Reputation: 13511
We have a scenario where we are storing scanned documents with sensitive information in them (let's say it's social security numbers for now). For us, there aren't regulations requiring this (no HIPAA or anything like that) so we don't have forced hoops to jump through, just common sense best practice that we'd like to follow with this.
I've been looking for some posted articles, blog posts, etc. to help me design and build such a system and it doesn't appear there are many resources on this subject matter. One that I did find is Using Certificate-Based Encryption in Windows Azure Applications and that covers the low-level encryption side of things well. However, what about the rest of the system? We need to integrate/implement an end-to-end solution from upload to storage to download via (ultimately) a web app. A few thoughts/questions that I don't necessarily need all answered but to help show where I'd like help and guidance:
Many thanks, and my apologies for this being a somewhat vague question. It's vague because I'm asking for resources to help educate me to know what more specific questions to ask (or to educate me on things that I don't know exist).
Upvotes: 1
Views: 382
Reputation: 5357
Assuming that this is a browser-based application then yes - you will need a web role to handle the encryption/decryption. If you're using a rich client then potentially that could handle it before storing/after retrieving.
Whether you could/should anticipate the download requirements and pre-decrypt is a question for your requirements/tolerances, but if the information is sensitive I agree that decrypting on the fly makes more sense.
Obviously you need to consider the authentication/authorisation of the web role to ensure you only serve documents to valid requestors. Also - as you've acknowledged - protecting the certificate is key (no pun intended).
Not sure what else you'd want to get, in that this story is not really an Azure one, but rather a .NET/security one, and asymmetric encryption is a well proven path for this sort of thing.
Upvotes: 3
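
The flow the answer outlines (the web role encrypts on upload, checks authorisation, then decrypts on the fly with the certificate's key), as an added C# example that is not code from either poster. It assumes .NET 8 and a hybrid scheme in which the certificate's RSA key wraps a per-document AES-GCM key; `DocumentVault`, `docId`, `callerAuthorized` and the blob layout are hypothetical, and the certificate and scan bytes in `Main` are constructed test values.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class DocumentVault // hypothetical name, not from the post
{
    // Assumed blob layout: [2-byte wrapped-key length][RSA-wrapped AES key][12-byte nonce][16-byte tag][ciphertext]
    public static byte[] Encrypt(byte[] scan, string docId, X509Certificate2 cert)
    {
        byte[] dek = RandomNumberGenerator.GetBytes(32);   // fresh AES-256 key per document
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16], ct = new byte[scan.Length];
        // The document id is bound as associated data, so a blob copied onto another record fails to decrypt.
        using (var aes = new AesGcm(dek, 16)) aes.Encrypt(nonce, scan, ct, tag, Encoding.UTF8.GetBytes(docId));
        using RSA pub = cert.GetRSAPublicKey() ?? throw new ArgumentException("RSA certificate required");
        byte[] wrapped = pub.Encrypt(dek, RSAEncryptionPadding.OaepSHA256); // only the private key can unwrap
        using var ms = new MemoryStream();
        using var w = new BinaryWriter(ms);
        w.Write((ushort)wrapped.Length); w.Write(wrapped); w.Write(nonce); w.Write(tag); w.Write(ct);
        w.Flush();
        return ms.ToArray();
    }

    // callerAuthorized stands in for the web role's own authentication/authorisation decision.
    public static byte[] Decrypt(byte[] blob, string docId, X509Certificate2 cert, bool callerAuthorized)
    {
        if (!callerAuthorized) throw new UnauthorizedAccessException(docId); // refuse before using the private key
        using var r = new BinaryReader(new MemoryStream(blob));
        byte[] wrapped = r.ReadBytes(r.ReadUInt16());
        byte[] nonce = r.ReadBytes(12), tag = r.ReadBytes(16);
        byte[] ct = r.ReadBytes((int)(blob.Length - r.BaseStream.Position));
        using RSA priv = cert.GetRSAPrivateKey() ?? throw new ArgumentException("private key required");
        byte[] dek = priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        byte[] plain = new byte[ct.Length];
        // Throws CryptographicException if the blob or the docId has been altered.
        using (var aes = new AesGcm(dek, 16)) aes.Decrypt(nonce, ct, tag, plain, Encoding.UTF8.GetBytes(docId));
        return plain;
    }

    public static void Main()
    {
        using RSA key = RSA.Create(2048); // throwaway test key; a deployment loads its protected certificate
        var req = new CertificateRequest("CN=constructed-test", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        byte[] blob = Encrypt(Encoding.UTF8.GetBytes("constructed sample scan bytes"), "doc-42", cert);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(blob, "doc-42", cert, callerAuthorized: true)));
    }
}
```

Only the role that decrypts needs the certificate's private key; an upload path that only encrypts can run with the public certificate alone.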