Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

IdentityShroud.Core/Model/ClientSecret.cs

@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
 
 namespace IdentityShroud.Core.Model;
 

IdentityShroud.Core/Model/Realm.cs

@@ -21,9 +21,20 @@ public class Realm
 
     public List<RealmKey> Keys { get; init; } = [];
 
+    public List<RealmDek> Deks { get; init; } = [];
+
     /// <summary>
     /// Can be overriden per client
     /// </summary>
     public string DefaultSignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
-    
+}
+
+[Table("realm_dek")]
+public record RealmDek
+{
+    public required DekId Id { get; init; }
+    public required bool Active { get; init; }
+    public required string Algorithm { get; init; }
+    public required EncryptedDek KeyData { get; init; }
+    public required Guid RealmId { get; init; }
 }

IdentityShroud.Core/Model/RealmKey.cs

@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Model;
@@ -12,7 +13,7 @@ public record RealmKey
     public required string KeyType { get; init; }
 
     
-    public required EncryptedValue Key { get; init; }
+    public required EncryptedDek Key { get; init; }
     public required DateTime CreatedAt { get; init; }
     public DateTime? RevokedAt { get; set; }