public static void AddKeyManagement(
this IServiceCollection services,
IConfiguration configuration,
ILogger logger)
{
services.AddSingleton <IKeyManagement>(s =>
{
var provider = configuration.GetValue <string>("KeyManagement:Provider");
logger.Information("Selected KeyManagement: {provider}", provider);
switch (provider)
{
case "AwsKms":
return(GetAwsKeyManagement(logger, configuration));
case "GoogleKms":
return(GetGoogleCloudKeyManagment(configuration));
case "AzureKeyVault":
return(GetAzurKeyVaultKeyManagement(configuration));
case "AESKey":
var key = configuration.GetValue <string>("KeyManagement:AES:Key");
if (string.IsNullOrEmpty(key))
{
logger.Warning("Random key was created for SymmetricKeyManagement, it might break distributed deployments");
return(new SymmetricKeyManagement(RijndaelUtils.GenerateKey(256)));
}
return(new SymmetricKeyManagement(Convert.FromBase64String(key)));
default:
throw new InvalidOperationException($"Unsupported provider type: {provider}");
}
});
}
public Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
{
var key = mUseKeyDerivation ? DeriveKey(serviceAccountId) : mKey;
var(decryptedData, iv) = RijndaelUtils.Encrypt(key, Encoding.UTF8.GetBytes(data));
return(Task.FromResult(Convert.ToBase64String(iv) + ":" + Convert.ToBase64String(decryptedData)));
}
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
{
var masterKeyAlias = $"alias/{mCmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}";
var(dataKey, encryptedDataKey) = await GenerateEncryptionKey(masterKeyAlias);
var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey.ToArray(), Encoding.UTF8.GetBytes(data));
return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
}
public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
{
var tuple = EnvelopeEncryptionUtils.Unwrap(encryptedData).ValueOrFailure("Invalid encrypted data format");
var(encryptedDataKey, iv, actualEncryptedData) = tuple;
var decryptionResult = await mAmazonKeyManagementService.DecryptAsync(new DecryptRequest
{
CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey)),
});
var decrypted = RijndaelUtils.Decrypt(decryptionResult.Plaintext.ToArray(), iv, actualEncryptedData);
return(Encoding.UTF8.GetString(decrypted));
}
public Task <string> Decrypt(string encryptedData, string serviceAccountId)
{
return(EnvelopeEncryptionUtils.Unwrap(encryptedData).Match(
some: async t =>
{
(string encryptedDataKey, byte[] iv, byte[] actualEncryptedData) = t;
var key = await mMasterKeyManagement.Decrypt(encryptedDataKey, serviceAccountId);
var decrypted = RijndaelUtils.Decrypt(Convert.FromBase64String(key), iv, actualEncryptedData);
return Encoding.UTF8.GetString(decrypted);
},
none: () => mMasterKeyManagement.Decrypt(encryptedData, serviceAccountId)
));
}
public Task <string> Decrypt(string encryptedData, string serviceAccountId)
{
var splitted = encryptedData.Split(':');
if (splitted.Length != 2)
{
throw new InvalidOperationException("Encrypted data format is invalid");
}
var iv = Convert.FromBase64String(splitted[0]);
var data = Convert.FromBase64String(splitted[1]);
var result = RijndaelUtils.Decrypt(mKey, iv, data);
return(Task.FromResult(Encoding.UTF8.GetString(result)));
}
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
{
if (data.Length <= mMaximumDataLength)
{
return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing));
}
mLogger.Information("Encryption data too length, using envelope encryption");
var dataKey = RijndaelUtils.GenerateKey(256);
var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey, Encoding.UTF8.GetBytes(data));
var encryptedDataKey = await mMasterKeyManagement.Encrypt(Convert.ToBase64String(dataKey), serviceAccountId, createKeyIfMissing);
return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
}
