/// <summary> /// Wraps a symmetric key and then unwrapps the wrapped key /// </summary> /// <param name="key"> key bundle </param> private static void WrapUnwrap(KeyBundle key) { KeyOperationResult wrappedKey; var algorithm = inputValidator.GetEncryptionAlgorithm(); byte[] symmetricKey = inputValidator.GetSymmetricKey(); string keyVersion = inputValidator.GetKeyVersion(); if (keyVersion != string.Empty) { var vaultAddress = inputValidator.GetVaultAddress(); string keyName = inputValidator.GetKeyName(true); wrappedKey = keyVaultClient.WrapKeyAsync(vaultAddress, keyName, keyVersion, algorithm, symmetricKey).GetAwaiter().GetResult(); } else { // If the key ID is not initialized get the key id from args var keyId = (key != null) ? key.Key.Kid : inputValidator.GetKeyId(); // Wrap the symmetric key wrappedKey = keyVaultClient.WrapKeyAsync(keyId, algorithm, symmetricKey).GetAwaiter().GetResult(); } Console.Out.WriteLine(string.Format("The symmetric key is wrapped using key id {0} and algorithm {1}", wrappedKey.Kid, algorithm)); // Unwrap the symmetric key var unwrappedKey = keyVaultClient.UnwrapKeyAsync(wrappedKey.Kid, algorithm, wrappedKey.Result).GetAwaiter().GetResult(); Console.Out.WriteLine(string.Format("The unwrapped key is{0}the same as the original key!", symmetricKey.SequenceEqual(unwrappedKey.Result) ? " " : " not ")); }
public async Task <string> UnwrapAsync(string encryptedKey) { var encryptedBytes = Convert.FromBase64String(encryptedKey); var decryptionResult = await client.UnwrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedBytes); var decryptedKey = Encoding.Unicode.GetString(decryptionResult.Result); return(decryptedKey); }
/// <summary> /// Unwraps a symmetric key using the specified wrapping key and algorithm. /// </summary> /// <param name="wrappingKey">The wrapping key</param> /// <param name="wrappedKey">The symmetric key to unwrap</param> /// <param name="algorithm">The algorithm to use. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param> /// <returns>The unwrapped key</returns> public static async Task <KeyOperationResult> UnwrapKeyAsync(this KeyVaultClient client, KeyBundle wrappingKey, byte[] wrappedKey, string algorithm) { if (wrappingKey == null) { throw new ArgumentNullException("wrappingKey"); } return(await client.UnwrapKeyAsync(wrappingKey.Key, wrappedKey, algorithm).ConfigureAwait(false)); }
/// <summary> /// Use symmetric encryption, then wrap the key using Key Vault /// </summary> /// <returns></returns> private static async Task EncryptAndWrap() { // In real-world, these could be concatenated and stored. byte[] iv; byte[] wrappedKey; Stream encryptedData = new MemoryStream(); string wrappingKeyIdentifier; string keyWrappingEncryptionAlgorithm = JsonWebKeyEncryptionAlgorithm.RSA15; // TODO: This (probably) doesn't use "AE" - update accordingly. // This creates a random key and initialisation vector (IV) and encrypts the data using (var encryptingAes = Aes.Create()) { iv = encryptingAes.IV; var encryptor = encryptingAes.CreateEncryptor(); using (var encryptingStream = new CryptoStream(encryptedData, encryptor, CryptoStreamMode.Write, true)) using (var writer = new StreamWriter(encryptingStream)) // NOTE: This is a text writer! Shouldn't do this if we're dealing with binary data! { writer.Write(inputText); writer.Flush(); encryptingStream.Flush(); } var wrappingResult = await keyVaultClient.WrapKeyAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key); wrappedKey = wrappingResult.Result; wrappingKeyIdentifier = wrappingResult.Kid; // TODO: Test if "wrap" and "encrypt" produce the same resul;t var encryptTest = await keyVaultClient.EncryptAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key); } encryptedData.Position = 0; // Decrypt var unwrapKeyResult = await keyVaultClient.UnwrapKeyAsync(wrappingKeyIdentifier, keyWrappingEncryptionAlgorithm, wrappedKey); var symmetricKey = unwrapKeyResult.Result; string decrypted; using (var decryptingAes = Aes.Create()) { decryptingAes.IV = iv; decryptingAes.Key = symmetricKey; var decryptor = decryptingAes.CreateDecryptor(); using (var decryptingStream = new CryptoStream(encryptedData, decryptor, CryptoStreamMode.Read)) using (var reader = new StreamReader(decryptingStream)) { decrypted = reader.ReadToEnd(); } } if (inputText != decrypted) { throw new Exception("Decrypted does not match encrypted"); } }
