public static void ReturnSpecifiedVersionOfKeyWhenItIsNotTheMostRecentVersion() { Uri keyPathUri = new Uri(DataTestUtility.AKVOriginalUrl); Uri vaultUri = new Uri(keyPathUri.GetLeftPart(UriPartial.Authority)); //If key version is not specified then we cannot test. if (KeyIsVersioned(keyPathUri)) { string keyName = keyPathUri.Segments[2]; string keyVersion = keyPathUri.Segments[3]; ClientSecretCredential clientSecretCredential = new ClientSecretCredential(DataTestUtility.AKVTenantId, DataTestUtility.AKVClientId, DataTestUtility.AKVClientSecret); KeyClient keyClient = new KeyClient(vaultUri, clientSecretCredential); KeyVaultKey currentVersionKey = keyClient.GetKey(keyName); KeyVaultKey specifiedVersionKey = keyClient.GetKey(keyName, keyVersion); //If specified versioned key is the most recent version of the key then we cannot test. if (!KeyIsLatestVersion(specifiedVersionKey, currentVersionKey)) { SqlColumnEncryptionAzureKeyVaultProvider azureKeyProvider = new SqlColumnEncryptionAzureKeyVaultProvider(clientSecretCredential); // Perform an operation to initialize the internal caches azureKeyProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVOriginalUrl, EncryptionAlgorithm, s_columnEncryptionKey); PropertyInfo keyCryptographerProperty = azureKeyProvider.GetType().GetProperty("KeyCryptographer", BindingFlags.NonPublic | BindingFlags.Instance); var keyCryptographer = keyCryptographerProperty.GetValue(azureKeyProvider); MethodInfo getKeyMethod = keyCryptographer.GetType().GetMethod("GetKey", BindingFlags.NonPublic | BindingFlags.Instance); KeyVaultKey key = (KeyVaultKey)getKeyMethod.Invoke(keyCryptographer, new[] { DataTestUtility.AKVOriginalUrl }); Assert.Equal(keyVersion, key.Properties.Version); } } }
public void RetrieveKey() { // Make sure a key exists. client.CreateKey("key-name", KeyType.Rsa); #region Snippet:RetrieveKey KeyVaultKey key = client.GetKey("key-name"); Console.WriteLine(key.Name); Console.WriteLine(key.KeyType); #endregion }
public override void Configure(IFunctionsHostBuilder builder) { var websiteResourceGroupEnvironmentVariable = GetWebsiteResourceGroupEnvironmentVariable(); var credential = new DefaultAzureCredential(); builder.Services.AddAzureClients((builder) => { builder.UseCredential(credential); var keyVaultUri = new Uri($"https://{websiteResourceGroupEnvironmentVariable}.vault.azure.net"); builder.AddSecretClient(keyVaultUri); var configurationUri = new Uri($"https://{websiteResourceGroupEnvironmentVariable}.azconfig.io/"); builder.AddConfigurationClient(configurationUri); // To inject the cryptography client with the extension helpers // here we need to first find the Key ID. var keyClient = new KeyClient(keyVaultUri, credential); KeyVaultKey key = keyClient.GetKey("github-app-private-key"); builder.AddCryptographyClient(key.Id); }); builder.Services.AddSingleton <IPullRequestTracker, PullRequestTracker>(); builder.Services.AddSingleton <GitHubRateLimiter>(); builder.Services.AddSingleton <IGlobalConfigurationProvider, GlobalConfigurationProvider>(); builder.Services.AddSingleton <IGitHubClientProvider, GitHubClientProvider>(); builder.Services.AddSingleton <IRepositoryConfigurationProvider, RepositoryConfigurationProvider>(); builder.Services.AddSingleton <GitHubWebhookProcessor>(); builder.Services.AddMemoryCache(); }
static void Main(string[] args) { string keyVaultUrl = "https://demovault2090.vault.azure.net/"; var client = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential()); // Getting the Encryption key from the key vault KeyVaultKey key = client.GetKey("newkey"); var cryptoClient = new CryptographyClient(keyId: key.Id, credential: new DefaultAzureCredential()); byte[] plaintext = Encoding.UTF8.GetBytes("This is sensitive data"); // Encrypting data EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext); //Decrypting data DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext); Console.WriteLine("Plain text"); string txt = Encoding.UTF8.GetString(decryptResult.Plaintext); Console.WriteLine(txt); Console.ReadLine(); }
