/// <summary>
/// Unwraps the wrapped key material stored in <paramref name="dekProperties"/> through the
/// configured <c>EncryptionKeyWrapProvider</c> and returns the raw DEK together with the
/// client-cache TTL the provider reported.
/// </summary>
/// <param name="dekProperties">Persisted DEK properties: wrapped key bytes, wrap metadata and algorithm name.</param>
/// <param name="diagnosticsContext">Diagnostics context; the provider call is recorded under the "UnwrapDataEncryptionKey" scope.</param>
/// <param name="cancellationToken">Token forwarded to the wrap provider.</param>
/// <returns>An <see cref="InMemoryRawDek"/> holding the unwrapped key and its cache TTL.</returns>
/// <exception cref="InvalidOperationException">The DEK provider has no <c>EncryptionKeyWrapProvider</c> configured.</exception>
internal async Task<InMemoryRawDek> UnwrapAsync(
    DataEncryptionKeyProperties dekProperties,
    CosmosDiagnosticsContext diagnosticsContext,
    CancellationToken cancellationToken)
{
    // Legacy (AEAes256CbcHmacSha256Randomized) DEKs can only be unwrapped by a wrap provider.
    if (this.DekProvider.EncryptionKeyWrapProvider == null)
    {
        throw new InvalidOperationException(
            $"For use of '{CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized}' algorithm, " +
            "Encryptor or CosmosDataEncryptionKeyProvider needs to be initialized with EncryptionKeyWrapProvider.");
    }

    EncryptionKeyUnwrapResult unwrapped;
    using (diagnosticsContext.CreateScope("UnwrapDataEncryptionKey"))
    {
        unwrapped = await this.DekProvider.EncryptionKeyWrapProvider.UnwrapKeyAsync(
            dekProperties.WrappedDataEncryptionKey,
            dekProperties.EncryptionKeyWrapMetadata,
            cancellationToken);
    }

    // Bind the raw bytes to the algorithm recorded on the stored properties, not to a caller-supplied one.
    DataEncryptionKey rawDek = DataEncryptionKey.Create(
        unwrapped.DataEncryptionKey,
        dekProperties.EncryptionAlgorithm);

    return new InMemoryRawDek(rawDek, unwrapped.ClientCacheTimeToLive);
}
/// <summary>
/// Resolves the raw DEK described by <paramref name="dekProperties"/>. DEKs using the MDE
/// algorithm are built directly and never cached; every other DEK is served from the DEK cache,
/// which calls <see cref="UnwrapAsync"/> on a miss.
/// </summary>
/// <param name="dekProperties">Persisted DEK properties.</param>
/// <param name="diagnosticsContext">Diagnostics context passed through to the cache / unwrap path.</param>
/// <param name="cancellationToken">Cancellation token for the cache / unwrap path.</param>
/// <returns>The raw DEK and its client-cache TTL (zero for MDE DEKs).</returns>
/// <exception cref="Exception">
/// Any failure is rethrown as the exception built by
/// <c>EncryptionExceptionFactory.EncryptionKeyNotFoundException</c>, with the original as inner exception.
/// </exception>
internal async Task<InMemoryRawDek> FetchUnwrappedAsync(
    DataEncryptionKeyProperties dekProperties,
    CosmosDiagnosticsContext diagnosticsContext,
    CancellationToken cancellationToken)
{
    try
    {
        bool isMdeDek = string.Equals(
            dekProperties.EncryptionAlgorithm,
            CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized);

        if (!isMdeDek)
        {
            return await this.DekProvider.DekCache.GetOrAddRawDekAsync(
                dekProperties,
                this.UnwrapAsync,
                diagnosticsContext,
                cancellationToken);
        }

