articles/storage/common/storage-service-encryption.md
Lines changed: 16 additions & 12 deletions
@@ -85,25 +85,29 @@ To learn how to use customer-managed keys with Azure Storage, see one of these a
85
85
86
86
Clients making requests against Azure Blob storage have the option to provide an encryption key on an individual request. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys (preview) can be stored in Azure Key Vault or in another key store.
87
87
88
-
When a client application provides the encryption key on the request, Azure Storage performs encryption and decryption transparently while writing and reading data from Blob storage. A SHA-256 hash of the encryption key is written alongside a blob's contents and is used to verify that all subsequent operations against the blob use the same encryption key. Azure Storage does not store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.
88
+
### Encrypting read and write operations
89
89
90
-
To send the encryption key as part of the request, a client must establish a secure connection to Azure Storage using HTTPS.
90
+
When a client application provides an encryption key on the request, Azure Storage performs encryption and decryption transparently while reading and writing blob data. A SHA-256 hash of the encryption key is written alongside a blob's contents and is used to verify that all subsequent operations against the blob use the same encryption key. Azure Storage does not store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.
91
+
92
+
When a client creates or updates a blob using a customer-provided key, then subsequent read and write requests for that blob must also provide the key. If the key is not provided on a request for a blob that has already been encrypted with a customer-provided key, then the request fails with error code 409 (Conflict).
91
93
92
-
If the client application sends an encryption key on the request, and the storage account is also encrypted using a Microsoft-managed key or a customer-managed key, then Azure Storage will use the key provided on the request for encryption and decryption.
94
+
If the client application sends an encryption key on the request, and the storage account is also encrypted using a Microsoft-managed key or a customer-managed key, then Azure Storage uses the key provided on the request for encryption and decryption.
95
+
96
+
To send the encryption key as part of the request, a client must establish a secure connection to Azure Storage using HTTPS.
93
97
94
-
When performing operations on blob snapshots, each snapshot can have its own encryption key.
98
+
Each blob snapshot can have its own encryption key.
95
99
96
100
### Request headers for specifying customer-provided keys
97
101
98
-
Clients can use the following headers to securely pass encryption key information on a request to Blob storage:
102
+
For REST calls, clients can use the following headers to securely pass encryption key information on a request to Blob storage:
99
103
100
104
|Request Header | Description |
101
105
|---------------|-------------|
102
-
|`x-ms-encryption-key`|Required. A Base64-encoded AES-256 encryption key value. |
103
-
|`x-ms-encryption-key-sha256`| Required. The Base64-encoded SHA256 of the encryption key. |
104
-
|`x-ms-encryption-algorithm`| Required. Specifies the algorithm to use when encrypting data using the given key. Must be AES256. |
106
+
|`x-ms-encryption-key`|Required for both write and read requests. A Base64-encoded AES-256 encryption key value. |
107
+
|`x-ms-encryption-key-sha256`| Required for both write and read requests. The Base64-encoded SHA256 of the encryption key. |
108
+
|`x-ms-encryption-algorithm`| Required for write requests, optional for read requests. Specifies the algorithm to use when encrypting data using the given key. Must be AES256. |
105
109
106
-
Specifying encryption keys on the request is optional. However, if you specify one of the headers listed above, you must specify all of them.
110
+
Specifying encryption keys on the request is optional. However, if you specify one of the headers listed above for a write operation, then you must specify all of them.
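Review bot: The new 409 (Conflict) paragraph documents only the missing-key case, while the paragraph just above it says the stored SHA-256 hash is used to verify that subsequent operations use the same key; state what a request with a different (mismatched) key returns as well, so a reader can tell the two failures apart when troubleshooting. Two smaller points in the headers table: "A Base64-encoded AES-256 encryption key value" would be more precise as "a Base64-encoded 256-bit (32-byte) AES key", which also matches the AES256 requirement in the `x-ms-encryption-algorithm` row; and since `x-ms-encryption-algorithm` is now "optional for read requests", the closing sentence ("if you specify one of the headers listed above for a write operation, then you must specify all of them") should say explicitly that read requests still need both `x-ms-encryption-key` and `x-ms-encryption-key-sha256` together, as the table's "Required for both write and read requests" wording implies.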
@@ -125,16 +129,16 @@ The following Blob storage operations support sending customer-provided encrypti
125
129
126
130
### Rotate customer-provided keys
127
131
128
-
To rotate an encryption key passed on the request, download the blob and re-upload it with the new encryption key. Provide the original encryption key using the `x-ms-source-encryption-key` header. Provide the new encryption key using the `x-ms-encryption-key` header. The key is rotated when the copy operation completes.
132
+
To rotate an encryption key passed on the request, download the blob and re-upload it with the new encryption key.
129
133
130
134
> [!IMPORTANT]
131
135
> The Azure portal cannot be used to read from or write to a container or blob that is encrypted with a key provided on the request.
132
136
>
133
137
> Be sure to protect the encryption key that you provide on a request to Blob storage in a secure key store like Azure Key Vault. If you attempt a write operation on a container or blob without the encryption key, the operation will fail, and you will lose access to the object.
134
138
135
-
### Example: Use a customer-provided key to upload a blob
139
+
### Example: Use a customer-provided key to upload a blob in .NET
136
140
137
-
The following example creates a customer-provided key and uses that key to upload a blob. The code uploads a block, then commits the block list to write the blob to Azure Storage.
141
+
The following example creates a customer-provided key and uses that key to upload a blob. The code uploads a block, then commits the block list to write the blob to Azure Storage. The key is provided on the [BlobRequestOptions](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions) object by setting the [CustomerProvidedKey](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.customerprovidedkey) property.
138
142
139
143
The key is created with the [AesCryptoServiceProvider](/dotnet/api/system.security.cryptography.aescryptoserviceprovider) class. To create an instance of this class in your code, add a `using` statement that references the `System.Security.Cryptography` namespace:
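Review bot: Removing the `x-ms-source-encryption-key` sentence from the rotation paragraph leaves "download the blob and re-upload it with the new encryption key" with no guidance on which key the download must present; per the headers table in the previous hunk, the download is a read request that must carry the current key in `x-ms-encryption-key` and `x-ms-encryption-key-sha256`, and only the re-upload carries the new key, so spell that out (and, if the copy-based rotation path with `x-ms-source-encryption-key` is being dropped because it is unsupported, say so in the commit message rather than silently deleting it). In the renamed ".NET" example heading, the added sentence on `BlobRequestOptions.CustomerProvidedKey` reads well; consider also noting that the same key must be set on the `BlobRequestOptions` of later read calls, which follows from the 409 (Conflict) behaviour documented above.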