Cloud KMS - Key Version in use

Hello,

Is there a way to get the version of the Google KMS key that the application used when encrypting?
How can the application itself check the key version, to tell whether it is using the latest key version or not?

Yes, you can retrieve the version of the Google KMS key used by your application programmatically. To control the key version within the application, implement logic to check and log the key version being used. Google Cloud Key Management Service (KMS) typically provides APIs or SDKs for such tasks, allowing you to verify if your application is using the latest key version or take appropriate actions if not. This ensures your application remains aligned with the intended cryptographic keys for security and version control.
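
As an added example (not code from this thread, and not a Google sample), here is one way an application can check its own key version, as the original question and this reply describe: the Cloud KMS `EncryptResponse.name` field carries the full `.../cryptoKeyVersions/N` resource name of the version that produced the ciphertext, and `get_crypto_key` returns the key's current `primary` version, so the two names can be parsed and compared. The offline functions run over constructed sample names (the project, key ring and key names are made up). `check_live` does the same comparison against a real key with the `google-cloud-kms` Python client, which is an assumption about the environment (package, credentials and network), and also reads `DecryptResponse.used_primary`, which reports only whether the primary version decrypted the ciphertext, not which version did. This covers the application's own KMS calls only, not versions used internally by other services.

```python
import re

# Cloud KMS CryptoKeyVersion resource-name format. EncryptResponse.name and
# CryptoKey.primary.name are both names of this shape.
_VERSION_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>\d+)$"
)

# Constructed sample names (project, ring and key are made up for this example):
# the version an Encrypt call reported, and the key's current primary version.
SAMPLE_ENCRYPT_RESPONSE_NAME = (
    "projects/example-project/locations/global/keyRings/app-ring"
    "/cryptoKeys/app-key/cryptoKeyVersions/2"
)
SAMPLE_PRIMARY_VERSION_NAME = (
    "projects/example-project/locations/global/keyRings/app-ring"
    "/cryptoKeys/app-key/cryptoKeyVersions/3"
)


def parse_key_version(name):
    """Split a CryptoKeyVersion resource name into its parts; version as int."""
    match = _VERSION_RE.match(name)
    if not match:
        raise ValueError(f"not a CryptoKeyVersion resource name: {name!r}")
    parts = match.groupdict()
    parts["version"] = int(parts["version"])
    return parts


def version_status(used_version_name, primary_version_name):
    """Compare the version an Encrypt call used with the key's primary version.

    Returns a dict suitable for logging, or for raising an alert when the
    application is still encrypting with an older version after a rotation.
    """
    used = parse_key_version(used_version_name)
    primary = parse_key_version(primary_version_name)
    key_fields = ("project", "location", "key_ring", "key")
    if any(used[f] != primary[f] for f in key_fields):
        raise ValueError("the two versions belong to different CryptoKeys")
    return {
        "key": used["key"],
        "used_version": used["version"],
        "primary_version": primary["version"],
        "is_primary": used["version"] == primary["version"],
        # Versions are numbered sequentially, so this is how many rotations the
        # application is behind (negative if the primary was set to an older version).
        "versions_behind": primary["version"] - used["version"],
    }


def audit_sample():
    """Run the comparison on the constructed sample names."""
    return version_status(SAMPLE_ENCRYPT_RESPONSE_NAME, SAMPLE_PRIMARY_VERSION_NAME)


def check_live(project_id, location_id, key_ring_id, key_id, plaintext=b"version probe"):
    """Same check against a real key; needs the google-cloud-kms package,
    credentials and network access, so it is not exercised offline.

    Encrypts a probe, reads the version the service reports in
    EncryptResponse.name, and compares it with the key's primary version.
    DecryptResponse.used_primary is also recorded: it says only whether the
    primary version decrypted the ciphertext, not which version did.
    """
    from google.cloud import kms  # imported lazily so the offline helpers need no SDK

    client = kms.KeyManagementServiceClient()
    key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
    enc = client.encrypt(request={"name": key_name, "plaintext": plaintext})
    crypto_key = client.get_crypto_key(request={"name": key_name})
    status = version_status(enc.name, crypto_key.primary.name)
    dec = client.decrypt(request={"name": key_name, "ciphertext": enc.ciphertext})
    status["decrypt_used_primary"] = dec.used_primary
    return status


if __name__ == "__main__":
    print(audit_sample())
```

Logging the `version_status` result on every encrypt call gives an audit trail of which version each piece of ciphertext was written under; an `is_primary` of false after a rotation is the signal that the application is still holding a stale key reference or cached version.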

What are the APIs/SDKs from Google KMS to check the key version on other services such as GKE, Dataproc, etc.?

Google Cloud Key Management Service (KMS) provides APIs and SDKs that allow you to check the key version from other services like GKE (Google Kubernetes Engine), Dataproc, etc. You can use the Cloud KMS API or the relevant client libraries in various programming languages (e.g., Python, Java, Go) to programmatically query and retrieve information about key versions associated with your cryptographic keys. This enables seamless integration and version management across multiple Google Cloud services.

It's still not clear how to get the version of the Google KMS key used when decrypting ciphertext within the application.

In Cloud KMS it's easy to know the latest version of the key. The question is which version of the key is being used by other services.

A similar question was asked of Google back in late 2019, and they said it was not possible to do that at that time.

As of late 2019, it's not possible to directly determine the version of a Google Cloud KMS key being used by other services when decrypting ciphertext within an application. While it's straightforward to identify the latest version of a key within Cloud KMS, tracking the specific version used externally by other services is not currently supported. It's recommended to check the latest documentation or inquire with Google Cloud support for any updates on this capability.

Isn't there a KMS Autopilot in the works, in preview, that has this capacity?