public async Task CreateKey()
{
#region Snippet:CreateKey
// Create a key. Note that you can specify the type of key
// i.e. Elliptic curve, Hardware Elliptic Curve, RSA
KeyVaultKey key = await client.CreateKeyAsync("key-name", KeyType.Rsa);
Console.WriteLine(key.Name);
Console.WriteLine(key.KeyType);
// Create a software RSA key
var rsaCreateKey = new CreateRsaKeyOptions("rsa-key-name", hardwareProtected: false);
KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey);
Console.WriteLine(rsaKey.Name);
Console.WriteLine(rsaKey.KeyType);
// Create a hardware Elliptic Curve key
// Because only premium key vault supports HSM backed keys , please ensure your key vault
// SKU is premium when you set "hardwareProtected" value to true
var echsmkey = new CreateEcKeyOptions("ec-key-name", hardwareProtected: true);
KeyVaultKey ecKey = await client.CreateEcKeyAsync(echsmkey);
Console.WriteLine(ecKey.Name);
Console.WriteLine(ecKey.KeyType);
#endregion
}
public async Task ProtectsKeysWithKeyVaultKey()
{
var credential = new ClientSecretCredential(TenantId, ClientId, ClientSecret);
var client = new KeyClient(new Uri(KeyVaultUrl), credential);
var key = await client.CreateKeyAsync("TestEncryptionKey", KeyType.Rsa);
var serviceCollection = new ServiceCollection();
var testKeyRepository = new TestKeyRepository();
serviceCollection.AddDataProtection().ProtectKeysWithAzureKeyVault(key.Value.Id.ToString(), credential);
serviceCollection.Configure <KeyManagementOptions>(options =>
{
options.XmlRepository = testKeyRepository;
});
var services = serviceCollection.BuildServiceProvider();
var dataProtector = services.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var protectedText = dataProtector.Protect("Hello world!");
var anotherServices = serviceCollection.BuildServiceProvider();
var anotherDataProtector = anotherServices.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var unprotectedText = anotherDataProtector.Unprotect(protectedText);
Assert.AreEqual("Hello world!", unprotectedText);
// double check that keys were protected with KeyVault
foreach (var element in testKeyRepository.GetAllElements())
{
StringAssert.Contains("This key is encrypted with Azure KeyVault", element.ToString());
}
}
private static async Task StoreKey()
{
var client = new KeyClient(new Uri(string.Format(AzureKeyVaultUri, vaultSetting.KeyVaultName)), credential);
Console.WriteLine("Storing key...");
Console.Write("> Name: ");
var name = Console.ReadLine();
var keyTypesValues = new List <KeyType>()
{
KeyType.Ec,
KeyType.EcHsm,
KeyType.Rsa,
KeyType.RsaHsm,
};
var keyTypes = string.Join(", ", keyTypesValues);
Console.Write($"> Type ({keyTypes}): ");
var rawKeyType = Console.ReadLine().ToUpper();
while (!keyTypesValues.Contains(rawKeyType))
{
Console.Write("Invalid key type");
Console.Write($"> Type ({keyTypes}): ");
rawKeyType = Console.ReadLine();
}
var keyType = keyTypesValues.Single(kt => kt == rawKeyType);
var result = await client.CreateKeyAsync(name, keyType);
PrintResult(result);
}
public async Task CreateRoleAssignmentAsync()
{
// Replace client with the Instrumented Client.
client = Client;
List <KeyVaultRoleDefinition> definitions = await client.GetRoleDefinitionsAsync(KeyVaultRoleScope.Global).ToEnumerableAsync().ConfigureAwait(false);
_roleDefinitionId = definitions.First(d => d.RoleName == RoleName).Id;
// Replace roleDefinitionId with a role definition Id from the definitions returned from GetRoleDefinitionsAsync.
string definitionIdToAssign = _roleDefinitionId;
// Replace objectId with the service principal object id.
string servicePrincipalObjectId = _objectId;
#region Snippet:CreateRoleAssignmentKeysScope
#if SNIPPET
string definitionIdToAssign = "<roleDefinitionId>";
string servicePrincipalObjectId = "<objectId>";
KeyVaultRoleAssignment keysScopedAssignment = await client.CreateRoleAssignmentAsync(KeyVaultRoleScope.Global, definitionIdToAssign, servicePrincipalObjectId);
#else
Guid roleAssignmentName = Recording.Random.NewGuid();
KeyVaultRoleAssignment keysScopedAssignment = await client.CreateRoleAssignmentAsync(KeyVaultRoleScope.Keys, definitionIdToAssign, servicePrincipalObjectId, roleAssignmentName).ConfigureAwait(false);
#endif
#endregion
RegisterForCleanup(keysScopedAssignment);
// Make sure we have a key to secure.
