public BlobDemo(string storageConnectionString) { this.storageConnectionString = storageConnectionString; // This creates a "key resolver" that we can use to to encrypt and decrypt blobs keyResolver = new KeyVaultKeyResolver(GetAuthToken); }
private BlobEncryptionPolicy GetEncryptionPolicyForDownload() { var keyResolver = new KeyVaultKeyResolver(_keyVaultClient); var blobEncryptionPolicy = new BlobEncryptionPolicy(null, keyResolver); return(blobEncryptionPolicy); }
public FileStreamResult File(string filename) { var stockpickFormsAzurequeueConnectionstring = "Stockpick.Forms.AzureQueue.Connectionstring"; var connectionstring = Sitecore.Configuration.Settings.GetSetting(stockpickFormsAzurequeueConnectionstring); Microsoft.WindowsAzure.Storage.CloudStorageAccount storageAccount = Microsoft.WindowsAzure.Storage.CloudStorageAccount.Parse(connectionstring); var cloudBlobClient = storageAccount.CreateCloudBlobClient(); var blobContainer = cloudBlobClient.GetContainerReference("stockpickformsblob"); blobContainer.CreateIfNotExists(); var cloudResolver = new KeyVaultKeyResolver(Keyvault.GetToken); var url = Sitecore.Configuration.Settings.GetSetting("Stockpick.Forms.KeyFault.Key.URL"); if (string.IsNullOrEmpty(url)) { Log.Error("config key Stockpick.Forms.KeyFault.Key.URL is emty", this); } var key = cloudResolver.ResolveKeyAsync(url, CancellationToken.None).GetAwaiter().GetResult(); CloudBlockBlob blob = blobContainer.GetBlockBlobReference(filename); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; Stream blobStream = blob.OpenRead(null, options); return(new FileStreamResult(blobStream, "application/x-binary")); }
public async Task <KeyValuePair <string, MemoryStream> > DownloadDocumentAsync(Guid documentId, Guid customerId) { var storageAccount = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings["DocumentStore"].ConnectionString); var blobClient = storageAccount.CreateCloudBlobClient(); var container = blobClient.GetContainerReference(customerId.ToString().ToLower()); var dbContext = new DashDocsContext(); var document = await dbContext.Documents.SingleAsync(d => d.Id == documentId); var keyvaultResolver = new KeyVaultKeyResolver(GetToken); var encryptionPolicy = new BlobEncryptionPolicy(null, keyvaultResolver); var requestOptions = new BlobRequestOptions { EncryptionPolicy = encryptionPolicy }; var block = container.GetBlockBlobReference(document.BlobPath); var stream = new MemoryStream(); await block.DownloadToStreamAsync(stream, null, requestOptions, null); var content = new KeyValuePair <string, MemoryStream>(document.DocumentName, stream); return(content); }
public async Task KeyVault_KeyVaultKeyResolver_Secret256Base64() { // Arrange var client = CreateKeyVaultClient(); var vault = ConfigurationManager.AppSettings["VaultUrl"]; var keyBytes = new byte[256 >> 3]; new RNGCryptoServiceProvider().GetNonZeroBytes(keyBytes); var secret = await client.SetSecretAsync(vault, "TestSecret", Convert.ToBase64String(keyBytes), null, "application/octet-stream").ConfigureAwait(false); if (secret != null) { try { // ctor with client var resolver = new KeyVaultKeyResolver(client); var baseKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); var versionKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); // ctor with authentication callback resolver = new KeyVaultKeyResolver(GetAccessToken); baseKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); versionKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); // ctor with vault name and client resolver = new KeyVaultKeyResolver(vault, client); baseKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); versionKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); // ctor with vault name and authentication callback resolver = new KeyVaultKeyResolver(vault, GetAccessToken); baseKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); versionKey = await resolver.ResolveKeyAsync(secret.SecretIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); } finally { // Delete the key client.DeleteSecretAsync(vault, "TestSecret").GetAwaiter().GetResult(); } } }
public static IActionResult RunDecryptBlobFile( [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req, ILogger log, ExecutionContext executionContext) { log.LogInformation("DecryptBlobFile Custom Skill: C# HTTP trigger function processed a request."); string skillName = executionContext.FunctionName; IEnumerable <WebApiRequestRecord> requestRecords = WebApiSkillHelpers.GetRequestRecords(req); if (requestRecords == null) { return(new BadRequestObjectResult($"{skillName} - Invalid request record array.")); } // Set up access to keyvault to retrieve the key to decrypt the document with // Requires that this Azure Function has access via managed identity to the Keyvault where the key is stored. var azureServiceTokenProvider1 = new AzureServiceTokenProvider(); var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider1.KeyVaultTokenCallback)); KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(kv); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; WebApiSkillResponse