public static async Task <IActionResult> Run( [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req, ILogger log) { log.LogInformation("C# HTTP trigger function processed a request."); string name = req.Query["name"]; //var credential = new ClientSecretCredential("231dd9cd-ddc7-4fba-ae78-9f4ac3c912e7", "5f43fe5c-1c2b-4afa-97e6-fda41302e28b", "5ZlLakKHA:DE.6Jq-GbJWF=icJaCwW32"); var credential = new ManagedIdentityCredential(); var kvUri = "https://kvswapana.vault.azure.net/"; var secretClient = new SecretClient(new Uri(kvUri), credential); var encryptedDEK = secretClient.GetSecret("DEK"); var keyClient = new KeyClient(new Uri(kvUri), credential); var encryptedKEY = keyClient.GetKey("KEK"); var cryptoClient = new CryptographyClient(encryptedKEY.Value.Id, credential); DecryptResult decryptDek = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, Convert.FromBase64String(encryptedDEK.Value.Value)); string requestBody = await new StreamReader(req.Body).ReadToEndAsync(); dynamic data = JsonConvert.DeserializeObject(requestBody); name = name ?? data?.name; return(name != null // Create MemoryStream ? (ActionResult) new OkObjectResult($"Hello, {name}, {encryptedKEY.Value.Id}, {Encoding.UTF8.GetString(decryptDek.Plaintext)}") : new BadRequestObjectResult("Please pass a name on the query string or in the request body")); }
public void CreateClient() { // Environment variable with the Key Vault endpoint. string vaultUrl = TestEnvironment.KeyVaultUrl; #region Snippet:CreateKeyClient // Create a new key client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var client = new KeyClient(vaultUri: new Uri(vaultUrl), credential: new DefaultAzureCredential()); // Create a new key using the key client. KeyVaultKey key = client.CreateKey("key-name", KeyType.Rsa); // Retrieve a key using the key client. key = client.GetKey("key-name"); #endregion #region Snippet:CreateCryptographyClient // Create a new cryptography client using the same Key Vault or Managed HSM endpoint, service version, // and options as the KeyClient created earlier. var cryptoClient = client.GetCryptographyClient(key.Name, key.Properties.Version); #endregion this.client = client; this.cryptoClient = cryptoClient; }
public void DeleteKeyFromVault_Purge_CompletelyRemovedKey() { var storeLogger = _loggerFactory.CreateLogger <KeyVaultKeyStorer>(); var storer = new KeyVaultKeyStorer(_client, storeLogger); var deleteLogger = _loggerFactory.CreateLogger <KeyVaultKeyDeleter>(); var deleter = new KeyVaultKeyDeleter(_client, deleteLogger); storer.Store(_keyName, KeyType.Ec); deleter.Delete(new KeyVaultKeyDeleteEvent { Name = _keyName, Purge = true }); Action action = () => _client.GetKey(_keyName); action.Should().ThrowExactly <RequestFailedException>().Where(e => e.Message.Contains($"A key with (name/id) {_keyName} was not found in this key vault.", StringComparison.InvariantCultureIgnoreCase)); action = () => _client.GetDeletedKey(_keyName); action.Should().ThrowExactly <RequestFailedException>(); }
public void CreateClient() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; #region Snippet:CreateKeyClient // Create a new key client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var client = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential()); // Create a new key using the key client. KeyVaultKey key = client.CreateKey("key-name", KeyType.Rsa); // Retrieve a key using the key client. key = client.GetKey("key-name"); #endregion #region Snippet:CreateCryptographyClient // Create a new certificate client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var cryptoClient = new CryptographyClient(keyId: key.Id, credential: new DefaultAzureCredential()); #endregion this.client = client; this.cryptoClient = cryptoClient; }
