GoogleCloudPlatform/berglas

GCP Cloud SDK not able to decrypt secrets that are created using berglas

ayush-jain1 opened this issue · 3 comments

We are creating secrets in GCS using berglas, and we want to access these secrets in a Node application using the GCP Cloud SDK.

When trying to decrypt the secret using the GCP Cloud SDK, we are observing the error "CipherText is Invalid"; my guess is this is something to do with encoding during secret creation by berglas.

Does berglas use envelope encryption? If so, how can we decrypt using the Cloud SDK?

ERROR
Error: 3 INVALID_ARGUMENT: Decryption failed: the ciphertext is invalid.

Secret Creation
berglas create $bucket_names//certs/crt-tls-test-truststore-tls-test-truststore-alias.pem cert.pem --key projects/my-project/locations/europe-west2/keyRings/my-key-rings/cryptoKeys/my-key

Secret Access & Decryption

const { KeyManagementServiceClient } = require('@google-cloud/kms');
const client = new KeyManagementServiceClient();

// Send `ciphertext` to KMS for decryption with the given key and return the plaintext as a string.
const decryptSymmetric = async (projectId, locationId, kmsKeyRing, kmsKey, ciphertext) => {
    console.log('***** START decrypting contents from KMS');
    const keyName = client.cryptoKeyPath(projectId, locationId, kmsKeyRing, kmsKey);
    const request = {
        name: keyName,
        ciphertext: ciphertext,
    };
    const [response] = await client.decrypt(request);
    return response.plaintext.toString();
};

const test = async () => {
    // Full object body as written by berglas (both ':'-separated parts), passed to KMS unchanged.
    const ciphertext = "CiQAJo2e1VzL9dDu9+8VeTbs/m17RTp2qt6nRFKGeRnAJQzV6MsSSQALzq9BWitqoL8kQjcsN2E2ayNrHaZjsRGmr0m93dVvfNF8+9HZv3od/Cpo4ircdMsGhp9glcqy3W47/01t5x465dO6MuRrk38=:vpYFGTyiRUrPgRKmsBY0PjPlYqLJl41qz70qr20FVmYzlqbU/QI14tCcUtK6NwhSf9gFYojedMqoY/wP6iwA6TDpJKlK+Z+EVXJL6pBUCfAFnmL/mQXjm1+Cdh7e9Q2GA+88E/CyO1fPsNI=";

    try {
        const plaintext = await decryptSymmetric('apigeex-playground-308005', 'europe-west2', 'krs-kms-vbp-euwe2-gcs', 'key-kms-vbp-euwe2-gcs', ciphertext);
        console.log(plaintext);
    } catch (error) {
        console.log(error);
    }
};

module.exports = {
    decryptSymmetric,
};

test();

Berglas uses envelope encryption, so you'd need to pull the encrypted DEK off the object metadata, decrypt that with the KMS key, then use that key to decrypt the payload.

This issue is stale because it has been open for 14 days with no
activity. It will automatically close after 7 more days of inactivity.

This issue has been automatically locked since there has not been any
recent activity after it was closed. Please open a new issue for
related bugs.