response = WebApiSkillHelpers.ProcessRequestRecords(skillName, requestRecords, (inRecord, outRecord) => { string blobUrl = (inRecord.Data.TryGetValue("blobUrl", out object blobUrlObject) ? blobUrlObject : null) as string; string sasToken = (inRecord.Data.TryGetValue("sasToken", out object sasTokenObject) ? sasTokenObject : null) as string; if (string.IsNullOrWhiteSpace(blobUrl)) { outRecord.Errors.Add(new WebApiErrorWarningContract() { Message = $"Parameter '{nameof(blobUrl)}' is required to be present and a valid uri." }); return(outRecord); } CloudBlockBlob blob = new CloudBlockBlob(new Uri(WebApiSkillHelpers.CombineSasTokenWithUri(blobUrl, sasToken))); byte[] decryptedFileData; using (var np = new MemoryStream()) { blob.DownloadToStream(np, null, options, null); decryptedFileData = np.ToArray(); } FileReference decryptedFileReference = new FileReference() { data = Convert.ToBase64String(decryptedFileData) }; JObject jObject = JObject.FromObject(decryptedFileReference); jObject["$type"] = "file"; outRecord.Data["decrypted_file_data"] = jObject; return(outRecord); });
public async override Task ExecutePostProcessingAsync() { KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken); IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None); foreach (var file in FileData) { string fileName = Path.GetFileName(file.Headers.ContentDisposition.FileName.Trim('"')); var blob = _container.GetBlockBlobReference(Path.Combine(currentFilePath, fileName)); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; using (var stream = File.OpenRead(file.LocalFileName)) { await blob.UploadFromStreamAsync(stream, stream.Length, null, options, null); } Urls.Add(blob.Uri.AbsoluteUri); string ext = Path.GetExtension(fileName); if (ext == ".jpeg" || ext == ".jpg") { Image original = Image.FromFile(file.LocalFileName); float ratio = (float)original.Width / (float)original.Height; SizeF newSize = new SizeF(350 * ratio, 350); Image thumb = original.GetThumbnailImage((int)newSize.Width, (int)newSize.Height, null, IntPtr.Zero); string thumbName = Path.GetFileNameWithoutExtension(fileName) + "_thumb.jpg"; var thumbBlob = _container.GetBlockBlobReference(Path.Combine(currentFilePath, thumbName)); MemoryStream thumbStream = new MemoryStream(); thumb.Save(thumbStream, System.Drawing.Imaging.ImageFormat.Jpeg); thumbStream.Position = 0; await thumbBlob.UploadFromStreamAsync(thumbStream, thumbStream.Length, null, options, null); Urls.Add(thumbBlob.Uri.AbsoluteUri); } try { File.Delete(file.LocalFileName); } catch (Exception e) { } } }
public async Task KeyVault_KeyVaultKeyResolver_Key() { // Arrange var client = CreateKeyVaultClient(); var vault = ConfigurationManager.AppSettings["VaultUrl"]; var key = await client.CreateKeyAsync(vault, "TestKey", JsonWebKeyType.Rsa).ConfigureAwait(false); if (key != null) { try { // ctor with client var resolver = new KeyVaultKeyResolver(client); var baseKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); var versionKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); // ctor with authentication callback resolver = new KeyVaultKeyResolver(GetAccessToken); baseKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); versionKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); // ctor with vault name and client resolver = new KeyVaultKeyResolver(vault, client); baseKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); versionKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); // ctor with vault name and authentication callback resolver = new KeyVaultKeyResolver(vault, GetAccessToken); baseKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.BaseIdentifier, default(CancellationToken)).ConfigureAwait(false); versionKey = await resolver.ResolveKeyAsync(key.KeyIdentifier.Identifier, default(CancellationToken)).ConfigureAwait(false); Assert.Equal(baseKey.Kid, versionKey.Kid); } finally { // Delete the key client.DeleteKeyAsync(vault, "TestKey").GetAwaiter().GetResult(); } } }
public EncryptedFileContentRepository( string fileStorageKey, CloudBlobClient cloudBlobClient, IKeyVaultClient keyVaultClient, IBlobStorage blobStorage) { _fileStorageKey = fileStorageKey; _cloudBlobClient = cloudBlobClient; _blobStorage = blobStorage; _cloudResolver = new KeyVaultKeyResolver(keyVaultClient); }
private static async Task UploadAndDownloadBlobAsync(TenantInfo tenant) { var container = await GetBlobContainerAsync(tenant.ContainerName); var cloudResolver = new KeyVaultKeyResolver(GetTokenAsync); IKey key = await cloudResolver.ResolveKeyAsync(GetKeyUrl(tenant.KeyName), CancellationToken.None); CloudBlob blob = await UploadBlobAsync(container, key); await DownloadBlobAsync(blob, cloudResolver); }
