
I'm encrypting a db using Always Encrypted with the master key in the software ksp.

The key is created with CngKey.Create, and I can also export it, but I'm stuck after that. Using CngKey.Import creates a non-named key, meaning IsEphemeral=true, so the key gets destroyed when there are no more handles.

How can I import the key as a named key that will be persisted?

The ultimate goal is to be able to export the key used as the master encryption key with the db and give that along with the db backup to party x who wants to use the db. The tool should then recreate the key in party x's machine.

Swifty

2 Answers


I believe (based on vague recollection and a similar answer) that you can make Create import at the same time, unless it's an encrypted PKCS#8.

byte[] exported = key.Export(blobType);

Send exported and blobType to somewhere else.

var keyParams = new CngKeyCreationParameters();
// whatever else you want to assign here.

// Add an import to the create step.
// CngKeyCreationParameters exposes the extra NCrypt properties as "Parameters".
keyParams.Parameters.Add(new CngProperty(blobType.Format, exported, CngPropertyOptions.None));

CngKey key = CngKey.Create(algorithm, keyName, keyParams);
bartonjs
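The two halves of that sketch written out end to end, as an added example that is not code from the question or the answer: the source machine creates an exportable RSA key in the software KSP and exports it, and party x's machine re-creates it under the same name with the blob attached as a creation property. The key name, the use of GenericPrivateBlob, and the assumption that the software provider accepts that blob property at create time are mine; the IsEphemeral check at the end is what tells you whether the persisted import actually worked.

```csharp
using System;
using System.Security.Cryptography;

// Added example (assumptions: RSA-2048 column master key in the Microsoft
// Software Key Storage Provider, key name "AlwaysEncryptedCMK" is a placeholder).
static class PersistedKeyTransfer
{
    const string KeyName = "AlwaysEncryptedCMK";
    static readonly CngProvider Ksp = CngProvider.MicrosoftSoftwareKeyStorageProvider;
    static readonly CngKeyBlobFormat Blob = CngKeyBlobFormat.GenericPrivateBlob;

    // Source machine. The key must be created exportable or Export() throws.
    // The returned bytes are the plaintext private key: protect them in transit
    // and at rest, and hand them only to the party that is meant to hold the CMK.
    public static byte[] CreateAndExport()
    {
        var p = new CngKeyCreationParameters
        {
            Provider = Ksp,
            ExportPolicy = CngExportPolicies.AllowPlaintextExport,
            KeyUsage = CngKeyUsages.Decryption
        };
        // "Length" is the NCrypt key-length property; 2048 bits for the RSA key.
        p.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));
        using (CngKey k = CngKey.Create(CngAlgorithm.Rsa, KeyName, p))
            return k.Export(Blob);
    }

    // Party x's machine. Create() with a name persists the key; attaching the
    // exported blob as a property (named after the blob format) turns the
    // create into an import, unlike CngKey.Import, which is always ephemeral.
    public static CngKey ImportAsPersisted(byte[] exported)
    {
        if (CngKey.Exists(KeyName, Ksp))
            throw new InvalidOperationException(KeyName + " already exists; refusing to overwrite.");
        var p = new CngKeyCreationParameters
        {
            Provider = Ksp,
            ExportPolicy = CngExportPolicies.None, // no further export from party x's KSP
            KeyUsage = CngKeyUsages.Decryption
        };
        p.Parameters.Add(new CngProperty(Blob.Format, exported, CngPropertyOptions.None));
        CngKey k = CngKey.Create(CngAlgorithm.Rsa, KeyName, p);
        if (k.IsEphemeral) // assumption above did not hold for this provider
        {
            k.Dispose();
            throw new CryptographicException("Key was created but not persisted.");
        }
        return k; // k.KeyName == KeyName, survives process exit
    }
}
```

Run CreateAndExport() on the source machine and ImportAsPersisted() with the same bytes on the target; afterwards CngKey.Open(KeyName, Ksp) succeeds in a fresh process if the import was persisted.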

CngKey.Create has an overload that takes a name.

The linked documents say:

If keyName is provided, this overload creates a persisted key

Richard
  • Yes, I'm aware of this; I want to recreate the key on a different machine. So I need to create a key with a specific private key. – Swifty Jun 14 '18 at 12:08
  • @Swifty OK, from the class overview: "This class wraps NCrypt keys, not BCrypt keys. NCrypt is a subset of CNG that provides key storage functionality. BCrypt is a subset that provides base cryptographic services such as random number generation, hash functions, signatures, and encryption keys". So likely `CngKey` is not the right starting point. You probably should be looking at certificates (as a tool for storing and sharing key pairs). – Richard Jun 14 '18 at 12:17