Encrypting keysets with Google Cloud KMS or storing them in Google Secret Manager?


Jad Boutros

Jun 10, 2020, 3:14:54 PM
to tink-...@googlegroups.com
Hi Folks,

Starting to try out Tink/Tinkey for Java on Google App Engine. Thanks for developing this platform/library.

When Google Secret Manager came out, I converted to it from KMS as it met my needs for storage for secrets and had a much simpler interface (IMHO). You provide support for encrypting keysets in KMS but it means we still have to package the encrypted keyset in source code and deploy it with our application. I imagine it should be possible for us to instead store the (plaintext) keysets in Secret Manager and get it from there when the application starts. That way, we don't need to encrypt with KMS and also package with the application as well.

Unless I am misunderstanding something, since Tinkey provides key rotation support, you're not using the one that comes with Google Cloud KMS, so is there any good reason you think for integrating keysets with KMS as opposed to going the simpler route of putting them in Secret Manager directly in plaintext in JSON format?

Thanks,
Jad

--
Jad Boutros
Co-Founder, CEO
1.415.999.5299
San Francisco, CA
terratrue.com

⛷ Thai Duong

Jun 10, 2020, 10:17:40 PM
to Jad Boutros, tink-users
Hi Jad!

I recommend SM, as it's more aligned with our future plans for key management on GCP.

Don't quote me on this, but eventually I think SM will add support for CMEK. This means you'll get Cloud KMS integration for free.

I have a plan to add to Tink native support for SM. For example, I want to provide a SecretManagerKeysetHandle that loads and auto-refreshes keys from SM. This should be shipped in Tink 1.5.0.

Next, I think it'd be great if SM provides native support for Tink keysets. Users can tell SM "create a keyset from this key template and rotate it according to this schedule" and the rest will be handled by SM. We had some discussion about this, but there's still no concrete plan, so it may never happen. However, I want to bring this up to see if you think it's useful.

Cheers,
Thai.


--
You received this message because you are subscribed to the Google Groups "tink-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tink-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tink-users/CAMkz9zEkqi5ny-xkMGiXA9h-%2Bt_OtUL6tOg1t%2BmKYukmhF%3D_Wg%40mail.gmail.com.



Jad Boutros

Jun 11, 2020, 11:55:42 PM
to ⛷ Thai Duong, tink-users
On Wed, Jun 10, 2020 at 7:17 PM ⛷ Thai Duong <tha...@gmail.com> wrote:

> Hi Jad!
>
> I recommend SM, as it's more aligned with our future plans for key management on GCP.

Thai, thanks so much for the great feedback!

It was very helpful, we are now up and running using Tink with Secret Manager and it was pretty straightforward.

> Don't quote me on this, but eventually I think SM will add support for CMEK. This means you'll get Cloud KMS integration for free.

That'll be great. We haven't yet needed CMEK but we are already getting some questions on that from our own customers.

> I have a plan to add to Tink native support for SM. For example, I want to provide a SecretManagerKeysetHandle that loads and auto-refreshes keys from SM. This should be shipped in Tink 1.5.0.

Perfect.

> Next, I think it'd be great if SM provides native support for Tink keysets. Users can tell SM "create a keyset from this key template and rotate it according to this schedule" and the rest will be handled by SM. We had some discussion about this, but there's still no concrete plan, so it may never happen. However, I want to bring this up to see if you think it's useful.

Yes, it will be very useful, particularly for our short-lived encryption tokens. Right now I am uploading the corresponding keys to SM manually, which means I have to rotate them manually everywhere (fairly error-prone), so the automation will be an exciting win.

Thank you,
Jad

> Cheers,
> Thai.

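An added example, not code from this thread or from the Tink project, showing in Java the two ways of loading a Tink keyset that the thread weighs: a cleartext keyset read from Secret Manager (the route Jad took), and a variant that keeps the Cloud KMS layer by storing the KMS-wrapped keyset in Secret Manager rather than packaging it with the application. It assumes the Tink Java and google-cloud-secretmanager libraries on the classpath and Application Default Credentials; the project, secret and KMS key names (a gcp-kms:// URI) are placeholders.

```java
import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretVersionName;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.CleartextKeysetHandle;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

// Added example, not code from the thread or from Tink. Project, secret and KMS key names are placeholders.
public final class SecretManagerKeysets {
  // Read one secret version. "latest" resolves to the newest enabled version, so a new version
  // added after a Tinkey rotation is picked up on the next load without a redeploy.
  static String readSecret(String project, String secretId, String version) throws IOException {
    SecretVersionName name = SecretVersionName.of(project, secretId, version);
    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
      AccessSecretVersionResponse resp = client.accessSecretVersion(name);
      return resp.getPayload().getData().toStringUtf8();
    }
  }

  // Option 1 (what the thread settles on): cleartext keyset JSON in SM, protected only by SM's IAM
  // (secretmanager.versions.access) and its encryption at rest.
  static KeysetHandle loadCleartext(String project, String secretId)
      throws IOException, GeneralSecurityException {
    String json = readSecret(project, secretId, "latest");
    return CleartextKeysetHandle.read(JsonKeysetReader.withString(json));
  }

  // Option 2: the keyset in SM is itself wrapped by a Cloud KMS key, so a reader needs decrypt
  // permission on that key too. No encrypted keyset has to be packaged with the application.
  static KeysetHandle loadKmsWrapped(String project, String secretId, String kmsKeyUri)
      throws IOException, GeneralSecurityException {
    String json = readSecret(project, secretId, "latest");
    Aead kek = new GcpKmsClient().withDefaultCredentials().getAead(kmsKeyUri);
    return KeysetHandle.read(JsonKeysetReader.withString(json), kek);
  }

  public static void main(String[] args) throws Exception {
    AeadConfig.register();
    KeysetHandle handle = loadCleartext("my-project", "tink-aead-keyset"); // placeholders
    Aead aead = handle.getPrimitive(Aead.class);
    byte[] ct = aead.encrypt("hello".getBytes(StandardCharsets.UTF_8), new byte[0]);
    System.out.println(new String(aead.decrypt(ct, new byte[0]), StandardCharsets.UTF_8));
  }
}
```

Loading at startup means a keyset rotated in SM is only seen after a restart; the auto-refresh Thai describes would have to poll "latest" and rebuild the handle periodically.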