        // MDE DEKs are not placed in the client cache, so the TTL carries no meaning and is left at zero.
        DataEncryptionKey mdeDek = this.InitMdeEncryptionAlgorithm(dekProperties);
        return new InMemoryRawDek(mdeDek, TimeSpan.FromMilliseconds(0));
    }
    catch (Exception exception)
    {
        // NOTE(review): this catch-all also wraps OperationCanceledException, so a cancelled call
        // surfaces as a "key not found" failure — confirm callers do not rely on the exception type
        // to distinguish cancellation from a genuine unwrap failure.
        throw EncryptionExceptionFactory.EncryptionKeyNotFoundException(
            $"Failed to unwrap Data Encryption Key with id: '{dekProperties.Id}'.",
            exception);
    }
}
/// <summary>
/// Unwraps an MDE-wrapped DEK through the configured <c>EncryptionKeyStoreProvider</c> and
/// returns it bound to the caller-supplied <paramref name="encryptionAlgorithm"/> (legacy
/// algorithm support on top of MDE key material).
/// </summary>
/// <param name="dekProperties">Persisted DEK properties.</param>
/// <param name="encryptionAlgorithm">Algorithm name the returned <see cref="DataEncryptionKey"/> is created with.</param>
/// <param name="diagnosticsContext">Diagnostics context; the unwrap runs under the "UnwrapDataEncryptionKey" scope.</param>
/// <param name="cancellationToken">Cancellation token for the unwrap.</param>
/// <returns>The unwrapped <see cref="DataEncryptionKey"/>.</returns>
/// <exception cref="InvalidOperationException">The DEK provider has no <c>EncryptionKeyStoreProvider</c> configured.</exception>
/// <exception cref="Exception">
/// Any failure inside the unwrap is rethrown as the exception built by
/// <c>EncryptionExceptionFactory.EncryptionKeyNotFoundException</c>, with the original as inner exception.
/// </exception>
internal async Task<DataEncryptionKey> FetchUnWrappedLegacySupportedMdeDekAsync(
    DataEncryptionKeyProperties dekProperties,
    string encryptionAlgorithm,
    CosmosDiagnosticsContext diagnosticsContext,
    CancellationToken cancellationToken)
{
    // The provider check is deliberately outside the try: a misconfigured provider is a
    // programming error and is not reported as "key not found".
    if (this.DekProvider.EncryptionKeyStoreProvider == null)
    {
        throw new InvalidOperationException(
            $"For use of '{CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized}' algorithm based DEK, " +
            "Encryptor or CosmosDataEncryptionKeyProvider needs to be initialized with EncryptionKeyStoreProvider.");
    }

    try
    {
        EncryptionKeyUnwrapResult unwrapped;
        using (diagnosticsContext.CreateScope("UnwrapDataEncryptionKey"))
        {
            unwrapped = await this.UnWrapDekMdeEncAlgoAsync(
                dekProperties,
                diagnosticsContext,
                cancellationToken);
        }

        // Note the algorithm comes from the caller here, unlike UnwrapAsync which uses the stored one.
        return DataEncryptionKey.Create(unwrapped.DataEncryptionKey, encryptionAlgorithm);
    }
    catch (Exception exception)
    {
        // NOTE(review): like FetchUnwrappedAsync, this also wraps OperationCanceledException.
        throw EncryptionExceptionFactory.EncryptionKeyNotFoundException(
            $"Failed to unwrap Data Encryption Key with id: '{dekProperties.Id}'.",
            exception);
    }
}
/// <inheritdoc/>
/// <remarks>
/// Fetches the DEK by id and algorithm from the configured provider and encrypts
/// <paramref name="plainText"/> with it. A null DEK from the provider is treated as a
/// configuration error rather than silently producing no output. <paramref name="plainText"/>
/// is not validated here; whatever <c>EncryptData</c> does with null input applies.
/// </remarks>
/// <exception cref="InvalidOperationException">The provider returned a null <see cref="DataEncryptionKey"/>.</exception>
public override async Task<byte[]> EncryptAsync(
    byte[] plainText,
    string dataEncryptionKeyId,
    string encryptionAlgorithm,
    CancellationToken cancellationToken = default)
{
    DataEncryptionKey resolvedDek = await this.DataEncryptionKeyProvider.FetchDataEncryptionKeyAsync(
        dataEncryptionKeyId,
        encryptionAlgorithm,
        cancellationToken);

