TNCS-0048 – Accessing Encrypted Google Cloud Files
Created: August 24, 2020
INTRODUCTION
If you encrypted files using a client-supplied encryption key, you’ll have to decrypt them using the Google Cloud console. Unlike Amazon, Google Cloud’s console does not have any provision for decrypting files. You will have to use the ‘gsutil’ and our ‘GenerateGCKey’ command-line tools.
THE STEPS
- Install gsutil. Follow the instructions here:
https://cloud.google.com/storage/docs/gsutil_install
- Obtain an encoded key based on the customer-supplied encryption key you entered in your connection profile. To do this, you’ll have to use the ‘GenerateGCKey’ command-line tool (see below). Download it here.
- Configure gsutil to use the Encoded Key obtained from the GenerateGCKey tool. To do this, follow the steps here:
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys
The Encoded Key is supplied wherever you see “[YOUR_ENCRYPTION_KEY].”
GenerateGCKey TOOL
GenerateGCKey is a command-line tool used to create the encoded key. The usage is simple:
./GenerateGCKey Your-Encryption-Key
(This assumes you’ve already cd’d to the folder where you installed GenerateGCKey.)
The output will look something like this:
mbpd@MBPD-Mini Desktop % ./GenerateGCKey bunnies
Input Key: bunnies
Encoded Input Key: YnVubmllc0IyNDQyNjEzMzI0RTY2N0U4QzFDMjgzMjY=
Encoded Input Key Hash: op9oADkxMvDtsJ+fjce3IjaAjmPufBDDPzq4y40KGR4=
The ‘Encoded Input Key’ is what you will use in gsutil. The ‘Encoded Input Key Hash’ is just a helpful reference value. If you supplied the wrong encryption key for the file you are downloading, gsutil will display the hash value of the encryption key it is expecting. This is useful if you used multiple keys and can’t remember the correct one to use.
Download the ‘GenerateGCKey’ tool here.
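The hash comparison described in this section can be scripted when several encoded keys are on hand. The following is an added example, not part of the GenerateGCKey tool or the original note: it checks that each encoded key decodes to 32 bytes and finds the one whose hash matches the value gsutil reports. It assumes the ‘Encoded Input Key Hash’ is the Base64-encoded SHA-256 of the decoded key bytes (the format Google Cloud Storage uses for customer-supplied keys); the function names and profile labels are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac


def decode_csek(encoded_key: str) -> bytes:
    """Decode a Base64 customer-supplied key and enforce the AES-256 length."""
    try:
        raw = base64.b64decode(encoded_key.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("encoded key is not valid Base64") from exc
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw


def csek_hash(encoded_key: str) -> str:
    """Base64 of SHA-256 over the raw key bytes (assumed hash format)."""
    digest = hashlib.sha256(decode_csek(encoded_key)).digest()
    return base64.b64encode(digest).decode("ascii")


def find_matching_key(candidates: dict, expected_hash: str):
    """Return the label of the key whose hash equals expected_hash, else None."""
    wanted = expected_hash.strip().encode("utf-8")
    for label, encoded_key in candidates.items():
        try:
            computed = csek_hash(encoded_key).encode("ascii")
        except ValueError:
            continue  # skip malformed entries instead of aborting the search
        if hmac.compare_digest(computed, wanted):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample keys; real keys belong in a secrets store, not in source.
    candidates = {
        "profile-a": base64.b64encode(b"A" * 32).decode(),
        "profile-b": base64.b64encode(b"B" * 32).decode(),
        "truncated": base64.b64encode(b"C" * 16).decode(),  # wrong length
    }
    # Stands in for the hash gsutil prints when the wrong key is supplied.
    reported = csek_hash(candidates["profile-b"])
    print("matching key:", find_matching_key(candidates, reported))
```

The encoded key is only a Base64 encoding of the key material (the sample above decodes to text beginning with ‘bunnies’), so protect it, and any gsutil configuration file that holds it, as you would the key itself.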
REVISION HISTORY
Aug-24-2020 – Created Internally.