public async Task HelloWorldAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a RSA key valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; await client.CreateRsaKeyAsync(rsaKey); // Let's Get the Cloud RSA Key from the Key Vault. KeyVaultKey cloudRsaKey = await client.GetKeyAsync(rsaKeyName); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); // After one year, the Cloud RSA Key is still required, we need to update the expiry time of the key. // The update method can be used to update the expiry attribute of the key. cloudRsaKey.Properties.ExpiresOn.Value.AddYears(1); KeyVaultKey updatedKey = await client.UpdateKeyPropertiesAsync(cloudRsaKey.Properties, cloudRsaKey.KeyOperations); Debug.WriteLine($"Key's updated expiry time is {updatedKey.Properties.ExpiresOn}"); // We need the Cloud RSA key with bigger key size, so you want to update the key in Key Vault to ensure // it has the required size. // Calling CreateRsaKey on an existing key creates a new version of the key in the Key Vault // with the new specified size. var newRsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 4096, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; await client.CreateRsaKeyAsync(newRsaKey); // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault. DeleteKeyOperation operation = await client.StartDeleteKeyAsync(rsaKeyName); #region Snippet:KeysSample1PurgeKeyAsync // You only need to wait for completion if you want to purge or recover the key. await operation.WaitForCompletionAsync(); await client.PurgeDeletedKeyAsync(rsaKeyName); #endregion }
public async Task HelloWorldASync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a RSA key valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 2048) { Expires = DateTimeOffset.Now.AddYears(1) }; await client.CreateRsaKeyAsync(rsaKey); // Let's Get the Cloud RSA Key from the Key Vault. Key cloudRsaKey = await client.GetKeyAsync(rsaKeyName); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyMaterial.KeyType}"); // After one year, the Cloud RSA Key is still required, we need to update the expiry time of the key. // The update method can be used to update the expiry attribute of the key. cloudRsaKey.Expires.Value.AddYears(1); KeyBase updatedKey = await client.UpdateKeyAsync(cloudRsaKey, cloudRsaKey.KeyMaterial.KeyOps); Debug.WriteLine($"Key's updated expiry time is {updatedKey.Expires}"); // We need the Cloud RSA key with bigger key size, so you want to update the key in Key Vault to ensure // it has the required size. // Calling CreateRsaKey on an existing key creates a new version of the key in the Key Vault // with the new specified size. var newRsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 4096) { Expires = DateTimeOffset.Now.AddYears(1) }; await client.CreateRsaKeyAsync(newRsaKey); // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault. await client.DeleteKeyAsync(rsaKeyName); // To ensure secret is deleted on server side. Assert.IsTrue(await WaitForDeletedKeyAsync(client, rsaKeyName)); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. await client.PurgeDeletedKeyAsync(rsaKeyName); }
public async Task <string> createEncryptionRSAKey() { try { //Get the new Guid guidObject = Guid.NewGuid(); //Keyname to be stored in the database string keyName = guidObject.ToString(); //Getting the configuration from the azure app configuration string KeyVaultUrl = System.Configuration.ConfigurationManager.AppSettings["SecureDeskKeyVaultUrl"]; string clientid = System.Configuration.ConfigurationManager.AppSettings["SecureDeskAccessPoclicyClientId"]; string tenantId = System.Configuration.ConfigurationManager.AppSettings["SecureDeskAccessPolicyTenantId"]; string client_secret = System.Configuration.ConfigurationManager.AppSettings["SecureDeskAccessPolicyPassword"]; //Create the Client for the KeyVault var client = new KeyClient(vaultUri: new Uri(KeyVaultUrl), credential: new ClientSecretCredential(tenantId, clientid, client_secret)); // Create a software RSA key with the KeyName variable var rsaCreateKey = new CreateRsaKeyOptions(keyName, hardwareProtected: false); //Create and store the key KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey); //return the key and save to the database return(keyName); } catch (Exception ex) { throw new Exception(ex.Message.ToString()); } }