KeyClient keyClient = KeyClient;
KeyVaultKey createdKey = await keyClient.CreateKeyAsync(Recording.GenerateId(), KeyType.Oct);
string keyName = createdKey.Name;
RegisterKeyForCleanup(keyName);
#region Snippet:CreateRoleAssignmentKeyScope
#if SNIPPET
string keyName = "<your-key-name>";
#endif
KeyVaultKey key = await keyClient.GetKeyAsync(keyName);
#if SNIPPET
KeyVaultRoleAssignment keyScopedAssignment = await client.CreateRoleAssignmentAsync(new KeyVaultRoleScope(key.Id), definitionIdToAssign, servicePrincipalObjectId);
#else
KeyVaultRoleAssignment keyScopedAssignment = await client.CreateRoleAssignmentAsync(new KeyVaultRoleScope(key.Id), definitionIdToAssign, servicePrincipalObjectId, roleAssignmentName).ConfigureAwait(false);
#endif
#endregion
RegisterForCleanup(keyScopedAssignment);
}
public async Task CanUprotectExistingKeys()
{
var credential = new ClientSecretCredential(
DataProtectionTestEnvironment.Instance.TenantId,
DataProtectionTestEnvironment.Instance.ClientId,
DataProtectionTestEnvironment.Instance.ClientSecret);
var client = new KeyClient(new Uri(DataProtectionTestEnvironment.Instance.KeyVaultUrl), credential);
var key = await client.CreateKeyAsync("TestEncryptionKey2", KeyType.Rsa);
var serviceCollection = new ServiceCollection();
var testKeyRepository = new TestKeyRepository();
AzureDataProtectionBuilderExtensions.ProtectKeysWithAzureKeyVault(
serviceCollection.AddDataProtection(),
key.Value.Id.AbsoluteUri,
DataProtectionTestEnvironment.Instance.ClientId,
DataProtectionTestEnvironment.Instance.ClientSecret);
serviceCollection.Configure <KeyManagementOptions>(options =>
{
options.XmlRepository = testKeyRepository;
});
var servicesOld = serviceCollection.BuildServiceProvider();
var serviceCollectionNew = new ServiceCollection();
serviceCollectionNew.AddDataProtection().ProtectKeysWithAzureKeyVault(key.Value.Id, credential);
serviceCollectionNew.Configure <KeyManagementOptions>(options =>
{
options.XmlRepository = testKeyRepository;
});
var dataProtector = servicesOld.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var protectedText = dataProtector.Protect("Hello world!");
var newServices = serviceCollectionNew.BuildServiceProvider();
var newDataProtectionProvider = newServices.GetService <IDataProtectionProvider>().CreateProtector("Fancy purpose");
var unprotectedText = newDataProtectionProvider.Unprotect(protectedText);
Assert.AreEqual("Hello world!", unprotectedText);
// double check that keys were protected with KeyVault
foreach (var element in testKeyRepository.GetAllElements())
{
StringAssert.Contains("This key is encrypted with Azure", element.ToString());
}
}
public async Task BackupAndRestoreSampleAsync()
{
var blobStorageUrl = TestEnvironment.StorageUri;
var blobContainerName = BlobContainerName;
var sasToken = "?" + SasToken;
// Create a Uri with the storage container.
UriBuilder builder = new UriBuilder(blobStorageUrl)
{
Path = blobContainerName,
};
// Make sure we have a key to back up and restore.
KeyVaultKey key = await KeyClient.CreateKeyAsync(Recording.GenerateId(), KeyType.Oct);
string keyName = key.Name;
RegisterKeyForCleanup(keyName);
// Start the backup.
BackupOperation backupOperation = await Client.StartBackupAsync(builder.Uri, sasToken);
// Wait for completion of the BackupOperation.
Response <Uri> backupResult = await backupOperation.WaitForCompletionAsync();
await WaitForOperationAsync();
// Get the Uri for the location of you backup blob.
Uri backupFolderUri = backupResult.Value;
Assert.That(backupFolderUri, Is.Not.Null);
Assert.That(backupOperation.HasValue, Is.True);
#region Snippet:SelectiveRestoreAsync
//@@ string keyName = "<key name to restore>";
// Start the restore for a specific key that was previously backed up using the backupBlobUri returned from a previous BackupOperation.
RestoreOperation restoreOperation = await Client.StartSelectiveRestoreAsync(keyName, backupFolderUri, sasToken);
// Wait for completion of the RestoreOperation.
