Add Cloud KMS based secret storage

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=147791972
2025-07-22 18:55:58 +02:00 · 2017-02-16 17:55:19 -08:00 · 2017-02-16 17:55:19 -08:00 · be30ecdf66
commit be30ecdf66
parent ab6e7b177a
24 changed files with 2255 additions and 0 deletions
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@ -867,6 +867,24 @@ public final class RegistryConfig {
      return config.registryPolicy.greetingServerId;
    }

+    /**
+     * The name to use for the Cloud KMS KeyRing containing encryption keys for Nomulus secrets.
+     *
+     * @see <a
+     *     href="https://cloud.google.com/kms/docs/reference/rest/v1beta1/projects.locations.keyRings#KeyRing">projects.locations.keyRings</a>
+     */
+    @Provides
+    @Config("cloudKmsKeyRing")
+    public static String provideCloudKmsKeyRing(RegistryConfigSettings config) {
+      return config.kms.keyringName;
+    }
+
+    @Provides
+    @Config("cloudKmsProjectId")
+    public static String provideCloudKmsProjectId(RegistryConfigSettings config) {
+      return config.kms.projectId;
+    }
+
    @Provides
    @Config("customLogicFactoryClass")
    public static String provideCustomLogicFactoryClass(RegistryConfigSettings config) {
--- a/java/google/registry/config/RegistryConfigSettings.java
+++ b/java/google/registry/config/RegistryConfigSettings.java
@ -31,6 +31,7 @@ public class RegistryConfigSettings {
  public Misc misc;
  public Rdap rdap;
  public Braintree braintree;
+  public Kms kms;

  /** Configuration options that apply to the entire App Engine project. */
  public static class AppEngine {
@ -78,6 +79,12 @@ public class RegistryConfigSettings {
    public int baseOfyRetryMillis;
  }

+  /** Configuration for Cloud KMS. */
+  public static class Kms {
+    public String keyringName;
+    public String projectId;
+  }
+
  /** Configuration for caching. */
  public static class Caching {
    public int singletonCacheRefreshSeconds;
--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
@ -182,3 +182,11 @@ braintree:
  # currency). For example, one entry might be:
  #   USD: accountIdUsingUSD
  merchantAccountIdsMap: {}
+
+kms:
+  # GCP project containing the KMS keyring. Should only be used for KMS in
+  # order to keep a simple locked down IAM configuration.
+  projectId: registry-kms-project-id
+  # The name to use for the Cloud KMS KeyRing which will store encryption keys
+  # for Nomulus secrets.
+  keyringName: nomulus
--- a/java/google/registry/keyring/api/KeyringException.java
+++ b/java/google/registry/keyring/api/KeyringException.java
@ -0,0 +1,29 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.keyring.api;
+
+/** Base class for all {@link Keyring} specific unchecked exceptions. */
+public class KeyringException extends RuntimeException {
+
+  /** @see RuntimeException#RuntimeException(String) */
+  public KeyringException(String msg) {
+    super(msg);
+  }
+
+  /** @see RuntimeException#RuntimeException(String, Throwable) */
+  public KeyringException(String msg, Throwable cause) {
+    super(msg, cause);
+  }
+}
--- a/java/google/registry/keyring/kms/BUILD
+++ b/java/google/registry/keyring/kms/BUILD
@ -0,0 +1,25 @@
+package(
+    default_visibility = ["//visibility:public"],
+)
+
+licenses(["notice"])  # Apache 2.0
+
+java_library(
+    name = "kms",
+    srcs = glob(["*.java"]),
+    deps = [
+        "//java/google/registry/config",
+        "//java/google/registry/keyring/api",
+        "//java/google/registry/model",
+        "//java/google/registry/util",
+        "//third_party/java/objectify:objectify-v4_1",
+        "@com_google_api_client",
+        "@com_google_apis_google_api_services_cloudkms",
+        "@com_google_code_findbugs_jsr305",
+        "@com_google_dagger",
+        "@com_google_guava",
+        "@com_google_http_client",
+        "@org_bouncycastle_bcpg_jdk15on",
+        "@org_bouncycastle_bcpkix_jdk15on",
+    ],
+)
--- a/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/java/google/registry/keyring/kms/KmsKeyring.java
@ -0,0 +1,243 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.keyring.kms;
+
+import static com.google.common.base.Preconditions.checkState;
+import static google.registry.keyring.api.PgpHelper.KeyRequirement.ENCRYPT;
+import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
+import static google.registry.model.ofy.ObjectifyService.ofy;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.api.services.cloudkms.v1beta1.CloudKMS;
+import com.google.api.services.cloudkms.v1beta1.model.DecryptRequest;
+import com.googlecode.objectify.Key;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.keyring.api.Keyring;
+import google.registry.keyring.api.KeyringException;
+import google.registry.keyring.api.PgpHelper;
+import google.registry.model.server.KmsSecret;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import javax.inject.Inject;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPKeyPair;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
+import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
+import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
+
+/**
+ * A {@link Keyring} implementation which stores encrypted secrets in Datastore and decrypts them
+ * using encryption keys stored in Cloud KMS.