public async Task CreateKeyAsync() { #region Snippet:CreateKeyAsync // Create a key of any type KeyVaultKey key = await client.CreateKeyAsync("key-name", KeyType.Rsa); Console.WriteLine(key.Name); Console.WriteLine(key.KeyType); // Create a software RSA key var rsaCreateKey = new CreateRsaKeyOptions("rsa-key-name", hardwareProtected: false); KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey); Console.WriteLine(rsaKey.Name); Console.WriteLine(rsaKey.KeyType); // Create a hardware Elliptic Curve key // Because only premium Azure Key Vault supports HSM backed keys , please ensure your Azure Key Vault // SKU is premium when you set "hardwareProtected" value to true var echsmkey = new CreateEcKeyOptions("ec-key-name", hardwareProtected: true); KeyVaultKey ecKey = await client.CreateEcKeyAsync(echsmkey); Console.WriteLine(ecKey.Name); Console.WriteLine(ecKey.KeyType); #endregion }
public async Task <(string, string)> DecryptAsync() { //string keyVaultName = "myfavouritekeyvault"; string keyVaultUri = "https://joeycrackvault.vault.azure.net"; string keyVaultKeyName = "TestVaultKey"; string textToEncrypt = "cnbTestString"; var defaultAzurecredentialsOption = new DefaultAzureCredentialOptions() { ExcludeManagedIdentityCredential = true, ExcludeVisualStudioCredential = true, ExcludeAzurePowerShellCredential = true, }; var client = new KeyClient(new Uri(keyVaultUri), new DefaultAzureCredential(defaultAzurecredentialsOption)); await client.CreateRsaKeyAsync(new CreateRsaKeyOptions(keyVaultKeyName)).ConfigureAwait(false); KeyVaultKey key = await client.GetKeyAsync(keyVaultKeyName).ConfigureAwait(false); var cryptoClient = new CryptographyClient(key.Id, new DefaultAzureCredential()); string encryptedString = await EncryptStringAsync(cryptoClient, textToEncrypt).ConfigureAwait(false); Console.WriteLine($"Encrypted string: {encryptedString}"); //return $"Encrypted string: {encryptedString}"; string decryptedString = await DecryptStringAsync(cryptoClient, encryptedString).ConfigureAwait(false); Console.WriteLine($"Decrypted string: {decryptedString}"); return($"Encrypted string: {encryptedString}", $"Decrypted string: {decryptedString}"); }
public static async Task <IActionResult> Run( [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req, ILogger log) { var vaultUri = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL") ?? "https://heathskv.vault.azure.net"; var client = new KeyClient( new Uri(vaultUri), new DefaultAzureCredential()); try { var response = await client.CreateRsaKeyAsync( new CreateRsaKeyOptions("issue20942") { KeySize = 2048, }); log.LogInformation($"Created {response.Value.Name}"); return(new OkResult()); } catch (Exception ex) { log.LogWarning(ex, $"System.Text.Json version {typeof(JsonEncodedText).Assembly.GetName().Version}"); throw; } }
public async Task BackupAndRestoreAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a RSA key valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; KeyVaultKey storedKey = await client.CreateRsaKeyAsync(rsaKey); // You might make backups in case keys get accidentally deleted. // For long term storage, it is ideal to write the backup to a file, disk, database, etc. // For the purposes of this sample, we are storing the back up in a temporary memory area. byte[] byteKey = await client.BackupKeyAsync(rsaKeyName); using (var memoryStream = new MemoryStream()) { memoryStream.Write(byteKey, 0, byteKey.Length); // The storage account key is no longer in use, so you delete it. DeleteKeyOperation operation = await client.StartDeleteKeyAsync(rsaKeyName); // To ensure the key is deleted on server before we try to purge it. await operation.WaitForCompletionAsync(); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. await client.PurgeDeletedKeyAsync(rsaKeyName); // After sometime, the key is required again. We can use the backup value to restore it in the Key Vault. KeyVaultKey restoredKey = await client.RestoreKeyBackupAsync(memoryStream.ToArray()); AssertKeysEqual(storedKey.Properties, restoredKey.Properties); // Delete and purge the restored key. operation = await client.StartDeleteKeyAsync(rsaKeyName); // You only need to wait for completion if you want to purge or recover the key. await operation.WaitForCompletionAsync(); await client.PurgeDeletedKeyAsync(rsaKeyName); } }
