Client Encryption: Adds an abstraction layer to hide the underlying usage of Microsoft Data Encryption(MDE) library.

Microsoft.Azure.Cosmos.Encryption/src/EncryptionCosmosClient.cs

@@ -8,7 +8,6 @@ namespace Microsoft.Azure.Cosmos.Encryption
     using System.Net;
     using System.Threading;
     using System.Threading.Tasks;
-    using Microsoft.Data.Encryption.Cryptography;
 
     /// <summary>
     /// CosmosClient with Encryption support.
@@ -19,14 +18,14 @@ internal sealed class EncryptionCosmosClient : CosmosClient
 
         private readonly AsyncCache<string, ClientEncryptionKeyProperties> clientEncryptionKeyPropertiesCacheByKeyId;
 
-        public EncryptionCosmosClient(CosmosClient cosmosClient, EncryptionKeyStoreProvider encryptionKeyStoreProvider)
+        public EncryptionCosmosClient(CosmosClient cosmosClient, CosmosEncryptionKeyStoreProvider cosmosEncryptionKeyStoreProvider)
         {
             this.cosmosClient = cosmosClient ?? throw new ArgumentNullException(nameof(cosmosClient));
-            this.EncryptionKeyStoreProvider = encryptionKeyStoreProvider ?? throw new ArgumentNullException(nameof(encryptionKeyStoreProvider));
+            this.CosmosEncryptionKeyStoreProvider = cosmosEncryptionKeyStoreProvider ?? throw new ArgumentNullException(nameof(cosmosEncryptionKeyStoreProvider));
             this.clientEncryptionKeyPropertiesCacheByKeyId = new AsyncCache<string, ClientEncryptionKeyProperties>();
         }
 
-        public EncryptionKeyStoreProvider EncryptionKeyStoreProvider { get; }
+        public CosmosEncryptionKeyStoreProvider CosmosEncryptionKeyStoreProvider { get; }
 
         public override CosmosClientOptions ClientOptions => this.cosmosClient.ClientOptions;
 

Microsoft.Azure.Cosmos.Encryption/src/EncryptionCosmosClientExtensions.cs

@@ -16,15 +16,15 @@ public static class EncryptionCosmosClientExtensions
         /// Get Cosmos Client with Encryption support for performing operations using client-side encryption.
         /// </summary>
         /// <param name="cosmosClient">Regular Cosmos Client.</param>
-        /// <param name="encryptionKeyStoreProvider">EncryptionKeyStoreProvider, provider that allows interaction with the master keys.</param>
+        /// <param name="cosmosEncryptionKeyStoreProvider">CosmosEncryptionKeyStoreProvider, provider that allows interaction with the master keys.</param>
         /// <returns> CosmosClient to perform operations supporting client-side encryption / decryption.</returns>
         public static CosmosClient WithEncryption(
             this CosmosClient cosmosClient,
-            EncryptionKeyStoreProvider encryptionKeyStoreProvider)
+            CosmosEncryptionKeyStoreProvider cosmosEncryptionKeyStoreProvider)
         {
-            if (encryptionKeyStoreProvider == null)
+            if (cosmosEncryptionKeyStoreProvider == null)
             {
-                throw new ArgumentNullException(nameof(encryptionKeyStoreProvider));
+                throw new ArgumentNullException(nameof(cosmosEncryptionKeyStoreProvider));
             }
 
             if (cosmosClient == null)
@@ -33,9 +33,9 @@ public static CosmosClient WithEncryption(
             }
 
