Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

IdentityShroud.Core/Contracts/IDataEncryptionService.cs

@@ -1,6 +1,8 @@
+using IdentityShroud.Core.Security;
+
 namespace IdentityShroud.Core.Contracts;
 
-public interface IEncryptionService
+public interface IDataEncryptionService
 {
     EncryptedValue Encrypt(ReadOnlyMemory<byte> plain);
     byte[] Decrypt(EncryptedValue input);

IdentityShroud.Core/Contracts/IDekEncryptionService.cs

@@ -0,0 +1,11 @@
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Contracts;
+
+
+
+public interface IDekEncryptionService
+{
+    EncryptedDek Encrypt(ReadOnlyMemory<byte> plain);
+    byte[] Decrypt(EncryptedDek input);
+}

IdentityShroud.Core/Contracts/IRealmContext.cs

@@ -0,0 +1,9 @@
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IRealmContext
+{
+    public Realm GetRealm();
+    Task<IList<RealmDek>> GetDeks(CancellationToken ct = default);
+}

IdentityShroud.Core/Contracts/IRealmService.cs

@@ -11,4 +11,5 @@ public interface IRealmService
         
     Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default);
     Task LoadActiveKeys(Realm realm);
+    Task LoadDeks(Realm realm);
 }

IdentityShroud.Core/Contracts/ISecretProvider.cs

@@ -1,3 +1,5 @@
+using IdentityShroud.Core.Security;
+
 namespace IdentityShroud.Core.Contracts;
 
 public interface ISecretProvider
@@ -8,5 +10,5 @@ public interface ISecretProvider
     /// Should return one active key, might return inactive keys.
     /// </summary>
     /// <returns></returns>
-    EncryptionKey[] GetKeys(string name);
+    KeyEncryptionKey[] GetKeys(string name);
 }

IdentityShroud.Core/Db.cs

@@ -1,5 +1,7 @@
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
@@ -19,7 +21,41 @@ public class Db(
     public virtual DbSet<Client> Clients { get; set; }
     public virtual DbSet<Realm> Realms { get; set; }
     public virtual DbSet<RealmKey> Keys { get; set; }
-    
+    public virtual DbSet<RealmDek> Deks { get; set; }
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        var dekIdConverter = new ValueConverter<DekId, Guid>(
+            id => id.Id,
+            guid => new DekId(guid));
+
+        var kekIdConverter = new ValueConverter<KekId, Guid>(
+            id => id.Id,
+            guid => new KekId(guid));
+
+        modelBuilder.Entity<RealmDek>()
+            .Property(d => d.Id)
+            .HasConversion(dekIdConverter);
+
+        modelBuilder.Entity<RealmDek>()
+            .OwnsOne(d => d.KeyData, keyData =>
+            {
+                keyData.Property(k => k.KekId).HasConversion(kekIdConverter);
+            });
+
+        modelBuilder.Entity<RealmKey>()
+            .OwnsOne(k => k.Key, key =>
+            {
+                key.Property(k => k.KekId).HasConversion(kekIdConverter);
+            });
+
+        modelBuilder.Entity<ClientSecret>()
+            .OwnsOne(c => c.Secret, secret =>
+            {
+                secret.Property(s => s.DekId).HasConversion(dekIdConverter);
+            });
+    }
+
     protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
     {
         optionsBuilder.UseNpgsql("<connection string>");

IdentityShroud.Core/IdentityShroud.Core.csproj

@@ -12,6 +12,7 @@
       <PackageReference Include="FluentValidation" Version="12.1.1" />
       <PackageReference Include="jose-jwt" Version="5.2.0" />
       <PackageReference Include="LanguageExt.Core" Version="4.4.9" />
+      <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.3.9" />
       <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
       <PackageReference Include="Microsoft.AspNetCore.WebUtilities" Version="10.0.2" />
       <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />

IdentityShroud.Core/Model/ClientSecret.cs

@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
 
 namespace IdentityShroud.Core.Model;
 

IdentityShroud.Core/Model/Realm.cs

@@ -21,9 +21,20 @@ public class Realm
 
     public List<RealmKey> Keys { get; init; } = [];
 
