IdentityShroud/IdentityShroud.Core/Services/DataEncryptionService.cs

using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;

namespace IdentityShroud.Core.Services;

public class DataEncryptionService(
    IRealmContext realmContext,
    IDekEncryptionService dekCryptor) : IDataEncryptionService
{
    
    // Note this array is expected to have one item in it most of the during key rotation it will have two
    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
    private IList<RealmDek>? _deks = null;

    private IList<RealmDek> GetDeks()
    {
        if (_deks is null)
            _deks = realmContext.GetDeks().Result;

        return _deks;
    }

    private RealmDek GetActiveDek() => GetDeks().Single(d => d.Active);
    private RealmDek GetKey(DekId id) => GetDeks().Single(d => d.Id == id);
    
    public byte[] Decrypt(EncryptedValue input)
    {
        var dek = GetKey(input.DekId);
        var key = dekCryptor.Decrypt(dek.KeyData);
        return Encryption.Decrypt(input.Value, key);
    }

    public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)
    {
        var dek = GetActiveDek();
        var key = dekCryptor.Decrypt(dek.KeyData);
        byte[] cipher = Encryption.Encrypt(plain, key);
        return new (dek.Id, cipher);
    }
}
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek. 2026-02-26 16:53:02 +01:00			`using IdentityShroud.Core.Contracts;`
			`using IdentityShroud.Core.Model;`
			`using IdentityShroud.Core.Security;`

			`namespace IdentityShroud.Core.Services;`

			`public class DataEncryptionService(`
			`IRealmContext realmContext,`
			`IDekEncryptionService dekCryptor) : IDataEncryptionService`
			`{`

			`// Note this array is expected to have one item in it most of the during key rotation it will have two`
			`// until it is ensured the old key can safely be removed. More then two will work but is not really expected.`
			`private IList<RealmDek>? _deks = null;`

			`private IList<RealmDek> GetDeks()`
			`{`
			`if (_deks is null)`
			`_deks = realmContext.GetDeks().Result;`

			`return _deks;`
			`}`

			`private RealmDek GetActiveDek() => GetDeks().Single(d => d.Active);`
			`private RealmDek GetKey(DekId id) => GetDeks().Single(d => d.Id == id);`

			`public byte[] Decrypt(EncryptedValue input)`
			`{`
			`var dek = GetKey(input.DekId);`
			`var key = dekCryptor.Decrypt(dek.KeyData);`
			`return Encryption.Decrypt(input.Value, key);`
			`}`

Pass Span instead of Memory 2026-02-26 20:39:48 +01:00			`public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)`
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek. 2026-02-26 16:53:02 +01:00			`{`
			`var dek = GetActiveDek();`
			`var key = dekCryptor.Decrypt(dek.KeyData);`
			`byte[] cipher = Encryption.Encrypt(plain, key);`
			`return new (dek.Id, cipher);`
			`}`
			`}`