+ *
+ * @see <a href="https://cloud.google.com/kms/docs/">Google Cloud Key Management Service
+ *     Documentation</a>
+ */
+public class KmsKeyring implements Keyring {
+
+  private static final String KMS_KEYRING_NAME_FORMAT = "projects/%s/locations/global/keyRings/%s";
+  private static final String KMS_CRYPTO_KEY_NAME_FORMAT =
+      "projects/%s/locations/global/keyRings/%s/cryptoKeys/%s";
+  private static final String KMS_CRYPTO_KEY_VERSION_NAME_FORMAT =
+      "projects/%s/locations/global/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions";
+
+  static final String BRAINTREE_PRIVATE_KEY_NAME = "braintree-private-key";
+  static final String BRDA_RECEIVER_PUBLIC_NAME = "brda-receiver-public";
+  static final String BRDA_SIGNING_PRIVATE_NAME = "brda-signing-private";
+  static final String BRDA_SIGNING_PUBLIC_NAME = "brda-signing-public";
+  static final String ICANN_REPORTING_PASSWORD_NAME = "icann-reporting-password";
+  static final String JSON_CREDENTIAL_NAME = "json-credential";
+  static final String MARKSDB_DNL_LOGIN_NAME = "marksdb-dnl-login";
+  static final String MARKSDB_LORDN_PASSWORD_NAME = "marksdb-lordn-password";
+  static final String MARKSDB_SMDRL_LOGIN_NAME = "marksdb-smdrl-login";
+  static final String RDE_RECEIVER_PUBLIC_NAME = "rde-receiver-public";
+  static final String RDE_SIGNING_PRIVATE_NAME = "rde-signing-private";
+  static final String RDE_SIGNING_PUBLIC_NAME = "rde-signing-public";
+  static final String RDE_SSH_CLIENT_PRIVATE_NAME = "rde-ssh-client-private";
+  static final String RDE_SSH_CLIENT_PUBLIC_NAME = "rde-ssh-client-public";
+  static final String RDE_STAGING_PRIVATE_NAME = "rde-staging-private";
+  static final String RDE_STAGING_PUBLIC_NAME = "rde-staging-public";
+
+  private final CloudKMS kms;
+  private final String kmsKeyRingName;
+  private final String projectId;
+
+  @Inject
+  KmsKeyring(
+      @Config("cloudKmsProjectId") String projectId,
+      @Config("cloudKmsKeyRing") String kmsKeyringName,
+      CloudKMS kms) {
+    this.projectId = projectId;
+    this.kmsKeyRingName = kmsKeyringName;
+    this.kms = kms;
+  }
+
+  @Override
+  public PGPKeyPair getRdeSigningKey() {
+    return getKeyPair(RDE_SIGNING_PUBLIC_NAME, RDE_SIGNING_PRIVATE_NAME);
+  }
+
+  @Override
+  public PGPPublicKey getRdeStagingEncryptionKey() {
+    return getPublicKeyForEncrypting(RDE_STAGING_PUBLIC_NAME);
+  }
+
+  @Override
+  public PGPPrivateKey getRdeStagingDecryptionKey() {
+    return getPrivateKey(RDE_STAGING_PRIVATE_NAME);
+  }
+
+  @Override
+  public PGPPublicKey getRdeReceiverKey() {
+    return getPublicKeyForEncrypting(RDE_RECEIVER_PUBLIC_NAME);
+  }
+
+  @Override
+  public PGPKeyPair getBrdaSigningKey() {
+    return getKeyPair(BRDA_SIGNING_PUBLIC_NAME, BRDA_SIGNING_PRIVATE_NAME);
+  }
+
+  @Override
+  public PGPPublicKey getBrdaReceiverKey() {
+    return getPublicKeyForEncrypting(BRDA_RECEIVER_PUBLIC_NAME);
+  }
+
+  @Override
+  public String getRdeSshClientPublicKey() {
+    return new String(getDecryptedData((RDE_SSH_CLIENT_PUBLIC_NAME)), UTF_8);
+  }
+
+  @Override
+  public String getRdeSshClientPrivateKey() {
+    return new String(getDecryptedData(RDE_SSH_CLIENT_PRIVATE_NAME), UTF_8);
+  }
+
+  @Override
+  public String getIcannReportingPassword() {
+    return new String(getDecryptedData(ICANN_REPORTING_PASSWORD_NAME), UTF_8);
+  }
+
+  @Override
+  public String getMarksdbDnlLogin() {
+    return new String(getDecryptedData(MARKSDB_DNL_LOGIN_NAME), UTF_8);
+  }
+
+  @Override
+  public String getMarksdbLordnPassword() {