+    public List<RealmDek> Deks { get; init; } = [];
+
     /// <summary>
     /// Can be overriden per client
     /// </summary>
     public string DefaultSignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
-    
+}
+
+[Table("realm_dek")]
+public record RealmDek
+{
+    public required DekId Id { get; init; }
+    public required bool Active { get; init; }
+    public required string Algorithm { get; init; }
+    public required EncryptedDek KeyData { get; init; }
+    public required Guid RealmId { get; init; }
 }

IdentityShroud.Core/Model/RealmKey.cs

@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Model;
@@ -12,7 +13,7 @@ public record RealmKey
     public required string KeyType { get; init; }
 
     
-    public required EncryptedValue Key { get; init; }
+    public required EncryptedDek Key { get; init; }
     public required DateTime CreatedAt { get; init; }
     public DateTime? RevokedAt { get; set; }
 

IdentityShroud.Core/Security/ConfigurationSecretProvider.cs

@@ -15,8 +15,8 @@ public class ConfigurationSecretProvider(IConfiguration configuration) : ISecret
         return secrets.GetValue<string>(name) ?? "";
     }
 
-    public EncryptionKey[] GetKeys(string name)
+    public KeyEncryptionKey[] GetKeys(string name)
     {
-        return secrets.GetSection(name).Get<EncryptionKey[]>() ?? [];
+        return secrets.GetSection(name).Get<KeyEncryptionKey[]>() ?? [];
     }
 }

IdentityShroud.Core/Security/DekId.cs

@@ -0,0 +1,6 @@
+namespace IdentityShroud.Core.Security;
+
+public record struct DekId(Guid Id)
+{
+    public static DekId NewId() => new(Guid.NewGuid());
+}

IdentityShroud.Core/Security/EncryptedDek.cs

@@ -0,0 +1,6 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace IdentityShroud.Core.Security;
+
+[Owned]
+public record EncryptedDek(KekId KekId, byte[] Value);

IdentityShroud.Core/Security/EncryptedValue.cs

@@ -1,6 +1,8 @@
 using Microsoft.EntityFrameworkCore;
 
-namespace IdentityShroud.Core.Contracts;
+namespace IdentityShroud.Core.Security;
 
 [Owned]
-public record EncryptedValue(string KeyId, byte[] Value);
+public record EncryptedValue(DekId DekId, byte[] Value);
+
+

IdentityShroud.Core/Security/Encryption.cs

@@ -1,36 +1,18 @@
 using System.Security.Cryptography;
-using IdentityShroud.Core.Contracts;
 
-namespace IdentityShroud.Core.Services;
+namespace IdentityShroud.Core.Security;
 
-/// <summary>
-/// 
-/// </summary>
-public class EncryptionService : IEncryptionService
+public static class Encryption
 {
-    private record struct AlgVersion(int NonceSize, int TagSize);
+    private record struct AlgVersion(int Version, int NonceSize, int TagSize);
 
-    private AlgVersion[] _versions = 
+    private static AlgVersion[] _versions = 
     [
-        new(0, 0), // version 0 does not realy exist
-        new (12, 16), // version 1
+        new(0, 0, 0), // version 0 does not realy exist
+        new(1, 12, 16), // version 1
     ];
     
-    // Note this array is expected to have one item in it most of the during key rotation it will have two
-    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
-    private readonly EncryptionKey[] _encryptionKeys;
-
-    private EncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
-    private EncryptionKey GetKey(string keyId) => _encryptionKeys.Single(k => k.Id == keyId);
-
-    public EncryptionService(ISecretProvider secretProvider)
-    {
-        _encryptionKeys = secretProvider.GetKeys("master");
-        // if (_encryptionKey.Length != 32) // 256‑bit key
-        //     throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
-    }
-
-    public EncryptedValue Encrypt(ReadOnlyMemory<byte> plaintext)
+    public static byte[] Encrypt(ReadOnlyMemory<byte> plaintext, ReadOnlySpan<byte> key)
     {
         const int versionNumber = 1; 
         AlgVersion versionParams = _versions[versionNumber];
@@ -39,7 +21,7 @@ public class EncryptionService : IEncryptionService
         // allocate buffer for complete response 
         var result = new byte[resultSize];
         
-        result[0] = (byte)versionNumber;
+        result[0] = (byte)versionParams.Version;
 
         // make the spans that point to the parts of the result where their data is located
         var nonce = result.AsSpan(1, versionParams.NonceSize); 
@@ -48,18 +30,14 @@ public class EncryptionService : IEncryptionService
 
