/// <summary> /// Encrypts a plain text and then decrypts the encrypted text /// </summary> /// <param name="keyId"> a global key identifier of the key to get </param> private static void EncryptDecrypt(KeyBundle key) { KeyOperationResult operationResult; var algorithm = inputValidator.GetEncryptionAlgorithm(); var plainText = inputValidator.GetPlainText(); string keyVersion = inputValidator.GetKeyVersion(); if (keyVersion != string.Empty) { var vaultAddress = inputValidator.GetVaultAddress(); string keyName = inputValidator.GetKeyName(true); // Encrypt the input data using the specified algorithm operationResult = keyVaultClient.EncryptAsync(vaultAddress, keyName, keyVersion, algorithm, plainText).GetAwaiter().GetResult(); } else { // If the key is not initialized get the key id from args var keyId = (key != null) ? key.Key.Kid : inputValidator.GetKeyId(); // Encrypt the input data using the specified algorithm operationResult = keyVaultClient.EncryptAsync(keyId, algorithm, plainText).GetAwaiter().GetResult(); } Console.Out.WriteLine(string.Format("The text is encrypted using key id {0} and algorithm {1}", operationResult.Kid, algorithm)); // Decrypt the encrypted data var decryptedText = keyVaultClient.DecryptAsync(operationResult.Kid, algorithm, operationResult.Result).GetAwaiter().GetResult(); Console.Out.WriteLine(string.Format("The decrypted text is {0}the same as the original key!", plainText.SequenceEqual(decryptedText.Result) ? "" : "not ")); Console.Out.WriteLine(string.Format("The decrypted text is {0}", Encoding.UTF8.GetString(decryptedText.Result))); }
public async Task CreateSecret(VehiclePolicies policydata) { // Create the content for the Policy data to be stored as Secret Insdata akvdata = new Insdata { Id = policydata.Id, Inscompany = policydata.Inscompany, Policyno = policydata.Policyno, Userid = policydata.Userid, Vehicleno = policydata.Vehicleno }; //Create a JSON String of the Policy data to be stored as Secret string insurancepolicysecret = JsonConvert.SerializeObject(akvdata); byte[] datatoencrypt = System.Text.Encoding.UTF8.GetBytes(insurancepolicysecret); string keyUri = string.Format("https://{0}.vault.azure.net/keys/{1}", _keyVaultName, _keyName); string keyVaultUri = string.Format("https://{0}.vault.azure.net", _keyVaultName); //Encrypt the data before it is stored as a Secret KeyOperationResult result = await _keyVaultClient.EncryptAsync(keyUri, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, datatoencrypt); byte[] encdata = result.Result; string encrypteddata = Convert.ToBase64String(encdata); //Set the Policy Start and Expiry Data to be added as attributes to the secret SecretAttributes attribs = new SecretAttributes { Enabled = true, Expires = DateTime.UtcNow.AddYears(1), NotBefore = DateTime.UtcNow }; IDictionary <string, string> alltags = new Dictionary <string, string> { { "InsuranceCompany", policydata.Inscompany } }; string contentType = "DigitalInsurance"; // Create a Secret with the encrypted Policy data SecretBundle bundle = await _keyVaultClient.SetSecretAsync(keyVaultUri, policydata.Uidname, encrypteddata, alltags, contentType, attribs); string bundlestr = bundle.Value; policydata.Version = bundle.SecretIdentifier.Version; policydata.Lastmod = bundle.Attributes.Updated; policydata.Startdate = bundle.Attributes.NotBefore; policydata.Enddate = bundle.Attributes.Expires; }
public async Task <byte[]> Encrypt(string keyName, string keyVersion, string algorithm, byte[] value, CancellationToken cancellationToken) { var encrypt = await _keyVaultClient.EncryptAsync(_baseUrl, keyName, keyVersion, algorithm, value, cancellationToken); return(encrypt.Result); }
public async Task <byte[]> EncryptSecretUsingKeyVault(byte[] secret, string keyId) { var keyIdentifier = _keyVaultPath + "keys/" + keyId + "/"; var keyOpResult = await _keyVaultClient.EncryptAsync(keyIdentifier, JsonWebKeyEncryptionAlgorithm.RSAOAEP, secret); return(keyOpResult.Result); }
