GSP079 - Getting Started with Cloud KMS

Task 1. Create a Cloud Storage bucket

Buat bucket

BUCKET_NAME="qwiklabs-gcp-01-d8eabfb6ba7b-enron_corpus"

gsutil mb gs://${BUCKET_NAME}

Task 2. Check out the data

Cek Data

gsutil cp gs://enron_emails/allen-p/inbox/1. .

tail 1.

Task 3. Enable Cloud KMS

Enable

gcloud services enable cloudkms.googleapis.com

Task 4. Create a Keyring and Cryptokey

Set environment variable

KEYRING_NAME=test CRYPTOKEY_NAME=qwiklab

Buat keyring

gcloud kms keyrings create $KEYRING_NAME --location global

buat cryptokey

gcloud kms keys create $CRYPTOKEY_NAME --location global \
  --keyring $KEYRING_NAME \
  --purpose encryption

Task 5. Encrypt your data

Ubah email ke base64
```
PLAINTEXT=$(cat 1. | base64 -w0)
```

Encrypt

curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locations/global/keyRings/$KEYRING_NAME/cryptoKeys/$CRYPTOKEY_NAME:encrypt" \
    -d "{\"plaintext\":\"$PLAINTEXT\"}" \
    -H "Authorization:Bearer $(gcloud auth application-default print-access-token)"\
    -H "Content-Type: application/json"

Save and upload

curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locations/global/keyRings/$KEYRING_NAME/cryptoKeys/$CRYPTOKEY_NAME:encrypt" \
    -d "{\"plaintext\":\"$PLAINTEXT\"}" \
    -H "Authorization:Bearer $(gcloud auth application-default print-access-token)"\
    -H "Content-Type:application/json" \
    | jq .ciphertext -r > 1.encrypted

Decrypt

curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locations/global/keyRings/$KEYRING_NAME/cryptoKeys/$CRYPTOKEY_NAME:decrypt" \
    -d "{\"ciphertext\":\"$(cat 1.encrypted)\"}" \
    -H "Authorization:Bearer $(gcloud auth application-default print-access-token)"\
    -H "Content-Type:application/json" \
    | jq .plaintext -r | base64 -d

upload encrypted file

gsutil cp 1.encrypted gs://${BUCKET_NAME}

Task 6. Configure IAM permissions

lihat permission

USER_EMAIL=$(gcloud auth list --limit=1 2>/dev/null | grep '@' | awk '{print $2}')

Give permission

 gcloud kms keyrings add-iam-policy-binding $KEYRING_NAME \
     --location global \
     --member user:$USER_EMAIL \
     --role roles/cloudkms.admin

Assign encrypter/decrypter role

 gcloud kms keyrings add-iam-policy-binding $KEYRING_NAME \
     --location global \
     --member user:$USER_EMAIL \
     --role roles/cloudkms.cryptoKeyEncrypterDecrypter

Task 7. Back up data on the command line

Copy all email

gsutil -m cp -r gs://enron_emails/allen-p .

Encrypt all the file

MYDIR=allen-p
FILES=$(find $MYDIR -type f -not -name "*.encrypted")
for file in $FILES; do
PLAINTEXT=$(cat $file | base64 -w0)
curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locations/global/keyRings/$KEYRING_NAME/cryptoKeys/$CRYPTOKEY_NAME:encrypt" \
    -d "{\"plaintext\":\"$PLAINTEXT\"}" \
    -H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type:application/json" \
| jq .ciphertext -r > $file.encrypted
done
gsutil -m cp allen-p/inbox/*.encrypted gs://${BUCKET_NAME}/allen-p/inbox

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GSP079.md

GSP079.md

GSP079 - Getting Started with Cloud KMS

Task 1. Create a Cloud Storage bucket

Task 2. Check out the data

Task 3. Enable Cloud KMS

Task 4. Create a Keyring and Cryptokey

Task 5. Encrypt your data

Task 6. Configure IAM permissions

Task 7. Back up data on the command line

Task 8. View Cloud Audit logs

Task 9. Test your knowledge

Files

GSP079.md

Latest commit

History

GSP079.md

File metadata and controls

GSP079 - Getting Started with Cloud KMS

Task 1. Create a Cloud Storage bucket

Task 2. Check out the data

Task 3. Enable Cloud KMS

Task 4. Create a Keyring and Cryptokey

Task 5. Encrypt your data

Task 6. Configure IAM permissions

Task 7. Back up data on the command line

Task 8. View Cloud Audit logs

Task 9. Test your knowledge