloud. We went over advanced options such as Cloud HSM and Cloud EKM. In addition to this, we saw the best practices and Cloud KMS infrastructure decisions while setting up your project on Google Cloud. As a security engineer, you should be able to define the right architecture for key management for your organization and recommend the right compliance options for project teams.

In the next chapter, we will look at data security, specifically how to use Google Cloud’s Data Loss Prevention (DLP) services. Cloud KMS and DLP should bring you one step closer to creating the right strategy for data security.

Further reading

For more information on Google Cloud KMS, refer to the following link:
