
[FEATURE REQ] Add support for storing Encryption keys in Cosmos Db when using DataProtection service

Open MandeepShahi opened this issue 3 years ago • 7 comments

Library name

Azure.Extensions

Please describe the feature.

When using the DataProtection service to encrypt/decrypt data, we store the encryption keys in some distributed resource when using apps that run on distributed systems, so that decryption works on any of the machines. Currently, the library provides support for storing the keys in Azure Blob storage (and Redis as well).

In one of my projects, I needed to encrypt an auth token that we were storing in Azure Cosmos Db. We use Azure Cosmos Db as a distributed token caching resource, a feature provided by MSAL (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-acquire-cache-tokens). To let different machines use the stored tokens by decrypting them, I needed to store the encryption keys on the same resource as well, but the library supports only Redis and Blob storage as Azure resources. I had to write a custom builder extension to add support for writing encryption keys to Azure Cosmos Db.

Similar to StackExchangeRedis, I had implemented an extension for reading and writing encryption keys to Azure Cosmos Db by implementing the IXmlRepository interface for Cosmos Db. The client can use an extension similar to PersistKeysToStackExchangeRedis or PersistKeysToAzureBlobStorage for Cosmos Db and provide container information in the builder method. This change has been deployed and tested in our solution and it works as expected.

MandeepShahi avatar Oct 19 '22 11:10 MandeepShahi
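The design the issue describes (an IXmlRepository backed by a Cosmos container, exposed through a builder extension shaped like PersistKeysToAzureBlobStorage) looks roughly like the following. This is an added illustration, not the issue author's code and not part of any Azure SDK package; the document shape (`KeyRingDocument`), the fixed partition value, the extension name `PersistKeysToAzureCosmosDb` and the vault URL are assumptions. It uses only public APIs of Microsoft.AspNetCore.DataProtection and Microsoft.Azure.Cosmos.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using System.Xml.Linq;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.Azure.Cosmos;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical document shape: one Cosmos item per key-ring element.
internal sealed class KeyRingDocument
{
    public string id { get; set; }        // friendlyName from DataProtection, e.g. "key-<guid>"
    public string partition { get; set; } // fixed value so the whole key ring lives in one partition
    public string xml { get; set; }       // serialized <key> or <revocation> element
}

// Assumed implementation of IXmlRepository over a Cosmos container.
public sealed class CosmosXmlRepository : IXmlRepository
{
    private const string PartitionValue = "dataprotection-keys"; // constructed partition key value
    private readonly Container _container;

    public CosmosXmlRepository(Container container) => _container = container;

    // IXmlRepository is synchronous, so the async Cosmos calls are awaited here.
    public IReadOnlyCollection<XElement> GetAllElements() =>
        GetAllElementsAsync().GetAwaiter().GetResult();

    private async Task<IReadOnlyCollection<XElement>> GetAllElementsAsync()
    {
        var query = new QueryDefinition("SELECT * FROM c WHERE c.partition = @p")
            .WithParameter("@p", PartitionValue);
        var options = new QueryRequestOptions { PartitionKey = new PartitionKey(PartitionValue) };
        var elements = new List<XElement>();

        using FeedIterator<KeyRingDocument> iterator =
            _container.GetItemQueryIterator<KeyRingDocument>(query, requestOptions: options);
        while (iterator.HasMoreResults)
        {
            foreach (KeyRingDocument doc in await iterator.ReadNextAsync())
                elements.Add(XElement.Parse(doc.xml));
        }
        return elements.AsReadOnly();
    }

    public void StoreElement(XElement element, string friendlyName)
    {
        var doc = new KeyRingDocument
        {
            // friendlyName may be null; fall back to a generated id so the item is still unique.
            id = string.IsNullOrEmpty(friendlyName) ? Guid.NewGuid().ToString("N") : friendlyName,
            partition = PartitionValue,
            xml = element.ToString(SaveOptions.DisableFormatting),
        };
        // Upsert so a rewrite under the same friendly name replaces rather than conflicts.
        _container.UpsertItemAsync(doc, new PartitionKey(PartitionValue)).GetAwaiter().GetResult();
    }
}

public static class CosmosDataProtectionBuilderExtensions
{
    // Mirrors the shape of PersistKeysToAzureBlobStorage / PersistKeysToStackExchangeRedis.
    public static IDataProtectionBuilder PersistKeysToAzureCosmosDb(
        this IDataProtectionBuilder builder, CosmosClient client, string databaseId, string containerId)
    {
        Container container = client.GetContainer(databaseId, containerId);
        builder.Services.Configure<KeyManagementOptions>(o => o.XmlRepository = new CosmosXmlRepository(container));
        return builder;
    }
}

public static class DataProtectionSetup
{
    // Example registration; the vault URL is a placeholder.
    public static void ConfigureDataProtection(IServiceCollection services, CosmosClient cosmosClient)
    {
        services.AddDataProtection()
            .PersistKeysToAzureCosmosDb(cosmosClient, "dataprotection", "keyring")
            // The repository only persists the key ring; without a ProtectKeysWith* call the
            // <key> elements hold unwrapped key material, readable by anyone with container access.
            .ProtectKeysWithAzureKeyVault(
                new Uri("https://<your-vault>.vault.azure.net/keys/<key-name>"),
                new DefaultAzureCredential());
    }
}
```

The registration pairs the repository with ProtectKeysWithAzureKeyVault (from Azure.Extensions.AspNetCore.DataProtection.Keys) because a repository decides only where the key ring is stored, not whether its contents are encrypted; with Cosmos holding both the cached tokens and the keys that protect them, wrapping the key material with a Key Vault key keeps container read access from being sufficient to decrypt the tokens.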

Label prediction was below confidence level 0.6 for Model:ServiceLabels: 'Cosmos:0.52013224,Extensions:0.21414265,Storage:0.12534481'

azure-sdk avatar Oct 19 '22 11:10 azure-sdk

Hi @MandeepShahi. Thank you for your suggestion. This is not something that we're likely to be able to take on in the short-term, but I've added it to our backlog for future consideration.

jsquire avatar Oct 19 '22 12:10 jsquire

Hi @jsquire, can I take up this change? I'd be happy to contribute if permitted. I'd already implemented this in our solution and tested it!!

MandeepShahi avatar Oct 22 '22 11:10 MandeepShahi

@MandeepShahi : By all means! We very much appreciate contributions. The tricky part here, I believe, will be determining how we want to package things, given that there is no Cosmos library that follows the guidelines for the current generation of Azure SDK packages.

@KrzysztofCwalina, @tg-msft: Your insight would be very much appreciated.

//fyi: @JoshLove-msft

jsquire avatar Oct 24 '22 13:10 jsquire

@jsquire, should we do the same as we have done for Azure Blob storage? Write the extension and package it in something like Azure.Extensions.AspNetCore.DataProtection.Cosmos?

MandeepShahi avatar Oct 25 '22 17:10 MandeepShahi

@MandeepShahi : I'd wait for feedback from the folks that I mentioned above. We'd be potentially crossing generations of the SDK, and I want to be sure that our architects would approve before taking action so that we don't ask you to do something that we can't get approved.

jsquire avatar Oct 25 '22 18:10 jsquire

Hi @jsquire, any updates on this?

MandeepShahi avatar Nov 09 '22 11:11 MandeepShahi

After offline discussion, the Azure SDK team is going to decline adding this as a new library due to not having a Cosmos package from the current Azure SDK generation. Closing this out.

jsquire avatar Nov 23 '22 20:11 jsquire