Dapr Cryptography Building Block Summary
Overview
The Dapr cryptography building block provides a safe and consistent way to leverage cryptography in applications. It exposes APIs for operations like encrypting and decrypting messages within key vaults or the Dapr sidecar, without exposing cryptographic keys to your application.
Why Use Cryptography?
Applications rely heavily on cryptography because, when it is implemented correctly, data stays protected even if the storage or transport holding it is compromised. Cryptography is also often required for:
- Industry regulation compliance (e.g., finance)
- Legal requirements (e.g., GDPR privacy regulations)
Challenges with Traditional Cryptography
Implementing cryptography correctly is difficult because you need to:
- Choose the right algorithms and options
- Learn proper key management and protection
- Navigate operational complexities when limiting access to cryptographic key material
Key Security Principle
Limiting access to raw key material is crucial for security. Dapr addresses this by:
- Integrating with key vaults (like Azure Key Vault) that store keys in secure enclaves
- Performing cryptographic operations in vaults without exposing keys
- Managing cryptographic keys within the sidecar when vaults aren't available
Benefits of Dapr Cryptography
- Safer Operations: Provides safeguards against unsafe algorithms or configurations
- Key Isolation: Applications never see raw key material
- Separation of Concerns: Only authorized teams can access private key materials
- Easier Key Management: Keys are managed outside applications and can be rotated without developer involvement
- Better Audit Logging: Monitor when operations are performed with keys in vaults
Features
Cryptographic Components
Dapr includes two types of components:
1. Key Vault Components
- Interface with management services or vaults (e.g., Azure Key Vault)
- Perform cryptographic operations within vaults
- Dapr never sees private keys
2. Dapr's Own Cryptographic Engine
- Components with ".dapr." in the name; used when key vaults aren't available
- Perform operations within Dapr sidecar
- Keys stored in files, Kubernetes secrets, or other sources
- Private keys known by Dapr but not available to applications
Abstraction Layer
Both component types offer the same abstraction layer, allowing solutions to switch between:
- Various vaults and cryptography components
- Local keys during development
- Cloud vaults in production
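The switch described above, as an added example (not part of the original page or of the Dapr project's documentation): two component definitions that share the name mycrypto, so an application that refers to that component name keeps working when the local-file component used in development is replaced by the Azure Key Vault component in production. The component types (crypto.dapr.localstorage, crypto.azure.keyvault) and the metadata field names are the ones Dapr documents for these components; the component name, key directory, vault name and secret reference are assumptions chosen for the example.

```yaml
# Development: keys are files on disk, read only by the Dapr sidecar
# (type crypto.dapr.localstorage). The application never opens the key
# directory itself; it refers to a key by name, e.g. "rsa-private-key.pem".
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mycrypto              # assumed name; the app refers to this, never to a key file
spec:
  type: crypto.dapr.localstorage
  version: v1
  metadata:
    - name: path
      value: ./keys           # assumed directory; mount it read-only for the sidecar only
---
# Production: the same component name, now backed by Azure Key Vault
# (type crypto.azure.keyvault). Operations run inside the vault, so neither
# the sidecar nor the application ever sees the private key.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mycrypto
spec:
  type: crypto.azure.keyvault
  version: v1
  metadata:
    - name: vaultName
      value: example-vault    # assumed vault name
    # Dapr's standard Azure authentication metadata; a service principal is
    # shown, with the client secret pulled from a Dapr secret store rather
    # than written into the component file.
    - name: azureTenantId
      value: "<tenant-id>"
    - name: azureClientId
      value: "<client-id>"
    - name: azureClientSecret
      secretKeyRef:
        name: azure-sp        # assumed secret name
        key: client-secret    # assumed key within that secret
```

Because the application code only names the component and the key, the swap is an operations change: the same encrypt and decrypt calls run unchanged, and key rotation happens in the vault without a redeploy.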
Cryptographic APIs
- Encrypt and decrypt data using the Dapr Crypto Scheme v1
- Opinionated encryption scheme with modern, safe cryptographic standards
- Efficiently processes data (including large files) as streams
Getting Started
Recommended Approach
While both HTTP and gRPC are supported in the alpha release, using gRPC APIs with supported Dapr SDKs is recommended for cryptography.
Next Steps
- Try the cryptography quickstart and tutorials
- Follow the cryptography how-to guide after installing Dapr
- Watch the demo video from Dapr Community Call #83
Architecture
The cryptography building block sits between your application and the cryptographic operations, ensuring that:
- Applications make requests to Dapr
- Dapr handles the cryptographic operations securely
- Raw key material never reaches the application layer