             // set the TTL for ProtectedDataEncryption at the Encryption CosmosClient Init so that we have a uniform expiry of the KeyStoreProvider and ProtectedDataEncryption cache items.
-            if (encryptionKeyStoreProvider.DataEncryptionKeyCacheTimeToLive.HasValue)
+            if (cosmosEncryptionKeyStoreProvider.DataEncryptionKeyCacheTimeToLive.HasValue)
             {
-                ProtectedDataEncryptionKey.TimeToLive = encryptionKeyStoreProvider.DataEncryptionKeyCacheTimeToLive.Value;
+                ProtectedDataEncryptionKey.TimeToLive = cosmosEncryptionKeyStoreProvider.DataEncryptionKeyCacheTimeToLive.Value;
             }
             else
             {
@@ -44,7 +44,7 @@ public static CosmosClient WithEncryption(
                 ProtectedDataEncryptionKey.TimeToLive = TimeSpan.FromDays(36500);
             }
 
-            return new EncryptionCosmosClient(cosmosClient, encryptionKeyStoreProvider);
+            return new EncryptionCosmosClient(cosmosClient, cosmosEncryptionKeyStoreProvider);
         }
     }
 }

Microsoft.Azure.Cosmos.Encryption/src/EncryptionDatabaseExtensions.cs

@@ -38,7 +38,7 @@ public static class EncryptionDatabaseExtensions
         public static async Task<ClientEncryptionKeyResponse> CreateClientEncryptionKeyAsync(
             this Database database,
             string clientEncryptionKeyId,
-            DataEncryptionKeyAlgorithm dataEncryptionKeyAlgorithm,
+            string dataEncryptionKeyAlgorithm,
             EncryptionKeyWrapMetadata encryptionKeyWrapMetadata,
             CancellationToken cancellationToken = default)
         {
@@ -49,11 +49,9 @@ public static async Task<ClientEncryptionKeyResponse> CreateClientEncryptionKeyA
                 throw new ArgumentNullException(nameof(clientEncryptionKeyId));
             }
 
-            string encryptionAlgorithm = dataEncryptionKeyAlgorithm.ToString();
-
-            if (!string.Equals(encryptionAlgorithm, DataEncryptionKeyAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256.ToString()))
+            if (!string.Equals(dataEncryptionKeyAlgorithm, CosmosDataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256))
             {
-                throw new ArgumentException($"Invalid Encryption Algorithm '{encryptionAlgorithm}' passed. Please refer to https://aka.ms/CosmosClientEncryption for more details. ");
+                throw new ArgumentException($"Invalid Encryption Algorithm '{dataEncryptionKeyAlgorithm}' passed. Please refer to https://aka.ms/CosmosClientEncryption for more details. ");
             }
 
             if (encryptionKeyWrapMetadata == null)
@@ -65,17 +63,17 @@ public static async Task<ClientEncryptionKeyResponse> CreateClientEncryptionKeyA
                 ? encryptionDatabase.EncryptionCosmosClient
                 : throw new ArgumentException("Creating a ClientEncryptionKey resource requires the use of an encryption - enabled client. Please refer to https://aka.ms/CosmosClientEncryption for more details. ");
 
-            EncryptionKeyStoreProvider encryptionKeyStoreProvider = encryptionCosmosClient.EncryptionKeyStoreProvider;
+            CosmosEncryptionKeyStoreProvider cosmosEncryptionKeyStoreProvider = encryptionCosmosClient.CosmosEncryptionKeyStoreProvider;
 
-            if (!string.Equals(encryptionKeyWrapMetadata.Type, encryptionKeyStoreProvider.ProviderName))
+            if (!string.Equals(encryptionKeyWrapMetadata.Type, cosmosEncryptionKeyStoreProvider.ProviderName))
             {
                 throw new ArgumentException("The EncryptionKeyWrapMetadata Type value does not match with the ProviderName of EncryptionKeyStoreProvider configured on the Client. Please refer to https://aka.ms/CosmosClientEncryption for more details. ");
             }
 
             KeyEncryptionKey keyEncryptionKey = KeyEncryptionKey.GetOrCreate(
                 encryptionKeyWrapMetadata.Name,
                 encryptionKeyWrapMetadata.Value,
-                encryptionKeyStoreProvider);
+                cosmosEncryptionKeyStoreProvider.EncryptionKeyStoreProviderImpl);
 
