Skip to main content

Encrypt/Decrypt text using the new Azure Key Vault Client Libraries

Securing applications is hard. We often have to struggle with storing connection strings, encryption keys and other sensitive pieces of information securely in our code base. Azure Key Vault is a great place to store these securely and allow only limited access to authorized applications. Azure Key Vault can store Keys, Secrets and Certificates. It supports storing only asymmetric keys (RSA and EC). One can generate a key in Azure Key Vault and it will only give out Public Key to your application. All operations involving Private Key has to be done by Azure Key Vault only. Encryption algorithms like AES are symmetric encryption methods - meaning they use one key to encrypt and decrypt the data. There are two ways we can store this key - either as a secret in Azure Key Vault (less secure) or encrypt the key itself using the RSA key generated in Azure Key Vault and store the encrypted key as a secret (more secure). If you are using .NET, there are numerous examples on the interwebs showing how to do this using the old Microsoft.Azure.KeyVault libraries. (Un)Fortunately those libraries are now replaced by new Azure SDKs splitting the one library in three separate Nuget packages:

How do we encrypt/decrypt using these packages? Sadly the documentation regarding these is sparse. Hence this blog post.

In the following code, we create a small console application using .NET Core and pull down a RSA key generated in Azure Key Vault named "KEK" (Key Encryption Key). We use that key to encrypt the string passed in by the user and store in Azure Key Vault as a secret. Finally to get back the original string, we pull down the secret stored in previous step and use the KEK to decrypt the string back to original value.

using System;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Security.KeyVault.Secrets;
namespace key_vault_console_app
    class Program
        static void Main(string[] args)
            Console.WriteLine("Enter string to encrypt:");
            var keyToEncrypt = Console.ReadLine();
            var credential = new ClientSecretCredential("AzureTenantId", "ClientId", "ClientSecret");
            var kvUri = "";
            var client = new KeyClient(new Uri(kvUri), credential);
            var key = client.GetKey("KEK");
            var cryptoClient = new CryptographyClient(key.Value.Id, credential);
            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, Encoding.UTF8.GetBytes(keyToEncrypt));
            Console.WriteLine("Encrypted string is: " + Convert.ToBase64String(encryptResult.Ciphertext));
// Store the encrypted key in Azure KV as secret
            var secretClient = new SecretClient(new Uri(kvUri), credential);
            secretClient.SetSecret(new KeyVaultSecret("EncryptedKey1", Convert.ToBase64String(encryptResult.Ciphertext)));

            Console.WriteLine("Do you want to decrypt? (Y/N)");
            if (Console.ReadLine().ToUpper() == "Y")
                var encryptedSecret = secretClient.GetSecret("EncryptedKey1");
                DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, Convert.FromBase64String(encryptedSecret.Value.Value));
                Console.WriteLine("Decrypted string is: " + Encoding.UTF8.GetString(decryptResult.Plaintext));
Hope the above example helps someone struggling with using the new Azure SDKs. Is there a better way to do this? Do let me know in the comments below.


Popular posts from this blog

Integrating React with SonarQube using Azure DevOps Pipelines

In the world of automation, code quality is of paramount importance. SonarQube and Azure DevOps are two tools which solve this problem in a continuous and automated way. They play well for a majority of languages and frameworks. However, to make the integration work for React applications still remains a challenge. In this post we will explore how we can integrate a React application to SonarQube using Azure DevOps pipelines to continuously build and assess code quality. Creating the React Application Let's start at the beginning. We will use npx to create a Typescript based React app. Why Typescript? I find it easier to work and more maintainable owing to its strongly-typed behavior. You can very well follow this guide for jsx based applications too. We will use the fantastic Create-React-App (CRA) tool to create a React application called ' sonar-azuredevops-app '. > npx create-react-app sonar-azuredevops-app --template typescript Once the project creation is done, we

Creating a Smart Playlist

A few days earlier I was thinking that wouldn't it be nice if I had something which will automatically generate a playlist for me with no artists repeated. Also, it would be nice if I could block those artists which I really hate (like Himesh Reshammiya!). Since I couldn't find anything already available, I decided to code it myself. Here is the outcome -  This application is created entirely in .NET Framework 4/WPF and uses Windows Media Player Library as its source of information. So you have to keep your Windows Media Player Library updated for this to work. It is tested only on Windows 7/Vista. You can download it from here . UPDATE : You can download the Windows XP version of the application here . Please provide your feedback!

Add Git Commit Hash and Build Number to a Static React Website using Azure DevOps

While working on a React based static website recently, there was a need to see exactly what was deployed in the Dev/Test environments to reduce confusion amongst teams. I wanted to show something like this: A quick look at the site's footer should show the Git Commit Hash and Build Number which was deployed and click through to actual commits and build results. Let's see how we achieved this using Azure DevOps. Git Commit Hash Azure DevOps exposes a variable called  $(Build.SourceVersion) which contains the hash of the commit. So I defined a variable in the Build Pipeline using it. Build Id and Build Number Azure DevOps also exposes two release time variables  $(Build.BuildId) and  $(Build.BuildNumber) which can be used to define custom variables in the pipeline. So we have a total of 3 variables defined: Next we use these variables in our React App. I created 3 global variables in index.html and assigned a token value to them. < script   type = "text/JavaScript&quo