+    return new String(getDecryptedData(MARKSDB_LORDN_PASSWORD_NAME), UTF_8);
+  }
+
+  @Override
+  public String getMarksdbSmdrlLogin() {
+    return new String(getDecryptedData(MARKSDB_SMDRL_LOGIN_NAME), UTF_8);
+  }
+
+  @Override
+  public String getJsonCredential() {
+    return new String(getDecryptedData(JSON_CREDENTIAL_NAME), UTF_8);
+  }
+
+  @Override
+  public String getBraintreePrivateKey() {
+    return new String(getDecryptedData(BRAINTREE_PRIVATE_KEY_NAME), UTF_8);
+  }
+
+  /** No persistent resources are maintained for this Keyring implementation. */
+  @Override
+  public void close() {}
+
+  private PGPKeyPair getKeyPair(String publicKeyName, String privateKeyName) {
+    try {
+      PGPPublicKey publicKey =
+          new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)).getPublicKey();
+      return new PGPKeyPair(publicKey, getPrivateKey(privateKeyName));
+    } catch (IOException e) {
+      throw new KeyringException(
+          String.format(
+              "Could not parse public key %s and private key %s", publicKeyName, privateKeyName),
+          e);
+    }
+  }
+
+  private PGPPublicKey getPublicKeyForEncrypting(String publicKeyName) {
+    try {
+      return PgpHelper.lookupPublicSubkey(
+              new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)), ENCRYPT)
+          .get();
+    } catch (IOException e) {
+      throw new KeyringException(String.format("Could not parse public key %s", publicKeyName), e);
+    }
+  }
+
+  private PGPPrivateKey getPrivateKey(String privateKeyName) {
+    try {
+      PGPSecretKeyRing privateKeyRing = new BcPGPSecretKeyRing(getPgpInputStream(privateKeyName));
+      // There shouldn't be a passphrase on the key
+      return privateKeyRing
+          .getSecretKey()
+          .extractPrivateKey(
+              new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
+                  .build(new char[0]));
+    } catch (IOException | PGPException e) {
+      throw new KeyringException(
+          String.format("Could not parse private key %s", privateKeyName), e);
+    }
+  }
+
+  private InputStream getPgpInputStream(String privateKeyName) throws IOException {
+    return PGPUtil.getDecoderStream(new ByteArrayInputStream(getDecryptedData(privateKeyName)));
+  }
+
+  private byte[] getDecryptedData(String keyName) {
+    KmsSecret secret =
+        ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now();
+    checkState(secret != null, "Requested secret '%s' does not exist.", keyName);
+    String encryptedData = ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
+
+    try {
+      return kms.projects()
+          .locations()
+          .keyRings()
+          .cryptoKeys()
+          .decrypt(
+              getCryptoKeyName(projectId, kmsKeyRingName, secret.getName()),
+              new DecryptRequest().setCiphertext(encryptedData))
+          .execute()
+          .decodePlaintext();
+    } catch (IOException e) {
+      throw new KeyringException(
+          String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
+    }
+  }
+
+  static String getKeyRingName(String projectId, String kmsKeyRingName) {
+    return String.format(KMS_KEYRING_NAME_FORMAT, projectId, kmsKeyRingName);
+  }
+
+  static String getCryptoKeyName(String projectId, String kmsKeyRingName, String cryptoKeyName) {
+    return String.format(KMS_CRYPTO_KEY_NAME_FORMAT, projectId, kmsKeyRingName, cryptoKeyName);
+  }
+
+  static String getCryptoKeyVersionName(
+      String projectId, String kmsKeyRingName, String cryptoKeyName) {
