chrisfrank/certmagic-gcs
Certmagic Storage Backend for Google Cloud Storage

This library lets you use Google Cloud Storage as the key/certificate storage backend for your Certmagic-enabled HTTPS server. To protect your keys from unwanted attention, the stored objects can be encrypted client-side before they reach the bucket.

Usage

In this section, we create a Caddy config that uses GCS as its storage backend.

Getting started

  1. Create a Caddyfile

```
{
	storage gcs {
		bucket some-bucket
	}
}
localhost
acme_server
respond "Hello Caddy Storage GCS!"
```

  2. Start the GCS emulator

```sh
docker run -d \
  -p 9023:9023 \
  --name gcp-storage-emulator \
  oittaa/gcp-storage-emulator \
  start --default-bucket=some-bucket --port 9023 --in-memory

export STORAGE_EMULATOR_HOST=http://localhost:9023
```

  3. Start Caddy

```sh
xcaddy run
```

  4. Check that it works

```sh
open https://localhost
```

Client Side Encryption

This module supports client-side encryption using Google Tink, which gives you a simple way to choose the encryption algorithm and handle key rotation. To get started:

  1. Install tinkey

  2. Create a keyset

```sh
tinkey create-keyset --key-template AES128_GCM_RAW --out keyset.json
```

Here is an example keyset.json:

```json
{
  "primaryKeyId": 1818673287,
  "key": [
    {
      "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
        "value": "GhDEQ/4v72esAv3rbwZyS+ls",
        "keyMaterialType": "SYMMETRIC"
      },
      "status": "ENABLED",
      "keyId": 1818673287,
      "outputPrefixType": "RAW"
    }
  ]
}
```
  3. Start Caddy with the following config

```
{
  storage gcs {
    bucket-name some-bucket
    encryption-key-set ./keyset.json
  }
}
localhost
acme_server
respond "Hello Caddy Storage GCS!"
```

```sh
# restart the fake GCS backend to start with an empty bucket
docker restart gcp-storage-emulator

# start caddy
xcaddy run

# to rotate the keyset
tinkey rotate-keyset --in keyset.json --key-template AES128_GCM_RAW
```
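The example below is added here and is not code from the certmagic-gcs module. It uses only Go's standard library, standing in for the Tink library the module actually calls, to show what the keyset above means: it parses the README's keyset.json, unwraps the AES-128 key from the serialized AesGcmKey proto carried in keyData.value, seals and opens objects the way a RAW-prefix AEAD does (nonce followed by the AES-GCM output, no key-id prefix, so decryption tries each ENABLED key in turn), and mirrors `tinkey rotate-keyset` by adding a new primary key while leaving the old one ENABLED so objects stored earlier still decrypt. The names Keyset, Key, KeyData, ParseKeyset, Encrypt, Decrypt and Rotate are this example's own, not the module's API, and the proto layout it relies on (zero-valued version field omitted, key_value in field 3) is an assumption about Tink's AesGcmKey message that the README's own value bytes happen to confirm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ReadmeKeyset is the keyset.json printed in the README: a published demo key, usable here and nowhere else.
const ReadmeKeyset = `{"primaryKeyId":1818673287,"key":[{"keyData":{"typeUrl":
 "type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GhDEQ/4v72esAv3rbwZyS+ls",
 "keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":1818673287,"outputPrefixType":"RAW"}]}`

// Subset of Tink's JSON keyset layout, matching the fields shown in the README (example types, not the module's).
type KeyData struct {
	TypeURL string `json:"typeUrl"`
	Value   string `json:"value"` // base64 of the serialized AesGcmKey proto
}
type Key struct {
	KeyData          KeyData `json:"keyData"`
	Status           string  `json:"status"`
	KeyID            uint32  `json:"keyId"`
	OutputPrefixType string  `json:"outputPrefixType"`
}
type Keyset struct {
	PrimaryKeyID uint32 `json:"primaryKeyId"`
	Key          []Key  `json:"key"`
}

func ParseKeyset(data []byte) (*Keyset, error) {
	ks := &Keyset{}
	return ks, json.Unmarshal(data, ks)
}

// aeadFor unwraps keyData.value (assumed layout: proto3 omits the zero version field,
// leaving only field 3 key_value, i.e. tag 0x1a, one-byte length, then the raw key).
func aeadFor(k Key) (cipher.AEAD, error) {
	raw, err := base64.StdEncoding.DecodeString(k.KeyData.Value)
	if err != nil || len(raw) < 2 || raw[0] != 0x1a || int(raw[1]) != len(raw)-2 {
		return nil, fmt.Errorf("key %d: unexpected AesGcmKey encoding: %v", k.KeyID, err)
	}
	block, err := aes.NewCipher(raw[2:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals with the primary key; RAW prefix type means the object is just nonce || AES-GCM output.
func (ks *Keyset) Encrypt(pt []byte) ([]byte, error) {
	for _, k := range ks.Key {
		if k.KeyID != ks.PrimaryKeyID || k.Status != "ENABLED" {
			continue
		}
		g, err := aeadFor(k)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, g.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return g.Seal(nonce, nonce, pt, nil), nil
	}
	return nil, errors.New("no ENABLED primary key in keyset")
}

// Decrypt tries every ENABLED key (the only option without a key-id prefix); DISABLED keys are never tried.
func (ks *Keyset) Decrypt(ct []byte) ([]byte, error) {
	for _, k := range ks.Key {
		g, err := aeadFor(k)
		if k.Status != "ENABLED" || err != nil || len(ct) < g.NonceSize() {
			continue
		}
		if pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("no ENABLED key authenticates this ciphertext")
}

// Rotate mirrors `tinkey rotate-keyset`: add a fresh AES-128-GCM key, make it primary, keep the old key ENABLED.
func (ks *Keyset) Rotate() error {
	buf := make([]byte, 20) // 16 key bytes followed by 4 bytes of random key id
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	proto := append([]byte{0x1a, 16}, buf[:16]...) // key_value, field 3, length 16
	ks.PrimaryKeyID = uint32(buf[16])<<24 | uint32(buf[17])<<16 | uint32(buf[18])<<8 | uint32(buf[19])
	ks.Key = append(ks.Key, Key{
		KeyData: KeyData{TypeURL: "type.googleapis.com/google.crypto.tink.AesGcmKey",
			Value: base64.StdEncoding.EncodeToString(proto)},
		Status: "ENABLED", KeyID: ks.PrimaryKeyID, OutputPrefixType: "RAW",
	})
	return nil
}
```

The operational point this makes visible: after `tinkey rotate-keyset` the old key stays ENABLED in keyset.json, and that is what keeps certificates written before the rotation readable. If you later disable or delete that key, every object sealed under it becomes unreadable until it has been loaded and stored again under the new primary, so retire old keys only after the bucket has been re-encrypted.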

About

GCS storage for Certmagic
