This repository has been archived by the owner on Sep 16, 2021. It is now read-only.

CloudKms

Maxim Ermilov edited this page Sep 7, 2017 · 4 revisions

Cloud Key Management System (Cloud KMS) backend

Set up

  1. Enable the Cloud KMS API in the cloud console for your project.
  2. Create the keyring and one encryption key per purpose, and grant the App Engine service account the encrypt/decrypt role on each key:

```sh
APPENGINE_SERVICE_ACCOUNT=""
if [ -z "$APPENGINE_SERVICE_ACCOUNT" ]; then
    echo "APPENGINE_SERVICE_ACCOUNT is empty. copy from pantheon console"
    exit 1
fi

# constants from cloud_kms.py
KEYRING_NAME="keyring2"
# keyring/key location (required by gcloud kms); "global" is assumed here and
# must match the location used in cloud_kms.py
KEY_LOCATION="global"

gcloud components update alpha beta -q
gcloud auth login -q

gcloud kms keyrings create "$KEYRING_NAME" --location "$KEY_LOCATION"

# one key per purpose; the service account only needs to encrypt and decrypt,
# so it gets the narrow cryptoKeyEncrypterDecrypter role rather than admin
for KEY_NAME in provisioning luks duplicity bitlocker filevault; do
  gcloud kms keys create "$KEY_NAME" \
    --keyring "$KEYRING_NAME" \
    --location "$KEY_LOCATION" \
    --purpose encryption

  gcloud kms keys add-iam-policy-binding "$KEY_NAME" \
    --keyring "$KEYRING_NAME" \
    --location "$KEY_LOCATION" \
    --member "serviceAccount:$APPENGINE_SERVICE_ACCOUNT" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
done
```

  3. Your App Engine service account has to be able to access the API.
  4. Change DEFAULT_CRYPTO_BACKEND to 'envelope_cloud_kms' in cauliflowervest/server/settings.py.
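To confirm the bindings from the set-up above came out as intended, here is an added check (not CauliflowerVest code) that inspects the JSON `gcloud kms keys get-iam-policy KEY --keyring KEYRING --location LOCATION --format json` returns for each key: the service account must hold exactly roles/cloudkms.cryptoKeyEncrypterDecrypter, nothing broader, and no key may be bound to a public principal. The service account name and the sample policies are constructed.

```python
EXPECTED_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
KEY_NAMES = ["provisioning", "luks", "duplicity", "bitlocker", "filevault"]
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def check_key_policy(key_name, policy, member):
    """Findings for one key's IAM policy dict; an empty list means it is as expected."""
    findings = []
    roles_for_member = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = set(binding.get("members", []))
        if members & PUBLIC_MEMBERS:
            findings.append("%s: %s is bound to a public principal" % (key_name, role))
        if member in members:
            roles_for_member.add(role)
    if EXPECTED_ROLE not in roles_for_member:
        findings.append("%s: %s lacks %s" % (key_name, member, EXPECTED_ROLE))
    for role in sorted(roles_for_member - {EXPECTED_ROLE}):
        findings.append("%s: %s also holds %s (more than needed)" % (key_name, member, role))
    return findings


def check_all(policies, member):
    """policies maps key name -> policy dict fetched with gcloud; missing keys are reported."""
    findings = []
    for key_name in KEY_NAMES:
        policy = policies.get(key_name)
        if policy is None:
            findings.append("%s: no policy fetched (key missing?)" % key_name)
            continue
        findings.extend(check_key_policy(key_name, policy, member))
    return findings


# constructed sample input mirroring `get-iam-policy --format json` output
SERVICE_ACCOUNT = "serviceAccount:app@example-project.iam.gserviceaccount.com"
GOOD = {"bindings": [{"role": EXPECTED_ROLE, "members": [SERVICE_ACCOUNT]}], "etag": "BwX"}
SAMPLE_POLICIES = {
    "provisioning": GOOD, "luks": GOOD, "duplicity": GOOD,
    # bitlocker: the account was also given admin, which the set-up never intended
    "bitlocker": {"bindings": [{"role": EXPECTED_ROLE, "members": [SERVICE_ACCOUNT]},
                               {"role": "roles/cloudkms.admin", "members": [SERVICE_ACCOUNT]}]},
    # filevault is absent: the key was never created
}

if __name__ == "__main__":
    for finding in check_all(SAMPLE_POLICIES, SERVICE_ACCOUNT):
        print(finding)
```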