public EncryptionCosmosClient( CosmosClient cosmosClient, IKeyEncryptionKeyResolver keyEncryptionKeyResolver, string keyEncryptionKeyResolverName, TimeSpan?keyCacheTimeToLive) { this.cosmosClient = cosmosClient ?? throw new ArgumentNullException(nameof(cosmosClient)); this.KeyEncryptionKeyResolver = keyEncryptionKeyResolver ?? throw new ArgumentNullException(nameof(keyEncryptionKeyResolver)); this.KeyEncryptionKeyResolverName = keyEncryptionKeyResolverName ?? throw new ArgumentNullException(nameof(keyEncryptionKeyResolverName)); this.clientEncryptionKeyPropertiesCacheByKeyId = new AsyncCache <string, ClientEncryptionKeyProperties>(); this.EncryptionKeyStoreProviderImpl = new EncryptionKeyStoreProviderImpl(keyEncryptionKeyResolver, keyEncryptionKeyResolverName); keyCacheTimeToLive ??= TimeSpan.FromHours(1); if (EncryptionCosmosClient.EncryptionKeyCacheSemaphore.Wait(-1)) { try { // We pick the minimum between the existing and passed in value given this is a static cache. // This also means that the maximum cache duration is the originally initialized value for ProtectedDataEncryptionKey.TimeToLive which is 2 hours. if (keyCacheTimeToLive < ProtectedDataEncryptionKey.TimeToLive) { ProtectedDataEncryptionKey.TimeToLive = keyCacheTimeToLive.Value; } } finally { EncryptionCosmosClient.EncryptionKeyCacheSemaphore.Release(1); } } }
internal AzureKeyVaultXmlEncryptor(IKeyEncryptionKeyResolver client, string keyId, RandomNumberGenerator randomNumberGenerator) { _client = client; _keyId = keyId; _randomNumberGenerator = randomNumberGenerator; }
// </Main> private static CosmosClient CreateClientInstance( IConfigurationRoot configuration, IKeyEncryptionKeyResolver keyResolver) { string endpoint = configuration["EndPointUrl"]; if (string.IsNullOrEmpty(endpoint)) { throw new ArgumentNullException("Please specify a valid endpoint in the appSettings.json"); } string authKey = configuration["AuthorizationKey"]; if (string.IsNullOrEmpty(authKey) || string.Equals(authKey, "Super secret key")) { throw new ArgumentException("Please specify a valid AuthorizationKey in the appSettings.json"); } CosmosClientOptions options = new CosmosClientOptions { AllowBulkExecution = true, }; CosmosClient encryptionCosmosClient = new CosmosClient(endpoint, authKey, options); // enable encryption support on the cosmos client. return(encryptionCosmosClient.WithEncryption(keyResolver, KeyEncryptionKeyResolverName.AzureKeyVault)); }
/// <summary> /// Provides an instance of CosmosClient with support for performing operations involving client-side encryption. /// </summary> /// <param name="cosmosClient">CosmosClient instance on which encryption support is needed.</param> /// <param name="keyEncryptionKeyResolver">Resolver that allows interaction with key encryption keys.</param> /// <param name="keyEncryptionKeyResolverName">Name of the resolver, for example <see cref="KeyEncryptionKeyResolverName.AzureKeyVault" />.</param> /// <param name="keyCacheTimeToLive">Time for which raw data encryption keys are cached in-memory. Defaults to 1 hour.</param> /// <returns>CosmosClient instance with support for performing operations involving client-side encryption.