Refactor KmsKeyring and KmsUpdater to use a centralized serializer

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=151853998
2025-05-14 08:27:14 +02:00 · 2017-03-31 12:27:10 -07:00 · 2017-03-31 12:27:10 -07:00 · bb70fcb66d
commit bb70fcb66d
parent ff9c72097c
7 changed files with 377 additions and 195 deletions
--- a/java/google/registry/keyring/api/KeySerializer.java
+++ b/java/google/registry/keyring/api/KeySerializer.java
@ -0,0 +1,134 @@
 // Copyright 2017 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package google.registry.keyring.api;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.bcpg.HashAlgorithmTags;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
 import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
 import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder;
 /**
 * Collection of tools to serialize / deserialize PGP types.
 *
 * <p>There is no way to serialize / deserialize a PGPPrivateKey on its own, you have to pair it
 * with the public key.
 */
 public final class KeySerializer {
  private KeySerializer() {}
  /**
   * Serialize a PGPPublicKey
   *
   * <p>The reason we're not using {@link PGPPublicKey#getEncoded()} is to use {@link
   * ArmoredOutputStream}.
   */
  public static byte[] serializePublicKey(PGPPublicKey publicKey) throws IOException {
    try (ByteArrayOutputStream byteStream = new ByteArrayOutputStream()) {
      // NOTE: We have to close the ArmoredOutputStream before calling the underlying OutputStream's
      // "toByteArray". Failing to do so would result in a truncated serialization as we took the
      // byte array before the ArmoredOutputStream wrote all the data.
      //
      // Even "flushing" the ArmoredOutputStream isn't enough - as there are parts that are only
      // written by the ArmoredOutputStream when it is closed: the "-----END PGP PRIVATE KEY
      // BLOCK-----" (or similar) footer.
      try (ArmoredOutputStream out = new ArmoredOutputStream(byteStream)) {
        publicKey.encode(out);
      }
      return byteStream.toByteArray();
    }
  }
  /** Deserialize a PGPPublicKey */
  public static PGPPublicKey deserializePublicKey(byte[] serialized) throws IOException {
    return
        new BcPGPPublicKeyRing(
            PGPUtil.getDecoderStream(
                new ByteArrayInputStream(serialized))).getPublicKey();
  }
  /** Serializes a string */
  public static byte[] serializeString(String key) {
    return key.getBytes(UTF_8);
  }
  /** Deserializes a string */
  public static String deserializeString(byte[] serialized) {
    return new String(serialized, UTF_8);
  }
  /**
   * Serialize a PGPKeyPair
   *
   * <p>Use this to serialize a PGPPrivateKey as well (pairing it with the corresponding
   * PGPPublicKey), as private keys can't be serialized on their own.
   */
  public static byte[] serializeKeyPair(PGPKeyPair keyPair) throws IOException, PGPException {
    try (ByteArrayOutputStream byteStream = new ByteArrayOutputStream()) {
      // NOTE: We have to close the ArmoredOutputStream before calling the underlying OutputStream's
      // "toByteArray". Failing to do so would result in a truncated serialization as we took the
      // byte array before the ArmoredOutputStream wrote all the data.
      //
      // Even "flushing" the ArmoredOutputStream isn't enough - as there are parts that are only
      // written by the ArmoredOutputStream when it is closed: the "-----END PGP PRIVATE KEY
      // BLOCK-----" (or similar) footer.
      try (ArmoredOutputStream out = new ArmoredOutputStream(byteStream)) {
        new PGPSecretKey(
            keyPair.getPrivateKey(),
            keyPair.getPublicKey(),
            new JcaPGPDigestCalculatorProviderBuilder()
                .setProvider("BC")
                .build()
                .get(HashAlgorithmTags.SHA256),
            true,
            null).encode(out);
      }
      return byteStream.toByteArray();
    }
  }
  /** Deserialize a PGPKeyPair */
  public static PGPKeyPair deserializeKeyPair(byte[] serialized)
      throws IOException, PGPException {
    PGPSecretKey secretKey =
        new BcPGPSecretKeyRing(
            PGPUtil.getDecoderStream(
                new ByteArrayInputStream(serialized))).getSecretKey();
    return new PGPKeyPair(
        secretKey.getPublicKey(),
        secretKey.extractPrivateKey(createSecretKeyDecryptor()));
  }
  private static PBESecretKeyDecryptor createSecretKeyDecryptor() {
    // There shouldn't be a passphrase on the key
    return new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
        .build(new char[0]);
  }
 }
--- a/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/java/google/registry/keyring/kms/KmsKeyring.java
@ -14,31 +14,23 @@
 package google.registry.keyring.kms;
 import static com.google.common.base.CaseFormat.LOWER_HYPHEN;
 import static com.google.common.base.CaseFormat.UPPER_UNDERSCORE;