             ProtectedDataEncryptionKey protectedDataEncryptionKey = new ProtectedDataEncryptionKey(
                 clientEncryptionKeyId,
@@ -91,7 +89,7 @@ public static async Task<ClientEncryptionKeyResponse> CreateClientEncryptionKeyA
 
             ClientEncryptionKeyProperties clientEncryptionKeyProperties = new ClientEncryptionKeyProperties(
                 clientEncryptionKeyId,
-                encryptionAlgorithm,
+                dataEncryptionKeyAlgorithm,
                 wrappedDataEncryptionKey,
                 encryptionKeyWrapMetadata);
 
@@ -145,9 +143,9 @@ public static async Task<ClientEncryptionKeyResponse> RewrapClientEncryptionKeyA
                 ? encryptionDatabase.EncryptionCosmosClient
                 : throw new ArgumentException("Rewraping a ClientEncryptionKey requires the use of an encryption - enabled client. Please refer to https://aka.ms/CosmosClientEncryption for more details. ");
 
-            EncryptionKeyStoreProvider encryptionKeyStoreProvider = encryptionCosmosClient.EncryptionKeyStoreProvider;
+            CosmosEncryptionKeyStoreProvider cosmosEncryptionKeyStoreProvider = encryptionCosmosClient.CosmosEncryptionKeyStoreProvider;
 
-            if (!string.Equals(newEncryptionKeyWrapMetadata.Type, encryptionKeyStoreProvider.ProviderName))
+            if (!string.Equals(newEncryptionKeyWrapMetadata.Type, cosmosEncryptionKeyStoreProvider.ProviderName))
             {
                 throw new ArgumentException("The EncryptionKeyWrapMetadata Type value does not match with the ProviderName of EncryptionKeyStoreProvider configured on the Client. Please refer to https://aka.ms/CosmosClientEncryption for more details. ");
             }
@@ -162,14 +160,14 @@ public static async Task<ClientEncryptionKeyResponse> RewrapClientEncryptionKeyA
             KeyEncryptionKey keyEncryptionKey = KeyEncryptionKey.GetOrCreate(
                 clientEncryptionKeyProperties.EncryptionKeyWrapMetadata.Name,
                 clientEncryptionKeyProperties.EncryptionKeyWrapMetadata.Value,
-                encryptionKeyStoreProvider);
+                cosmosEncryptionKeyStoreProvider.EncryptionKeyStoreProviderImpl);
 
             byte[] unwrappedKey = keyEncryptionKey.DecryptEncryptionKey(clientEncryptionKeyProperties.WrappedDataEncryptionKey);
 
             keyEncryptionKey = KeyEncryptionKey.GetOrCreate(
                 newEncryptionKeyWrapMetadata.Name,
                 newEncryptionKeyWrapMetadata.Value,
-                encryptionKeyStoreProvider);
+                cosmosEncryptionKeyStoreProvider.EncryptionKeyStoreProviderImpl);
 
             byte[] rewrappedKey = keyEncryptionKey.EncryptEncryptionKey(unwrappedKey);
 

