I have to implement key rotation in my application. I have some idea how to do that, but I am not sure if everything is OK with that solution.

OK, let's start. I have a couple of places in my application where I use the KeyVaultClient (Azure Key Vault client) for decrypting purposes. It works pretty well. In my application there are some places where KeyVaultClient is used for encrypting. For now (still development phase) I am using hardcoded params (vaultBaseUrl, keyName, keyVersion). But I want to go further and move these params to the app.config file.

And here the question begins: what to do with the keyVersion variable (the rest of them I think I can easily store in the app.config file, can't I?). I have a couple of ideas:

For encrypting:

  1. I could store the current keyVersion in app.config, and use this value each time I encrypt data.
  2. I could read all keys from KeyVaultClient (GetKeysAsync), then filter them by active flag and order by expiration date. Finally use the newest one.

For decrypting:

  1. I could store the keyVersion used for encryption in the encrypted data (I am converting the encryption result to a Base64 string). I mean I could add the 32-character keyVersion as a prefix to the string result.
  2. No more ideas; maybe using the keyVersion from app.config, but it creates a problem with key rotations.

Maybe there is some tool/library that handles all this work for me? :p

For now, new keys are inserted manually by an administrator. In the next phase I am going to implement a scheduled task for that.

sglogowski

1 Answer

Maybe there is some tool/library that handles all this work for me?

As you mentioned, you need the encrypting key version to be consistent with the decrypting key version. It would be better if you could share your scenario. Take Encrypt blob for example. If the blob is encrypted, it will have a Metadata["encryptiondata"] with the keyId in it. In your case, maybe you could also add a property with the keyId to the object. When you try to decrypt, you could then get the keyId from the object.

For now, new keys are inserted manually by an administrator. In the next phase I am going to implement a scheduled task for that.

If you want to create keys, you could do that by following this code sample in a WebJob or Azure Function.

using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.WebKey;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class KeyCreator
{
    static string _clientId = "xxxxxxxxxxxxx";       // AAD application (client) id
    static string _clientSecret = "xxxxxxxxxxxxxxxx"; // AAD application secret
    static string _tenantId = "xxxxxxxxxxxxxxxx";     // AAD tenant id
    // Signature matches KeyVaultClient.AuthenticationCallback; the parameters are unused, the static credentials above are used instead.
    public static async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        var context = new AuthenticationContext("https://login.windows.net/" + _tenantId);
        var clientCredential = new ClientCredential(_clientId, _clientSecret);
        var tokenResponse = await context.AcquireTokenAsync("https://vault.azure.net", clientCredential);
        return tokenResponse.AccessToken;
    }

    public static async Task Main()
    {
        var kv = new KeyVaultClient(GetAccessToken);
        // Placeholders: vault URL and key name come from your configuration; the new key is an RSA key.
        var result = await kv.CreateKeyAsync("https://<your-vault>.vault.azure.net/", "<key-name>", JsonWebKeyType.Rsa);
    }
}
Tom Sun - MSFT
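Added example (not from the question or the answer) of the "store the key identifier with the ciphertext" approach discussed above, using Microsoft.Azure.KeyVault: encrypt under the versionless key id built from the app.config values, keep the versioned Kid that Key Vault returns next to the ciphertext, and pin the vault host on decrypt so a stored envelope can only name a key in your own vault. The '|' separator, the class name and the method names are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.KeyVault.WebKey;

// Envelope layout (an assumption of this example): "<versioned key id>|<base64 ciphertext>".
// Only the versionless key id (vaultBaseUrl + keyName) needs to live in app.config; the
// version travels with each ciphertext, so old data still decrypts after a rotation.
public static class KeyVaultEnvelope
{
    const char Separator = '|';

    // Encrypts with the current version of the key. Key Vault resolves the versionless id to
    // the latest enabled version and reports that version back in KeyOperationResult.Kid.
    public static async Task<string> EncryptAsync(KeyVaultClient kv, string vaultBaseUrl, string keyName, byte[] plaintext)
    {
        string versionlessKeyId = vaultBaseUrl.TrimEnd('/') + "/keys/" + keyName;
        KeyOperationResult r = await kv.EncryptAsync(versionlessKeyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, plaintext);
        return r.Kid + Separator + Convert.ToBase64String(r.Result);
    }

    // Decrypts with exactly the key version recorded in the envelope, whatever the current version is.
    public static async Task<byte[]> DecryptAsync(KeyVaultClient kv, string vaultBaseUrl, string envelope)
    {
        var (kid, ciphertext) = Parse(envelope, vaultBaseUrl);
        KeyOperationResult r = await kv.DecryptAsync(kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP, ciphertext);
        return r.Result;
    }

    // Pure parsing, usable without a vault. Rejects malformed envelopes and key ids that do not
    // point at the configured vault, so stored data cannot redirect decryption elsewhere.
    public static (string Kid, byte[] Ciphertext) Parse(string envelope, string vaultBaseUrl)
    {
        int i = envelope.IndexOf(Separator);
        if (i <= 0 || i == envelope.Length - 1)
            throw new FormatException("envelope must be '<key id>|<base64 ciphertext>'");
        string kid = envelope.Substring(0, i);
        if (!Uri.TryCreate(kid, UriKind.Absolute, out Uri kidUri) || kidUri.Scheme != Uri.UriSchemeHttps)
            throw new FormatException("key id must be an https Key Vault URL");
        if (!string.Equals(kidUri.Host, new Uri(vaultBaseUrl).Host, StringComparison.OrdinalIgnoreCase))
            throw new FormatException("key id does not belong to the configured vault");
        // Expect /keys/<name>/<version>: a versionless id would decrypt with the wrong key after rotation.
        if (kidUri.Segments.Length != 4 || kidUri.Segments[1] != "keys/")
            throw new FormatException("key id must be versioned: /keys/<name>/<version>");
        return (kid, Convert.FromBase64String(envelope.Substring(i + 1)));
    }
}
```

With this layout the app.config only carries vaultBaseUrl and keyName; creating a new key version in the vault is enough to rotate, and nothing already encrypted needs to be touched.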