Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What are the difference between the KMS and secret manager in GCP?

I am wondering if you please help me out with the following question. What are the differences between the KMS and the secret manager in GCP? Thank you in advance. https://cloud.google.com/secret-manager/docs/ HB

like image 718
H.Bustam Avatar asked Jan 04 '20 05:01

H.Bustam


People also ask

What is the difference between KMS and secrets Manager?

AWS KMS returns a plaintext data key and a copy of that data key encrypted under the KMS key. Secrets Manager uses the plaintext data key and the Advanced Encryption Standard (AES) algorithm to encrypt the secret value outside of AWS KMS. It removes the plaintext key from memory as soon as possible after using it.

What is secret Manager in GCP?

Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

What is KMS GCP?

Cloud KMS is a REST API that can use a key to encrypt, decrypt, or sign data such as secrets for storage. High global availability. Cloud KMS is available in several global locations and across multi-regions, allowing you to place your service where you want for low latency and high availability.

How does a secrets Manager work?

Secrets Manager uses the plaintext data key to encrypt the secret in memory. AWS Secrets Manager stores and maintains the encrypted secret and encrypted data key. When a secret is retrieved, Secrets Manager decrypts the data key (using the AWS KMS default keys) and uses the plaintext data key to decrypt the secret.


2 Answers

Cloud KMS is designed as a cryptographic oracle system: nobody, including yourself, can get the keys out: this means they're locked inside the system and you don't have to worry in practice about them leaking. The tradeoff is that the only thing you can do with those keys is encrypt, decrypt, and other cryptographic operations: useful for protecting data, or even for encrypting secrets, but if you have a database password or something else which you want to keep secret, but then actually be able to use or send elsewhere, you have to store the encrypted version, then use Cloud KMS to decrypt it.

When you do have configuration info like a database password, where your software actually needs the secret, not cryptographic operations, then Secret Manager is designed for that use case. The tradeoff is that if you get a copy of the secret out, it's harder to keep it from leaking and be certain it's controlled.

Thanks for using GCP!

like image 148
Tim Dierks Avatar answered Sep 20 '22 13:09

Tim Dierks


Cloud KMS encrypts data and returns the encrypted ciphertext. Cloud KMS does not store the secret, only the keys to encrypt/decrypt.

Secret Manager actually stores the secret material. Secret Manager also keeps a history (versions) of secret material. All data in Secret Manager is encrypted. By default, it is encrypted with a Google-managed key. You can actually use Cloud KMS to encrypt Secret Manager secrets (this is called "CMEK"), in which case the user controls the keys.

like image 25
sethvargo Avatar answered Sep 20 '22 13:09

sethvargo