public void HelloWorldSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a RSA key valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(rsaKey); // Let's Get the Cloud RSA Key from the Key Vault. KeyVaultKey cloudRsaKey = client.GetKey(rsaKeyName); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); // After one year, the Cloud RSA Key is still required, we need to update the expiry time of the key. // The update method can be used to update the expiry attribute of the key. cloudRsaKey.Properties.ExpiresOn.Value.AddYears(1); KeyVaultKey updatedKey = client.UpdateKeyProperties(cloudRsaKey.Properties, cloudRsaKey.KeyOperations); Debug.WriteLine($"Key's updated expiry time is {updatedKey.Properties.ExpiresOn}"); // We need the Cloud RSA key with bigger key size, so you want to update the key in Key Vault to ensure // it has the required size. // Calling CreateRsaKey on an existing key creates a new version of the key in the Key Vault // with the new specified size. var newRsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 4096, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(newRsaKey); // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault. DeleteKeyOperation operation = client.StartDeleteKey(rsaKeyName); // To ensure the key is deleted on server before we try to purge it. while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. client.PurgeDeletedKey(rsaKeyName); }
public void HelloWorldSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); #region Snippet:KeysSample1KeyClient var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion #region Snippet:KeysSample1CreateKey string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(rsaKey); #endregion #region Snippet:KeysSample1GetKey KeyVaultKey cloudRsaKey = client.GetKey(rsaKeyName); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); #endregion #region Snippet:KeysSample1UpdateKeyProperties cloudRsaKey.Properties.ExpiresOn.Value.AddYears(1); KeyVaultKey updatedKey = client.UpdateKeyProperties(cloudRsaKey.Properties, cloudRsaKey.KeyOperations); Debug.WriteLine($"Key's updated expiry time is {updatedKey.Properties.ExpiresOn}"); #endregion #region Snippet:KeysSample1UpdateKey var newRsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 4096, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(newRsaKey); #endregion #region Snippet:KeysSample1DeleteKey DeleteKeyOperation operation = client.StartDeleteKey(rsaKeyName); #endregion #region Snippet:KeysSample1PurgeKey // You only need to wait for completion if you want to purge or recover the key. while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } client.PurgeDeletedKey(rsaKeyName); #endregion }
public void RSAKeyTest() { var keyClient = new KeyClient(new Uri("{{your keyvault uri}}"), new DefaultAzureCredential()); Response <KeyVaultKey> response = keyClient.GetKey("SingInCredentialsKey"); RSA rsa = response.Value.Key.ToRSA(); Assert.NotNull(response.Value.Properties.Version); }
//Creates a key in a specified Azure Key Vault to use for customer managed key server side encryption private static KeyVaultKey CreateKeyVaultKey(string keyVaultName, string keyVaultKeyName, TokenCredential credential) { Uri keyVaultUri = new Uri("https://" + keyVaultName + ".vault.azure.net"); KeyClient keyClient = new KeyClient(keyVaultUri, credential); KeyType keyType = new KeyType("RSA"); keyClient.CreateKey(keyVaultKeyName, keyType); return(keyClient.GetKey(keyVaultKeyName)); }
public EncryptResult Encrypt(string keyName, string data, string algorithm) { _logger.LogInformation("Getting Key with name: {keyName}", keyName); var key = _client.GetKey(keyName).Value; _logger.LogInformation("Encrypting data with keyid {Id}", key.Id.ToString()); var client = _factory.CreateCryptographyClient(key.Id.ToString()); return(client.Encrypt(new EncryptionAlgorithm(algorithm ?? "RSA1_5"), data.JsonDataToByteArray())); }
public DecryptResult Decrypt(string keyName, string encryptedData, string algorithm) { _logger.LogInformation("Getting Key with name: {KeyName}", keyName); var key = _keyClient.GetKey(keyName).Value; var cryptoClient = _clientFactory.CreateCryptographyClient(key.Id.ToString()); _logger.LogInformation("Decrypting data with keyid {Id}", key.Id.ToString()); return(cryptoClient.Decrypt(new EncryptionAlgorithm(algorithm ?? "RSA1_5"), encryptedData.GetBytes())); }
