DEV Community

Siri Varma Vegiraju

Understanding Dapr Cryptography building block

Dapr Cryptography Building Block Summary

Overview

The Dapr cryptography building block provides a safe and consistent way to leverage cryptography in applications. It exposes APIs for operations like encrypting and decrypting messages within key vaults or the Dapr sidecar, without exposing cryptographic keys to your application.

Why Use Cryptography?

Applications rely heavily on cryptography so that data stays protected even when the data itself is compromised. It is often required for:

  • Industry regulation compliance (e.g., finance)
  • Legal requirements (e.g., GDPR privacy regulations)

Challenges with Traditional Cryptography

Implementing cryptography correctly is difficult because you need to:

  • Choose the right algorithms and options
  • Learn proper key management and protection
  • Navigate operational complexities when limiting access to cryptographic key material

Key Security Principle

Limiting access to raw key material is crucial for security. Dapr addresses this by:

  • Integrating with key vaults (like Azure Key Vault) that store keys in secure enclaves
  • Performing cryptographic operations in vaults without exposing keys
  • Managing cryptographic keys within the sidecar when vaults aren't available

Benefits of Dapr Cryptography

  1. Safer Operations: Provides safeguards against unsafe algorithms or configurations
  2. Key Isolation: Applications never see raw key material
  3. Separation of Concerns: Only authorized teams can access private key materials
  4. Easier Key Management: Keys are managed outside applications and can be rotated without developer involvement
  5. Better Audit Logging: Monitor when operations are performed with keys in vaults

Features

Cryptographic Components

Dapr includes two types of components:

1. Key Vault Components

  • Interface with management services or vaults (e.g., Azure Key Vault)
  • Perform cryptographic operations within vaults
  • Dapr never sees private keys

2. Dapr's Own Cryptographic Engine

  • Components with .dapr. in the name
  • Used when key vaults aren't available
  • Perform operations within Dapr sidecar
  • Keys stored in files, Kubernetes secrets, or other sources
  • Private keys known by Dapr but not available to applications

Abstraction Layer

Both component types offer the same abstraction layer, allowing solutions to switch between:

  • Various vaults and cryptography components
  • Local keys during development
  • Cloud vaults in production
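The following component definitions, added here as an illustration rather than taken from the post or from the Dapr project, show how that switch works in practice: a local-file key component for development and an Azure Key Vault component for production are both registered under the same component name, so application code that calls the encrypt/decrypt API does not change. The component types and metadata field names follow Dapr's component reference; the vault name, tenant/client IDs, key folder, secret names and app IDs are placeholders.

```yaml
# Development: keys loaded from local PEM files; the sidecar holds the
# private key, the application never does.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mycrypto            # same name in every environment
spec:
  type: crypto.dapr.localstorage
  version: v1
  metadata:
    - name: path
      value: /etc/dapr/keys   # placeholder folder; key name = file name
scopes:
  - orders-api              # placeholder app ID allowed to use this component
---
# Production: operations run inside Azure Key Vault; neither Dapr nor
# the application ever sees the raw key material.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mycrypto            # unchanged, so application code is unchanged
spec:
  type: crypto.azure.keyvault
  version: v1
  metadata:
    - name: vaultName
      value: example-vault  # placeholder
    - name: azureTenantId
      value: "00000000-0000-0000-0000-000000000000"  # placeholder
    - name: azureClientId
      value: "11111111-1111-1111-1111-111111111111"  # placeholder
    - name: azureClientSecret
      secretKeyRef:         # pull the credential from a secret store, not the file
        name: crypto-azure-sp
        key: clientSecret
auth:
  secretStore: kubernetes   # placeholder secret store component name
scopes:
  - orders-api
```

The `scopes` list restricts which Dapr app IDs may call the component at all, which is the configuration-level counterpart of the "only authorized teams" point above; each file lives in the environment's own components folder, so a deployment selects the backend simply by which definition is loaded.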

Cryptographic APIs

  • Encrypt and decrypt data using the Dapr Crypto Scheme v1
  • Opinionated encryption scheme with modern, safe cryptographic standards
  • Efficiently processes data (including large files) as streams

Getting Started

Recommended Approach

While both HTTP and gRPC are supported in the alpha release, using gRPC APIs with supported Dapr SDKs is recommended for cryptography.

Next Steps

  1. Try the cryptography quickstart and tutorials
  2. Follow the cryptography how-to guide after installing Dapr
  3. Watch the demo video from Dapr Community Call #83

Architecture

The cryptography building block sits between your application and the cryptographic operations, ensuring that:

  • Applications make requests to Dapr
  • Dapr handles the cryptographic operations securely
  • Raw key material never reaches the application layer