Response restoreResult = await restoreOperation.WaitForCompletionAsync();
#endregion
Assert.That(restoreResult, Is.Not.Null);
Assert.That(restoreOperation.HasValue, Is.True);
await WaitForOperationAsync();
}
public async Task CreateKeyAsync()
{
#region CreateKeyAsync
// Create a key of any type
Key key = await client.CreateKeyAsync("key-name", KeyType.Rsa);
Console.WriteLine(key.Name);
Console.WriteLine(key.KeyMaterial.KeyType);
// Create a software RSA key
var rsaCreateKey = new RsaKeyCreateOptions("rsa-key-name", hsm: false);
Key rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey);
Console.WriteLine(rsaKey.Name);
Console.WriteLine(rsaKey.KeyMaterial.KeyType);
// Create a hardware Elliptic Curve key
var echsmkey = new EcKeyCreateOptions("ec-key-name", hsm: true);
Key ecKey = await client.CreateEcKeyAsync(echsmkey);
Console.WriteLine(ecKey.Name);
Console.WriteLine(ecKey.KeyMaterial.KeyType);
#endregion
}
public async Task SetKeyAsync(string key, string value)
{
_ = await KeyClient.CreateKeyAsync(key, value);
}
/**
* Azure SQL sample for managing SQL secrets (Server Keys) using Azure Key Vault -
* - Create a SQL Server with "system assigned" managed service identity.
* - Create an Azure Key Vault with giving access to the SQL Server
* - Create, get, list and delete SQL Server Keys
* - Delete SQL Server
*/
public static async Task RunSample(IAzure azure)
{
try
{
// ============================================================
// Create a SQL Server with system assigned managed service identity.
Utilities.Log("Creating a SQL Server with system assigned managed service identity");
var sqlServer = azure.SqlServers.Define(sqlServerName)
.WithRegion(Region.USSouthCentral)
.WithNewResourceGroup(rgName)
.WithAdministratorLogin(administratorLogin)
.WithAdministratorPassword(administratorPassword)
.WithSystemAssignedManagedServiceIdentity()
.Create();
Utilities.PrintSqlServer(sqlServer);
// ============================================================
// Create an Azure Key Vault and set the access policies.
Utilities.Log("Creating an Azure Key Vault and set the access policies");
InitializeCredentials(Environment.GetEnvironmentVariable("AZURE_AUTH_LOCATION"));
if (Azure_SP_ClientId == null || Azure_SP_Secret == null)
{
throw new ArgumentNullException("Missing Client ID and Secret");
}
var vault = azure.Vaults.Define(vaultName)
.WithRegion(Region.USSouthCentral)
.WithExistingResourceGroup(rgName)
.DefineAccessPolicy()
.ForObjectId(sqlServer.SystemAssignedManagedServiceIdentityPrincipalId)
.AllowKeyPermissions(KeyPermissions.WrapKey, KeyPermissions.UnwrapKey, KeyPermissions.Get, KeyPermissions.List)
.Attach()
.DefineAccessPolicy()
.ForServicePrincipal(Azure_SP_ClientId)
.AllowKeyAllPermissions()
.Attach()
.Create();
SdkContext.DelayProvider.Delay(3 * 60 * 1000);
// ============================================================
// Create a SQL server key with Azure Key Vault key.
Utilities.Log("Creating a SQL server key with Azure Key Vault key");
var kvClient = new KeyClient(new Uri(vault.VaultUri), new DefaultAzureCredential());
var keyBundle = await kvClient.CreateKeyAsync(keyName, KeyType.Rsa);
string keyUri = keyBundle.Value.Key.Id;
// Work around for SQL server key name must be formatted as "vault_key_version"
string serverKeyName = $"{vaultName}_{keyName}_" +
keyUri.Substring(keyUri.LastIndexOf("/") + 1);
var sqlServerKey = sqlServer.ServerKeys.Define()
.WithAzureKeyVaultKey(keyUri)
.Create();
Utilities.PrintSqlServerKey(sqlServerKey);
// Validate key exists by getting key
Utilities.Log("Validating key exists by getting the key");
sqlServerKey = sqlServer.ServerKeys.Get(serverKeyName);
Utilities.PrintSqlServerKey(sqlServerKey);
// Validate key exists by listing keys
Utilities.Log("Validating key exists by listing keys");
var serverKeys = sqlServer.ServerKeys.List();
foreach (var item in serverKeys)
{
Utilities.PrintSqlServerKey(item);
}
// Delete key
Utilities.Log("Deleting the key");
azure.SqlServers.ServerKeys.DeleteBySqlServer(rgName, sqlServerName, serverKeyName);
// Delete the SQL Server.