private async Task <BlobEncryptionPolicy> GetEncryptionPolicyForUpload(EncryptedBlobAttribute config, string keyName, CancellationToken cancellationToken) { var kid = await _keyVaultClient.GetKidByName(config, keyName, cancellationToken) ?? throw new ArgumentException(nameof(EncryptedBlobAttribute.KeyName)); var keyResolver = new KeyVaultKeyResolver(_keyVaultClient); var key = await keyResolver.ResolveKeyAsync(kid, cancellationToken); var blobEncryptionPolicy = new BlobEncryptionPolicy(key, null); return(blobEncryptionPolicy); }
public async Task <HttpResponseMessage> Get(string imageId, bool thumb = false) { int id; if (string.IsNullOrEmpty(imageId) || !Int32.TryParse(imageId, out id)) { return(Request.CreateResponse(HttpStatusCode.BadRequest)); } ServiceData.Models.Photo found = _photoRepository.GetById(id); if (found == null) { return(Request.CreateResponse(HttpStatusCode.NotFound)); } ServiceData.Models.UserCondition foundCond = _conditionRepository.GetById(found.UserCondition.Id); if (foundCond.Owner.Email != User.Identity.Name) { return(Request.CreateResponse(HttpStatusCode.Forbidden)); } string target = (thumb) ? found.ThumbUrl : found.Url; CloudBlobContainer container = await GetBlobContainer(); Stream blobStream = new MemoryStream(); CloudBlob photoBlob = container.GetBlobReference(target.Replace(ConfidentialData.BlobStorageUrl, "")); KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken); IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; await photoBlob.DownloadToStreamAsync(blobStream, null, options, null); blobStream.Position = 0; HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK); response.Content = new StreamContent(blobStream); response.Content.Headers.ContentDisposition = new System.Net.Http.Headers.ContentDispositionHeaderValue("attachment"); response.Content.Headers.ContentDisposition.FileName = imageId + Path.GetExtension(target); string eventName = thumb ? "DownloadThumb" : "DownloadImage"; ServerUtils.LogTelemetryEvent(User.Identity.Name, eventName); return(response); }
private static async Task DownloadBlobAsync(CloudBlob blob, KeyVaultKeyResolver cloudResolver) { BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions { EncryptionPolicy = policy }; using (var np = File.Open("DownloadedData.txt", FileMode.Create)) { await blob.DownloadToStreamAsync(np, null, options, null); } }
static void Main(string[] args) { // This is standard code to interact with Blob storage. StorageCredentials creds = new StorageCredentials( CloudConfigurationManager.GetSetting("accountName"), CloudConfigurationManager.GetSetting("accountKey")); CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true); CloudBlobClient client = account.CreateCloudBlobClient(); CloudBlobContainer contain = client.GetContainerReference(CloudConfigurationManager.GetSetting("container")); contain.CreateIfNotExists(); // The Resolver object is used to interact with Key Vault for Azure Storage. // This is where the GetToken method from above is used. KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken); //Encrypt Blob and upload // Retrieve the key that you created previously. // The IKey that is returned here is an RsaKey. var rsa = cloudResolver.ResolveKeyAsync( "https://phupaa-vault.vault.azure.net/keys/key01", CancellationToken.None).GetAwaiter().GetResult(); // Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; // Reference a block blob. CloudBlockBlob blob = contain.GetBlockBlobReference("MyFile.txt"); // Upload using the UploadFromStream method. using (var stream = System.IO.File.OpenRead(@"C:\Temp\MyFile.txt")) blob.UploadFromStream(stream, stream.Length, null, options, null); //Decrypt blob // In this case, we will not pass a key and only pass the resolver because // this policy will only be used for downloading / decrypting. BlobEncryptionPolicy policy2 = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options2 = new BlobRequestOptions() { EncryptionPolicy = policy }; using (var np = File.Open(@"C:\temp\MyFileDecrypted.txt", FileMode.Create)) blob.DownloadToStream(np, null, options, null); }
public void uploadBlob() { // This is standard code to interact with Blob storage. StorageCredentials creds = new StorageCredentials( ConfigurationManager.AppSettings["accountName"], ConfigurationManager.AppSettings["accountKey"]); CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true); CloudBlobClient client = account.CreateCloudBlobClient(); CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]); contain.CreateIfNotExistsAsync(); // The Resolver object is used to interact with Key Vault for Azure Storage. // This is where the GetToken method from above is used. cloudResolver = new KeyVaultKeyResolver(GetToken); }
//Read Encrypted blob to a Stream from a container public Stream GetBlobStream(string BlobName, string ContainerName, KeyVaultKeyResolver KeyResolver) { CloudBlobContainer container = GetContainerRefference(ContainerName); // In this case, we will not pass a key and only pass the resolver because // this policy will only be used for downloading / decrypting. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, KeyResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; // Retrieve reference to a blob named "myblob". CloudBlockBlob blob = container.GetBlockBlobReference(BlobName); return(blob.OpenRead(null, options, null)); }
