bartprokop
diff --git a/‎cloud-sql/mysql/client-side-encryption/example.envrc‎
Lines changed: 16 additions & 0 deletions b/‎cloud-sql/mysql/client-side-encryption/example.envrc‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎cloud-sql/mysql/client-side-encryption/pom.xml‎
Lines changed: 1 addition & 0 deletions b/‎cloud-sql/mysql/client-side-encryption/pom.xml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudKmsEnvelopeAead.java‎
Lines changed: 3 additions & 1 deletion b/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudKmsEnvelopeAead.java‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudSqlConnectionPool.java‎
Lines changed: 1 addition & 2 deletions b/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/CloudSqlConnectionPool.java‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/EncryptAndInsertData.java‎
Lines changed: 6 additions & 1 deletion b/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/EncryptAndInsertData.java‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/QueryAndDecryptData.java‎
Lines changed: 6 additions & 1 deletion b/‎cloud-sql/mysql/client-side-encryption/src/main/java/cloudsql/tink/QueryAndDecryptData.java‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cloud-sql/postgres/client-side-encryption/README.md‎
Lines changed: 40 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/README.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/example.envrc‎
Lines changed: 22 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/example.envrc‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/pom.xml‎
Lines changed: 102 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/pom.xml‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/src/main/java/cloudsql/tink/CloudKmsEnvelopeAead.java‎
Lines changed: 46 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/src/main/java/cloudsql/tink/CloudKmsEnvelopeAead.java‎
Lines changed: 46 additions & 0 deletions
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 GOOGLE_APPLICATION_CREDENTIALS='path/to/service-account-key.json'
 DB_USER='your-database-username'
 DB_PASS='your-database-password'
 
@@ -84,6 +84,7 @@
       <artifactId>HikariCP</artifactId>
       <version>4.0.2</version>
     </dependency>
+
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
 
@@ -37,7 +37,9 @@ public static Aead get(String kmsUri) throws GeneralSecurityException {
     // Create an AEAD primitive using the Cloud KMS key
     Aead gcpAead = client.getAead(kmsUri);
 
-    // Create an envelope AEAD primitive
+    // Create an envelope AEAD primitive.
+    // This key should only be used for client-side encryption to ensure authenticity and integrity
+    // of data.
     return new KmsEnvelopeAead(AeadKeyTemplates.AES128_GCM, gcpAead);
   }
 }
 
@@ -20,7 +20,6 @@
 
 import com.zaxxer.hikari.HikariConfig;
 import com.zaxxer.hikari.HikariDataSource;
-import java.security.GeneralSecurityException;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.SQLException;
@@ -29,7 +28,7 @@
 public class CloudSqlConnectionPool {
 
   public static DataSource createConnectionPool(String dbUser, String dbPass, String dbName,
-      String cloudSqlConnectionName) throws GeneralSecurityException {
+      String cloudSqlConnectionName) {
     HikariConfig config = new HikariConfig();
     config.setJdbcUrl(String.format("jdbc:mysql:///%s", dbName));
     config.setUsername(dbUser);
 
@@ -38,6 +38,9 @@ public static void main(String[] args) throws GeneralSecurityException, SQLExcep
     String cloudSqlConnectionName =
         System.getenv("CLOUD_SQL_CONNECTION_NAME"); // e.g. "project-name:region:instance-name"
     String kmsUri = System.getenv("CLOUD_KMS_URI"); // e.g. "gcp-kms://projects/...path/to/key
+    // Tink uses the "gcp-kms://" prefix for paths to keys stored in Google Cloud KMS. For more
+    // info on creating a KMS key and getting its path, see
+    // https://cloud.google.com/kms/docs/quickstart
 
     String team = "TABS";
     String tableName = "votes";
@@ -68,7 +71,9 @@ public static void encryptAndInsertData(DataSource pool, Aead envAead, String ta
         voteStmt.setTimestamp(2, new Timestamp(new Date().getTime()));
 
