Metadata-Version: 2.1
Name: gkms
Version: 0.0.1
Summary: A simple utility for using GCP Cloud KMS to encrypt and decrypt secrets and storing them in GCS.
Home-page: https://github.com/getsentry/gkms
Author: zylphrex
Author-email: zylphrex@gmail.com
Maintainer: zylphrex
Maintainer-email: zylphrex@gmail.com
License: UNKNOWN
Keywords: cloudgcp,gcs,google,google-cloud-kms,google-cloud-storage,kms,encrypt,decrypt
Platform: Posix; MacOS X; Windows
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Topic :: Security
Description-Content-Type: text/markdown
Requires-Dist: google-cloud-storage (<2,>=1.16.1)
Requires-Dist: google-cloud-kms (<2,>=1.1.0)
Provides-Extra: dev
Requires-Dist: pytest (<6,>=5.0.1) ; extra == 'dev'

# gkms

`gkms` is a simple utility that uses GCP Cloud KMS to encrypt and decrypt secrets and stores them in GCS.

## Installation

```shell
pip install gkms
```

## Setup

Please see [https://googleapis.github.io/google-cloud-python/latest/core/auth.html](https://googleapis.github.io/google-cloud-python/latest/core/auth.html) for authentication with Google Cloud SDK.

## Usage

### CLI

```shell
gkms encrypt \
    --project my-project \
    --location global \
    --ring my-key-ring \
    --key my-crypto-key \
    --bucket my-bucket \
    --target my-target.txt \
    --secret my-secret.txt

gkms decrypt \
    --project my-project \
    --bucket my-bucket \
    --target my-target.txt

gkms reencrypt \
    --project my-project \
    --bucket my-bucket \
    --target my-target.txt
```

### Python

```python
import gkms

gkms.encrypt(
    project='my-project',
    location='global',
    keyring='my-key-ring',
    cryptokey='my-crypto-key',
    bucket='my-bucket',
    target='my-secret.txt',
    secret_name='my-secret.txt',
)

decrypted = gkms.decrypt(
    project='my-project',
    bucket='my-bucket',
    target='my-secret.txt',
)

gkms.reencrypt(
    project='my-project',
    bucket='my-bucket',
    target='my-secret.txt',
)
```

## Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

### Getting Started

Set up your virtual environment however you like.

```shell
pip install -e ".[dev]"
```

You're ready to start developing!

### Running Tests

```shell
pytest
```

## Disclaimer

`gkms` merely lets you keep your secrets in GCS buckets, where you can control access through IAM roles. _This does **not** replace projects like HashiCorp Vault!_ Attackers who gain access to your service accounts will have access to the secrets.
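
One way to see which principals this applies to, as an added example that is not part of `gkms`: given the IAM policies of the bucket and the crypto key as dicts in the standard `bindings` shape, it lists the members who can both fetch the ciphertext and decrypt it. The service account names and sample policies are constructed for illustration.

```python
# Added example, not part of gkms. Role sets are not exhaustive: custom roles,
# basic roles (roles/owner, roles/editor), IAM conditions, group membership and
# bindings inherited from the project or organization are not evaluated.
BUCKET_READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin",
                     "roles/storage.admin"}
KMS_DECRYPT_ROLES = {"roles/cloudkms.cryptoKeyDecrypter",
                     "roles/cloudkms.cryptoKeyEncrypterDecrypter"}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def members_with(policy, roles):
    """Collect every member bound to one of `roles` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in roles:
            found.update(binding.get("members", []))
    return found


def audit(bucket_policy, key_policy):
    """Report who can fetch the ciphertext and also decrypt it."""
    readers = members_with(bucket_policy, BUCKET_READ_ROLES)
    decrypters = members_with(key_policy, KMS_DECRYPT_ROLES)
    public_bucket = bool(readers & PUBLIC)
    # With a public bucket, holding the decrypt role alone is enough.
    effective = decrypters if public_bucket else readers & decrypters
    return {
        "public_bucket": public_bucket,
        "can_read_secrets": sorted(effective - PUBLIC),
        "ciphertext_only": sorted(readers - decrypters - PUBLIC),
    }


# Constructed sample policies (hypothetical service accounts).
APP = "serviceAccount:app@my-project.iam.gserviceaccount.com"
BACKUP = "serviceAccount:backup@my-project.iam.gserviceaccount.com"
DEPLOY = "serviceAccount:deploy@my-project.iam.gserviceaccount.com"
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [APP, BACKUP]},
    {"role": "roles/storage.objectCreator", "members": [DEPLOY]},
]}
KEY_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [APP]},
    {"role": "roles/cloudkms.cryptoKeyEncrypter", "members": [DEPLOY]},
]}

if __name__ == "__main__":
    print(audit(BUCKET_POLICY, KEY_POLICY))
```

Every entry under `can_read_secrets` is an identity whose compromise exposes the stored secrets, so that list is the one to keep short.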


