I am trying to implement JWE for my REST API. I came across the following Node library that implements JWE. However, the library lacks documentation around how a JSON Web Key (JWK) should be used (as a JSON object) to help with the Key Management Mode. The JWE documentation reads as follows:
A method of determining the Content Encryption Key value to use. Each algorithm used for determining the CEK value uses a specific Key Management Mode. Key Management Modes employed by this specification are Key Encryption, Key Wrapping, Direct Key Agreement, Key Agreement with Key Wrapping, and Direct Encryption.
So I want to know how I should feed the JWK to this library in order to implement JWE. I want to know how my JSON format will dictate the Key Management Mode.
Can anyone provide me such a JSON format for a JWK and tell how that provides the Key Management Mode?
Node-jose
I wrote documentation for my PHP framework where you will find a table of the relationship between the encryption algorithm and the key management mode.
Hi everyone, I'm trying to receive my blob storage data via my Spring Boot client application. I can retrieve the data; however, it is encrypted.
In my Storage Account settings the encryption type is "Microsoft-managed keys". Now, where do I find the key I need for decrypting my data? I am kind of confused; I'm just not able to find the key.
Thanks a lot in advance
Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys.
All data that is written into Azure Storage will be automatically encrypted by the Storage service prior to persisting, and decrypted prior to retrieval. Encryption and decryption are completely transparent to the user. All data is encrypted using 256-bit AES encryption, also known as AES-256, one of the strongest block ciphers available. Encryption is enabled by default.
Reference: https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/
And the Microsoft-managed keys used for encryption are not available.
In your scenario, check the encryption type at the client side: data that is already encrypted when it is received by Azure. With client-side encryption, cloud service providers don't have access to the encryption keys and cannot decrypt this data. You maintain complete control of the keys.
For more details refer this document: https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
I have some encrypted Azure Blobs that I need to decrypt using this Azure Key Vault mechanism. Is there any possibility of using Scala or Python in Databricks to do this decryption? I am not sure if there are any libraries available in either of these languages that will allow me to do the decryption. If you know of any libraries or have some sample code that can work in Python or Scala, it would really help.
Thanks!
Try using the Azure Storage Client Library for Python, which supports encrypting data within client applications before uploading to Azure Storage, and decrypting data while downloading to the client.
Encryption via the envelope technique contains the following steps:
1) The Azure storage client library generates a content encryption key (CEK), which is a one-time-use symmetric key.
2) User data is encrypted using this content encryption key (CEK).
3) The CEK is then wrapped (encrypted) using the key encryption key (KEK). The KEK is identified by a key identifier and can be an asymmetric key pair or a symmetric key, which is managed locally. The storage client library itself never has access to the KEK. The library invokes the key wrapping algorithm that is provided by the KEK. Users can choose to use custom providers for key wrapping/unwrapping if desired.
4) The encrypted data is then uploaded to the Azure Storage service. The wrapped key along with some additional encryption metadata is either stored as metadata (on a blob) or interpolated with the encrypted data (queue messages and table entities).
Decryption via the envelope technique contains the following steps:
1) The client library assumes that the user is managing the key encryption key (KEK) locally. The user does not need to know the specific key that was used for encryption. Instead, a key resolver, which resolves different key identifiers to keys, can be set up and used.
2) The client library downloads the encrypted data along with any encryption material that is stored on the service.
3) The wrapped content encryption key (CEK) is then unwrapped (decrypted) using the key encryption key (KEK). Here again, the client library does not have access to the KEK. It simply invokes the custom provider's unwrapping algorithm.
4) The content encryption key (CEK) is then used to decrypt the encrypted user data.
For more details and a step-by-step procedure, refer to this document.
We used "Encrypt and decrypt blobs using Azure Key Vault" to protect our files from DevOps personnel or any unwanted access to the files.
I have created the RSA key like below.
Now I have a few doubts.
#1: If I set an expiration date on this key (let's say 2 years from today's date), will it affect my encryption?
For example, after 2 years I will create a new RSA key; will the old files which are already encrypted no longer be decryptable? If the answer is no, how will the version change make sure decryption keeps working?
#2: Which RSA key size do I have to use? What is best as per industry standards?
#3: Blob files have a metadata property added by the SDK, "encryptiondata". What is that? It also includes "EncryptedKey"; what is that used for? It seems like the SDK is doing this behind the scenes when we set "BlobEncryptionPolicy".
#4: When we set a key in Azure Key Vault, is it the private key or the public key? Will we be able to see its content?
Let's say someone gets to know the RSA key from Key Vault in plain text. Could he/she download the encrypted files directly from the blob, use that key in a separate program and unlock/decrypt them?
Thanks,
#1: In Azure Key Vault the encryption keys don't have an expiry by default, but it is good practice to set one and then rotate the keys.
Rotation would involve:
1) Generate new key(s).
2) Re-encrypt all data that was encrypted using the old key, using the new key(s).
3) Delete the old encrypted data and the old encryption key.
Azure supports three models with respect to data encryption:
1) Server-side encryption using service-managed keys
2) Server-side encryption using customer-managed keys in Azure Key Vault
3) Server-side encryption using customer-managed keys on customer-controlled hardware
You can read more about that here: https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-models
and choose the option that you need.
If you need to bring your own keys in Azure Storage: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
The rotation process can be automated with events, Event Grid and Functions.
For example, a "secret near expiry" event is triggered when the secret is near its expiry date; that is captured in Event Grid and the necessary action is taken via an Azure Function whose trigger is the Event Grid mapping for this event.
Azure Runbook-based automation options are also possible.
#2: A bigger key size is tougher or takes more time to crack, as far as I know, and from what I have read 2048 or 4096 should be good. But again, there are schools of thought on not using standard key sizes, etc. I guess you can consult a security/cryptography expert for the specifics.
#3: Those properties refer to the default encryption at rest done in Azure Storage. Refer to the data encryption models available for Azure Storage.
#4: In Azure Key Vault a cryptographic key is represented as a JWK (JSON Web Key),
for example a .pfx certificate file that contains a pair of public and private keys.
The API call to GetKeyAsync doesn't return private key data. This is why the DecryptAsync wrapper method uses the Key Vault API for decryption.
I am making a speech recognition app using the Bing Speech API with the JavaScript library.
But I need to include the SubscriptionKey in the HTML/JS code to use the library.
I think another person can see my key and use it.
How can I keep my key safe?
Can I regenerate the key dynamically on each user access?
or
Can I set an expiry limit on the key?
You are recommended to make the calls from the server side. You can initiate a call from your client to your server, where your client is whitelisted, and then make the call to the API from there. Alternatively, you can use Azure Key Vault to generate a secret, use that, and change it often. Further, you are recommended to change subscription keys and/or the Azure Key Vault secret often to limit exposure.
A similar question but for Bing Maps is posted here: http://www.garzilla.net/vemaps/Protecting-Your-Map-Key.aspx.
I would appreciate clarification and advice on the following:
My project requires me to use symmetric data encryption (using AES), in a Node.js environment, to secure data in a database (MongoDB). Ideally, I would like to do this as follows:
Store the symmetric key in Azure Key Vault as a Key, then make 'encrypt' calls to the vault to perform AES encryption on the data with the Key. The encrypted data is sent in the response to my app and then stored in the database in its encrypted form.
I am confused after reading MS Azure's documentation and related blog posts, where some sources claim symmetric key encryption is supported, but there is no official documentation on this.
Can anyone advise whether this is an exhaustive list of all key types and algorithms supported for Azure's Key Vault?
https://msdn.microsoft.com/en-us/library/azure/dn903623.aspx#BKMK_KeyTypes
It also seems this may be an option (http://www.nuget.org/packages/Microsoft.Azure.KeyVault.extensions), but only for environments on .NET. Any love for Node.js?
If indeed symmetric keys/encryption are not currently supported, can anyone offer an alternative means to my approach described above?
Thanks and much appreciated.
I agree the documentation/blogs do seem a little confusing on this topic. From my understanding, Key Vault does not currently support symmetric encryption. I believe the closest you can get is storing symmetric keys as secrets and using them outside of the vault.
This article talks about doing that. See the section with the heading "Use Key Vault secrets".
I understand you're using Node.js and that example is in PowerShell; I'm just trying to illustrate symmetric encryption with a secret. Obviously the crypto operations happen outside the vault, so at rest the keys are more secure but do get exposed in memory any time an operation occurs.
Hope that helps.
Here is an example in PowerShell of creating a secret in Key Vault that can be used as a SymmetricKey.
// Resolve a Key Vault secret (addressed by its identifier URL) into a SymmetricKey.
// Assumes cloudResolver is a KeyVaultKeyResolver from Microsoft.Azure.KeyVault.Extensions;
// the secret's value is fetched and used as the key material outside the vault.
SymmetricKey sec = (SymmetricKey) cloudResolver.ResolveKeyAsync(
    "https://contosokeyvault.vault.azure.net/secrets/TestSecret2/",
    CancellationToken.None).GetAwaiter().GetResult();