<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">C.J.,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pub/Sub &amp; Data Flow would require us to have a larger “footprint” on-prem than we wanted. We want to keep our on-prem environment as small as possible. Additionally, most of our data will be transferred using flat files that do not lend
themselves to being sent via pub-sub.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For the on-prem encrypting, could I have the GKE container(s) shell out to GnuPG to do the encrypting and then “send” the encrypted file to Cloud Storage? Would I then use Secret Manager or Cloud KMS to store my keys, or would there be
a way to use Kleopatra?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We need to encrypt the data at all stages because it contains PII information and we don’t want it un-encrypted at any stage, especially when it is being sent to GCP.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">David<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> C.J. Collier &lt;cjac@colliertech.org&gt;<br>
<b>Sent:</b> Tuesday, August 16, 2022 4:29 PM<br>
<b>To:</b> David Gordon &lt;DavidWGordon1011@outlook.com&gt;<br>
<b>Cc:</b> gnupg-users@gnupg.org<br>
<b>Subject:</b> Re: GNUPG and Google Cloud<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi David,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I would take a look at Secret Manager[1] as a way to store your private key material confidentially. Perhaps consider Cloud Run[2] as a mechanism for execution of arbitrary code, in this case for instance with the encryption/decryption
pipeline using the python runtime and python-gnupg[3] library.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">You might instead find Cloud Pub/Sub[4] and Dataflow[5] to be useful for streaming the data from your on-prem environment to GCS, and from GCS to BigQuery.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In short, yes, there are a variety of ways to perform the steps that you're talking about on GCP. You should be able to develop a proof of concept on a small scale while staying within the limits of the free tier[6]. I'm not quite clear
on why you would want to encrypt the data when you will eventually decrypt it for storage into BigQuery, but yes, it is feasible.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">C.J.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">[1] <a href="https://cloud.google.com/secret-manager">https://cloud.google.com/secret-manager</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[2] <a href="https://cloud.google.com/run">https://cloud.google.com/run</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[3] <a href="https://pypi.org/project/python-gnupg/">https://pypi.org/project/python-gnupg/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[4] <a href="https://cloud.google.com/pubsub">https://cloud.google.com/pubsub</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[5] <a href="https://cloud.google.com/dataflow">https://cloud.google.com/dataflow</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[6] <a href="https://cloud.google.com/free">https://cloud.google.com/free</a><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, Aug 16, 2022 at 11:33 AM David Gordon &lt;<a href="mailto:DavidWGordon1011@outlook.com">DavidWGordon1011@outlook.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">CJ,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We were looking for a server-less solution. What we want to do is take data from a legacy mainframe system, encrypt it via PGP, and then via GKE transfer it to Cloud Storage. From
there we want to decrypt it via GnuPG, save it in Cloud Storage and then load it into Big Query.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">David
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> C.J. Collier &lt;<a href="mailto:cjac@colliertech.org" target="_blank">cjac@colliertech.org</a>&gt;
<br>
<b>Sent:</b> Tuesday, August 16, 2022 10:23 AM<br>
<b>To:</b> David Gordon &lt;<a href="mailto:DavidWGordon1011@outlook.com" target="_blank">DavidWGordon1011@outlook.com</a>&gt;<br>
<b>Cc:</b> <a href="mailto:gnupg-users@gnupg.org" target="_blank">gnupg-users@gnupg.org</a><br>
<b>Subject:</b> Re: GNUPG and Google Cloud<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi there!<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Are you looking for a server-less solution or will a Debian instance on GCE or GKE suffice?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">You can "deploy" GNUPG with apt-get. Decrypting content would require getting a private key or an agent onto the system.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Can you give more details about what you're looking for?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">C.J. in Cloud Support, Seattle<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">GCP Technical Solutions Engineer<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Tue, Aug 16, 2022, 05:49 David Gordon via Gnupg-users &lt;<a href="mailto:gnupg-users@gnupg.org" target="_blank">gnupg-users@gnupg.org</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Can GnuPG be deployed to GCP to decrypt files? If so, is there a recommended approach?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">David<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">_______________________________________________<br>
Gnupg-users mailing list<br>
<a href="mailto:Gnupg-users@gnupg.org" target="_blank">Gnupg-users@gnupg.org</a><br>
<a href="https://lists.gnupg.org/mailman/listinfo/gnupg-users" target="_blank">https://lists.gnupg.org/mailman/listinfo/gnupg-users</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
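<p class="MsoNormal">The on-prem encrypt step and the cloud-side decrypt step discussed in this thread, as an added example that is not from any of the participants: it shells out to gpg with a throwaway keyring, so the on-prem side only ever holds the public key. Assumptions: the function names are hypothetical, each key is passed in as bytes already read from wherever it is stored (for instance Secret Manager for the private key), the private key has no passphrase, and the upload to Cloud Storage is left out.</p>

```python
import subprocess
import tempfile

# Options shared by every call: no prompts, no TTY, overwrite the output file.
BASE = ["gpg", "--batch", "--yes", "--no-tty"]


def encrypt_argv(home, recipient_fpr, src, dst):
    """gpg command line for the on-prem side, which holds only the public key."""
    # A freshly imported key has no ownertrust, so batch mode would refuse it;
    # "--trust-model always" is acceptable here because the caller pins the
    # recipient by full fingerprint and the keyring contains that one key.
    return BASE + ["--homedir", home, "--trust-model", "always",
                   "--recipient", recipient_fpr,
                   "--output", dst, "--encrypt", src]


def decrypt_argv(home, src, dst):
    """gpg command line for the cloud side, which holds the private key."""
    return BASE + ["--homedir", home, "--output", dst, "--decrypt", src]


def _run_with_key(key_bytes, make_argv):
    """Import one key into a throwaway keyring, run gpg, discard the keyring."""
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700
        try:
            subprocess.run(BASE + ["--homedir", home, "--import"],
                           input=key_bytes, check=True, capture_output=True)
            subprocess.run(make_argv(home), check=True, capture_output=True)
        finally:
            # Stop the agent gpg started for this homedir before it is deleted,
            # so no process keeps the key material in memory afterwards.
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                           check=False, capture_output=True)


def encrypt_file(public_key, recipient_fpr, src, dst):
    """On-prem: encrypt src to dst for recipient_fpr using only the public key."""
    _run_with_key(public_key, lambda h: encrypt_argv(h, recipient_fpr, src, dst))


def decrypt_file(private_key, src, dst):
    """Cloud: decrypt src to dst; private_key is the exported secret key bytes."""
    _run_with_key(private_key, lambda h: decrypt_argv(h, src, dst))
```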
</body>
</html>