 import static com.google.common.base.Preconditions.checkState;
 import static google.registry.keyring.api.PgpHelper.KeyRequirement.ENCRYPT;
 import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import com.googlecode.objectify.Key;
 import google.registry.keyring.api.KeySerializer;
 import google.registry.keyring.api.Keyring;
 import google.registry.keyring.api.KeyringException;
 import google.registry.keyring.api.PgpHelper;
 import google.registry.model.server.KmsSecret;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import javax.inject.Inject;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
 import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
 import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
 import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
 /**
 * A {@link Keyring} implementation which stores encrypted secrets in Datastore and decrypts them
@ -49,22 +41,42 @@ import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
 */
 public class KmsKeyring implements Keyring {
-  static final String BRAINTREE_PRIVATE_KEY_NAME = "braintree-private-key";
+  static enum PrivateKeyLabel {
-  static final String BRDA_RECEIVER_PUBLIC_NAME = "brda-receiver-public";
+    BRDA_SIGNING_PRIVATE,
-  static final String BRDA_SIGNING_PRIVATE_NAME = "brda-signing-private";
+    RDE_SIGNING_PRIVATE,
-  static final String BRDA_SIGNING_PUBLIC_NAME = "brda-signing-public";
+    RDE_STAGING_PRIVATE;
-  static final String ICANN_REPORTING_PASSWORD_NAME = "icann-reporting-password";
+
-  static final String JSON_CREDENTIAL_NAME = "json-credential";
+    String getLabel() {
-  static final String MARKSDB_DNL_LOGIN_NAME = "marksdb-dnl-login";
+      return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
-  static final String MARKSDB_LORDN_PASSWORD_NAME = "marksdb-lordn-password";
+    }
-  static final String MARKSDB_SMDRL_LOGIN_NAME = "marksdb-smdrl-login";
+  }
-  static final String RDE_RECEIVER_PUBLIC_NAME = "rde-receiver-public";
+
-  static final String RDE_SIGNING_PRIVATE_NAME = "rde-signing-private";
+  static enum PublicKeyLabel {
-  static final String RDE_SIGNING_PUBLIC_NAME = "rde-signing-public";
+    BRDA_RECEIVER_PUBLIC,
-  static final String RDE_SSH_CLIENT_PRIVATE_NAME = "rde-ssh-client-private";
+    BRDA_SIGNING_PUBLIC,
-  static final String RDE_SSH_CLIENT_PUBLIC_NAME = "rde-ssh-client-public";
+    RDE_RECEIVER_PUBLIC,
-  static final String RDE_STAGING_PRIVATE_NAME = "rde-staging-private";
+    RDE_SIGNING_PUBLIC,
-  static final String RDE_STAGING_PUBLIC_NAME = "rde-staging-public";
+    RDE_STAGING_PUBLIC;
    String getLabel() {
      return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
    }
  }
  static enum StringKeyLabel {
    BRAINTREE_PRIVATE_KEY_STRING,
    ICANN_REPORTING_PASSWORD_STRING,
    JSON_CREDENTIAL_STRING,
    MARKSDB_DNL_LOGIN_STRING,
    MARKSDB_LORDN_PASSWORD_STRING,
    MARKSDB_SMDRL_LOGIN_STRING,
    RDE_SSH_CLIENT_PRIVATE_STRING,
    RDE_SSH_CLIENT_PUBLIC_STRING;
    String getLabel() {
      return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
    }
  }
  private final KmsConnection kmsConnection;
@ -75,118 +87,101 @@ public class KmsKeyring implements Keyring {
  @Override
  public PGPKeyPair getRdeSigningKey() {
-    return getKeyPair(RDE_SIGNING_PUBLIC_NAME, RDE_SIGNING_PRIVATE_NAME);
+    return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
  }
  @Override
  public PGPPublicKey getRdeStagingEncryptionKey() {
-    return getPublicKeyForEncrypting(RDE_STAGING_PUBLIC_NAME);
+    return getPublicKey(PublicKeyLabel.RDE_STAGING_PUBLIC);
  }
  @Override
  public PGPPrivateKey getRdeStagingDecryptionKey() {
-    return getPrivateKey(RDE_STAGING_PRIVATE_NAME);
+    return getPrivateKey(PrivateKeyLabel.RDE_STAGING_PRIVATE);
  }
  @Override
  public PGPPublicKey getRdeReceiverKey() {
-    return getPublicKeyForEncrypting(RDE_RECEIVER_PUBLIC_NAME);
+    return getPublicKey(PublicKeyLabel.RDE_RECEIVER_PUBLIC);
  }
  @Override
  public PGPKeyPair getBrdaSigningKey() {
-    return getKeyPair(BRDA_SIGNING_PUBLIC_NAME, BRDA_SIGNING_PRIVATE_NAME);
+    return getKeyPair(PrivateKeyLabel.BRDA_SIGNING_PRIVATE);
  }
  @Override
  public PGPPublicKey getBrdaReceiverKey() {
-    return getPublicKeyForEncrypting(BRDA_RECEIVER_PUBLIC_NAME);
+    return getPublicKey(PublicKeyLabel.BRDA_RECEIVER_PUBLIC);
  }
  @Override
  public String getRdeSshClientPublicKey() {
-    return new String(getDecryptedData((RDE_SSH_CLIENT_PUBLIC_NAME)), UTF_8);
+    return getString(StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING);
  }
  @Override
  public String getRdeSshClientPrivateKey() {
-    return new String(getDecryptedData(RDE_SSH_CLIENT_PRIVATE_NAME), UTF_8);
+    return getString(StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING);
  }
  @Override
  public String getIcannReportingPassword() {