Utilities.Log("Deleting a Sql Server");
azure.SqlServers.DeleteById(sqlServer.Id);
}
finally
{
try
{
Utilities.Log("Deleting Resource Group: " + rgName);
azure.ResourceGroups.DeleteByName(rgName);
Utilities.Log("Deleted Resource Group: " + rgName);
}
catch (Exception e)
{
Utilities.Log(e);
}
}
}
static async Task Main(string[] args)
{
// Create a new key client using the default credential from Azure.Identity using environment variables previously set,
// including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID.
var client = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new ClientSecretCredential(tenantId, clientId, clientSecret));
// next two lines are just to recover key in case we stop program after deleting and before recovering / purging
//var recoverOperation1 = await client.StartRecoverDeletedKeyAsync("rsa-key-name");
//await recoverOperation1.WaitForCompletionAsync();
// Create a software RSA key
var rsaCreateKey = new CreateRsaKeyOptions("rsa-key-name", hardwareProtected: false);
KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey);
Console.WriteLine("Created the key....");
Console.WriteLine($"rsaKey.Name: {rsaKey.Name}");
Console.WriteLine($"rsaKey.KeyType: {rsaKey.KeyType}");
Console.WriteLine("==================================================");
Console.WriteLine();
// Retrieve
KeyVaultKey key = await client.GetKeyAsync("rsa-key-name");
Console.WriteLine("Retrieve the key");
Console.WriteLine($"key.Name: {key.Name}");
Console.WriteLine($"key.KeyType: {key.KeyType}");
Console.WriteLine("==================================================");
Console.WriteLine();
// Update
KeyVaultKey updateKey = await client.CreateKeyAsync("rsa-key-name", KeyType.Rsa);
// You can specify additional application-specific metadata in the form of tags.
updateKey.Properties.Tags["foo"] = "updated tag";
KeyVaultKey updatedKey = await client.UpdateKeyPropertiesAsync(updateKey.Properties);
Console.WriteLine("Update Initiated.");
Console.WriteLine($"updatedKey.Name: {updatedKey.Name}");
Console.WriteLine($"updatedKey.Properties.Version: {updatedKey.Properties.Version}");
Console.WriteLine($"updatedKey.Properties.UpdatedOn: {updatedKey.Properties.UpdatedOn}");
Console.WriteLine("==================================================");
Console.WriteLine();
/// Delete
DeleteKeyOperation operation = await client.StartDeleteKeyAsync("rsa-key-name");
DeletedKey deletedKey = operation.Value;
Console.WriteLine("Delete operation initialted.");
Console.WriteLine($"deletedKey.Name: {deletedKey.Name}");
Console.WriteLine($"deletedKey.DeletedOn: {deletedKey.DeletedOn}");
Console.WriteLine("==================================================");
Console.WriteLine();
// Wait for deletion to complete
await operation.WaitForCompletionAsync();
// Recover deleted key
var recoverOperation = await client.StartRecoverDeletedKeyAsync("rsa-key-name");
await recoverOperation.WaitForCompletionAsync();
Console.WriteLine("Recovery completed");
Console.WriteLine("==================================================");
Console.WriteLine();
// Create crypto client and demo of encryption / decryption
var cryptoClient = new CryptographyClient(keyId: key.Id, credential: new ClientSecretCredential(tenantId, clientId, clientSecret));
byte[] plaintext = Encoding.UTF8.GetBytes("If you can dream it, you can do it.");
// encrypt the data using the algorithm RSAOAEP
EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep, plaintext);
Console.WriteLine("Encryption demo.");
Console.WriteLine("Encrypted Base64: " + Convert.ToBase64String(encryptResult.Ciphertext));
Console.WriteLine("==================================================");
Console.WriteLine();
// decrypt the encrypted data.
DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
Console.WriteLine("Decryption demo.");
Console.WriteLine("Decrypted: " + Encoding.UTF8.GetString(decryptResult.Plaintext));
Console.WriteLine("==================================================");
Console.WriteLine();
// Purge
DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("rsa-key-name");
await deleteOperation.WaitForCompletionAsync();
DeletedKey purgekey = deleteOperation.Value;
await client.PurgeDeletedKeyAsync(purgekey.Name);
Console.WriteLine("Purge Initiated.");
Console.WriteLine($"purgekey.Name: {purgekey.Name}");
Console.WriteLine("==================================================");
Console.WriteLine();
}
