Skip to content

Dealogic/azure-servicebus-encryption

BranchesTags

Repository files navigation

Dealogic Azure Service Bus Encryption

Adds Encryption policy and extensions methods to Brokered message for easy message body encryption. For encrypting messages you have to set the Encryption key of the encryption policy. For decrypting messages the DecryptionKeyResolver parameter has to be set or the same encryption key used for encryption. The easyiest way to retrieve these object is through the KeyVaultClient class in the Azure Key Vault Extensions package

Build status and NuGet

build status

NuGet Badge

Content

Encrypting messages

By registering the plugin

var encryptionPolicy = new EncryptionPolicy(key, null);
var queueClient = new QueueClient("YOUR CONNECTION STRING", "YOUR QUEUE");
queueClient.RegisterPlugin(new MessageBodyEncryptionPlugin(encryptionPolicy));

var body = new byte[0];
var message = new Message(body);
await queueClient.SendAsync(message).ConfigureAwait(false);

By using extensions

var encryptionPolicy = new EncryptionPolicy(key, null);
var encryptedMessage = await message.EncryptAsync(encryptionPolicy, cancellationToken).ConfigureAwait(false);

Decrypting messages

By registering the plugin

var encryptionPolicy = new EncryptionPolicy(null, keyResolver);
var queueClient = new QueueClient("YOUR CONNECTION STRING", "YOUR QUEUE");
queueClient.RegisterPlugin(new MessageBodyEncryptionPlugin(encryptionPolicy));

client.RegisterMessageHandler(SomeHandlerDelegate, MessageHandlerOptions);

By using extensions

var decryptionPolicy = new EncryptionPolicy(null, keyResolver);
var decryptedMessage = await encryptedMessage.DecryptAsync(decryptionPolicy, cancellationToken).ConfigureAwait(false);

Using lazy initialization

Encryption policy can be costructed with lazy encryption key initialization. The encryption key will be resolved when it's first used. The default implementation caches the key. For example:

var encryptionPolicy = new EncryptionPolicy(o =>
{
   o.EncryptionKey = (token) => keyResolver.ResolveKeyAsync("Key ID", token);
   o.ReyResolver = keyResolver
});

Tracing

The component supports Event Source tracing out of the box. The Event Source name can be retreived from Dealogic.ServiceBus.Azure.Encryption.Tracing.EventSourceName.

Implementation notes

  • when encrypting a message one new custom value will be added to the Message's property bag:
    • encryptiondata: contains the nessesary metadata for decryption
  • if the encryptiondata is not provided, the message wont be decrypted
  • when encrypting the message, the original body will replaced with the encrypted body content
  • when decrypting the message, the original body will replaced with the decrypted body content
  • When encrypting messages Wrap permission is needed on the Key Vault Keys
  • When decrypting messages Unwrap permission is needed on the Key Vault Keys
  • When using KeyResolver for decrpytion Get permission is needed for the user on the Key Vault Keys
  • if possible use CachingKeyResolver to avoid multiple roundtrips to the server
  • try to cache the access token for the KeyVault access to avoid multiple roundtrips to the server

Contribution

The packages uses VSTS pipeline for build and release. The versioning is done by GitVersion. From all feature (features) branches a new pre-release pacakges will be automatically released. After releasing a stable version, the version Tag has to be added to the code with the released version number.

About

Azure Service Bus Encryption Library

Topics

encryption servicebus azure-keyvault azure-service-bus encryption-library

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases 2

NuGet.org release Latest
May 29, 2018
+ 1 release

Packages

No packages published

Languages