-    return new String(getDecryptedData(ICANN_REPORTING_PASSWORD_NAME), UTF_8);
+    return getString(StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING);
  }
  @Override
  public String getMarksdbDnlLogin() {
-    return new String(getDecryptedData(MARKSDB_DNL_LOGIN_NAME), UTF_8);
+    return getString(StringKeyLabel.MARKSDB_DNL_LOGIN_STRING);
  }
  @Override
  public String getMarksdbLordnPassword() {
-    return new String(getDecryptedData(MARKSDB_LORDN_PASSWORD_NAME), UTF_8);
+    return getString(StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING);
  }
  @Override
  public String getMarksdbSmdrlLogin() {
-    return new String(getDecryptedData(MARKSDB_SMDRL_LOGIN_NAME), UTF_8);
+    return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
  }
  @Override
  public String getJsonCredential() {
-    return new String(getDecryptedData(JSON_CREDENTIAL_NAME), UTF_8);
+    return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
  }
  @Override
  public String getBraintreePrivateKey() {
-    return new String(getDecryptedData(BRAINTREE_PRIVATE_KEY_NAME), UTF_8);
+    return getString(StringKeyLabel.BRAINTREE_PRIVATE_KEY_STRING);
  }
  /** No persistent resources are maintained for this Keyring implementation. */
  @Override
  public void close() {}
-  private PGPKeyPair getKeyPair(String publicKeyName, String privateKeyName) {
+  private String getString(StringKeyLabel keyLabel) {
-    try {
+    return KeySerializer.deserializeString(getDecryptedData(keyLabel.getLabel()));
      PGPPublicKey publicKey =
          new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)).getPublicKey();
      return new PGPKeyPair(publicKey, getPrivateKey(privateKeyName));
    } catch (IOException e) {
      throw new KeyringException(
          String.format(
              "Could not parse public key %s and private key %s", publicKeyName, privateKeyName),
          e);
    }
  }
-  private PGPPublicKey getPublicKeyForEncrypting(String publicKeyName) {
+  private PGPKeyPair getKeyPair(PrivateKeyLabel keyLabel) {
    try {
-      return PgpHelper.lookupPublicSubkey(
+      return KeySerializer.deserializeKeyPair(getDecryptedData(keyLabel.getLabel()));
              new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)), ENCRYPT)
          .get();
    } catch (IOException e) {
      throw new KeyringException(String.format("Could not parse public key %s", publicKeyName), e);
    }
  }
  private PGPPrivateKey getPrivateKey(String privateKeyName) {
    try {
      PGPSecretKeyRing privateKeyRing = new BcPGPSecretKeyRing(getPgpInputStream(privateKeyName));
      // There shouldn't be a passphrase on the key
      return privateKeyRing
          .getSecretKey()
          .extractPrivateKey(
              new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
                  .build(new char[0]));
    } catch (IOException | PGPException e) {
      throw new KeyringException(
-          String.format("Could not parse private key %s", privateKeyName), e);
+          String.format("Could not parse private keyLabel %s", keyLabel), e);
    }
  }
-  private InputStream getPgpInputStream(String privateKeyName) throws IOException {
+  private PGPPublicKey getPublicKey(PublicKeyLabel keyLabel) {
-    return PGPUtil.getDecoderStream(new ByteArrayInputStream(getDecryptedData(privateKeyName)));
+    try {
      return KeySerializer.deserializePublicKey(getDecryptedData(keyLabel.getLabel()));
    } catch (IOException e) {
      throw new KeyringException(String.format("Could not parse public keyLabel %s", keyLabel), e);
    }
  }
  private PGPPrivateKey getPrivateKey(PrivateKeyLabel keyLabel) {
    return getKeyPair(keyLabel).getPrivateKey();
  }
  private byte[] getDecryptedData(String keyName) {
--- a/java/google/registry/keyring/kms/KmsUpdater.java
+++ b/java/google/registry/keyring/kms/KmsUpdater.java
@ -16,37 +16,44 @@ package google.registry.keyring.kms;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
-import static google.registry.keyring.kms.KmsKeyring.BRAINTREE_PRIVATE_KEY_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel.BRDA_SIGNING_PRIVATE;
-import static google.registry.keyring.kms.KmsKeyring.BRDA_RECEIVER_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel.RDE_SIGNING_PRIVATE;
-import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel.RDE_STAGING_PRIVATE;
-import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_RECEIVER_PUBLIC;
-import static google.registry.keyring.kms.KmsKeyring.ICANN_REPORTING_PASSWORD_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_SIGNING_PUBLIC;
-import static google.registry.keyring.kms.KmsKeyring.JSON_CREDENTIAL_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
-import static google.registry.keyring.kms.KmsKeyring.MARKSDB_DNL_LOGIN_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
