Additional Key Sets

jbtule edited this page Jan 5, 2013 · 6 revisions

## Keyset Design

There are two kinds of key sets: a base key set, which describes where to get the key set data, and a transforming key set, which takes a base key set's bytes and decodes them to JSON.

## Standard Key Sets

### plain old KeySet : base key set

This is the standard key set format: a directory of JSON files on disk.

```csharp
var keySet = new KeySet("path_to_keyset");
```

The key set used by the API above can be created with the KeyczarTool using the following commands.

```
:> KeyczarTool.exe create --location="path_to_keyset" --purpose="crypt"
:> KeyczarTool.exe addkey --location="path_to_keyset" --status="primary"
```

### EncryptedKeySet : transforming key set

Uses a Crypter with a separate key set to decrypt the keys of a base key set.

```csharp
// crypter opens the separate key set that decrypts the keys of the base keySet
using(var crypter = new Crypter("path_to_encrypting")){
    var encKeySet = new EncryptedKeySet(keySet, crypter);
    using(var otherCrypter = new Crypter(encKeySet)){
        //do stuff
    }
}
```

The key sets used by the API above can be created with the KeyczarTool using the following commands.

```
:> KeyczarTool.exe create --location="path_to_encrypting" --purpose="crypt"
:> KeyczarTool.exe addkey --location="path_to_encrypting" --status="primary"
:> KeyczarTool.exe create --location="path_to_keyset" --purpose="crypt"
:> KeyczarTool.exe addkey --location="path_to_keyset" --status="primary" --crypter="path_to_encrypting"
```

### PbeKeySet : transforming key set

Password Based Encryption Key Set. Uses a passphrase to decrypt a base key set. It takes a `Func<string>` callback to provide the password. This is to encourage developers not to hardcode the password.

```csharp
// passwordCallback is a Func<string> that returns the passphrase
using(var pbeKeySet = new PbeKeySet(keySet, passwordCallback))
using(var crypter = new Crypter(pbeKeySet)){
    //do stuff
}
```

The key set used by the API above can be created with the KeyczarTool using the following commands.

```
:> KeyczarTool.exe create --name="Test" --location="path_to_keyset" --purpose="crypt"
:> KeyczarTool.exe addkey --location="path_to_keyset" --status="primary" --password
Please enter password:
Please re-enter password:
```

Note: if you ever need to change the password on a key set, run `KeyczarTool.exe password` to see the usage of the KeyczarTool password command.
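
One way to supply the `passwordCallback` without hardcoding the password, as an added example that is not part of the original page or the project's own code. The `Keyczar` namespace import, the `KeySetPassword` helper and the `KEYSET_PASSWORD` environment variable name are assumptions made for this example.

```csharp
using System;
using System.Text;
using Keyczar; // assumed namespace for KeySet, PbeKeySet and Crypter

static class KeySetPassword
{
    // Hypothetical variable name chosen for this example.
    const string EnvVar = "KEYSET_PASSWORD";

    // Signature matches Func<string>, so it can be passed as the callback.
    public static string Prompt()
    {
        // Non-interactive hosts (services, build agents) inject the secret at deploy time.
        var fromEnv = Environment.GetEnvironmentVariable(EnvVar);
        if (!string.IsNullOrEmpty(fromEnv))
            return fromEnv;

        // Interactive fallback: read the password without echoing it.
        Console.Write("Please enter password: ");
        var buffer = new StringBuilder();
        while (true)
        {
            var key = Console.ReadKey(true); // true = do not display the key
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (buffer.Length > 0) buffer.Length--;
            }
            else if (!char.IsControl(key.KeyChar))
            {
                buffer.Append(key.KeyChar);
            }
        }
        Console.WriteLine();
        return buffer.ToString();
    }
}

static class Program
{
    static void Main()
    {
        var keySet = new KeySet("path_to_keyset");
        using (var pbeKeySet = new PbeKeySet(keySet, KeySetPassword.Prompt))
        using (var crypter = new Crypter(pbeKeySet))
        {
            //do stuff
        }
    }
}
```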

## Unofficial API Key Sets

### BlobKeySet : base key set

This represents a key set in a single blob of data for convenience. It doesn't have to be made with the Key Managing API: if you make a plain old key set with the KeyczarTool, just zip it up and it should match a BlobKeySet.

```csharp
// The stream is a zip file of a plain old key set directory
using(var stream = File.OpenRead("path_to_zip_file_of_key_set"))
using(var blobKeySet = new BlobKeySet(stream))
using(var crypter = new Crypter(blobKeySet)){
    //do stuff
}
```

### WebKeySet : base key set

A WebKeySet is a read-only key set in the same format as the standard key set; it just uses a URL instead of a file path. Use it only for public key sets or encrypted key sets, so that no unencrypted secret key material is exposed at the URL.

```csharp
var webKeySet = new WebKeySet("http://url_to_public_or_encrypted_keyset");
```