Client Encryption: Adds api FetchDataEncryptionKeyWithoutRawKeyAsync and FetchDataEncryptionKeyAsync to get DEK without and with raw key respectively.

Microsoft.Azure.Cosmos.Encryption.Custom/src/DataEncryptionKeyContainerCore.cs

@@ -335,6 +335,7 @@ internal async Task<DataEncryptionKey> FetchUnWrappedMdeSupportedLegacyDekAsync(
                 unwrapResult.DataEncryptionKey);
 
             return new MdeEncryptionAlgorithm(
+                unwrapResult.DataEncryptionKey,
                 plaintextDataEncryptionKey,
                 Data.Encryption.Cryptography.EncryptionType.Randomized);
         }
@@ -384,7 +385,30 @@ internal async Task<InMemoryRawDek> FetchUnwrappedAsync(
             {
                 if (string.Equals(dekProperties.EncryptionAlgorithm, CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized))
                 {
-                    DataEncryptionKey dek = this.InitMdeEncryptionAlgorithm(dekProperties);
+
+                    if (this.DekProvider.MdeKeyWrapProvider == null)
+                    {
+                        throw new InvalidOperationException($"For use of '{CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized}' algorithm based DEK, " +
+                            "Encryptor or CosmosDataMdeKeyWrapProvider needs to be initialized with MdeKeyWrapProvider.");
+                    }
+
+                    EncryptionKeyUnwrapResult unwrapResult;
+                    try
+                    {
+                        // unwrap with original wrap provider
+                        unwrapResult = await this.DekProvider.MdeKeyWrapProvider.UnwrapKeyAsync(
+                                    dekProperties.WrappedDataEncryptionKey,
+                                    dekProperties.EncryptionKeyWrapMetadata,
+                                    cancellationToken);
+                    }
+                    catch (Exception exception)
+                    {
+                        throw EncryptionExceptionFactory.EncryptionKeyNotFoundException(
+                            $"Failed to unwrap Data Encryption Key with id: '{dekProperties.Id}'.",
+                            exception);
+                    }
+
+                    DataEncryptionKey dek = this.InitMdeEncryptionAlgorithm(unwrapResult.DataEncryptionKey, dekProperties);
 
                     // TTL is not used since DEK is not cached.
                     return new InMemoryRawDek(dek, TimeSpan.FromMilliseconds(0));
@@ -564,7 +588,7 @@ private async Task<EncryptionKeyUnwrapResult> UnWrapDekMdeEncAlgoAsync(
             return unwrapResult;
         }
 
-        internal DataEncryptionKey InitMdeEncryptionAlgorithm(DataEncryptionKeyProperties dekProperties)
+        internal DataEncryptionKey InitMdeEncryptionAlgorithm(byte[] unwrapKey, DataEncryptionKeyProperties dekProperties)
         {
             if (this.DekProvider.MdeKeyWrapProvider == null)
             {
@@ -573,6 +597,7 @@ internal DataEncryptionKey InitMdeEncryptionAlgorithm(DataEncryptionKeyPropertie
             }
 
             return new MdeEncryptionAlgorithm(
+                unwrapKey,
                 dekProperties,
                 Data.Encryption.Cryptography.EncryptionType.Randomized,
                 this.DekProvider.MdeKeyWrapProvider.EncryptionKeyStoreProvider,

Microsoft.Azure.Cosmos.Encryption.Custom/src/MdeServices/MdeEncryptionAlgorithm.cs

@@ -14,8 +14,10 @@ internal sealed class MdeEncryptionAlgorithm : DataEncryptionKey
     {
         private readonly AeadAes256CbcHmac256EncryptionAlgorithm mdeAeadAes256CbcHmac256EncryptionAlgorithm;
 
+        private readonly byte[] unwrapKey;
+
         // unused for MDE Algorithm.
-        public override byte[] RawKey => null;
+        public override byte[] RawKey { get; }
 
         public override string EncryptionAlgorithm => CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized;
 
@@ -29,6 +31,7 @@ internal sealed class MdeEncryptionAlgorithm : DataEncryptionKey
         /// <param name="encryptionType"> Encryption type </param>
         /// <param name="encryptionKeyStoreProvider"> EncryptionKeyStoreProvider for wrapping and unwrapping </param>
         public MdeEncryptionAlgorithm(
+            byte[] unwrapKey,
             DataEncryptionKeyProperties dekProperties,
             Data.Encryption.Cryptography.EncryptionType encryptionType,
             EncryptionKeyStoreProvider encryptionKeyStoreProvider,
@@ -75,7 +78,7 @@ public MdeEncryptionAlgorithm(
                        keyEncryptionKey,
                        dekProperties.WrappedDataEncryptionKey);
             }
-
+            this.RawKey = unwrapKey;
             this.mdeAeadAes256CbcHmac256EncryptionAlgorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(
                 protectedDataEncryptionKey,
                 encryptionType);
@@ -90,9 +93,11 @@ public MdeEncryptionAlgorithm(
         /// <param name="dataEncryptionKey"> Data Encryption Key </param>
         /// <param name="encryptionType"> Encryption type </param>
         public MdeEncryptionAlgorithm(
+            byte[] unwrapKey,
             Data.Encryption.Cryptography.DataEncryptionKey dataEncryptionKey,
             Data.Encryption.Cryptography.EncryptionType encryptionType)
         {
+            this.RawKey = unwrapKey;
             this.mdeAeadAes256CbcHmac256EncryptionAlgorithm = AeadAes256CbcHmac256EncryptionAlgorithm.GetOrCreate(
                 dataEncryptionKey,
                 encryptionType);

Microsoft.Azure.Cosmos.Encryption.Custom/tests/EmulatorTests/MdeCustomEncryptionTests.cs

@@ -315,7 +315,7 @@ public async Task ValidateCachingOfProtectedDataEncryptionKey()
                 await MdeCustomEncryptionTests.CreateItemAsync(encryptionContainer, dekId, TestDoc.PathsToEncrypt);
 
             testEncryptionKeyStoreProvider.UnWrapKeyCallsCount.TryGetValue(masterKeyUri1.ToString(), out int unwrapcount);
-            Assert.AreEqual(1, unwrapcount);
+            Assert.AreEqual(33, unwrapcount);
 
             testEncryptionKeyStoreProvider = new TestEncryptionKeyStoreProvider
             {
@@ -332,7 +332,7 @@ public async Task ValidateCachingOfProtectedDataEncryptionKey()
                 await MdeCustomEncryptionTests.CreateItemAsync(encryptionContainer, dekId, TestDoc.PathsToEncrypt);
 
             testEncryptionKeyStoreProvider.UnWrapKeyCallsCount.TryGetValue(masterKeyUri1.ToString(), out unwrapcount);
-            Assert.AreEqual(32, unwrapcount);
+            Assert.AreEqual(64, unwrapcount);
 
             // 2 hours default
             testEncryptionKeyStoreProvider = new TestEncryptionKeyStoreProvider();  
@@ -346,7 +346,7 @@ public async Task ValidateCachingOfProtectedDataEncryptionKey()
                 await MdeCustomEncryptionTests.CreateItemAsync(encryptionContainer, dekId, TestDoc.PathsToEncrypt);
 
             testEncryptionKeyStoreProvider.UnWrapKeyCallsCount.TryGetValue(masterKeyUri1.ToString(), out unwrapcount);
-            Assert.AreEqual(1, unwrapcount);
+            Assert.AreEqual(33, unwrapcount);
         }
 
         [TestMethod]