Simple Key Manager with persistence to Json or file
This library contains an in-memory (and persistable) keystore for processes that need to use or share encryption keys. It can be used as a process-wide, in-memory keystore, that holds keys, retrieved from a central secret authority. Or, it can manage keys that are stored in JSON or a file (saved in JSON format).
The following is a list of key object and keystore features:
- A keystore instance supports the generation, verification, usage, and persistence of encryption keys of:
- RSA
- AES
- ECDSA
- It currently leverages base .NET encryption libraries. But, can be extended to manage keys made/used by LibSodium, BouncyCastle, or others.
- Supports CRUD functionality of key objects.
- Key objects can be retrieved from the store by name or by key properties, such as type, age, status, etc...
- Key queries are implemented using a predicate filter (See comments at top of PredicateBuilder).
- Both key object and keystore classes are versioned, so they can be correctly loaded by (and migrated to) newer versions.
- A keystore updates a version counter each time its contents are changed, for easier reconciliation.
- Persisted keystores are signed (via ECDSA) to ensure integrity and tampering. The signature is verified on load.
- At-rest encryption is used for securely storing private keys.
OGA.KeyMgmt is available via NuGet:
- NuGet Official Releases:
This library depends on:
Here are usage examples...
// Create three keys...
KeyStore_v2_Base.Create_New_AES_Key(Guid.NewGuid().ToString(), 256, out var k1);
KeyStore_v2_Base.Create_New_ECDSA_KeyPair(Guid.NewGuid().ToString(), out var k2);
KeyStore_v2_Base.Create_New_RSA_KeyPair(Guid.NewGuid().ToString(), 512, out var k3);
// Add all three keys to a new in-memory keystore instance...
var ks = new KeyStore_v2_Base();
var res1 = ks.AddKey_toStore(k1);
var res2 = ks.AddKey_toStore(k2);
var res3 = ks.AddKey_toStore(k3); // Create a keystore with a couple of symmetric keys...
KeyStore_v2_Base.Create_New_AES_Key(Guid.NewGuid().ToString(), 256, out var k1);
KeyStore_v2_Base.Create_New_AES_Key(Guid.NewGuid().ToString(), 256, out var k2);
var ks = new KeyStore_v2_Base();
var res1 = ks.AddKey_toStore(k1);
var res2 = ks.AddKey_toStore(k2);
// Retrieve the oldest AES key in the keystore...
// To query the store, we need to build a predicate filter... for AES keys.
var filter = OGA.DomainBase.QueryHelpers.PredicateBuilder.True<KeyObject_v2>(); // Filter for symmetric keys.
filter = filter.And<KeyObject_v2>(t => t.Is_SymmetricKey()); // Filter for enabled keys.
filter = filter.And<KeyObject_v2>(t => t.Status == eKeyStatus.Enabled); // Filter for private keys.
// Pass the query filter to the keystore...
var res = ks.GetOldestKey_fromStore_byFilter(filter, out var k4);
if (res != 1)
{
// Failed to locate an AES key in keystore.
return;
}
// Do something with the retrieved key...
var keystring = k4.PrivateKey; // Create a couple of keys...
KeyStore_v2_Base.Create_New_AES_Key(Guid.NewGuid().ToString(), 256, out var k1);
KeyStore_v2_Base.Create_New_AES_Key(Guid.NewGuid().ToString(), 256, out var k2);
// Create a file-based keystore instance...
// Pass in the filepath and storage password at construction...
var ks = new KeyStore_v2_File(store_filepath, storagepassword);
// Add the created keys...
var res1 = ks.AddKey_toStore(k1);
var res2 = ks.AddKey_toStore(k2);
// Save the store to disk...
var saveres = ks.Save();
if (res != 1)
{
// Failed to save keystore.
return;
}This library is built with the new SDK-style projects. It contains multiple projects, one for each of the following frameworks:
- NET 5
- NET 6
- NET 7
And, the output nuget package includes runtimes targets for:
- linux-any
- win-any
Currently, the nuget package of this library supports the framework versions and runtimes of applications that I maintain (see above). If someone needs others (older or newer), let me know, and I'll add them to the build script.
It is currently built using Visual Studio 2019 17.1.
Please see the License.