kosnkov

Reputation: 5941

Azure blob customerProvidedKey vs EncryptionPolicy

I need to encrypt files uploaded to Azure Blob storage, so that no one logged in to Azure can see them. One solution is to use encryption with a custom key. I found at least two ways of doing it, but I can't tell what the difference between them is; maybe some of you can help me.

The first solution is to create

BlobClientOptions options = new BlobClientOptions()
{
     CustomerProvidedKey = new CustomerProvidedKey(key)
};

and pass that option when creating the BlobServiceClient.

The second one is to create

BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

and use it when uploading the file:

blob.UploadFromStream(stream, stream.Length, null, options, null);

I can't find any documentation telling the difference between them.

Upvotes: 0

Views: 317

Answers (1)

Ivan Glasenberg

Reputation: 30015

CustomerProvidedKey is used to encrypt data on the Azure server side (officially, it's called encryption at rest); you can see this doc for more details. In short, when you use this kind of encryption, the data is not encrypted while it is being uploaded. After the upload completes, the data is encrypted on the Azure server side with the CustomerProvidedKey.

Note: CustomerProvidedKey is now in preview.

The second one, BlobEncryptionPolicy, is used to encrypt data on the client side. When you use this kind of encryption, the data is encrypted before it is uploaded to Azure.

Upvotes: 1
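
Added example, not part of the original answer and not Azure SDK code: a sketch of what each option hands to the storage service, using only System.Security.Cryptography on .NET 8 or later. The x-ms-encryption-* headers are the ones the Blob REST API uses for customer-provided keys; the metadata field names and the choice of AES-GCM with RSA-OAEP are assumptions for illustration, not the SDK's wire format.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample blob content");

// Option 1: CustomerProvidedKey. The AES-256 key is sent with the request.
byte[] cpk = RandomNumberGenerator.GetBytes(32);
var cpkReq = BuildCpkRequest(plaintext, cpk);
bool cpkBodyIsPlain = cpkReq.Body.SequenceEqual(plaintext);
bool cpkKeyIsSent = cpkReq.Headers["x-ms-encryption-key"] == Convert.ToBase64String(cpk);

// Option 2: client-side encryption. The RSA private key never leaves the caller.
using RSA kek = RSA.Create(2048);
var cseReq = BuildClientSideRequest(plaintext, kek);
bool cseBodyIsPlain = cseReq.Body.SequenceEqual(plaintext);

Console.WriteLine($"CPK: service receives plaintext={cpkBodyIsPlain}, key={cpkKeyIsSent}");
Console.WriteLine($"CSE: service receives plaintext={cseBodyIsPlain}, " +
                  $"metadata=[{string.Join(", ", cseReq.Metadata.Keys)}]");

static (Dictionary<string, string> Headers, byte[] Body) BuildCpkRequest(byte[] data, byte[] key)
{
    var headers = new Dictionary<string, string>
    {
        ["x-ms-encryption-key"] = Convert.ToBase64String(key),
        ["x-ms-encryption-key-sha256"] = Convert.ToBase64String(SHA256.HashData(key)),
        ["x-ms-encryption-algorithm"] = "AES256",
    };
    return (headers, data); // body is the plaintext; only TLS protects it in transit
}

static (Dictionary<string, string> Metadata, byte[] Body) BuildClientSideRequest(byte[] data, RSA kek)
{
    byte[] cek = RandomNumberGenerator.GetBytes(32);   // per-blob content encryption key
    byte[] nonce = RandomNumberGenerator.GetBytes(12);
    byte[] cipher = new byte[data.Length];
    byte[] tag = new byte[16];
    using (var gcm = new AesGcm(cek, 16)) gcm.Encrypt(nonce, data, cipher, tag);
    var metadata = new Dictionary<string, string>       // hypothetical field names
    {
        ["wrapped-cek"] = Convert.ToBase64String(kek.Encrypt(cek, RSAEncryptionPadding.OaepSHA256)),
        ["nonce"] = Convert.ToBase64String(nonce),
        ["tag"] = Convert.ToBase64String(tag),
    };
    return (metadata, cipher); // body is ciphertext; the service only ever stores a wrapped key
}
```

For the requirement in the question, the relevant difference is that under the first option the service sees both the key and the plaintext for the duration of each request, while under the second it sees neither.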