-import static google.registry.keyring.kms.KmsKeyring.MARKSDB_LORDN_PASSWORD_NAME;
+import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
-import static google.registry.keyring.kms.KmsKeyring.MARKSDB_SMDRL_LOGIN_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.BRAINTREE_PRIVATE_KEY_STRING;
-import static google.registry.keyring.kms.KmsKeyring.RDE_RECEIVER_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
-import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
-import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
-import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING;
-import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING;
-import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING;
-import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import com.google.common.collect.ImmutableMap;
 import com.googlecode.objectify.VoidWork;
 import google.registry.keyring.api.KeySerializer;
 import google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel;
 import google.registry.keyring.kms.KmsKeyring.PublicKeyLabel;
 import google.registry.keyring.kms.KmsKeyring.StringKeyLabel;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import javax.inject.Inject;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
 /**
 * The {@link KmsUpdater} accumulates updates to a {@link KmsKeyring} and persists them to KMS and
@ -65,77 +72,56 @@ public final class KmsUpdater {
    this.secretValues = new LinkedHashMap<>();
  }
-  public KmsUpdater setRdeSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
+  public KmsUpdater setRdeSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
-    checkArgumentNotNull(secretKeyRing);
+    return setKeyPair(keyPair, RDE_SIGNING_PRIVATE, RDE_SIGNING_PUBLIC);
    setSecret(RDE_SIGNING_PRIVATE_NAME, checkArgumentNotNull(secretKeyRing).getEncoded());
    setSecret(RDE_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
    return this;
  }
-  public KmsUpdater setRdeStagingKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
+  public KmsUpdater setRdeStagingKey(PGPKeyPair keyPair) throws IOException, PGPException {
-    checkArgumentNotNull(secretKeyRing);
+    return setKeyPair(keyPair, RDE_STAGING_PRIVATE, RDE_STAGING_PUBLIC);
    setSecret(RDE_STAGING_PRIVATE_NAME, secretKeyRing.getEncoded());
    setSecret(RDE_STAGING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
    return this;
  }
-  public KmsUpdater setRdeReceiverPublicKey(PGPPublicKey rdeReceiverPublicKey) throws IOException {
+  public KmsUpdater setRdeReceiverPublicKey(PGPPublicKey publicKey) throws IOException {
-    setSecret(RDE_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(rdeReceiverPublicKey).getEncoded());
+    return setPublicKey(publicKey, RDE_RECEIVER_PUBLIC);
    return this;
  }
-  public KmsUpdater setBrdaSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
+  public KmsUpdater setBrdaSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
-    checkArgumentNotNull(secretKeyRing);
+    return setKeyPair(keyPair, BRDA_SIGNING_PRIVATE, BRDA_SIGNING_PUBLIC);
    setSecret(BRDA_SIGNING_PRIVATE_NAME, secretKeyRing.getEncoded());
    setSecret(BRDA_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
    return this;
  }
  public KmsUpdater setBrdaReceiverPublicKey(PGPPublicKey publicKey) throws IOException {
-    setSecret(BRDA_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(publicKey).getEncoded());
+    return setPublicKey(publicKey, BRDA_RECEIVER_PUBLIC);
    return this;
  }
  public KmsUpdater setRdeSshClientPublicKey(String asciiPublicKey) {
-    setSecret(RDE_SSH_CLIENT_PUBLIC_NAME, checkArgumentNotNull(asciiPublicKey).getBytes(UTF_8));
+    return setString(asciiPublicKey, RDE_SSH_CLIENT_PUBLIC_STRING);
    return this;
  }
  public KmsUpdater setRdeSshClientPrivateKey(String asciiPrivateKey) {
-    setSecret(RDE_SSH_CLIENT_PRIVATE_NAME, checkArgumentNotNull(asciiPrivateKey).getBytes(UTF_8));
+    return setString(asciiPrivateKey, RDE_SSH_CLIENT_PRIVATE_STRING);
    return this;
  }
  public KmsUpdater setIcannReportingPassword(String password) {
-    setSecret(ICANN_REPORTING_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
+    return setString(password, ICANN_REPORTING_PASSWORD_STRING);
    return this;
  }
  public KmsUpdater setMarksdbDnlLogin(String login) {
-    setSecret(MARKSDB_DNL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
+    return setString(login, MARKSDB_DNL_LOGIN_STRING);
    return this;
  }
  public KmsUpdater setMarksdbLordnPassword(String password) {
-    setSecret(MARKSDB_LORDN_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
+    return setString(password, MARKSDB_LORDN_PASSWORD_STRING);
    return this;
  }
  public KmsUpdater setMarksdbSmdrlLogin(String login) {
-    setSecret(MARKSDB_SMDRL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
+    return setString(login, MARKSDB_SMDRL_LOGIN_STRING);
    return this;
