- It encrypts and decrypts multiple files with Cloud KMS.
- It only overwrites destination files when they're empty.

The plugin source code can be swiftly installed into any Android Gradle project with `git clone`:

```shell
git clone https://github.com/syslogic/google-cloud-kms-gradle-plugin.git ./buildSrc
```

The plugin depends on the Google Cloud CLI `gcloud` command.

A) The plugin can either be set up in the `buildscript` block of the root project's `build.gradle`:

```groovy
buildscript {
    repositories {
        maven { url 'https://jitpack.io' }
    }
    dependencies {
        classpath 'io.syslogic:google-cloud-kms-gradle-plugin:1.0.0'
    }
}
```

B) Or the repository has to be defined in the root project's `settings.gradle`:

```groovy
pluginManagement {
    repositories {
        gradlePluginPortal()
        maven { url 'https://jitpack.io' }
    }
}
```

Then it can be loaded in the `plugins` block of the root project's `build.gradle`:

```groovy
plugins {
    id 'io.syslogic.cloudkms' version '1.0.0' apply false
}
```

C) Finally, it has to be applied in the module's `build.gradle`:

```groovy
plugins {
    id 'io.syslogic.cloudkms'
}
```

The `CloudKmsExtension` can be configured with the following properties:

| Property | Default |
|---|---|
| `String kmsKeyPath` | `null` |
| `String[] plaintextFiles` | `[]` |
| `String[] ciphertextFiles` | `[]` |

The properties `plaintextFiles` and `ciphertextFiles` must match; they are used for both directions.

```groovy
/** Google Cloud KMS */
cloudKms {

    // The leading underscore is required due to the CloudBuild environment.
    kmsKeyPath = System.getenv('_CLOUD_KMS_KEY_PATH')

    // local files to be ignored by version control:
    plaintextFiles = [
        /* 0 */ System.getProperty("user.home") + File.separator + ".android" + File.separator + "debug.keystore",
        /* 1 */ System.getProperty("user.home") + File.separator + ".android" + File.separator + "release.keystore",
        /* 2 */ getRootDir().absolutePath + File.separator + 'keystore.properties',
        /* 3 */ getRootDir().absolutePath + File.separator + 'credentials/google-service-account.json',
        /* 4 */ getProjectDir().absolutePath + File.separator + 'google-services.json'
    ]

    // encrypted files can be checked in to version control:
    ciphertextFiles = [
        /* 0 */ getRootDir().absolutePath + File.separator + 'credentials/debug.keystore.enc',
        /* 1 */ getRootDir().absolutePath + File.separator + 'credentials/release.keystore.enc',
        /* 2 */ getRootDir().absolutePath + File.separator + 'credentials/keystore.properties.enc',
        /* 3 */ getRootDir().absolutePath + File.separator + 'credentials/google-service-account.json.enc',
        /* 4 */ getRootDir().absolutePath + File.separator + 'credentials/google-services.json.enc'
    ]
}
```

- `:cloudKmsEncrypt` is meant to run locally, in order to encrypt relevant files. Once that is done, the encrypted files can be checked in to version control.
- `:cloudKmsDecrypt` is meant to run remotely, in order to decrypt relevant files. The encrypted files will come from version control.

With task `:cloudKmsEncrypt`, `plaintextFiles` is the local source and `ciphertextFiles` is the local destination.

With task `:cloudKmsDecrypt`, `ciphertextFiles` is the remote source and `plaintextFiles` is the remote destination.

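The pairing and overwrite rules described above, written out as the equivalent manual `gcloud kms decrypt` calls. This is an added example, not the plugin's own code: the function name `kms_decrypt_pairs` and its status lines are assumptions, and the plugin's implementation may differ in detail.

```shell
#!/bin/sh
# Added sketch, not the plugin's source. kms_decrypt_pairs is a hypothetical name.
# usage: kms_decrypt_pairs KEY_PATH CIPHERTEXT PLAINTEXT [CIPHERTEXT PLAINTEXT ...]
# Prints one status line per pair; returns non-zero if any pair failed.
kms_decrypt_pairs() {
    key_path=${1:-}
    [ $# -gt 0 ] && shift
    if [ -z "$key_path" ]; then
        echo "error: key path is empty (is _CLOUD_KMS_KEY_PATH set?)" >&2
        return 2
    fi
    # Sources and destinations are paired by position, so the count must be even.
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "error: ciphertext and plaintext lists do not match" >&2
        return 2
    fi
    failed=0
    while [ $# -gt 0 ]; do
        src=$1; dst=$2; shift 2
        if [ ! -f "$src" ]; then
            echo "missing $src"; failed=1; continue
        fi
        # -s is true for an existing, non-empty file: never overwrite it.
        if [ -s "$dst" ]; then
            echo "skipped $dst"; continue
        fi
        mkdir -p "$(dirname "$dst")"
        # umask 077: a newly created plaintext file is readable by its owner only.
        if (umask 077; gcloud kms decrypt --key="$key_path" \
                --ciphertext-file="$src" --plaintext-file="$dst"); then
            echo "decrypted $dst"
        else
            echo "failed $dst"; failed=1
        fi
    done
    return "$failed"
}
```
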
- In case the key cannot be found:

  ```
  ERROR: (gcloud.kms.encrypt) NOT_FOUND: CryptoKey projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY not found.
  ```

  It may help to switch the account ID and/or the project ID.

  ```shell
  gcloud auth login
  gcloud projects list
  gcloud config set project PROJECT_ID
  ```

  One can also list all the available keys of a project.

  ```shell
  gcloud kms keyrings list --location=global
  gcloud kms keys list --keyring=projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING
  ```