A sample that illustrates how to use Azure Key Vault for centralized key management: single-use symmetric keys encrypt serialized data at rest, and Key Vault wraps and unwraps those keys.
- Generate an AES symmetric key. This is a limited-use data-encryption key: when the underlying data changes, generate a fresh key and IV rather than reusing the pair (random bits are free).
- Encrypt the data at rest with this AES key.
- Wrap (encrypt) the AES key with a key encryption key (KEK) stored in Key Vault. The KEK is addressed by its key identifier and is an asymmetric key pair that Key Vault manages and stores, which gives auditing, key versioning, etc.
- Client systems never have access to the Key Vault key. They invoke the key-wrapping operation that Key Vault exposes through its API.
- The encrypted data can then be stored anywhere. The wrapped key and some additional encryption metadata (wrapping algorithm, key version) must be stored alongside the encrypted data.
- The library assumes the KEK is managed in Azure Key Vault. The caller does not need to know which specific key was used for encryption; instead a key resolver, which maps key identifiers to keys, is set up and used.
- To decrypt, the library loads the encrypted data together with the encryption metadata stored beside it (the wrapped key, the wrapping algorithm and the key version); Key Vault itself holds only the KEK.
- The wrapped (encrypted) symmetric key is then unwrapped (decrypted) using the Key Vault key. The client library still has no access to that key; it simply invokes the Key Vault provider's unwrapping operation.
- The unwrapped symmetric key is then used to decrypt the user data.
PM> Install-Package Microsoft.Azure.KeyVault
PM> Install-Package Microsoft.Azure.KeyVault.Extensions
PM> Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202
What's stored in the encrypted JSON object below:
- an = string, the key-wrapping algorithm name; 'RSA-OAEP' for now.
- wk = base64(wrapped AES key), i.e. the AES key encrypted under the Key Vault KEK.
- ct = base64(iv + cipherText). (NOTE: for file encryption the path to the encrypted file is stored here instead, and the IV is prepended to the encrypted file.)
- kv = Key Vault key version that wrapped wk; recording it lets the same KEK version be resolved for unwrapping even after the key has been rotated.
Note that this object, as listed, carries no integrity check: nothing authenticates ct or binds wk to it, so anyone who can modify the stored object can alter the ciphertext undetected. For production data add a MAC over the whole object (with a key wrapped alongside the AES key) or use an AEAD mode such as AES-GCM instead of an unauthenticated mode.
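The following is an added example, not the sample project's own code, that carries the steps above end to end with the same Microsoft.Azure.KeyVault and Microsoft.Azure.KeyVault.Extensions packages listed earlier and produces an object with the an/wk/ct/kv fields just described. The vault URL, the KEK name, the AAD application id, the environment variable holding its secret, and the assumption that resolving the unversioned key identifier returns the current key version (whose Kid carries that version) are all assumptions made here, not facts from the page; the application needs get, wrapKey and unwrapKey permission on the key.

```csharp
// Added example, not the sample project's own code: envelope encryption with the
// Microsoft.Azure.KeyVault SDK and KeyVaultKeyResolver from the Extensions package.
// Assumed, not from the page: vault URL, KEK name, AAD app id, and that the app has
// get/wrapKey/unwrapKey permission on the key; the client secret comes from an env var.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Core;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json;   // pulled in transitively by Microsoft.Azure.KeyVault

// Same fields the sample stores next to the data: an, wk, ct, kv.
class EncryptedObject
{
    [JsonProperty("an")] public string Algorithm { get; set; }
    [JsonProperty("wk")] public string WrappedKey { get; set; }
    [JsonProperty("ct")] public string CipherText { get; set; }
    [JsonProperty("kv")] public string KeyVersion { get; set; }
}

static class Envelope
{
    const string VaultUrl      = "https://contoso-vault.vault.azure.net"; // assumed
    const string KeyName       = "data-kek";                               // assumed RSA key
    const string ClientId      = "<aad-app-id>";                           // assumed
    const string WrapAlgorithm = "RSA-OAEP";

    // The resolver maps a key identifier to an IKey whose wrap/unwrap calls run inside Key Vault.
    static readonly KeyVaultKeyResolver Resolver = new KeyVaultKeyResolver(GetTokenAsync);

    static async Task<string> GetTokenAsync(string authority, string resource, string scope)
    {
        var ctx  = new AuthenticationContext(authority);
        var cred = new ClientCredential(ClientId, Environment.GetEnvironmentVariable("KV_CLIENT_SECRET"));
        return (await ctx.AcquireTokenAsync(resource, cred)).AccessToken;
    }

    public static async Task<EncryptedObject> EncryptAsync(byte[] plaintext)
    {
        // Unversioned identifier resolves to the current KEK version; its Kid carries that version.
        IKey kek = await Resolver.ResolveKeyAsync($"{VaultUrl}/keys/{KeyName}", CancellationToken.None);
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateKey(); aes.GenerateIV();            // fresh DEK and IV for every object
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            // Wrap the DEK with the KEK; the private half of the KEK never leaves Key Vault.
            Tuple<byte[], string> wrapped =
                await kek.WrapKeyAsync(aes.Key, WrapAlgorithm, CancellationToken.None);

            byte[] ivCt = new byte[aes.IV.Length + ct.Length];   // ct = iv || ciphertext
            Buffer.BlockCopy(aes.IV, 0, ivCt, 0, aes.IV.Length);
            Buffer.BlockCopy(ct, 0, ivCt, aes.IV.Length, ct.Length);
            return new EncryptedObject
            {
                Algorithm  = wrapped.Item2,
                WrappedKey = Convert.ToBase64String(wrapped.Item1),
                CipherText = Convert.ToBase64String(ivCt),
                KeyVersion = kek.Kid.Substring(kek.Kid.LastIndexOf('/') + 1),
            };
        }
    }

    public static async Task<byte[]> DecryptAsync(EncryptedObject obj)
    {
        // Pin the recorded version: after the KEK is rotated, old objects still unwrap correctly.
        IKey kek = await Resolver.ResolveKeyAsync($"{VaultUrl}/keys/{KeyName}/{obj.KeyVersion}",
                                                  CancellationToken.None);
        byte[] dek = await kek.UnwrapKeyAsync(Convert.FromBase64String(obj.WrappedKey),
                                              obj.Algorithm, CancellationToken.None);
        byte[] ivCt = Convert.FromBase64String(obj.CipherText);
        using (var aes = Aes.Create())
        {
            aes.Key = dek; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(ivCt, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivCt, iv.Length, ivCt.Length - iv.Length);
        }
    }

    static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("UserName: bob Password: password123");
        EncryptedObject enc = EncryptAsync(data).GetAwaiter().GetResult();
        string json = JsonConvert.SerializeObject(enc);   // what gets stored beside the data
        Console.WriteLine(json);
        var back = JsonConvert.DeserializeObject<EncryptedObject>(json);
        Console.WriteLine(Encoding.UTF8.GetString(DecryptAsync(back).GetAwaiter().GetResult()));
    }
}
```

The client holds the AES key only for the lifetime of one call; the KEK is used solely through `WrapKeyAsync` and `UnwrapKeyAsync`, which the resolver forwards to the Key Vault wrapKey/unwrapKey operations, so every use of the KEK shows up in the vault's logs. Because `kv` is pinned on decryption, rotating the Key Vault key produces new versions for new objects without breaking objects wrapped under older versions. The CBC layer here mirrors the sample's iv+cipherText layout and is unauthenticated; add a MAC over the serialized object or switch to an AEAD mode before relying on it for tamper resistance.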
Object to encrypt...
UserName: bob Password: password123
Encrypting object...
{
"an":"RSA-OAEP",
"wk":"FQ0Kzb1q676wRDdJIREjGmRWWBp4MgYsYGxoXQ0KHCQLYhFrC35gIyordCw4aSA3C0MQDQo/bwVAX++1jCxvGEICMkJgNR5fZiQYGRUZEhHlrK9+1porJlJ3ezJeDmFSBu6emRQMNC5dEEFndggmBFERRRdNAhYME0BXPGUSKmE0fzItNRcpL28tN1RvHi1aZNesAk/ckAYBGF1BJ09TJit8FQ==",
"ct":"US9iJzUpw7giAnZDTDsZRQJxSUbLsljCgT9dPlZsHw==",
"kv":"abcdefghijklmnopqrstuvwxyz0123456"
}
Decrypting object...
UserName: bob Password: password123
- Azure Key Vault Developer's Guide
- azure-sdk-for-net/src/SDKs/KeyVault/
- azure-storage-net/Samples/GettingStarted/EncryptionSamples/
- Protecting Sensitive Data with Azure Key Vault
- Microsoft.Azure.KeyVault Namespace
- About keys, secrets, and certificates
- Securing Secrets Using Azure Key Vault and Config Encryption
- Accessing Key Vault from a native application
- Use Azure Key Vault from a Web Application
- Azure Key Vault – Step by Step
- Client-Side Encryption and Azure Key Vault for Microsoft Azure Storage
- Tutorial: Encrypt and decrypt blobs in Microsoft Azure Storage using Azure Key Vault
- Set up Azure Key Vault with end-to-end key rotation and auditing
- azure-storage-net/Lib/ClassLibraryCommon/Blob/BlobEncryptionPolicy.cs
- azure-storage-net/Lib/ClassLibraryCommon/Table/TableEncryptionPolicy.cs