Reputation: 77
I use Azure KeyVault encryption for Azure "Block Blobs" uploads, but when I use Azure "Cloud Append Blobs" with Azure KeyVault encryption, it gives the following error. (I am using a .NET application for blob uploading.)
"Encryption is not supported for a blob that already exists. Please do not specify an encryption policy."
Please help me resolve this, since I need to upload the "Cloud Append Blob" with KeyVault encryption.
Code Segment:
ConnectToKeyVaultClient();
// Resolve the Key Vault secret that is used as the encryption key.
var identifier = new SecretIdentifier(keyVaultUrl, encryptionSecretName);
IKey key = CachingKeyResolver.ResolveKeyAsync(identifier.Identifier, CancellationToken.None).Result;
// Client-side encryption policy, passed with every request below.
BlobEncryptionPolicy blobEncryptionPolicy = new BlobEncryptionPolicy(key, null);
BlobRequestOptions blobRequestOptions = new BlobRequestOptions() { EncryptionPolicy = blobEncryptionPolicy };
CloudAppendBlob cloudAppendBlob = blobContainer.GetAppendBlobReference("ABC");
if (!cloudAppendBlob.Exists())
{
    cloudAppendBlob.CreateOrReplace(null, blobRequestOptions, null);
}
// Append with the encryption policy still set.
cloudAppendBlob.AppendFromStream(stream, null, blobRequestOptions, null);
Upvotes: 0
Views: 198
Reputation: 9926
Just as the error message says, you can't perform an append operation on an encrypted blob. Blob encryption uses something they call the "envelope" method, which is a wrapper structure that describes the encryption keys so that decryption can be automated.
Two statements in the documentation relate to your issue:
The client library currently supports encryption of whole blobs only. Specifically, encryption is supported when users use the UploadFrom* methods or the OpenWrite method.
and:
When reading from or writing to an encrypted blob, use whole blob upload commands and range/whole blob download commands. Avoid writing to an encrypted blob using protocol operations such as Put Block, Put Block List, Write Pages, Clear Pages, or Append Block; otherwise you may corrupt the encrypted blob and make it unreadable.
Upvotes: 1
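One way to keep append-like behaviour while staying inside the whole-blob operations the quoted documentation allows, as an added example that is not code from the question or the answer: it swaps the append blob for a block blob and re-uploads the complete content on every append. `EncryptedAppendExample` and `AppendEncrypted` are hypothetical names, and the sketch assumes the legacy `Microsoft.WindowsAzure.Storage` SDK used in the question and that the supplied key's identifier matches the one recorded in the blob's encryption metadata.

```csharp
using System.IO;
using Microsoft.Azure.KeyVault.Core;          // IKey
using Microsoft.WindowsAzure.Storage;         // AccessCondition
using Microsoft.WindowsAzure.Storage.Blob;    // CloudBlobContainer, CloudBlockBlob

public static class EncryptedAppendExample    // hypothetical helper, not part of the SDK
{
    // Emulates "append" on a client-side-encrypted blob by rewriting the whole blob.
    public static void AppendEncrypted(CloudBlobContainer container, string blobName,
                                       IKey key, Stream newData)
    {
        // Same policy shape as in the question: a key, no resolver.
        var options = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(key, null)
        };
        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

        using (var buffer = new MemoryStream())
        {
            AccessCondition condition;
            if (blob.Exists())
            {
                // Whole-blob download: the library decrypts using the envelope metadata.
                blob.DownloadToStream(buffer, null, options, null);
                // Overwrite only if the blob is unchanged since it was read.
                condition = AccessCondition.GenerateIfMatchCondition(blob.Properties.ETag);
            }
            else
            {
                // First write: fail if another writer created the blob meanwhile.
                condition = AccessCondition.GenerateIfNotExistsCondition();
            }

            newData.CopyTo(buffer);   // plaintext = existing content + new content
            buffer.Position = 0;

            // Whole-blob upload (UploadFrom*): encrypted before it leaves the process.
            blob.UploadFromStream(buffer, condition, options, null);
        }
    }
}
```

Each call transfers and re-encrypts the full blob and holds the plaintext in memory, so this suits small or infrequently appended blobs. A failed ETag condition surfaces as a `StorageException` with HTTP status 412, which the caller can handle by retrying the read-modify-write.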