+    return String.format(
+        KMS_CRYPTO_KEY_VERSION_NAME_FORMAT, projectId, kmsKeyRingName, cryptoKeyName);
+  }
+}
--- a/java/google/registry/keyring/kms/KmsModule.java
+++ b/java/google/registry/keyring/kms/KmsModule.java
@ -0,0 +1,42 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.keyring.kms;
+
+import com.google.api.client.http.HttpRequestInitializer;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.services.cloudkms.v1beta1.CloudKMS;
+import com.google.api.services.cloudkms.v1beta1.CloudKMSScopes;
+import com.google.common.base.Function;
+import dagger.Module;
+import dagger.Provides;
+import google.registry.config.RegistryConfig.Config;
+import java.util.Set;
+
+/** Dagger module for Cloud KMS connection objects. */
+@Module
+public final class KmsModule {
+
+  @Provides
+  static CloudKMS provideKms(
+      HttpTransport transport,
+      JsonFactory jsonFactory,
+      Function<Set<String>, ? extends HttpRequestInitializer> credential,
+      @Config("cloudKmsProjectId") String projectId) {
+    return new CloudKMS.Builder(transport, jsonFactory, credential.apply(CloudKMSScopes.all()))
+        .setApplicationName(projectId)
+        .build();
+  }
+}
--- a/java/google/registry/keyring/kms/KmsUpdater.java
+++ b/java/google/registry/keyring/kms/KmsUpdater.java
@ -0,0 +1,281 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.keyring.kms;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkState;
+import static google.registry.keyring.kms.KmsKeyring.BRAINTREE_PRIVATE_KEY_NAME;
+import static google.registry.keyring.kms.KmsKeyring.BRDA_RECEIVER_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.ICANN_REPORTING_PASSWORD_NAME;
+import static google.registry.keyring.kms.KmsKeyring.JSON_CREDENTIAL_NAME;
+import static google.registry.keyring.kms.KmsKeyring.MARKSDB_DNL_LOGIN_NAME;
+import static google.registry.keyring.kms.KmsKeyring.MARKSDB_LORDN_PASSWORD_NAME;
+import static google.registry.keyring.kms.KmsKeyring.MARKSDB_SMDRL_LOGIN_NAME;
+import static google.registry.keyring.kms.KmsKeyring.RDE_RECEIVER_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PRIVATE_NAME;
+import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PUBLIC_NAME;
+import static google.registry.keyring.kms.KmsKeyring.getCryptoKeyName;
+import static google.registry.keyring.kms.KmsKeyring.getCryptoKeyVersionName;
+import static google.registry.keyring.kms.KmsKeyring.getKeyRingName;
+import static google.registry.model.ofy.ObjectifyService.ofy;
+import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import com.google.api.client.googleapis.json.GoogleJsonResponseException;
+import com.google.api.services.cloudkms.v1beta1.CloudKMS;
+import com.google.api.services.cloudkms.v1beta1.model.CryptoKey;
+import com.google.api.services.cloudkms.v1beta1.model.CryptoKeyVersion;
+import com.google.api.services.cloudkms.v1beta1.model.EncryptRequest;
+import com.google.api.services.cloudkms.v1beta1.model.EncryptResponse;
+import com.google.api.services.cloudkms.v1beta1.model.KeyRing;
+import com.google.common.collect.ImmutableMap;
+import com.googlecode.objectify.VoidWork;
+import google.registry.config.RegistryConfig.Config;
+import google.registry.model.server.KmsSecret;
+import google.registry.model.server.KmsSecretRevision;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import javax.inject.Inject;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
+
+/**
+ * The {@link KmsUpdater} accumulates updates to a {@link KmsKeyring} and persists them to KMS and
+ * Datastore when closed.