Microsoft.Azure.Cosmos.Encryption/src/EncryptionSettingForProperty.cs

@@ -52,7 +52,7 @@ public async Task<AeadAes256CbcHmac256EncryptionAlgorithm> BuildEncryptionAlgori
                 // Here a request is sent out to unwrap using the Master Key configured via the Key Encryption Key.
                 protectedDataEncryptionKey = await this.BuildProtectedDataEncryptionKeyAsync(
                     clientEncryptionKeyProperties,
-                    this.encryptionContainer.EncryptionCosmosClient.EncryptionKeyStoreProvider,
+                    this.encryptionContainer.EncryptionCosmosClient.CosmosEncryptionKeyStoreProvider,
                     this.ClientEncryptionKeyId,
                     cancellationToken);
             }
@@ -75,7 +75,7 @@ public async Task<AeadAes256CbcHmac256EncryptionAlgorithm> BuildEncryptionAlgori
                     // try to build the ProtectedDataEncryptionKey. If it fails, try to force refresh the gateway cache and get the latest client encryption key.
                     protectedDataEncryptionKey = await this.BuildProtectedDataEncryptionKeyAsync(
                         clientEncryptionKeyProperties,
-                        this.encryptionContainer.EncryptionCosmosClient.EncryptionKeyStoreProvider,
+                        this.encryptionContainer.EncryptionCosmosClient.CosmosEncryptionKeyStoreProvider,
                         this.ClientEncryptionKeyId,
                         cancellationToken);
                 }
@@ -146,7 +146,7 @@ private async Task<ProtectedDataEncryptionKey> ForceRefreshGatewayCacheAndBuildP
 
         private async Task<ProtectedDataEncryptionKey> BuildProtectedDataEncryptionKeyAsync(
             ClientEncryptionKeyProperties clientEncryptionKeyProperties,
-            EncryptionKeyStoreProvider encryptionKeyStoreProvider,
+            CosmosEncryptionKeyStoreProvider cosmosEncryptionKeyStoreProvider,
             string keyId,
             CancellationToken cancellationToken)
         {
@@ -157,7 +157,7 @@ private async Task<ProtectedDataEncryptionKey> BuildProtectedDataEncryptionKeyAs
                     KeyEncryptionKey keyEncryptionKey = KeyEncryptionKey.GetOrCreate(
                         clientEncryptionKeyProperties.EncryptionKeyWrapMetadata.Name,
                         clientEncryptionKeyProperties.EncryptionKeyWrapMetadata.Value,
-                        encryptionKeyStoreProvider);
+                        cosmosEncryptionKeyStoreProvider.EncryptionKeyStoreProviderImpl);
 
                     ProtectedDataEncryptionKey protectedDataEncryptionKey = ProtectedDataEncryptionKey.GetOrCreate(
                         keyId,

Microsoft.Azure.Cosmos.Encryption/src/MdeSupport/CosmosAzureKeyVaultKeyStoreProvider.cs

