/// <summary>
/// Wraps a symmetric key and then unwrapps the wrapped key
/// </summary>
/// <param name="key"> key bundle </param>
private static void WrapUnwrap(KeyBundle key)
{
KeyOperationResult wrappedKey;
var algorithm = inputValidator.GetEncryptionAlgorithm();
byte[] symmetricKey = inputValidator.GetSymmetricKey();
string keyVersion = inputValidator.GetKeyVersion();
if (keyVersion != string.Empty)
{
var vaultAddress = inputValidator.GetVaultAddress();
string keyName = inputValidator.GetKeyName(true);
wrappedKey = keyVaultClient.WrapKeyAsync(vaultAddress, keyName, keyVersion, algorithm, symmetricKey).GetAwaiter().GetResult();
}
else
{
// If the key ID is not initialized get the key id from args
var keyId = (key != null) ? key.Key.Kid : inputValidator.GetKeyId();
// Wrap the symmetric key
wrappedKey = keyVaultClient.WrapKeyAsync(keyId, algorithm, symmetricKey).GetAwaiter().GetResult();
}
Console.Out.WriteLine(string.Format("The symmetric key is wrapped using key id {0} and algorithm {1}", wrappedKey.Kid, algorithm));
// Unwrap the symmetric key
var unwrappedKey = keyVaultClient.UnwrapKeyAsync(wrappedKey.Kid, algorithm, wrappedKey.Result).GetAwaiter().GetResult();
Console.Out.WriteLine(string.Format("The unwrapped key is{0}the same as the original key!",
symmetricKey.SequenceEqual(unwrappedKey.Result) ? " " : " not "));
}
public async Task <string> UnwrapAsync(string encryptedKey)
{
var encryptedBytes = Convert.FromBase64String(encryptedKey);
var decryptionResult = await client.UnwrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedBytes);
var decryptedKey = Encoding.Unicode.GetString(decryptionResult.Result);
return(decryptedKey);
}
/// <summary>
/// Unwraps a symmetric key using the specified wrapping key and algorithm.
/// </summary>
/// <param name="wrappingKey">The wrapping key</param>
/// <param name="wrappedKey">The symmetric key to unwrap</param>
/// <param name="algorithm">The algorithm to use. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <returns>The unwrapped key</returns>
public static async Task <KeyOperationResult> UnwrapKeyAsync(this KeyVaultClient client, KeyBundle wrappingKey, byte[] wrappedKey, string algorithm)
{
if (wrappingKey == null)
{
throw new ArgumentNullException("wrappingKey");
}
return(await client.UnwrapKeyAsync(wrappingKey.Key, wrappedKey, algorithm).ConfigureAwait(false));
}
/// <summary>
/// Use symmetric encryption, then wrap the key using Key Vault
/// </summary>
/// <returns></returns>
private static async Task EncryptAndWrap()
{
// In real-world, these could be concatenated and stored.
byte[] iv;
byte[] wrappedKey;
Stream encryptedData = new MemoryStream();
string wrappingKeyIdentifier;
string keyWrappingEncryptionAlgorithm = JsonWebKeyEncryptionAlgorithm.RSA15;
// TODO: This (probably) doesn't use "AE" - update accordingly.
// This creates a random key and initialisation vector (IV) and encrypts the data
using (var encryptingAes = Aes.Create())
{
iv = encryptingAes.IV;
var encryptor = encryptingAes.CreateEncryptor();
using (var encryptingStream = new CryptoStream(encryptedData, encryptor, CryptoStreamMode.Write, true))
using (var writer = new StreamWriter(encryptingStream)) // NOTE: This is a text writer! Shouldn't do this if we're dealing with binary data!
