// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key // encrypting with the key, etc. // Note this tests when the key already exists. Should Fail. public async Task RestoreKey_KeyAlreadyExists_ReturnsFalse() { string key = await Transit_InitWithKey(TransitEnumKeyType.aes256); // E. Back it up. TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key); Assert.True(tbri.Success); Assert.AreNotEqual(null, tbri.KeyBackup); // B. Rotate the key a few times so we know the keys are different. await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); // Read key, prior to restore. TransitKeyInfo tki = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(tki.Name, key); // G. Restore the key Assert.False(await _transitSecretEngine.RestoreKey(key, tbri)); }
/// <summary> /// Restores the given key to the Vault. /// </summary> /// <param name="keyName">Name of encryption key that should be restored.</param> /// <param name="tbri">TransitBackupRestoreItem containing the backup value.</param> /// <returns>True if success.</returns> public async Task <bool> RestoreKey(string keyName, TransitBackupRestoreItem tbri) { string path = MountPointPath + "restore/" + keyName; // Setup Post Parameters in body. Dictionary <string, string> contentParams = new Dictionary <string, string>(); try { // Build the parameter list. contentParams.Add("backup", tbri.KeyBackup); VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "RestoreKey", contentParams); return(vdro.Success); } catch (VaultInternalErrorException e) { if (e.Message.Contains("already exists")) { return(false); } else { throw e; } } }
// Test that we get an error when trying to backup a key that cannot be backed up. public async Task BackupKey_ThrowsError_WhenNotExportable() { // Cannot use the Transit_InitWithKey function. It sets Backup to true and once set that value cannot be changed. string key = _uniqueKeys.GetKey("Key"); // Create key. bool rc = await _transitSecretEngine.CreateEncryptionKey(key, false, true, TransitEnumKeyType.aes256); Assert.True(rc); // Back it up. TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key); Assert.False(tbri.Success); Assert.True(tbri.ErrorMsg.Contains("Key is not exportable")); }
// Test that we can backup a key that is enabled for backup. public async Task BackupKey_Success() { string key = await Transit_InitWithKey(TransitEnumKeyType.aes256, true); // Allow Backup. Dictionary <string, string> keyconfig = new Dictionary <string, string> { { TransitConstants.KeyConfig_Allow_Backup, "true" } }; TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig); // Back it up. TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key); Assert.True(tbri.Success); Assert.AreNotEqual(null, tbri.KeyBackup); }
/// <summary> /// Returns a plaintext backup of the requested key. Backups contains all configuration data and all keys of all versions along with the /// HMAC key. The TransitBackupRestoreItem can be used with the RestoreKey method to restore the given key. Callers should check the /// TransitBackupRestoreItem Success flag to determine if it worked and ErrorMsg to identify any errors if it did not. The 2 most common /// errors are: Export is disabled and PlainTextBackup is disabled. These need to be enabled on the key prior to backing up. /// </summary> /// <param name="keyName">Name of the encryption key to backup.</param> /// <returns>TransitBackupRestoreItem containing the full backup of the key.</returns> public async Task <TransitBackupRestoreItem> BackupKey(string keyName) { string path = MountPointPath + "backup/" + keyName; try { VaultDataResponseObjectB vdro = await ParentVault._httpConnector.GetAsync_B(path, "BackupKey"); // Pull out the results and send back. TransitBackupRestoreItem tbri = await vdro.GetDotNetObject <TransitBackupRestoreItem>(); if (tbri.KeyBackup != null) { tbri.Success = true; } return(tbri); } catch (VaultInternalErrorException e) { string errMsg = ""; if (e.Message.Contains("exporting is disallowed")) { errMsg = "Key is not exportable. Must be exportable to be backed up."; } else if (e.Message.Contains("plaintext backup is disallowed on the policy")) { errMsg = "Key has PlainTextBackup disabled. Backup not possible."; } else { throw e; } TransitBackupRestoreItem tbri = new TransitBackupRestoreItem() { Success = false, ErrorMsg = errMsg }; return(tbri); } }
// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key // encrypting with the key, etc. public async Task RestoreKey_Success() { string key = await Transit_InitWithKey(TransitEnumKeyType.aes256); // A. Enable deletion of the key. Dictionary <string, string> keyconfig = new Dictionary <string, string> { { TransitConstants.KeyConfig_DeleteAllowed, "true" } }; TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig); Assert.True(tki.CanDelete); // B. Rotate the key a few times. await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); // C. Encrypt a piece of data. string encryptedValue = "ABCzyx123"; TransitEncryptedItem encItem = await _transitSecretEngine.Encrypt(key, encryptedValue); // D. Rotate Keys a few more times. await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); tki = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(tki.Name, key); // E. Back it up. TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key); Assert.True(tbri.Success); Assert.AreNotEqual(null, tbri.KeyBackup); // F. Delete key. Assert.True(await _transitSecretEngine.DeleteKey(key)); // G. Restore the key Assert.True(await _transitSecretEngine.RestoreKey(key, tbri)); // H. Decrypt an item with restored key. TransitDecryptedItem decItem = await _transitSecretEngine.Decrypt(key, encItem.EncryptedValue); Assert.AreEqual(encryptedValue, decItem.DecryptedValue); // I. Validate the restore. TransitKeyInfo tkiRestore = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(tki.Type, tkiRestore.Type); Assert.AreEqual(tki.LatestVersionNum, tkiRestore.LatestVersionNum); Assert.AreEqual(tki.Name, tkiRestore.Name); Assert.AreEqual(tki.Keys.Count, tkiRestore.Keys.Count); }