{"id":22381946,"url":"https://github.com/googleinterns/cloud-kms-oss-tools","last_synced_at":"2025-07-16T19:33:51.553Z","repository":{"id":72547027,"uuid":"265345033","full_name":"googleinterns/cloud-kms-oss-tools","owner":"googleinterns","description":null,"archived":false,"fork":false,"pushed_at":"2020-08-18T19:53:16.000Z","size":499,"stargazers_count":6,"open_issues_count":26,"forks_count":0,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-06-24T18:11:44.022Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/googleinterns.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"docs/code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-19T19:31:13.000Z","updated_at":"2023-09-21T15:19:56.000Z","dependencies_parsed_at":"2023-07-20T12:32:21.912Z","dependency_job_id":null,"html_url":"https://github.com/googleinterns/cloud-kms-oss-tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/googleinterns/cloud-kms-oss-tools","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleinterns%2Fcloud-kms-oss-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleinterns%2Fcloud-kms-oss-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleinterns%2Fcloud-kms-oss-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleinterns%2Fcloud-kms-oss-tools/manifest
s","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/googleinterns","download_url":"https://codeload.github.com/googleinterns/cloud-kms-oss-tools/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleinterns%2Fcloud-kms-oss-tools/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265534730,"owners_count":23783879,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-05T00:11:07.668Z","updated_at":"2025-07-16T19:33:51.547Z","avatar_url":"https://github.com/googleinterns.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloud KMS Open Source Tools\nThis repository contains open source tools to be used with [Google Cloud Key \nManagement Service][kms]. These tools are described below.\n\n**This is not an officially supported Google product.**\n\n## Cloud KMS OpenSSL Engine\n\nThis repository contains an [OpenSSL Engine][openssl-engine] that uses [Google \nCloud KMS][kms] and [Google Cloud HSM][hsm] to perform cryptographic operations.\n\n### Overview\n\nAn OpenSSL engine enables OpenSSL to delegate cryptographic operations to an \nalternative implementation while still allowing OpenSSL users to use the OpenSSL \nAPI. 
This allows applications that use OpenSSL to benefit from alternative \ncryptographic implementations without having to be modified.\n\nGoogle Cloud KMS is a cloud-hosted key management service that lets users manage \nand use cryptographic keys for their cloud services the same way they do \non-premises. Google Cloud HSM is a cloud-hosted hardware security module (HSM) \nservice on Google Cloud Platform. With Cloud HSM, users can host encryption keys \nand perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs.\n\nThe repository contains an OpenSSL engine that allows users to use Cloud KMS and \nCloud HSM as a drop-in replacement for OpenSSL's default cryptography \nimplementation. This allows, for example, an HTTPS web server that uses OpenSSL \nto make use of a private key that is protected by and never leaves an HSM \nrunning on Google Cloud Platform.\n\n### Installation\n\nThis installation guide has been tested on a Debian GNU/Linux 9 distribution.\n\n1. Set up a [Google Cloud service account][service-account] with the [`roles/cloudkms.signerVerifier`][roles] role. Then, follow one of the authentication flows at [\"Authenticating as a service account\"][service-account] to authenticate your engine environment with the service account's credentials.\n\n2. Install Git, Bazel, and the OpenSSL `libcrypto.so` libraries. On Debian, you can use the following commands:\n\n    ```bash\n    # Install Git and Bazel dependencies.\n    sudo apt-get -y install git-all curl gnupg\n    # Install Bazel.\n    curl https://bazel.build/bazel-release.pub.gpg | sudo apt-key add -\n    echo \"deb [arch=amd64] https://storage.googleapis.com/bazel-apt stable jdk1.8\" | sudo tee /etc/apt/sources.list.d/bazel.list\n    sudo apt-get update \u0026\u0026 sudo apt-get -y install bazel\n    # Install libcrypto.so.\n    sudo apt-get -y install libssl-dev\n    ```\n\n3. 
Clone repository and build with Bazel.\n\n    ```bash\n    git clone https://github.com/googleinterns/cloud-kms-oss-tools.git\n    cd cloud-kms-oss-tools/src\n    bazel build ...\n    ```\n\n    The engine libraries are now located in `cloud-kms-oss-tools/bazel-bin/src/bridge/libengine.so` and `cloud-kms-oss-tools/bazel-bin/src/backing/libkms.so`.\n    \n    _Optional:_ Run all of the Bazel tests.\n    \n    ```bash\n    bazel test ...\n    ```\n  \n4. Add the engine to the OpenSSL configuration file, `openssl.cnf`. You can find the directory containing the OpenSSL configuration by running `openssl version -d`.\n\n    ```bash\n    $ openssl version -d\n    OPENSSLDIR: \"/usr/lib/ssl\"\n    $ sudo vim /usr/lib/ssl/openssl.cnf\n    ```\n    \n    If `openssl.cnf` does not already define an `openssl_conf` section (some distributions will already define it), define it at the top-level of the configuration. For example, this line defines `openssl_conf` to point to the `openssl_init` section:\n    \n    ```\n    openssl_conf = openssl_init\n    ```\n\n    At the bottom of the configuration file, add the `openssl_init` section and add the engine configuration for the `gcloudkms` engine:\n\n    ```\n    [ openssl_init ]\n    engines = engine_section\n\n    [ engine_section ]\n    gcloudkms = gcloudkms_section\n\n    [ gcloudkms_section ]\n    dynamic_path = /my/path/to/bazel-bin/src/bridge/libengine.so  # Update as needed\n    default_algorithms = ALL\n    ```\n    \n5. Test that OpenSSL can find the engine by running `openssl engine`. 
`gcloudkms` should appear in the list.\n\n    ```bash\n    $ openssl engine\n    (rdrand) Intel RDRAND engine\n    (dynamic) Dynamic engine loading support\n    (gcloudkms) Google Cloud KMS Engine\n    ```\n    \n    Test that OpenSSL can dynamically load the engine by running `openssl engine -t gcloudkms`:\n    \n    ```bash\n    $ openssl engine -t gcloudkms\n    (gcloudkms) Google Cloud KMS Engine\n         [ available ]\n    ```\n    \n    If `available` appears, the engine is ready to be used.\n\n[kms]: https://cloud.google.com/kms\n[hsm]: https://cloud.google.com/hsm\n[openssl-engine]: \nhttps://raw.githubusercontent.com/openssl/openssl/master/README.ENGINE\n[service-account]:\nhttps://cloud.google.com/docs/authentication/production\n[roles]:\nhttps://cloud.google.com/kms/docs/reference/permissions-and-roles#predefined\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleinterns%2Fcloud-kms-oss-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogleinterns%2Fcloud-kms-oss-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleinterns%2Fcloud-kms-oss-tools/lists"}