I'm currently using the Azure Key Vault .NET SDK to encrypt/decrypt some data. The Azure SDK for .NET has a built-in class called "CryptographyClient" and it has built-in methods for doing that: CryptographyClient.decrypt and CryptographyClient.encrypt
The key I'm using is an RSA key and the algorithm I use is RsaOaep, so I assume it is asymmetric encryption. I followed this article to write my C# code. Basically, I get the public part of the asymmetric key from the key vault first, then use it to create a CryptographyClient.
Usually, for asymmetric encryption, we are going to use the public key to encrypt while the private key is for decryption only. So basically, the private key will never leave the Azure Key Vault (always at the Azure server, is it true?).
Now my question is:
When I call CryptographyClient.encrypt, is it only running on the client side (my local server)? Or will it send my plaintext to the Azure server and send back the encrypted text?
When I call CryptographyClient.decrypt, since the private key should never leave Azure and you can only decrypt with the private key, is it only running on the Azure server side? Meaning that my local server will need to send the encrypted text to Azure and wait for decryption?
I have a feeling that both of those methods are only happening on the client side, and this is what I want. But then it doesn't make sense for decryption.
Thanks for the clarification, as I can't find any MS documentation for this.
Operations that use the public key - if they can download the public key, i.e. the caller has the "get" permission - will happen on the client. The public key is downloaded and the operation performed. If the caller doesn't have the "get" permission on that key, the operation will be performed on the Key Vault server. These operations include:
Operations that require the private key will always be performed on the server, unless you created a CryptographyClient from your own JSON web key (JWK) that has both the public and private keys.
These operations include:
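The following C# program is an added example and is not code from the question, the answer, or the Azure SDK documentation. It makes the answer's distinction observable: one CryptographyClient is bound to the key id with a credential (it can reach the service, so private-key operations go to Key Vault), and a second one is built from the public JWK that GetKey returns (it has no credential and no key id, so everything it does is local, and Decrypt cannot succeed because Key Vault never hands out the private half). The vault URL and key name are placeholders; the packages assumed are Azure.Identity and Azure.Security.KeyVault.Keys.

```csharp
// Added example, not part of the original question or answer.
// Assumes NuGet packages Azure.Identity and Azure.Security.KeyVault.Keys,
// and an existing RSA key in the vault. Vault URL and key name are placeholders.
using System;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;

class KeyVaultRsaOaepDemo
{
    static void Main()
    {
        // Placeholders: replace with your own vault URL and key name.
        var vaultUri = new Uri("https://<your-vault-name>.vault.azure.net/");
        const string keyName = "<your-rsa-key-name>";
        var credential = new DefaultAzureCredential();

        // Fetch the key metadata. The service only ever returns the public half
        // (modulus N and exponent E); the private half stays in the vault/HSM.
        var keyClient = new KeyClient(vaultUri, credential);
        KeyVaultKey key = keyClient.GetKey(keyName);
        Console.WriteLine($"Key id: {key.Id}");
        Console.WriteLine($"Allowed operations: {string.Join(", ", key.KeyOperations)}");
        Console.WriteLine($"Private key material returned: {key.Key.HasPrivateKey}"); // false

        // Constructed sample plaintext; RSA-OAEP can only wrap a short message,
        // so real systems encrypt a data key with it rather than bulk data.
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample plaintext");

        // Client 1: bound to the key id with a credential.
        // Encrypt may run locally (after downloading the public key) or on the
        // service; Decrypt always goes to Key Vault, since only the service holds
        // the private key.
        var remoteCapable = new CryptographyClient(key.Id, credential);
        EncryptResult enc = remoteCapable.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);
        DecryptResult dec = remoteCapable.Decrypt(EncryptionAlgorithm.RsaOaep, enc.Ciphertext);
        Console.WriteLine($"Round trip via key-id client: {Encoding.UTF8.GetString(dec.Plaintext)}");

        // Client 2: built from the public JWK only, with no credential or key id.
        // It cannot reach the service, so every operation is local. Encrypt works
        // with just the public key; Decrypt cannot.
        var localOnly = new CryptographyClient(key.Key);
        EncryptResult localEnc = localOnly.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);
        Console.WriteLine($"Local-only encrypt produced {localEnc.Ciphertext.Length} bytes");

        // Ciphertext produced locally is still decryptable by the service, which
        // shows both paths use the same key pair.
        DecryptResult crossDec = remoteCapable.Decrypt(EncryptionAlgorithm.RsaOaep, localEnc.Ciphertext);
        Console.WriteLine($"Service decrypt of local ciphertext: {Encoding.UTF8.GetString(crossDec.Plaintext)}");

        try
        {
            localOnly.Decrypt(EncryptionAlgorithm.RsaOaep, localEnc.Ciphertext);
            Console.WriteLine("Unexpected: local-only client decrypted without a private key");
        }
        catch (Exception ex)
        {
            // The exact exception type depends on the SDK version and is not
            // asserted here; the point is that a public-key-only client cannot decrypt.
            Console.WriteLine($"Local-only decrypt refused as expected: {ex.GetType().Name}");
        }
    }
}
```

Two practical notes on the design. First, the key-id client is the normal choice; the JWK-only client is useful when you want to be certain that encryption never leaves your process (for example, on a host that has no network path to the vault at encrypt time). Second, RsaOaep in Key Vault is OAEP with SHA-1 padding, so a 2048-bit key can encrypt at most 214 bytes of plaintext per call; larger payloads should be encrypted with a symmetric data key that is itself protected with the RSA key (WrapKey/UnwrapKey follow the same local-versus-service split as Encrypt/Decrypt).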