/// <summary> /// Wraps a symmetric key and then unwrapps the wrapped key /// </summary> /// <param name="key"> key bundle </param> private static void WrapUnwrap(KeyBundle key) { KeyOperationResult wrappedKey; var algorithm = inputValidator.GetEncryptionAlgorithm(); byte[] symmetricKey = inputValidator.GetSymmetricKey(); string keyVersion = inputValidator.GetKeyVersion(); if (keyVersion != string.Empty) { var vaultAddress = inputValidator.GetVaultAddress(); string keyName = inputValidator.GetKeyName(true); wrappedKey = keyVaultClient.WrapKeyAsync(vaultAddress, keyName, keyVersion, algorithm, symmetricKey).GetAwaiter().GetResult(); } else { // If the key ID is not initialized get the key id from args var keyId = (key != null) ? key.Key.Kid : inputValidator.GetKeyId(); // Wrap the symmetric key wrappedKey = keyVaultClient.WrapKeyAsync(keyId, algorithm, symmetricKey).GetAwaiter().GetResult(); } Console.Out.WriteLine(string.Format("The symmetric key is wrapped using key id {0} and algorithm {1}", wrappedKey.Kid, algorithm)); // Unwrap the symmetric key var unwrappedKey = keyVaultClient.UnwrapKeyAsync(wrappedKey.Kid, algorithm, wrappedKey.Result).GetAwaiter().GetResult(); Console.Out.WriteLine(string.Format("The unwrapped key is{0}the same as the original key!", symmetricKey.SequenceEqual(unwrappedKey.Result) ? " " : " not ")); }
public async Task <string> WrapKeyAsync(string key) { var keyAsBytes = Encoding.Unicode.GetBytes(key); var wrapResult = await client.WrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, keyAsBytes); var encodedText = Convert.ToBase64String(wrapResult.Result); return(encodedText); }
/// <summary> /// Wraps a symmetric key using the specified wrapping key and algorithm. /// </summary> /// <param name="wrappingKey">The wrapping key</param> /// <param name="key">The key to wrap</param> /// <param name="algorithm">The algorithm to use. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param> /// <returns>The wrapped key</returns> public static async Task <KeyOperationResult> WrapKeyAsync(this KeyVaultClient client, KeyBundle wrappingKey, byte[] key, string algorithm) { if (wrappingKey == null) { throw new ArgumentNullException("keyBundle"); } return(await client.WrapKeyAsync(wrappingKey.Key, key, algorithm).ConfigureAwait(false)); }
/// <summary> /// Use symmetric encryption, then wrap the key using Key Vault /// </summary> /// <returns></returns> private static async Task EncryptAndWrap() { // In real-world, these could be concatenated and stored. byte[] iv; byte[] wrappedKey; Stream encryptedData = new MemoryStream(); string wrappingKeyIdentifier; string keyWrappingEncryptionAlgorithm = JsonWebKeyEncryptionAlgorithm.RSA15; // TODO: This (probably) doesn't use "AE" - update accordingly. // This creates a random key and initialisation vector (IV) and encrypts the data using (var encryptingAes = Aes.Create()) { iv = encryptingAes.IV; var encryptor = encryptingAes.CreateEncryptor(); using (var encryptingStream = new CryptoStream(encryptedData, encryptor, CryptoStreamMode.Write, true)) using (var writer = new StreamWriter(encryptingStream)) // NOTE: This is a text writer! Shouldn't do this if we're dealing with binary data! { writer.Write(inputText); writer.Flush(); encryptingStream.Flush(); } var wrappingResult = await keyVaultClient.WrapKeyAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key); wrappedKey = wrappingResult.Result; wrappingKeyIdentifier = wrappingResult.Kid; // TODO: Test if "wrap" and "encrypt" produce the same resul;t var encryptTest = await keyVaultClient.EncryptAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key); } encryptedData.Position = 0; // Decrypt var unwrapKeyResult = await keyVaultClient.UnwrapKeyAsync(wrappingKeyIdentifier, keyWrappingEncryptionAlgorithm, wrappedKey); var symmetricKey = unwrapKeyResult.Result; string decrypted; using (var decryptingAes = Aes.Create()) { decryptingAes.IV = iv; decryptingAes.Key = symmetricKey; var decryptor = decryptingAes.CreateDecryptor(); using (var decryptingStream = new CryptoStream(encryptedData, decryptor, CryptoStreamMode.Read)) using (var reader = new StreamReader(decryptingStream)) { decrypted = reader.ReadToEnd(); } } if (inputText != decrypted) { throw new Exception("Decrypted does not match encrypted"); } }
/// <summary> /// Wraps and unwraps symmetric key /// </summary> /// <param name="algorithm"> the wrao and unwrap algorithm </param> private void WrapAndUnwrap(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm, byte[] symmetricKeyBytes) { var wrapResult = client.WrapKeyAsync(keyIdentifier.BaseIdentifier, algorithm, symmetricKeyBytes).GetAwaiter().GetResult(); Assert.NotNull(wrapResult); Assert.NotNull(wrapResult.Kid); Assert.NotNull(wrapResult.Result); var unwrapResult = client.UnwrapKeyAsync(wrapResult.Kid, algorithm, wrapResult.Result).GetAwaiter().GetResult(); Assert.NotNull(unwrapResult); Assert.NotNull(unwrapResult.Kid); Assert.True(unwrapResult.Result.SequenceEqual(symmetricKeyBytes), "the symmetric key after unwrap should match the initial key"); }
public async Task <byte[]> WrapSymmetricKeyAsync(string keyId, byte[] symmetricKey) { if (string.IsNullOrEmpty(keyId)) { throw new ArgumentNullException(keyId, "Key NickName is Null."); } if (symmetricKey == null) { throw new ArgumentNullException(nameof(symmetricKey), "Symetric key is Null."); } if (symmetricKey.Length == 0) { throw new ArgumentNullException(nameof(symmetricKey), "Symmetric key is Empty."); } var wrappedKey = await KeyVaultClient.WrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, symmetricKey); return(wrappedKey.Result); }
public Task <KeyOperationResult> WrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText) { return(_client.WrapKeyAsync(keyIdentifier, algorithm, cipherText)); }
private async Task KeysMigrationGuide() { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); KeyVaultClient client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback)); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { //@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); /*@@*/ provider = new AzureServiceTokenProvider(); //@@KeyVaultClient client = new KeyVaultClient( /*@@*/ client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback), httpClient); } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey // Create RSA key. NewKeyParameters createRsaParameters = new NewKeyParameters { Kty = JsonWebKeyType.Rsa, KeySize = 4096 }; KeyBundle rsaKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "rsa-key-name", createRsaParameters); // Create Elliptic-Curve key. NewKeyParameters createEcParameters = new NewKeyParameters { Kty = JsonWebKeyType.EllipticCurve, CurveName = "P-256" }; KeyBundle ecKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "ec-key-name", createEcParameters); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys IPage <KeyItem> page = await client.GetKeysAsync("https://myvault.vault.azure.net"); foreach (KeyItem item in page) { KeyIdentifier keyId = item.Identifier; KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name); } while (page.NextPageLink != null) { page = await client.GetKeysNextAsync(page.NextPageLink); foreach (KeyItem item in page) { KeyIdentifier keyId = item.Identifier; KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name); } } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey // Delete the key. DeletedKeyBundle deletedKey = await client.DeleteKeyAsync("https://myvault.vault.azure.net", "key-name"); // Purge or recover the deleted key if soft delete is enabled. if (deletedKey.RecoveryId != null) { DeletedKeyIdentifier deletedKeyId = deletedKey.RecoveryIdentifier; // Deleting a key does not happen immediately. Wait a while and check if the deleted key exists. while (true) { try { await client.GetDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name); // Finally deleted. break; } catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound) { // Not yet deleted... } } // Purge the deleted key. await client.PurgeDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name); // You can also recover the deleted key using RecoverDeletedKeyAsync. } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt // Encrypt a message. The plaintext must be small enough for the chosen algorithm. byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt"); KeyOperationResult encrypted = await client.EncryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, plaintext); // Decrypt the message. KeyOperationResult decrypted = await client.DecryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, encrypted.Result); string message = Encoding.UTF8.GetString(decrypted.Result); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap using (Aes aes = Aes.Create()) { // Use a symmetric key to encrypt large amounts of data, possibly streamed... // Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data. KeyOperationResult wrapped = await client.WrapKeyAsync( "https://myvault.vault.azure.net", "rsa-key-name", null, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, aes.Key); // Read the IV and the encrypted key from the payload, then unwrap the key. KeyOperationResult unwrapped = await client.UnwrapKeyAsync( "https://myvault.vault.azure.net", "rsa-key-name", null, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, wrapped.Result); aes.Key = unwrapped.Result; // Decrypt the payload with the symmetric key. } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap } }
public async Task <byte[]> WrapKey(byte[] unwrappedKey) { var wrappedKey = await _keyVaultClient.WrapKeyAsync(_vaultURL, ALGORITHM, unwrappedKey); return(wrappedKey.Result); }