{
writer.Write(inputText);
writer.Flush();
encryptingStream.Flush();
}
var wrappingResult = await keyVaultClient.WrapKeyAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key);
wrappedKey = wrappingResult.Result;
wrappingKeyIdentifier = wrappingResult.Kid;
// TODO: Test if "wrap" and "encrypt" produce the same resul;t
var encryptTest = await keyVaultClient.EncryptAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key);
}
encryptedData.Position = 0;
// Decrypt
var unwrapKeyResult = await keyVaultClient.UnwrapKeyAsync(wrappingKeyIdentifier, keyWrappingEncryptionAlgorithm, wrappedKey);
var symmetricKey = unwrapKeyResult.Result;
string decrypted;
using (var decryptingAes = Aes.Create())
{
decryptingAes.IV = iv;
decryptingAes.Key = symmetricKey;
var decryptor = decryptingAes.CreateDecryptor();
using (var decryptingStream = new CryptoStream(encryptedData, decryptor, CryptoStreamMode.Read))
using (var reader = new StreamReader(decryptingStream))
{
decrypted = reader.ReadToEnd();
}
}
if (inputText != decrypted)
{
throw new Exception("Decrypted does not match encrypted");
}
}
/// <summary>
/// Wraps and unwraps symmetric key
/// </summary>
/// <param name="algorithm"> the wrao and unwrap algorithm </param>
private void WrapAndUnwrap(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm, byte[] symmetricKeyBytes)
{
var wrapResult = client.WrapKeyAsync(keyIdentifier.BaseIdentifier, algorithm, symmetricKeyBytes).GetAwaiter().GetResult();
Assert.NotNull(wrapResult);
Assert.NotNull(wrapResult.Kid);
Assert.NotNull(wrapResult.Result);
var unwrapResult = client.UnwrapKeyAsync(wrapResult.Kid, algorithm, wrapResult.Result).GetAwaiter().GetResult();
Assert.NotNull(unwrapResult);
Assert.NotNull(unwrapResult.Kid);
Assert.True(unwrapResult.Result.SequenceEqual(symmetricKeyBytes), "the symmetric key after unwrap should match the initial key");
}
public async Task <byte[]> UnwrapSymmetricKeyAsync(string keyId, byte[] wrappedSymmetricKey)
{
if (string.IsNullOrEmpty(keyId))
{
throw new ArgumentNullException(keyId, "Key NickName is Null.");
}
if (wrappedSymmetricKey == null)
{
throw new ArgumentNullException(nameof(wrappedSymmetricKey), "Wrapped symetric key is Null.");
}
if (wrappedSymmetricKey.Length == 0)
{
throw new ArgumentNullException(nameof(wrappedSymmetricKey), "Wrapped symmetric key is Empty.");
}
var unwrappedKey = await KeyVaultClient.UnwrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, wrappedSymmetricKey);
return(unwrappedKey.Result);
}
private static async Task Process(string textToEncrypt)
{
var plainTextBytes = Encoding.UTF8.GetBytes(textToEncrypt);
Console.WriteLine("\n===Encrypt Data===");
Console.WriteLine("- Generate data access key");
var dataAccessKey = new byte[32];
using (var random = new RNGCryptoServiceProvider())
{
random.GetBytes(dataAccessKey);
}
Console.WriteLine("- Encrypt data using data access key");
byte[] encryptedBytes;
using (var aes = new AesManaged())
{
try
{
aes.GenerateIV();
aes.Key = dataAccessKey;
aes.Mode = CipherMode.CBC;
using (var cipherStream = new MemoryStream())
using (var encryptor = aes.CreateEncryptor(aes.Key, aes.IV))
using (var cryptostream = new CryptoStream(cipherStream, encryptor, CryptoStreamMode.Write))
{
cipherStream.Write(aes.IV, 0, aes.IV.Length);
cryptostream.Write(plainTextBytes, 0, plainTextBytes.Length);
cryptostream.FlushFinalBlock();
encryptedBytes = cipherStream.ToArray();
}
}
finally
{
aes.Clear();
}
}
Console.WriteLine("- Wrap the data access key using public master key");
var wrappedKey = await _rsaKey.WrapKeyAsync(dataAccessKey, JsonWebKeyEncryptionAlgorithm.RSAOAEP);
Console.WriteLine("- Serialize data to store in database");
var serializedData = JsonConvert.SerializeObject(encryptedBytes);
var serializedWrappedKey = JsonConvert.SerializeObject(wrappedKey.Item1);
Console.WriteLine("- Remove references to keys and data");
wrappedKey = null;
encryptedBytes = null;
Console.WriteLine("\n===Encryption Result===");
Console.WriteLine($"Encrypted data: {serializedData}");
Console.WriteLine($"KeyId: {_masterKeyId}");
Console.WriteLine($"Wrapped key: {serializedWrappedKey}");
Console.WriteLine("\n===Decrypt Data===");
Console.WriteLine("- Deserialize data and wrapped key from storage");
var dataBytes = JsonConvert.DeserializeObject <byte[]>(serializedData);
var wrappedKeyBytes = JsonConvert.DeserializeObject <byte[]>(serializedWrappedKey);
Console.WriteLine("- Get unwrapped data access key rom key vault");
var xyz = await _keyVaultClient.UnwrapKeyAsync(VaultBaseUrl, KeyName, _masterKeyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, wrappedKeyBytes);
Console.WriteLine("- Decrypt data");
