// </Main> private static CosmosClient CreateClientInstance( IConfigurationRoot configuration, AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider) { string endpoint = configuration["EndPointUrl"]; if (string.IsNullOrEmpty(endpoint)) { throw new ArgumentNullException("Please specify a valid endpoint in the appSettings.json"); } string authKey = configuration["AuthorizationKey"]; if (string.IsNullOrEmpty(authKey) || string.Equals(authKey, "Super secret key")) { throw new ArgumentException("Please specify a valid AuthorizationKey in the appSettings.json"); } CosmosClientOptions options = new CosmosClientOptions { AllowBulkExecution = true, }; CosmosClient encryptionCosmosClient = new CosmosClient(endpoint, authKey, options); // enable encryption support on the cosmos client. return(encryptionCosmosClient.WithEncryption(azureKeyVaultKeyWrapProvider)); }
// <Main> public static async Task Main(string[] _) { try { // Read the Cosmos endpointUrl and authorizationKey from configuration. // These values are available from the Azure Management Portal on the Cosmos Account Blade under "Keys". // Keep these values in a safe and secure location. Together they provide administrative access to your Cosmos account. IConfigurationRoot configuration = new ConfigurationBuilder() .AddJsonFile("appSettings.json") .Build(); // Get the Source Database name. SourceDatabase = configuration["SourceDatabase"]; if (string.IsNullOrEmpty(SourceDatabase)) { throw new ArgumentNullException("Please specify a valid database name. "); } // Get the Source Container name. SourceContainer = configuration["SourceContainer"]; if (string.IsNullOrEmpty(SourceContainer)) { throw new ArgumentNullException("Please specify a valid container name. "); } // Get the Destination Container name. DestinationContainer = configuration["DestinationContainer"]; if (string.IsNullOrEmpty(DestinationContainer)) { throw new ArgumentNullException("Please specify a valid container name. "); } // Get the Token Credential that is capable of providing an OAuth Token. TokenCredential tokenCredential = Program.GetTokenCredential(configuration); AzureKeyVaultKeyWrapProvider azureKeyVaultWrapProvider = new AzureKeyVaultKeyWrapProvider(tokenCredential); Program.client = Program.CreateClientInstance(configuration, azureKeyVaultWrapProvider); await Program.CreateAndRunReEncryptionTasks(); } catch (CosmosException cosmosException) { Console.WriteLine(cosmosException.ToString()); } catch (Exception e) { Exception baseException = e.GetBaseException(); Console.WriteLine("Message: {0} Error: {1}", baseException.Message, e); } finally { Console.WriteLine("ReEncryption activity has been stopped successfully."); Console.ReadKey(); } }
// <Main> public static async Task Main(string[] _) { try { // Read the Cosmos endpointUrl and authorizationKey from configuration. // These values are available from the Azure Management Portal on the Cosmos Account Blade under "Keys". // Keep these values in a safe and secure location. Together they provide administrative access to your Cosmos account. IConfigurationRoot configuration = new ConfigurationBuilder() .AddJsonFile("appSettings.json") .Build(); // Get the Akv Master Key Path. MasterKeyUrl = configuration["MasterKeyUrl"]; if (string.IsNullOrEmpty(MasterKeyUrl)) { throw new ArgumentNullException("Please specify a valid Azure Key Path in the appSettings.json"); } // Get the Token Credential that is capable of providing an OAuth Token. TokenCredential tokenCredential = GetTokenCredential(configuration); AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider = new AzureKeyVaultKeyWrapProvider(tokenCredential); Program.client = Program.CreateClientInstance(configuration, azureKeyVaultKeyWrapProvider); await Program.AdminSetupAsync(client, azureKeyVaultKeyWrapProvider); await Program.RunDemoAsync(); } catch (CosmosException cre) { Console.WriteLine(cre.ToString()); } catch (Exception e) { Exception baseException = e.GetBaseException(); Console.WriteLine("Message: {0} Error: {1}", baseException.Message, e); } finally { Console.WriteLine("End of demo, press any key to exit."); Console.ReadKey(); await Program.CleanupAsync(); } }
/// <summary> /// Administrative operations - create the database, container, and generate the necessary client encryption keys. /// These are initializations and are expected to be invoked only once - do not invoke these before every item request. /// </summary> private static async Task AdminSetupAsync(CosmosClient client, AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider) { Database database = await client.CreateDatabaseIfNotExistsAsync(Program.encryptedDatabaseId); // Delete the existing container to prevent create item conflicts. using (await database.GetContainer(Program.encryptedContainerId).DeleteContainerStreamAsync()) { } Console.WriteLine("The demo will create a 1000 RU/s container, press any key to continue."); Console.ReadKey(); // Create the Client Encryption Keys for Encrypting the configured Paths. await database.CreateClientEncryptionKeyAsync( "key1", DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256, new EncryptionKeyWrapMetadata(azureKeyVaultKeyWrapProvider.ProviderName, "akvMasterKey", MasterKeyUrl)); await database.CreateClientEncryptionKeyAsync( "key2", DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256, new EncryptionKeyWrapMetadata(azureKeyVaultKeyWrapProvider.ProviderName, "akvMasterKey", MasterKeyUrl)); // Configure the required Paths to be Encrypted with appropriate settings. ClientEncryptionIncludedPath path1 = new ClientEncryptionIncludedPath() { Path = "/SubTotal", ClientEncryptionKeyId = "key1", EncryptionType = EncryptionType.Deterministic, EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256 }; // non primitive data type.Leaves get encrypted. ClientEncryptionIncludedPath path2 = new ClientEncryptionIncludedPath() { Path = "/Items", ClientEncryptionKeyId = "key2", EncryptionType = EncryptionType.Deterministic, EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256 }; ClientEncryptionIncludedPath path3 = new ClientEncryptionIncludedPath() { Path = "/OrderDate", ClientEncryptionKeyId = "key1", EncryptionType = EncryptionType.Deterministic, EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256 }; // Create a container with the appropriate partition key definition (we choose the "AccountNumber" property here) and throughput (we choose 1000 here). // Configure the Client Encryption Key Policy with required paths to be encrypted. await database.DefineContainer(Program.encryptedContainerId, "/AccountNumber") .WithClientEncryptionPolicy() .WithIncludedPath(path1) .WithIncludedPath(path2) .WithIncludedPath(path3) .Attach() .CreateAsync(throughput: 1000); // gets a Container with Encryption Support. containerWithEncryption = await database.GetContainer(Program.encryptedContainerId).InitializeEncryptionAsync(); }