{"id":21354916,"url":"https://github.com/salrashid123/kmsrand","last_synced_at":"2026-05-17T20:14:10.590Z","repository":{"id":234531016,"uuid":"789089994","full_name":"salrashid123/kmsrand","owner":"salrashid123","description":"KMS backed crypto/rand Reader","archived":false,"fork":false,"pushed_at":"2024-04-22T12:06:09.000Z","size":28,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-05-03T00:53:08.025Z","etag":null,"topics":["aws","cryptography","gcp","kms","random-number-generators"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-04-19T17:20:44.000Z","updated_at":"2024-04-22T12:06:13.000Z","dependencies_parsed_at":"2024-04-22T13:28:20.233Z","dependency_job_id":"3b38b806-9ba4-4dea-9467-48a67f06dd20","html_url":"https://github.com/salrashid123/kmsrand","commit_stats":null,"previous_names":["salrashid123/kmsrand"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fkmsrand","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fkmsrand/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fkmsrand/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fkmsrand/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salrashid123","
download_url":"https://codeload.github.com/salrashid123/kmsrand/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243828587,"owners_count":20354526,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cryptography","gcp","kms","random-number-generators"],"created_at":"2024-11-22T04:15:19.658Z","updated_at":"2026-05-17T20:14:05.571Z","avatar_url":"https://github.com/salrashid123.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## KMS backed crypto/rand Reader\n\nA [crypto/rand](https://pkg.go.dev/crypto/rand) reader that uses a `Key Management System` (KMS) as the source of randomness.\n\nBasically, it's just a source of randomness you can use to create RSA keys or to get random bits for use anywhere else, except that the random bits come from the KMS system's hardware.\n\nAs background, Go's default rand generator uses the sort-of random sources listed in [rand.go](https://go.dev/src/crypto/rand/rand.go) by default,\n\nbut if you want HSM backed sources, you can use KMS or a TPM:\n\n- [TPM and PKCS-11 backed crypto/rand Reader](https://github.com/salrashid123/tpmrand)\n- [GCP KMS GenerateRandomBytes](https://cloud.google.com/kms/docs/samples/kms-generate-random-bytes)\n- [AWS GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html)\n\nThis repo implements just GCP and AWS's KMS.\n\nKMS API operations to get random bytes have an associated consumption cost ($).\n\nJust note that asking for random stuff isn't free...nothing is 