  }
  public KmsUpdater setJsonCredential(String credential) {
-    setSecret(JSON_CREDENTIAL_NAME, checkArgumentNotNull(credential).getBytes(UTF_8));
+    return setString(credential, JSON_CREDENTIAL_STRING);
    return this;
  }
  public KmsUpdater setBraintreePrivateKey(String braintreePrivateKey) {
-    setSecret(
+    return setString(braintreePrivateKey, BRAINTREE_PRIVATE_KEY_STRING);
        BRAINTREE_PRIVATE_KEY_NAME, checkArgumentNotNull(braintreePrivateKey).getBytes(UTF_8));
    return this;
  }
  /**
@ -167,6 +153,31 @@ public final class KmsUpdater {
    return encryptedValues.build();
  }
  private KmsUpdater setString(String key, StringKeyLabel stringKeyLabel) {
    checkArgumentNotNull(key);
    setSecret(stringKeyLabel.getLabel(), KeySerializer.serializeString(key));
    return this;
  }
  private KmsUpdater setPublicKey(PGPPublicKey publicKey, PublicKeyLabel publicKeyLabel)
      throws IOException {
    checkArgumentNotNull(publicKey);
    setSecret(publicKeyLabel.getLabel(), KeySerializer.serializePublicKey(publicKey));
    return this;
  }
  private KmsUpdater setKeyPair(
      PGPKeyPair keyPair, PrivateKeyLabel privateKeyLabel, PublicKeyLabel publicKeyLabel)
      throws IOException, PGPException {
    checkArgumentNotNull(keyPair);
    setSecret(privateKeyLabel.getLabel(), KeySerializer.serializeKeyPair(keyPair));
    setSecret(publicKeyLabel.getLabel(), KeySerializer.serializePublicKey(keyPair.getPublicKey()));
    return this;
  }
  /**
   * Persists encrypted secrets to Datastore as {@link KmsSecretRevision} entities and makes them
   * primary. {@link KmsSecret} entities point to the latest {@link KmsSecretRevision}.
--- a/javatests/google/registry/keyring/kms/BUILD
+++ b/javatests/google/registry/keyring/kms/BUILD
@ -15,6 +15,7 @@ java_library(
        "pgp-public-keyring.asc",
    ],
    deps = [
        "//java/google/registry/keyring/api",
        "//java/google/registry/keyring/kms",
        "//java/google/registry/model",
        "//javatests/google/registry/testing",
--- a/javatests/google/registry/keyring/kms/KmsKeyringTest.java
+++ b/javatests/google/registry/keyring/kms/KmsKeyringTest.java
@ -16,13 +16,13 @@ package google.registry.keyring.kms;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.testing.DatastoreHelper.persistResources;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import com.google.common.collect.ImmutableList;
 import google.registry.keyring.api.KeySerializer;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
 import google.registry.model.server.KmsSecretRevision.Builder;
 import google.registry.testing.AppEngineRule;
 import google.registry.testing.BouncyCastleProviderRule;
 import java.io.IOException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPrivateKey;
@ -36,6 +36,8 @@ import org.junit.runners.JUnit4;
@RunWith(JUnit4.class)
 public class KmsKeyringTest {
  @Rule public final BouncyCastleProviderRule bouncy = new BouncyCastleProviderRule();
  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
  private KmsKeyring keyring;
@ -51,8 +53,8 @@ public class KmsKeyringTest {
    PGPKeyPair rdeSigningKey = keyring.getRdeSigningKey();
-    assertThat(rdeSigningKey.getKeyID())
+    assertThat(KeySerializer.serializeKeyPair(rdeSigningKey))
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getKeyID());
+        .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }
  @Test
@ -62,17 +64,20 @@ public class KmsKeyringTest {
    PGPPublicKey rdeStagingEncryptionKey = keyring.getRdeStagingEncryptionKey();
    assertThat(rdeStagingEncryptionKey.getFingerprint())
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getFingerprint());
+        .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
  }
  @Test
  public void test_getRdeStagingDecryptionKey() throws Exception {
    savePrivateKeySecret("rde-staging-private");
    savePublicKeySecret("rde-staging-public");
    PGPPrivateKey rdeStagingDecryptionKey = keyring.getRdeStagingDecryptionKey();
    PGPPublicKey rdeStagingEncryptionKey = keyring.getRdeStagingEncryptionKey();
    PGPKeyPair keyPair = new PGPKeyPair(rdeStagingEncryptionKey, rdeStagingDecryptionKey);
-    assertThat(rdeStagingDecryptionKey.getKeyID())
+    assertThat(KeySerializer.serializeKeyPair(keyPair))
-        .isEqualTo(KmsTestHelper.getPrivateKeyring().getSecretKey().getKeyID());
+        .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }
  @Test
@ -82,7 +87,7 @@ public class KmsKeyringTest {
    PGPPublicKey rdeReceiverKey = keyring.getRdeReceiverKey();
    assertThat(rdeReceiverKey.getFingerprint())
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getFingerprint());
+        .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
  }
  @Test
@ -91,8 +96,8 @@ public class KmsKeyringTest {
    PGPKeyPair brdaSigningKey = keyring.getBrdaSigningKey();
-    assertThat(brdaSigningKey.getKeyID())
