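/// <summary>
/// Unwraps the key material in <paramref name="key"/> using the key-encryption key
/// (KEK) referenced by <c>key.KekId</c> and returns the plaintext key.
/// </summary>
/// <param name="key">Wrapped key record; must not be null.</param>
/// <returns>A <see cref="CryptoKey"/> carrying the decrypted key bytes.</returns>
/// <exception cref="InvalidOperationException">
/// The key is in a non-usable lifecycle state (Deactivated, Compromised, Destroyed or Suspended).
/// </exception>
/// <exception cref="KeyExpiredException">
/// The key has an expiry and it is at or before the current reading of the injected clock.
/// </exception>
private async Task<CryptoKey> DecryptAsync(KeyInfo key)
{
    Ensure.NotNull(key, nameof(key));

    // Refuse to unwrap a key that must not be used any more. Each case throws a
    // specific exception type instead of bare Exception so callers can filter on it;
    // all still derive from Exception, so existing catch (Exception) handlers are unaffected.
    // NOTE(review): this is a deny-list — any KeyStatus value not listed here
    // (including one added to the enum later) falls through and is treated as usable.
    // Fail-closed would be an allow-list on the status that marks a key as active;
    // that status name is not visible here, so this is left for the maintainer to confirm.
    switch (key.Status)
    {
        case KeyStatus.Deactivated:
            throw new InvalidOperationException($"key#{key.Id} is deactivated");
        case KeyStatus.Compromised:
            // Message typo fixed ("may not longer" -> "may no longer").
            throw new InvalidOperationException($"key#{key.Id} was compromised and may no longer be used");
        case KeyStatus.Destroyed:
            throw new InvalidOperationException($"key#{key.Id} is destroyed");
        case KeyStatus.Suspended:
            throw new InvalidOperationException($"key#{key.Id} is suspended");
    }

    // Expiry is compared against the injected clock rather than the system clock.
    // A key expiring exactly now is treated as expired (inclusive bound).
    if (key.Expires != null && key.Expires <= clock.Observe())
    {
        throw new KeyExpiredException(key, key.Expires.Value);
    }

    // Resolve the KEK by id. The AAD is derived from the key record; presumably this
    // binds the wrapped blob to this particular record so a ciphertext copied from
    // another key fails to decrypt — confirm against GetAad()/the protector implementation.
    var kek = await protectorFactory.GetAsync(
        keyId: key.KekId.ToString(),
        aad: key.GetAad()
    );

    // Unwrap the stored key bytes with the KEK.
    var plaintext = await kek.DecryptAsync(key.Data);

    return new CryptoKey(
        id: key.Id.ToString(),
        value: plaintext
    );
}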