internal static T Decrypt <T>(string encryptedData, KeyVaultKeyResolver cloudResolver, string keyId) { CipherData cb = Deserialize <CipherData>(encryptedData); IKey keyEncryptionKey = null; try { keyEncryptionKey = cloudResolver.ResolveKeyAsync(keyId, CancellationToken.None).GetAwaiter().GetResult(); var currentKeyVersion = new Uri(keyEncryptionKey.Kid).Segments.Last(); if (!currentKeyVersion.Equals(cb.KeyVersion)) { Console.WriteLine("Data encrypted with different key version: {0} vs {1}", currentKeyVersion, cb.KeyVersion); // version doesn't match - go get the correct key version to unwrap with. string newKey = keyId + "/" + cb.KeyVersion; Console.WriteLine("Retrieving different key: " + newKey); try { keyEncryptionKey = cloudResolver.ResolveKeyAsync(newKey, CancellationToken.None).GetAwaiter().GetResult(); } catch (AggregateException ae) { Console.WriteLine("Cloudresolver could not retrieve key, version '" + cb.KeyVersion + "': " + ae.Message); return(default(T)); } } // Unwrap Key using KeyVault byte[] aesKey = keyEncryptionKey.UnwrapKeyAsync(Convert.FromBase64String(cb.WrapedKey), cb.AlgorithmName, CancellationToken.None).GetAwaiter().GetResult(); string plainJson = Decrypt(Convert.FromBase64String(cb.CipherText), aesKey); using (var streamReader = new StringReader(plainJson)) { JsonReader jreader = new JsonTextReader(streamReader); return(new JsonSerializer().Deserialize <T>(jreader)); } } finally { if (keyEncryptionKey != null) { keyEncryptionKey.Dispose(); } } }
public async Task <ActionResult> Download(string imageId, bool thumb = false) { int id; if (string.IsNullOrEmpty(imageId) || !Int32.TryParse(imageId, out id)) { return(new HttpUnauthorizedResult()); } IReadWriteRepository <ServiceData.Models.Photo> _photoRepository = new PhotoRepository(); IReadWriteRepository <ServiceData.Models.UserCondition> _condRepository = new UserConditionsRepository(); ServiceData.Models.Photo found = _photoRepository.GetById(id); if (found == null) { return(new HttpNotFoundResult()); } ServiceData.Models.UserCondition foundCond = _condRepository.GetById(found.UserCondition.Id); if (!IsSharedOrOwned(foundCond)) { return(new HttpUnauthorizedResult()); } string target = (thumb) ? found.ThumbUrl : found.Url; CloudBlobContainer container = await UploadController.GetBlobContainer(); Stream blobStream = new MemoryStream(); CloudBlob photoBlob = container.GetBlobReference(target.Replace(ConfidentialData.BlobStorageUrl, "")); KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken); IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; await photoBlob.DownloadToStreamAsync(blobStream, null, options, null); blobStream.Position = 0; return(File(blobStream, "image/jpeg")); }
private static async Task <string> RetrieveAndDecrypt(CloudBlobContainer blobContainer, string id) { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var resolver = new KeyVaultKeyResolver(client); //no need to provide key vault key id - stored in blob meta data var policy = new BlobEncryptionPolicy(null, resolver); var options = new BlobRequestOptions() { EncryptionPolicy = policy }; var blobRef = blobContainer.GetBlockBlobReference(id); var ms = new MemoryStream(); await blobRef.DownloadToStreamAsync(ms, null, options, null); return(Encoding.UTF8.GetString(ms.ToArray())); }
private void VerifyResolver(KeyVaultClient client, string vault, string baseIdentifier, string identifier) { // ctor with client var resolver = new KeyVaultKeyResolver(client); var baseKey = resolver.ResolveKeyAsync(baseIdentifier, default(CancellationToken)).GetAwaiter().GetResult(); var versionKey = resolver.ResolveKeyAsync(identifier, default(CancellationToken)).GetAwaiter().GetResult(); Assert.Equal(baseKey.Kid, versionKey.Kid); // NOTE: ctor with authentication callback. We cannot test this ctor unless // we are running in live mode as it will create a new KeyVaultClient. if (HttpMockServer.Mode == HttpRecorderMode.Record) { resolver = new KeyVaultKeyResolver(fixture.GetAccessToken); baseKey = resolver.ResolveKeyAsync(baseIdentifier, default(CancellationToken)).GetAwaiter().GetResult(); versionKey = resolver.ResolveKeyAsync(identifier, default(CancellationToken)).GetAwaiter().GetResult(); Assert.Equal(baseKey.Kid, versionKey.Kid); } // ctor with vault name and client resolver = new KeyVaultKeyResolver(vault, client); baseKey = resolver.ResolveKeyAsync(baseIdentifier, default(CancellationToken)).GetAwaiter().GetResult(); versionKey = resolver.ResolveKeyAsync(identifier, default(CancellationToken)).GetAwaiter().GetResult(); Assert.Equal(baseKey.Kid, versionKey.Kid); // NOTE: ctor with authentication callback. We cannot test this ctor unless // we are running in live mode as it will create a new KeyVaultClient. if (HttpMockServer.Mode == HttpRecorderMode.Record) { resolver = new KeyVaultKeyResolver(vault, fixture.GetAccessToken); baseKey = resolver.ResolveKeyAsync(baseIdentifier, default(CancellationToken)).GetAwaiter().GetResult(); versionKey = resolver.ResolveKeyAsync(identifier, default(CancellationToken)).GetAwaiter().GetResult(); Assert.Equal(baseKey.Kid, versionKey.Kid); } baseKey.Dispose(); versionKey.Dispose(); }
