【Question title】: Encryption with Azure Blob Storage v12 SDK for .Net
【Posted】: 2021-02-15 00:41:35
【Question】:

I want to migrate my code to the v12 SDK, but how can I use Azure Key Vault?

There is no BlobEncryptionPolicy class.

This tutorial is out of date. It is still based on the old SDK.

v11 SDK code:

// Retrieve the key that you created previously.
// The IKey that is returned here is an RsaKey.
var rsa = cloudResolver.ResolveKeyAsync(
            "https://contosokeyvault.vault.azure.net/keys/TestRSAKey1", 
            CancellationToken.None).GetAwaiter().GetResult();

// Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

// Reference a block blob.
CloudBlockBlob blob = contain.GetBlockBlobReference("MyFile.txt");

// Upload using the UploadFromStream method.
using (var stream = System.IO.File.OpenRead(@"C:\Temp\MyFile.txt"))
    blob.UploadFromStream(stream, stream.Length, null, options, null);

【Comments】:

  • Do you have any other concerns? If you have no other concerns, could you please accept it as an answer?

Tags: c# .net azure-blob-storage azure-keyvault


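【Answer 1】:

Regarding the issue, please refer to the following steps. For more details, please refer to here

  1. Create a service principal and set an access policy in Azure Key Vault

  2. Code (install package ``)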

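using System;
using System.IO;
using Azure.Core.Cryptography;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Blobs.Specialized;

// The statements below use await, so run them inside an async method.
string tenantId = "<sp tenant>";
string clientId = "<sp appId>";
string clientSecret = "<sp secret>";
string connectionString = "<storage connection string>"; // placeholder; empty in the original post
ClientSecretCredential cred = new ClientSecretCredential(tenantId, clientId, clientSecret);
var vaultUri = new Uri("https://jimkey02.vault.azure.net/");
KeyClient keyClient = new KeyClient(vaultUri, cred);

// If you do not have a key yet, use the following line to create one.
//KeyVaultKey rasKey = await keyClient.CreateRsaKeyAsync(new CreateRsaKeyOptions("blobKey"));
KeyVaultKey rasKey = await keyClient.GetKeyAsync("blobKey", "<key version>");

// The key encryption key wraps the content key on upload;
// the resolver looks the key up by id again on download.
IKeyEncryptionKey key = new CryptographyClient(rasKey.Id, cred);
IKeyEncryptionKeyResolver keyResolver = new KeyResolver(cred);
ClientSideEncryptionOptions encryptionOptions = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0)
{
    KeyEncryptionKey = key,
    KeyResolver = keyResolver,
    // string the storage client will use when calling IKeyEncryptionKey.WrapKey()
    KeyWrapAlgorithm = "RSA1_5"
};

// Client-side encryption is enabled through the specialized client options.
BlobClientOptions options = new SpecializedBlobClientOptions() { ClientSideEncryption = encryptionOptions };
BlobClient blob = new BlobServiceClient(connectionString, options).GetBlobContainerClient("test").GetBlobClient("test.txt");

// Upload: the content is encrypted locally before it is sent.
using (FileStream file = File.OpenRead(@"D:\test.txt"))
{
    await blob.UploadAsync(file);
}

// Download: the same client options decrypt the content transparently.
BlobDownloadInfo download = await blob.DownloadAsync();
using (StreamReader reader = new StreamReader(download.Content))
{
    string text = await reader.ReadToEndAsync();
    Console.WriteLine(text);
}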
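
What the `KeyEncryptionKey`, `KeyResolver` and `KeyWrapAlgorithm` settings in the answer control, shown as an added example that is not part of the original answer and is not Azure SDK code: a per-blob content key encrypts the data, the RSA key wraps that content key, and the key id stored with the ciphertext lets a resolver find the key again on download. Assumes .NET 8 or later; the local RSA key, the `Envelope` class, the metadata field names, the AES-GCM content cipher and the `example.vault.azure.net` key id are constructed for this illustration.

```csharp
// Added illustration of envelope encryption; not Azure SDK code or its metadata format.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Constructed stand-in: a local RSA key plays the Key Vault key (KEK).
using RSA kek = RSA.Create(2048);
const string keyId = "https://example.vault.azure.net/keys/blobKey/<key version>"; // placeholder id
var (cipher, meta) = Envelope.Upload(Encoding.UTF8.GetBytes("hello blob"), kek, keyId, "RSA-OAEP");
// Download side: the resolver receives the key id stored next to the ciphertext.
byte[] plain = Envelope.Download(cipher, meta,
    id => id == keyId ? kek : throw new CryptographicException("unknown key: " + id));
Console.WriteLine(Encoding.UTF8.GetString(plain));

static class Envelope
{
    // Allow-list that maps a KeyWrapAlgorithm string to an RSA padding mode.
    static RSAEncryptionPadding PaddingFor(string alg) => alg switch
    {
        "RSA-OAEP" => RSAEncryptionPadding.OaepSHA1,
        "RSA-OAEP-256" => RSAEncryptionPadding.OaepSHA256,
        "RSA1_5" => RSAEncryptionPadding.Pkcs1, // PKCS#1 v1.5, the value used in the answer
        _ => throw new NotSupportedException("wrap algorithm: " + alg)
    };
    public static (byte[] Cipher, Dictionary<string, string> Meta) Upload(
        byte[] data, RSA kek, string keyId, string wrapAlg)
    {
        byte[] cek = RandomNumberGenerator.GetBytes(32);   // fresh content key per blob
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] ct = new byte[data.Length], tag = new byte[16];
        using (var aes = new AesGcm(cek, 16)) aes.Encrypt(nonce, data, ct, tag);
        var meta = new Dictionary<string, string>
        {
            ["keyId"] = keyId, ["wrapAlg"] = wrapAlg,
            ["wrappedKey"] = Convert.ToBase64String(kek.Encrypt(cek, PaddingFor(wrapAlg))),
            ["nonce"] = Convert.ToBase64String(nonce), ["tag"] = Convert.ToBase64String(tag)
        };
        CryptographicOperations.ZeroMemory(cek);           // only the wrapped copy is kept
        return (ct, meta);
    }
    public static byte[] Download(byte[] ct, Dictionary<string, string> meta, Func<string, RSA> resolve)
    {
        byte[] cek = resolve(meta["keyId"]).Decrypt(
            Convert.FromBase64String(meta["wrappedKey"]), PaddingFor(meta["wrapAlg"]));
        byte[] pt = new byte[ct.Length];
        using var aes = new AesGcm(cek, 16);
        aes.Decrypt(Convert.FromBase64String(meta["nonce"]), ct, Convert.FromBase64String(meta["tag"]), pt);
        return pt;
    }
}
```

Because the wrap algorithm name passes through the same allow-list on download, a modified `wrapAlg` value in the stored metadata cannot select a padding mode outside the listed ones.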

【Comments】:
