Application level envelope encryption SDK for C# with support for cloud-agnostic data storage and key management.
You can get the latest release from Nuget:
<ItemGroup>
<PackageReference Include="GoDaddy.Asherah.AppEncryption" Version="0.2.6" />
</ItemGroup>
GoDaddy.Asherah.AppEncryption
targets NetStandard 2.0 and NetStandard 2.1. See the
.NET Standard documentation and
Multi-targeting
for more information.
// Create a session factory. The builder steps used below are for testing only.
using (SessionFactory sessionFactory = SessionFactory
.NewBuilder("some_product", "some_service")
.WithMemoryPersistence()
.WithNeverExpiredCryptoPolicy()
.WithStaticKeyManagementService("thisIsAStaticMasterKeyForTesting")
.Build())
{
// Now create a cryptographic session for a partition.
using (Session<byte[], byte[]> sessionBytes =
sessionFactory.GetSessionBytes("some_partition"))
{
// Encrypt some data
const string originalPayloadString = "mysupersecretpayload";
byte[] dataRowRecordBytes = sessionBytes.Encrypt(Encoding.UTF8.GetBytes(originalPayloadString));
// Decrypt the data
string decryptedPayloadString = Encoding.UTF8.GetString(sessionBytes.Decrypt(dataRowRecordBytes));
}
}
A more extensive example is the Reference Application, which will evolve along with the SDK.
Before you can start encrypting data, you need to define Asherah's required pluggable components. Below we show how to build the various options for each component.
Detailed information about the Metastore, including any provisioning steps, can be found here.
Asherah can connect to a relational database by accepting an ADO DbProviderFactory and a connection string.
// Create / retrieve a DbProviderFactory for your target vendor, as well as the connection string
DbProviderFactory dbProviderFactory = ...;
string connectionString = ...;
// Build the ADO Metastore
IMetastore<JObject> adoMetastore = AdoMetastoreImpl.NewBuilder(dbProviderFactory, connectionString).Build();
For simplicity, the DynamoDB implementation uses the builder pattern to enable configuration changes.
To obtain an instance of the builder, use the static factory method NewBuilder
.
DynamoDbMetastoreImpl.NewBuilder("<preferred-aws-region>");
Once you have a builder, you can either use the WithXXX
setter methods to configure the metastore properties or simply
build the metastore by calling the Build
method.
- WithKeySuffix: Specifies whether key suffix should be enabled for DynamoDB. This is required to enable Global Tables.
- WithTableName: Specifies the name of the DynamoDb table.
- WithRegion: Specifies the region for the AWS DynamoDb client.
- WithEndPointConfiguration: Adds an EndPoint configuration to the AWS DynamoDb client.
Below is an example of a DynamoDB metastore that uses a Global Table named TestTable
// Setup region via global default or via other AWS .NET SDK mechanisms
AWSConfigs.AWSRegion = "us-west-2";
// Build the DynamoDB Metastore.
IMetastore<JObject> dynamoDbMetastore = DynamoDbMetastoreImpl.NewBuilder("us-west-2")
.WithKeySuffix()
.WithTableName("TestTable")
.Build();
IMetastore<JObject> metastore = new InMemoryPersistenceImpl<JObject>();
Detailed information about the Key Management Service can be found here.
// Create a dictionary of region and ARN pairs that will all be used when creating a System Key
Dictionary<string, string> regionDictionary = new Dictionary<string, string>
{
{ "us-east-1", "arn_of_us-east-1" },
{ "us-east-2", "arn_of_us-east-2" },
...
};
// Build the Key Management Service using the region dictionary and your preferred (usually current) region
KeyManagementService keyManagementService = AwsKeyManagementServiceImpl.newBuilder(regionDictionary, "us-east-1").Build();
KeyManagementService keyManagementService = new StaticKeyManagementServiceImpl("thisIsAStaticMasterKeyForTesting");
Detailed information on Crypto Policy can be found here. The Crypto Policy's effect on key caching is explained here.
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(90)
.WithRevokeCheckMinutes(60)
.Build();
Session caching is disabled by default. Enabling it is primarily useful if you are working with stateless workloads and the shared session can't be used by the calling app.
To enable session caching, simply use the optional builder step WithCanCacheSessions(true)
when building a crypto policy.
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(90)
.WithRevokeCheckMinutes(60)
.WithCanCacheSessions(true) // Enable session cache
.WithSessionCacheMaxSize(200) // Define the number of maximum sessions to cache
.WithSessionCacheExpireMillis(5000) // Evict the session from cache after some milliseconds
.Build();
CryptoPolicy neverExpiredCryptoPolicy = new NeverExpiredCryptoPolicy();
Asherah's C# implementation uses App.Metrics for metrics, which are disabled by default.
If metrics are left disabled, we simply create and use an IMetrics
instance whose
Enabled flag is disabled.