public async Task EncryptDecryptAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to create a key. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // First we create a RSA key which will be used to encrypt and decrypt string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, }; KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); // Then we create the CryptographyClient which can perform cryptographic operations with the key we just created. // Again we are using the default Azure credential as above. var cryptoClient = new CryptographyClient(cloudRsaKey.Id, new DefaultAzureCredential()); // Next we'll encrypt some arbitrary plain text with the key using the CryptographyClient. Note that RSA encryption // algorithms have no chaining so they can only encrypt a single block of plaintext securely. For RSAOAEP this can be // calculated as (keysize / 8) - 42, or in our case (2048 / 8) - 42 = 214 bytes. byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext"); // First encrypt the data using RSAOAEP with the created key. EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep, plaintext); Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, with key {encryptResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(encryptResult.Ciphertext)}"); // Now decrypt the encrypted data. Note that the same algorithm must always be used for both encrypt and decrypt DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext); Debug.WriteLine($"Decrypted data using the algorithm {decryptResult.Algorithm}, with key {decryptResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(decryptResult.Plaintext)}"); // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault. await keyClient.DeleteKeyAsync(rsaKeyName); // To ensure key is deleted on server side. Assert.IsTrue(await WaitForDeletedKeyAsync(keyClient, rsaKeyName)); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. await keyClient.PurgeDeletedKeyAsync(rsaKeyName); }
public async Task WrapUnwrapAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to create a key. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // First create a RSA key which will be used to wrap and unwrap another key string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, }; KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); // Let's create the CryptographyClient which can perform cryptographic operations with the key we just created. // Again we are using the default Azure credential as above. var cryptoClient = new CryptographyClient(cloudRsaKey.Id, new DefaultAzureCredential()); // Next we'll generate a symmetric key which we will wrap byte[] keyData = AesManaged.Create().Key; Debug.WriteLine($"Generated Key: {Convert.ToBase64String(keyData)}"); // Wrap the key using RSAOAEP with the created key. WrapResult wrapResult = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.RsaOaep, keyData); Debug.WriteLine($"Encrypted data using the algorithm {wrapResult.Algorithm}, with key {wrapResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(wrapResult.EncryptedKey)}"); // Now unwrap the encrypted key. Note that the same algorithm must always be used for both wrap and unwrap UnwrapResult unwrapResult = await cryptoClient.UnwrapKeyAsync(KeyWrapAlgorithm.RsaOaep, wrapResult.EncryptedKey); Debug.WriteLine($"Decrypted data using the algorithm {unwrapResult.Algorithm}, with key {unwrapResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(unwrapResult.Key)}"); // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault. DeleteKeyOperation operation = await keyClient.StartDeleteKeyAsync(rsaKeyName); // To ensure the key is deleted on server before we try to purge it. await operation.WaitForCompletionAsync(); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. await keyClient.PurgeDeletedKeyAsync(rsaKeyName); }
