public static void AddKeyManagement(
this IServiceCollection services,
IConfiguration configuration,
ILogger logger)
{
services.AddSingleton <IKeyManagement>(s =>
{
var provider = configuration.GetValue <string>("KeyManagement:Provider");
logger.Information("Selected KeyManagement: {provider}", provider);
switch (provider)
{
case "AwsKms":
return(GetAwsKeyManagement(logger, configuration));
case "GoogleKms":
return(GetGoogleCloudKeyManagment(configuration));
case "AzureKeyVault":
return(GetAzurKeyVaultKeyManagement(configuration));
case "AESKey":
var key = configuration.GetValue <string>("KeyManagement:AES:Key");
if (string.IsNullOrEmpty(key))
{
logger.Warning("Random key was created for SymmetricKeyManagement, it might break distributed deployments");
return(new SymmetricKeyManagement(RijndaelUtils.GenerateKey(256)));
}
return(new SymmetricKeyManagement(Convert.FromBase64String(key)));
default:
throw new InvalidOperationException($"Unsupported provider type: {provider}");
}
});
}
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
{
if (data.Length <= mMaximumDataLength)
{
return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing));
}
mLogger.Information("Encryption data too length, using envelope encryption");
var dataKey = RijndaelUtils.GenerateKey(256);
var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey, Encoding.UTF8.GetBytes(data));
var encryptedDataKey = await mMasterKeyManagement.Encrypt(Convert.ToBase64String(dataKey), serviceAccountId, createKeyIfMissing);
return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
}