To enable metrics generation, simply pass in an existing IMetrics
instance to the final optional builder step when creating a
SessionFactory
.
The following metrics are available:
- ael.drr.decrypt: Total time spent on all operations that were needed to decrypt.
- ael.drr.encrypt: Total time spent on all operations that were needed to encrypt.
- ael.kms.aws.decrypt.<region>: Time spent on decrypting the region-specific keys.
- ael.kms.aws.decryptkey: Total time spend in decrypting the key which would include the region-specific decrypt calls in case of transient failures.
- ael.kms.aws.encrypt.<region>: Time spent on data key plain text encryption for each region.
- ael.kms.aws.encryptkey: Total time spent in encrypting the key which would include the region-specific generatedDataKey and parallel encrypt calls.
- ael.kms.aws.generatedatakey.<region>: Time spent to generate the first data key which is then encrypted in remaining regions.
- ael.metastore.ado.load: Time spent to load a record from ado metastore.
- ael.metastore.ado.loadlatest: Time spent to get the latest record from ado metastore.
- ael.metastore.ado.store: Time spent to store a record into ado metastore.
- ael.metastore.dynamodb.load: Time spent to load a record from DynamoDB metastore.
- ael.metastore.dynamodb.loadlatest: Time spent to get the latest record from DynamoDB metastore.
- ael.metastore.dynamodb.store: Time spent to store a record into DynamoDB metastore.
A session factory can now be built using the components we defined above.
SessionFactory sessionFactory = SessionFactory.NewBuilder("some_product", "some_service")
.WithMetastore(metastore)
.WithCryptoPolicy(policy)
.WithKeyManagementService(keyManagementService)
.WithMetrics(metrics) // Optional
.Build();
NOTE: We recommend that every service have its own session factory, preferably as a singleton instance within the service. This will allow you to leverage caching and minimize resource usage. Always remember to close the session factory before exiting the service to ensure that all resources held by the factory, including the cache, are disposed of properly.
Create a Session
session to be used for cryptographic operations.
Session<byte[], byte[]> sessionBytes = sessionFactory.GetSessionBytes("some_user");
The different usage styles are explained below.
NOTE: Remember to close the session after all cryptographic operations to dispose of associated resources.
This usage style is similar to common encryption utilities where payloads are simply encrypted and decrypted, and it is completely up to the calling application for storage responsibility.
string originalPayloadString = "mysupersecretpayload";
// encrypt the payload
byte[] dataRowRecordBytes = sessionBytes.Encrypt(Encoding.UTF8.GetBytes(originalPayloadString));
// decrypt the payload
string decryptedPayloadString = Encoding.UTF8.GetString(dataRowRecordBytes.Decrypt(newDataRowRecordBytes));
Asherah supports a key-value/document storage model. An AppEncryption instance can
accept a Persistence implementation and hook into its Load
and Store
calls.
An example Dictionary
-backed Persistence
implementation:
public class DictionaryPersistence : Persistence<JObject>
{
Dictionary<string, JObject> dictionaryPersistence = new Dictionary<string, JObject>();
public override Option<JObject> Load(String key)
{
return dictionaryPersistence.TryGetValue(key, out JObject result) ? result : Option<JObject>.None;
}
public override void Store(String key, JObject value)
{
dictionaryPersistence.Add(key, value);
}
}
An example end-to-end use of the store and load calls:
// Encrypts the payload, stores it in the dictionaryPersistence and returns a look up key
string persistenceKey = sessionJson.Store(originalPayload.ToJObject(), dictionaryPersistence);
// Uses the persistenceKey to look-up the payload in the dictionaryPersistence, decrypts the payload if any and then returns it
Option<JObject> payload = sessionJson.Load(persistenceKey, dictionaryPersistence);
Dotnet enables debugging and profiling by default causing filesystem writes. Disabling them ensures that the SDK can be used in a read-only container.
To do so, simply set the environment variable COMPlus_EnableDiagnostics
to 0
ENV COMPlus_EnableDiagnostics=0
Our sample application's Dockerfile can be used for reference.
Some unit tests will use the AWS SDK, If you don’t already have a local
AWS credentials file,
create a dummy file called ~/.aws/credentials
with the below contents:
[default]
aws_access_key_id = foobar
aws_secret_access_key = barfoo
Alternately, you can set the AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
environment variables.
The regression test use configuration parameters that can be passed either by using a config.yaml
file or by
setting the environment variables. The below table outlines the parameter names and their default values (if any)
Config File | Environment Variable | Default Value |
---|---|---|
kmsType | KMS_TYPE | static |
kmsAwsRegionArnTuples | KMS_AWS_REGION_ARN_TUPLES | N/A |
kmsAwsPreferredRegion | KMS_AWS_PREFERRED_REGION | us-west-2 |
metastoreType | METASTORE_TYPE | memory |
metastoreAdoConnectionString | METASTORE_ADO_CONNECTION_STRING | N/A |