We are excited to announce the launch of lockboxkms, released on October 20, 2024. lockboxkms is a lightweight, web-based utility designed to simplify how you encrypt sensitive data using the Google Cloud Key Management Service (KMS). By providing a streamlined interface for encryption, lockboxkms removes the friction of interacting with complex cloud consoles or command-line tools for everyday encryption tasks.

What it does

lockboxkms serves as a dedicated “encryption portal” for your team. It is intentionally designed as a one-way utility: it allows users to encrypt data but does not provide a way to decrypt it. This architecture ensures that while encryption is accessible to authorized users, the decryption keys remain protected and usable only by your secure backend processes.

Key capabilities include:

  • Seamless Key Selection: Easily browse and select the appropriate symmetric encryption key from your configured GCP KMS key ring.
  • Instant Encryption: Encrypt plaintext (up to 64 KiB) with a few clicks.
  • Ready-to-Use Output: Receive your encrypted data as a base64-encoded string, perfectly formatted for storage in configuration files, environment variables, or databases.
  • Responsive Experience: Built with Go and HTMX, the interface is fast and responsive, ensuring a smooth workflow.

Why it matters

Managing secrets often involves a trade-off between security and convenience. Manually using the GCP Console or CLI to encrypt values for deployment can be tedious and error-prone. lockboxkms bridges this gap by providing a user-friendly frontend that leverages the enterprise-grade security of Google Cloud KMS.

By decoupling the encryption interface from the decryption process, lockboxkms helps organizations maintain a strict security posture. Your developers or operators can securely encrypt secrets for the system without ever having the ability to decrypt them, adhering to the principle of least privilege.

Getting Started

lockboxkms is distributed as a Docker image, making it easy to deploy within your existing infrastructure.

To get started, configure the application using the following environment variables:

  • GCP_PROJECT: Your Google Cloud project ID.
  • KMS_LOCATION: The location of your KMS resources (defaults to us).
  • KMS_KEY_RING: The name of your KMS key ring (defaults to lockboxkms).

Security Recommendation: Since lockboxkms does not include built-in authentication, we strongly recommend deploying it behind a security layer such as Google Cloud Identity-Aware Proxy (IAP) or a similar reverse proxy to ensure only authorized personnel can access the encryption interface.

This post was AI-generated using the model unsloth/gemma-4-31B-it-GGUF:UD-Q5_K_XL. It was generated on April 12, 2026, based on the lockboxkms repository and the v0.1.0 release. Author: release-storyteller