
GCP Cloud KMS - custom key, disaster recovery possible?

We are currently getting our heads around GCP Cloud KMS and how to cater for disaster recovery. This is our current test setup:

Java using Spring Boot + Google Tink using KMSEnvelopeAead + AesGcmJce (i.e. a DEK generated by Tink that is encrypted via KMS (KEK) and stored alongside the ciphertext), symmetric.

  1. Project "A" (the initial project before disaster recovery)

     -> KMS -> keyring "keyringABC" -> key "keyABC" -> imported custom key via import job. I can successfully encrypt/decrypt some text - all fine, all good.

     Resource: projects/A/locations/eur3/keyRings/keyringABC/cryptoKeys/keyABC/cryptoKeyVersions/1

  2. Project "B" (the disaster recovery project) or the same project "A" with a new key + keyring (names would be different)

     -> KMS -> keyring "keyringABC" -> key "keyABC" -> imported custom key via import job

     I reimport the custom key material that I had already imported into project "A" before and that was used to encrypt the data in project "A". The newly created key mimics the same structure as in project "A". The only difference is that it resides in project "B".

     Resource: projects/B/locations/eur3/keyRings/keyringABC/cryptoKeys/keyABC/cryptoKeyVersions/1

Now, when I try to decrypt the data that was encrypted in project "A" with the newly created key from project "B", it does not work. Looking into the Cloud Logging logs I can see the following error message:

Decryption failed: verify that 'name' refers to the correct CryptoKey.

My assumption (from reading the docs) is that the ciphertext, in this case the DEK generated by Tink and encrypted via Cloud KMS, also contains the exact resource identifier pointing to the key of project "A", and hence the encrypted DEK can't be decrypted anymore when using the newly created key in project "B". This would mean that there is no way to recover data in another project even if the underlying (imported) custom key material is the same.

Can anybody shed some light on this? Any help appreciated.

Cheers, Marcel

PS: from the Google KMS docs:

When data is encrypted using a symmetric Cloud KMS or Cloud HSM key, extra metadata about the encryption key version is saved, encrypted, along with the encrypted data. This metadata is not present in data encrypted outside of Cloud KMS.

and

Symmetric keys will always have a primary version. This version is used for encrypting by default. When Cloud KMS performs decryption using symmetric keys, it automatically identifies which key version is needed to perform the decryption.

Yes, it has to be the exact same key with the exact same resource ID, including the project ID. The ciphertext for decryption should be exactly as returned from the encrypt call. So, you need to make sure it matches the project in which you created the KMS key. When you try to decrypt the data with the newly created key from project-B that was encrypted in project-A, it fails.

In your use-case the ciphertext you're trying to decrypt was encrypted using a different key. You should use the same key for both encryption and decryption, else KMS tells you that it could not find the key while actually the key was found.
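As an added illustration (not code from the question, from Tink or from Google), a Go simulation of the envelope scheme described above, in which a stand-in KMS binds each wrapped DEK to the CryptoKeyVersion resource name it was called with. The `kms` map, the use of the resource name as AAD and the `Envelope` type are assumptions made for the simulation; the real Cloud KMS ciphertext format is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed stand-in for Cloud KMS: CryptoKeyVersion resource name -> imported material.
// Binding that name as AAD models the docs' "encrypted metadata about the key version"; it is not the real format.
var kms = map[string][]byte{}

type Envelope struct{ WrappedDEK, Ciphertext []byte } // what Tink's KMSEnvelopeAead stores side by side

func seal(key, pt, aad []byte) []byte { // returns nonce || AES-GCM(key, pt, aad)
	block, _ := aes.NewCipher(key) // callers only pass valid AES keys
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, aad)
}

func open(key, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a nil key (unknown resource name) fails here
	if err != nil || len(ct) < 12 {
		return nil, errors.New("bad key or ciphertext too short")
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, ct[:12], ct[12:], aad)
}

func EnvelopeEncrypt(kek string, pt, aad []byte) (Envelope, error) { // fresh DEK, wrapped by the KEK named kek
	material, ok := kms[kek]
	if !ok {
		return Envelope{}, errors.New("CryptoKey not found")
	}
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{seal(material, dek, []byte(kek)), seal(dek, pt, aad)}, nil
}

// EnvelopeDecrypt: the KEK named kek unwraps the DEK, so the same material under another name is rejected.
func EnvelopeDecrypt(kek string, env Envelope, aad []byte) ([]byte, error) {
	dek, err := open(kms[kek], env.WrappedDEK, []byte(kek))
	if err != nil {
		return nil, errors.New("Decryption failed: verify that 'name' refers to the correct CryptoKey.")
	}
	return open(dek, env.Ciphertext, aad)
}
```

Decrypting with the original resource name succeeds, while the same material registered under the projects/B/... name produces the error message quoted in the question.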