public byte[] Sign(string keyId, SignatureAlgorithm algorithm, byte[] digest) { KeyVaultKey cloudRsaKey = client.GetKey(keyId); var rsaCryptoClient = new CryptographyClient(cloudRsaKey.Id, defaultAzureCredential); SignResult rsaSignResult = rsaCryptoClient.Sign(algorithm, digest); Debug.WriteLine($"Signed digest using the algorithm {rsaSignResult.Algorithm}, with key {rsaSignResult.KeyId}. " + $"The resulting signature is {Convert.ToBase64String(rsaSignResult.Signature)}"); return(rsaSignResult.Signature); }
private void HelloWorldSync(string keyVaultUrl) { #region Snippet:KeysSample1KeyClient var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion #region Snippet:KeysSample1CreateKey string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(rsaKey); #endregion #region Snippet:KeysSample1GetKey KeyVaultKey cloudRsaKey = client.GetKey(rsaKeyName); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); #endregion #region Snippet:KeysSample1UpdateKeyProperties cloudRsaKey.Properties.ExpiresOn.Value.AddYears(1); KeyVaultKey updatedKey = client.UpdateKeyProperties(cloudRsaKey.Properties, cloudRsaKey.KeyOperations); Debug.WriteLine($"Key's updated expiry time is {updatedKey.Properties.ExpiresOn}"); #endregion #region Snippet:KeysSample1UpdateKey var newRsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 4096, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(newRsaKey); #endregion #region Snippet:KeysSample1DeleteKey DeleteKeyOperation operation = client.StartDeleteKey(rsaKeyName); #endregion #region Snippet:KeysSample1PurgeKey while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } client.PurgeDeletedKey(rsaKeyName); #endregion }
static void list() { Console.WriteLine("Enter KeyVault URI"); var keyvaultURI = Console.ReadLine(); Console.WriteLine("Enter key name in key vault"); var key = Console.ReadLine(); var client = new KeyClient(new Uri(keyvaultURI), new DefaultAzureCredential()); client.GetKey(key); }
public void HelloWorldSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a RSA key valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 2048) { Expires = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(rsaKey); // Let's Get the Cloud RSA Key from the Key Vault. Key cloudRsaKey = client.GetKey(rsaKeyName); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyMaterial.KeyType}"); // After one year, the Cloud RSA Key is still required, we need to update the expiry time of the key. // The update method can be used to update the expiry attribute of the key. cloudRsaKey.Expires.Value.AddYears(1); KeyBase updatedKey = client.UpdateKey(cloudRsaKey, cloudRsaKey.KeyMaterial.KeyOps); Debug.WriteLine($"Key's updated expiry time is {updatedKey.Expires}"); // We need the Cloud RSA key with bigger key size, so you want to update the key in Key Vault to ensure // it has the required size. // Calling CreateRsaKey on an existing key creates a new version of the key in the Key Vault // with the new specified size. var newRsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 4096) { Expires = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(newRsaKey); // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault. client.DeleteKey(rsaKeyName); // To ensure key is deleted on server side. Assert.IsTrue(WaitForDeletedKey(client, rsaKeyName)); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. client.PurgeDeletedKey(rsaKeyName); }
static void Main(string[] args) { var credential = new InteractiveBrowserCredential(); var kvUri = "[key vault uri]"; var client = new KeyClient(new Uri(kvUri), credential); var key = client.GetKey("[kek key name]"); var cryptoClient = new CryptographyClient(key.Value.Id, credential); var secretClient = new SecretClient(new Uri(kvUri), credential); var encryptedDEK = secretClient.GetSecret("[dek key name]"); DecryptResult decryptDek = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, Convert.FromBase64String(encryptedDEK.Value.Value)); var keynew = decryptDek.Plaintext[0..16];
protected void DefaultInit() { string tenantId = _configuration["Azure:Tenant_ID"]; string clientId = _configuration["Azure:Client_ID"]; string clientSecret = _configuration["Azure:Client_Secret"]; var clientCredentials = new ClientSecretCredential(tenantId, clientId, clientSecret); var keyClient = new KeyClient(new Uri(_keyVaultUri), clientCredentials); keyClient.CreateRsaKey(new CreateRsaKeyOptions(_keyVaultKeyName)); KeyVaultKey key = keyClient.GetKey(_keyVaultKeyName); _cryptoClient = new CryptographyClient(key.Id, new DefaultAzureCredential()); }