+    assertThat(KeySerializer.serializeKeyPair(brdaSigningKey))
-        .isEqualTo(KmsTestHelper.getPrivateKeyring().getPublicKey().getKeyID());
+        .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }
  @Test
@ -102,80 +107,80 @@ public class KmsKeyringTest {
    PGPPublicKey brdaReceiverKey = keyring.getBrdaReceiverKey();
    assertThat(brdaReceiverKey.getFingerprint())
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getFingerprint());
+        .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
  }
  @Test
  public void test_getRdeSshClientPublicKey() throws Exception {
-    saveCleartextSecret("rde-ssh-client-public");
+    saveCleartextSecret("rde-ssh-client-public-string");
    String rdeSshClientPublicKey = keyring.getRdeSshClientPublicKey();
-    assertThat(rdeSshClientPublicKey).isEqualTo("rde-ssh-client-publicmoo");
+    assertThat(rdeSshClientPublicKey).isEqualTo("rde-ssh-client-public-stringmoo");
  }
  @Test
  public void test_getRdeSshClientPrivateKey() throws Exception {
-    saveCleartextSecret("rde-ssh-client-private");
+    saveCleartextSecret("rde-ssh-client-private-string");
    String rdeSshClientPrivateKey = keyring.getRdeSshClientPrivateKey();
-    assertThat(rdeSshClientPrivateKey).isEqualTo("rde-ssh-client-privatemoo");
+    assertThat(rdeSshClientPrivateKey).isEqualTo("rde-ssh-client-private-stringmoo");
  }
  @Test
  public void test_getIcannReportingPassword() throws Exception {
-    saveCleartextSecret("icann-reporting-password");
+    saveCleartextSecret("icann-reporting-password-string");
    String icannReportingPassword = keyring.getIcannReportingPassword();
-    assertThat(icannReportingPassword).isEqualTo("icann-reporting-passwordmoo");
+    assertThat(icannReportingPassword).isEqualTo("icann-reporting-password-stringmoo");
  }
  @Test
  public void test_getMarksdbDnlLogin() throws Exception {
-    saveCleartextSecret("marksdb-dnl-login");
+    saveCleartextSecret("marksdb-dnl-login-string");
    String marksdbDnlLogin = keyring.getMarksdbDnlLogin();
-    assertThat(marksdbDnlLogin).isEqualTo("marksdb-dnl-loginmoo");
+    assertThat(marksdbDnlLogin).isEqualTo("marksdb-dnl-login-stringmoo");
  }
  @Test
  public void test_getMarksdbLordnPassword() throws Exception {
-    saveCleartextSecret("marksdb-lordn-password");
+    saveCleartextSecret("marksdb-lordn-password-string");
    String marksdbLordnPassword = keyring.getMarksdbLordnPassword();
-    assertThat(marksdbLordnPassword).isEqualTo("marksdb-lordn-passwordmoo");
+    assertThat(marksdbLordnPassword).isEqualTo("marksdb-lordn-password-stringmoo");
  }
  @Test
  public void test_getMarksdbSmdrlLogin() throws Exception {
-    saveCleartextSecret("marksdb-smdrl-login");
+    saveCleartextSecret("marksdb-smdrl-login-string");
    String marksdbSmdrlLogin = keyring.getMarksdbSmdrlLogin();
-    assertThat(marksdbSmdrlLogin).isEqualTo("marksdb-smdrl-loginmoo");
+    assertThat(marksdbSmdrlLogin).isEqualTo("marksdb-smdrl-login-stringmoo");
  }
  @Test
  public void test_getJsonCredential() throws Exception {
-    saveCleartextSecret("json-credential");
+    saveCleartextSecret("json-credential-string");
    String jsonCredential = keyring.getJsonCredential();
-    assertThat(jsonCredential).isEqualTo("json-credentialmoo");
+    assertThat(jsonCredential).isEqualTo("json-credential-stringmoo");
  }
  @Test
  public void test_getBraintreePrivateKey() throws Exception {
-    saveCleartextSecret("braintree-private-key");
+    saveCleartextSecret("braintree-private-key-string");
    String braintreePrivateKey = keyring.getBraintreePrivateKey();
-    assertThat(braintreePrivateKey).isEqualTo("braintree-private-keymoo");
+    assertThat(braintreePrivateKey).isEqualTo("braintree-private-key-stringmoo");
  }
  private static void persistSecret(String secretName, byte[] secretValue) throws IOException {
@ -192,15 +197,15 @@ public class KmsKeyringTest {
  }
  private static void saveCleartextSecret(String secretName) throws Exception {
-    persistSecret(secretName, (secretName + "moo").getBytes(UTF_8));
+    persistSecret(secretName, KeySerializer.serializeString(secretName + "moo"));
  }
  private static void savePublicKeySecret(String publicKeyName) throws Exception {
-    persistSecret(publicKeyName, KmsTestHelper.getPublicKeyring().getPublicKey().getEncoded());
+    persistSecret(publicKeyName, KeySerializer.serializePublicKey(KmsTestHelper.getPublicKey()));
  }
  private static void savePrivateKeySecret(String privateKeyName) throws Exception {
-    persistSecret(privateKeyName, KmsTestHelper.getPrivateKeyring().getEncoded());
+    persistSecret(privateKeyName, KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }
  private static void saveKeyPairSecret(String publicKeyName, String privateKeyName)
--- a/javatests/google/registry/keyring/kms/KmsTestHelper.java
+++ b/javatests/google/registry/keyring/kms/KmsTestHelper.java
