public async Task ProtectsKeysWithKeyVaultKey()
{
var credential = new ClientSecretCredential(TenantId, ClientId, ClientSecret);
var client = new KeyClient(new Uri(KeyVaultUrl), credential);
var key = await client.CreateKeyAsync("TestEncryptionKey", KeyType.Rsa);
var serviceCollection = new ServiceCollection();
var testKeyRepository = new TestKeyRepository();
serviceCollection.AddDataProtection().ProtectKeysWithAzureKeyVault(key.Value.Id.ToString(), credential);
serviceCollection.Configure <KeyManagementOptions>(options =>
{
options.XmlRepository = testKeyRepository;
});
var services = serviceCollection.BuildServiceProvider();
var dataProtector = services.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var protectedText = dataProtector.Protect("Hello world!");
var anotherServices = serviceCollection.BuildServiceProvider();
var anotherDataProtector = anotherServices.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var unprotectedText = anotherDataProtector.Unprotect(protectedText);
Assert.AreEqual("Hello world!", unprotectedText);
// double check that keys were protected with KeyVault
foreach (var element in testKeyRepository.GetAllElements())
{
StringAssert.Contains("This key is encrypted with Azure KeyVault", element.ToString());
}
}
public async Task CanUprotectExistingKeys()
{
var credential = new ClientSecretCredential(
DataProtectionTestEnvironment.Instance.TenantId,
DataProtectionTestEnvironment.Instance.ClientId,
DataProtectionTestEnvironment.Instance.ClientSecret);
var client = new KeyClient(new Uri(DataProtectionTestEnvironment.Instance.KeyVaultUrl), credential);
var key = await client.CreateKeyAsync("TestEncryptionKey2", KeyType.Rsa);
var serviceCollection = new ServiceCollection();
var testKeyRepository = new TestKeyRepository();
AzureDataProtectionBuilderExtensions.ProtectKeysWithAzureKeyVault(
serviceCollection.AddDataProtection(),
key.Value.Id.AbsoluteUri,
DataProtectionTestEnvironment.Instance.ClientId,
DataProtectionTestEnvironment.Instance.ClientSecret);
serviceCollection.Configure <KeyManagementOptions>(options =>
{
options.XmlRepository = testKeyRepository;
});
var servicesOld = serviceCollection.BuildServiceProvider();
var serviceCollectionNew = new ServiceCollection();
serviceCollectionNew.AddDataProtection().ProtectKeysWithAzureKeyVault(key.Value.Id, credential);
serviceCollectionNew.Configure <KeyManagementOptions>(options =>
{
options.XmlRepository = testKeyRepository;
});
var dataProtector = servicesOld.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var protectedText = dataProtector.Protect("Hello world!");
var newServices = serviceCollectionNew.BuildServiceProvider();
var newDataProtectionProvider = newServices.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var unprotectedText = newDataProtectionProvider.Unprotect(protectedText);
Assert.AreEqual("Hello world!", unprotectedText);
// double check that keys were protected with KeyVault
foreach (var element in testKeyRepository.GetAllElements())
{
StringAssert.Contains("This key is encrypted with Azure", element.ToString());
}
}
