public static void AddKeyManagement( this IServiceCollection services, IConfiguration configuration, ILogger logger) { services.AddSingleton <IKeyManagement>(s => { var provider = configuration.GetValue <string>("KeyManagement:Provider"); logger.Information("Selected KeyManagement: {provider}", provider); switch (provider) { case "AwsKms": return(GetAwsKeyManagement(logger, configuration)); case "GoogleKms": return(GetGoogleCloudKeyManagment(configuration)); case "AzureKeyVault": return(GetAzurKeyVaultKeyManagement(configuration)); case "AESKey": var key = configuration.GetValue <string>("KeyManagement:AES:Key"); if (string.IsNullOrEmpty(key)) { logger.Warning("Random key was created for SymmetricKeyManagement, it might break distributed deployments"); return(new SymmetricKeyManagement(RijndaelUtils.GenerateKey(256))); } return(new SymmetricKeyManagement(Convert.FromBase64String(key))); default: throw new InvalidOperationException($"Unsupported provider type: {provider}"); } }); }
public Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { var key = mUseKeyDerivation ? DeriveKey(serviceAccountId) : mKey; var(decryptedData, iv) = RijndaelUtils.Encrypt(key, Encoding.UTF8.GetBytes(data)); return(Task.FromResult(Convert.ToBase64String(iv) + ":" + Convert.ToBase64String(decryptedData))); }
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { var masterKeyAlias = $"alias/{mCmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}"; var(dataKey, encryptedDataKey) = await GenerateEncryptionKey(masterKeyAlias); var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey.ToArray(), Encoding.UTF8.GetBytes(data)); return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData)); }
public async Task <string> Decrypt(string encryptedData, string serviceAccountId) { var tuple = EnvelopeEncryptionUtils.Unwrap(encryptedData).ValueOrFailure("Invalid encrypted data format"); var(encryptedDataKey, iv, actualEncryptedData) = tuple; var decryptionResult = await mAmazonKeyManagementService.DecryptAsync(new DecryptRequest { CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey)), }); var decrypted = RijndaelUtils.Decrypt(decryptionResult.Plaintext.ToArray(), iv, actualEncryptedData); return(Encoding.UTF8.GetString(decrypted)); }
public Task <string> Decrypt(string encryptedData, string serviceAccountId) { return(EnvelopeEncryptionUtils.Unwrap(encryptedData).Match( some: async t => { (string encryptedDataKey, byte[] iv, byte[] actualEncryptedData) = t; var key = await mMasterKeyManagement.Decrypt(encryptedDataKey, serviceAccountId); var decrypted = RijndaelUtils.Decrypt(Convert.FromBase64String(key), iv, actualEncryptedData); return Encoding.UTF8.GetString(decrypted); }, none: () => mMasterKeyManagement.Decrypt(encryptedData, serviceAccountId) )); }
public Task <string> Decrypt(string encryptedData, string serviceAccountId) { var splitted = encryptedData.Split(':'); if (splitted.Length != 2) { throw new InvalidOperationException("Encrypted data format is invalid"); } var iv = Convert.FromBase64String(splitted[0]); var data = Convert.FromBase64String(splitted[1]); var result = RijndaelUtils.Decrypt(mKey, iv, data); return(Task.FromResult(Encoding.UTF8.GetString(result))); }
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { if (data.Length <= mMaximumDataLength) { return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing)); } mLogger.Information("Encryption data too length, using envelope encryption"); var dataKey = RijndaelUtils.GenerateKey(256); var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey, Encoding.UTF8.GetBytes(data)); var encryptedDataKey = await mMasterKeyManagement.Encrypt(Convert.ToBase64String(dataKey), serviceAccountId, createKeyIfMissing); return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData)); }