Skip to main content

Encrypt/Decrypt text using the new Azure Key Vault Client Libraries

Securing applications is hard. We often have to struggle with storing connection strings, encryption keys and other sensitive pieces of information securely in our code base. Azure Key Vault is a great place to store these securely and allow only limited access to authorized applications. Azure Key Vault can store Keys, Secrets and Certificates. It supports storing only asymmetric keys (RSA and EC). One can generate a key in Azure Key Vault and it will only give out Public Key to your application. All operations involving Private Key has to be done by Azure Key Vault only. Encryption algorithms like AES are symmetric encryption methods - meaning they use one key to encrypt and decrypt the data. There are two ways we can store this key - either as a secret in Azure Key Vault (less secure) or encrypt the key itself using the RSA key generated in Azure Key Vault and store the encrypted key as a secret (more secure). If you are using .NET, there are numerous examples on the interwebs showing how to do this using the old Microsoft.Azure.KeyVault libraries. (Un)Fortunately those libraries are now replaced by new Azure SDKs splitting the one library in three separate Nuget packages:

How do we encrypt/decrypt using these packages? Sadly the documentation regarding these is sparse. Hence this blog post.

In the following code, we create a small console application using .NET Core and pull down a RSA key generated in Azure Key Vault named "KEK" (Key Encryption Key). We use that key to encrypt the string passed in by the user and store in Azure Key Vault as a secret. Finally to get back the original string, we pull down the secret stored in previous step and use the KEK to decrypt the string back to original value.

using System;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Security.KeyVault.Secrets;
namespace key_vault_console_app
    class Program
        static void Main(string[] args)
            Console.WriteLine("Enter string to encrypt:");
            var keyToEncrypt = Console.ReadLine();
            var credential = new ClientSecretCredential("AzureTenantId", "ClientId", "ClientSecret");
            var kvUri = "";
            var client = new KeyClient(new Uri(kvUri), credential);
            var key = client.GetKey("KEK");
            var cryptoClient = new CryptographyClient(key.Value.Id, credential);
            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, Encoding.UTF8.GetBytes(keyToEncrypt));
            Console.WriteLine("Encrypted string is: " + Convert.ToBase64String(encryptResult.Ciphertext));
// Store the encrypted key in Azure KV as secret
            var secretClient = new SecretClient(new Uri(kvUri), credential);
            secretClient.SetSecret(new KeyVaultSecret("EncryptedKey1", Convert.ToBase64String(encryptResult.Ciphertext)));

            Console.WriteLine("Do you want to decrypt? (Y/N)");
            if (Console.ReadLine().ToUpper() == "Y")
                var encryptedSecret = secretClient.GetSecret("EncryptedKey1");
                DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, Convert.FromBase64String(encryptedSecret.Value.Value));
                Console.WriteLine("Decrypted string is: " + Encoding.UTF8.GetString(decryptResult.Plaintext));
Hope the above example helps someone struggling with using the new Azure SDKs. Is there a better way to do this? Do let me know in the comments below.


Popular posts from this blog

Centralized Configuration for .NET Core using Azure Cosmos DB and Narad

We are living in a micro services world. All these services are generally hosted in Docker container which are ephemeral. Moreover these service need to start themselves up, talk to each other, etc. All this needs configuration and there are many commercially available configuration providers like Spring Cloud Config Server, Consul etc. These are excellent tools which provide a lot more functionality than just storing configuration data. However all these have a weakness - they have a single point of failure - their storage mechanism be it a file system, database etc. There are ways to work around those but if you want a really simple place to store configuration values and at the same time make it highly available, with guaranteed global availability and millisecond reads, what can be a better tool than Azure Cosmos DB!
So I set forth on this journey for ASP.NET Core projects to talk to Cosmos DB to retrieve their configuration data. For inspiration I looked at Steeltoe Configuratio…

Enabling IT in Healthcare by simulating Patient Data

In the current times of pandemics and disease outbreaks, it is of paramount importance that we leverage software to treat diseases. One important aspect of healthcare is Patient Management. IT systems have to be developed which can support management at an enormous scale. Any development of such good software system requires data which is as realistic as possible but not real. There has to be a fine balance between privacy and enabling developers to anticipate the myriad health scenarios that may occur. Towards this initiative, healthcare industry has been standardizing around the HL7 (Health Level 7) protocol. The HL7 protocol itself has undergone transformation from pipe-based formats (v2.x) to JSON/XML based (FHIR) modern formats. FHIR is the future of HL7 messages and is being increasingly adopted. However given the slow nature and reluctance by healthcare providers to change or upgrade their systems, a majority of hospitals still use the HL7 2.3 format.
FHIR is a modern format. …

The Art of Ogling

Me and my roommate were returning from a movie theater when I noticed a girl in a black dress and black goggles who seemed to be pretty. Maybe I looked for a second too long at her that I was chided by my roommate. "Dude, don't look at girls like that!!", he said out aloud, much to my embarrassment and his delight. This made me think and write about - How the hell do you look at girls?

Let me set the ground rules before you read on. Don't despise men who stare at girls or think of them as perverts. They are doing a public service. This is how it works - Girls spend time, effort and money in buying makeup, clothes and other numerous accessories which make them look good. Have you ever thought why they go through so much trouble?