public async Task BackupAndRestoreAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a RSA key valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new RsaKeyCreateOptions(rsaKeyName, hsm: false, keySize: 2048) { Expires = DateTimeOffset.Now.AddYears(1) }; Key storedKey = await client.CreateRsaKeyAsync(rsaKey); // Backups are good to have if in case keys get accidentally deleted by you. // For long term storage, it is ideal to write the backup to a file, disk, database, etc. // For the purposes of this sample, we are storing the bakup in a temporary memory area. byte[] byteKey = await client.BackupKeyAsync(rsaKeyName); using (var memoryStream = new MemoryStream()) { memoryStream.Write(byteKey, 0, byteKey.Length); // The storage account key is no longer in use, so you delete it. await client.DeleteKeyAsync(rsaKeyName); // To ensure the key is deleted on server side. Assert.IsTrue(await WaitForDeletedKeyAsync(client, rsaKeyName)); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. await client.PurgeDeletedKeyAsync(rsaKeyName); // After sometime, the key is required again. We can use the backup value to restore it in the Key Vault. Key restoredKey = await client.RestoreKeyAsync(memoryStream.ToArray()); AssertKeysEqual(storedKey.Properties, restoredKey.Properties); } }
public async Task KeyRotationAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, }; KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey); Debug.WriteLine($"{cloudRsaKey.KeyType} key is returned with name {cloudRsaKey.Name} and version {cloudRsaKey.Properties.Version}"); KeyRotationPolicy policy = new KeyRotationPolicy() { ExpiresIn = TimeSpan.FromDays(90), LifetimeActions = { new KeyRotationLifetimeAction() { Action = KeyRotationPolicyAction.Rotate, TimeBeforeExpiry = TimeSpan.FromDays(30) } } }; await keyClient.UpdateKeyRotationPolicyAsync(rsaKeyName, policy); KeyVaultKey newRsaKey = await keyClient.RotateKeyAsync(rsaKeyName); Debug.WriteLine($"Rotated key {newRsaKey.Name} with version {newRsaKey.Properties.Version}"); DeleteKeyOperation operation = await keyClient.StartDeleteKeyAsync(rsaKeyName); // You only need to wait for completion if you want to purge or recover the key. await operation.WaitForCompletionAsync(); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. keyClient.PurgeDeletedKey(rsaKeyName); }
public async Task CreateKeyAsync() { #region CreateKeyAsync // Create a key of any type Key key = await client.CreateKeyAsync("key-name", KeyType.Rsa); Console.WriteLine(key.Name); Console.WriteLine(key.KeyMaterial.KeyType); // Create a software RSA key var rsaCreateKey = new RsaKeyCreateOptions("rsa-key-name", hsm: false); Key rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey); Console.WriteLine(rsaKey.Name); Console.WriteLine(rsaKey.KeyMaterial.KeyType); // Create a hardware Elliptic Curve key var echsmkey = new EcKeyCreateOptions("ec-key-name", hsm: true); Key ecKey = await client.CreateEcKeyAsync(echsmkey); Console.WriteLine(ecKey.Name); Console.WriteLine(ecKey.KeyMaterial.KeyType); #endregion }
public async Task GetKeysAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create EC and RSA keys valid for 1 year. If the key // already exists in the Key Vault, then a new version of the key is created. string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; await client.CreateRsaKeyAsync(rsaKey); string ecKeyName = $"CloudECKey-{Guid.NewGuid()}"; var ecKey = new CreateEcKeyOptions(ecKeyName, hardwareProtected: false) { ExpiresOn = DateTimeOffset.Now.AddYears(1) }; await client.CreateEcKeyAsync(ecKey); // You need to check the type of keys that already exist in your Key Vault. // Let's list the keys and print their types. // List operations don't return the actual key, but only properties of the key. // So, for each returned key we call GetKey to get the actual key. await foreach (KeyProperties key in client.GetPropertiesOfKeysAsync()) { KeyVaultKey keyWithType = await client.GetKeyAsync(key.Name); Debug.WriteLine($"Key is returned with name {keyWithType.Name} and type {keyWithType.KeyType}"); } // We need the Cloud RSA key with