예제 #1
        /// <summary>
        /// Returns an <see cref="IDataProtector"/> backed by a Cloud KMS crypto key
        /// whose id is derived from <paramref name="purpose"/>. The key is created
        /// on first use as ENCRYPT_DECRYPT with a 7-day automatic rotation; an
        /// already-existing key (HTTP 409) is reused by name. Protectors are cached
        /// per purpose string.
        /// </summary>
        /// <param name="purpose">Data-protection purpose; escaped into the KMS key id.</param>
        /// <returns>The cached protector for the purpose, or a freshly created one.</returns>
        IDataProtector IDataProtectionProvider.CreateProtector(string purpose)
        {
            IDataProtector existing;
            if (_dataProtectorCache.TryGetValue(purpose, out existing))
            {
                return existing;
            }

            var cfg = _options.Value;
            string keyRingName = $"projects/{cfg.ProjectId}/locations/{cfg.Location}/keyRings/{cfg.KeyRing}";

            // KMS wants the rotation period as a seconds duration string ("604800s").
            string rotationPeriod = $"{TimeSpan.FromDays(7).TotalSeconds}s";
            var keyToCreate = new CryptoKey
            {
                Purpose          = "ENCRYPT_DECRYPT",
                NextRotationTime = DateTime.UtcNow.AddDays(7),
                RotationPeriod   = rotationPeriod
            };

            // NOTE(review): purposes are the isolation boundary in Data Protection;
            // if EscapeKeyId is lossy, two distinct purposes could map onto the same
            // KMS key -- confirm it is injective for the purposes in use.
            string keyId = EscapeKeyId(purpose);
            var createRequest = new ProjectsResource.LocationsResource
                                .KeyRingsResource.CryptoKeysResource.CreateRequest(
                _kms, keyToCreate, keyRingName)
            {
                CryptoKeyId = keyId
            };

            string keyName;
            try
            {
                keyName = createRequest.Execute().Name;
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // Already exists.  Ok.  The existing key is not inspected here, so
                // a key of another purpose or without a usable primary version only
                // fails later, on first use.
                keyName = $"{keyRingName}/cryptoKeys/{keyId}";
            }

            // Sub-purposes become nested keys named "<purpose>.<innerPurpose>".
            var protector = new KmsDataProtector(_kms, keyName,
                                                 (string innerPurpose) =>
                                                 this.CreateProtector($"{purpose}.{innerPurpose}"));

            _dataProtectorCache.TryAdd(purpose, protector);
            return protector;
        }
예제 #2
        // [END kms_get_cryptokey]

        // [START kms_create_cryptokey]
        /// <summary>
        /// Creates a symmetric (ENCRYPT_DECRYPT) crypto key named
        /// <paramref name="cryptoKey"/> under the given key ring and prints its
        /// full resource name. No rotation schedule is configured for the key.
        /// </summary>
        /// <param name="projectId">Google Cloud project id.</param>
        /// <param name="location">KMS location of the key ring.</param>
        /// <param name="keyRing">Key ring id within the location.</param>
        /// <param name="cryptoKey">Id to assign to the new key.</param>
        /// <returns>Always 0; any API error, including an already-existing key, propagates as an exception.</returns>
        public static object CreateCryptoKey(string projectId, string location, string keyRing, string cryptoKey)
        {
            var kmsClient = CreateAuthorizedClient();

            // Parent resource under which the key is created.
            string parent = string.Format("projects/{0}/locations/{1}/keyRings/{2}", projectId, location, keyRing);

            var keyToCreate = new CryptoKey { Purpose = "ENCRYPT_DECRYPT" };

            var createRequest = new ProjectsResource.LocationsResource.KeyRingsResource.CryptoKeysResource.CreateRequest(
                kmsClient, keyToCreate, parent)
            {
                CryptoKeyId = cryptoKey
            };

            CryptoKey created = createRequest.Execute();
            Console.Write($"Created Crypto Key: {created.Name}");
            return 0;
        }
예제 #3
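        /// <summary>
        /// Builds a KMS-backed data-protection provider: authorizes a Cloud KMS
        /// client with Application Default Credentials and ensures the configured
        /// key ring exists, creating it if necessary.
        /// </summary>
        /// <param name="options">Project id, location and key-ring id to use.</param>
        public KmsDataProtectionProvider(IOptions <KmsDataProtectionProviderOptions> options)
        {
            _options = options;

            // NOTE(review): blocking on .Result is tolerable for one-time startup,
            // but can deadlock if this type is ever constructed on a thread that
            // has a synchronization context.
            GoogleCredential credential = GoogleCredential.GetApplicationDefaultAsync().Result;

            // cloud-platform is the broadest scope; a KMS-only scope would be the
            // least-privilege choice if the client library version exposes one -- TODO confirm.
            if (credential.IsCreateScopedRequired)
            {
                credential = credential.CreateScoped(new[] { CloudKMSService.Scope.CloudPlatform });
            }

            _kms = new CloudKMSService(new BaseClientService.Initializer
            {
                HttpClientInitializer = credential,
                GZipEnabled           = false
            });

            var parent = string.Format("projects/{0}/locations/{1}", options.Value.ProjectId, options.Value.Location);

            KeyRing keyRingToCreate = new KeyRing();

            var request = new ProjectsResource.LocationsResource.KeyRingsResource.CreateRequest(_kms, keyRingToCreate, parent);

            request.KeyRingId = options.Value.KeyRing;

            try
            {
                request.Execute();
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // Already exists.  Ok.  Any other status (e.g. permission denied)
                // propagates and fails construction, which is the intended behavior.
            }
        }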

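        /// <summary>
        /// Returns an <see cref="IDataProtector"/> backed by a Cloud KMS crypto key
        /// whose id is derived from <paramref name="purpose"/>. The key is created
        /// on first use as ENCRYPT_DECRYPT with a 7-day automatic rotation; an
        /// already-existing key (HTTP 409) is reused by name. Exactly one protector
        /// instance is handed out per purpose, even under concurrent first calls.
        /// </summary>
        /// <param name="purpose">Data-protection purpose; escaped into the KMS key id.</param>
        /// <returns>The protector cached for this purpose.</returns>
        IDataProtector IDataProtectionProvider.CreateProtector(string purpose)
        {
            IDataProtector cached;

            if (_dataProtectorCache.TryGetValue(purpose, out cached))
            {
                return cached;
            }

            var keyRingName = string.Format(
                "projects/{0}/locations/{1}/keyRings/{2}",
                _options.Value.ProjectId, _options.Value.Location,
                _options.Value.KeyRing);

            // KMS wants the rotation period as a seconds duration string ("604800s").
            string rotationPeriod = string.Format("{0}s", TimeSpan.FromDays(7).TotalSeconds);

            CryptoKey cryptoKeyToCreate = new CryptoKey()
            {
                Purpose          = "ENCRYPT_DECRYPT",
                NextRotationTime = DateTime.UtcNow.AddDays(7),
                RotationPeriod   = rotationPeriod
            };

            // NOTE(review): purposes are the isolation boundary in Data Protection;
            // if EscapeKeyId is lossy, two distinct purposes could share one KMS key.
            string keyId = EscapeKeyId(purpose);

            var request = new ProjectsResource.LocationsResource.KeyRingsResource.CryptoKeysResource.CreateRequest(_kms, cryptoKeyToCreate, keyRingName)
            {
                CryptoKeyId = keyId
            };

            string keyName;

            try
            {
                keyName = request.Execute().Name;
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // Already exists.  Ok.  The existing key is taken on trust: nothing
                // here checks that it is ENCRYPT_DECRYPT with a usable primary
                // version, so a mismatch only surfaces on first use.
                keyName = string.Format("{0}/cryptoKeys/{1}", keyRingName, keyId);
            }

            // Sub-purposes become nested keys named "<purpose>.<innerPurpose>".
            var newProtector = new KmsDataProtector(_kms, keyName, (string innerPurpose) => this.CreateProtector($"{purpose}.{innerPurpose}"));

            // Two callers can race past the lookup above; if another thread won
            // the insert, return its protector so a purpose maps to one instance.
            if (!_dataProtectorCache.TryAdd(purpose, newProtector)
                && _dataProtectorCache.TryGetValue(purpose, out cached))
            {
                return cached;
            }

            return newProtector;
        }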
예제 #4
        /// <summary>
        /// Quick-start entry point: authorizes a Cloud KMS client, ensures the
        /// "QuickStartCore" key ring and its symmetric key "Key1" exist (reusing
        /// them on HTTP 409), then encrypts and decrypts a sample string and prints
        /// the round-tripped text.
        /// </summary>
        /// <param name="args">Unused.</param>
        /// <returns>0 on success; -1 if the project id placeholder was not replaced.</returns>
        public static int Main(string[] args)
        {
            // Your Google Cloud Platform project ID.
            string projectId = "YOUR-PROJECT-ID";

            // The placeholder is spelled in two pieces so a find-and-replace of
            // the placeholder in this file does not also rewrite this check.
            if (projectId == "YOUR-" + "PROJECT-ID")
            {
                Console.Error.WriteLine("Modify Program.cs and replace YOUR-"
                                        + "PROJECT-ID with your google project id.");
                return -1;
            }

            // Application Default Credentials.
            // See: https://developers.google.com/identity/protocols/application-default-credentials
            GoogleCredential credential = GoogleCredential.GetApplicationDefaultAsync().Result;

            if (credential.IsCreateScopedRequired)
            {
                // NOTE(review): cloud-platform is the broadest scope; prefer a
                // KMS-only scope if the client library in use offers one.
                credential = credential.CreateScoped(new[] { CloudKMSService.Scope.CloudPlatform });
            }

            var kms = new CloudKMSService(new BaseClientService.Initializer
            {
                HttpClientInitializer = credential,
                GZipEnabled           = false
            });

            // Key ring, created once; a 409 Conflict means it is already there.
            const string location     = "global";
            const string keyRingId    = "QuickStartCore";
            string       locationName = $"projects/{projectId}/locations/{location}";

            var keyRingRequest = new ProjectsResource.LocationsResource
                                 .KeyRingsResource.CreateRequest(kms, new KeyRing(), locationName)
            {
                KeyRingId = keyRingId
            };

            try
            {
                keyRingRequest.Execute();
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // Already exists.  Ok.
            }

            // Symmetric key with automatic 7-day rotation; the period is a
            // seconds duration string ("604800s").
            string keyRingName    = $"{locationName}/keyRings/{keyRingId}";
            string rotationPeriod = $"{TimeSpan.FromDays(7).TotalSeconds}s";
            var keyToCreate = new CryptoKey
            {
                Purpose          = "ENCRYPT_DECRYPT",
                NextRotationTime = DateTime.UtcNow.AddDays(7),
                RotationPeriod   = rotationPeriod
            };

            const string keyId = "Key1";
            string       keyName;

            try
            {
                var keyRequest = new ProjectsResource.LocationsResource
                                 .KeyRingsResource.CryptoKeysResource.CreateRequest(
                    kms, keyToCreate, keyRingName)
                {
                    CryptoKeyId = keyId
                };
                keyName = keyRequest.Execute().Name;
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // Already exists.  Ok.  The existing key is assumed to be a usable
                // ENCRYPT_DECRYPT key; that is not verified here.
                keyName = $"{keyRingName}/cryptoKeys/{keyId}";
            }

            // Encrypt: the API carries plaintext and ciphertext as base64.
            var cryptoKeys = kms.Projects.Locations.KeyRings.CryptoKeys;
            var encrypted  = cryptoKeys.Encrypt(new EncryptRequest
            {
                Plaintext = Convert.ToBase64String(Encoding.UTF8.GetBytes("Hello World."))
            }, keyName).Execute();
            byte[] cipherText = Convert.FromBase64String(encrypted.Ciphertext);

            // Decrypt the same bytes back through the key.
            var decrypted = cryptoKeys.Decrypt(new DecryptRequest
            {
                Ciphertext = Convert.ToBase64String(cipherText)
            }, keyName).Execute();

            Console.WriteLine(Encoding.UTF8.GetString(Convert.FromBase64String(decrypted.Plaintext)));
            return 0;
        }