Sample application that can be used as a guide to using the C# Asherah SDK.
Current implementation shows a simple encrypt/decrypt use of the library. The Metastore and KMS implementations used are based on parameters specified via command-line args. A basic Crypto Policy is being used.
Future updates as the library evolves:
- Additional usage example utilizing more robust metadata and data storage handling by the library
Running dotnet publish will generate the required dll.
Example showing CLI options:
[user@machine ReferenceApp]$ dotnet bin/Debug/netcoreapp2.0/ReferenceApp.dll --helpExample run using defaults (in-memory metastore, static KMS, console metrics only):
[user@machine ReferenceApp]$ dotnet bin/Debug/netcoreapp2.0/ReferenceApp.dllExample run using ADO persistence and AWS KMS and 100 iterations:
[user@machine ReferenceApp]$ dotnet bin/Debug/netcoreapp2.0/ReferenceApp.dll \
--metastore-type ADO \
--ado-connection-string <AdoConnectionString> \
--kms-type AWS \
--preferred-region <preferredRegion> \
--region-arn-tuples <region1=arn_of_kms_key_for_region1,region2=arn_of_kms_key_for_region2, ...> \
--iterations 100The ReferenceApp can be tested/used in a docker container having only the dotnetcore runtime environment.
# Generate the build container docker image
[user@machine ReferenceApp]$ docker build images/build/
# Use the generated image to publish the packages
[user@machine ReferenceApp]$ docker run -it --rm -v $HOME/.nuget:/home/jenkins/.nuget -v "$PWD":/usr/app/src -w /usr/app/src --ulimit memlock=-1:-1 --ulimit core=-1:-1 <generated-image-id> dotnet clean -c Release && dotnet publish -c Release
# Build the runtime docker image using published packages
[user@machine ReferenceApp]$ docker build -f images/runtime/Dockerfile .
# Run the image in a read-only container
[user@machine ReferenceApp]$ docker run -it --read-only <runtime-generated-image-id>- Add an
appsettings.jsonfile to your project with the following content
{
"mlock": "disabled"
}- Package it with your project by adding the following lines to your
csprojfile
<ItemGroup>
<None Update="appsettings.json">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
</ItemGroup>
NOTE: This will disable the mlock protection that Asherah provides. While this can be used in environments where the lockable memory is limited, such as in AWS Lambda, this is not recommended for general use.
- Both the
SessionFactoryand theSessionsession classes implement the IDisposable interface for easy resource management. - The
SessionFactoryclass is intended to have as large of scope as possible to leverage caching and minimize resource usage. If your service/app is responsible for only one service, then ideally use a global instance. If it hosts multiple services, then ideally have one instance per product id and system id pairing.
To run the reference app with external metastores or KMS implementations, some additional setup may be required as specified below.
To use the ADO-compliant Metastore included with the App Encryption library, the following table should be created:
CREATE TABLE encryption_key (
id VARCHAR(255) NOT NULL,
created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
key_record TEXT NOT NULL,
PRIMARY KEY (id, created),
INDEX (created)
);
NOTE: The above schema is known to work properly with MySQL. Adjust the schema data types for other database vendors accordingly. As we officially integrate with teams using other database vendors, we will add more vendor-specific schemas as needed.
To use the DynamoDB Metastore included with the App Encryption library, the following table should be created:
[user@machine ReferenceApp]$ aws dynamodb create-table \
--table-name EncryptionKey \
--key-schema \
AttributeName=Id,KeyType=HASH \
AttributeName=Created,KeyType=RANGE \
--attribute-definitions \
AttributeName=Id,AttributeType=S \
AttributeName=Created,AttributeType=N \
--provisioned-throughput \
ReadCapacityUnits=1,WriteCapacityUnits=1To use Global Tables, the above table needs to be created with few modifications.
More details about how to create a Global Table can be found in the AWS Developer Guide
Example run using DynamoDB metastore with key suffixes enabled (for Global Tables), a custom table name, and a local DynamoDB endpoint.
[user@machine ReferenceApp]$ dotnet bin/Debug/netcoreapp2.0/ReferenceApp.dll \
--metastore-type DYNAMODB \
--enable-key-suffix \
--dynamodb-endpoint http://localhost:8000 \
--dynamodb-signing-region us-west-2 \
--dynamodb-table-name MyGlobalTableConfiguration options are provided via command-line arguments. Supported options are as follows:
-m, --metastore-type (Default: MEMORY) Type of metastore to use. Enum values: MEMORY, ADO, DYNAMODB
-e, --dynamodb-endpoint The DynamoDb service endpoint (only supported by DYNAMODB)
-r, --dynamodb-region The AWS region for DynamoDB requests (only supported by DYNAMODB)
-t, --dynamodb-table-name The table name for DynamoDb (only supported by DYNAMODB)
-s, --key-suffix Configure the metastore to use key suffixes (only supported by DYNAMODB)
-a, --ado-connection-string ADO connection string to use for an ADO metastore. Required for ADO metastore.
-k, --kms-type (Default: STATIC) Type of key management service to use. Enum values: STATIC, AWS
-p, --preferred-region Preferred region to use for KMS if using AWS KMS. Required for AWS KMS.
--region-arn-tuples Comma separated list of <region>=<kms_arn> tuples. Required for AWS KMS.
-i, --iterations (Default: 1) Number of encrypt/decrypt iterations to run
-c, --enable-cw Enable CloudWatch Metrics output
-d, --drr DRR to be decrypted
--help Display this help screen.
--version Display version information.