Protect Secrets Manager connection details with Google Cloud Key Management
Keeper Secrets Manager integrates with Google Cloud Key Management in order to provide encryption for Keeper Secrets Manager configuration files. With this integration, you can protect connection details on your machine while taking advantage of Keeper's zero-knowledge encryption of all your secret credentials.
Features
Encrypt and Decrypt your Keeper Secrets Manager configuration files with Google Cloud Key Management.
Protect against unauthorized access to your Secrets Manager connections.
Requires only minor changes to code for immediate protection. Works with all Keeper Secrets Manager SDK functionality.
Prerequisites
To configure, Google Cloud Key Management with Keeeper Security you need service account keys ended with .json .
Key structure that is supported by this integration is `projects/<project_name>/locations/<location_name>/keyRings/<key_ring_name>/cryptoKeys/<key_name>/cryptoKeyVersions/<key_version>`
Support the Java/Kotlin Secrets Manager SDK.
Required GCP package google-cloud-kms
Google Cloud Key Management needs ENCRYPT and DECRYPT permissions.
Requires the @google-cloud/kmspackage from GCP SDK.
GCP CKM Key needs ENCRYPT and DECRYPT permissions.
The Secrets Manager oracle KSM module Integration can be installed using
go get github.com/keeper-security/secrets-manager-go/integrations/gcp
2. Configure Google CKM Connection
To enable secure authentication with Google Cloud Platform (GCP), generate a Service Account key in JSON format. This credential file will serve as the authentication mechanism for interacting with GCP services programmatically.
See the Google documentation for more information on generating keys:
Once GCP connection has been configured, You can fetch the Key to encrypt / decrypt KSM configuration using integration and you need to tell the Secrets Manager SDK to utilize the KMS as storage.
Using GCP Key Vault Integration
Once setup, the Secrets Manager GCP Key Vault integration supports all Secrets Manager SDK functionality. Your code will need to be able to access the GCP CKM Keys in order to manage the encryption and decryption of the KSM configuration file.
Using Specified Connection credentials
To do this, create GcpKeyValueStorage instance and use this in SecretManagerOptions constructor.
The GcpKeyValueStorage will require the name of the Secrets Manager configuration file , gcp credential file and key details of Cloud Key Management.
To do this, use GCPKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an keyConfig , gcpsessionConfig(generated by GCPKSMClient) , and the name of the Secrets Manager configuration file which will be encrypted by GCP Cloud Key Management.
To do this, use GCPKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require gcp_key_config (generated by GCPConfig ), gcp_session_config object (generated by GCPKMSClientConfig ) and the name of the Secrets Manager configuration file which will be encrypted by GCP Cloud Key Management.
To do this, use GCPKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an keyConfig (generated by GCPKeyConfig ), gcpSessionConfig object (generated by GCPKMSClient ), and the name of the Secrets Manager configuration file which will be encrypted by GCP Cloud Key Management.
using System;
using System.Linq;
using System.Threading.Tasks;
using SecretsManager;
using GCPKeyManagement;
using Microsoft.Extensions.Logging;
public class Program {
private static async Task getOneIndividualSecret() {
Console.WriteLine("execution started");
string key1ResourceName = "<KEY1ResourceURL>";
string key2ResourceName = "<Key2ResourceURL>";
string gcpConfigFilePath = "<GCP config file path with name>";
var keyConfig = new GCPKeyConfig(key1ResourceName);
var gcpSessionConfig = new GCPKMSClient().CreateClientFromCredentialsFile(gcpConfigFilePath);
var ksmConfigPath = "ksm_config.json";
var dotnet_access_token = "[One_Time_Token]";
var loggerFactory = LoggerFactory.Create(builder => {
builder.SetMinimumLevel(LogLevel.Debug);
builder.AddConsole();
});
var logger = loggerFactory.CreateLogger < GCPKeyValueStorage > ();
var gcp_storage = new GCPKeyValueStorage(keyConfig, gcpSessionConfig, ksmConfigPath, logger);
SecretsManagerClient.InitializeStorage(gcp_storage, dotnet_access_token);
}
static async Task Main() {
await getOneIndividualSecret();
}
}
To do this, use NewGCPKeyVaultStorage as your Secrets Manager storage in the NewSecretsManager
The NewGCPKeyVaultStorage requires the following parameters to encrypt the KSM configuration using GCP Cloud Key Management:
ksmConfigFileName : The file name of KSM configuration.
keyResourceName : ProvidekeyResourceName of Google Cloud Key Management
credentialFileWithPath : Provide file path with name of GCP credential file.