/// <summary> /// Wraps and unwraps symmetric key /// </summary> /// <param name="algorithm"> the wrao and unwrap algorithm </param> private void WrapAndUnwrap(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm, byte[] symmetricKeyBytes) { var wrapResult = client.WrapKeyAsync(keyIdentifier.BaseIdentifier, algorithm, symmetricKeyBytes).GetAwaiter().GetResult(); Assert.NotNull(wrapResult); Assert.NotNull(wrapResult.Kid); Assert.NotNull(wrapResult.Result); var unwrapResult = client.UnwrapKeyAsync(wrapResult.Kid, algorithm, wrapResult.Result).GetAwaiter().GetResult(); Assert.NotNull(unwrapResult); Assert.NotNull(unwrapResult.Kid); Assert.True(unwrapResult.Result.SequenceEqual(symmetricKeyBytes), "the symmetric key after unwrap should match the initial key"); }
public async Task <byte[]> UnwrapSymmetricKeyAsync(string keyId, byte[] wrappedSymmetricKey) { if (string.IsNullOrEmpty(keyId)) { throw new ArgumentNullException(keyId, "Key NickName is Null."); } if (wrappedSymmetricKey == null) { throw new ArgumentNullException(nameof(wrappedSymmetricKey), "Wrapped symetric key is Null."); } if (wrappedSymmetricKey.Length == 0) { throw new ArgumentNullException(nameof(wrappedSymmetricKey), "Wrapped symmetric key is Empty."); } var unwrappedKey = await KeyVaultClient.UnwrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, wrappedSymmetricKey); return(unwrappedKey.Result); }
private static async Task Process(string textToEncrypt) { var plainTextBytes = Encoding.UTF8.GetBytes(textToEncrypt); Console.WriteLine("\n===Encrypt Data==="); Console.WriteLine("- Generate data access key"); var dataAccessKey = new byte[32]; using (var random = new RNGCryptoServiceProvider()) { random.GetBytes(dataAccessKey); } Console.WriteLine("- Encrypt data using data access key"); byte[] encryptedBytes; using (var aes = new AesManaged()) { try { aes.GenerateIV(); aes.Key = dataAccessKey; aes.Mode = CipherMode.CBC; using (var cipherStream = new MemoryStream()) using (var encryptor = aes.CreateEncryptor(aes.Key, aes.IV)) using (var cryptostream = new CryptoStream(cipherStream, encryptor, CryptoStreamMode.Write)) { cipherStream.Write(aes.IV, 0, aes.IV.Length); cryptostream.Write(plainTextBytes, 0, plainTextBytes.Length); cryptostream.FlushFinalBlock(); encryptedBytes = cipherStream.ToArray(); } } finally { aes.Clear(); } } Console.WriteLine("- Wrap the data access key using public master key"); var wrappedKey = await _rsaKey.WrapKeyAsync(dataAccessKey, JsonWebKeyEncryptionAlgorithm.RSAOAEP); Console.WriteLine("- Serialize data to store in database"); var serializedData = JsonConvert.SerializeObject(encryptedBytes); var serializedWrappedKey = JsonConvert.SerializeObject(wrappedKey.Item1); Console.WriteLine("- Remove references to keys and data"); wrappedKey = null; encryptedBytes = null; Console.WriteLine("\n===Encryption Result==="); Console.WriteLine($"Encrypted data: {serializedData}"); Console.WriteLine($"KeyId: {_masterKeyId}"); Console.WriteLine($"Wrapped key: {serializedWrappedKey}"); Console.WriteLine("\n===Decrypt Data==="); Console.WriteLine("- Deserialize data and wrapped key from storage"); var dataBytes = JsonConvert.DeserializeObject <byte[]>(serializedData); var wrappedKeyBytes = JsonConvert.DeserializeObject <byte[]>(serializedWrappedKey); Console.WriteLine("- Get unwrapped data access key rom key vault"); var xyz = await _keyVaultClient.UnwrapKeyAsync(VaultBaseUrl, KeyName, _masterKeyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, wrappedKeyBytes); Console.WriteLine("- Decrypt data"); byte[] decryptedBytes; using (var aes = new AesManaged()) { try { byte[] iv = new byte[16]; Array.Copy(dataBytes, iv, 16); aes.Key = xyz.Result; aes.Mode = CipherMode.CBC; using (var plainTextStream = new MemoryStream()) using (var cryptoTransform = aes.CreateDecryptor(aes.Key, iv)) using (var cryptoStream = new CryptoStream(plainTextStream, cryptoTransform, CryptoStreamMode.Write)) { cryptoStream.Write(dataBytes, 16, dataBytes.Length - 16); cryptoStream.FlushFinalBlock(); decryptedBytes = plainTextStream.ToArray(); } } finally { aes.Clear(); } } var decryptedText = Encoding.UTF8.GetString(decryptedBytes); Console.WriteLine("\n===Decryption Result==="); Console.WriteLine($"{decryptedText}"); }
public Task <KeyOperationResult> UnwrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText) { return(_client.UnwrapKeyAsync(keyIdentifier, algorithm, cipherText)); }
private async Task KeysMigrationGuide() { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); KeyVaultClient client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback)); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { //@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); /*@@*/ provider = new AzureServiceTokenProvider(); //@@KeyVaultClient client = new KeyVaultClient( /*@@*/ client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback), httpClient); } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey // Create RSA key. NewKeyParameters createRsaParameters = new NewKeyParameters { Kty = JsonWebKeyType.Rsa, KeySize = 4096 }; KeyBundle rsaKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "rsa-key-name", createRsaParameters); // Create Elliptic-Curve key. NewKeyParameters createEcParameters = new NewKeyParameters { Kty = JsonWebKeyType.EllipticCurve, CurveName = "P-256" }; KeyBundle ecKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "ec-key-name", createEcParameters); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys IPage <KeyItem> page = await client.GetKeysAsync("https://myvault.vault.azure.net"); foreach (KeyItem item in page) { KeyIdentifier keyId = item.Identifier; KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name); } while (page.NextPageLink != null) { page = await client.GetKeysNextAsync(page.NextPageLink); foreach (KeyItem item in page) { KeyIdentifier keyId = item.Identifier; KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name); } } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey // Delete the key. DeletedKeyBundle deletedKey = await client.DeleteKeyAsync("https://myvault.vault.azure.net", "key-name"); // Purge or recover the deleted key if soft delete is enabled. if (deletedKey.RecoveryId != null) { DeletedKeyIdentifier deletedKeyId = deletedKey.RecoveryIdentifier; // Deleting a key does not happen immediately. Wait a while and check if the deleted key exists. while (true) { try { await client.GetDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name); // Finally deleted. break; } catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound) { // Not yet deleted... } } // Purge the deleted key. await client.PurgeDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name); // You can also recover the deleted key using RecoverDeletedKeyAsync. } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt // Encrypt a message. The plaintext must be small enough for the chosen algorithm. byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt"); KeyOperationResult encrypted = await client.EncryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, plaintext); // Decrypt the message. KeyOperationResult decrypted = await client.DecryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, encrypted.Result); string message = Encoding.UTF8.GetString(decrypted.Result); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap using (Aes aes = Aes.Create()) { // Use a symmetric key to encrypt large amounts of data, possibly streamed... // Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data. KeyOperationResult wrapped = await client.WrapKeyAsync( "https://myvault.vault.azure.net", "rsa-key-name", null, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, aes.Key); // Read the IV and the encrypted key from the payload, then unwrap the key. KeyOperationResult unwrapped = await client.UnwrapKeyAsync( "https://myvault.vault.azure.net", "rsa-key-name", null, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, wrapped.Result); aes.Key = unwrapped.Result; // Decrypt the payload with the symmetric key. } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap } }
public async Task <byte[]> UnwrapKey(byte[] wrappedKey) { var unwrappedKey = await _keyVaultClient.UnwrapKeyAsync(_vaultURL, ALGORITHM, wrappedKey); return(unwrappedKey.Result); }