GCP - KMS Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
The Cloud Key Management Service serves as secure storage for cryptographic keys, which are essential for operations like encrypting and decrypting sensitive data. These keys are organized within key rings, allowing for structured management. Furthermore, access control can be configured either at the individual key level or for the entire key ring, so that permissions are precisely aligned with security requirements.
KMS key rings are by default created as global, which means that the keys inside that key ring are accessible from any region. However, it's possible to create specific key rings in specific regions.
Software keys: Software keys are created and managed by KMS entirely in software. These keys are not protected by any hardware security module (HSM) and can be used for testing and development purposes. Software keys are not recommended for production use because they provide low security and are susceptible to attacks.
Cloud-hosted keys: Cloud-hosted keys are created and managed by KMS in the cloud using a highly available and reliable infrastructure. These keys are protected by HSMs, but the HSMs are not dedicated to a specific customer. Cloud-hosted keys are suitable for most production use cases.
External keys: External keys are created and managed outside of KMS, and are imported into KMS for use in cryptographic operations. External keys can be stored in a hardware security module (HSM) or a software library, depending on the customer's preference.
Symmetric encryption/decryption: Used to encrypt and decrypt data using a single key for both operations. Symmetric keys are fast and efficient for encrypting and decrypting large volumes of data.
Supported: cryptoKeys.encrypt, cryptoKeys.decrypt
Asymmetric Signing: Used for secure communication between two parties without sharing the key. Asymmetric keys come in a pair, consisting of a public key and a private key. The public key is shared with others, while the private key is kept secret.
Asymmetric Decryption: Used to verify the authenticity of a message or data. A digital signature is created using a private key and can be verified using the corresponding public key.
MAC Signing: Used to ensure data integrity and authenticity by creating a message authentication code (MAC) using a secret key. HMAC is commonly used for message authentication in network protocols and software applications.
Supported: cryptoKeyVersions.macSign, cryptoKeyVersions.macVerify
Rotation period: by default every 90 days, but it can be easily and fully customized.
The "Programmed for destruction" period is the time between the user's request to delete the key and the moment the key is actually deleted. It cannot be changed after the key is created (default 1 day).
Each KMS key can have several versions; one of them must be the default (primary) version, which is the one used when no version is specified when interacting with the KMS key.
If you have permissions to list the keys, this is how you can access them:
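As an added example (not the page's own listing), this POSIX shell script walks every location, key ring, key and version with gcloud and summarizes the attributes discussed above (purpose, rotation period, primary version, destruction window) together with each key's IAM bindings. It assumes an authenticated gcloud with KMS list and get-iam-policy permissions; PROJECT is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: enumerate Cloud KMS with gcloud and
# summarize each key's purpose, rotation, primary version and destroy window.
# Assumes an authenticated gcloud; PROJECT is a placeholder project id.
PROJECT="${PROJECT:-my-project}"

# Turn a duration such as "7776000s" into a day count; an empty value means
# the key has no automatic rotation (or, for destroy, no window reported).
secs_to_days() {
  if [ -n "$1" ]; then echo "$(( ${1%s} / 86400 ))d"; else echo "none"; fi
}

# Summarize one csv line produced by the key listing below:
#   name,purpose,rotationPeriod,primary.name,destroyScheduledDuration
summarize_key() {
  IFS=, read -r name purpose rotation primary destroy <<EOF
$1
EOF
  echo "$name purpose=$purpose rotation=$(secs_to_days "$rotation") primary=${primary##*/} destroy=$(secs_to_days "$destroy")"
}

# Walk: locations (key rings may be global or regional) -> key rings -> keys
# -> versions and IAM policy. Inner gcloud calls get </dev/null so they cannot
# consume the key list being read by the while loop.
enumerate_kms() {
  for loc in $(gcloud kms locations list --project "$PROJECT" --format 'value(locationId)'); do
    for kr in $(gcloud kms keyrings list --project "$PROJECT" --location "$loc" --format 'value(name.basename())'); do
      echo "== keyring $loc/$kr"
      gcloud kms keys list --project "$PROJECT" --location "$loc" --keyring "$kr" \
        --format 'csv[no-heading](name.basename(),purpose,rotationPeriod,primary.name,destroyScheduledDuration)' |
      while IFS= read -r line; do
        summarize_key "$line"
        key=${line%%,*}
        gcloud kms keys versions list --project "$PROJECT" --location "$loc" --keyring "$kr" --key "$key" \
          --format 'value(name.basename(),state,protectionLevel)' </dev/null
        gcloud kms keys get-iam-policy "$key" --project "$PROJECT" --location "$loc" --keyring "$kr" \
          --format 'flattened(bindings)' </dev/null
      done
    done
  done
}

# Only run the walk when gcloud is installed, so the helpers can also be sourced.
if command -v gcloud >/dev/null 2>&1; then enumerate_kms; fi
```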