</returns> /// <example> /// This example shows how to get instance of CosmosClient with support for performing operations involving client-side encryption. /// /// <code language="c#"> /// <![CDATA[ /// Azure.Core.TokenCredential tokenCredential = new Azure.Identity.DefaultAzureCredential(); /// Azure.Core.Cryptography.IKeyEncryptionKeyResolver keyResolver = new Azure.Security.KeyVault.Keys.Cryptography.KeyResolver(tokenCredential); /// CosmosClient client = (new CosmosClient(endpoint, authKey)).WithEncryption(keyResolver, KeyEncryptionKeyResolverName.AzureKeyVault); /// Container container = client.GetDatabase("databaseId").GetContainer("containerId"); /// ]]> /// </code> /// </example> /// <remarks> /// See <see href="https://aka.ms/CosmosClientEncryption">client-side encryption documentation</see> for more details. /// </remarks> public static CosmosClient WithEncryption( this CosmosClient cosmosClient, IKeyEncryptionKeyResolver keyEncryptionKeyResolver, string keyEncryptionKeyResolverName, TimeSpan?keyCacheTimeToLive = null) { if (keyEncryptionKeyResolver == null) { throw new ArgumentNullException(nameof(keyEncryptionKeyResolver)); } if (keyEncryptionKeyResolverName == null) { throw new ArgumentNullException(nameof(keyEncryptionKeyResolverName)); } if (cosmosClient == null) { throw new ArgumentNullException(nameof(cosmosClient)); } return(new EncryptionCosmosClient(cosmosClient, keyEncryptionKeyResolver, keyEncryptionKeyResolverName, keyCacheTimeToLive)); }
public EncryptionKeyStoreProviderImpl(IKeyEncryptionKeyResolver keyEncryptionKeyResolver, string providerName) { this.keyEncryptionKeyResolver = keyEncryptionKeyResolver; this.ProviderName = providerName; this.DataEncryptionKeyCacheTimeToLive = TimeSpan.Zero; }
public AzureKeyVaultXmlDecryptor(IServiceProvider serviceProvider) { _client = serviceProvider.GetService <IKeyEncryptionKeyResolver>(); }
private static async Task <byte[]> UnwrapKeyInternal(EncryptionData encryptionData, IKeyEncryptionKeyResolver keyResolver, bool async, CancellationToken cancellationToken) { IKeyEncryptionKey oldKey = async ? await keyResolver.ResolveAsync(encryptionData.WrappedContentKey.KeyId, cancellationToken).ConfigureAwait(false) : keyResolver.Resolve(encryptionData.WrappedContentKey.KeyId, cancellationToken); if (oldKey == default) { throw Errors.ClientSideEncryption.KeyNotFound(encryptionData.WrappedContentKey.KeyId); } return(async ? await oldKey.UnwrapKeyAsync( encryptionData.WrappedContentKey.Algorithm, encryptionData.WrappedContentKey.EncryptedKey, cancellationToken).ConfigureAwait(false) : oldKey.UnwrapKey( encryptionData.WrappedContentKey.Algorithm, encryptionData.WrappedContentKey.EncryptedKey, cancellationToken)); }
/// <summary> /// Configures the data protection system to protect keys with specified key in Azure KeyVault. /// </summary> /// <param name="builder">The builder instance to modify.</param> /// <param name="keyResolver">The <see cref="IKeyEncryptionKeyResolver"/> to use for Key Vault access.</param> /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param> /// <returns>The value <paramref name="builder"/>.</returns> public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, IKeyEncryptionKeyResolver keyResolver) { Argument.AssertNotNull(builder, nameof(builder)); Argument.AssertNotNull(keyResolver, nameof(keyResolver)); Argument.AssertNotNullOrEmpty(keyIdentifier, nameof(keyIdentifier)); builder.Services.AddSingleton <IKeyEncryptionKeyResolver>(keyResolver); builder.Services.Configure <KeyManagementOptions>(options => { options.XmlEncryptor = new AzureKeyVaultXmlEncryptor(keyResolver, keyIdentifier); }); return(builder); }
public AzureKeyVaultXmlEncryptor(IKeyEncryptionKeyResolver client, string keyId) : this(client, keyId, RandomNumberGenerator.Create()) { }
public ClientSideDecryptor(ClientSideEncryptionOptions options) { _potentialCachedIKeyEncryptionKey = options.KeyEncryptionKey; _keyResolver = options.KeyResolver; }