/// <summary> /// Use symmetric encryption, then wrap the key using Key Vault /// </summary> /// <returns></returns> private static async Task EncryptAndWrap() { // In real-world, these could be concatenated and stored. byte[] iv; byte[] wrappedKey; Stream encryptedData = new MemoryStream(); string wrappingKeyIdentifier; string keyWrappingEncryptionAlgorithm = JsonWebKeyEncryptionAlgorithm.RSA15; // TODO: This (probably) doesn't use "AE" - update accordingly. // This creates a random key and initialisation vector (IV) and encrypts the data using (var encryptingAes = Aes.Create()) { iv = encryptingAes.IV; var encryptor = encryptingAes.CreateEncryptor(); using (var encryptingStream = new CryptoStream(encryptedData, encryptor, CryptoStreamMode.Write, true)) using (var writer = new StreamWriter(encryptingStream)) // NOTE: This is a text writer! Shouldn't do this if we're dealing with binary data! { writer.Write(inputText); writer.Flush(); encryptingStream.Flush(); } var wrappingResult = await keyVaultClient.WrapKeyAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key); wrappedKey = wrappingResult.Result; wrappingKeyIdentifier = wrappingResult.Kid; // TODO: Test if "wrap" and "encrypt" produce the same resul;t var encryptTest = await keyVaultClient.EncryptAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key); } encryptedData.Position = 0; // Decrypt var unwrapKeyResult = await keyVaultClient.UnwrapKeyAsync(wrappingKeyIdentifier, keyWrappingEncryptionAlgorithm, wrappedKey); var symmetricKey = unwrapKeyResult.Result; string decrypted; using (var decryptingAes = Aes.Create()) { decryptingAes.IV = iv; decryptingAes.Key = symmetricKey; var decryptor = decryptingAes.CreateDecryptor(); using (var decryptingStream = new CryptoStream(encryptedData, decryptor, CryptoStreamMode.Read)) using (var reader = new StreamReader(decryptingStream)) { decrypted = reader.ReadToEnd(); } } if (inputText != decrypted) { throw new Exception("Decrypted does not match encrypted"); } }
public static string EncryptKey(byte[] key) { if (kvc == null) { kvc = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken)); } var rr = kvc.EncryptAsync(keyIdentifier, JsonWebKeyEncryptionAlgorithm.RSAOAEP, key).GetAwaiter().GetResult(); return(Convert.ToBase64String(rr.Result)); }
/// <summary> /// Encrypte un message /// </summary> /// <param name="keyName">Nom de la clef d'encryptage</param> /// <param name="message">Message à encrypter</param> /// <returns></returns> public async Task <string> EncryptAsync(string keyName, string message) { byte[] byteMessage = Encoding.Default.GetBytes(message); KeyOperationResult result = await KeyVaultClient.EncryptAsync( GetKeyUrl(keyName), _encryptionAlgorithm, byteMessage) .ConfigureAwait(false); return(Convert.ToBase64String(result.Result)); }
private static KeyOperationResult _encrypt(KeyBundle key, string keyVersion, string algorithm, byte[] plainText) { KeyOperationResult operationResult; if (keyVersion != string.Empty) { var vaultAddress = inputValidator.GetVaultAddress(); string keyName = inputValidator.GetKeyName(true); // Encrypt the input data using the specified algorithm operationResult = keyVaultClient.EncryptAsync(vaultAddress, keyName, keyVersion, algorithm, plainText).GetAwaiter().GetResult(); } else { // If the key is not initialized get the key id from args var keyId = (key != null) ? key.Key.Kid : inputValidator.GetKeyId(); // Encrypt the input data using the specified algorithm operationResult = keyVaultClient.EncryptAsync(keyId, algorithm, plainText).GetAwaiter().GetResult(); } return(operationResult); }
public void EncryptDecrypt(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm) { var plainText = RandomBytes(10); var encryptResult = client.EncryptAsync(keyIdentifier.BaseIdentifier, algorithm, plainText).GetAwaiter().GetResult(); Assert.NotNull(encryptResult); Assert.NotNull(encryptResult.Kid); var decryptResult = client.DecryptAsync(encryptResult.Kid, algorithm, encryptResult.Result).GetAwaiter().GetResult(); Assert.NotNull(decryptResult); Assert.NotNull(decryptResult.Kid); Assert.True(plainText.SequenceEqual(decryptResult.Result)); }
