Thomas

Reputation: 8003

Asp.net Core Data Protection decrypt Azure KeyVault keys

We have a .NET 5 ASP.NET Core application that follows the Microsoft guidelines for Data Protection as described in the official documentation here.

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        // key ring (XML key files) persisted to a blob container, authenticated by SAS token
        .PersistKeysToAzureBlobStorage(new Uri("<blobUriWithSasToken>"))
        // master keys inside the key ring wrapped with a Key Vault key, accessed via a service principal
        .ProtectKeysWithAzureKeyVault("<keyIdentifier>", "<clientId>", "<clientSecret>");
}

By doing so we

  1. store our keys in a blob storage container
  2. have them encrypted using Azure Key Vault.

We are, however, a little concerned that using Azure Key Vault locks us into Azure, as we can see the encrypted keys inside the file that is stored in Azure Blob Storage.

How hard would it be to extract the encrypted keys from the file in blob storage and convert them to the format that, for example, stores the key on the file system or in the database?

Upvotes: 0

Views: 909

Answers (2)

Joy Wang

Reputation: 42043

How hard would it be to extract the encrypted keys from the file in blob storage and convert it to the format that for example stores the key on the file system or in the database?

Not sure what you mean by "how hard" here. If you mean the security issue that you can see the encrypted key in the storage blob, I think you don't need to worry about it. To access the storage blob, the client/user needs the RBAC roles/SAS token/connection string/access key. After getting the blob, to decrypt it, the client/user also needs the key permissions (e.g. Unwrap Key and Wrap Key, maybe other permissions as well; I have not tested it) in the Key Vault access policy (or the RBAC role Key Vault Administrator if you select Azure role-based access control in the Access policies blade of the Key Vault).

If you just want to decrypt the encrypted keys from the storage blob, you can try to use the SDK; refer to this doc - Encrypt and decrypt blobs using Azure Key Vault - Decrypt blob and download. Also see the source code for how the decryption works and the details of this feature in this blog.

Upvotes: 1

Tore Nestenius

Reputation: 19901

As an experiment, I blogged about how you can store both the Data Protection key ring and the protection key in Azure Key Vault.

Storing the ASP.NET Core Data Protection Key Ring in Azure Key Vault

The key ring is pretty easy to move to some other location. Typically it is just a plain XML file.

Upvotes: 0
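As an added example (not code from the question or either answer), a hypothetical C# tool that does the move Tore describes: it lets the Data Protection stack itself unwrap the Key Vault-protected keys, then re-wraps each master key with DPAPI and writes the key ring in the file-system layout. It assumes the same packages and placeholder values as the question's snippet, and that the key-ring XML layout (the `requiresEncryption` marker on `masterKey`, the `encryptedSecret` envelope) is the one XmlKeyManager writes.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
// Hypothetical one-off tool: read the Key Vault-protected key ring and re-wrap each master key with DPAPI.
static class KeyRingMigration
{
    static readonly XNamespace Ns = "http://schemas.asp.net/2015/03/dataProtection";
    static IServiceProvider Build(Action<IDataProtectionBuilder> cfg)
    {
        var services = new ServiceCollection();
        cfg(services.AddDataProtection());
        return services.BuildServiceProvider();
    }
    public static void Main()
    {
        // Source: the configuration from the question (placeholders, not real values).
        var source = Build(b => b.PersistKeysToAzureBlobStorage(new Uri("<blobUriWithSasToken>"))
            .ProtectKeysWithAzureKeyVault("<keyIdentifier>", "<clientId>", "<clientSecret>"))
            .GetRequiredService<IKeyManager>();
        // Target: file-system repository, master keys protected with DPAPI instead of Key Vault.
        var target = Build(b => b.PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"C:\keys"))
            .ProtectKeysWithDpapi()).GetRequiredService<IOptions<KeyManagementOptions>>().Value;
        foreach (var key in source.GetAllKeys().Where(k => !k.IsRevoked))
        {
            // Reading Descriptor makes the source stack unwrap via Key Vault (needs the unwrap permission); the export is plaintext.
            var info = key.Descriptor.ExportToXml();
            var descriptor = new XElement(info.SerializedDescriptorElement);
            // masterKey is flagged requiresEncryption: re-wrap it in the <encryptedSecret> envelope XmlKeyManager decrypts on load.
            foreach (var secret in descriptor.Descendants()
                .Where(e => (bool?)e.Attribute(Ns + "requiresEncryption") == true).ToList())
            {
                var enc = target.XmlEncryptor.Encrypt(new XElement(secret));
                secret.ReplaceWith(new XElement(Ns + "encryptedSecret",
                    new XAttribute("decryptorType", enc.DecryptorType.AssemblyQualifiedName), enc.EncryptedElement));
            }
            // Same <key> layout XmlKeyManager itself writes; id and dates are copied from the source key.
            target.XmlRepository.StoreElement(new XElement("key",
                new XAttribute("id", key.KeyId), new XAttribute("version", 1),
                new XElement("creationDate", key.CreationDate), new XElement("activationDate", key.ActivationDate),
                new XElement("expirationDate", key.ExpirationDate),
                new XElement("descriptor", new XAttribute("deserializerType", info.DeserializerType.AssemblyQualifiedName), descriptor)),
                "key-" + key.KeyId.ToString("D"));
        }
    }
}
```

DPAPI ties the written files to the Windows machine and account that ran the tool; ProtectKeysWithCertificate is the portable alternative. The blob and Key Vault credentials this needs are exactly the barrier Joy Wang describes, so the same access review applies to whoever runs the migration.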