bigger key size, so you want to update the key in Key Vault to ensure // it has the required size. // Calling CreateRsaKey on an existing key creates a new version of the key in the Key Vault // with the new specified size. var newRsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 4096, ExpiresOn = DateTimeOffset.Now.AddYears(1) }; await client.CreateRsaKeyAsync(newRsaKey); // You need to check all the different versions Cloud RSA key had previously. // Lets print all the versions of this key. await foreach (KeyProperties key in client.GetPropertiesOfKeyVersionsAsync(rsaKeyName)) { Debug.WriteLine($"Key's version {key.Version} with name {key.Name}"); } // The Cloud RSA Key and the Cloud EC Key are no longer needed. // You need to delete them from the Key Vault. DeleteKeyOperation rsaKeyOperation = await client.StartDeleteKeyAsync(rsaKeyName); DeleteKeyOperation ecKeyOperation = await client.StartDeleteKeyAsync(ecKeyName); // You only need to wait for completion if you want to purge or recover the key. await Task.WhenAll( rsaKeyOperation.WaitForCompletionAsync().AsTask(), ecKeyOperation.WaitForCompletionAsync().AsTask()); // You can list all the deleted and non-purged keys, assuming Key Vault is soft-delete enabled. await foreach (DeletedKey key in client.GetDeletedKeysAsync()) { Debug.WriteLine($"Deleted key's recovery Id {key.RecoveryId}"); } // If the keyvault is soft-delete enabled, then for permanent deletion, deleted keys needs to be purged. await Task.WhenAll( client.PurgeDeletedKeyAsync(rsaKeyName), client.PurgeDeletedKeyAsync(ecKeyName)); }
private async Task MigrationGuide() { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create KeyClient client = new KeyClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); CryptographyClient cryptoClient = new CryptographyClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { KeyClientOptions options = new KeyClientOptions { Transport = new HttpClientTransport(httpClient) }; #if SNIPPET KeyClient client = new KeyClient( #else client = new KeyClient( #endif new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), options); CryptographyClientOptions cryptoOptions = new CryptographyClientOptions { Transport = new HttpClientTransport(httpClient) }; #if SNIPPET CryptographyClient cryptoClient = new CryptographyClient( #else cryptoClient = new CryptographyClient( #endif new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), cryptoOptions); } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys // Create RSA key. CreateRsaKeyOptions createRsaOptions = new CreateRsaKeyOptions("rsa-key-name") { KeySize = 4096 }; KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(createRsaOptions); // Create Elliptic-Curve key. CreateEcKeyOptions createEcOptions = new CreateEcKeyOptions("ec-key-name") { CurveName = KeyCurveName.P256 }; KeyVaultKey ecKey = await client.CreateEcKeyAsync(createEcOptions); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys // List all keys asynchronously. await foreach (KeyProperties item in client.GetPropertiesOfKeysAsync()) { KeyVaultKey key = await client.GetKeyAsync(item.Name); } // List all keys synchronously. foreach (KeyProperties item in client.GetPropertiesOfKeys()) { KeyVaultKey key = client.GetKey(item.Name); } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey // Delete the key. DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("key-name"); // Purge or recover the deleted key if soft delete is enabled. if (deleteOperation.Value.RecoveryId != null) { // Deleting a key does not happen immediately. Wait for the key to be deleted. DeletedKey deletedKey = await deleteOperation.WaitForCompletionAsync(); // Purge the deleted key. await client.PurgeDeletedKeyAsync(deletedKey.Name); // You can also recover the deleted key using StartRecoverDeletedKeyAsync, // which returns RecoverDeletedKeyOperation you can await like DeleteKeyOperation above. } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt // Encrypt a message. The plaintext must be small enough for the chosen algorithm. byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt"); EncryptResult encrypted = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext); // Decrypt the message. DecryptResult decrypted = await cryptoClient.DecryptAsync(encrypted.Algorithm, encrypted.Ciphertext); string message = Encoding.UTF8.GetString(decrypted.Plaintext); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap using (Aes aes = Aes.Create()) { // Use a symmetric key to encrypt large amounts of data, possibly streamed... // Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data. WrapResult wrapped = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.RsaOaep256, aes.Key); // Read the IV and the encrypted key from the payload, then unwrap the key. UnwrapResult unwrapped = await cryptoClient.UnwrapKeyAsync(wrapped.Algorithm, wrapped.EncryptedKey); aes.Key = unwrapped.Key; // Decrypt the payload with the symmetric key. } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap } }
public async Task SerializeJsonWebKeyAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, }; KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); string dir = Path.Combine(TestContext.CurrentContext.WorkDirectory, "samples", nameof(Sample7_SerializeJsonWebKey)); Directory.CreateDirectory(dir); string path = Path.Combine(dir, $"{nameof(SerializeJsonWebKeyAsync)}.json"); // Use `using` expression for clean sample, but scope it to close and dispose immediately. { using FileStream file = File.Create(path); await JsonSerializer.SerializeAsync(file, cloudRsaKey.Key); Debug.WriteLine($"Saved JWK to {path}"); } // Use `using` expression for clean sample, but scope it to close and dispose immediately. JsonWebKey jwk = null; { using FileStream file = File.Open(path, FileMode.Open); jwk = await JsonSerializer.DeserializeAsync <JsonWebKey>(file); Debug.WriteLine($"Read JWK from {path} with ID {jwk.Id}"); } string content = "plaintext"; var encryptClient = new CryptographyClient(jwk); byte[] plaintext = Encoding.UTF8.GetBytes(content); EncryptResult encrypted = await encryptClient.EncryptAsync(EncryptParameters.RsaOaepParameters(plaintext)); Debug.WriteLine($"Encrypted: {Encoding.UTF8.GetString(plaintext)}"); byte[] ciphertext = encrypted.Ciphertext; CryptographyClient decryptClient = keyClient.GetCryptographyClient(cloudRsaKey.Name, cloudRsaKey.Properties.Version); DecryptResult decrypted = await decryptClient.DecryptAsync(DecryptParameters.RsaOaepParameters(ciphertext)); Debug.WriteLine($"Decrypted: {Encoding.UTF8.GetString(decrypted.Plaintext)}"); DeleteKeyOperation operation = await keyClient.StartDeleteKeyAsync(rsaKeyName); // You only need to wait for completion if you want to purge or recover the key. await operation.WaitForCompletionAsync(); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged. keyClient.PurgeDeletedKey(rsaKeyName); }
public async Task SignVerifyAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a key client that will be used to create a key. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // First we'll create both a RSA key and an EC which will be used to sign and verify string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}"; var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false) { KeySize = 2048, }; string ecKeyName = $"CloudEcKey-{Guid.NewGuid()}"; var ecKey = new CreateEcKeyOptions(ecKeyName, hardwareProtected: false) { CurveName = KeyCurveName.P256K, }; KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey); Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}"); KeyVaultKey cloudEcKey = await keyClient.CreateEcKeyAsync(ecKey); Debug.WriteLine($"Key is returned with name {cloudEcKey.Name} and type {cloudEcKey.KeyType}"); // Let's create the CryptographyClient which can perform cryptographic operations with the keys we just created. // Again we are using the default Azure credential as above. var rsaCryptoClient = new CryptographyClient(cloudRsaKey.Id, new DefaultAzureCredential()); var ecCryptoClient = new CryptographyClient(cloudEcKey.Id, new DefaultAzureCredential()); // Next we'll sign some arbitrary data and verify the signatures using the CryptographyClient with both the EC and RSA keys we created. byte[] data = Encoding.UTF8.GetBytes("This is