Secure confidential data with Azure Key Vault

Step 1: register an app in your AAD and create a secret for it; after that you can get the ClientId and ClientSecret from the Azure portal (AAD section)

<add key="ClientId" value="caf5668f-f6fa-4634-8b10-7212020f99f9" />
<add key="ClientSecret" value="ankMv1ze/n7F3GUzsF6xWjq4r9v99vpQW6YRlhCfpPU=" />

Step 2: create a key vault in Azure and store a secret in it by following https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/; after that you will have a secret URI like the one below:

<add key="SecretUri" value="https://contosokeyvault.vault.azure.cn:443/secrets/SQLPassword/daf346543c824e62b45688112afc0567" />

Step 3: the code:

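// Key Vault client; KVHelper.GetToken is the callback that acquires the AAD token
// (using the ClientId/ClientSecret app settings from Step 1).
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(KVHelper.GetToken));

// The secret identifier comes from configuration (Step 2). Fail early with a clear
// message rather than an opaque SDK error when the app setting is absent.
var secretUri = WebConfigurationManager.AppSettings["SecretUri"];
if (string.IsNullOrEmpty(secretUri))
{
    throw new InvalidOperationException("App setting 'SecretUri' is missing.");
}

// NOTE: .Result blocks the calling thread; in an async method prefer `await kv.GetSecretAsync(...)`.
var sec = kv.GetSecretAsync(secretUri).Result.Value;

// Get the key details. Only the public parameters (N, E) are read locally;
// private-key operations are requested from Key Vault further down.
var keyIdentifier = "https://contosokeyvault.vault.azure.cn:443/keys/ContosoFirstKey/8bd9eb30f67b4e67ab101aa85b79d53a";
var key = kv.GetKeyAsync(keyIdentifier).GetAwaiter().GetResult();
// Base64 of the RSA modulus only — not a complete public-key blob.
var publicKey = Convert.ToBase64String(key.Key.N);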

using (var rsa = new RSACryptoServiceProvider())
{
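// Import only the public parameters (N, E) into the local RSA object: local work is limited
// to encrypt/verify, while decrypt/sign/unwrap are delegated to the Key Vault key.
var p = new RSAParameters() { Modulus = key.Key.N, Exponent = key.Key.E };
rsa.ImportParameters(p);
var message = "Time is " + DateTime.Now.ToString();
var byteData = Encoding.Unicode.GetBytes(message);

// Encrypt locally with OAEP padding (fOAEP: true), decrypt in Key Vault with the matching RSA_OAEP algorithm.
var encryptedText = rsa.Encrypt(byteData, true);
var decryptedData = kv.DecryptDataAsync(key, JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedText).GetAwaiter().GetResult();
var decryptedText = Encoding.Unicode.GetString(decryptedData.Result);

// Server-side encrypt/decrypt round trip. RSA_OAEP is used here rather than RSA1_5:
// PKCS#1 v1.5 encryption padding is legacy and should not be chosen for new data.
KeyOperationResult operationResult = kv.EncryptAsync(keyIdentifier, JsonWebKeyEncryptionAlgorithm.RSAOAEP, Encoding.UTF8.GetBytes(message)).GetAwaiter().GetResult();
var decryptedBytes = kv.DecryptAsync(operationResult.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP, operationResult.Result).GetAwaiter().GetResult();
decryptedText = Encoding.UTF8.GetString(decryptedBytes.Result);

// Sign and verify: the SHA-256 digest is computed locally, the signature is produced by Key Vault,
// and it is verified both remotely and with the locally imported public key.
byte[] digest;
using (var hasher = SHA256.Create())
{
    digest = hasher.ComputeHash(byteData);
}
var signature = kv.SignAsync(keyIdentifier, JsonWebKeySignatureAlgorithm.RS256, digest).GetAwaiter().GetResult();
bool isVerified = kv.VerifyAsync(signature.Kid, JsonWebKeySignatureAlgorithm.RS256, digest, signature.Result).GetAwaiter().GetResult();
// Local verification needs only the public key already imported into rsa.
isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result);

// Wrap and unwrap: a fresh symmetric key is wrapped with the Key Vault RSA key and unwrapped again.
// The algorithm instance is disposed once its key material has been copied out.
byte[] symmetricKey;
using (var symmetric = SymmetricAlgorithm.Create())
{
    symmetricKey = symmetric.Key;
}
KeyOperationResult wrappedKey = kv.WrapKeyAsync(keyIdentifier, JsonWebKeyEncryptionAlgorithm.RSAOAEP, symmetricKey).GetAwaiter().GetResult();
var unwrappedKey = kv.UnwrapKeyAsync(wrappedKey.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP, wrappedKey.Result).GetAwaiter().GetResult();

// Sanity check that the key survived the round trip.
bool checkKey = symmetricKey.SequenceEqual(unwrappedKey.Result);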
