Google Associate Cloud Engineer – Encryption in Google Cloud with Cloud KMS
- Step 00 – Understanding Data States
Welcome back. Welcome to this new section on encryption. In the last few sections, we played around with a number of Compute services, and before we go into storage and databases, we need to understand encryption. Whenever we’re moving data to the cloud, we want it to be secure, and one of the options is to encrypt the data. Let’s understand encryption and the service offered by GCP for encrypting your data. In this specific step, let’s get started with understanding the different data states. Let’s consider an example. You have a hard disk. You might have multiple hard disks, and you have a Compute Engine instance which is writing data to those hard disks.
What are the different states data can be in? The first is data at rest. This is data stored on a device or in a backup. So while the data is on a hard disk, it is at rest. Examples are data on a hard disk, data inside a database, data inside a database backup, or a database archive. The other state in which data can be is data in motion. So let’s say I am writing some data from my Compute Engine instance to a disk. Then that data is being transferred across the network. This is also called data in transit. Examples are data copied from on-premises storage to Cloud Storage: you’re copying something from on-premises to the cloud, and that data is in motion right now. Another example is an application talking to a database.
Data flows from the application to the database and from the database to the application. So that’s an example of data in motion. Whenever we talk about data in motion, there are two types. One is in and out of the cloud. So you’re sending data from the cloud to the Internet and from the Internet back to the cloud. The other type is data within the cloud. So you might have multiple devices which are inside the cloud, and these devices are talking to each other. Now, why do you need to differentiate between these two types? Why do you need to understand them? The reason it is very important is that within the cloud, you can control everything.
So security for that data might not be as important as it is when you are sending data in and out of the cloud. So you can have security at a lower level compared to data going in and out of the cloud from the Internet. When all your data is going over the Internet, then you should be really, really secure. That’s the reason why we distinguish between these two types. Another state of data is data in use: active data processed in a non-persistent state. Let’s say you have some data in your RAM. That’s non-persistent, but that’s active data, so that’s data in use. In this quick step, we got started with the different data states: data at rest, data in motion, and data in use. Let’s see more about encrypting this data in the next steps.
- Step 01 – Understanding Encryption – Symmetric and Asymmetric
Welcome back. In this step, let’s talk about encryption. If you store the data as is, what would happen if an unauthorized entity gets access to the data? Imagine losing an unencrypted hard disk. So the first law of security always is defense in depth. And that’s the reason why we go in and encrypt all the data. The data on the hard disk is encrypted. The data in your databases is encrypted. Data on your file servers is encrypted. But is it sufficient if we just encrypt data at rest? The answer is no. You need to also encrypt data in transit. You also need to encrypt data from the application to the database.
If the application is on a separate network and the database is on a separate network, somebody might be listening on the communication channel and they might intercept the data. And you don’t want that to happen. And that’s the reason why you need to encrypt data even in transit. Now, how can you encrypt data? There are two approaches for encrypting data. The first one is symmetric key encryption. Symmetric key encryption algorithms use the same key for encryption and decryption. So you have plain text, which is the actual data, and you want to encrypt it. On the slide, the one with the key on it is the encrypted data. When you’re using symmetric key encryption, you’d use the same key for encryption and decryption. So when I’m converting plain text into encrypted text, I use the same key.
And when I’m converting the encrypted text back to plain text, again, I’ll use the same key. So whenever we talk about symmetric key encryption, the key factor is choosing the right encryption algorithm. Make sure that you use a strong encryption algorithm. The second factor, which is very, very important, is how do you secure the encryption key? If somebody is able to get the encrypted data and the encryption key, they’ll be able to recover the plain text. The third factor is how do we share the encryption key? Both the system which is encrypting the data and the system which is decrypting the data need the data encryption key. How do you ensure that the encryption key is securely shared? Typically, sharing an encryption key securely is a tricky thing, and that’s where we go into something called asymmetric key encryption.
How about using one key for encryption and a different key for decryption? In asymmetric key encryption, you have two keys: a public key and a private key. And that’s why this is also called public key cryptography. You would encrypt the data with the public key and decrypt the data with the private key. You can share your public key with everybody. So this public key which you have, you can actually share it with everybody. However, ensure that your private key is only with you. Now, you might be wondering, will somebody not figure out the private key using the public key? The answer to that is that the private key and public key are indeed related, and given a sufficient amount of time, you will be able to calculate the private key from a public key.
However, if you are using some of the popular public key cryptography algorithms like RSA, for example, with sufficient strength, finding out the private key from a public key might take a few years. So until now, we talked about the fact that there are two types of encryption: symmetric key encryption and asymmetric key encryption. In symmetric key encryption, we use the same key to encrypt and decrypt, and in asymmetric key encryption, we use different keys, a public key and a private key. Now, the question is how do you create these keys? Whether it’s symmetric or asymmetric keys, how do you create them? That’s what we will be looking at in the next step.
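As an added example (not part of the course or its materials, and not Cloud KMS code), here is the reasoning of this step worked through in Go with only the standard library: AES-256-GCM is the symmetric algorithm, where one key both encrypts and decrypts, and RSA-OAEP (the RSA mentioned above) solves the key-sharing problem by encrypting that symmetric key under the receiver’s public key, so the private key never has to travel. The function names (`symmetricEncrypt`, `wrapKey`, `roundTrip` and so on), the generated receiver key pair and the sample message are my own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newDataKey returns a random 256-bit AES key: the symmetric "data encryption key".
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// newGCM builds AES-256-GCM, a strong authenticated symmetric algorithm.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symmetricEncrypt: the same key will be needed to decrypt. A fresh random nonce
// is generated per message and prepended to the ciphertext.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt needs exactly the key used to encrypt. With a wrong key or a
// tampered ciphertext, GCM's tag check fails and an error is returned, not garbage.
func symmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// wrapKey is the asymmetric part that solves key sharing: the data key is encrypted
// under the receiver's PUBLIC key (RSA-OAEP); only the matching private key unwraps it.
func wrapKey(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
}

// unwrapKey runs on the receiver, whose PRIVATE key never leaves it.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// roundTrip plays both parties: the sender encrypts the bulk data symmetrically and
// ships (ciphertext, wrapped key); the receiver unwraps the key and decrypts.
func roundTrip(receiver *rsa.PrivateKey, plaintext []byte) ([]byte, error) {
	dataKey, err := newDataKey()
	if err != nil {
		return nil, err
	}
	ciphertext, err := symmetricEncrypt(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapKey(&receiver.PublicKey, dataKey) // sender needs only the public key
	if err != nil {
		return nil, err
	}
	// --- network boundary: only ciphertext and wrapped cross it ---
	recovered, err := unwrapKey(receiver, wrapped)
	if err != nil {
		return nil, err
	}
	return symmetricDecrypt(recovered, ciphertext)
}

func main() {
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)         // receiver's key pair, generated for the demo
	msg := []byte("constructed sample: customer record #42") // constructed input
	out, err := roundTrip(receiver, msg)
	fmt.Printf("recovered=%q err=%v\n", out, err)
}
```

Two things worth noticing when you run it: decrypting the GCM ciphertext with any other 32-byte key returns an error rather than scrambled output, which is why an authenticated algorithm is the "strong algorithm" choice, and the sender only ever touches the receiver’s public key. This wrap-the-data-key-with-a-stronger-key pattern is the same shape as envelope encryption, where a key management service such as the Cloud KMS introduced in the next steps holds the wrapping key instead of an in-process RSA pair.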
- Step 02 – Getting Started with Cloud KMS
Welcome back. In this step, let’s look at Cloud KMS. Cloud KMS is the service in Google Cloud to create and manage cryptographic keys. You can create symmetric and asymmetric keys using Cloud KMS. KMS stands for Key Management Service. You can not only create and manage cryptographic keys, but also control their use in your applications and GCP services. For example, if you would want to encrypt data which is present on a disk, or you want to encrypt data which is present in Cloud Storage, or you’d want to encrypt data in a database, you can configure KMS to allow the use of the key in specific applications and specific GCP services. KMS also provides an API to encrypt, decrypt and sign data. KMS also allows you to use cryptographic keys which are created on premises.
So you can create cryptographic keys inside Google Cloud, or you can actually create cryptographic keys on premises and use them as part of your KMS. KMS also integrates with almost all the GCP services that need data encryption. There are three typical options. Number one is a Google-managed key. The key is entirely managed by Google, and when you are using a Google-managed key, you don’t really need any configuration. The other option is a customer-managed key. This is where you manage your keys in KMS. You go to KMS, you create a cryptographic key and you manage it in there. The third option is a customer-supplied key. This is where you actually use a cryptographic key that is created on premises.
You have a cryptographic key which is created on premises and you use it to encrypt your data. So a Google-managed key is when you don’t really want to worry about the keys at all. Google will automatically manage it for you. A customer-managed key is when you want to create a key in KMS and use it. A customer-supplied key is when you want to bring a key from outside, let’s say from your on-premises environment, and you’d want to use it as part of your KMS. The idea behind this step is to give a quick introduction to Cloud KMS. Cloud KMS is used to manage your cryptographic keys and manage the encryption and decryption processes. I’m sure you’re having a wonderful time and I’ll see you in the next step.
- Step 03 – Playing with Cloud KMS
Welcome back. In this demo, let’s quickly look at KMS, or the Key Management Service. So if you type in KMS, you would go for Cryptographic Keys. So that’s what we need to click. Once you click Cryptographic Keys, it would take us to the KMS service. And as usual, before we make use of any service, we need to enable the APIs for it. And that’s what we’d be doing right now. So we want to start with enabling the Cloud Key Management Service API. Cloud KMS extends customer control over encryption keys. Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys. So let’s wait for the KMS API to be enabled. It’s enabled, and you are taken to the place where we can manage our cryptographic keys.
So Cloud Key Management Service lets you create, use, rotate and manage cryptographic keys for cryptographic operations. When you are actually starting with creating cryptographic keys, what you need to first do is to create a key ring. This key ring is very, very similar to a key holder that we make use of. To a key holder, you can attach multiple keys. Similar to that, you create a key ring and then you can attach multiple keys to it. So let’s go ahead and create a key ring. So I’ll call this my first key ring, and I’ll say I want a global one. You can either create a regional one or a global one. Let’s go ahead and say I would want a global one and say Create. So the key ring is now created. So we can go ahead and create a key. Whenever we are creating a key, we have multiple options.
Either you can generate a key right here, where KMS would create an encryption key for you, or you can actually import a key which is created externally into KMS. The other option is to actually integrate KMS with an external key manager. Externally managed keys are not available for global keys. However, if we had created a specific regional key ring, we could have used externally managed keys. And when we are generating a key, you can give the key a name: my first key, for example. Over here is where you can actually choose between two different protection levels. Do you want software protection or hardware protection? A number of enterprises have regulatory needs where they have to use a hardware security module.
In those kinds of situations, you’d go for an HSM. Otherwise you can go for the software protection level. The next thing you would configure is the purpose. Do you want to do symmetric encryption, that’s basically symmetric encrypt and decrypt, or do you want to actually do signing? Do you want to create a digital signature, or do you want to do decryption or encryption using asymmetric keys? What do you want to generate? Do you want to generate symmetric keys, or do you want to generate asymmetric keys for signing or for encryption and decryption? Let’s say I would go for symmetric encrypt/decrypt. I can go ahead and say Create. So this would create a KMS key for us. And once we create a KMS key, we can use that for encryption.
Where can we use that for encryption? Let’s say I’m creating a new instance. So let’s go to VM instances and let’s say I’m going to create a new VM instance. And when we are creating a VM instance, you can actually choose what kind of encryption you would want. If you go to Management, Security, Disks, Networking, Sole Tenancy and you go to Disks, this is where you can actually configure the encryption that you’d want to make use of. The default is Google-managed key. By default, you don’t really need to worry about configuring a key. But if you’d want to actually manage the key in KMS, you can do that as well. You can say I would want to go for a customer-managed key and you can select an encryption key. When you go and select an encryption key, you can pick the key that we created earlier.
So we created a key earlier. Now I can start making use of that key. When I selected the key, I get a warning. It’s saying the service account does not have permissions to encrypt/decrypt with the selected key. Whenever we are running a VM instance and the VM instance needs to access any resources, for example keys, or it needs to access a database, it needs permissions. The permissions are assigned to a VM instance using something called a service account. And what it’s saying in here is that the service account of the VM instance does not have access to encrypt or decrypt with the selected key. If you want to make use of this key, what we can do is to grant the permission.
So you can go ahead and click Grant, and this would give the service account permission to use the selected key for encryption and decryption. In this step, we saw how we can actually create a KMS key, and we saw how we can use it to encrypt data on a disk that is attached to the VM instance. I’m sure you’re having a wonderful time and I’ll see you in the next step.