some sample data which we will use to demonstrate sign and verify"); byte[] digest = null; // // Signing with the SignAsync and VerifyAsync methods // // The SignAsync and VerifyAsync methods expect a precalculated digest, and the digest needs to be calculated using the hash algorithm which matches the // singature algorithm being used. SHA256 is the hash algorithm used for both RS256 and ES256K which are the algorithms we'll be using in this sample using (HashAlgorithm hashAlgo = SHA256.Create()) { digest = hashAlgo.ComputeHash(data); } // Get the signature for the computed digest with both keys. Note that the signature algorithm specified must be a valid algorithm for the key type, // and for EC keys the algorithm must also match the curve of the key SignResult rsaSignResult = await rsaCryptoClient.SignAsync(SignatureAlgorithm.RS256, digest); Debug.WriteLine($"Signed digest using the algorithm {rsaSignResult.Algorithm}, with key {rsaSignResult.KeyId}. The resulting signature is {Convert.ToBase64String(rsaSignResult.Signature)}"); SignResult ecSignResult = await ecCryptoClient.SignAsync(SignatureAlgorithm.ES256K, digest); Debug.WriteLine($"Signed digest using the algorithm {ecSignResult.Algorithm}, with key {ecSignResult.KeyId}. The resulting signature is {Convert.ToBase64String(ecSignResult.Signature)}"); // Verify the signatures VerifyResult rsaVerifyResult = await rsaCryptoClient.VerifyAsync(SignatureAlgorithm.RS256, digest, rsaSignResult.Signature); Debug.WriteLine($"Verified the signature using the algorithm {rsaVerifyResult.Algorithm}, with key {rsaVerifyResult.KeyId}. Signature is valid: {rsaVerifyResult.IsValid}"); VerifyResult ecVerifyResult = await ecCryptoClient.VerifyAsync(SignatureAlgorithm.ES256K, digest, ecSignResult.Signature); Debug.WriteLine($"Verified the signature using the algorithm {ecVerifyResult.Algorithm}, with key {ecVerifyResult.KeyId}. Signature is valid: {ecVerifyResult.IsValid}"); // // Signing with the SignDataAsync and VerifyDataAsync methods // // The SignDataAsync and VerifyDataAsync methods take the raw data which is to be signed. The calculate the digest for the user so there is no need to compute the digest // Get the signature for the data with both keys. Note that the signature algorithm specified must be a valid algorithm for the key type, // and for EC keys the algorithm must also match the curve of the key SignResult rsaSignDataResult = await rsaCryptoClient.SignDataAsync(SignatureAlgorithm.RS256, data); Debug.WriteLine($"Signed data using the algorithm {rsaSignDataResult.Algorithm}, with key {rsaSignDataResult.KeyId}. The resulting signature is {Convert.ToBase64String(rsaSignDataResult.Signature)}"); SignResult ecSignDataResult = await ecCryptoClient.SignDataAsync(SignatureAlgorithm.ES256K, data); Debug.WriteLine($"Signed data using the algorithm {ecSignDataResult.Algorithm}, with key {ecSignDataResult.KeyId}. The resulting signature is {Convert.ToBase64String(ecSignDataResult.Signature)}"); // Verify the signatures VerifyResult rsaVerifyDataResult = await rsaCryptoClient.VerifyDataAsync(SignatureAlgorithm.RS256, data, rsaSignDataResult.Signature); Debug.WriteLine($"Verified the signature using the algorithm {rsaVerifyDataResult.Algorithm}, with key {rsaVerifyDataResult.KeyId}. Signature is valid: {rsaVerifyDataResult.IsValid}"); VerifyResult ecVerifyDataResult = await ecCryptoClient.VerifyDataAsync(SignatureAlgorithm.ES256K, data, ecSignDataResult.Signature); Debug.WriteLine($"Verified the signature using the algorithm {ecVerifyDataResult.Algorithm}, with key {ecVerifyDataResult.KeyId}. Signature is valid: {ecVerifyDataResult.IsValid}"); // The Cloud Keys are no longer needed, need to delete them from the Key Vault. DeleteKeyOperation rsaKeyOperation = await keyClient.StartDeleteKeyAsync(rsaKeyName); DeleteKeyOperation ecKeyOperation = await keyClient.StartDeleteKeyAsync(ecKeyName); // To ensure the key is deleted on server before we try to purge it. Task.WaitAll( rsaKeyOperation.WaitForCompletionAsync().AsTask(), ecKeyOperation.WaitForCompletionAsync().AsTask()); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted keys needs to be purged. Task.WaitAll( keyClient.PurgeDeletedKeyAsync(rsaKeyName), keyClient.PurgeDeletedKeyAsync(ecKeyName)); }
