The code within this repository demonstrates a means by which durable entity state can be encrypted at the application layer. A key is configured for the function app. That key is then used during the serialization process to encrypt any properties annotated with the Encrypted attribute.

• .NET Core 3.1
• Azure Storage Emulator
• Azure Storage Explorer

As part of the Configure method in the FunctionsStartup class register the dependencies necessary to enable encryption

Register how to resolve the encryption options/configuration. The key is expected to come from a key management solution such as Azure Key Vault. See Azure Key Vault Configuration Provider in ASP.NET Core for how to retrieve secrets from Azure Key Vault.

builder.Services.AddSingleton(sp => new EncryptionOptions(config["ENCRYPTIONKey"]));

Register the implementation of IEncryptionService to be used

builder.Services.AddSingleton<IEncryptionService, EncryptionService>();

Register customization to IMessageSerializerSettingsFactory to customize how durable functions serializes the state

//necessary to engage custom settings during serialization
builder.Services.AddSingleton<IContractResolver, EncryptedContractResolver>();
builder.Services.AddSingleton(sp => new JsonSerializerSettings { ContractResolver = sp.GetService<IContractResolver>() });
builder.Services.AddSingleton<IMessageSerializerSettingsFactory, SerializerSettingsFactory>();

Register customization to Json.NET's default serialization settings to customize how durable functions deserializes the state

//necessary to engage custom settings during deserialization
JsonConvert.DefaultSettings = () => builder.Services.BuildServiceProvider().GetService<JsonSerializerSettings>();

To indicate which entity properties should be encrypted, annotate the properties with the Encrypted attribute. The EncryptedContractResolver will scan for this attribute to determine which properties need to be encrypted/decrypted.

[JsonObject(MemberSerialization = MemberSerialization.OptOut)]
public class AccountEntity : IAccountEntity
{
    // ensure account number is encrypted when saved
    [Encrypted]
    public string AccountNumber { get; set; }

    public void Set(string accountNumber) => AccountNumber = accountNumber;

    [FunctionName(nameof(AccountEntity))]
    public static Task Run([EntityTrigger] IDurableEntityContext ctx) => ctx.DispatchAsync<AccountEntity>();
}

To test the encryption/decryption in this sample, the following two endpoints can be used.

This will set the account number to a value for the account of the provided accountId.

The value when saved to Azure Table Storage should be encrypted. The following is from the Hub Instances table; Input column for the row that represents the Durable Entity.

{"exists":true,"state":"{\"AccountNumber\":\"A1k9ufGmHFMgM83sE/8EdCMls/TLeXbWDEU32ZXrhE4=\"}","sorter":{}}

This will retrieve the account entity for the account of the provided accountId.

The returned value should be decrypted

{ "accountNumber": "123ABC" }

To customize the specific encryption algorithm used, a new implementation of IEncryptionService can be created. This will not change what properties are selected for encryption. It will only change how the properties annotated are encrypted & decrypted. If for example, something other than AesManaged is needed, a new implementation of IEncryptionService could be created to use a different cryptography implementation.

public interface IEncryptionService
{
    string Decrypt(string value);
    string Encrypt(string value);
}

public class MyEncryptionService
{
    public string Encrypt(string value)
    {
        //todo: return encrypted value
    }

    public string Decrypt(string value)
    {
        //todo: return the decrypted value
    }
}

Then, register the new implementation with the IServiceProvider

builder.Services.AddSingleton<IEncryptionService, EncryptionService>();