[KMS]: Is it working with cryptographic keys on GCP KMS?

[Ahmadre]

I have my own Key on Google Cloud Platform in KMS with Key Rotation and all of that.

Can I use it here as my encryption key?

see: https://www.npmjs.com/package/@google-cloud/kms

[franky47]

I'm not familiar with their API, but if it lets you manage 32 byte keys (for AES 256) and get access to the raw key material, you should be able to format it in a way the underlying encryption library understands:

k1.aesgcm256.{base64url encoded key material}

[Ahmadre]

I'm not familiar with their API, but if it lets you manage 32 byte keys (for AES 256) and get access to the raw key material, you should be able to format it in a way the underlying encryption library understands:

k1.aesgcm256.{base64url encoded key material}

Thank you for your quick answer :).

Actually that's not possible to access the raw key material, because that's the security and controlling of encryption/decryption behind KMS providers. Keys are living encrypted in Google Cloud Server and can never be exposed in any way. Rather you can call encrypt/decrypt methods which will be executed in the GCP KMS.

I forked your repository and added a WIP support for GCP KMS: Ahmadre@b03d2c5

[franky47]

We could envision a way to configure the cryptographic layer to use such external providers, in addition to doing it locally by default.

A sort of plugin architecture would be best suited for this, so other KMS can be added in the future (eg: Hashicorp Vault, AWS, Azure etc). Even better would be to follow an existing common interface, if such a thing exists.

[masterbater]

Please add AWS KMS

[franky47]

Would you like to open a PR?