Externalize Message Property Encryption

The Message Property Encryption feature has been moved from the NServiceBus package. It is now available as a separate NuGet package, NServiceBus.Encryption.MessageProperty. The new package should be used to encrypt message properties when using NServiceBus Versions 6.2 and above.

The API was also modified.

Removed APIs

Configuring encryption via app.config and via IProvideConfiguration has been removed. Use configuration via code instead.

Compatibility

The NServiceBus.Encryption.MessageProperty package is not fully compatible with endpoints that use the NServiceBus package's encryption functionality. Because the core implementation is not aware of the existence of the external package, it is unable to decrypt messages that use NServiceBus.Encryption.MessageProperty.EncryptedString. The specific cases are detailed below.

Encrypting and decrypting using NServiceBus.Encryption.MessageProperty

  • NServiceBus.Encryption.MessageProperty can decrypt and encrypt all messages with message properties of type NServiceBus.WireEncryptedString.
  • NServiceBus.Encryption.MessageProperty can decrypt and encrypt all messages with message properties of type NServiceBus.Encryption.MessageProperty.EncryptedString.
  • NServiceBus.Encryption.MessageProperty can decrypt and encrypt all messages using an encrypted property convention.

Encrypting and decrypting using NServiceBus

  • NServiceBus cannot decrypt and encrypt messages with message properties of type NServiceBus.Encryption.MessageProperty.EncryptedString.
  • NServiceBus can decrypt and encrypt all messages with message properties of type NServiceBus.WireEncryptedString.
  • NServiceBus can decrypt and encrypt all messages using an encrypted property convention.

Migration example

For a system with two or more endpoints, these are the steps to migrate to the NServiceBus.Encryption.MessageProperty package:

  1. Install the NServiceBus.Encryption.MessageProperty NuGet package into all endpoints.
  2. Update the configuration for all endpoints to use either RijndaelEncryptionService or a custom encryption service.
  3. Deploy all endpoints.
  4. After all endpoints are deployed, update message contracts in all endpoints to use the NServiceBus.Encryption.MessageProperty.EncryptedString property type.
  5. Deploy all endpoints again.

All endpoints must be updated to the NServiceBus.Encryption.MessageProperty package and deployed before updating any message contracts to use NServiceBus.Encryption.MessageProperty.EncryptedString. This is to prevent issues with compatibility.

Enabling RijndaelEncryptionService

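1.x NServiceBus.Encryption.MessageProperty
// Identifier of the key used to encrypt outgoing messages.
var defaultKey = "2015-10";

var ascii = Encoding.ASCII;
// Keys available to this endpoint, by identifier. Older entries are kept so
// that messages encrypted before a key rotation can still be decrypted.
// Sample values only (each 32-character string yields a 32-byte key);
// keep real keys out of source control.
var keys = new Dictionary<string, byte[]>
{
    {"2015-10", ascii.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6")},
    {"2015-09", ascii.GetBytes("abDbqRpQdRbTs3mhdZh9qCaDaxJXl+e6")},
    {"2015-08", ascii.GetBytes("cdDbqRpQdRbTs3mhdZh9qCaDaxJXl+e6")},
};
var encryptionService = new RijndaelEncryptionService(defaultKey, keys);

endpointConfiguration.EnableMessagePropertyEncryption(encryptionService);

6.x NServiceBus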
var defaultKey = "2015-10";

var ascii = Encoding.ASCII;
var keys = new Dictionary<string, byte[]>
{
    {"2015-10", ascii.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6")},
    {"2015-09", ascii.GetBytes("abDbqRpQdRbTs3mhdZh9qCaDaxJXl+e6")},
    {"2015-08", ascii.GetBytes("cdDbqRpQdRbTs3mhdZh9qCaDaxJXl+e6")},
};
endpointConfiguration.RijndaelEncryptionService(defaultKey, keys);
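
With app.config configuration removed, the keys have to reach the code-based API some other way than as literals in source. The following is an added example, not code from the original page or from the NServiceBus project: it builds the 1.x package's RijndaelEncryptionService from a key ring held in environment variables and refuses to start on a malformed ring. The variable names and the `id=base64key;id=base64key` format are assumptions; keys that deployed endpoints derived with Encoding.ASCII, as in the snippets above, must keep that encoding so existing messages stay decryptable.

```csharp
using System;
using System.Collections.Generic;
using NServiceBus;
using NServiceBus.Encryption.MessageProperty;

// Added example: the environment variable names and the "id=base64;id=base64"
// key ring format are assumptions, not part of NServiceBus.
public static class EncryptionKeyConfig
{
    const string ActiveKeyVariable = "MSG_ENC_ACTIVE_KEY_ID"; // hypothetical name
    const string KeyRingVariable = "MSG_ENC_KEYS";            // hypothetical name

    public static void Apply(EndpointConfiguration endpointConfiguration)
    {
        var activeKeyId = Require(ActiveKeyVariable);
        var keys = ParseKeyRing(Require(KeyRingVariable));

        // Fail at startup rather than run with a key identifier that has no key.
        if (!keys.ContainsKey(activeKeyId))
            throw new InvalidOperationException(
                $"Active key id '{activeKeyId}' is not in the key ring.");

        var encryptionService = new RijndaelEncryptionService(activeKeyId, keys);
        endpointConfiguration.EnableMessagePropertyEncryption(encryptionService);
    }

    public static Dictionary<string, byte[]> ParseKeyRing(string value)
    {
        var keys = new Dictionary<string, byte[]>();
        foreach (var entry in value.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            // Split on the first '=' only: base64 padding also uses '='.
            var separator = entry.IndexOf('=');
            if (separator <= 0)
                throw new FormatException("Key ring entry must be 'id=base64key'.");
            var id = entry.Substring(0, separator).Trim();
            var key = Convert.FromBase64String(entry.Substring(separator + 1).Trim());
            // Rijndael/AES keys are 128, 192 or 256 bits long.
            if (key.Length != 16 && key.Length != 24 && key.Length != 32)
                throw new FormatException($"Key '{id}' has invalid length {key.Length} bytes.");
            keys.Add(id, key); // throws on a duplicate identifier
        }
        return keys;
    }

    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set.");
}
```

The exception messages name only key identifiers and lengths, never key bytes, so they are safe to write to startup logs.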

Using EncryptedString

1.x NServiceBus.Encryption.MessageProperty
using NServiceBus;
using NServiceBus.Encryption.MessageProperty;

public class MyMessage :
    IMessage
{
    public EncryptedString MyEncryptedProperty { get; set; }
}

6.x NServiceBus
using NServiceBus;

public class MyMessage :
    IMessage
{
    public WireEncryptedString MyEncryptedProperty { get; set; }
}

Encrypted property convention

1.x NServiceBus.Encryption.MessageProperty
var ascii = Encoding.ASCII;
var encryptionService = new RijndaelEncryptionService(
    encryptionKeyIdentifier: "2015-10",
    key: ascii.GetBytes("gdDbqRpqdRbTs3mhdZh9qCaDaxJXl+e6"));

endpointConfiguration.EnableMessagePropertyEncryption(
    encryptionService: encryptionService,
    encryptedPropertyConvention: propertyInfo =>
    {
        return propertyInfo.Name.EndsWith("EncryptedProperty");
    }
);

6.x NServiceBus
var conventions = endpointConfiguration.Conventions();
conventions.DefiningEncryptedPropertiesAs(
    definesEncryptedProperty: propertyInfo =>
    {
        return propertyInfo.Name.EndsWith("EncryptedProperty");
    });

Custom encryption service

1.x NServiceBus.Encryption.MessageProperty
endpointConfiguration.EnableMessagePropertyEncryption(new EncryptionService());

6.x NServiceBus
endpointConfiguration.RegisterEncryptionService(
    func: () =>
    {
        return new EncryptionService();
    });