    return resolvedDek is null
        ? throw new InvalidOperationException(
            $"Null {nameof(DataEncryptionKey)} returned from {nameof(this.DataEncryptionKeyProvider.FetchDataEncryptionKeyAsync)}.")
        : resolvedDek.EncryptData(plainText);
}
/// <summary>
/// Generates fresh raw key material for a legacy-algorithm DEK and hands it to
/// <c>WrapAsync</c> so it is wrapped under <paramref name="encryptionKeyWrapMetadata"/>.
/// </summary>
/// <param name="id">Identifier the new DEK is created under.</param>
/// <param name="encryptionAlgorithm">Algorithm the raw key is generated for.</param>
/// <param name="encryptionKeyWrapMetadata">Metadata selecting the key-encryption key used to wrap the DEK.</param>
/// <param name="diagnosticsContext">Diagnostics context passed through to <c>WrapAsync</c>.</param>
/// <param name="cancellationToken">Cancellation token passed through to <c>WrapAsync</c>.</param>
/// <returns>Whatever <c>WrapAsync</c> returns — presumably the wrapped bytes, the wrap metadata and the in-memory raw DEK; verify against that method.</returns>
/// <exception cref="InvalidOperationException">The DEK provider has no <c>EncryptionKeyWrapProvider</c> configured.</exception>
private async Task<(byte[], EncryptionKeyWrapMetadata, InMemoryRawDek)> GenerateAndWrapRawDekForLegacyEncAlgoAsync(
    string id,
    string encryptionAlgorithm,
    EncryptionKeyWrapMetadata encryptionKeyWrapMetadata,
    CosmosDiagnosticsContext diagnosticsContext,
    CancellationToken cancellationToken)
{
    // Fail before generating any key material if there is nothing to wrap it with.
    if (this.DekProvider.EncryptionKeyWrapProvider == null)
    {
        throw new InvalidOperationException(
            $"For use of '{CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized}' algorithm, " +
            "Encryptor or CosmosDataEncryptionKeyProvider needs to be initialized with EncryptionKeyWrapProvider.");
    }

    byte[] freshRawDek = DataEncryptionKey.Generate(encryptionAlgorithm);

    (byte[], EncryptionKeyWrapMetadata, InMemoryRawDek) wrapped = await this.WrapAsync(
        id,
        freshRawDek,
        encryptionAlgorithm,
        encryptionKeyWrapMetadata,
        diagnosticsContext,
        cancellationToken);

    return wrapped;
}
/// <summary>
/// Pairs an unwrapped DEK with the absolute UTC instant after which it should no longer
/// be served from the client cache.
/// </summary>
/// <param name="dataEncryptionKey">The unwrapped key; stored as-is (no null check here).</param>
/// <param name="clientCacheTimeToLive">How long from now the key may be cached; added to <see cref="DateTime.UtcNow"/>.</param>
/// <remarks>
/// The expiry is fixed at construction. <see cref="DateTime"/> + <see cref="TimeSpan"/> throws
/// <see cref="ArgumentOutOfRangeException"/> if the sum leaves the representable range, so a TTL
/// near <see cref="TimeSpan.MaxValue"/> is not a usable "never expire" value.
/// </remarks>
public InMemoryRawDek(DataEncryptionKey dataEncryptionKey, TimeSpan clientCacheTimeToLive)
{
    // UTC is used so the expiry is unaffected by local time-zone or DST changes.
    DateTime expiresAt = DateTime.UtcNow + clientCacheTimeToLive;

    this.DataEncryptionKey = dataEncryptionKey;
    this.RawDekExpiry = expiresAt;
}