GCP KMS docs

README.rst

@@ -163,6 +163,35 @@ the example files and pgp key provided with the repository::
 
 This last step will decrypt `example.yaml` using the test private key.
 
+
+Encrypting using GCP KMS
+~~~~~~~~~~~~~~~~~~~~~~~~
+GCP KMS uses `Application Default Credentials
+<https://developers.google.com/identity/protocols/application-default-credentials>`_.
+If you aleady logged-ing using `gcloud auth login` you can enable appication
+default credentials using the sdk::
+
+	$ gcloud auth application-default login
+
+Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
+cloud console the get the ResourceID or you can create one using the gcloud
+sdk:
+
+.. code:: bash
+
+	$ gcloud kms keyrings create sops --location global
+	$ gcloud kms keys create sops-key --location global --keyring sops --purpose encryption
+	$ gcloud kms keys list --location global --keyring sops
+
+	# you should see
+	NAME                                                                   PURPOSE          PRIMARY_STATE
+	projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key ENCRYPT_DECRYPT  ENABLED
+
+Now you can encrypt a file using::
+	$ sops --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml
+
+
+
 Adding and removing keys
 ~~~~~~~~~~~~~~~~~~~~~~~~