//carregar blog e chave do keyvault public void Start() { try { log.LogInformation("iniciando procesos de criação da chave base64"); log.LogInformation("recebendo parametros [accounteName] e [accountKey]"); // This is standard code to interact with Blob storage. var creds = new StorageCredentials(app.AccountName, app.AccountKey); var account = new CloudStorageAccount(creds, useHttps: true); log.LogInformation($"credencial validada para a conta {app.AccountName}"); log.LogInformation("criando cliente de conexão ao storage"); var client = account.CreateCloudBlobClient(); log.LogInformation("cliente conectado"); log.LogInformation("localizando container de referencia"); log.LogInformation("recebendo parametros [container]"); var contain = client.GetContainerReference(app.Container); contain.CreateIfNotExists(); log.LogInformation($"container localizado para {app.Container}"); // The Resolver object is used to interact with Key Vault for Azure Storage. // This is where the GetToken method from above is used. var cloudResolver = new KeyVaultKeyResolver(GetToken); RetriveRSA(cloudResolver, contain); } catch (Exception e) { log.LogError(e, "falha ao processar informações da chave, verifique os dados e tente novamente"); } }
// Encrypts an Object and retunrs a JSON object holding the encryption internal static string Encrypt(object o, KeyVaultKeyResolver cloudResolver, string keyId) { string jsonStringToEncrypt = Utils.Serialize(o); // Generate Client Encryption Key (CEK) using (var random = new RNGCryptoServiceProvider()) { var aeskey = new byte[KEY_SIZE_BYTES]; try { // Generate an 256 bit AES Key random.GetBytes(aeskey); // Encrypt the plaintext string cipherText = Convert.ToBase64String(Encrypt(jsonStringToEncrypt, aeskey)); Console.WriteLine("Retrieving key: " + keyId); using (var keyEncryptionKey = cloudResolver.ResolveKeyAsync(keyId, CancellationToken.None).GetAwaiter().GetResult()) { Console.WriteLine("Retrived key: " + keyEncryptionKey.Kid); // Take the AES Key we Generated and Encrypt it using KeyVault to wrap it. Tuple <byte[], string> wrappedKey = keyEncryptionKey.WrapKeyAsync(aeskey, null /* algorithm */, CancellationToken.None).GetAwaiter().GetResult(); string keyVersion = new Uri(keyEncryptionKey.Kid).Segments.Last(); CipherData cb = new CipherData { AlgorithmName = wrappedKey.Item2, WrapedKey = Convert.ToBase64String(wrappedKey.Item1), CipherText = cipherText, KeyVersion = keyVersion }; // TODO: Determine if the CipherData should contain a signature to prevent tampering. // Need to enumerate the risks. return(Utils.Serialize(cb)); } } finally { // Clear out the key material from memory Array.Clear(aeskey, 0, aeskey.Length); } } }
private void RetriveRSA(KeyVaultKeyResolver cloudResolver, CloudBlobContainer contain) { log.LogInformation($"validando chave externa de integração rsa"); log.LogInformation("recebendo parametros [endpoint]"); // Retrieve the key that you created previously. // The IKey that is returned here is an RsaKey. var rsa = cloudResolver.ResolveKeyAsync(app.Endpoint, CancellationToken.None) .GetAwaiter().GetResult(); log.LogInformation($"chave rsa gerada com sucesso"); log.LogInformation($"algoritimo {rsa.DefaultEncryptionAlgorithm}"); log.LogInformation($"hash {rsa.DefaultKeyWrapAlgorithm}"); log.LogInformation($"assinatura {rsa.DefaultSignatureAlgorithm}"); // Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy. var policy = new BlobEncryptionPolicy(rsa, null); var options = new BlobRequestOptions() { EncryptionPolicy = policy }; log.LogInformation($"iniciando teste de upload no blob com autenticação segura"); log.LogInformation($"validando referencia do blob para File.txt"); // Reference a block blob. CloudBlockBlob blob = contain.GetBlockBlobReference("File.txt"); log.LogInformation($"iniciando processo de upload"); // Upload using the UploadFromStream method. using var stream = File.OpenRead(Directory.GetCurrentDirectory() + "\\File.txt"); blob.UploadFromStream(stream, stream.Length, null, options, null); log.LogInformation($"valide se o arquivo File.txt é "); }
private static async Task EncryptAndStore(CloudBlobContainer blobContainer, string text, string id) { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var resolver = new KeyVaultKeyResolver(client); var rsa = await resolver.ResolveKeyAsync(Environment.GetEnvironmentVariable("RsaVaultKey"), CancellationToken.None); var policy = new BlobEncryptionPolicy(rsa, null); var options = new BlobRequestOptions() { EncryptionPolicy = policy }; var blob = blobContainer.GetBlockBlobReference(id); var bytes = Encoding.UTF8.GetBytes(text); using (Stream stream = new MemoryStream(bytes)) { await blob.UploadFromStreamAsync(stream, bytes.Length, null, options, null); } }
