emrekizildas / entityframeworkcore.encryptcolumn Goto Github PK

I'm on MVC .Net Core 3.1 & EFCore using EntityFrameworkCore.EncryptColumn Version 3.1.0

I'm getting the following error when I create a migration on an existing table in my database.
Error: You should create encryption provider. (Parameter 'encryptionProvider')

Currently my DbContext looks thusly (the key is just a random GUID I generated for testing purposes):

I have DTO with the property SSN

The project builds, but again the error happens I create the migration. As far as I understand, isn't the provider being created when the Context is newed-up, or on application start?

Is this code using a null IV?

I don't see where you read/write the IV anywhere... this doesn't seem right to me... seems like the IV is just null.

Am I missing something?

Often the data-models are not located into the same assembly that contains the DbContext.
That "datamodels assembly" usually tends to have a lower framework compatibility level (i.e. netstandard 2.0) than the assembly containing the DbContext (which have no less than net6.0).
In order to solve this problem, I suggest to move the attribute [EncryptColumn] (and other netstandard 2.0-compliant abstractions) into another, dedicated package "EntityFrameworkCore.EncryptColumn.Abstractions", and/or implement FluentAPI like suggested in #4

Specified key is not a valid size for this algorithm.

I define my column attributes in a different namespace than my model classes. Is it possible to use FluentAPI to set the EncryptColumn setting?

Since the library is always using the same IV, is potentially fragile in terms of security.

byte[] iv = new byte[16];

Here always the IV vector is initialized to the same value. What it should be, every encrypted value must have a different IV and also add this IV block to the final ciphertext, to have the different values as result.

The IV is not a secret, so is safe to be included in the final ciphertext.

The .Net Aes already has a random IV value when is created:

`
using (Aes myAes = Aes.Create())
{

        // Encrypt the string to an array of bytes.
        byte[] encrypted = EncryptStringToBytes_Aes(original, myAes.Key, myAes.IV);

`

If you see, the AES instance when is used with Aes.Create() already create an IV.

A possible solution is to create a new buffer that combines these two values as:

Buffer.BlockCopy(iv, 0, result, 0, iv.Length); Buffer.BlockCopy(encryptedContent, 0, result, iv.Length, encryptedContent.Length);

An also, since probably is using the library, should probably be needed to create a migration plan to encrypt properly the actual data encrypted by the library by projects that used it.

For the decryption, you need to split the hypertext and the IV from the block, and from there, you can use the key, and the unique IV to decrypt the value.

Hi,
i am using .NET 7 and i did exactly what you described in documentation but nothing happens, my data is still saved in clear text.
Am i missing something?

here is my dbcontext:

private readonly IEncryptionProvider _provider;
public AppDbContext()
{
_provider = new GenerateEncryptionProvider("example_encrypt_key");
}
.....
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
modelBuilder.UseEncryption(_provider);
modelBuilder.ApplyConfigurationsFromAssembly(typeof(AppDbContext).Assembly);

    OnModelCreatingPartial(modelBuilder);

    base.OnModelCreating(modelBuilder);
}

and my entity model:
[EncryptColumn]
public string UserName { get; set; }

    [EncryptColumn]
    public string FirstName { get; set; }
    
    public string Email { get; set; }

I have tested you example https://github.com/emrekizildas/EntityFrameworkCore.EncryptColumn.Example and the first time it works, the second time I run it I get the following output:

ID: 9c2016b2-bf54-47d0-a9d0-23d94858ecad
Firstname: Emre
Lastname: Kizildas
Email Address: 
Identity Number: 
ID: d2a1252a-c7b3-41c6-b87a-e88ede34144a
Firstname: Emre
Lastname: Kizildas
Email Address: [email protected]
Identity Number: 12345678901

It seems like it can't decrypt objects created by another instance of the DBContext.

Limit the exposure of decoded strings.

The current release writes an empty string to the database instead of the encrypted value. I was able to verify this using the example project, after upgrading that project to EncryptColumn 5.0.6.

Looking at the repository history, it looks like the issue may have been resolved here back in August, but an updated NuGet package wasn't published afterward.

Microsoft has built in support for encryption key secret storage using the DataProtection APIs.

Using these interfaces you could generate and store the encryption key(s) used in GenerateEncryptionProvider.cs in a configurable, secure way.

System.MissingMethodException: 'Method not found: 'System.Collections.Generic.IEnumerable`1<Microsoft.EntityFrameworkCore.Metadata.IMutableProperty> Microsoft.EntityFrameworkCore.Metadata.IMutableEntityType.GetProperties()'.'