package main
import (
"encoding/json"
"fmt"
"github.com/keeper-security/secrets-manager-go/core"
gcpkv "github.com/keeper-security/secrets-manager-go/integrations/gcp"
)
func main() {
credentialFileWithPath := "<Location of credential file ending with .json>"
keyResourceName := "<Key_Resource_Name>"
ksmConfigFileName := "ksmConfig.json"
oneTimeToken := "<One_Time_Access_Token>"
cfg := gcpkv.NewGCPKeyVaultStorage(ksmConfigFileName, keyResourceName, credentialFileWithPath)
client_options := &core.ClientOptions{
Token: oneTimeToken,
Config: cfg,
}
fmt.Printf("Client ID Value: %s", cfg.Get(core.KEY_CLIENT_ID))
secrets_manager := core.NewSecretsManager(client_options)
secrets, err := secrets_manager.GetSecrets([]string{})
if err != nil {
// do something
fmt.Printf("Error while fetching secrets: %v\n", err)
}
for _, record := range secrets {
fmt.Printf("Records: %v\n", record)
}
}
Additional Options
Change Key
We can change key that is used for encrypting the KSM configuration, examples below show the code needed to use it
//The method changeKey(keyID) will be used to encrypt the KSM config file with new Key and version.
GcpKeyValueStorage storage = new GcpKeyValueStorage(configFileLocation, sessionConfig);
String newKeyID = "<new Key ID>";
boolean isChanged = storage.changeKey(keyId);
System.out.println("Key Changed: "+isChanged); // Change the key for encryption/decryption
// To change the GCP CKM key used for encryption, you can call the `changeKey` method on the `OciKeyValueStorage` instance.
const storage = await new GCPKeyValueStorage(configPath,keyConfig,gcpSessionConfig).init();
await storage.changeKey(keyConfig2);
// To change the Google CKM key used for encryption, you can call the `ChangeKeyAsync` method on the `GCPKeyValueStorage` instance.
// using Microsoft.Extensions.Logging;
var gcp_storage = new GCPKeyValueStorage(keyConfig2, gcpSessionConfig, path,logger);
bool isChanged = gcp_storage.ChangeKeyAsync(keyConfig1).Wait();
Console.WriteLine(isChanged)
// If you want to change the key not gcpp config, then pass nil in place of oracle config.
cfg := gcpkv.NewGCPKeyVaultStorage(ksmConfigFileName, keyResourceName, credentialFileWithPath)
updatedResourceName := "<Updated Key Resource Name>"
isChanged, err := cfg.ChangeKey(updatedResourceName, "")
if err != nil {
// do something
}
fmt.Printf("Key changed: %v\n", isChanged)
Decrypt Config
We can decrypt the config if current implementation is to be migrated onto a different cloud or if you want your raw credentials back. The function accepts a boolean which when set to true will save the decrypted configuration to file and if it is false, will just return decrypted configuration.
GcpKeyValueStorage storage = new GcpKeyValueStorage(configFileLocation, sessionConfig);
storage.decryptConfig(false); // Set false as a parameter to extract only plaintext.
//OR
storage.decryptConfig(true); // Set true as a parameter to extract plaintext and save config as a plaintext.
const storage = await new GCPKeyValueStorage(configPath,keyConfig,gcpSessionConfig).init();
await storage.decryptConfig(true); // Set true as a parameter to extract plaintext and save config as a plaintext.
// OR
await storage.decryptConfig(false); // Set false as a parameter to extract only plaintext.
storage = GCPKeyValueStorage(config_path, gcp_key_config_2, gcp_session_config)ig_file_location=config_path, oci_session_config=oci_session_config,logger=None)
plaintext = storage.decrypt_config(False) # Set false as a parameter to extract only plaintext.
print(plaintext)
# OR
plaintext = storage.decrypt_config(True) # Set true as a parameter to extract plaintext and save config as a plaintext.
print(plaintext)
# To decrypt the config file and save it again in plaintext, you can call the `DecryptConfigAsync` method on the `OracleKeyValueStorage` instance.
var gcp_storage = new GCPKeyValueStorage(keyConfig2, gcpSessionConfig, path,logger);
var conf = await gcp_storage.DecryptConfigAsync(false); # Set false as a parameter to extract only plaintext.
Console.WriteLine(conf);
# OR
var conf = await gcp_storage.DecryptConfigAsync(true); # Set true as a parameter to extract plaintext and save config as a plaintext.
Console.WriteLine(conf);
cfg := gcpkv.NewGCPKeyVaultStorage(ksmConfigFileName, keyResourceName, credentialFileWithPath)
plainText, err := cfg.DecryptConfig(false)
if err != nil {
// do something
fmt.Printf("Error while decrypting config: %v", err)
}
plainText, err := cfg.DecryptConfig(true) // Set true as a parameter to extract plaintext and save config as a plaintext.
if err != nil {
// do something
fmt.Printf("Error while decrypting config: %v", err)
}