private void StoreFiles(CloudStorageAccount storageAccount, FormSubmitContext formSubmitContext, IEnumerable <Guid> fileIds) { var cloudBlobClient = storageAccount.CreateCloudBlobClient(); var blob = cloudBlobClient.GetContainerReference("stockpickformsblob"); blob.CreateIfNotExists(); var cloudResolver = new KeyVaultKeyResolver(Keyvault.GetToken); var url = Sitecore.Configuration.Settings.GetSetting("Stockpick.Forms.KeyFault.Key.URL"); if (string.IsNullOrEmpty(url)) { Log.Error("config key Stockpick.Forms.KeyFault.Key.URL is emty", this); } var key = cloudResolver.ResolveKeyAsync(url, CancellationToken.None).GetAwaiter().GetResult(); foreach (var gui in fileIds) { var file = FileStorageProvider.GetFile(gui); if (file != null) { Log.Info("Upload to Cloud storage file " + file.FileInfo.FileName + " as " + gui.ToString() + " using key kid:" + key.Kid, this); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; CloudBlockBlob cloudBlockBlob = blob.GetBlockBlobReference(gui.ToString()); using (var filestream = file.File) { cloudBlockBlob.UploadFromStream(filestream, null, options, null); } } } }
public async Task <string> UploadDocumentAsync(HttpPostedFileBase documentFile, Guid customerId, Guid documentId) { var storageAccount = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings["DocumentStore"].ConnectionString); var blobClient = storageAccount.CreateCloudBlobClient(); var container = blobClient.GetContainerReference(customerId.ToString().ToLower()); await container.CreateIfNotExistsAsync(); var keyvaultResolver = new KeyVaultKeyResolver(GetToken); var key = await keyvaultResolver.ResolveKeyAsync(KEY_URI, CancellationToken.None); var encryptionPolicy = new BlobEncryptionPolicy(key, null); var requestOptions = new BlobRequestOptions { EncryptionPolicy = encryptionPolicy }; var blobRelativePath = documentId.ToString().ToLower() + "/" + Path.GetFileName(documentFile.FileName).ToLower(); var block = container.GetBlockBlobReference(blobRelativePath); await block.UploadFromStreamAsync(documentFile.InputStream, documentFile.InputStream.Length, null, requestOptions, null); return(blobRelativePath); }
// Required Nuget Pacakges: // // PM> Install-Package Microsoft.Azure.KeyVault // PM> Install-Package Microsoft.Azure.KeyVault.Extensions // PM> This is the latest stable release for ADAL // // (AuthenticationContext, ClientCredential, AuthenticationResult) // // PM> Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202 static void Main(string[] args) { // Get a ref to the cloudResolver used to unwrap AES key using RSA KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(Utils.GetToken); string keyId = ConfigurationManager.AppSettings["KeyUri"]; // Create an object to Serialize to JSON and then Encrypt CredentialData cb = new CredentialData { UserName = "******", Password = "******" }; Console.WriteLine("Object to encrypt..."); Console.WriteLine("UserName: "******" Password: "******"C:\code\temp\Nexosis-Wallpaper"; string fileToEncrypt = baseFileName + ".jpg"; string encryptedOutputFile = baseFileName + ".aes"; Console.WriteLine("Encrypting file: " + fileToEncrypt); string encryptedmetaData = Utils.EncryptFile(fileToEncrypt, encryptedOutputFile, cloudResolver, keyId); Console.WriteLine("Encrypted file: " + encryptedOutputFile); Console.WriteLine(encryptedmetaData); Console.WriteLine(); string decryptedOutput = encryptedOutputFile + "2.jpg"; Console.WriteLine("Decrypting file: " + encryptedOutputFile); Utils.DecryptFile(encryptedOutputFile, encryptedmetaData, decryptedOutput, cloudResolver, keyId); Console.WriteLine("Decrypted file: " + decryptedOutput); Console.WriteLine(); Console.WriteLine("Encrypting object..."); // Serialize and Encrypt string encryptedCredential = Utils.Encrypt(cb, cloudResolver, keyId); Console.WriteLine("Encrypted:"); Console.WriteLine(encryptedCredential); Console.WriteLine(); Console.WriteLine("Decrypting object..."); // Take an encrypted object Decrypt an deserialize back to obj type CredentialData cb2 = Utils.Decrypt <CredentialData>(encryptedCredential, cloudResolver, keyId); Console.WriteLine("UserName: "******" Password: "******"Decrypting stored data that has an older key version."); string decryptThis = File.ReadAllText("creds.json"); // Take an encrypted object Decrypt an deserialize back to obj type with different version CredentialData cb3 = Utils.Decrypt <CredentialData>(decryptThis, cloudResolver, keyId); if (cb3 != null) { Console.WriteLine("UserName: "******" Password: " + cb3.Password); } Console.ReadLine(); }