         // Use the envelope AEAD primitive to encrypt the email, using the team name as
-        // associated data
+        // associated data. Encryption with associated data ensures authenticity
+        // (who the sender is) and integrity (the data has not been tampered with) of that
+        // data, but not its secrecy. (see RFC 5116 for more info)
         byte[] encryptedEmail = envAead.encrypt(email.getBytes(), team.getBytes());
         voteStmt.setBytes(3, encryptedEmail);
 
 
@@ -38,6 +38,9 @@ public static void main(String[] args) throws GeneralSecurityException, SQLExcep
     String cloudSqlConnectionName =
         System.getenv("CLOUD_SQL_CONNECTION_NAME"); // e.g. "project-name:region:instance-name"
     String kmsUri = System.getenv("CLOUD_KMS_URI"); // e.g. "gcp-kms://projects/...path/to/key
+    // Tink uses the "gcp-kms://" prefix for paths to keys stored in Google Cloud KMS. For more
+    // info on creating a KMS key and getting its path, see
+    // https://cloud.google.com/kms/docs/quickstart
 
     String tableName = "votes123";
 
@@ -74,7 +77,9 @@ public static void queryAndDecryptData(DataSource pool, Aead envAead, String tab
           Timestamp timeCast = voteResults.getTimestamp(2);
 
           // Use the envelope AEAD primitive to decrypt the email, using the team name as
-          // associated data
+          // associated data. Encryption with associated data ensures authenticity
+          // (who the sender is) and integrity (the data has not been tampered with) of that
+          // data, but not its secrecy. (see RFC 5116 for more info)
           String email = new String(envAead.decrypt(voteResults.getBytes(3), team.getBytes()));
 
           System.out.println(String.format("%s\t%s\t%s", team, timeCast, email));
 
