feat: add Azure Key Vault support for payload encryption #14

Open

jdswain wants to merge 1 commit into temporal-sa:main from jdswain:feat/azure-keyvault-support

Conversation

@jdswain jdswain commented Apr 23, 2026

Summary

  • Add an Azure Key Vault adapter implementing the MaterialsManager interface using WrapKey/UnwrapKey with RSA-OAEP-256
  • Register azure-keyvault provider in the codec factory with azidentity.NewDefaultAzureCredential for authentication
  • Add unit tests for the provider covering constructor defaults, GetMaterial, DecryptMaterial, and unique key generation

Configuration

Set encryption type to azure-keyvault with a key-id config value, and set the AZURE_VAULT_URL environment variable to the vault URL.

Test plan

  • All new Azure KeyVault provider tests pass
  • All existing AWS and GCP provider tests pass
  • Build compiles cleanly
  • Manual integration test with an Azure Key Vault instance

Add an Azure Key Vault adapter for the MaterialsManager interface,
enabling payload encryption/decryption using Azure Key Vault's
WrapKey/UnwrapKey operations with RSA-OAEP-256.
Collaborator

@taonic taonic left a comment

Thanks for the contribution @jdswain!

Were you able to complete the manual test against the Azure service?

Comment thread codec/codec.go

azureMaterialsManager := crypto.NewAzureKeyVaultProvider(azAdapter, crypto.AzureKeyVaultOptions{
    KeyID:     keyID,
    Algorithm: "RSA-OAEP-256",
Collaborator

I thought we need a symmetric algorithm here?

Author

@jdswain jdswain May 11, 2026

This is envelope encryption: we generate a random 256-bit AES (symmetric) data key locally; that is the key actually encrypting the payload (see crypto/azure_keyvault_provider.go:50). The Algorithm parameter is just the wrapping algorithm Azure Key Vault uses to encrypt that data key for storage.

RSA-OAEP-256 is the right default for Azure Key Vault because standard-tier vaults only support RSA and EC keys; symmetric (oct) keys are exclusive to the Premium SKU and Managed HSM. Wrapping a symmetric data key with an asymmetric KMS key is a standard pattern (it's what most Azure Key Vault envelope-encryption examples do). Although if we want to support customers on Premium / Managed HSM (probably do) with oct keys, we can thread the algorithm through from YAML: AzureKeyVaultOptions.Algorithm already supports it; it's just hardcoded in codec.go:170 today. I didn't do this because it's one more setting that could go wrong, but in a banking context it should be there.

The AWS/GCP AES_256 settings aren't directly analogous: AWS's KeySpec describes the data key GenerateDataKey returns, and wrapping is opaque inside KMS; it looks like GCP's Algorithm field is actually unused in gcp_kms_provider.go. Azure exposes wrap/unwrap directly, so we have to name the wrap algorithm explicitly.
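The envelope scheme described in the comment above, as an added example that is not the PR's code: an offline Go stand-in for Key Vault (the hypothetical NewLocalKMS) wraps a freshly generated AES-256 data key with RSA-OAEP over SHA-256, the primitive behind the RSA-OAEP-256 wrap algorithm, while the payload itself is sealed locally with AES-GCM. Encrypt, Decrypt and the closure-based wrap/unwrap signatures are assumptions of this example, not the provider's MaterialsManager API.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewLocalKMS is an offline stand-in for Key Vault (hypothetical): a fresh in-memory RSA key whose wrap/unwrap is RSA-OAEP over SHA-256, the primitive Key Vault names RSA-OAEP-256.
func NewLocalKMS() (wrap, unwrap func([]byte) ([]byte, error), err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	wrap = func(dek []byte) ([]byte, error) { // WrapKey: only the data key is sent here
		return rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, dek, nil)
	}
	unwrap = func(w []byte) ([]byte, error) { // UnwrapKey
		return rsa.DecryptOAEP(sha256.New(), nil, key, w, nil)
	}
	return wrap, unwrap, nil
}

// Encrypt: a random 256-bit AES data key seals the payload locally (AES-GCM, 12-byte nonce prepended); only that key goes to the KMS, to be wrapped.
func Encrypt(wrap func([]byte) ([]byte, error), payload []byte) (wrappedDEK, blob []byte, err error) {
	buf := make([]byte, 32+12)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	if wrappedDEK, err = wrap(dek); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(dek) // a 32-byte key cannot fail
	aead, _ := cipher.NewGCM(block)
	return wrappedDEK, aead.Seal(nonce, nonce, payload, nil), nil
}

// Decrypt unwraps the data key through the KMS, then opens the payload locally.
func Decrypt(unwrap func([]byte) ([]byte, error), wrappedDEK, blob []byte) ([]byte, error) {
	dek, err := unwrap(wrappedDEK)
	block, kerr := aes.NewCipher(dek) // a nil or wrong-length data key is rejected here
	if err != nil || kerr != nil || len(blob) < 12 {
		return nil, errors.New("unwrap failed, bad data key or truncated ciphertext")
	}
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, blob[:12], blob[12:], nil)
}
```

Against the real service, wrap and unwrap would be the Key Vault WrapKey/UnwrapKey calls and the RSA private key never leaves the vault; the rest of the flow is unchanged.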

Collaborator

@taonic taonic May 14, 2026

Makes sense. Thanks @jdswain. I think we can leave this one hard-coded for now.

Happy to merge once "Manual integration test with an Azure Key Vault instance" is ticked.
