eelke/IdentityShroud
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

5-improve-encrypted-storage (#6)

Browse source 
Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation.

Co-authored-by: eelke <eelke@eelkeklein.nl>
Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com>
Reviewed-on: #6
This commit is contained in:
eelke 2026-02-27 17:57:42 +00:00
parent 138f335af0
commit 07393f57fc
87 changed files with 1903 additions and 533 deletions
Download patch file Download diff file Expand all files Collapse all files

41
IdentityShroud.Core/Db.cs
View file

@ -1,5 +1,7 @@
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
@ -16,9 +18,44 @@ public class Db(
ILoggerFactory? loggerFactory)
: DbContext
{
public virtual DbSet<Client> Clients { get; set; }
public virtual DbSet<Realm> Realms { get; set; }
public virtual DbSet<Key> Keys { get; set; }
public virtual DbSet<RealmKey> Keys { get; set; }
public virtual DbSet<RealmDek> Deks { get; set; }
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
var dekIdConverter = new ValueConverter<DekId, Guid>(
id => id.Id,
guid => new DekId(guid));
var kekIdConverter = new ValueConverter<KekId, Guid>(
id => id.Id,
guid => new KekId(guid));
modelBuilder.Entity<RealmDek>()
.Property(d => d.Id)
.HasConversion(dekIdConverter);
modelBuilder.Entity<RealmDek>()
.OwnsOne(d => d.KeyData, keyData =>
{
keyData.Property(k => k.KekId).HasConversion(kekIdConverter);
});
modelBuilder.Entity<RealmKey>()
.OwnsOne(k => k.Key, key =>
{
key.Property(k => k.KekId).HasConversion(kekIdConverter);
});
modelBuilder.Entity<ClientSecret>()
.OwnsOne(c => c.Secret, secret =>
{
secret.Property(s => s.DekId).HasConversion(dekIdConverter);
});
}
protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
optionsBuilder.UseNpgsql("<connection string>");