 

Google cloud KMS: encryption works but decryption fails

I am trying to decrypt a token using the google KMS tool. Running it locally, for some reason, encryption seems to work but not decryption.

I am running the following code:

import base64
import googleapiclient.discovery

# Build the Cloud KMS client and navigate to the cryptoKeys resource
kms_client = googleapiclient.discovery.build('cloudkms', 'v1')
crypto_keys = kms_client.projects().locations().keyRings().cryptoKeys()
name = "projects/my-project/locations/my-loc/keyRings/my-kr/cryptoKeys/my-key"

# 'ciphertext' is expected to be the base64 string returned by a previous
# encrypt call; here base64 of the raw plaintext is sent instead (bytes
# literal so the same line also runs under Python 3)
request = crypto_keys.decrypt(name=name, body={'ciphertext': base64.b64encode(b"my text").decode('ascii')})
response = request.execute()

The last line returns a 400 error:

HttpError: <HttpError 400 when requesting https://cloudkms.g[...]ion:decrypt?alt=json 
returned "Decryption failed: verify that 'name' refers to the correct CryptoKey.">

The name, however, actually seems to be correct. Surprisingly enough, replacing the call to decrypt by encrypt, I obtain a valid output.

Am I missing an obvious mistake, or should I just open an issue on the project's GitHub?

EDIT: I was trying to decrypt plain text, which of course does not make much sense (but the error message misled me somewhat).

Pascal Delange asked Jan 09 '18 15:01





1 Answer

Make sure that the ciphertext you're trying to decrypt was encrypted using the same key. In case you used another key to encrypt, KMS tells you that it could not find the key while actually the key was found but couldn't be used to decrypt the cipher.

I think the error message is "a bit" misleading.

soupdiver answered Oct 14 '22 04:10

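Added example, not code from the question or the answer: the encrypt-then-decrypt round trip through the googleapiclient cryptoKeys() resource, beside the question's mistaken call, so the two failure cases (decrypting something that is not a ciphertext, and decrypting another key's ciphertext) can be seen to produce the same 400 text. FakeCryptoKeys, _Request and the helper names are constructed stand-ins that only model the API's base64 contract and its error message for offline use; a real kms_client.projects().locations().keyRings().cryptoKeys() object, which raises googleapiclient.errors.HttpError instead of RuntimeError, can be passed in their place.

```python
import base64

KEY_NAME = "projects/my-project/locations/my-loc/keyRings/my-kr/cryptoKeys/my-key"

def kms_encrypt(crypto_keys, key_name, plaintext):
    """Encrypt raw bytes; return the base64 ciphertext string the API hands back."""
    body = {"plaintext": base64.b64encode(plaintext).decode("ascii")}
    return crypto_keys.encrypt(name=key_name, body=body).execute()["ciphertext"]

def kms_decrypt(crypto_keys, key_name, ciphertext_b64):
    """Decrypt a ciphertext string exactly as the API returned it; return raw bytes."""
    # The API already returns base64: pass it through unchanged, never re-encode it.
    body = {"ciphertext": ciphertext_b64}
    response = crypto_keys.decrypt(name=key_name, body=body).execute()
    return base64.b64decode(response["plaintext"])

def decrypt_plaintext_by_mistake(crypto_keys, key_name, text):
    """The question's call (base64 of plaintext sent as 'ciphertext'): returns
    None if it unexpectedly succeeds, otherwise the API's error message."""
    try:
        kms_decrypt(crypto_keys, key_name, base64.b64encode(text).decode("ascii"))
        return None
    except RuntimeError as err:  # a real client raises googleapiclient.errors.HttpError
        return str(err)

class _Request:
    # Mimics the request object whose .execute() performs the API call.
    def __init__(self, result):
        self._result = result
    def execute(self):
        if isinstance(self._result, Exception):
            raise self._result
        return self._result

class FakeCryptoKeys:
    """Constructed offline stand-in (no real encryption): remembers which key
    issued each opaque token and rejects anything else with the API's 400 text."""
    ERROR = "Decryption failed: verify that 'name' refers to the correct CryptoKey."
    def __init__(self):
        self._issued = {}  # base64 token -> (key name, plaintext bytes)
    def encrypt(self, name, body):
        token = base64.b64encode(b"token-%d" % len(self._issued)).decode("ascii")
        self._issued[token] = (name, base64.b64decode(body["plaintext"]))
        return _Request({"ciphertext": token})
    def decrypt(self, name, body):
        issued = self._issued.get(body["ciphertext"])
        if issued is None or issued[0] != name:  # not a ciphertext, or another key's
            return _Request(RuntimeError("HttpError 400: " + self.ERROR))
        return _Request({"plaintext": base64.b64encode(issued[1]).decode("ascii")})
```

With a real client, the only change is catching googleapiclient.errors.HttpError and checking its status is 400 before treating the failure as a key or ciphertext mismatch.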