@@ -0,0 +1,40 @@
+# Encrypting fields in Cloud SQL - Postgres with Tink
+
+## Before you begin
+
+1. If you haven't already, set up a Java Development Environment (including google-cloud-sdk and
+maven utilities) by following the [java setup guide](https://cloud.google.com/java/docs/setup) and
+[create a project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project).
+
+1. Create a 2nd Gen Cloud SQL Instance by following these 
+[instructions](https://cloud.google.com/sql/docs/postgres/create-instance). Note the connection string,
+database user, and database password that you create.
+
+1. Create a database for your application by following these 
+[instructions](https://cloud.google.com/sql/docs/postgres/create-manage-databases). Note the database
+name.
+
+1. Create a KMS key for your application by following these
+[instructions](https://cloud.google.com/kms/docs/creating-keys). Copy the resource name of your
+created key.
+
+1. Create a service account with the 'Cloud SQL Client' permissions by following these 
+[instructions](https://cloud.google.com/sql/docs/postgres/connect-external-app#4_if_required_by_your_authentication_method_create_a_service_account).
+Then, add the 'Cloud KMS CryptoKey Encrypter/Decrypter' permission for the key to your service account 
+by following these [instructions](https://cloud.google.com/kms/docs/iam).
+
+## Running Locally
+
+Before running, copy the `example.envrc` file to `.envrc` and replace the values for 
+`GOOGLE_APPLICATION_CREDENTIALS`, `DB_USER`, `DB_PASS`, `DB_NAME`, `CLOUD_SQL_CONNECTION_NAME`,
+and `CLOUD_KMS_URI` with the values from your project. Then run `source .envrc` or optionally use 
+[direnv](https://direnv.net/).
+
+Once the environment variables have been set, run:
+```
+mvn exec:java -Dexec.mainClass=cloudsql.tink.EncryptAndInsertData
+```
+and 
+```
+mvn exec:java -Dexec.mainClass=cloudsql.tink.QueryAndDecryptData
+```
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+GOOGLE_APPLICATION_CREDENTIALS='path/to/service-account-key.json'
+DB_USER='your-database-username'
+DB_PASS='your-database-password'
+DB_NAME='your_database_name'
+CLOUD_SQL_CONNECTION_NAME='project:region:instance-name'
+CLOUD_KMS_URI='gcp-kms://your-kms-uri`
@@ -0,0 +1,102 @@
+<!--
+  Copyright 2021 Google LLC
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <packaging>jar</packaging>
+  <version>1.0-SNAPSHOT</version>
+  <groupId>com.google.cloud</groupId>
+  <artifactId>cloud-sql-tink-postgres</artifactId>
+  <name>Cloud SQL Client Side Encryption Samples</name>
+
+  <!--
+    The parent pom defines common style checks and testing strategies for our samples.
+    Removing or replacing it should not affect the execution of the samples in anyway.
+  -->
+  <parent>
+    <groupId>com.google.cloud.samples</groupId>
+    <artifactId>shared-configuration</artifactId>
+    <version>1.0.21</version>
+  </parent>
+
+  <properties>
+    <maven.compiler.target>1.8</maven.compiler.target>
+    <maven.compiler.source>1.8</maven.compiler.source>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+        <dependency>
+          <groupId>com.google.cloud</groupId>
+          <artifactId>libraries-bom</artifactId>
+          <version>18.0.0</version>
+          <type>pom</type>
+          <scope>import</scope>
+        </dependency>
+      <dependency>
+        <groupId>com.google.api-client</groupId>
+        <artifactId>google-api-client</artifactId>
+        <version>1.31.3</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.google.http-client</groupId>
+      <artifactId>google-http-client-jackson2</artifactId>
+      <version>1.39.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.cloud.sql</groupId>
+      <artifactId>postgres-socket-factory</artifactId>
+      <version>1.2.1</version>
+    </dependency>
+        <dependency>
+      <groupId>org.postgresql</groupId>
+      <artifactId>postgresql</artifactId>
+      <version>42.2.19</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.crypto.tink</groupId>
+      <artifactId>tink</artifactId>
+      <version>1.5.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.crypto.tink</groupId>
+      <artifactId>tink-gcpkms</artifactId>
+      <version>1.5.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.zaxxer</groupId>
+      <artifactId>HikariCP</artifactId>
+      <version>4.0.2</version>
+    </dependency>
+
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.google.truth</groupId>
+      <artifactId>truth</artifactId>
+      <version>1.1.2</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+</project>
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cloudsql.tink;
+
+// [START cloud_sql_postgres_cse_key]
+
+import com.google.crypto.tink.Aead;
+import com.google.crypto.tink.KmsClient;
+import com.google.crypto.tink.aead.AeadConfig;
+import com.google.crypto.tink.aead.AeadKeyTemplates;
+import com.google.crypto.tink.aead.KmsEnvelopeAead;
+import com.google.crypto.tink.integration.gcpkms.GcpKmsClient;
+import java.security.GeneralSecurityException;
+
+public class CloudKmsEnvelopeAead {
+
+  public static Aead get(String kmsUri) throws GeneralSecurityException {
+    AeadConfig.register();
+
+    // Create a new KMS Client
+    KmsClient client = new GcpKmsClient().withDefaultCredentials();
+
+    // Create an AEAD primitive using the Cloud KMS key
+    Aead gcpAead = client.getAead(kmsUri);
+
+    // Create an envelope AEAD primitive.
+    // This key should only be used for client-side encryption to ensure authenticity and integrity
+    // of data.
+    return new KmsEnvelopeAead(AeadKeyTemplates.AES128_GCM, gcpAead);
+  }
+}
+// [END cloud_sql_postgres_cse_key]
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,9 @@ public static Aead get(String kmsUri) throws GeneralSecurityException {`
`37`	`37`	`// Create an AEAD primitive using the Cloud KMS key`
`38`	`38`	`Aead gcpAead = client.getAead(kmsUri);`
`39`	`39`
`40`		`- // Create an envelope AEAD primitive`
	`40`	`+ // Create an envelope AEAD primitive.`
	`41`	`+ // This key should only be used for client-side encryption to ensure authenticity and integrity`
	`42`	`+ // of data.`
`41`	`43`	`return new KmsEnvelopeAead(AeadKeyTemplates.AES128_GCM, gcpAead);`
`42`	`44`	`}`
`43`	`45`	`}`