@ -18,9 +18,13 @@ import static com.google.common.io.Resources.getResource;
 import com.google.common.io.ByteSource;
 import com.google.common.io.Resources;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
 import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
 import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
 import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
 /** Stores dummy values for test use in {@link KmsUpdaterTest} and {@link KmsKeyringTest}. */
 final class KmsTestHelper {
@ -28,20 +32,25 @@ final class KmsTestHelper {
  static final String DUMMY_CRYPTO_KEY_VERSION = "cheeseburger";
  static final String DUMMY_ENCRYPTED_VALUE = "meow";
  /** The contents of a dummy PGP public key stored in a file. */
  private static final ByteSource PGP_PUBLIC_KEYRING =
      Resources.asByteSource(getResource(KmsTestHelper.class, "pgp-public-keyring.asc"));
  /** The contents of a dummy PGP private key stored in a file. */
  private static final ByteSource PGP_PRIVATE_KEYRING =
      Resources.asByteSource(getResource(KmsTestHelper.class, "pgp-private-keyring-registry.asc"));
-  static BcPGPPublicKeyRing getPublicKeyring() throws Exception {
+  private static BcPGPSecretKeyRing getPrivateKeyring() throws Exception {
-    return new BcPGPPublicKeyRing(PGPUtil.getDecoderStream(PGP_PUBLIC_KEYRING.openStream()));
+    return new BcPGPSecretKeyRing(PGPUtil.getDecoderStream(PGP_PRIVATE_KEYRING.openStream()));
  }
-  static BcPGPSecretKeyRing getPrivateKeyring() throws Exception {
+  static PGPPublicKey getPublicKey() throws Exception {
-    return new BcPGPSecretKeyRing(PGPUtil.getDecoderStream(PGP_PRIVATE_KEYRING.openStream()));
+    return getPrivateKeyring().getPublicKey();
  }
  static PGPKeyPair getKeyPair() throws Exception {
    PGPSecretKey secretKey = getPrivateKeyring().getSecretKey();
    return new PGPKeyPair(
        secretKey.getPublicKey(),
        secretKey.extractPrivateKey(
            new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
            .build(new char[0])));
  }
  private KmsTestHelper() {}
--- a/javatests/google/registry/keyring/kms/KmsUpdaterTest.java
+++ b/javatests/google/registry/keyring/kms/KmsUpdaterTest.java
@ -17,13 +17,15 @@ package google.registry.keyring.kms;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import com.googlecode.objectify.Key;
 import google.registry.keyring.api.KeySerializer;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
 import google.registry.testing.AppEngineRule;
 import google.registry.testing.BouncyCastleProviderRule;
 import java.io.IOException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@ -35,6 +37,8 @@ public class KmsUpdaterTest {
  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();
  @Rule public final BouncyCastleProviderRule bouncy = new BouncyCastleProviderRule();
  private KmsUpdater updater;
  @Before
@ -51,11 +55,15 @@ public class KmsUpdaterTest {
        .update();
    verifySecretAndSecretRevisionWritten(
-        "braintree-private-key", "braintree-private-key/foo", getCiphertext("value1"));
+        "braintree-private-key-string",
        "braintree-private-key-string/foo",
        getCiphertext("value1"));
    verifySecretAndSecretRevisionWritten(
-        "icann-reporting-password", "icann-reporting-password/foo", getCiphertext("value2"));
+        "icann-reporting-password-string",
        "icann-reporting-password-string/foo",
        getCiphertext("value2"));
    verifySecretAndSecretRevisionWritten(
-        "json-credential", "json-credential/foo", getCiphertext("value3"));
+        "json-credential-string", "json-credential-string/foo", getCiphertext("value3"));
  }
  @Test
@ -63,31 +71,33 @@ public class KmsUpdaterTest {
    updater.setBraintreePrivateKey("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "braintree-private-key", "braintree-private-key/foo", getCiphertext("value1"));
+        "braintree-private-key-string",
        "braintree-private-key-string/foo",
        getCiphertext("value1"));
  }
  @Test
  public void test_setBrdaReceiverKey() throws Exception {
-    updater.setBrdaReceiverPublicKey(KmsTestHelper.getPublicKeyring().getPublicKey()).update();
+    updater.setBrdaReceiverPublicKey(KmsTestHelper.getPublicKey()).update();
    verifySecretAndSecretRevisionWritten(
        "brda-receiver-public",
        "brda-receiver-public/foo",
-        getCiphertext(KmsTestHelper.getPublicKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }
  @Test
  public void test_setBrdaSigningKey() throws Exception {
-    updater.setBrdaSigningKey(KmsTestHelper.getPrivateKeyring()).update();
+    updater.setBrdaSigningKey(KmsTestHelper.getKeyPair()).update();
    verifySecretAndSecretRevisionWritten(
        "brda-signing-private",
        "brda-signing-private/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getEncoded()));