         // use the spans to place the data directly in its place
         RandomNumberGenerator.Fill(nonce);
-        var encryptionKey = ActiveKey;
-        using var aes = new AesGcm(encryptionKey.Key, versionParams.TagSize);
+        using var aes = new AesGcm(key, versionParams.TagSize);
         aes.Encrypt(nonce, plaintext.Span, cipher, tag);
-
-        return new (encryptionKey.Id, result);
+        return result;
     }
-
-    public byte[] Decrypt(EncryptedValue input)
+    
+    public static byte[] Decrypt(ReadOnlyMemory<byte> input, ReadOnlySpan<byte> key)
     {
-        var encryptionKey = GetKey(input.KeyId);
-        
-        var payload = input.Value.AsSpan();
+        var payload = input.Span;
         int versionNumber = (int)payload[0];
         if (versionNumber != 1)
             throw new ArgumentException("Invalid payload");
@@ -76,7 +54,7 @@ public class EncryptionService : IEncryptionService
 
         byte[] plaintext = new byte[cipher.Length];
 
-        using var aes = new AesGcm(encryptionKey.Key, versionParams.TagSize);
+        using var aes = new AesGcm(key, versionParams.TagSize);
         try
         {
             aes.Decrypt(nonce, cipher, tag, plaintext);

IdentityShroud.Core/Security/EncryptionKey.cs

@@ -1,4 +0,0 @@
-namespace IdentityShroud.Core.Contracts;
-
-// Contains an encryption key and associated relevant data
-public record EncryptionKey(string Id, bool Active, string Algorithm, byte[] Key);

IdentityShroud.Core/Security/KekId.cs

@@ -0,0 +1,41 @@
+using System.ComponentModel;
+using System.Globalization;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace IdentityShroud.Core.Security;
+
+[JsonConverter(typeof(KekIdJsonConverter))]
+[TypeConverter(typeof(KekIdTypeConverter))]
+public readonly record struct KekId
+{
+    public Guid Id { get; } 
+
+    public KekId(Guid id)
+    {
+        Id = id;
+    }
+
+    public static KekId NewId()
+    {
+        return new KekId(Guid.NewGuid());
+    }
+}
+
+public class KekIdJsonConverter : JsonConverter<KekId>
+{
+    public override KekId Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+        => new KekId(reader.GetGuid());
+
+    public override void Write(Utf8JsonWriter writer, KekId value, JsonSerializerOptions options)
+        => writer.WriteStringValue(value.Id);
+}
+
+public class KekIdTypeConverter : TypeConverter
+{
+    public override bool CanConvertFrom(ITypeDescriptorContext? context, Type sourceType)
+        => sourceType == typeof(string) || base.CanConvertFrom(context, sourceType);
+
+    public override object? ConvertFrom(ITypeDescriptorContext? context, CultureInfo? culture, object value)
+        => value is string s ? new KekId(Guid.Parse(s)) : base.ConvertFrom(context, culture, value);
+}

IdentityShroud.Core/Security/KeyEncryptionKey.cs

@@ -0,0 +1,10 @@
+namespace IdentityShroud.Core.Security;
+
+/// <summary>
+/// Contains a KEK and associated relevant data. This structure
+/// </summary>
+/// <param name="Id"></param>
+/// <param name="Active"></param>
+/// <param name="Algorithm"></param>
+/// <param name="Key"></param>
+public record KeyEncryptionKey(KekId Id, bool Active, string Algorithm, byte[] Key);

IdentityShroud.Core/Services/ClientService.cs

@@ -7,7 +7,7 @@ namespace IdentityShroud.Core.Services;
 
 public class ClientService(
     Db db,
-    IEncryptionService cryptor,
+    IDataEncryptionService cryptor,
     IClock clock) : IClientService
 {
     public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)
@@ -52,12 +52,13 @@ public class ClientService(
 
     private ClientSecret CreateSecret()
     {
-        byte[] secret = RandomNumberGenerator.GetBytes(24);
+        Span<byte> secret = stackalloc byte[24];
+        RandomNumberGenerator.Fill(secret);
 
         return new ClientSecret()
         {
             CreatedAt = clock.UtcNow(),
-            Secret = cryptor.Encrypt(secret),
+            Secret = cryptor.Encrypt(secret.ToArray()),
         };
 