static async Task Main(string[] args) { // Create a new key client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var client = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new ClientSecretCredential(tenantId, clientId, clientSecret)); // next two lines are just to recover key in case we stop program after deleting and before recovering / purging //var recoverOperation1 = await client.StartRecoverDeletedKeyAsync("rsa-key-name"); //await recoverOperation1.WaitForCompletionAsync(); // Create a software RSA key var rsaCreateKey = new CreateRsaKeyOptions("rsa-key-name", hardwareProtected: false); KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(rsaCreateKey); Console.WriteLine("Created the key...."); Console.WriteLine($"rsaKey.Name: {rsaKey.Name}"); Console.WriteLine($"rsaKey.KeyType: {rsaKey.KeyType}"); Console.WriteLine("=================================================="); Console.WriteLine(); // Retrieve KeyVaultKey key = await client.GetKeyAsync("rsa-key-name"); Console.WriteLine("Retrieve the key"); Console.WriteLine($"key.Name: {key.Name}"); Console.WriteLine($"key.KeyType: {key.KeyType}"); Console.WriteLine("=================================================="); Console.WriteLine(); // Update KeyVaultKey updateKey = await client.CreateKeyAsync("rsa-key-name", KeyType.Rsa); // You can specify additional application-specific metadata in the form of tags. updateKey.Properties.Tags["foo"] = "updated tag"; KeyVaultKey updatedKey = await client.UpdateKeyPropertiesAsync(updateKey.Properties); Console.WriteLine("Update Initiated."); Console.WriteLine($"updatedKey.Name: {updatedKey.Name}"); Console.WriteLine($"updatedKey.Properties.Version: {updatedKey.Properties.Version}"); Console.WriteLine($"updatedKey.Properties.UpdatedOn: {updatedKey.Properties.UpdatedOn}"); Console.WriteLine("=================================================="); Console.WriteLine(); /// Delete DeleteKeyOperation operation = await client.StartDeleteKeyAsync("rsa-key-name"); DeletedKey deletedKey = operation.Value; Console.WriteLine("Delete operation initialted."); Console.WriteLine($"deletedKey.Name: {deletedKey.Name}"); Console.WriteLine($"deletedKey.DeletedOn: {deletedKey.DeletedOn}"); Console.WriteLine("=================================================="); Console.WriteLine(); // Wait for deletion to complete await operation.WaitForCompletionAsync(); // Recover deleted key var recoverOperation = await client.StartRecoverDeletedKeyAsync("rsa-key-name"); await recoverOperation.WaitForCompletionAsync(); Console.WriteLine("Recovery completed"); Console.WriteLine("=================================================="); Console.WriteLine(); // Create crypto client and demo of encryption / decryption var cryptoClient = new CryptographyClient(keyId: key.Id, credential: new ClientSecretCredential(tenantId, clientId, clientSecret)); byte[] plaintext = Encoding.UTF8.GetBytes("If you can dream it, you can do it."); // encrypt the data using the algorithm RSAOAEP EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep, plaintext); Console.WriteLine("Encryption demo."); Console.WriteLine("Encrypted Base64: " + Convert.ToBase64String(encryptResult.Ciphertext)); Console.WriteLine("=================================================="); Console.WriteLine(); // decrypt the encrypted data. DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext); Console.WriteLine("Decryption demo."); Console.WriteLine("Decrypted: " + Encoding.UTF8.GetString(decryptResult.Plaintext)); Console.WriteLine("=================================================="); Console.WriteLine(); // Purge DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("rsa-key-name"); await deleteOperation.WaitForCompletionAsync(); DeletedKey purgekey = deleteOperation.Value; await client.PurgeDeletedKeyAsync(purgekey.Name); Console.WriteLine("Purge Initiated."); Console.WriteLine($"purgekey.Name: {purgekey.Name}"); Console.WriteLine("=================================================="); Console.WriteLine(); }