
Cryptography component specs

The supported cryptography components that interface with Dapr

Table headers to note:

Header | Description | Example
Status | Component certification status | Alpha, Beta, Stable
Component version | The version of the component | v1
Since runtime version | The version of the Dapr runtime when the component status was set or updated | 1.11

Using the Dapr cryptography engine

Component | Status | Component version | Since runtime version
JSON Web Key Sets (JWKS) | Alpha | v1 | 1.11
Kubernetes secrets | Alpha | v1 | 1.11
Local storage | Alpha | v1 | 1.11

Microsoft Azure

Component | Status | Component version | Since runtime version
Azure Key Vault | Alpha | v1 | 1.11

1 - Azure Key Vault

Detailed information on the Azure Key Vault cryptography component

Component format

A Dapr crypto.yaml component file has the following structure:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: crypto.azure.keyvault
  metadata:
  - name: vaultName
    value: mykeyvault
  # See authentication section below for all options
  - name: azureTenantId
    value: ${{AzureKeyVaultTenantId}}
  - name: azureClientId
    value: ${{AzureKeyVaultServicePrincipalClientId}}
  - name: azureClientSecret
    value: ${{AzureKeyVaultServicePrincipalClientSecret}}

Authenticating with Microsoft Entra ID

The Azure Key Vault cryptography component supports authentication with Microsoft Entra ID only. Before you enable this component:

  1. Read the Authenticating to Azure document.
  2. Create a Microsoft Entra ID application (also called a Service Principal).
  3. Alternatively, create a managed identity for your application platform.

Spec metadata fields

Field | Required | Details | Example
vaultName | Y | Azure Key Vault name | "mykeyvault"
Auth metadata | Y | See Authenticating to Azure for more information |

2 - JSON Web Key Sets (JWKS)

Detailed information on the JWKS cryptography component

Component format

The purpose of this component is to load keys from a JSON Web Key Set (RFC 7517). A JWKS is a JSON document containing one or more keys, each represented as a JWK (JSON Web Key); the keys can be public, private, or shared (symmetric) keys.

This component supports loading a JWKS:

  • From a local file; in this case, Dapr watches for changes to the file on disk and reloads it automatically.
  • From an HTTP(S) URL, which is periodically refreshed.
  • By passing the actual JWKS in the jwks metadata property, as a string (optionally, base64-encoded).

A Dapr crypto.yaml component file has the following structure:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: jwks
spec:
  type: crypto.dapr.jwks
  version: v1
  metadata:
    # Set "jwks" exactly once: the options below are alternatives, shown together only for illustration.
    # Option 1: load the JWKS from a local file (watched and reloaded on change)
    - name: "jwks"
      value: "fixtures/crypto/jwks/jwks.json"
    # Option 2: load the JWKS from an HTTP(S) URL (periodically refreshed)
    # Only "jwks" is required; "requestTimeout" and "minRefreshInterval" are optional
    - name: "jwks"
      value: "https://example.com/.well-known/jwks.json"
    - name: "requestTimeout"
      value: "30s"
    - name: "minRefreshInterval"
      value: "10m"
    # Option 3: embed the JWKS document itself
    - name: "jwks"
      value: |
        {
          "keys": [
            {
              "kty": "RSA",
              "use": "sig",
              "kid": "…",
              "n": "…",
              "e": "…",
              "issuer": "https://example.com"
            }
          ]
        }
    # Option 3b: embed the JWKS base64-encoded
    - name: "jwks"
      value: |
        eyJrZXlzIjpbeyJ…

Spec metadata fields

Field | Required | Details | Example
jwks | Y | Path, URL, or inline content of the JWKS document | Local file: "fixtures/crypto/jwks/jwks.json"; HTTP(S) URL: "https://example.com/.well-known/jwks.json"; embedded JWKS: {"keys": […]} (can be base64-encoded)
requestTimeout | N | Timeout for network requests when fetching the JWKS document from an HTTP(S) URL, as a Go duration. Default: "30s" | "5s"
minRefreshInterval | N | Minimum interval to wait between subsequent refreshes of the JWKS document from an HTTP(S) source, as a Go duration. Default: "10m" | "1h"
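The three loading modes above are distinguished by the shape of the single "jwks" value. The following is an added example, not Dapr's own code: it classifies a "jwks" metadata value the way the spec describes (URL, inline JSON, base64-encoded JSON, otherwise a file path) and then labels each key in the set as public, private, or symmetric, which is what a reviewer wants to know before wiring a JWKS source into a sidecar. The sample JWKS and the assumption that keys are requested by their "kid" are constructed for this example.

```python
import base64
import binascii
import json
from urllib.parse import urlparse

# Constructed sample JWKS (placeholder parameters, not real key material):
# one RSA public signing key and one symmetric "oct" key.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "rsa-1", "n": "AQAB", "e": "AQAB"},
    {"kty": "oct", "kid": "hmac-1", "k": "c2VjcmV0"},
]})
# The same document base64-encoded, as option 3b in the component spec allows.
SAMPLE_JWKS_B64 = base64.b64encode(SAMPLE_JWKS.encode()).decode()

def classify_jwks_source(value):
    """Map a "jwks" metadata value to the loading mode it selects:
    ("url", v), ("inline", parsed_dict) or ("file", v)."""
    v = value.strip()
    if urlparse(v).scheme.lower() in ("http", "https"):
        return ("url", v)
    if v.startswith("{"):
        return ("inline", json.loads(v))
    # Neither URL nor literal JSON: accept base64-encoded JSON before
    # falling back to treating the value as a path on disk.
    try:
        decoded = base64.b64decode(v, validate=True)
        if decoded.lstrip().startswith(b"{"):
            return ("inline", json.loads(decoded))
    except (binascii.Error, ValueError):
        pass
    return ("file", v)

def summarize_keys(jwks):
    """Label each JWK by the material it carries: "oct" keys are symmetric
    secrets, RSA/EC keys with a "d" parameter are private keys, the rest are
    public. A missing "kid" is reported, since keys are assumed to be
    requested by that name."""
    rows = []
    for k in jwks.get("keys", []):
        if k.get("kty") == "oct":
            kind = "symmetric"
        elif "d" in k:
            kind = "private"
        else:
            kind = "public"
        rows.append((k.get("kid", "<missing kid>"), k.get("kty"), kind))
    return rows
```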


3 - Kubernetes Secrets

Detailed information on the Kubernetes secret cryptography component

Component format

The purpose of this component is to load keys from Kubernetes secrets: the requested key name identifies the secret to read (see the defaultNamespace field below for the name format).

A Dapr crypto.yaml component file has the following structure:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: <NAME>
spec:
  type: crypto.dapr.kubernetes.secrets
  version: v1
  metadata: []

Spec metadata fields

Field | Required | Details | Example
defaultNamespace | N | Default namespace to retrieve secrets from. If unset, the namespace must be specified for each key, as namespace/secretName/key | "default-ns"
kubeconfigPath | N | The path to the kubeconfig file. If not specified, the component uses the default in-cluster config value | "/path/to/kubeconfig"


4 - Local storage

Detailed information on the local storage cryptography component

Component format

The purpose of this component is to load keys from a local directory.

The component accepts as input the name of a folder, and loads keys from there. Each key is in its own file, and when users request a key with a given name, Dapr loads the file with that name.

Supported file formats:

  • PEM with public and private keys (supports: PKCS#1, PKCS#8, PKIX)
  • JSON Web Key (JWK) containing a public, private, or symmetric key
  • Raw key data for symmetric keys

A Dapr crypto.yaml component file has the following structure:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mycrypto
spec:
  type: crypto.dapr.localstorage
  version: v1
  metadata:
    - name: path
      value: /path/to/folder/

Spec metadata fields

Field | Required | Details | Example
path | Y | Folder containing the keys to be loaded. When loading a key, the key name is used as the name of the file in this folder. | /path/to/folder

Example

Let’s say you’ve set path=/mnt/keys, which contains the following files:

  • /mnt/keys/mykey1.pem
  • /mnt/keys/mykey2

When using the component, you can reference the keys as mykey1.pem and mykey2.
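Because every file in the folder becomes a loadable key, it is worth auditing the folder before pointing the component at it. The following is an added example, not part of Dapr: it classifies each file by the format families listed above (PEM by its header label, JWK by its "kty", anything else as raw symmetric key bytes) and flags secret material whose file mode lets group or others read it. The permission check is this example's own hygiene rule, not something the component enforces, and the sample folder it builds is constructed with placeholder key material.

```python
import json
import os
import re
import tempfile

# PEM labels for the encodings the page lists (PKCS#1, PKCS#8, PKIX) and
# whether a block with that label holds private material.
PEM_LABELS = {"RSA PRIVATE KEY": ("PKCS#1", True), "RSA PUBLIC KEY": ("PKCS#1", False),
              "PRIVATE KEY": ("PKCS#8", True), "PUBLIC KEY": ("PKIX", False)}
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")

def classify_key_file(path):
    """(format, holds_secret) for one file: PEM by header label, JWK by "kty", else raw key bytes."""
    with open(path, "rb") as f:
        data = f.read()
    m = PEM_HEADER.search(data)
    if m:
        label = m.group(1).decode()
        return PEM_LABELS.get(label, ("unsupported PEM: " + label, True))
    try:
        jwk = json.loads(data)
        if isinstance(jwk, dict) and "kty" in jwk:
            # "oct" JWKs are symmetric secrets; a "d" parameter marks an asymmetric private key
            return "JWK " + jwk["kty"], jwk["kty"] == "oct" or "d" in jwk
    except ValueError:  # not JSON (UnicodeDecodeError is a ValueError too)
        pass
    return "raw symmetric key", True

def audit_key_folder(path):
    """Keys the component would serve by file name, flagging secrets readable by group/others."""
    report = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            fmt, secret = classify_key_file(full)
            report.append((name, fmt, secret, secret and bool(os.stat(full).st_mode & 0o077)))
    return report

def build_sample_folder():
    """Constructed stand-in for the page's /mnt/keys folder (placeholder key material only)."""
    d = tempfile.mkdtemp()
    files = {"mykey1.pem": b"-----BEGIN PRIVATE KEY-----\nMIIB...placeholder...\n-----END PRIVATE KEY-----\n",
             "mykey2": b"\xde\xad\xbe\xef" * 8,
             "mykey3.json": json.dumps({"kty": "oct", "k": "c2VjcmV0"}).encode()}
    for name, content in files.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        os.chmod(p, 0o600 if name == "mykey1.pem" else 0o644)  # mykey2/mykey3 deliberately too open
    return d
```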
