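/// <summary>
/// Round-trips a payload through two independently built containers that share one XML key
/// repository: the second container never saw the first one's in-memory key ring, so it can only
/// unprotect the payload by unwrapping the persisted key with the Key Vault key. Afterwards every
/// persisted element is checked for the Key Vault encryption marker.
/// </summary>
public async Task ProtectsKeysWithKeyVaultKey()
{
    var credential = new ClientSecretCredential(TenantId, ClientId, ClientSecret);
    var client = new KeyClient(new Uri(KeyVaultUrl), credential);
    // Key name is fixed, so repeated runs presumably add new versions of the same key — confirm
    // this matches the vault's retention expectations for the test environment.
    var key = await client.CreateKeyAsync("TestEncryptionKey", KeyType.Rsa);

    var serviceCollection = new ServiceCollection();
    var testKeyRepository = new TestKeyRepository();
    serviceCollection.AddDataProtection().ProtectKeysWithAzureKeyVault(key.Value.Id.ToString(), credential);
    serviceCollection.Configure<KeyManagementOptions>(options =>
    {
        options.XmlRepository = testKeyRepository;
    });

    const string purpose = "Fancy purpose";
    const string plaintext = "Hello world!";
    string protectedText;

    // ServiceProvider is IDisposable; dispose each container instead of leaking it.
    // GetRequiredService fails with a descriptive exception rather than a null dereference if
    // data protection was not registered.
    using (var services = serviceCollection.BuildServiceProvider())
    {
        var dataProtector = services.GetRequiredService<IDataProtectionProvider>().CreateProtector(purpose);
        protectedText = dataProtector.Protect(plaintext);
    }

    using (var anotherServices = serviceCollection.BuildServiceProvider())
    {
        var anotherDataProtector = anotherServices.GetRequiredService<IDataProtectionProvider>().CreateProtector(purpose);
        var unprotectedText = anotherDataProtector.Unprotect(protectedText);
        Assert.AreEqual(plaintext, unprotectedText);
    }

    // double check that keys were protected with KeyVault; an empty repository would otherwise
    // make the loop below pass vacuously
    var elements = testKeyRepository.GetAllElements();
    Assert.IsNotEmpty(elements);
    foreach (var element in elements)
    {
        StringAssert.Contains("This key is encrypted with Azure KeyVault", element.ToString());
    }
}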
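/// <summary>
/// Backward-compatibility check: a key ring persisted by the legacy overload of
/// ProtectKeysWithAzureKeyVault (raw client id/secret, key id as a string) must be readable by a
/// container configured with the TokenCredential overload (key id as a Uri) against the same
/// repository. Afterwards every persisted element is checked for the Key Vault encryption marker.
/// </summary>
public async Task CanUprotectExistingKeys()
{
    var environment = DataProtectionTestEnvironment.Instance;
    var credential = new ClientSecretCredential(environment.TenantId, environment.ClientId, environment.ClientSecret);
    var client = new KeyClient(new Uri(environment.KeyVaultUrl), credential);
    var key = await client.CreateKeyAsync("TestEncryptionKey2", KeyType.Rsa);

    var testKeyRepository = new TestKeyRepository();
    const string purpose = "Fancy purpose";
    const string plaintext = "Hello world!";

    // "Old" container: legacy overload that takes the client id and secret directly.
    var serviceCollection = new ServiceCollection();
    AzureDataProtectionBuilderExtensions.ProtectKeysWithAzureKeyVault(
        serviceCollection.AddDataProtection(),
        key.Value.Id.AbsoluteUri,
        environment.ClientId,
        environment.ClientSecret);
    serviceCollection.Configure<KeyManagementOptions>(options =>
    {
        options.XmlRepository = testKeyRepository;
    });

    // "New" container: TokenCredential overload, sharing the same repository so it must unwrap
    // the key persisted by the old container.
    var serviceCollectionNew = new ServiceCollection();
    serviceCollectionNew.AddDataProtection().ProtectKeysWithAzureKeyVault(key.Value.Id, credential);
    serviceCollectionNew.Configure<KeyManagementOptions>(options =>
    {
        options.XmlRepository = testKeyRepository;
    });

    string protectedText;

    // ServiceProvider is IDisposable; dispose each container instead of leaking it.
    // GetRequiredService fails with a descriptive exception rather than a null dereference if
    // data protection was not registered.
    using (var servicesOld = serviceCollection.BuildServiceProvider())
    {
        var dataProtector = servicesOld.GetRequiredService<IDataProtectionProvider>().CreateProtector(purpose);
        protectedText = dataProtector.Protect(plaintext);
    }

    using (var newServices = serviceCollectionNew.BuildServiceProvider())
    {
        var newDataProtectionProvider = newServices.GetRequiredService<IDataProtectionProvider>().CreateProtector(purpose);
        var unprotectedText = newDataProtectionProvider.Unprotect(protectedText);
        Assert.AreEqual(plaintext, unprotectedText);
    }

    // double check that keys were protected with KeyVault; an empty repository would otherwise
    // make the loop below pass vacuously
    var elements = testKeyRepository.GetAllElements();
    Assert.IsNotEmpty(elements);
    foreach (var element in elements)
    {
        StringAssert.Contains("This key is encrypted with Azure", element.ToString());
    }
}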