How to store private and public keys in Azure Key Vault to make end-to-end encryption

Enes Sahin 1 Reputation point
2022-01-18T17:43:02.477+00:00

Hi all

I've been developing a real-time chat application with React.js. What I'm after is implementing end-to-end encryption to secure user messages. For that I started checking the Azure Key Vault service and trying to figure out how to store these keys (private/public) and keep them between user sessions. Also, since we want to use two keys (public/private), it seems like RSA is the key type I need to create?

If anyone could give suggestions I would appreciate it, since I'm trying to find the best secure way to decrypt messages on the client side.

Thanks!

Azure Key Vault

2 answers

  1. Siva-kumar-selvaraj 15,606 Reputation points
    2022-01-19T11:44:38.1+00:00

    Hello @Enes Sahin ,

    Thanks for reaching out.

    Your application can use keys for signing and encryption to keep the key management external from your application. Key Vault supports RSA and EC keys, and also supports Managed HSM RSA, EC, and symmetric keys.

    You could use APIs and SDKs to interact with Azure Key Vault as explained here. The ENCRYPT and DECRYPT operations encrypt and decrypt a well-formed block of ciphertext using the target encryption key and specified algorithm.

    Please find following examples for your reference:
    https://learn.microsoft.com/en-us/rest/api/keyvault/keys/decrypt/decrypt#examples
    https://learn.microsoft.com/en-us/rest/api/keyvault/keys/encrypt/encrypt#examples


    For more information, see About keys and Azure Key Vault developer's guide.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Enes Sahin 1 Reputation point
    2022-01-19T12:04:25.877+00:00

    @sikumars-msft Thank you for the response!

    I understand how I should use keys to encrypt/decrypt messages with Azure Key Vault. There is only one thing that I have doubts about:

    When users register in the app, we will create an RSA key per user. An RSA key basically has two keys, which are the public and private keys. Before a user sends a message, the receiver's public key will encrypt the message text, and it is sent to our API. Everything is fine up to there. The problem starts after that.

    The receiver needs to decrypt the cipherText with the private key on the client side. This private key should be accessible only to that user. I would consider storing the user's private key locally, maybe. But since Azure Key Vault doesn't allow downloading or retrieving the private key, the receiver needs to access it via the SDK. But the @azure/keyvault-keys SDK package doesn't work in the browser. So we need to add an API endpoint which serves the key ID to the client side. In order to achieve that, we still need to store the user's key ID in the database. All these ways look insecure to me?

    I would appreciate it if you could give some suggestions.

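The message flow described in the last post (a per-user RSA key pair, the sender encrypting with the receiver's public key, the receiver decrypting with the private key), as an added example that is not part of the original thread or of any Azure SDK. It goes one step beyond the post by wrapping a one-time AES-256-GCM key with RSA-OAEP, because RSA-OAEP alone cannot encrypt messages of chat length. It assumes Node.js's built-in crypto module in place of browser or Key Vault calls, and all function names are hypothetical.

```javascript
// Added example: Node.js built-in crypto only; all names are illustrative.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
        createCipheriv, createDecipheriv, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Per-user RSA key pair. Assumption: it is generated on the user's own device,
// the private key stays there, and only the public key is uploaded.
function createUserKeyPair() {
  return generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side: RSA-OAEP (SHA-256) with a 2048-bit key encrypts at most 190
// bytes, so the message is encrypted with a one-time AES-256-GCM key and only
// that key is encrypted with the receiver's public key.
function encryptForReceiver(receiverPublicKey, plaintext) {
  const messageKey = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', messageKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: publicEncrypt({ key: receiverPublicKey, ...OAEP }, messageKey).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Receiver side: unwrap the message key with the private key, then decrypt.
// decipher.final() throws if the ciphertext or tag was modified in transit.
function decryptAsReceiver(receiverPrivateKey, envelope) {
  const messageKey = privateDecrypt({ key: receiverPrivateKey, ...OAEP },
                                    Buffer.from(envelope.wrappedKey, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', messageKey,
                                    Buffer.from(envelope.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  return Buffer.concat([decipher.update(Buffer.from(envelope.ciphertext, 'base64')),
                        decipher.final()]).toString('utf8');
}

// Constructed sample: the API in the middle only ever sees `envelope`.
function demo() {
  const receiver = createUserKeyPair();
  const message = 'constructed sample message '.repeat(20); // 540 bytes, over the RSA-OAEP limit
  const envelope = encryptForReceiver(receiver.publicKey, message);
  return { message, envelope, roundTrip: decryptAsReceiver(receiver.privateKey, envelope) };
}
```

The envelope contains nothing secret, so the relaying API and its database can store it as-is; only the holder of the matching private key can recover the message.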