byte[] decryptedBytes;
using (var aes = new AesManaged())
{
try
{
byte[] iv = new byte[16];
Array.Copy(dataBytes, iv, 16);
aes.Key = xyz.Result;
aes.Mode = CipherMode.CBC;
using (var plainTextStream = new MemoryStream())
using (var cryptoTransform = aes.CreateDecryptor(aes.Key, iv))
using (var cryptoStream = new CryptoStream(plainTextStream, cryptoTransform, CryptoStreamMode.Write))
{
cryptoStream.Write(dataBytes, 16, dataBytes.Length - 16);
cryptoStream.FlushFinalBlock();
decryptedBytes = plainTextStream.ToArray();
}
}
finally
{
aes.Clear();
}
}
var decryptedText = Encoding.UTF8.GetString(decryptedBytes);
Console.WriteLine("\n===Decryption Result===");
Console.WriteLine($"{decryptedText}");
}
public Task <KeyOperationResult> UnwrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText)
{
return(_client.UnwrapKeyAsync(keyIdentifier, algorithm, cipherText));
}
private async Task KeysMigrationGuide()
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
KeyVaultClient client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
//@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
/*@@*/ provider = new AzureServiceTokenProvider();
//@@KeyVaultClient client = new KeyVaultClient(
/*@@*/ client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback),
httpClient);
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey
// Create RSA key.
NewKeyParameters createRsaParameters = new NewKeyParameters
{
Kty = JsonWebKeyType.Rsa,
KeySize = 4096
};
KeyBundle rsaKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "rsa-key-name", createRsaParameters);
// Create Elliptic-Curve key.
NewKeyParameters createEcParameters = new NewKeyParameters
{
Kty = JsonWebKeyType.EllipticCurve,
CurveName = "P-256"
};
KeyBundle ecKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "ec-key-name", createEcParameters);
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
IPage <KeyItem> page = await client.GetKeysAsync("https://myvault.vault.azure.net");
foreach (KeyItem item in page)
{
KeyIdentifier keyId = item.Identifier;
KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name);
}
while (page.NextPageLink != null)
{
page = await client.GetKeysNextAsync(page.NextPageLink);
foreach (KeyItem item in page)
{
KeyIdentifier keyId = item.Identifier;
KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name);
}
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
// Delete the key.
DeletedKeyBundle deletedKey = await client.DeleteKeyAsync("https://myvault.vault.azure.net", "key-name");
// Purge or recover the deleted key if soft delete is enabled.
if (deletedKey.RecoveryId != null)
{
DeletedKeyIdentifier deletedKeyId = deletedKey.RecoveryIdentifier;
// Deleting a key does not happen immediately. Wait a while and check if the deleted key exists.
while (true)
{
try
{
await client.GetDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name);
// Finally deleted.
break;
}
catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound)
{
// Not yet deleted...
}
}
// Purge the deleted key.
await client.PurgeDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name);
// You can also recover the deleted key using RecoverDeletedKeyAsync.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
// Encrypt a message. The plaintext must be small enough for the chosen algorithm.
byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt");
KeyOperationResult encrypted = await client.EncryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, plaintext);
// Decrypt the message.
KeyOperationResult decrypted = await client.DecryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, encrypted.Result);
string message = Encoding.UTF8.GetString(decrypted.Result);
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap
using (Aes aes = Aes.Create())
{
// Use a symmetric key to encrypt large amounts of data, possibly streamed...
// Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data.
KeyOperationResult wrapped = await client.WrapKeyAsync(
"https://myvault.vault.azure.net",
"rsa-key-name",
null,
JsonWebKeyEncryptionAlgorithm.RSAOAEP256,
aes.Key);
// Read the IV and the encrypted key from the payload, then unwrap the key.
KeyOperationResult unwrapped = await client.UnwrapKeyAsync(
"https://myvault.vault.azure.net",
"rsa-key-name",
null,
JsonWebKeyEncryptionAlgorithm.RSAOAEP256,
wrapped.Result);
aes.Key = unwrapped.Result;
// Decrypt the payload with the symmetric key.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap
}
}
public async Task <byte[]> UnwrapKey(byte[] wrappedKey)
{
var unwrappedKey = await _keyVaultClient.UnwrapKeyAsync(_vaultURL, ALGORITHM, wrappedKey);
return(unwrappedKey.Result);
}