protected override Jwks GetKeysFromSource() { var keys = new List <Jwk>(); foreach (var keyProperties in _client.GetPropertiesOfKeys()) { var kvKey = _client.GetKey(keyProperties.Name); Jwk?key = null; if (kvKey.Value.KeyType == KeyType.Oct) { key = SymmetricJwk.FromByteArray(kvKey.Value.Key.K, false); } else if (kvKey.Value.KeyType == KeyType.Rsa || kvKey.Value.KeyType == KeyType.RsaHsm) { key = RsaJwk.FromParameters(kvKey.Value.Key.ToRSA(true).ExportParameters(true), false); } #if !NETFRAMEWORK else if (kvKey.Value.KeyType == KeyType.Ec || kvKey.Value.KeyType == KeyType.EcHsm) { ECJwk.FromParameters(ConvertToECParameters(kvKey.Value), computeThumbprint: false); } #endif if (!(key is null)) { key.Kid = JsonEncodedText.Encode(kvKey.Value.Key.Id); if (kvKey.Value.Key.KeyOps != null) { foreach (var operation in kvKey.Value.Key.KeyOps) { key.KeyOps.Add(JsonEncodedText.Encode(operation.ToString())); } } keys.Add(key); } } return(new Jwks(_client.VaultUri.ToString(), keys)); }
static void Main(string[] args) { Console.WriteLine("Read from keyvault"); // Setup in Azure: // -> Create a Service Principal in Azure AD using Azure CLI // az ad sp create-for-rbac -n {keyvaultname} --skip-assignemtn // The above generates a result that should be set an environment variables // appId = AZURE_CLIENT_ID // password = AZURE_CLIENT_SECRET // tenant = AZURE_TENANT_ID // Set access policy on KeyVault // az keyvault set-policy --name {keyvaultname} --spn "{appId from above}" --secret-permissions get list delete (etc, etc) var keyVaultUrl = "https://trainingvaultdrb.vault.azure.net/"; // DefaultAzureCredentials will get the settings from above from the environment variables var secretClient = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential()); // Get a Secret KeyVaultSecret secret = secretClient.GetSecret("apppwd"); Console.WriteLine($"{secret.Name}, {secret.Value}"); // Get a Key var keyClient = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential()); KeyVaultKey key = keyClient.GetKey("drbenckey"); // Encrypts using the key - these are Azure libraries var cyptoClient = new CryptographyClient(key.Id, credential: new DefaultAzureCredential()); byte[] plaintext = Encoding.UTF8.GetBytes("text to encrypt"); EncryptResult result = cyptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext); Console.WriteLine(Encoding.UTF8.GetString(result.Ciphertext)); }
public KeyVaultKey Get(string name) { return(_client.GetKey(name)); }
private async Task MigrationGuide() { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create KeyClient client = new KeyClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); CryptographyClient cryptoClient = new CryptographyClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { KeyClientOptions options = new KeyClientOptions { Transport = new HttpClientTransport(httpClient) }; #if SNIPPET KeyClient client = new KeyClient( #else client = new KeyClient( #endif new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), options); CryptographyClientOptions cryptoOptions = new CryptographyClientOptions { Transport = new HttpClientTransport(httpClient) }; #if SNIPPET CryptographyClient cryptoClient = new CryptographyClient( #else cryptoClient = new CryptographyClient( #endif new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), cryptoOptions); } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys // Create RSA key. CreateRsaKeyOptions createRsaOptions = new CreateRsaKeyOptions("rsa-key-name") { KeySize = 4096 }; KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(createRsaOptions); // Create Elliptic-Curve key. CreateEcKeyOptions createEcOptions = new CreateEcKeyOptions("ec-key-name") { CurveName = KeyCurveName.P256 }; KeyVaultKey ecKey = await client.CreateEcKeyAsync(createEcOptions); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys // List all keys asynchronously. await foreach (KeyProperties item in