{"id":23102271,"url":"https://github.com/evenh/gcloud-kms-import","last_synced_at":"2025-04-03T21:26:05.303Z","repository":{"id":180360786,"uuid":"665012442","full_name":"evenh/gcloud-kms-import","owner":"evenh","description":"Preconfigured patched OpenSSL for Google Cloud KMS manual key wrapping","archived":false,"fork":false,"pushed_at":"2023-08-24T07:50:53.000Z","size":6,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-09T09:27:48.555Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/evenh.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-11T08:44:25.000Z","updated_at":"2023-07-11T08:45:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"14532921-d350-4ad7-9474-1e82600d852b","html_url":"https://github.com/evenh/gcloud-kms-import","commit_stats":null,"previous_names":["evenh/gcloud-kms-import"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evenh%2Fgcloud-kms-import","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evenh%2Fgcloud-kms-import/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evenh%2Fgcloud-kms-import/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evenh%2Fgcloud-kms-import/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/evenh","downloa
d_url":"https://codeload.github.com/evenh/gcloud-kms-import/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247080854,"owners_count":20880344,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-16T23:59:09.076Z","updated_at":"2025-04-03T21:26:05.291Z","avatar_url":"https://github.com/evenh.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gcloud-kms-import\n\nIn order to import a key into Cloud KMS, manual key wrapping is often required. This image can be used for that.\nBased on [these instructions](https://cloud.google.com/kms/docs/configuring-openssl-for-manual-key-wrapping).\n\nUse the `openssl.sh` command to invoke the patched OpenSSL 1.1.0l. The recipe specifies this for you.\n\n## Notes\n\nCurrent docker image: `evenh/gcloud-kms-import:437.0.1`\n\n1. Mount your private key in unencrypted DER format as `/root/secrets_from_host/input.pkcs8` using `docker cp path/to/key.pkcs8 container_name:/root/secrets_from_host/input.pkcs8`\n2. Authenticate yourself with `gcloud` using `gcloud auth login`.\n3. Set the active project using `gcloud config set project project_id`\n4. 
Follow this recipe:\n\n```shell\n# Set Variables\n\n# Note that these variables are only examples, and should change depending on what is being imported.\nexport KEY_RING=my-keyring\nexport KEY_NAME=my-key\nexport LOCATION=europe-north1\nexport IMPORT_JOB_NAME=key-import\n\n\n# Create import job\ngcloud kms import-jobs create ${IMPORT_JOB_NAME} \\\n  --location ${LOCATION} \\\n  --keyring ${KEY_RING} \\\n  --import-method rsa-oaep-3072-sha256-aes-256 \\\n  --protection-level software\n\n# Verify that the import job has state=ACTIVE\ngcloud kms import-jobs describe ${IMPORT_JOB_NAME} \\\n  --location ${LOCATION} \\\n  --keyring ${KEY_RING} \\\n  --format=\"value(state)\"\n\n\n# Configure env\nexport PUB_WRAPPING_KEY=/root/import/wrapping-key.pem\nexport TARGET_KEY=/root/secrets_from_host/input.pkcs8\nexport TEMP_AES_KEY=/root/import/temp-aes.key\nexport WRAPPED_KEY=/root/import/ready-for-import.key\nmkdir -p import\n\n\n# Download wrapping key for import\ngcloud kms import-jobs describe \\\n--location=${LOCATION} \\\n--keyring=${KEY_RING} \\\n--format=\"value(publicKey.pem)\" \\\n${IMPORT_JOB_NAME} \u003e ${PUB_WRAPPING_KEY}\n\n# Create temporary AES-key\nopenssl rand -out \"${TEMP_AES_KEY}\" 32\n\n# Wrap the key\nopenssl pkeyutl \\\n  -encrypt \\\n  -pubin \\\n  -inkey ${PUB_WRAPPING_KEY} \\\n  -in ${TEMP_AES_KEY} \\\n  -out ${WRAPPED_KEY} \\\n  -pkeyopt rsa_padding_mode:oaep \\\n  -pkeyopt rsa_oaep_md:sha256 \\\n  -pkeyopt rsa_mgf1_md:sha256\n\nopenssl.sh enc \\\n  -id-aes256-wrap-pad \\\n  -iv A65959A6 \\\n  -K $( hexdump -v -e '/1 \"%02x\"' \u003c \"${TEMP_AES_KEY}\" ) \\\n  -in \"${TARGET_KEY}\" \u003e\u003e \"${WRAPPED_KEY}\"\n\n# Do the actual import\ngcloud kms keys versions import \\\n  --import-job ${IMPORT_JOB_NAME} \\\n  --location ${LOCATION} \\\n  --keyring ${KEY_RING} \\\n  --key ${KEY_NAME} \\\n  --algorithm rsa-sign-pkcs1-3072-sha256 \\\n  --wrapped-key-file 
$WRAPPED_KEY\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevenh%2Fgcloud-kms-import","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevenh%2Fgcloud-kms-import","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevenh%2Fgcloud-kms-import/lists"}