Use Cloud KMS To Encrypt Passphrase Part 1

Dev Thakkar
Nov 19, 2021

Scenario: A user requires the application to encrypt the “passphrase” before it is stored in the database

Tech stack: Firestore, Cloud KMS, Cloud Run, Cloud Code, Flask, Python, Visual Studio Code (VS Code)

Requirements:

(1) Create an API service to (a) retrieve all user profiles, (b) retrieve a user profile by Id, and (c) add a user profile

(2) Encrypt the “passphrase” attribute using Cloud KMS (Key Management Service) before saving it to the Firestore document database

(3) Develop and test locally using VS Code, then deploy to Google Cloud using Cloud Code and Cloud Run

Outcome:

Encrypted passphrase stored in Firestore

Step 1: Prerequisites

Step 2: Create new GCP Project and enable API for Firestore database

  • Project Name — KMSTESTPROJ; Project ID — kmstestproj. Click Create after providing the project name and project ID.
  • From the Navigation Menu select “Firestore”: (1) select Native Mode; (2) on the next page select a location from the dropdown, e.g. “us-east1”, and click Create Database.

Step 4: Create Cloud KMS Credentials

Step 5: Setup local development environment

  • Install the Cloud SDK on your local machine (skip if already installed)
  • Create a new folder “kmstest” and open the folder in VS Code
  • In a new terminal, run “gcloud init” and, when prompted, select the Google email, region and project
  • Authorize access by running “gcloud auth login”

Let's code => Continue to Part 2
