Skip to content

Sample that illustrates using Azure KeyVault for Key Management to wrap / unwrap one-time use symmetric keys for encrypting serialized data at rest.

License

Notifications You must be signed in to change notification settings

Nexosis/azure-keyvault-wrap-sample

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Azure KeyVault using HSM and Envelope Technique

Sample that illustrates how to leverage Azure KeyVault for centralized Key Management to wrap / unwrap one-time symmetric keys for encrypting serialized data at rest.

Encryption Steps:

  • Generates an AES symmetric key. This is to be a limited-use symmetric key. If there are changes to the underlying data just re-gen a new IV/symmetric key - the bits are free.
  • Data at rest is encrypted using this.
  • This AES Symmetric key is then wrapped (encrypted) using key encryption key stored in KeyVault. This key is identified by a Key Identifier and is an asymmetric key pair managed and stored in Azure Key Vault allowing for auditing, key versioning, etc.
  • The client systems never have access to the KeyVault key, but instead invoke the key wrapping algorithm provided by Azure Key Vault using the API.
  • The encrypted data can then be stored anywhere. The wrapped key along with some additional encryption metadata must be stored along with the encrypted data.

Decryption Steps:

  • Library assumes the key encryption key is managed in Azure Key Vaults. The user does not need to know the specific key that was used for encryption. Instead, the key resolver which resolves different key identifiers to keys can be set up and used.
  • The library downloads the encrypted data along with any encryption material that is stored in the KeyVault service.
  • The wrapped (encrypted) symmetric key is then unwrapped (decrypted) using the Azure KeyVault key. The client library does not have access to the key itself. It simply invokes the Key Vault provider's unwrapping algorithm.
  • The symmetric key is then used to decrypt the encrypted user data.

The Following Nuget packages must be installed:

PM> Install-Package Microsoft.Azure.KeyVault
PM> Install-Package Microsoft.Azure.KeyVault.Extensions
PM> Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202

Sample Output

What's stored in the Encrypted JSON object below:

  • an = string Algorithm Name, 'RSA-OAEP' for now.
  • wk = base64(encrypted/wrapped AES Key)
  • ct = base64(iv+cipherText) - (NOTE: for file encryption, the path to the encrypted file is put here and the IV is pre-pended to the encrypted file).
  • kv = Key Version
Object to encrypt...
UserName: bob Password: password123

Encrypting object...
{
	"an":"RSA-OAEP",
	"wk":"FQ0Kzb1q676wRDdJIREjGmRWWBp4MgYsYGxoXQ0KHCQLYhFrC35gIyordCw4aSA3C0MQDQo/bwVAX++1jCxvGEICMkJgNR5fZiQYGRUZEhHlrK9+1porJlJ3ezJeDmFSBu6emRQMNC5dEEFndggmBFERRRdNAhYME0BXPGUSKmE0fzItNRcpL28tN1RvHi1aZNesAk/ckAYBGF1BJ09TJit8FQ==",
	"ct":"US9iJzUpw7giAnZDTDsZRQJxSUbLsljCgT9dPlZsHw==",
	"kv":"abcdefghijklmnopqrstuvwxyz0123456"
}

Decrypting object...
UserName: bob Password: password123

References for more information

About

Sample that illustrates using Azure KeyVault for Key Management to wrap / unwrap one-time use symmetric keys for encrypting serialized data at rest.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages