
We have RSA key pairs generated on-prem and plan to sync them to GCP KMS. There is a yearly key rotation policy which would be done on-prem, and new key_versions would be synced to KMS. My concern is with the KMS API.

Problem: The API always asks for the 'key_version' as an argument to encrypt/decrypt a file.

Desired behaviour: During decryption, is it not possible that KMS sees the certificate thumbprint and returns the appropriate key version to decrypt a given encrypted file? e.g. a DEK wrapped with the RSA_public, when supplied to KMS, gets decrypted by the RSA_Private (or KEK) of the correct version.

If yes, is there any documentation that elaborates on this use case?

1 Answer


According to the documentation, you can achieve that with symmetric signature (no key version specified), but you can't with asymmetricDecrypt (the key version is required in the URL path of the API).

guillaume blaquiere
  • Yes, exactly. We have encrypted data which consists of an enveloped RSA key and a symmetric AES key inside the envelope for the rest of the encrypted data. Besides this, the encrypted data also has certificates that are used to find the correct private key to decrypt the RSA-encrypted envelope. Our on-prem KMS has the functionality of mapping these thumbprints to the correct private key. I am surprised that Google Cloud KMS does not provide this. – Abhinav Mishra Oct 07 '21 at 07:34
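The practical consequence of the answer is that the thumbprint-to-version lookup the on-prem KMS did has to move into the application: Cloud KMS resolves the version on its own only for symmetric `decrypt` (the ciphertext carries the version), whereas `asymmetricDecrypt` is addressed to a specific `cryptoKeyVersions/N` resource. The following is an added example, not code from the question, the answer or Google's libraries. It keeps a registry of certificate thumbprints populated whenever a rotated on-prem key pair is imported as a new version, builds the version resource name from it, and injects the decrypt call so the flow runs offline. The project, location, key ring and key names are placeholders, the "certificates" are constructed byte strings standing in for DER-encoded X.509 certificates, and `fake_asymmetric_decrypt` is a stand-in for KMS that only checks the version tag; `kms_asymmetric_decrypt` is the adapter over the real `google-cloud-kms` client.

```python
import hashlib
from typing import Callable, Dict

# Added example, not code from the original post. Names and certificates below
# are placeholders/constructed data.


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class KeyVersionRegistry:
    """Maps certificate thumbprints to Cloud KMS CryptoKeyVersion resource names.

    asymmetricDecrypt needs the version in the resource name, so the
    application keeps this map itself and adds an entry each time a rotated
    on-prem key pair is synced to KMS as a new version.
    """

    def __init__(self, project: str, location: str, key_ring: str, crypto_key: str):
        self.key_name = (
            f"projects/{project}/locations/{location}/keyRings/{key_ring}"
            f"/cryptoKeys/{crypto_key}"
        )
        self._versions: Dict[str, int] = {}

    def register(self, cert_der: bytes, version: int) -> str:
        """Record that the public key in cert_der lives in cryptoKeyVersions/<version>."""
        tp = cert_thumbprint(cert_der)
        existing = self._versions.get(tp)
        if existing is not None and existing != version:
            raise ValueError(f"thumbprint {tp} already mapped to version {existing}")
        self._versions[tp] = version
        return tp

    def version_name(self, cert_der: bytes) -> str:
        """Resource name of the version able to unwrap a DEK wrapped under cert_der."""
        tp = cert_thumbprint(cert_der)
        if tp not in self._versions:
            raise LookupError(f"no KMS key version registered for thumbprint {tp}")
        return f"{self.key_name}/cryptoKeyVersions/{self._versions[tp]}"


def unwrap_dek(
    registry: KeyVersionRegistry,
    cert_der: bytes,
    wrapped_dek: bytes,
    asymmetric_decrypt: Callable[[str, bytes], bytes],
) -> bytes:
    """Pick the version from the envelope's certificate, then unwrap the DEK.

    asymmetric_decrypt(name, ciphertext) -> plaintext is injected so this runs
    offline; pass kms_asymmetric_decrypt to talk to Cloud KMS.
    """
    return asymmetric_decrypt(registry.version_name(cert_der), wrapped_dek)


def kms_asymmetric_decrypt(name: str, ciphertext: bytes) -> bytes:
    """Adapter over google-cloud-kms (lazy import; needs credentials and network)."""
    from google.cloud import kms  # pip install google-cloud-kms

    client = kms.KeyManagementServiceClient()
    response = client.asymmetric_decrypt(request={"name": name, "ciphertext": ciphertext})
    return response.plaintext


# Constructed sample data: two yearly rotations, version 2 being current.
CERT_2020 = b"-- constructed DER cert, on-prem key pair from 2020 --"
CERT_2021 = b"-- constructed DER cert, on-prem key pair from 2021 --"


def build_registry() -> KeyVersionRegistry:
    reg = KeyVersionRegistry("my-project", "us-east1", "onprem-keys", "envelope-kek")
    reg.register(CERT_2020, 1)
    reg.register(CERT_2021, 2)
    return reg


def fake_asymmetric_decrypt(name: str, ciphertext: bytes) -> bytes:
    """Stand-in for KMS: the "ciphertext" is '<version>:<dek>' instead of RSA-OAEP."""
    version = name.rsplit("/", 1)[1].encode()
    if not ciphertext.startswith(version + b":"):
        raise ValueError("ciphertext was not wrapped under this key version")
    return ciphertext[len(version) + 1:]


if __name__ == "__main__":
    reg = build_registry()
    # Envelope carrying CERT_2021 and a DEK "wrapped" by version 2.
    print(unwrap_dek(reg, CERT_2021, b"2:dek-bytes", fake_asymmetric_decrypt))
```

Populate the registry from the same job that imports each rotated key pair into KMS, so that the thumbprint of the certificate shipped with the envelope always resolves to the version holding the matching private key; an unknown thumbprint should fail closed rather than fall back to the primary version.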