public async Task <ActionResult> EncryptAsync(string dataToEncrypt) { AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); // Demonstrate how to get a key KeyBundle key = await keyVaultClient.GetKeyAsync(keyVaultOptions.VaultBaseUrl, keyVaultOptions.KeyName); // Here you can use the (public) key to do encryption which is faster // Or encrypt on the Azure side using the EncryptAsync operation // Note that you can call the EncryptAsync operation directly without calling the GetKeyAsync method above KeyOperationResult keyOperationResult = await keyVaultClient.EncryptAsync(keyVaultOptions.VaultBaseUrl, key.KeyIdentifier.Name, key.KeyIdentifier.Version, JsonWebKeyEncryptionAlgorithm.RSAOAEP, Encoding.UTF8.GetBytes(dataToEncrypt)); ViewData["Encrypted"] = Convert.ToBase64String(keyOperationResult.Result); return(View("Index")); }
/// <summary> /// Encrypts a single block of data. The amount of data that may be encrypted is determined /// by the target key type and the encryption algorithm. /// </summary> /// <param name="key">The web key to use for encryption</param> /// <param name="algorithm">The encryption algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param> /// <param name="plaintext">The plain text to encrypt</param> /// <returns></returns> public static async Task <KeyOperationResult> EncryptDataAsync(this KeyVaultClient client, JsonWebKey key, string algorithm, byte[] plaintext) { if (key == null) { throw new ArgumentNullException("key"); } if (string.IsNullOrEmpty(algorithm)) { throw new ArgumentNullException("algorithm"); } if (plaintext == null) { throw new ArgumentNullException("plaintext"); } return(await client.EncryptAsync(key.Kid, algorithm, plaintext).ConfigureAwait(false)); }
public async Task <byte[]> EncryptAsync(string keyId, byte[] dataToEncrypt) { if (string.IsNullOrEmpty(keyId)) { throw new ArgumentNullException(keyId, "Key Id is Null."); } if (dataToEncrypt == null) { throw new ArgumentNullException(nameof(dataToEncrypt), "Data to Encrypt is Null."); } if (dataToEncrypt.Length == 0) { throw new ArgumentNullException(nameof(dataToEncrypt), "Data to Encrypt is Empty."); } var operationResult = await KeyVaultClient.EncryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, dataToEncrypt); return(operationResult.Result); }
private static void KeyVaultEncryptionDemo() { // Use Certificate for authorization AccessToken var keyVaultClient = new KeyVaultClient(GetAccessCertificateToken, new HttpClient()); Console.Write("Password:"******"KeyId"]; var encryptedPasswordBytes = keyVaultClient.EncryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, System.Text.Encoding.UTF8.GetBytes(password)) .GetAwaiter() .GetResult() .Result; Console.WriteLine("Encrypted password:{0}", System.Text.Encoding.UTF8.GetString(encryptedPasswordBytes)); Console.WriteLine("decrypting..."); var decryptedPasswordBytes = keyVaultClient.DecryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedPasswordBytes) .GetAwaiter() .GetResult() .Result; Console.WriteLine("Decrypted password:{0}", System.Text.Encoding.UTF8.GetString(decryptedPasswordBytes)); }
static void Main(string[] args) { clientCredential = new ClientCredential(clientId, authClientSecret); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken)); // Obtaining the secret for our application Console.WriteLine("#################### Secrets"); var results = keyVaultClient.GetSecretsAsync(vaultUrl).GetAwaiter().GetResult(); results.Value.ToList().ForEach(i => { Console.WriteLine("Name: {0}, Identifier:{1}", i.Identifier.Name, i.Identifier.Identifier); var secret = keyVaultClient.GetSecretAsync(i.Id).GetAwaiter().GetResult(); Console.WriteLine("-> Secret Value: {0} \n", secret.Value); }); Console.ReadKey(); // Encryption and decryption of information var keyId = "https://jangelfdez-key-vault.vault.azure.net:443/keys/softwareProtectedkey/901738e066144741944c274a192ad704"; var text = "Hello World!"; Console.WriteLine("#################### Encrypt "); var encryptedText = keyVaultClient.EncryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSA15, Encoding.UTF8.GetBytes(text)).GetAwaiter().GetResult(); Console.WriteLine("Text to encrypt: {0} , Encrypted (base64): {1} \n", text, Convert.ToBase64String(encryptedText.Result)); Console.ReadKey(); Console.WriteLine("#################### Decrypt"); var decryptedText = keyVaultClient.DecryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSA15, encryptedText.Result).GetAwaiter().GetResult(); Console.WriteLine("Text to decrypt (base64): {0} , Decrypted: {1} \n", Convert.ToBase64String(encryptedText.Result), Encoding.UTF8.GetString(decryptedText.Result)); Console.ReadKey(); }