+ */
+public final class KmsUpdater {
+
+  private static final int RESOURCE_NOT_FOUND = 404;
+
+  private final String projectId;
+  private final String kmsKeyRingName;
+  private final CloudKMS kms;
+
+  private final HashMap<String, byte[]> secretValues;
+
+  @Inject
+  public KmsUpdater(
+      @Config("cloudKmsProjectId") String projectId,
+      @Config("cloudKmsKeyRing") String kmsKeyRingName,
+      CloudKMS kms) {
+    this.projectId = projectId;
+    this.kmsKeyRingName = kmsKeyRingName;
+    this.kms = kms;
+
+    // Use LinkedHashMap to preserve insertion order on update() to simplify testing and debugging
+    this.secretValues = new LinkedHashMap<>();
+  }
+
+  public KmsUpdater setRdeSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
+    checkArgumentNotNull(secretKeyRing);
+    setSecret(RDE_SIGNING_PRIVATE_NAME, checkArgumentNotNull(secretKeyRing).getEncoded());
+    setSecret(RDE_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
+    return this;
+  }
+
+  public KmsUpdater setRdeStagingKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
+    checkArgumentNotNull(secretKeyRing);
+
+    setSecret(RDE_STAGING_PRIVATE_NAME, secretKeyRing.getEncoded());
+    setSecret(RDE_STAGING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
+    return this;
+  }
+
+  public KmsUpdater setRdeReceiverPublicKey(PGPPublicKey rdeReceiverPublicKey) throws IOException {
+    setSecret(RDE_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(rdeReceiverPublicKey).getEncoded());
+    return this;
+  }
+
+  public KmsUpdater setBrdaSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
+    checkArgumentNotNull(secretKeyRing);
+    setSecret(BRDA_SIGNING_PRIVATE_NAME, secretKeyRing.getEncoded());
+    setSecret(BRDA_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
+    return this;
+  }
+
+  public KmsUpdater setBrdaReceiverPublicKey(PGPPublicKey publicKey) throws IOException {
+    setSecret(BRDA_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(publicKey).getEncoded());
+    return this;
+  }
+
+  public KmsUpdater setRdeSshClientPublicKey(String asciiPublicKey) {
+    setSecret(RDE_SSH_CLIENT_PUBLIC_NAME, checkArgumentNotNull(asciiPublicKey).getBytes(UTF_8));
+    return this;
+  }
+
+  public KmsUpdater setRdeSshClientPrivateKey(String asciiPrivateKey) {
+    setSecret(RDE_SSH_CLIENT_PRIVATE_NAME, checkArgumentNotNull(asciiPrivateKey).getBytes(UTF_8));
+    return this;
+  }
+
+  public KmsUpdater setIcannReportingPassword(String password) {
+    setSecret(ICANN_REPORTING_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
+    return this;
+  }
+
+  public KmsUpdater setMarksdbDnlLogin(String login) {
+    setSecret(MARKSDB_DNL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
+    return this;
+  }
+
+  public KmsUpdater setMarksdbLordnPassword(String password) {
+    setSecret(MARKSDB_LORDN_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
+    return this;
+  }
+
+  public KmsUpdater setMarksdbSmdrlLogin(String login) {
+    setSecret(MARKSDB_SMDRL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
+    return this;
+  }
+
+  public KmsUpdater setJsonCredential(String credential) {
+    setSecret(JSON_CREDENTIAL_NAME, checkArgumentNotNull(credential).getBytes(UTF_8));
+    return this;
+  }
+
+  public KmsUpdater setBraintreePrivateKey(String braintreePrivateKey) {
+    setSecret(
+        BRAINTREE_PRIVATE_KEY_NAME, checkArgumentNotNull(braintreePrivateKey).getBytes(UTF_8));
+    return this;
+  }
+
+  /**
+   * Generates new encryption keys in KMS, encrypts the updated secrets with them, and persists the
+   * encrypted secrets to Datastore.
+   *
+   * <p>The operations in this method are organized so that existing {@link KmsSecretRevision}
+   * entities remain primary and decryptable if a failure occurs.
+   */
+  public void update() throws IOException {
+    checkState(!secretValues.isEmpty(), "At least one Keyring value must be persisted");
+
+    persistEncryptedValues(encryptValues(secretValues));
+  }
+
+  /**
+   * Encrypts updated secrets using KMS. If the configured {@code KeyRing} or {@code CryptoKey}
+   * associated with a secret doesn't exist, they will first be created.