client.GetPropertiesOfKeysAsync()) { KeyVaultKey key = await client.GetKeyAsync(item.Name); } // List all keys synchronously. foreach (KeyProperties item in client.GetPropertiesOfKeys()) { KeyVaultKey key = client.GetKey(item.Name); } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey // Delete the key. DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("key-name"); // Purge or recover the deleted key if soft delete is enabled. if (deleteOperation.Value.RecoveryId != null) { // Deleting a key does not happen immediately. Wait for the key to be deleted. DeletedKey deletedKey = await deleteOperation.WaitForCompletionAsync(); // Purge the deleted key. await client.PurgeDeletedKeyAsync(deletedKey.Name); // You can also recover the deleted key using StartRecoverDeletedKeyAsync, // which returns RecoverDeletedKeyOperation you can await like DeleteKeyOperation above. } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt // Encrypt a message. The plaintext must be small enough for the chosen algorithm. byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt"); EncryptResult encrypted = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext); // Decrypt the message. DecryptResult decrypted = await cryptoClient.DecryptAsync(encrypted.Algorithm, encrypted.Ciphertext); string message = Encoding.UTF8.GetString(decrypted.Plaintext); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap using (Aes aes = Aes.Create()) { // Use a symmetric key to encrypt large amounts of data, possibly streamed... // Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data. WrapResult wrapped = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.RsaOaep256, aes.Key); // Read the IV and the encrypted key from the payload, then unwrap the key. UnwrapResult unwrapped = await cryptoClient.UnwrapKeyAsync(wrapped.Algorithm, wrapped.EncryptedKey); aes.Key = unwrapped.Key; // Decrypt the payload with the symmetric key. } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap } }
public void GetKeysSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; #region Snippet:KeysSample3KeyClient var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion #region Snippet:KeysSample3CreateKey string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(rsaKey); string ecKeyName = $"CloudECKey-{Guid.NewGuid()}"; var ecKey = new CreateEcKeyOptions(ecKeyName, hardwareProtected: false) { ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateEcKey(ecKey); #endregion #region Snippet:KeysSample3ListKeys IEnumerable <KeyProperties> keys = client.GetPropertiesOfKeys(); foreach (KeyProperties key in keys) { #if !SNIPPET if (key.Managed) { continue; } #endif KeyVaultKey keyWithType = client.GetKey(key.Name); Debug.WriteLine($"Key is returned with name {keyWithType.Name} and type {keyWithType.KeyType}"); } #endregion #region Snippet:KeysSample3UpdateKey var newRsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 4096, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(newRsaKey); #endregion #region Snippet:KeysSample3ListKeyVersions IEnumerable <KeyProperties> keysVersions = client.GetPropertiesOfKeyVersions(rsaKeyName); foreach (KeyProperties key in keysVersions) { Debug.WriteLine($"Key's version {key.Version} with name {key.Name}"); } #endregion #region Snippet:KeysSample3DeletedKeys DeleteKeyOperation rsaKeyOperation = client.StartDeleteKey(rsaKeyName); DeleteKeyOperation ecKeyOperation = client.StartDeleteKey(ecKeyName); // You only need to wait for completion if you want to purge or recover the key. while (!rsaKeyOperation.HasCompleted || !ecKeyOperation.HasCompleted) { Thread.Sleep(2000); rsaKeyOperation.UpdateStatus(); ecKeyOperation.UpdateStatus(); } #endregion #region Snippet:KeysSample3ListDeletedKeys IEnumerable <DeletedKey> keysDeleted = client.GetDeletedKeys(); foreach (DeletedKey key in keysDeleted) { Debug.WriteLine($"Deleted key's recovery Id {key.RecoveryId}"); } #endregion // You only need to wait for completion if you want to purge or recover the key. // If the keyvault is soft-delete enabled, then for permanent deletion, deleted keys needs to be purged. client.PurgeDeletedKey(rsaKeyName); client.PurgeDeletedKey(ecKeyName); }