     }

IdentityShroud.Core/Services/DataEncryptionService.cs

@@ -0,0 +1,41 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Services;
+
+public class DataEncryptionService(
+    IRealmContext realmContext,
+    IDekEncryptionService dekCryptor) : IDataEncryptionService
+{
+    
+    // Note this array is expected to have one item in it most of the during key rotation it will have two
+    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
+    private IList<RealmDek>? _deks = null;
+
+    private IList<RealmDek> GetDeks()
+    {
+        if (_deks is null)
+            _deks = realmContext.GetDeks().Result;
+
+        return _deks;
+    }
+
+    private RealmDek GetActiveDek() => GetDeks().Single(d => d.Active);
+    private RealmDek GetKey(DekId id) => GetDeks().Single(d => d.Id == id);
+    
+    public byte[] Decrypt(EncryptedValue input)
+    {
+        var dek = GetKey(input.DekId);
+        var key = dekCryptor.Decrypt(dek.KeyData);
+        return Encryption.Decrypt(input.Value, key);
+    }
+
+    public EncryptedValue Encrypt(ReadOnlyMemory<byte> plain)
+    {
+        var dek = GetActiveDek();
+        var key = dekCryptor.Decrypt(dek.KeyData);
+        byte[] cipher = Encryption.Encrypt(plain, key);
+        return new (dek.Id, cipher);
+    }
+}

IdentityShroud.Core/Services/DekEncryptionService.cs

@@ -0,0 +1,38 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Services;
+
+/// <summary>
+/// 
+/// </summary>
+public class DekEncryptionService : IDekEncryptionService
+{
+    // Note this array is expected to have one item in it most of the during key rotation it will have two
+    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
+    private readonly KeyEncryptionKey[] _encryptionKeys;
+
+    private KeyEncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
+    private KeyEncryptionKey GetKey(KekId keyId) => _encryptionKeys.Single(k => k.Id == keyId);
+
+    public DekEncryptionService(ISecretProvider secretProvider)
+    {
+        _encryptionKeys = secretProvider.GetKeys("master");
+        // if (_encryptionKey.Length != 32) // 256‑bit key
+        //     throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
+    }
+
+    public EncryptedDek Encrypt(ReadOnlyMemory<byte> plaintext)
+    {
+        var encryptionKey = ActiveKey;
+        byte[] cipher = Encryption.Encrypt(plaintext, encryptionKey.Key);
+        return new (encryptionKey.Id, cipher);
+    }
+
+    public byte[] Decrypt(EncryptedDek input)
+    {
+        var encryptionKey = GetKey(input.KekId);
+
+        return Encryption.Decrypt(input.Value, encryptionKey.Key);
+    }
+}

IdentityShroud.Core/Services/KeyService.cs

@@ -6,7 +6,7 @@ using IdentityShroud.Core.Security.Keys;
 namespace IdentityShroud.Core.Services;
 
 public class KeyService(
-    IEncryptionService cryptor,
+    IDekEncryptionService cryptor,
     IKeyProviderFactory keyProviderFactory,
     IClock clock) : IKeyService
 {

IdentityShroud.Core/Services/RealmContext.cs

@@ -0,0 +1,26 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using Microsoft.AspNetCore.Http;
+
+namespace IdentityShroud.Core.Services;
+
+public class RealmContext(
+    IHttpContextAccessor accessor,
+    IRealmService realmService) : IRealmContext
+{
+    public Realm GetRealm()
+    {
+        return (Realm)accessor.HttpContext.Items["RealmEntity"];
+    }
+
+    public async Task<IList<RealmDek>> GetDeks(CancellationToken ct = default)
+    {
+        Realm realm = GetRealm();
+        if (realm.Deks.Count == 0)
+        {
+            await realmService.LoadDeks(realm);
+        }
+
+        return realm.Deks;
+    }
+}

IdentityShroud.Core/Services/RealmService.cs

@@ -58,6 +58,12 @@ public class RealmService(
             .Query()
             .Where(k => k.RevokedAt == null)
             .LoadAsync();
-        
+    }
+
+    public async Task LoadDeks(Realm realm)
+    {
+        await db.Entry(realm).Collection(r => r.Deks)
+            .Query()
+            .LoadAsync();
     }
 }