+   *
+   * @see google.registry.config.RegistryConfigSettings#kms
+   */
+  private ImmutableMap<String, EncryptResponse> encryptValues(Map<String, byte[]> keyValues)
+      throws IOException {
+    String fullKeyRingName = getKeyRingName(projectId, kmsKeyRingName);
+    try {
+      kms.projects().locations().keyRings().get(fullKeyRingName).execute();
+    } catch (GoogleJsonResponseException jsonException) {
+      if (jsonException.getStatusCode() == RESOURCE_NOT_FOUND) {
+        // Create the KeyRing in the "global" namespace. Encryption keys will be accessible from all
+        // GCP regions.
+        kms.projects()
+            .locations()
+            .keyRings()
+            .create("global", new KeyRing().setName(fullKeyRingName))
+            .execute();
+      } else {
+        throw jsonException;
+      }
+    }
+
+    ImmutableMap.Builder<String, EncryptResponse> encryptedValues = new ImmutableMap.Builder<>();
+    for (Map.Entry<String, byte[]> entry : keyValues.entrySet()) {
+      String keyName = entry.getKey();
+      String fullKeyName = getCryptoKeyName(projectId, kmsKeyRingName, keyName);
+
+      try {
+        kms.projects().locations().keyRings().cryptoKeys().get(fullKeyName).execute();
+      } catch (GoogleJsonResponseException jsonException) {
+        if (jsonException.getStatusCode() == RESOURCE_NOT_FOUND) {
+          kms.projects()
+              .locations()
+              .keyRings()
+              .cryptoKeys()
+              .create(fullKeyName, new CryptoKey().setName(keyName).setPurpose("ENCRYPT_DECRYPT"))
+              .execute();
+        } else {
+          throw jsonException;
+        }
+      }
+
+      CryptoKeyVersion cryptoKeyVersion =
+          kms.projects()
+              .locations()
+              .keyRings()
+              .cryptoKeys()
+              .cryptoKeyVersions()
+              .create(
+                  getCryptoKeyVersionName(projectId, kmsKeyRingName, keyName),
+                  new CryptoKeyVersion())
+              .execute();
+
+      encryptedValues.put(
+          keyName,
+          kms.projects()
+              .locations()
+              .keyRings()
+              .cryptoKeys()
+              .encrypt(
+                  cryptoKeyVersion.getName(),
+                  new EncryptRequest().encodePlaintext(entry.getValue()))
+              .execute());
+    }
+    return encryptedValues.build();
+  }
+
+  /**
+   * Persists encrypted secrets to Datastore as {@link KmsSecretRevision} entities and makes them
+   * primary. {@link KmsSecret} entities point to the latest {@link KmsSecretRevision}.
+   *
+   * <p>The changes are committed transactionally; if an error occurs, all existing {@link
+   * KmsSecretRevision} entities will remain primary.
+   */
+  private static void persistEncryptedValues(
+      final ImmutableMap<String, EncryptResponse> encryptedValues) {
+    ofy()
+        .transact(
+            new VoidWork() {
+              @Override
+              public void vrun() {
+                for (Map.Entry<String, EncryptResponse> entry : encryptedValues.entrySet()) {
+                  String secretName = entry.getKey();
+                  EncryptResponse revisionData = entry.getValue();
+
+                  KmsSecretRevision secretRevision =
+                      new KmsSecretRevision.Builder()
+                          .setEncryptedValue(revisionData.getCiphertext())
+                          .setKmsCryptoKeyVersionName(revisionData.getName())
+                          .setParent(secretName)
+                          .build();
+                  ofy()
+                      .save()
+                      .entities(secretRevision, KmsSecret.create(secretName, secretRevision));
+                }
+              }
+            });
+  }
+
+  private void setSecret(String secretName, byte[] value) {
+    checkArgument(!secretValues.containsKey(secretName), "Attempted to set %s twice", secretName);
+    secretValues.put(secretName, value);
+  }
+}
--- a/java/google/registry/model/EntityClasses.java
+++ b/java/google/registry/model/EntityClasses.java
@ -48,6 +48,8 @@ import google.registry.model.registry.Registry;
 import google.registry.model.registry.label.PremiumList;
