Auto Unseal was developed to reduce the operational complexity of keeping the unseal key secure: instead of operators entering unseal key shares after every restart, Vault protects its root key with a key that lives in an external KMS. Here is a sample GCP Cloud KMS seal stanza from a Vault configuration file:
seal "gcpckms" {
  credentials = "/Users/owen/vault_gcp/cluster_A/owen-gcp-seal-test-47cdc5f058c6.json"
  project     = "hc-65bxxxxx"
  region      = "global"
  key_ring    = "key-ring-1"
  crypto_key  = "key-test-1"
}
All of these gcpckms parameters are required to use the GCP Cloud KMS seal. This article shows where and how to retrieve each of them from the GCP console.
1. project: Create a new GCP project or use an existing one. Copy the project ID value (not the project name or number).
2. credentials: This parameter is the path to the credentials JSON file associated with your service account. Go to IAM & Admin -> Service Accounts to create an account with at least these minimum permissions on the crypto key:
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeys.get
These permissions can be granted with the following role, together with the cloudkms.cryptoKeys.get permission, which must be granted in addition to the role:
roles/cloudkms.cryptoKeyEncrypterDecrypter
cloudkms.cryptoKeys.get
- Create a service account with the above permissions and click on that account in the list
- Select "Create new key" and choose the JSON key type
You will be able to download a credentials file in JSON format. Save it to a directory on the Vault server and use that path as the value of the credentials parameter in the Vault configuration file.
Note: Using service account key credentials stores a long-lived private key in the local filesystem of the Vault server; if you use one, restrict the file so that only the user running Vault can read it. To avoid keeping a key file at all, Workload Identity Federation is advised.
3. key_ring and crypto_key:
- Enable the GCP Cloud KMS API
- Go to Security, select Key Management under Data Protection
- Create a Key Ring; the location you choose here is the value of the region parameter ("global" in the sample stanza above)
- Inside the key ring, select Create to generate the crypto_key as a symmetric encrypt/decrypt key; its name is the value of crypto_key
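As an added example that is not part of the original article or of Vault itself, the following Python script performs the pre-flight checks a practitioner would want before starting Vault with the stanza above: it confirms the credentials file is a service-account key, that the key ring and crypto key names are well-formed, that the service account holds the three required permissions, and it prints the fully qualified Cloud KMS key resource name that the four parameters resolve to. The sample service-account JSON, the seal values and the function names are all constructed for illustration; the private key field is a placeholder, not real key material.

```python
import json
import re

# Permissions Vault needs on the crypto key (listed in the article).
REQUIRED_PERMISSIONS = {
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeys.get",
}

# Constructed sample service-account key file; a real one has the same
# fields with a genuine PEM private key. This is NOT real key material.
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "hc-65bxxxxx",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "vault-seal@hc-65bxxxxx.iam.gserviceaccount.com",
})

# Constructed seal parameters mirroring the sample stanza (hypothetical path).
SAMPLE_SEAL = {
    "credentials": "/etc/vault.d/gcp-seal.json",
    "project": "hc-65bxxxxx",
    "region": "global",
    "key_ring": "key-ring-1",
    "crypto_key": "key-test-1",
}

# Cloud KMS key ring and key names: letters, digits, '_' and '-', 1-63 chars.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")


def crypto_key_resource(seal):
    """Fully qualified Cloud KMS key name Vault wraps its root key with."""
    return (f"projects/{seal['project']}/locations/{seal['region']}"
            f"/keyRings/{seal['key_ring']}/cryptoKeys/{seal['crypto_key']}")


def render_seal_stanza(seal):
    """Render the gcpckms seal stanza for the Vault configuration file."""
    lines = ['seal "gcpckms" {']
    for key in ("credentials", "project", "region", "key_ring", "crypto_key"):
        lines.append(f'  {key} = "{seal[key]}"')
    lines.append("}")
    return "\n".join(lines)


def check_seal(seal, sa_key_text, granted_permissions):
    """Offline consistency checks; returns {'errors': [...], 'warnings': [...]}.

    Whether `region` matches the key ring's location can only be verified
    against the KMS API, so it is not checked here.
    """
    errors, warnings = [], []
    for key in ("project", "region", "key_ring", "crypto_key"):
        if not seal.get(key):
            errors.append(f"{key} is missing")
    for key in ("key_ring", "crypto_key"):
        if seal.get(key) and not _NAME_RE.match(seal[key]):
            errors.append(f"{key} {seal[key]!r} is not a valid KMS resource name")

    try:
        sa = json.loads(sa_key_text)
    except ValueError:
        errors.append("credentials file is not valid JSON")
        sa = None
    if sa is not None:
        if sa.get("type") != "service_account":
            errors.append("credentials file is not a service-account key")
        for field in ("client_email", "private_key"):
            if not sa.get(field):
                errors.append(f"credentials file lacks {field}")
        # A service account from another project can be granted access to the
        # key, so a mismatch is only worth a warning, not an error.
        if sa.get("project_id") != seal.get("project"):
            warnings.append(
                f"project {seal.get('project')!r} differs from credentials "
                f"project_id {sa.get('project_id')!r}")

    for perm in sorted(REQUIRED_PERMISSIONS - set(granted_permissions)):
        errors.append(f"service account lacks {perm}")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(render_seal_stanza(SAMPLE_SEAL))
    print("KMS key:", crypto_key_resource(SAMPLE_SEAL))
    print(check_seal(SAMPLE_SEAL, SAMPLE_SA_KEY, REQUIRED_PERMISSIONS))
```

In practice the granted permission set would come from `gcloud kms keys get-iam-policy` (or the IAM page in the console) rather than being passed in by hand; the point of the check is to catch the commonly missed cloudkms.cryptoKeys.get before Vault fails to initialize the seal.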
For further details, refer to the Auto-unseal using GCP Cloud KMS Learn article.
References
- gcpckms Seal
- Auto-unseal using GCP Cloud KMS
- Creating and enabling service accounts for instances
- Creating symmetric encryption keys