+        getCiphertext(KmsTestHelper.getKeyPair()));
    verifySecretAndSecretRevisionWritten(
        "brda-signing-public",
        "brda-signing-public/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }
  @Test
@ -95,7 +105,9 @@ public class KmsUpdaterTest {
    updater.setIcannReportingPassword("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "icann-reporting-password", "icann-reporting-password/foo", getCiphertext("value1"));
+        "icann-reporting-password-string",
        "icann-reporting-password-string/foo",
        getCiphertext("value1"));
  }
  @Test
@ -103,7 +115,7 @@ public class KmsUpdaterTest {
    updater.setJsonCredential("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "json-credential", "json-credential/foo", getCiphertext("value1"));
+        "json-credential-string", "json-credential-string/foo", getCiphertext("value1"));
  }
  @Test
@ -111,7 +123,7 @@ public class KmsUpdaterTest {
    updater.setMarksdbDnlLogin("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "marksdb-dnl-login", "marksdb-dnl-login/foo", getCiphertext("value1"));
+        "marksdb-dnl-login-string", "marksdb-dnl-login-string/foo", getCiphertext("value1"));
  }
  @Test
@ -119,7 +131,9 @@ public class KmsUpdaterTest {
    updater.setMarksdbLordnPassword("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "marksdb-lordn-password", "marksdb-lordn-password/foo", getCiphertext("value1"));
+        "marksdb-lordn-password-string",
        "marksdb-lordn-password-string/foo",
        getCiphertext("value1"));
  }
  @Test
@ -127,31 +141,32 @@ public class KmsUpdaterTest {
    updater.setMarksdbSmdrlLogin("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "marksdb-smdrl-login", "marksdb-smdrl-login/foo", getCiphertext("value1"));
+        "marksdb-smdrl-login-string", "marksdb-smdrl-login-string/foo", getCiphertext("value1"));
  }
  @Test
  public void test_setRdeReceiverKey() throws Exception {
-    updater.setRdeReceiverPublicKey(KmsTestHelper.getPublicKeyring().getPublicKey()).update();
+    updater.setRdeReceiverPublicKey(KmsTestHelper.getPublicKey()).update();
    verifySecretAndSecretRevisionWritten(
        "rde-receiver-public",
        "rde-receiver-public/foo",
-        getCiphertext(KmsTestHelper.getPublicKeyring().getPublicKey().getEncoded()));
+        getCiphertext(
            KeySerializer.serializePublicKey(KmsTestHelper.getPublicKey())));
  }
  @Test
  public void test_setRdeSigningKey() throws Exception {
-    updater.setRdeSigningKey(KmsTestHelper.getPrivateKeyring()).update();
+    updater.setRdeSigningKey(KmsTestHelper.getKeyPair()).update();
    verifySecretAndSecretRevisionWritten(
        "rde-signing-private",
        "rde-signing-private/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getEncoded()));
+        getCiphertext(KmsTestHelper.getKeyPair()));
    verifySecretAndSecretRevisionWritten(
        "rde-signing-public",
        "rde-signing-public/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }
  @Test
@ -159,7 +174,9 @@ public class KmsUpdaterTest {
    updater.setRdeSshClientPrivateKey("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "rde-ssh-client-private", "rde-ssh-client-private/foo", getCiphertext("value1"));
+        "rde-ssh-client-private-string",
        "rde-ssh-client-private-string/foo",
        getCiphertext("value1"));
  }
  @Test
@ -167,21 +184,23 @@ public class KmsUpdaterTest {
    updater.setRdeSshClientPublicKey("value1").update();
    verifySecretAndSecretRevisionWritten(
-        "rde-ssh-client-public", "rde-ssh-client-public/foo", getCiphertext("value1"));
+        "rde-ssh-client-public-string",
        "rde-ssh-client-public-string/foo",
        getCiphertext("value1"));
  }
  @Test
  public void test_setRdeStagingKey() throws Exception {
-    updater.setRdeStagingKey(KmsTestHelper.getPrivateKeyring()).update();
+    updater.setRdeStagingKey(KmsTestHelper.getKeyPair()).update();
    verifySecretAndSecretRevisionWritten(
        "rde-staging-private",
        "rde-staging-private/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getEncoded()));
+        getCiphertext(KmsTestHelper.getKeyPair()));
    verifySecretAndSecretRevisionWritten(
        "rde-staging-public",
        "rde-staging-public/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }
@ -200,6 +219,14 @@ public class KmsUpdaterTest {
  }
  private static String getCiphertext(String plaintext) throws IOException {
-    return getCiphertext(plaintext.getBytes(UTF_8));
+    return getCiphertext(KeySerializer.serializeString(plaintext));
  }
  private static String getCiphertext(PGPPublicKey publicKey) throws IOException {
    return getCiphertext(KeySerializer.serializePublicKey(publicKey));
  }
  private static String getCiphertext(PGPKeyPair keyPair) throws Exception {
    return getCiphertext(KeySerializer.serializeKeyPair(keyPair));
  }
 }