// Vytvořte Key Vault. // Vytvořte v něm secret pojmenovaný "MySecret" s nějakou (ne zas tak tajnou :-) hodnotou). // Vytvořte v něm klíč pojmenovaný "MyKey". // Vytvořte v Azure Active Directory účet aplikace (WebAPI, nikoliv Native). // Vytvořte pro aplikaci klíč. // Zpět do Key Vault, přidělte aplikaci oprávnění práci se Secrets (Read) a Keys (Encrypt, Decrypt). // Doplňte údaje do aplikace. static async Task Main(string[] args) { string vaultAddress = "https://mykeyvaultrs.vault.azure.net/"; string secretName = "MySecretRS"; // Azure Key Vault Secret Name string keyName = "MyKeyRS"; // Azure Key Vault Key Name KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken)); var secret = await keyVaultClient.GetSecretAsync(vaultAddress, secretName); Console.WriteLine(secret /*.Value*/); Console.WriteLine(); var encrypted = await keyVaultClient.EncryptAsync(vaultAddress, keyName, "", JsonWebKeyEncryptionAlgorithm.RSA15, System.Text.Encoding.UTF8.GetBytes("Live demo on MFF!")); var decrypted = await keyVaultClient.DecryptAsync(vaultAddress, keyName, "", JsonWebKeyEncryptionAlgorithm.RSA15, encrypted.Result); Console.WriteLine(String.Join(" ", encrypted.Result.Select(item => item.ToString("X2")))); Console.WriteLine(); Console.WriteLine(String.Join("", System.Text.Encoding.UTF8.GetString(decrypted.Result))); Console.WriteLine(); Console.ReadKey(); }
public async Task <byte[]> EncryptAsync(string keyId, byte[] dataToEncrypt) { var operationResult = await KeyVaultClient.EncryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, dataToEncrypt); return(operationResult.Result); }
static void Main(string[] args) { string baseVaultAddress = "https://amethystevault.vault.azure.net"; // Azure AD //KeyVaultClient keyVaultClient = new KeyVaultClient( // new KeyVaultClient.AuthenticationCallback(GetAccessToken)); // Certificat CertificateAccesTokenService cts = new CertificateAccesTokenService(); KeyVaultClient keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(cts.GetAccessToken)); #region Secret Console.WriteLine("Liste des secrets du vault"); IPage <SecretItem> items = keyVaultClient .GetSecretsAsync(baseVaultAddress) .Result; foreach (SecretItem item in items) { string name = item.Identifier.Name; SecretBundle s = keyVaultClient .GetSecretAsync(baseVaultAddress, name) .Result; Console.WriteLine("{0}: {1}", name, s.Value); } Console.WriteLine(); Console.WriteLine("Lecture d'un secret"); SecretBundle secret = keyVaultClient .GetSecretAsync(baseVaultAddress + "/secrets/password") .Result; //SecretBundle secret = keyVaultClient // .GetSecretAsync(vaultAddress, "password", version) // .Result; Console.WriteLine(secret.Value); #endregion #region Key string keyName = "keyDemo"; string identifiant = baseVaultAddress + "/keys/" + keyName; // proxy KeyBundle key = keyVaultClient .GetKeyAsync(baseVaultAddress, keyName) .Result; // encode un message byte[] byteMessage = Encoding.Default.GetBytes("Salut le monde!"); KeyOperationResult result = keyVaultClient .EncryptAsync(identifiant, JsonWebKeyEncryptionAlgorithm.RSAOAEP, byteMessage) .Result; string encoded = Convert.ToBase64String(result.Result); Console.WriteLine("Message encodé: {0}", encoded); // décode le message byteMessage = Convert.FromBase64String(encoded); result = keyVaultClient .DecryptAsync(identifiant, JsonWebKeyEncryptionAlgorithm.RSAOAEP, byteMessage) .Result; string message = Encoding.Default.GetString(result.Result); Console.WriteLine("Après décodage: {0}", message); #endregion #region Certificate // proxy CertificateBundle cert = keyVaultClient .GetCertificateAsync(baseVaultAddress, "TestCertificate") .Result; Console.WriteLine(cert.X509Thumbprint.ToHexString()); // proxy SecretBundle cert2 = keyVaultClient .GetSecretAsync(baseVaultAddress + "/secrets/TestCertificate") .Result; byte[] privateKeyBytes = Convert.FromBase64String(cert2.Value); X509Certificate2 pfx = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet); Console.WriteLine(pfx.Thumbprint); #endregion }
