Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

2026-02-26 16:53:02 +01:00 · 2026-02-26 16:53:02 +01:00 · 650fe99990
commit 650fe99990
parent 644b005f2a
36 changed files with 399 additions and 129 deletions
--- a/IdentityShroud.Core/Services/ClientService.cs
+++ b/IdentityShroud.Core/Services/ClientService.cs
@ -7,7 +7,7 @@ namespace IdentityShroud.Core.Services;

 public class ClientService(
    Db db,
-    IEncryptionService cryptor,
+    IDataEncryptionService cryptor,
    IClock clock) : IClientService
 {
    public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)
@ -52,12 +52,13 @@ public class ClientService(

    private ClientSecret CreateSecret()
    {
-        byte[] secret = RandomNumberGenerator.GetBytes(24);
+        Span<byte> secret = stackalloc byte[24];
+        RandomNumberGenerator.Fill(secret);

        return new ClientSecret()
        {
            CreatedAt = clock.UtcNow(),
-            Secret = cryptor.Encrypt(secret),
+            Secret = cryptor.Encrypt(secret.ToArray()),
        };

    }