static void Main(string[] args) { Console.WriteLine("Blob encryption with Key Vault integration"); Console.WriteLine(); // Get the key ID from App.config if it exists. string keyID = CloudConfigurationManager.GetSetting("KeyID"); // If no key ID was specified, we will create a new secret in Key Vault. // To create a new secret, this client needs full permission to Key Vault secrets. // Once the secret is created, its ID can be added to App.config. Once this is done, // this client only needs read access to secrets. if (string.IsNullOrEmpty(keyID)) { Console.WriteLine("No secret specified in App.config."); Console.WriteLine("Please enter the name of a new secret to create in Key Vault."); Console.WriteLine("WARNING: This will delete any existing secret with the same name."); Console.Write("Name of the new secret to create [{0}]: ", DefaultSecretName); string newSecretName = Console.ReadLine().Trim(); if (string.IsNullOrEmpty(newSecretName)) { newSecretName = DefaultSecretName; } // Although it is possible to use keys (rather than secrets) stored in Key Vault, this prevents caching. // Therefore it is recommended to use secrets along with a caching resolver (see below). keyID = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret(newSecretName); Console.WriteLine(); Console.WriteLine("Created a secret with ID: {0}", keyID); Console.WriteLine("Copy the secret ID to App.config to reuse."); Console.WriteLine(); } // Retrieve storage account information from connection string // How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/ CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString(); CloudBlobClient client = storageAccount.CreateCloudBlobClient(); CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N")); // Construct a resolver capable of looking up keys and secrets stored in Key Vault. KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(EncryptionShared.KeyVaultUtility.GetAccessToken); // To demonstrate how multiple different types of key can be used, we also create a local key and resolver. // This key is temporary and won't be persisted. RsaKey rsaKey = new RsaKey("rsakey"); LocalResolver resolver = new LocalResolver(); resolver.Add(rsaKey); // If there are multiple key sources like Azure Key Vault and local KMS, set up an aggregate resolver as follows. // This helps users to define a plug-in model for all the different key providers they support. AggregateKeyResolver aggregateResolver = new AggregateKeyResolver() .Add(resolver) .Add(cloudResolver); // Set up a caching resolver so the secrets can be cached on the client. This is the recommended usage // pattern since the throttling targets for Storage and Key Vault services are orders of magnitude // different. CachingKeyResolver cachingResolver = new CachingKeyResolver(2, aggregateResolver); // Create a key instance corresponding to the key ID. This will cache the secret. IKey cloudKey = cachingResolver.ResolveKeyAsync(keyID, CancellationToken.None).GetAwaiter().GetResult(); try { container.Create(); int size = 5 * 1024 * 1024; byte[] buffer = new byte[size]; Random rand = new Random(); rand.NextBytes(buffer); // The first blob will use the key stored in Azure Key Vault. CloudBlockBlob blob = container.GetBlockBlobReference("blockblob1"); // Create the encryption policy using the secret stored in Azure Key Vault to be used for upload. BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(cloudKey, null); // Set the encryption policy on the request options. BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy }; Console.WriteLine("Uploading the 1st encrypted blob."); // Upload the encrypted contents to the blob. using (MemoryStream stream = new MemoryStream(buffer)) { blob.UploadFromStream(stream, size, null, uploadOptions); } // Download the encrypted blob. BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, cachingResolver); // Set the decryption policy on the request options. BlobRequestOptions downloadOptions = new BlobRequestOptions() { EncryptionPolicy = downloadPolicy }; Console.WriteLine("Downloading the 1st encrypted blob."); // Download and decrypt the encrypted contents from the blob. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream, null, downloadOptions); } // Upload second blob using the local key. blob = container.GetBlockBlobReference("blockblob2"); // Create the encryption policy using the local key. uploadPolicy = new BlobEncryptionPolicy(rsaKey, null); // Set the encryption policy on the request options. uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy }; Console.WriteLine("Uploading the 2nd encrypted blob."); // Upload the encrypted contents to the blob. using (MemoryStream stream = new MemoryStream(buffer)) { blob.UploadFromStream(stream, size, null, uploadOptions); } // Download the encrypted blob. The same policy and options created before can be used because the aggregate resolver contains both // resolvers and will pick the right one based on the key ID stored in blob metadata on the service. Console.WriteLine("Downloading the 2nd encrypted blob."); // Download and decrypt the encrypted contents from the blob. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream, null, downloadOptions); } Console.WriteLine("Press enter key to exit"); Console.ReadLine(); } finally { container.DeleteIfExists(); } }