 import google.registry.model.registry.label.ReservedList;
 import google.registry.model.reporting.HistoryEntry;
+import google.registry.model.server.KmsSecret;
+import google.registry.model.server.KmsSecretRevision;
 import google.registry.model.server.Lock;
 import google.registry.model.server.ServerSecret;
 import google.registry.model.smd.SignedMarkRevocationList;
@ -90,6 +92,8 @@ public final class EntityClasses {
          GaeUserIdConverter.class,
          HistoryEntry.class,
          HostResource.class,
+          KmsSecret.class,
+          KmsSecretRevision.class,
          Lock.class,
          LogsExportCursor.class,
          LrpTokenEntity.class,
--- a/java/google/registry/model/server/KmsSecret.java
+++ b/java/google/registry/model/server/KmsSecret.java
@ -0,0 +1,57 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.server;
+
+import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
+import static google.registry.model.ofy.Ofy.RECOMMENDED_MEMCACHE_EXPIRATION;
+
+import com.googlecode.objectify.Key;
+import com.googlecode.objectify.annotation.Cache;
+import com.googlecode.objectify.annotation.Entity;
+import com.googlecode.objectify.annotation.Id;
+import com.googlecode.objectify.annotation.Parent;
+import google.registry.model.ImmutableObject;
+import google.registry.model.annotations.ReportedOn;
+import google.registry.model.common.EntityGroupRoot;
+
+/** Pointer to the latest {@link KmsSecretRevision}. */
+@Entity
+@ReportedOn
+@Cache(expirationSeconds = RECOMMENDED_MEMCACHE_EXPIRATION)
+public class KmsSecret extends ImmutableObject {
+
+  /** The unique name of this {@link KmsSecret}. */
+  @Id String name;
+
+  @Parent Key<EntityGroupRoot> parent = getCrossTldKey();
+
+  /** The pointer to the latest {@link KmsSecretRevision}. */
+  Key<KmsSecretRevision> latestRevision;
+
+  public String getName() {
+    return name;
+  }
+
+  public Key<KmsSecretRevision> getLatestRevision() {
+    return latestRevision;
+  }
+
+  public static KmsSecret create(String name, KmsSecretRevision latestRevision) {
+    KmsSecret instance = new KmsSecret();
+    instance.name = name;
+    instance.latestRevision = Key.create(latestRevision);
+    return instance;
+  }
+}
--- a/java/google/registry/model/server/KmsSecretRevision.java
+++ b/java/google/registry/model/server/KmsSecretRevision.java
@ -0,0 +1,117 @@
+// Copyright 2017 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.model.server;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
+import static google.registry.model.ofy.Ofy.RECOMMENDED_MEMCACHE_EXPIRATION;
+
+import com.googlecode.objectify.Key;
+import com.googlecode.objectify.annotation.Cache;
+import com.googlecode.objectify.annotation.Entity;
+import com.googlecode.objectify.annotation.Id;
+import com.googlecode.objectify.annotation.Parent;
+import google.registry.model.Buildable;
+import google.registry.model.CreateAutoTimestamp;
+import google.registry.model.ImmutableObject;
+import google.registry.model.annotations.ReportedOn;
+
+/**
+ * An encrypted value.
+ *
+ * <p>Used to store passwords and other sensitive information in Datastore. Multiple versions of a
+ * {@link KmsSecretRevision} may be persisted but only the latest version is primary. A key to the
+ * primary version is stored by {@link KmsSecret#latestRevision}.
+ *
+ * <p>The value can be encrypted and decrypted using Cloud KMS.
+ *
+ * @see <a href="https://cloud.google.com/kms/docs/">Google Cloud Key Management Service
+ *     Documentation</a>
+ * @see google.registry.keyring.kms.KmsKeyring
+ */
+@Entity
+@ReportedOn
+@Cache(expirationSeconds = RECOMMENDED_MEMCACHE_EXPIRATION)
+public class KmsSecretRevision extends ImmutableObject {
+
+  /**
+   * The maximum allowable secret size. Although Datastore allows entities up to 1 MB in size,
+   * BigQuery imports of Datastore backups limit individual columns (entity attributes) to 64 KB.
+   */
+  private static final int MAX_SECRET_SIZE_BYTES = 64 * 1024 * 1024;
+
+  /** The revision of this secret. */
+  @Id long revisionKey;
+
+  /** The parent {@link KmsSecret} which contains metadata about this {@link KmsSecretRevision}. */
+  @Parent Key<KmsSecret> parent;
+
+  /**
+   * The name of the {@code cryptoKeyVersion} associated with this {@link KmsSecretRevision}.
