- # Encryption
-
- The example for encryption includes two individual examples for TLS and ALTS
- encryption mechanism respectively.
-
- ## Try it
-
- In each example's subdirectory:
-
- ```
- go run server/main.go
- ```
-
- ```
- go run client/main.go
- ```
-
- ## Explanation
-
- ### TLS
-
- TLS is a commonly used cryptographic protocol to provide end-to-end
- communication security. In the example, we show how to set up a server
- authenticated TLS connection to transmit RPC.
-
- In our `grpc/credentials` package, we provide several convenience methods to
- create grpc
- [`credentials.TransportCredentials`](https://godoc.org/google.golang.org/grpc/credentials#TransportCredentials)
- base on TLS. Refer to the
- [godoc](https://godoc.org/google.golang.org/grpc/credentials) for details.
-
- In our example, we use the public/private keys created ahead:
- * "server1.pem" contains the server certificate (public key).
- * "server1.key" contains the server private key.
- * "ca.pem" contains the certificate (certificate authority)
- that can verify the server's certificate.
-
- On server side, we provide the paths to "server1.pem" and "server1.key" to
- configure TLS and create the server credential using
- [`credentials.NewServerTLSFromFile`](https://godoc.org/google.golang.org/grpc/credentials#NewServerTLSFromFile).
-
- On client side, we provide the path to the "ca.pem" to configure TLS and create
- the client credential using
- [`credentials.NewClientTLSFromFile`](https://godoc.org/google.golang.org/grpc/credentials#NewClientTLSFromFile).
- Note that we override the server name with "x.test.youtube.com", as the server
- certificate is valid for *.test.youtube.com but not localhost. It is solely for
- the convenience of making an example.
-
- Once the credentials have been created at both sides, we can start the server
- with the just created server credential (by calling
- [`grpc.Creds`](https://godoc.org/google.golang.org/grpc#Creds)) and let client dial
- to the server with the created client credential (by calling
- [`grpc.WithTransportCredentials`](https://godoc.org/google.golang.org/grpc#WithTransportCredentials))
-
- And finally we make an RPC call over the created `grpc.ClientConn` to test the secure
- connection based upon TLS is successfully up.
-
- ### ALTS
-
- ALTS is the Google's Application Layer Transport Security, which supports mutual
- authentication and transport encryption. Note that ALTS is currently only
- supported on Google Cloud Platform, and therefore you can only run the example
- successfully in a GCP environment. In our example, we show how to initiate a
- secure connection that is based on ALTS.
-
- Unlike TLS, ALTS makes certificate/key management transparent to user. So it is
- easier to set up.
-
- On server side, first call
- [`alts.DefaultServerOptions`](https://godoc.org/google.golang.org/grpc/credentials/alts#DefaultServerOptions)
- to get the configuration for alts and then provide the configuration to
- [`alts.NewServerCreds`](https://godoc.org/google.golang.org/grpc/credentials/alts#NewServerCreds)
- to create the server credential based upon alts.
-
- On client side, first call
- [`alts.DefaultClientOptions`](https://godoc.org/google.golang.org/grpc/credentials/alts#DefaultClientOptions)
- to get the configuration for alts and then provide the configuration to
- [`alts.NewClientCreds`](https://godoc.org/google.golang.org/grpc/credentials/alts#NewClientCreds)
- to create the client credential based upon alts.
-
- Next, same as TLS, start the server with the server credential and let client
- dial to server with the client credential.
-
- Finally, make an RPC to test the secure connection based upon ALTS is
- successfully up.
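Review bot: the server-name override caveat (the client overrides the server name with "x.test.youtube.com" because the example certificate is valid for *.test.youtube.com but not localhost, "solely for the convenience of making an example") is the one piece of this README that a reader of the example code cannot reconstruct from the code alone, and this deletion drops it with no visible replacement; if the `server/main.go` and `client/main.go` examples stay, that note, the file roles of "server1.pem"/"server1.key"/"ca.pem", and the distinction that the TLS example is server-authenticated only while ALTS supports mutual authentication should be preserved, for instance as comments next to the credential setup in `client/main.go` or in whatever document replaces this one. If the text is being relocated rather than dropped, also fix the wording defects carried in the removed lines: "base on TLS" should read "based on TLS", "ALTS is the Google's Application Layer Transport Security" should read "ALTS is Google's ...", and "transparent to user" should read "transparent to the user".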