@@ -0,0 +1,83 @@
+//------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.  All rights reserved.
+//------------------------------------------------------------
+
+namespace Microsoft.Azure.Cosmos.Encryption
+{
+    using System;
+    using System.Threading.Tasks;
+    using global::Azure.Core;
+    using Microsoft.Data.Encryption.AzureKeyVaultProvider;
+    using Microsoft.Data.Encryption.Cryptography;
+
+    /// <summary>
+    /// Implementation of key encryption key store provider that allows client applications to access data when a
+    /// key encryption key is stored in Microsoft Azure Key Vault.
+    /// </summary>
+    public sealed class CosmosAzureKeyVaultKeyStoreProvider : CosmosEncryptionKeyStoreProvider
+    {
+        private readonly AzureKeyVaultKeyStoreProvider azureKeyVaultKeyStoreProvider;
+
+        private TimeSpan? dataEncryptionKeyCacheTimeToLive;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="CosmosAzureKeyVaultKeyStoreProvider"/> class.
+        /// Constructor that takes an implementation of Token Credential that is capable of providing an OAuth Token.
+        /// </summary>
+        /// <param name="tokenCredential"> returns token credentials. </param>
+        public CosmosAzureKeyVaultKeyStoreProvider(TokenCredential tokenCredential)
+        {
+            this.azureKeyVaultKeyStoreProvider = new AzureKeyVaultKeyStoreProvider(tokenCredential);
+        }
+
+        /// <inheritdoc/>
+        public override TimeSpan? DataEncryptionKeyCacheTimeToLive
+        {
+            get => this.dataEncryptionKeyCacheTimeToLive;
+            set => this.azureKeyVaultKeyStoreProvider.DataEncryptionKeyCacheTimeToLive = this.dataEncryptionKeyCacheTimeToLive = value;
+        }
+
+        /// <summary>
+        /// Gets name of the Encryption Key Store Provider implementation.
+        /// </summary>
+        public override string ProviderName => this.azureKeyVaultKeyStoreProvider.ProviderName;
+
+        /// <summary>
+        /// This function uses the asymmetric key specified by the key path
+        /// and decrypts an encrypted data dencryption key with RSA encryption algorithm.
+        /// </summary>.
+        /// <param name="encryptionKeyId">Identifier of an asymmetric key in Azure Key Vault. </param>
+        /// <param name="cosmosKeyEncryptionKeyAlgorithm">The key encryption algorithm.</param>
+        /// <param name="encryptedKey">The ciphertext key.</param>
+        /// <returns>Plain text data encryption key. </returns>
+        public override Task<byte[]> UnwrapKeyAsync(string encryptionKeyId, string cosmosKeyEncryptionKeyAlgorithm, byte[] encryptedKey)
+        {
+            KeyEncryptionKeyAlgorithm keyEncryptionKeyAlgorithm = cosmosKeyEncryptionKeyAlgorithm switch
+            {
+                CosmosKeyEncryptionKeyAlgorithm.RsaOaep => KeyEncryptionKeyAlgorithm.RSA_OAEP,
+                _ => throw new NotSupportedException("The specified KeyEncryptionAlgorithm is not supported. Please refer to https://aka.ms/CosmosClientEncryption for more details. "),
+            };
+
+            return Task.FromResult(this.azureKeyVaultKeyStoreProvider.UnwrapKey(encryptionKeyId, keyEncryptionKeyAlgorithm, encryptedKey));
+        }
+
+        /// <summary>
+        /// This function uses the asymmetric key specified by the key path
+        /// and encrypts an unencrypted data encryption key with RSA encryption algorithm.
+        /// </summary>
+        /// <param name="encryptionKeyId">Identifier of an asymmetric key in Azure Key Vault. </param>
+        /// <param name="cosmosKeyEncryptionKeyAlgorithm">The key encryption algorithm.</param>
+        /// <param name="key">The plaintext key.</param>
+        /// <returns>Encrypted data encryption key. </returns>
+        public override Task<byte[]> WrapKeyAsync(string encryptionKeyId, string cosmosKeyEncryptionKeyAlgorithm, byte[] key)
+        {
+            KeyEncryptionKeyAlgorithm keyEncryptionKeyAlgorithm = cosmosKeyEncryptionKeyAlgorithm switch
+            {
+                CosmosKeyEncryptionKeyAlgorithm.RsaOaep => KeyEncryptionKeyAlgorithm.RSA_OAEP,
+                _ => throw new NotSupportedException("This specified KeyEncryptionAlgorithm is not supported. Please refer to https://aka.ms/CosmosClientEncryption for more details. "),
+            };
+
+            return Task.FromResult(this.azureKeyVaultKeyStoreProvider.WrapKey(encryptionKeyId, keyEncryptionKeyAlgorithm, key));
+        }
+    }
+}

Microsoft.Azure.Cosmos.Encryption/src/MdeSupport/CosmosDataEncryptionKeyAlgorithm.cs

@@ -0,0 +1,18 @@
+//------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.  All rights reserved.
+//------------------------------------------------------------
+
+namespace Microsoft.Azure.Cosmos.Encryption
+{
+    /// <summary>
+    /// Represents the encryption algorithms supported for data encryption.
+    /// </summary>
+    public static class CosmosDataEncryptionKeyAlgorithm
+    {
+        /// <summary>
+        /// Represents the authenticated encryption algorithm with associated data as described in
+        /// http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05.
+        /// </summary>
+        public const string AeadAes256CbcHmacSha256 = "AEAD_AES_256_CBC_HMAC_SHA256";
+    }
+}