C# 如何在Azure.Storage v12中使用Azure KeyVault密钥解密Blob
我们的代码当前使用旧的 Microsoft.WindowsAzure.Storage 库访问 Azure 中的 Blob 存储。我正在尝试用新的 v12 Azure.Storage.Blobs 库替换它,但不知道在 v12 中应如何解密/加密 Blob(客户端加密,密钥保存在 Azure Key Vault)。MS 文档(原链接已丢失)"很有帮助地"指出 v12 的代码片段尚未准备好,因此没有代码示例。旧代码如下所示:
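// Legacy client-side decryption (Microsoft.WindowsAzure.Storage + Microsoft.Azure.KeyVault).
// The resolver authenticates to Key Vault with an AppAuthentication token and hands the
// resolved key-encryption key to a BlobEncryptionPolicy, which decrypts the blob stream
// on download.
var tokenProvider = new AzureServiceTokenProvider();
// Fix: the original snippet referenced `_tokenProvider`, which is never declared here;
// the callback must come from the provider created on the line above.
var cloudResolver = new KeyVaultKeyResolver(
    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
// Key identifier = <vault URL>/keys/<key name>; resolved once and reused by the policy.
var encryptionThingy = await cloudResolver.ResolveKeyAsync(<Key Vault URL> + "/keys/" + <key name>, CancellationToken.None);
var policy = new BlobEncryptionPolicy(encryptionThingy, cloudResolver);
var options = new BlobRequestOptions() { EncryptionPolicy = policy };
await <ICloudBlob Instance>.DownloadToStreamAsync(<stream>, null, options, null);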
到目前为止,我在这里得到了新的代码:
// The asker's first v12 attempt — kept as written; it does not compile/run (see notes).
var azureKeys = new KeyClient(new Uri(<key vault url>), new DefaultAzureCredential());
// GetKey returns a KeyVaultKey, a model of the key rather than a wrap/unwrap primitive,
// so it does not implement IKeyEncryptionKey.
var encKey = azureKeys.GetKey(<key name>);
ClientSideEncryptionOptions encryptionOptions = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0)
{
// NOTE(review): `key` is not declared in this snippet (the variable above is `encKey`);
// either way the cast is what throws. A CryptographyClient for the key is the type the
// SDK expects here.
KeyEncryptionKey = (IKeyEncryptionKey)key
};
// NOTE(review): the encryption options are attached to bsClient only; containerClient is
// built straight from the connection string without them, so a blob client obtained
// from it would not apply client-side encryption even if the cast succeeded.
var bsClient = new BlobServiceClient(cStr, new SpecializedBlobClientOptions() { ClientSideEncryption = encryptionOptions });
var containerClient = new BlobContainerClient(cStr, containerName);
// NOTE(review): `bClient` is not declared in the snippet.
bClient = containerClient.GetBlobClient(<blob name>);
当然,这会引发异常,因为 KeyVaultKey 无法转换为 IKeyEncryptionKey。所以我的问题是:在 v12 中应该把什么对象赋给 KeyEncryptionKey?我认为应该有办法做到这一点,而不需要自己实现 IKeyEncryptionKey 接口,但 MS 以其无穷的智慧认为不值得把这几行加进文档。

[回答] 我为您编写了一个简单的演示。请尝试下面这个使用 Azure Key Vault 做 Blob 客户端加密的 C# 控制台应用程序(要点:把 CryptographyClient 赋给 KeyEncryptionKey、把 KeyResolver 赋给 KeyResolver,而不是使用 KeyClient.GetKey 返回的 KeyVaultKey):
using System;
using System.Collections.Generic;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Specialized;
namespace BlobEncyptionWithBlob
{
    /// <summary>
    /// Console demo of client-side (envelope) encryption with the v12 Azure.Storage.Blobs
    /// SDK, using an RSA key in Azure Key Vault as the key-encryption key (KEK).
    /// Uploads a local file (encrypted on the way up), adds custom metadata without
    /// losing the encryption metadata, then downloads it again (decrypted on the way down).
    /// </summary>
    class Program
    {
        static void Main(string[] args)
        {
            // --- configuration: fill in for your environment ---
            string vaultName = "";
            string kekName = "";
            // Key identifier of the KEK in Key Vault.
            string kekUri = "https://" + vaultName + ".vault.azure.net/keys/" + kekName;
            // SECURITY: a connection string embeds the storage account key. Prefer
            // new BlobServiceClient(new Uri("https://<account>.blob.core.windows.net"), cred)
            // so one Azure AD identity covers both Storage and Key Vault, and never commit
            // a real connection string to source control.
            string connectionString = "";
            string container = "";
            string blobName = "encypt.txt";
            string sourcePath = @"C:\Users\Administrator\Desktop\123.txt";
            string targetPath = @"C:\Users\Administrator\Desktop\123-decode.txt";

            // Alternative: an explicit service principal (client-credentials flow).
            // Keep the secret out of source; read it from configuration or a vault.
            //string clientID = "<OAuth Client ID>";
            //string clientSecret = "<OAuth Secret>";
            //string tenant = "<OAuth Tenant ID>";
            //var cred = new ClientSecretCredential(tenant, clientID, clientSecret);
            // DefaultAzureCredential is the direct replacement for the legacy
            // AzureServiceTokenProvider (managed identity, CLI, VS, environment, ...).
            var cred = new DefaultAzureCredential();

            // CryptographyClient implements IKeyEncryptionKey: the wrap/unwrap operations
            // are performed by Key Vault, so the private key never leaves the vault.
            var kek = new CryptographyClient(new Uri(kekUri), cred);
            // KeyResolver is used on download to resolve the key id recorded in the blob's
            // encryptiondata metadata, so blobs wrapped with other keys still decrypt.
            var resolver = new KeyResolver(cred);

            // SECURITY: V1_0 is the format the legacy library wrote (AES-CBC with no
            // integrity protection) and was later deprecated in favour of V2_0 (AES-GCM)
            // after CVE-2022-30187. Keep V1_0 only while you must interoperate with existing
            // V1 blobs; use V2_0 for new data once the SDK version in use supports it.
            var encryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0)
            {
                KeyEncryptionKey = kek,
                KeyResolver = resolver,
                // Key Vault's "RSA-OAEP" is OAEP with SHA-1; "RSA-OAEP-256" is the stronger
                // choice for new blobs when nothing else has to unwrap with the old name.
                KeyWrapAlgorithm = "RSA-OAEP"
            };
            BlobClientOptions clientOptions = new SpecializedBlobClientOptions()
            {
                ClientSideEncryption = encryption
            };

            // Clients derived from this service client inherit the encryption options.
            var serviceClient = new BlobServiceClient(connectionString, clientOptions);
            var blob = serviceClient
                .GetBlobContainerClient(container)
                .GetBlobClient(blobName);

            // Upload: the SDK encrypts the content and stores the wrapped content key and
            // algorithm details in the blob's "encryptiondata" metadata entry.
            blob.Upload(sourcePath);

            // SetMetadata replaces the blob's whole metadata set, so the "encryptiondata"
            // entry written at upload must be merged back in or the blob becomes
            // undecryptable. As in the original, the caller's own keys take precedence.
            var merged = new Dictionary<string, string>
            {
                { "comment", "dis file is da shiznit" }
            };
            foreach (var existing in blob.GetProperties().Value.Metadata)
            {
                if (!merged.ContainsKey(existing.Key))
                {
                    merged.Add(existing.Key, existing.Value);
                }
            }
            blob.SetMetadata(merged);

            // Download: the SDK reads encryptiondata, unwraps the content key through the
            // resolver/KEK and writes the decrypted bytes to disk.
            blob.DownloadTo(targetPath);
        }
    }
}
结果(原帖附有截图,此处未保留):
我的本地 .txt 文件内容:
上传到 Blob 之后,其内容已被加密:
再次下载到本地后,其内容已被解密:
[提问者评论] 使用 ClientSecretCredential 时,代码走的是新的 OAuth2 客户端凭据流程。要真正替换旧代码(AzureServiceTokenProvider),我必须改用 DefaultAzureCredential,即 cred 应这样创建:`var appCred = new DefaultAzureCredential();`。这篇文档对我很有帮助(原链接已丢失)。

[回答者评论] @lan 我想你关注的重点是 ClientSideEncryptionOptions,我这里只是用 ClientSecretCredential 做演示。无论如何,如果我的帖子有帮助,你能接受它作为答案吗?

[提问者评论] 我已经编辑了你的答案,以更恰当地回答这个问题。