I have to implement key rotation in my application. I have some idea how to do that, but I am not sure if everything is OK with that solution.
OK, let's start. I have a couple of places in my application where I use the KeyVaultClient (Azure Key Vault client) for decrypting purposes. It works pretty well. In my application there are some places where KeyVaultClient is used for encrypting. For now (still in the development phase) I am using hardcoded params (vaultBaseUrl, keyName, keyVersion). But I want to go further and move these params to the app.config file.
And here the question begins: what to do with the keyVersion variable (the rest of them I think I can easily store in the app.config file, can't I?). I have a couple of ideas:
For encrypting:
- I could store the current keyVersion in app.config, and use this value each time I encrypt data.
- I could read all keys from KeyVaultClient (GetKeysAsync), then filter them by the active flag and order by expiration date. Finally, use the newest one.
For decrypting:
- I could store the keyVersion used for encryption in the encrypted data (I am converting the encryption result to a Base64 string). I mean I could add a 32-character (keyVersion) prefix to the string result.
- No more ideas, maybe using the keyVersion from app.config, but that creates problems with key rotation.
Maybe there is some tool/library that handles all this work for me? :p
For now, new keys are inserted manually by an administrator. In the next phase I am going to implement a scheduled task for that.
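An added example (not the poster's code) in C# against the Microsoft.Azure.KeyVault client that combines the two ideas above: pick the newest enabled, unexpired version for encryption, and tag each ciphertext with the versioned key identifier so decryption never needs a version from app.config. It assumes an already-authenticated `KeyVaultClient`; the `|` separator and the `kid|base64` envelope layout are my own choices, not part of the SDK.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.KeyVault.WebKey;

public static class VersionedEnvelope
{
    private static readonly string Algorithm = JsonWebKeyEncryptionAlgorithm.RSAOAEP;

    // Newest version of keyName that is enabled, past its not-before date and not expired.
    // Only the first page of versions is inspected; use GetKeyVersionsNextAsync for more.
    public static async Task<string> CurrentKeyIdAsync(KeyVaultClient client, string vaultBaseUrl, string keyName)
    {
        var versions = await client.GetKeyVersionsAsync(vaultBaseUrl, keyName);
        var now = DateTime.UtcNow;
        var usable = versions
            .Where(v => v.Attributes?.Enabled == true)
            .Where(v => v.Attributes.NotBefore == null || v.Attributes.NotBefore <= now)
            .Where(v => v.Attributes.Expires == null || v.Attributes.Expires > now)
            .OrderByDescending(v => v.Attributes.Created)
            .ToList();
        if (usable.Count == 0)
            throw new InvalidOperationException($"No usable version of key '{keyName}'");
        return usable[0].Kid; // full id: https://{vault}/keys/{name}/{version}
    }

    // Envelope = "<versioned kid>|<base64 ciphertext>" (layout is an assumption of this example).
    public static async Task<string> EncryptAsync(KeyVaultClient client, string vaultBaseUrl, string keyName, byte[] plaintext)
    {
        var kid = await CurrentKeyIdAsync(client, vaultBaseUrl, keyName);
        KeyOperationResult r = await client.EncryptAsync(kid, Algorithm, plaintext);
        // r.Kid is the versioned identifier the service actually used, so store that, not a config value.
        return r.Kid + "|" + Convert.ToBase64String(r.Result);
    }

    // The key version comes from the envelope itself, so old blobs still decrypt after rotation
    // as long as the old version stays enabled in the vault.
    public static async Task<byte[]> DecryptAsync(KeyVaultClient client, string envelope)
    {
        var sep = envelope.IndexOf('|');
        if (sep < 0) throw new FormatException("Envelope is missing the key id prefix");
        var kid = envelope.Substring(0, sep);
        var ciphertext = Convert.FromBase64String(envelope.Substring(sep + 1));
        KeyOperationResult r = await client.DecryptAsync(kid, Algorithm, ciphertext);
        return r.Result;
    }
}
```

Because the decrypt path trusts the kid inside the envelope, restrict the client's vault access policy to decrypt on the intended keys only, and keep rotated-out versions enabled (not deleted) until every blob encrypted under them has been re-encrypted.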