+   *
+   * @see <a
+   *     href="https://cloud.google.com/kms/docs/reference/rest/v1beta1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions">projects.locations.keyRings.cryptoKeys.cryptoKeyVersions</a>
+   */
+  String kmsCryptoKeyVersionName;
+
+  /**
+   * The base64-encoded encrypted value of this {@link KmsSecretRevision} as returned by the Cloud
+   * KMS API.
+   *
+   * @see <a
+   *     href="https://cloud.google.com/kms/docs/reference/rest/v1beta1/projects.locations.keyRings.cryptoKeys/encrypt">projects.locations.keyRings.cryptoKeys.encrypt</a>
+   */
+  String encryptedValue;
+
+  /** An automatically managed creation timestamp. */
+  CreateAutoTimestamp creationTime = CreateAutoTimestamp.create(null);
+
+  public String getKmsCryptoKeyVersionName() {
+    return kmsCryptoKeyVersionName;
+  }
+
+  public String getEncryptedValue() {
+    return encryptedValue;
+  }
+
+  /** A builder for constructing {@link KmsSecretRevision} entities, since they are immutable. */
+  public static class Builder extends Buildable.Builder<KmsSecretRevision> {
+
+    public Builder setKmsCryptoKeyVersionName(String kmsCryptoKeyVersionName) {
+      getInstance().kmsCryptoKeyVersionName = kmsCryptoKeyVersionName;
+      return this;
+    }
+
+    public Builder setEncryptedValue(String encryptedValue) {
+      checkArgument(
+          encryptedValue.length() <= MAX_SECRET_SIZE_BYTES,
+          "Secret is greater than %s bytes",
+          MAX_SECRET_SIZE_BYTES);
+
+      getInstance().encryptedValue = encryptedValue;
+      return this;
+    }
+
+    /**
+     * Set the parent {@link KmsSecret}.
+     *
+     * <p>The secret may not exist yet, so it is referred to by name rather than by reference.
+     */
+    public Builder setParent(String secretName) {
+      getInstance().parent = Key.create(getCrossTldKey(), KmsSecret.class, secretName);
+      return this;
+    }
+  }
+}
--- a/java/google/registry/repositories.bzl
+++ b/java/google/registry/repositories.bzl
@ -32,6 +32,7 @@ def domain_registry_repositories(
    omit_com_google_api_client_servlet=False,
    omit_com_google_apis_google_api_services_admin_directory=False,
    omit_com_google_apis_google_api_services_bigquery=False,
+    omit_com_google_apis_google_api_services_cloudkms=False,
    omit_com_google_apis_google_api_services_dns=False,
    omit_com_google_apis_google_api_services_drive=False,
    omit_com_google_apis_google_api_services_groupssettings=False,
@ -129,6 +130,8 @@ def domain_registry_repositories(
    com_google_apis_google_api_services_admin_directory()
  if not omit_com_google_apis_google_api_services_bigquery:
    com_google_apis_google_api_services_bigquery()
+  if not omit_com_google_apis_google_api_services_cloudkms:
+    com_google_apis_google_api_services_cloudkms()
  if not omit_com_google_apis_google_api_services_dns:
    com_google_apis_google_api_services_dns()
  if not omit_com_google_apis_google_api_services_drive:
@ -424,6 +427,18 @@ def com_google_apis_google_api_services_bigquery():
      deps = ["@com_google_api_client"],
  )

+def com_google_apis_google_api_services_cloudkms():
+  java_import_external(
+      name = "com_google_apis_google_api_services_cloudkms",
+      licenses = ["notice"],  # The Apache Software License, Version 2.0
+      jar_sha256 = "82e5995e9dd248d24edfeace90261c1be0e905ecbae0b2c5ee19bb06a3e7dfdf",
+      jar_urls = [
+          "http://domain-registry-maven.storage.googleapis.com/repo1.maven.org/maven2/com/google/apis/google-api-services-cloudkms/v1beta1-rev409-1.22.0/google-api-services-cloudkms-v1beta1-rev409-1.22.0.jar",
+          "http://repo1.maven.org/maven2/com/google/apis/google-api-services-cloudkms/v1beta1-rev409-1.22.0/google-api-services-cloudkms-v1beta1-rev409-1.22.0.jar",
+      ],
+      deps = ["@com_google_api_client"],
+  )
+
 def com_google_apis_google_api_services_dns():
  java_import_external(
      name = "com_google_apis_google_api_services_dns",