GCP Cloud Key Management KMS module

[eadmundo]

RONSEAL

Note:

https://github.com/autotelic/envelope-encryptor/issues/54 is higher priority

We would like ultimately to support GCP. This will look something like:

• a module that exports a function e.g. gcpKms(configObject)
• when instantiated with config for GCP, returns an object with getDataKey and decryptDataKey properties
• getDataKey returns a promise which when resolved gives an object with the encrypted data key and plaintext data key. e.g.

  const { encryptedKey, plaintextKey } = await getDataKey()

• decryptDataKey takes an encrypted data key and returns a promise that resolves to the plaintext data key to be used for decryption e.g.

  const dataKey = await decryptDataKey(key)

client library: https://cloud.google.com/nodejs/docs/reference/kms/latest

[eadmundo]

I don't think GCP has a generateDataKey equivalent, so we will need to generate our own and then encrypt it ourselves using the KEK (as per https://cloud.google.com/kms/docs/envelope-encryption which advises generating a DEK locally).