free\n\n\u003e\u003e this repo is *not* supported by Google\n\n\nupdate 4/22: I realized after I wrote this on Friday that a GCP KMS backed one already exists: [sethvargo/gcpkms-rand](https://github.com/sethvargo/gcpkms-rand). The difference with this implementation is the interface and support for AWS.\n\n---\n\nFrom there, the usage is simple:\n\n#### GCP\n\n```golang\npackage main\n\nimport (\n\t\"context\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"encoding/pem\"\n\t\"flag\"\n\t\"fmt\"\n\t\"log\"\n\n\t//\"github.com/cenkalti/backoff/v4\"\n\tgcpkms \"github.com/salrashid123/kmsrand/gcp\"\n\n\tcloudkms \"cloud.google.com/go/kms/apiv1\"\n\t\"cloud.google.com/go/kms/apiv1/kmspb\"\n)\n\nvar (\n\tlocation = flag.String(\"location\", \"projects/srashid-test2/locations/us-central1\", \"location used to generate random\")\n)\n\nfunc main() {\n\tflag.Parse()\n\n\tctx := context.Background()\n\tkmsClient, err := cloudkms.NewKeyManagementClient(ctx)\n\tif err != nil {\n\t\tlog.Fatalf(\"creating KMS client: %v\", err)\n\t}\n\tdefer kmsClient.Close()\n\n\trandomBytes := make([]byte, 32)\n\tr, err := gcpkms.NewGCPRand(\u0026gcpkms.GCPReader{\n\t\tClient:          kmsClient,\n\t\tLocation:        *location,\n\t\tProtectionLevel: kmspb.ProtectionLevel_HSM,\n\t\t//Scheme:    backoff.NewConstantBackOff(time.Millisecond * 10),\n\t})\n\tif err != nil {\n\t\tlog.Fatalf(\"creating KMS rand reader: %v\", err)\n\t}\n\n\t// Read 32 random bytes from the KMS-backed reader\n\tif _, err = r.Read(randomBytes); err != nil {\n\t\tlog.Fatalf(\"reading random bytes: %v\", err)\n\t}\n\n\tfmt.Printf(\"Random String :%s\\n\", base64.StdEncoding.EncodeToString(randomBytes))\n\n\tfmt.Println()\n\n\t// RSA keygen, passing the KMS-backed reader as the randomness source\n\tprivkey, err := rsa.GenerateKey(r, 2048)\n\tif err != nil {\n\t\tlog.Fatalf(\"generating RSA key: %v\", err)\n\t}\n\n\tkeyPEM := pem.EncodeToMemory(\n\t\t\u0026pem.Block{\n\t\t\tType:  \"RSA PRIVATE KEY\",\n\t\t\tBytes: x509.MarshalPKCS1PrivateKey(privkey),\n\t\t},\n\t)\n\tfmt.Printf(\"RSA Key: \\n%s\\n\", keyPEM)\n}\n```\n\nwhich gives:\n\n```bash\n$ gcloud auth application-default login\n\n$ cd example/gcp\n\n$ go run main.go --location=projects/srashid-test2/locations/us-central1\nRandom String :H2ttxPK3Dz+CeHVTmjSa84rVj6n/0nY5Ib8EOWa00W0=\n\nRSA Key: \n-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpAIBAAKCAQEAy3WBNli/nAB8gyJeIFI70xHw2cm7CbUJGfGiSyJQt/HXJkMf\nyAvMdp4vpaBnJagKmhFOHD8V3h3GUMyDnxHd8yF74T+CK1ODjwhoZJVlzJmmSA7L\nMpBlSfqmcO0umyiu3qrqfelwsZab28P4GJN1ipNSqGVYNKF0NAokgZ5Y7W3tMw+H\nG7sKvUsRbVasx79YiVyHCxzCnz+xEpBKkGD+L4dk8+xhkDiCs53ZevoOg8tm4Bhd\n3AGoUJptKJaSfMNxNVkAryHDxaGNV6XOsoffWSY5LYrzk3vPeodwMm7iFJadyThS\nkgdzOxE2GFRxjpZsKiAHp5ivYVEnI25G53wC8QIDAQABAoIBAHYcP6dp+8m3KpEB\nuXyv4FTWfGghyLeI5cCu2lUdlZhDB3AJ1YBPASH3EJfotxhQJd9snlidcrdft4me\nP+Zu+9axoHWRZaJ7N8snyVpitBcDN1lrZSB0XKiGnmq99alTA7j1pWz0wFwHn3ED\noZm6uKh6f6iMNJlRBOFU5f5tCxjBB47hmkw5QAN/kqMNJw5Zo+mnBmaxSpred1fK\nUacIznJL/IiwqtuCUX1ckANTeU5tCFFAu1XtQqylNdBZI5SZwTG2dcVOJL2zbkXO\nsVObQdYB/2gk4gDs1dMHiYL7CDK+ONdqHBq6C32+g3EkT6rGIZuHFLj8tmerdnr9\ncVDQT7ECgYEA7omtMTv9SDAQ4cdq4NXGN8EjHw96VkUtH5NRxdDao2XvwGdeqQd+\n8ioFiS3ZWubYFs7WQlO5eEj+EyNv+NPw6fCA5URpwPlM/fFwSgf8rYy7x0ROKyB6\neUBKAQqjhOFB+x7dEghhhGr+d/GbtTmRsO9jU1IzTXfNieHRCUsvKM0CgYEA2lpu\n4+vzUfj6wkQeShaIfd4NmdGiiR+ZH8wrxNhTCXmd5SDSrm7Pj7EZjzJiSJ/qZFph\nbS7MIwRH3hc31w/rgCj7c1uscZVY974HHyp0qBOs+i7rcYG6pRxqSQT5vP6IdQ9B\nmR/ZXe2XvpPWtRWj/N8005vigNQqDwZqAv5c0rUCgYEAi2YDw4D2PGhyhS8/w1LK\neqywtKcb7CyS+R/jqsGp89FPcdY22Hrb8fMitw8HNXswDuwjBDHfcm7dpBuShQx+\nfoghG1qGntJR7xlYcLsIK/fRiNre/48EY7VxSfiIpM/q+jEIKlChhHvuZ/PW9epF\nvOu41Ol1t7Dqechwm4jHb4UCgYAnhJhvLaPi4RHZGOT2ea+IQCjr/tHQyWQ4KgZ9\n4LzeiSE3d8JJiYqNMfszPGYnSLHuKaFaVk7hw4OSQVd818fCcShZD21dPS9V3xGA\n5Xkpdi4nNVitOVJjUYo23uyn9NUTgohXwzje1AJTnoQMT/dW67qu1ZafxEY8Y+fJ\n1OlNxQKBgQCk+T5QFN5OaReXEa35WMIHKyyCozbhgRcxpOF8oLkcRoY58nrJ22mv\n4OH0CvyFNd4m4epErkgp5G6WwOI2rQTHcTHqCGk0ksZDf4Qz+0aW7XPDJRpN/050\n/IauDTmcwbVKPgKLF4Gqh6sN8mm9pkLSdtjnw9NcUzCEYI3F1vsbsg==\n-----END RSA PRIVATE KEY-----\n```\n\n#### AWS\n\n```golang\npackage main\n\nimport (\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"log\"\n\n\t\"github.com/aws/aws-sdk-go/aws\"\n\t\"github.com/aws/aws-sdk-go/aws/session\"\n\t\"github.com/aws/aws-sdk-go/service/kms\"\n\tawskms \"github.com/salrashid123/kmsrand/aws\"\n)\n\nfunc main() {\n\n\tsess, err := 
session.NewSession(\u0026aws.Config{\n\t\tRegion: aws.String(\"us-east-2\")},\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"creating AWS session: %v\", err)\n\t}\n\n\tsvc := kms.New(sess)\n\n\trandomBytes := make([]byte, 32)\n\tr, err := awskms.NewAWSRand(\u0026awskms.AWSReader{\n\t\tService: svc,\n\t\t//Scheme:    backoff.NewConstantBackOff(time.Millisecond * 10),\n\t})\n\tif err != nil {\n\t\tlog.Fatalf(\"creating KMS rand reader: %v\", err)\n\t}\n\n\t// Read 32 random bytes from the KMS-backed reader\n\tif _, err = r.Read(randomBytes); err != nil {\n\t\tlog.Fatalf(\"reading random bytes: %v\", err)\n\t}\n\n\tfmt.Printf(\"Random String: %s\", base64.StdEncoding.EncodeToString(randomBytes))\n\n\tfmt.Println()\n\n\t// RSA keygen, passing the KMS-backed reader as the randomness source\n\tprivkey, err := rsa.GenerateKey(r, 2048)\n\tif err != nil {\n\t\tlog.Fatalf(\"generating RSA key: %v\", err)\n\t}\n\n\tkeyPEM := pem.EncodeToMemory(\n\t\t\u0026pem.Block{\n\t\t\tType:  \"RSA PRIVATE KEY\",\n\t\t\tBytes: x509.MarshalPKCS1PrivateKey(privkey),\n\t\t},\n\t)\n\tfmt.Printf(\"RSA Key: \\n%s\\n\", keyPEM)\n}\n\n```\n\n```bash\nexport AWS_ACCESS_KEY_ID=AKIAUH3H6...\nexport AWS_SECRET_ACCESS_KEY=FZ2HR...\n\n$ cd example/aws\n$ go run main.go \n\nRandom String: UoEasiXvmV81BCOALLqIZMZ063iYvdo8urmZP8K4kjc=\nRSA Key: \n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA+VFdK/GC75gtYq0MBGHMowmZhApXhxDRyx8mpeC5g2DBAgrz\nzK7Qy3CxWBkMytNjQi7c8iRHUPIy3V5P2i/I4aybQckw/a7JHs1FiB0M1w4itcKv\n404126KEEkhYnrRgBlrHyHJTcYkhCcegFugWw3/fPxFEdic1+A90+J1SluqSedEW\npqha+I9jZwbrbNFH8vMtvK+BJAaqP+Vwkpko+uMukmkONQ8EfFrm8gAAay3x1bwg\nAg4Cik4OHS2hTn4MYgmYwkFBy+2md9Llur0s4Z/1fp46UT/OeaDgxXZjOx+vxA8r\n8UctNpT3z7i9bqkRRSmOtB4/5B52qRYV3y6qfwIDAQABAoIBAQCDa8JDUbGFfqAd\n7b3x6WOnZX4IvjLZPaJ5Adirg8QGXtAetYtCD7x8INE68SlvGPKvhmhtM3ZsUt9B\nFV/eUWYAn63PhbBPaP0XQXkvgLCuBAOD8DYrCaUWO5qG0J/2OHqNnvjEzo7xwCks\nMJBQwtKNBzC02/NMnOqz8eHk03kfl0h2NNuKToWeckwU1Zbu4KRb0nZBda+/KinK\nS3K6rdY9JLBgXDukjXndDgq+iHpvmvWNtaFtBeN+Z/aoBywZWV/Olf2q7skV/JKf\nU2FIS3GEqnun6tF2iNTwB7uiEHcDnuBSTgBeUgx9/mSOj5ep6CkLmOQlC+5PxEIF\nlPyQQZmxAoGBAP+IccPJxUHdZIv8NXxlHrjNWoGxr/Wn+DEoypgA9pinyllJ1VkR\ndYzFJarI4T3rhHi6XsL8EzgJe3LQQBwfj1I1cF23NikZlQMIOoEgkGxL1LNl59l9\nQH0FJx0R3Ngi+dEDuqx6HSbvNzHAihKGckqC8i5SYl2RRbV+5hAwEC5dAoGBAPnG\nAv3qhZRKIpjhPSc0daLt4Pt0F9PGNKyLdDU6Sq8waM9RWK0dfCnum97jkmJ1izri\nVxm/L4jUebQYhc2fphTzt76sv/wDPaUrs3seEyDj1yRgu
SeBiDjUyopYs/X7P4Z/\n16ClnAj50TV9buoIXJPG3tqJEVxJUAyD2JfWd5aLAoGAFRsK8nXm4gLMPDevnz+m\n4vKrKA0qEGs4N6871IQ32fH555gOlBW6FM9vxgRjfj7GqUYTb51sZPN7i8chlHES\n4GJjjooEYi6nvSFf26x54Uf+IHcpSDBtNCZJzb/c8skowxfAwmAvqjiV4Xkarl8G\nb5sTL7pEP6AxFsWNcQbXP00CgYBtVdBZdh+jGhCq+23Zi40zFQ43BEqp2UmVfjYQ\nVsP6jCZVGjbHEPEZKenxV4zsrKeVzx5xls8oBlqAC3wG1qvM4CK+xMAFgSWq98ZJ\nTpDxBMtYkT57nKgUuJEwnkOomaLlLXEmUVhMVY7O62lx6NcdmSBUaUvAKhdwYwac\n8LTIoQKBgQDujtpdfoV17Y4yfA0W/1KyCxjbLS0XhaNn12/vRNCAo5s3VuXvo2nk\n8krMiRQR9p3D1QEUcbyvjBUH+thUjAWWLwmNJZGhJrxFGMrGac7Kcp0CsZpJr262\nclUulFOR0yB0Em6S8sg99tH8ZrlSefLNWnKRH188qTrV0bHX2K/3Og==\n-----END RSA PRIVATE KEY-----\n\n```\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fkmsrand","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Fkmsrand","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fkmsrand/lists"}