Encrypt your MassTransit messages with AWS Key Management Service (KMS)!

You can install the package using the standard dotnet CLI:

dotnet add package BigChange.MassTransit.AwsKeyManagementService

or by using the package manager within Visual Studio:

PM> Install-Package BigChange.MassTransit.AwsKeyManagementService

When "configuring the bus" you can call one of the following extension methods on either the IBusFactoryConfigurator or IReceiveEndpointConfigurator

You can configure the bus to use a given Customer Master Key (CMK), this will be used to generate and encrypt the data encryption key that will be used for encrypting and decrypting the messages.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

configurator.UseAwsKeyManagementServiceSerializer("alias/masstransit")

You can specify which region to use for fetching CMK:

configurator.UseAwsKeyManagementServiceSerializer(RegionEndpoint.EUWest1, "alias/masstransit")

You can specify MemoryDistributedCacheOptions to configure options for caching CMK in memory:

configurator.UseAwsKeyManagementServiceSerializerWithMemoryCache("alias/masstransit", Options.Create(new MemoryDistributedCacheOptions()));

or use IDistributedCache implementations for Redis and Sql Server

configurator.UseAwsKeyManagementServiceSerializerWithCache("alias/masstransit", new RedisCache(Options.Create(new RedisCacheOptions()));

You can customize how the library builds up the encryption context that will be used for encrypting and decrypting message data, the default implementation uses an empty encryption context. Note that all data used in the encryption context will logged if CloudTrail logging is turned on.

public class CustomEncryptionContextBuilder : IEncryptionContextBuilder
{
    private static readonly Dictionary<string, string> MyEncryptionContext
        = new Dictionary<string, string>()
        {
            { "SomeKey", "SomeData" }
        };

    public Dictionary<string, string> BuildEncryptionContext(SendContext context)
        => MyEncryptionContext;

    public Dictionary<string, string> BuildEncryptionContext(ReceiveContext receiveContext)
        => MyEncryptionContext;
}

configurator.UseAwsKeyManagementServiceSerializer(new CustomEncryptionContextBuilder(), "alias/masstransit")

You can configure the bus with a customized version of the IAmazonKeyManagementService, this is useful if you want to pass a custom configuration in to AmazonKeyManagementServiceClient or want the ability to mock out the calls to IAmazonKeyManagementService:

var config = new AmazonKeyManagementServiceConfig();
var client = new AmazonKeyManagementServiceClient(config);

configurator.UseAwsKeyManagementServiceSerializer(client, "alias/masstransit")

1. Fork
2. Hack!
3. Pull Request