public GlobalKeyResolver(KeyVaultProvider provider) { _provider = provider; _resolver = new KeyVaultKeyResolver(_provider.Client); }
static void Main(string[] args) { Console.WriteLine("Blob encryption with Key Vault integration demonstrating key rotation from Key 1 to Key 2"); Console.WriteLine(); // Create two secrets and obtain their IDs. This is normally a one-time setup step. // Although it is possible to use keys (rather than secrets) stored in Key Vault, this prevents caching. // Therefore it is recommended to use secrets along with a caching resolver (see below). string keyID1 = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret("KeyRotationSampleSecret1"); string keyID2 = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret("KeyRotationSampleSecret2"); // Retrieve storage account information from connection string // How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/ CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString(); CloudBlobClient client = storageAccount.CreateCloudBlobClient(); CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N")); // Construct a resolver capable of looking up keys and secrets stored in Key Vault. KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(EncryptionShared.KeyVaultUtility.GetAccessToken); // Set up a caching resolver so the secrets can be cached on the client. This is the recommended usage // pattern since the throttling targets for Storage and Key Vault services are orders of magnitude // different. CachingKeyResolver cachingResolver = new CachingKeyResolver(2, cloudResolver); // Create key instances corresponding to the key IDs. This will cache the secrets. IKey cloudKey1 = cachingResolver.ResolveKeyAsync(keyID1, CancellationToken.None).GetAwaiter().GetResult(); IKey cloudKey2 = cachingResolver.ResolveKeyAsync(keyID2, CancellationToken.None).GetAwaiter().GetResult(); // We begin with cloudKey1, and a resolver capable of resolving and caching Key Vault secrets. BlobEncryptionPolicy encryptionPolicy = new BlobEncryptionPolicy(cloudKey1, cachingResolver); client.DefaultRequestOptions.EncryptionPolicy = encryptionPolicy; client.DefaultRequestOptions.RequireEncryption = true; try { container.Create(); int size = 5 * 1024 * 1024; byte[] buffer1 = new byte[size]; byte[] buffer2 = new byte[size]; Random rand = new Random(); rand.NextBytes(buffer1); rand.NextBytes(buffer2); // Upload the first blob using the secret stored in Azure Key Vault. CloudBlockBlob blob = container.GetBlockBlobReference("blockblob1"); Console.WriteLine("Uploading Blob 1 using Key 1."); // Upload the encrypted contents to the first blob. using (MemoryStream stream = new MemoryStream(buffer1)) { blob.UploadFromStream(stream, size); } Console.WriteLine("Downloading and decrypting Blob 1."); // Download and decrypt the encrypted contents from the first blob. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream); } // At this point we will rotate our keys so new encrypted content will use the // second key. Note that the same resolver is used, as this resolver is capable // of decrypting blobs encrypted using either key. Console.WriteLine("Rotating the active encryption key to Key 2."); client.DefaultRequestOptions.EncryptionPolicy = new BlobEncryptionPolicy(cloudKey2, cachingResolver); // Upload the second blob using the key stored in Azure Key Vault. CloudBlockBlob blob2 = container.GetBlockBlobReference("blockblob2"); Console.WriteLine("Uploading Blob 2 using Key 2."); // Upload the encrypted contents to the second blob. using (MemoryStream stream = new MemoryStream(buffer2)) { blob2.UploadFromStream(stream, size); } Console.WriteLine("Downloading and decrypting Blob 2."); // Download and decrypt the encrypted contents from the second blob. using (MemoryStream outputStream = new MemoryStream()) { blob2.DownloadToStream(outputStream); } // Here we download and re-upload the first blob. This has the effect of updating // the blob to use the new key. using (MemoryStream memoryStream = new MemoryStream()) { Console.WriteLine("Downloading and decrypting Blob 1."); blob.DownloadToStream(memoryStream); memoryStream.Seek(0, SeekOrigin.Begin); Console.WriteLine("Re-uploading Blob 1 using Key 2."); blob.UploadFromStream(memoryStream); } // For the purposes of demonstration, we now override the encryption policy to only recognize key 2. BlobEncryptionPolicy key2OnlyPolicy = new BlobEncryptionPolicy(cloudKey2, null); BlobRequestOptions key2OnlyOptions = new BlobRequestOptions() { EncryptionPolicy = key2OnlyPolicy }; Console.WriteLine("Downloading and decrypting Blob 1."); // The first blob can still be decrypted because it is using the second key. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream, options: key2OnlyOptions); } Console.WriteLine("Press enter key to exit"); Console.ReadLine(); } finally { container.DeleteIfExists(); } }