Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

IdentityShroud.Core/Services/DekEncryptionService.cs

@@ -0,0 +1,38 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Services;
+
+/// <summary>
+/// 
+/// </summary>
+public class DekEncryptionService : IDekEncryptionService
+{
+    // Note this array is expected to have one item in it most of the during key rotation it will have two
+    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
+    private readonly KeyEncryptionKey[] _encryptionKeys;
+
+    private KeyEncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
+    private KeyEncryptionKey GetKey(KekId keyId) => _encryptionKeys.Single(k => k.Id == keyId);
+
+    public DekEncryptionService(ISecretProvider secretProvider)
+    {
+        _encryptionKeys = secretProvider.GetKeys("master");
+        // if (_encryptionKey.Length != 32) // 256‑bit key
+        //     throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
+    }
+
+    public EncryptedDek Encrypt(ReadOnlyMemory<byte> plaintext)
+    {
+        var encryptionKey = ActiveKey;
+        byte[] cipher = Encryption.Encrypt(plaintext, encryptionKey.Key);
+        return new (encryptionKey.Id, cipher);
+    }
+
+    public byte[] Decrypt(EncryptedDek input)
+    {
+        var encryptionKey = GetKey(input.KekId);
+
+        return Encryption.Decrypt(input.Value, encryptionKey.Key);
+    }
+}