
Reading a KMS encrypted file from Google Cloud Dataflow


I went through this Google Cloud documentation, which mentions that:

Dataflow can access sources and sinks that are protected by Cloud KMS keys without you having to specify the Cloud KMS key of those sources and sinks, as long as you are not creating new objects.

I have a few questions regarding this:

Q.1. Does this mean we don't need to decrypt the encrypted source file within our Beam code? Does Dataflow have this functionality built-in?

Q.2. If the source file is encrypted, will the output file from Dataflow be encrypted by default with the same key (let us say we have a symmetric key)?

Q.3. What are the objects that are being referred to here?

PS: I want to read from an encrypted AVRO file placed in the GCS bucket, apply my Apache Beam Transforms from my code and write an encrypted file back to the bucket.


Solution

  • Cloud Dataflow is a fully managed service where, if encryption is not specified, it automatically applies Cloud KMS encryption. Cloud KMS is a cloud-hosted key management service that can manage both symmetric and asymmetric cryptographic keys.

    For more information you can check this blog.