The Basis Theory Azure KeyVault Emulator lets you mock interactions with Azure KeyVault while still using the official Azure KeyVault client.
Supported operations:

- Keys
  - Create Key
  - Get Key
  - Get Key by Version
  - Encrypt
  - Decrypt
  - Supported Algorithms
    - RSA1_5
    - RSA-OAEP
- Secrets
  - Set
  - Get Secret
  - Get Secret by Version
Azure's `KeyClient` requires HTTPS communication with a KeyVault instance.

When accessing the emulator on `localhost`, configure a trusted TLS certificate with `dotnet dev-certs`.

For accessing the emulator with a hostname other than `localhost`, a self-signed certificate needs to be generated and trusted by the client. See "Adding to docker-compose" for further instructions.
For the Azure KeyVault Emulator to be accessible from other containers in the same compose file, a new OpenSSL certificate has to be generated:

1. Replace `<emulator-hostname>` and run the following script to generate a new public/private keypair:

   ```sh
   openssl req \
     -x509 \
     -newkey rsa:4096 \
     -sha256 \
     -days 3560 \
     -nodes \
     -keyout <emulator-hostname>.key \
     -out <emulator-hostname>.crt \
     -subj '/CN=<emulator-hostname>' \
     -extensions san \
     -config <( \
       echo '[req]'; \
       echo 'distinguished_name=req'; \
       echo '[san]'; \
       echo 'subjectAltName=DNS.1:localhost,DNS.2:<emulator-hostname>')
   ```

2. Export a `.pfx` (PKCS#12) bundle from the public/private keypair generated in the previous step:

   ```sh
   openssl pkcs12 -export -out <emulator-hostname>.pfx \
     -inkey <emulator-hostname>.key \
     -in <emulator-hostname>.crt
   ```

   The export prompts for a password. If you set one, the emulator needs it too: Kestrel reads it from `ASPNETCORE_Kestrel__Certificates__Default__Password`, alongside the certificate path configured in step 4.

3. Trust the certificate in the login keychain (macOS `security` command):

   ```sh
   sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <emulator-hostname>.crt
   ```

4. Add a service to `docker-compose.yml` for Azure KeyVault Emulator:

   ```yaml
   version: '3.7'
   services:
     ...
     azure-keyvault-emulator:
       container_name: azure-keyvault-emulator
       image: basis-theory/azure-keyvault-emulator:latest
       ports:
         - 5001:5001
         - 5000:5000
       volumes:
         - <path-to-certs>:/https
       environment:
         - ASPNETCORE_URLS=https://+:5001;http://+:5000
         - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/<emulator-hostname>.pfx
         - KeyVault__Name=<emulator-hostname>
   ```

5. Modify the client application's entrypoint to add the self-signed certificate to the truststore. Example using `docker-compose.yml` to override the entrypoint:

   ```yaml
   version: '3.7'
   services:
     my-awesome-keyvault-client:
       container_name: my-awesome-client
       build:
         context: .
       depends_on:
         - azure-keyvault-emulator
       entrypoint: sh -c "cp /https/<emulator-hostname>.crt /usr/local/share/ca-certificates/<emulator-hostname>.crt && update-ca-certificates && exec <original-entrypoint>"
       volumes:
         - <path-to-certs>:/https
       environment:
         - KeyVault__BaseUrl=https://azure-keyvault-emulator:5001/
   ```
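The HTTPS requirement and the certificate steps above, as an added example that is not part of the emulator project: a POSIX shell script that generates the self-signed certificate and the PKCS#12 bundle for a hostname and then checks them the way the client container will after `update-ca-certificates` (the SAN really names the host, the certificate verifies as a trust anchor for that hostname and for `localhost`, and the bundle opens with the password Kestrel will be given). The function names, the `san.cnf` file, the non-interactive `-passout`/`-passin` options and the default hostname `azure-keyvault-emulator` (the compose service name) are this example's own choices; it assumes `openssl` 1.1.1 or later is on `PATH`.

```shell
#!/bin/sh
# Added example, not part of the Azure KeyVault Emulator project.
# Generates <dir>/<host>.key, <dir>/<host>.crt and <dir>/<host>.pfx for the
# emulator hostname and verifies them before they are mounted at /https.
set -e

# Step 1: self-signed certificate whose SAN lists localhost and the emulator
# hostname. The config file replaces the process-substitution of the README
# so the script also runs under plain /bin/sh.
gen_cert() {
  host="$1"; dir="$2"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = req
[san]
subjectAltName = DNS.1:localhost,DNS.2:$host
EOF
  openssl req -x509 -newkey rsa:4096 -sha256 -days 3560 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" \
    -subj "/CN=$host" -extensions san -config "$dir/san.cnf" >/dev/null 2>&1
}

# Step 2: PKCS#12 bundle for Kestrel. The password is passed on the command
# line instead of being prompted for; the emulator then needs the same value
# in ASPNETCORE_Kestrel__Certificates__Default__Password.
export_pfx() {
  host="$1"; dir="$2"; password="$3"
  openssl pkcs12 -export -out "$dir/$host.pfx" \
    -inkey "$dir/$host.key" -in "$dir/$host.crt" -passout "pass:$password"
}

# Check 1: the SAN extension names the given host. KeyClient verifies the
# hostname, so a CN-only certificate is rejected by modern TLS stacks.
san_has() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Check 2: what the client container effectively does after
# update-ca-certificates: treat the certificate as a trust anchor and verify
# it for the hostname the client will connect to.
verify_for_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Check 3: the bundle opens with the password Kestrel will be configured with.
pfx_opens() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# Generate and verify everything for one hostname; fails on the first problem.
main() {
  host="${1:-azure-keyvault-emulator}"; dir="${2:-.}"; password="${3:-}"
  gen_cert "$host" "$dir"
  export_pfx "$host" "$dir" "$password"
  san_has "$dir/$host.crt" "$host"
  san_has "$dir/$host.crt" localhost
  verify_for_host "$dir/$host.crt" "$host"
  verify_for_host "$dir/$host.crt" localhost
  pfx_opens "$dir/$host.pfx" "$password"
  echo "certificate for $host written to $dir and verified"
}

# Run as: sh make-emulator-cert.sh <emulator-hostname> <path-to-certs> [password]
# (main is only invoked when a hostname argument is given)
case "${1:-}" in "") ;; *) main "$@" ;; esac
```

Point `<path-to-certs>` in the compose file at the directory the script wrote to, and `<emulator-hostname>` at the hostname you passed; if the certificate fails hostname verification for that name here, the `KeyClient` in the client container will fail the TLS handshake for the same reason.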
The provided scripts check for all dependencies, start Docker, build the solution, and run all tests. Run the following command from the root of the project:

```sh
make verify
```