Overview:
Cloud-native systems are becoming increasingly interconnected. Whether you’re building microservices, cross-cloud pipelines, or hybrid applications, secure message delivery is a critical requirement.
Google Cloud Pub/Sub is a fantastic messaging backbone, but by default, messages rely on IAM and TLS in transit — which is great, but not always enough for sensitive workloads that demand end-to-end encryption.
That’s where secure-pubsub-bridge comes in.
It’s a lightweight Node.js library that adds an extra layer of security by encrypting Pub/Sub messages with RSA public-key cryptography before publishing. On the subscriber side, you decrypt messages with your private key, ensuring that only trusted consumers can see the payload.
Features
RSA-based Encryption — Protects sensitive data beyond standard TLS.
Encrypted Publish — Seamlessly publish encrypted messages to Pub/Sub topics.
Secure Subscribe & Decrypt — Automatically decrypt messages when subscribing.
Key Management — Generate RSA key pairs for your apps.
Cloud-Native — Ideal for GCP services, Cloud Run, or multi-cloud bridges.
Installation
npm install secure-pubsub-bridge
Usage
- Generate RSA Key Pair
const { generateKeyPair } = require('secure-pubsub-bridge');
const keys = generateKeyPair();
console.log("Public Key:", keys.publicKey);
// Printed for demonstration only; keep the private key out of real service logs.
console.log("Private Key:", keys.privateKey);
This gives you PEM-formatted RSA keys. You’ll typically store them in Secret Manager or as environment variables.
- Publish an Encrypted Message
const { publishEncryptedMessage } = require('secure-pubsub-bridge');
(async () => {
  await publishEncryptedMessage('my-topic', { secret: 'data' });
})().catch(console.error);
Instead of plain JSON, your payload is encrypted before it leaves your service.
- Subscribe and Decrypt
const { subscribeAndDecrypt } = require('secure-pubsub-bridge');
subscribeAndDecrypt('my-subscription', (data) => {
  console.log('Decrypted Data:', data);
});
Consumers automatically decrypt messages using their private key, giving you true end-to-end confidentiality.
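The publish and subscribe steps above, as an added example that is not secure-pubsub-bridge's own code: it uses only Node's built-in crypto module and goes one step beyond plain RSA by wrapping an AES-256-GCM session key (the extension this post lists as a welcome contribution), because direct RSA encryption rejects payloads larger than the key size allows. The 2048-bit key, OAEP/SHA-256 padding, envelope field names and function names are assumptions for illustration.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for PUBLIC_KEY / PRIVATE_KEY (2048 bits is an assumption).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
// Assumed padding: OAEP with SHA-256, which caps direct RSA input at 190 bytes for this key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Failure mode: encrypting the JSON directly with RSA only works for small payloads.
function rsaDirectFits(obj, pubPem) {
  try {
    crypto.publicEncrypt({ key: pubPem, ...OAEP }, Buffer.from(JSON.stringify(obj)));
    return true;
  } catch {
    return false; // payload exceeds what the key can encrypt
  }
}

// Publisher side: encrypt any-size JSON with a one-time AES-256-GCM key,
// then wrap that key with the subscriber's RSA public key.
function sealPayload(obj, pubPem) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(obj), 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: pubPem, ...OAEP }, sessionKey).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Subscriber side: unwrap the session key, then decrypt; final() throws if anything was altered.
function openPayload(env, privPem) {
  const key = crypto.privateDecrypt({ key: privPem, ...OAEP }, Buffer.from(env.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(env.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(env.ciphertext, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}
```

The object returned by `sealPayload` is plain JSON, so it can be serialized into the Pub/Sub message data as-is.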
Environment Variables
PUBLIC_KEY="-----BEGIN PUBLIC KEY-----..."
PRIVATE_KEY="-----BEGIN PRIVATE KEY-----..."
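Set these before running your service so the library can load the keys it uses to encrypt and decrypt. RSA encryption uses only the public key; the private key is what decrypts, so it is the one to guard.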
Why Use This?
Defense in Depth: Even if Pub/Sub logs, IAM roles, or transport security are compromised, your payloads remain ciphertext that only the private-key holder can read.
Regulatory Compliance: Helps meet requirements for HIPAA, PCI-DSS, or GDPR by ensuring sensitive data isn’t transmitted in the clear.
Multi-Cloud Messaging: Securely bridge Google Cloud services with AWS, Azure, or on-prem systems.
Simplicity: Just drop in a few lines of code — no need to reinvent crypto pipelines.
Example Use Cases
Healthcare: Transmitting patient data between cloud services securely.
Finance: Sending transaction events without exposing raw payloads.
IoT: Encrypting device telemetry before it hits your processing pipeline.
Hybrid Cloud: Secure messaging between on-prem systems and GCP Pub/Sub.
License
MIT © 2025 Raghava Chellu
GitHub
https://github.com/RaghavaCh440/secure-pubsub-bridge
Try integrating it with Cloud Run or Workflows for secure, automated pipelines.
Contribute! PRs are welcome for adding support for AES session keys or KMS integration.