
syslogic/google-cloud-kms-gradle-plugin


Google Cloud KMS Plugin

Features

  • It encrypts and decrypts multiple files with Cloud KMS.
  • It only overwrites destination files when they are empty.

Development

The plugin source code can be swiftly installed into any Android Gradle project with git clone:

git clone https://github.com/syslogic/google-cloud-kms-gradle-plugin.git ./buildSrc

Package Installation

The plugin depends on the Google Cloud CLI gcloud command.

A) The plugin can either be set up in the buildscript block of the root project's build.gradle:

buildscript {
    repositories {
        maven { url 'https://jitpack.io' }
    }
    dependencies {
        classpath 'io.syslogic:google-cloud-kms-gradle-plugin:1.0.0'
    }
}

B) Alternatively, the repository can be defined in the root project's settings.gradle:

pluginManagement {
    repositories {
        gradlePluginPortal()
        maven { url 'https://jitpack.io' }
    }
}

Then it can be loaded in the plugins block of the root project's build.gradle:

plugins {
    id 'io.syslogic.cloudkms' version '1.0.0' apply false
}

C) Finally, it has to be applied in the module's build.gradle:

plugins {
    id 'io.syslogic.cloudkms'
}

Configuration

The CloudKmsExtension can be configured with the following properties:

Type      Property         Default
String    kmsKeyPath       null
String[]  plaintextFiles   []
String[]  ciphertextFiles  []

Usage Example

Properties plaintextFiles and ciphertextFiles must match index for index (entry 0 of one is the counterpart of entry 0 of the other); the same pairing is used in both directions.

/** Google Cloud KMS */
cloudKms {

    // The leading underscore is required due to the CloudBuild environment.
    kmsKeyPath = System.getenv('_CLOUD_KMS_KEY_PATH')

    // local files to be ignored by version control:
    plaintextFiles = [
            /* 0 */ System.getProperty("user.home") + File.separator + ".android" + File.separator + "debug.keystore",
            /* 1 */ System.getProperty("user.home") + File.separator + ".android" + File.separator + "release.keystore",
            /* 2 */ getRootDir().absolutePath + File.separator + 'keystore.properties',
            /* 3 */ getRootDir().absolutePath + File.separator + 'credentials/google-service-account.json',
            /* 4 */ getProjectDir().absolutePath + File.separator + 'google-services.json'
    ]
    
    // encrypted files can be checked in to version control:
    ciphertextFiles = [
            /* 0 */ getRootDir().absolutePath + File.separator + 'credentials/debug.keystore.enc',
            /* 1 */ getRootDir().absolutePath + File.separator + 'credentials/release.keystore.enc',
            /* 2 */ getRootDir().absolutePath + File.separator + 'credentials/keystore.properties.enc',
            /* 3 */ getRootDir().absolutePath + File.separator + 'credentials/google-service-account.json.enc',
            /* 4 */ getRootDir().absolutePath + File.separator + 'credentials/google-services.json.enc'
    ]
}

Gradle Tasks

  • :cloudKmsEncrypt is meant to run locally, in order to encrypt the relevant files.
    Once that is done, the encrypted files can be checked in to version control.
  • :cloudKmsDecrypt is meant to run remotely, in order to decrypt the relevant files.
    The encrypted files come from version control.

With task :cloudKmsEncrypt

  • plaintextFiles is the local source,
  • ciphertextFiles is the local destination.

With task :cloudKmsDecrypt

  • ciphertextFiles is the remote source,
  • plaintextFiles is the remote destination.
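The task semantics above (index-paired lists, encrypt locally, decrypt remotely, a destination only written when it is empty) as a Python model added here for illustration; it is not the plugin's code. It assumes that a missing destination counts as empty, that the parent directory of a destination is created before writing, and that kmsKeyPath is a full CryptoKey resource name handed to gcloud's --key flag. copy_runner is a constructed stand-in for the gcloud call: it copies bytes and encrypts nothing, so the example runs offline; gcloud_runner is what a real run would use.

```python
# Added example: a model of :cloudKmsEncrypt / :cloudKmsDecrypt file handling.
# Not the plugin's source; see the lead-in for the assumptions made here.
import os
import subprocess
import tempfile
from typing import Callable, List, Sequence, Tuple

Runner = Callable[[Sequence[str]], int]


def gcloud_runner(argv: Sequence[str]) -> int:
    """Invoke the real Google Cloud CLI and return its exit status."""
    return subprocess.run(list(argv), check=False).returncode


def copy_runner(argv: Sequence[str]) -> int:
    """Constructed stand-in for gcloud used to run offline: copies the source
    file to the destination unchanged. It performs NO encryption."""
    opts = dict(a.lstrip("-").split("=", 1) for a in argv[3:])
    if argv[2] == "encrypt":
        src, dst = opts["plaintext-file"], opts["ciphertext-file"]
    else:
        src, dst = opts["ciphertext-file"], opts["plaintext-file"]
    with open(src, "rb") as f_in, open(dst, "wb") as f_out:
        f_out.write(f_in.read())
    return 0


def kms_argv(direction: str, kms_key_path: str, src: str, dst: str) -> List[str]:
    """Build the gcloud command line; kms_key_path is the full CryptoKey name."""
    if direction == "encrypt":
        return ["gcloud", "kms", "encrypt", f"--key={kms_key_path}",
                f"--plaintext-file={src}", f"--ciphertext-file={dst}"]
    if direction == "decrypt":
        return ["gcloud", "kms", "decrypt", f"--key={kms_key_path}",
                f"--ciphertext-file={src}", f"--plaintext-file={dst}"]
    raise ValueError(f"unknown direction: {direction}")


def is_empty(path: str) -> bool:
    """Assumption: a missing destination counts as empty, as does size 0."""
    return not os.path.exists(path) or os.path.getsize(path) == 0


def sync_files(direction: str, kms_key_path: str, plaintext_files: Sequence[str],
               ciphertext_files: Sequence[str], run: Runner = gcloud_runner
               ) -> Tuple[List[str], List[str]]:
    """Process every pair; return (destinations written, destinations skipped)."""
    if not kms_key_path:
        raise ValueError("kmsKeyPath is not set")
    if len(plaintext_files) != len(ciphertext_files):
        raise ValueError("plaintextFiles and ciphertextFiles must match in length")
    if direction == "encrypt":          # local: plaintext -> ciphertext
        pairs = list(zip(plaintext_files, ciphertext_files))
    elif direction == "decrypt":        # remote: ciphertext -> plaintext
        pairs = list(zip(ciphertext_files, plaintext_files))
    else:
        raise ValueError(f"unknown direction: {direction}")
    written, skipped = [], []
    for src, dst in pairs:
        if not os.path.isfile(src):
            raise FileNotFoundError(f"{direction} source missing: {src}")
        if not is_empty(dst):           # never clobber a non-empty destination
            skipped.append(dst)
            continue
        os.makedirs(os.path.dirname(dst) or ".", exist_ok=True)  # assumption
        rc = run(kms_argv(direction, kms_key_path, src, dst))
        if rc != 0:
            raise RuntimeError(f"gcloud exited with status {rc} for {src}")
        written.append(dst)
    return written, skipped


def demo() -> dict:
    """Round trip in a temp dir with the offline stand-in: encrypt, re-run
    (skipped), blank the plaintext as a fresh checkout would, then decrypt."""
    key = "projects/PROJECT_ID/locations/global/keyRings/KEY_RING/cryptoKeys/KEY"
    with tempfile.TemporaryDirectory() as tmp:
        plain = [os.path.join(tmp, "keystore.properties")]
        cipher = [os.path.join(tmp, "credentials", "keystore.properties.enc")]
        with open(plain[0], "w") as f:  # constructed sample, not a real secret
            f.write("storePassword=example-placeholder\n")
        first = sync_files("encrypt", key, plain, cipher, run=copy_runner)
        second = sync_files("encrypt", key, plain, cipher, run=copy_runner)
        open(plain[0], "w").close()     # remote side: plaintext is empty
        third = sync_files("decrypt", key, plain, cipher, run=copy_runner)
        with open(plain[0]) as f:
            restored = f.read()
        try:
            sync_files("encrypt", key, plain, [], run=copy_runner)
            mismatch_rejected = False
        except ValueError:
            mismatch_rejected = True
    return {"encrypted": len(first[0]), "skipped_on_rerun": len(second[1]),
            "decrypted": len(third[0]),
            "restored": restored.startswith("storePassword="),
            "mismatch_rejected": mismatch_rejected}


if __name__ == "__main__":
    print(demo())
```

Swapping copy_runner for gcloud_runner turns the model into real calls against the configured key; the skip rule is what makes a repeated :cloudKmsEncrypt safe to run, since an already populated .enc file is left alone rather than re-encrypted under a new nonce.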

Known Issues

  • In case the key cannot be found, gcloud reports:

ERROR: (gcloud.kms.encrypt) NOT_FOUND: CryptoKey projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY not found.

It may help to switch the account and/or the project ID:

gcloud auth login
gcloud projects list
gcloud config set project PROJECT_ID

One can also list the key rings and keys available in a project:

gcloud kms keyrings list --location=global
gcloud kms keys list --keyring=projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING


MIT License