private async Task KeysMigrationGuide() { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); KeyVaultClient client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback)); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { //@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); /*@@*/ provider = new AzureServiceTokenProvider(); //@@KeyVaultClient client = new KeyVaultClient( /*@@*/ client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback), httpClient); } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey // Create RSA key. NewKeyParameters createRsaParameters = new NewKeyParameters { Kty = JsonWebKeyType.Rsa, KeySize = 4096 }; KeyBundle rsaKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "rsa-key-name", createRsaParameters); // Create Elliptic-Curve key. NewKeyParameters createEcParameters = new NewKeyParameters { Kty = JsonWebKeyType.EllipticCurve, CurveName = "P-256" }; KeyBundle ecKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "ec-key-name", createEcParameters); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys IPage <KeyItem> page = await client.GetKeysAsync("https://myvault.vault.azure.net"); foreach (KeyItem item in page) { KeyIdentifier keyId = item.Identifier; KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name); } while (page.NextPageLink != null) { page = await client.GetKeysNextAsync(page.NextPageLink); foreach (KeyItem item in page) { KeyIdentifier keyId = item.Identifier; KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name); } } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey // Delete the key. DeletedKeyBundle deletedKey = await client.DeleteKeyAsync("https://myvault.vault.azure.net", "key-name"); // Purge or recover the deleted key if soft delete is enabled. if (deletedKey.RecoveryId != null) { DeletedKeyIdentifier deletedKeyId = deletedKey.RecoveryIdentifier; // Deleting a key does not happen immediately. Wait a while and check if the deleted key exists. while (true) { try { await client.GetDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name); // Finally deleted. break; } catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound) { // Not yet deleted... } } // Purge the deleted key. await client.PurgeDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name); // You can also recover the deleted key using RecoverDeletedKeyAsync. } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt // Encrypt a message. The plaintext must be small enough for the chosen algorithm. byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt"); KeyOperationResult encrypted = await client.EncryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, plaintext); // Decrypt the message. KeyOperationResult decrypted = await client.DecryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, encrypted.Result); string message = Encoding.UTF8.GetString(decrypted.Result); #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt } { #region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap using (Aes aes = Aes.Create()) { // Use a symmetric key to encrypt large amounts of data, possibly streamed... // Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data. KeyOperationResult wrapped = await client.WrapKeyAsync( "https://myvault.vault.azure.net", "rsa-key-name", null, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, aes.Key); // Read the IV and the encrypted key from the payload, then unwrap the key. KeyOperationResult unwrapped = await client.UnwrapKeyAsync( "https://myvault.vault.azure.net", "rsa-key-name", null, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, wrapped.Result); aes.Key = unwrapped.Result; // Decrypt the payload with the symmetric key. } #endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap } }