How can I add transparent encryption/decryption to my CloudPageBlob reads and writes when the data is at rest? HTTPS just encrypts in transport...

Assume that I'm running the code on my desktop and am simply using HTTP to access the blob store.

makerofthings7
  • @breischl I know you! We're both committers on [Azure Table Encryption](http://azuretableencrypt.codeplex.com/) (I'm clamont there). Similar to how that project extends the Azure Table SDK, I want to extend the blob SDK in a similar manner: transparent encryption/decryption of the data. – makerofthings7 Apr 06 '12 at 15:43
  • That's funny! It's a small cloud. :) I did something similar to that library for block blobs. I couldn't find any hooks like the TableServiceContext has, so it's not transparent in the same sense. I just wrote methods that I do all my reading and writing through instead. They store the crypto version into blob metadata, and wrap the streams in CryptoStream's as needed. I don't know if that'll work for Page blobs though. – Brian Reischl Apr 06 '12 at 17:22
  • Other random thought - perhaps you could do the encryption at a higher level? E.g., if you're using it to store a virtual machine image, maybe just use an encrypted filesystem for the image? – Brian Reischl Apr 07 '12 at 18:34

2 Answers

Well, from what I understand you want to add additional encryption to the content, before transmitting it into the wire.

To achieve this you have to create your own wrappers around the Storage Service REST API rather than using the Storage Client Library provided by Microsoft. Only with your own REST callers will you be able to encrypt/decrypt the content before setting it as the Request Body. Then, when you are downloading the blobs, you have to decrypt them from the Response Body. This way you may achieve a "transparent encryption". Transparent to some degree, because from the application's perspective you will just call EncryptedBlobStorageClient.UploadBlob(path_to_local_file). But this is not really transparent, as it lives in your application, and you cannot use the encrypted blobs without your application.

However, if you want this encryption/decryption to live on the Blob Service endpoint, this is not possible.

astaykov
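The following is an added example, not code from the question, from either answer, or from the Azure Table Encryption project. It shows the client-side approach that both Brian Reischl's comment (wrap the stream in a CryptoStream, record a crypto version in blob metadata) and this answer's EncryptedBlobStorageClient describe: the bytes are encrypted and authenticated before they reach the wire, and the key never leaves the client. It has no dependency on the Azure SDK; the caller hands the output stream to whatever upload call it uses (UploadFromStream, WritePages) and stores the returned dictionary as blob metadata. The metadata key names, the 512-byte page padding, and the assumption that the downloaded blob is exactly the bytes that were uploaded (no extra empty pages) are all assumptions of this example, and key management is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

public static class BlobCrypto
{
    // Metadata key names are assumed by this example, not defined by the Azure SDK.
    public const string VersionKey = "cryptoversion";
    public const string CipherLengthKey = "cipherlength";
    public const string MacKey = "ciphermac";
    public const string CurrentVersion = "1";   // bump when the algorithm or layout changes
    public const int PageSize = 512;            // page blobs are written in 512-byte pages

    // Reads all of 'plaintext' and writes IV || AES-CBC ciphertext || zero padding (to a page
    // boundary) into 'output'. Returns the metadata to store alongside the blob.
    public static IDictionary<string, string> Encrypt(Stream plaintext, Stream output, byte[] aesKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = aesKey;
            aes.GenerateIV();                   // fresh IV per blob; never reuse an IV with CBC
            var cipher = new MemoryStream();
            cipher.Write(aes.IV, 0, aes.IV.Length);
            using (var cs = new CryptoStream(cipher, aes.CreateEncryptor(), CryptoStreamMode.Write))
                plaintext.CopyTo(cs);           // disposing cs writes the final PKCS7 block
            byte[] body = cipher.ToArray();     // IV || ciphertext (ToArray works on a closed MemoryStream)
            int pad = (PageSize - body.Length % PageSize) % PageSize;

            // Encrypt-then-MAC over the real cipher length plus every byte that is uploaded, so
            // truncation, bit-flips or a swapped length field are caught before any decryption.
            byte[] lenBytes = BitConverter.GetBytes((long)body.Length);
            hmac.TransformBlock(lenBytes, 0, lenBytes.Length, null, 0);
            hmac.TransformBlock(body, 0, body.Length, null, 0);
            hmac.TransformFinalBlock(new byte[pad], 0, pad);

            output.Write(body, 0, body.Length);
            output.Write(new byte[pad], 0, pad);
            return new Dictionary<string, string>
            {
                { VersionKey, CurrentVersion },
                { CipherLengthKey, body.Length.ToString() },
                { MacKey, Convert.ToBase64String(hmac.Hash) },
            };
        }
    }

    // Checks the version and MAC, then decrypts the downloaded pages into 'output'.
    // Any mismatch throws instead of handing back partial or unauthenticated plaintext.
    public static void Decrypt(Stream input, IDictionary<string, string> metadata, Stream output, byte[] aesKey, byte[] macKey)
    {
        string version;
        if (!metadata.TryGetValue(VersionKey, out version) || version != CurrentVersion)
            throw new CryptographicException("unknown or missing crypto version");
        long cipherLength = long.Parse(metadata[CipherLengthKey]);
        byte[] expectedMac = Convert.FromBase64String(metadata[MacKey]);

        var all = new MemoryStream();
        input.CopyTo(all);
        byte[] pages = all.ToArray();
        if (cipherLength < 16 || cipherLength > pages.Length)
            throw new CryptographicException("cipher length inconsistent with blob size");

        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] lenBytes = BitConverter.GetBytes(cipherLength);
            hmac.TransformBlock(lenBytes, 0, lenBytes.Length, null, 0);
            hmac.TransformFinalBlock(pages, 0, pages.Length);
            if (!FixedTimeEquals(hmac.Hash, expectedMac))
                throw new CryptographicException("blob MAC mismatch: tampered data or wrong key");
        }

        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            byte[] iv = new byte[16];
            Array.Copy(pages, 0, iv, 0, 16);
            aes.IV = iv;
            // Only the authenticated ciphertext is fed to the decryptor; the page padding is skipped.
            var cipherOnly = new MemoryStream(pages, 16, (int)cipherLength - 16);
            using (var cs = new CryptoStream(cipherOnly, aes.CreateDecryptor(), CryptoStreamMode.Read))
                cs.CopyTo(output);
        }
    }

    // Constant-time comparison so MAC verification does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Usage: call `Encrypt(localFile, uploadStream, aesKey, macKey)` and copy the returned dictionary into the blob's metadata before uploading; on the way back, download the pages into a stream and pass it with the fetched metadata to `Decrypt`. Because the version tag is checked first, a later key or algorithm rotation can branch on it rather than silently misdecrypting old blobs; because the MAC is checked before the decryptor runs, a corrupted or modified blob fails closed with an exception rather than producing garbage.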

It is not possible to do this transparently on the server side with Azure blob storage. It is possible however, to do it with Amazon S3:

http://aws.typepad.com/aws/2011/10/new-amazon-s3-server-side-encryption.html

This is done very simply with a request header, and there is no additional charge for it :o)

If you could move your application, or at least move its storage, to S3, you could use this.

Mike Goodwin