public void GetKeysSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create EC and RSA keys valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 2048) { Expires = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(rsaKey); string ecKeyName = $"CloudECKey-{Guid.NewGuid()}"; var ecKey = new EcKeyCreateOptions(ecKeyName, hsm: false) { Expires = DateTimeOffset.Now.AddYears(1) }; client.CreateEcKey(ecKey); // You need to check the type of keys that already exist in your Key Vault. // Let's list the keys and print their types. // List operations don't return the keys with key material information. // So, for each returned key we call GetKey to get the key with its key material information. IEnumerable <Response <KeyProperties> > keys = client.GetKeys(); foreach (KeyProperties key in keys) { Key keyWithType = client.GetKey(key.Name); Debug.WriteLine($"Key is returned with name {keyWithType.Name} and type {keyWithType.KeyMaterial.KeyType}"); } // We need the Cloud RSA key with bigger key size, so you want to update the key in Key Vault to ensure // it has the required size. // Calling CreateRsaKey on an existing key creates a new version of the key in the Key Vault // with the new specified size. var newRsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 4096) { Expires = DateTimeOffset.Now.AddYears(1) }; client.CreateRsaKey(newRsaKey); // You need to check all the different versions Cloud RSA key had previously. // Lets print all the versions of this key. IEnumerable <Response <KeyProperties> > keysVersions = client.GetKeyVersions(rsaKeyName); foreach (KeyProperties key in keysVersions) { Debug.WriteLine($"Key's version {key.Version} with name {key.Name}"); } // The Cloud RSA Key and the Cloud EC Key are no longer needed. // You need to delete them from the Key Vault. client.DeleteKey(rsaKeyName); client.DeleteKey(ecKeyName); // To ensure secrets are deleted on server side. Assert.IsTrue(WaitForDeletedKey(client, rsaKeyName)); Assert.IsTrue(WaitForDeletedKey(client, ecKeyName)); // You can list all the deleted and non-purged keys, assuming Key Vault is soft-delete enabled. IEnumerable <Response <DeletedKey> > keysDeleted = client.GetDeletedKeys(); foreach (DeletedKey key in keysDeleted) { Debug.WriteLine($"Deleted key's recovery Id {key.RecoveryId}"); } // If the keyvault is soft-delete enabled, then for permanent deletion, deleted keys needs to be purged. client.PurgeDeletedKey(rsaKeyName); client.PurgeDeletedKey(ecKeyName); }
private PSKeyVaultKey GetKey(KeyClient client, string keyName, string keyVersion) { return(new PSKeyVaultKey(client.GetKey(keyName, keyVersion).Value, _vaultUriHelper)); }
public void ConfigureServices(IServiceCollection services) { services.AddControllersWithViews(); var keyClient = new KeyClient( new Uri(""), // e.g. https://scottbrady91-test.vault.azure.net/ new ClientSecretCredential( tenantId: "", clientId: "", clientSecret: "")); Response <KeyVaultKey> response = keyClient.GetKey(""); // e.g. IdentityServerSigningKeyEcc AsymmetricSecurityKey key; string algorithm; if (response.Value.KeyType == KeyType.Ec) { ECDsa ecDsa = response.Value.Key.ToECDsa(); key = new ECDsaSecurityKey(ecDsa) { KeyId = response.Value.Properties.Version }; // parse from curve if (response.Value.Key.CurveName == KeyCurveName.P256) { algorithm = "ES256"; } else if (response.Value.Key.CurveName == KeyCurveName.P384) { algorithm = "ES384"; } else if (response.Value.Key.CurveName == KeyCurveName.P521) { algorithm = "ES521"; } else { throw new NotSupportedException(); } } else if (response.Value.KeyType == KeyType.Rsa) { RSA rsa = response.Value.Key.ToRSA(); key = new RsaSecurityKey(rsa) { KeyId = response.Value.Properties.Version }; // you define algorithm = "PS256"; } else { throw new NotSupportedException(); } services.AddIdentityServer() .AddTestUsers(TestUsers.Users) .AddInMemoryIdentityResources(Config.Ids) .AddInMemoryApiResources(Config.Apis) .AddInMemoryClients(Config.Clients) .AddSigningCredential(key, algorithm); services.AddTransient <ITokenCreationService, KeyVaultTokenCreationService>(); }