Add support for GCP KMS #61

Closed
omerlh opened this issue Dec 31, 2018 · 8 comments · Fixed by #66
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

omerlh (Contributor) commented Dec 31, 2018

For Kubernetes clusters running on GCP. Looks like there is an SDK for dotnet.
How do we handle authentication?

omerlh added the enhancement and help wanted labels Dec 31, 2018

bweston92 commented

Service account token mounted on the container should be able to provide access to Google’s KMS.

Or we can store the token file as a secret and mount to the relevant place.

https://cloud.google.com/docs/authentication/getting-started

omerlh (Contributor, Author) commented Jan 6, 2019

Yep, I assumed that is something we can do easily - the same integration can be done for AWS and Azure. Is KMS the right choice here? I think it does not have the same support for HSM as Azure KeyVault.
Also, is that something you'd be interested in? I can help write the code, but I need help testing it :)

bweston92 commented

Google also supports an HSM.

I would be more than willing to test it.

When I first looked at this without it I wanted to add it, but then noticed it is in C#, which is new to me.

omerlh (Contributor, Author) commented Jan 6, 2019

Cool! What is your preference here? HSM or KMS? From a security point of view, I would say HSM, but it might have additional cost and PKCS11 is not something I would like to do again...

bweston92 commented

I believe they use the same API on GCS. When you create the key ring you specify whether you want to use a HSM or not. I’m fine either way and, to be honest, I don’t have much experience with crypto beyond using the APIs.
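As an added example (not the project's own code) of the two points raised above, authenticating to Google KMS through the mounted service account credentials and asking for HSM protection when the key is created, here is a .NET snippet using the Google.Cloud.Kms.V1 NuGet package. The project, location, key ring and key identifiers are placeholders; HSM protection is assumed to be requested in a region rather than the global location.

```csharp
// Added example, not Kamus project code. Requires the Google.Cloud.Kms.V1 NuGet package.
using System;
using System.Text;
using Google.Cloud.Kms.V1;
using Google.Protobuf;

public static class GcpKmsExample
{
    // Creates a symmetric encrypt/decrypt key whose versions are HSM-backed.
    // The protection level lives in the key's version template, so the choice
    // between software and HSM is made per key, not per API call.
    public static CryptoKey CreateHsmKey(KeyManagementServiceClient client,
        string projectId, string locationId, string keyRingId, string keyId)
    {
        var parent = new KeyRingName(projectId, locationId, keyRingId);
        var key = new CryptoKey
        {
            Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                ProtectionLevel = ProtectionLevel.Hsm,
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
            },
        };
        return client.CreateCryptoKey(parent, keyId, key);
    }

    // Encryption and decryption never expose the key material; KMS returns the
    // ciphertext (or plaintext) and the key stays inside Google's service/HSM.
    public static byte[] Encrypt(KeyManagementServiceClient client, CryptoKeyName key, byte[] plaintext)
    {
        EncryptResponse response = client.Encrypt(key.ToString(), ByteString.CopyFrom(plaintext));
        return response.Ciphertext.ToByteArray();
    }

    public static byte[] Decrypt(KeyManagementServiceClient client, CryptoKeyName key, byte[] ciphertext)
    {
        DecryptResponse response = client.Decrypt(key.ToString(), ByteString.CopyFrom(ciphertext));
        return response.Plaintext.ToByteArray();
    }

    public static void Main()
    {
        // Create() uses Application Default Credentials: on GKE the service account
        // the pod runs as, or the JSON key file named by GOOGLE_APPLICATION_CREDENTIALS
        // when that file is mounted into the container from a Kubernetes Secret.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();
        // Placeholder identifiers; the key ring and key must already exist (see CreateHsmKey).
        var key = new CryptoKeyName("my-project", "us-east1", "my-keyring", "my-key");
        byte[] ciphertext = Encrypt(client, key, Encoding.UTF8.GetBytes("secret value"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(client, key, ciphertext)));
    }
}
```

The service account needs the KMS encrypter/decrypter role on the key (and admin rights on the key ring only if CreateHsmKey is used), so the pod's identity can be scoped to that single key.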

omerlh (Contributor, Author) commented Jan 6, 2019

Ohh I see. This is a bit different than AWS I think. I'll try to find time in the next few days and work on a quick POC so you can test it out :)

bweston92 commented Jan 6, 2019 via email

omerlh (Contributor, Author) commented Jan 6, 2019

I had some time tonight; it was a bit harder than I was thinking. I'll try tomorrow to finish the decryption part (it should take far less time now that I know how the magic is working).
Let's move to talk on Slack? It will be a lot faster to resolve issues. I'll release test images when I'm done so you can test it out. Use this link to join :)

omerlh closed this as completed in #66 Jan 8, 2019