static void Main(string[] args)
{
Console.WriteLine("Queue encryption sample");
// Retrieve storage account information from connection string
// How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudQueueClient client = storageAccount.CreateCloudQueueClient();
CloudQueue queue = client.GetQueueReference(DemoQueue + Guid.NewGuid().ToString("N"));
try
{
queue.Create();
// Create the IKey used for encryption.
RsaKey key = new RsaKey("private:key1");
// Create the encryption policy to be used for insert and update.
QueueEncryptionPolicy insertPolicy = new QueueEncryptionPolicy(key, null);
// Set the encryption policy on the request options.
QueueRequestOptions insertOptions = new QueueRequestOptions() { EncryptionPolicy = insertPolicy };
string messageStr = Guid.NewGuid().ToString();
CloudQueueMessage message = new CloudQueueMessage(messageStr);
// Add message
Console.WriteLine("Inserting the encrypted message.");
queue.AddMessage(message, null, null, insertOptions, null);
// For retrieves, a resolver can be set up that will help pick the key based on the key id.
LocalResolver resolver = new LocalResolver();
resolver.Add(key);
QueueEncryptionPolicy retrPolicy = new QueueEncryptionPolicy(null, resolver);
QueueRequestOptions retrieveOptions = new QueueRequestOptions() { EncryptionPolicy = retrPolicy };
// Retrieve message
Console.WriteLine("Retrieving the encrypted message.");
CloudQueueMessage retrMessage = queue.GetMessage(null, retrieveOptions, null);
// Update message
Console.WriteLine("Updating the encrypted message.");
string updatedMessage = Guid.NewGuid().ToString("N");
retrMessage.SetMessageContent(updatedMessage);
queue.UpdateMessage(retrMessage, TimeSpan.FromSeconds(0), MessageUpdateFields.Content | MessageUpdateFields.Visibility, insertOptions, null);
// Retrieve updated message
Console.WriteLine("Retrieving the updated encrypted message.");
retrMessage = queue.GetMessage(null, retrieveOptions, null);
Console.WriteLine("Press enter key to exit");
Console.ReadLine();
}
finally
{
queue.DeleteIfExists();
}
}
static void Main(string[] args)
{
Console.WriteLine("Table encryption sample");
// Retrieve storage account information from connection string
// How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudTableClient client = storageAccount.CreateCloudTableClient();
CloudTable table = client.GetTableReference(DemoTable + Guid.NewGuid().ToString("N"));
try
{
table.Create();
// Create the IKey used for encryption.
RsaKey key = new RsaKey("private:key1");
EncryptedEntity ent = new EncryptedEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent.Populate();
TableRequestOptions insertOptions = new TableRequestOptions()
{
EncryptionPolicy = new TableEncryptionPolicy(key, null)
};
// Insert Entity
Console.WriteLine("Inserting the encrypted entity.");
table.Execute(TableOperation.Insert(ent), insertOptions, null);
// For retrieves, a resolver can be set up that will help pick the key based on the key id.
LocalResolver resolver = new LocalResolver();
resolver.Add(key);
TableRequestOptions retrieveOptions = new TableRequestOptions()
{
EncryptionPolicy = new TableEncryptionPolicy(null, resolver)
};
// Retrieve Entity
Console.WriteLine("Retrieving the encrypted entity.");
TableOperation operation = TableOperation.Retrieve(ent.PartitionKey, ent.RowKey);
TableResult result = table.Execute(operation, retrieveOptions, null);
Console.WriteLine("Press enter key to exit");
Console.ReadLine();
}
finally
{
table.DeleteIfExists();
}
}
public void CloudQueueAddUpdateEncryptedMessage()
{
// Create the Key to be used for wrapping.
SymmetricKey aesKey = new SymmetricKey("symencryptionkey");
RsaKey rsaKey = new RsaKey("asymencryptionkey");
// Create the resolver to be used for unwrapping.
DictionaryKeyResolver resolver = new DictionaryKeyResolver();
resolver.Add(aesKey);
resolver.Add(rsaKey);
DoCloudQueueAddUpdateEncryptedMessage(aesKey, resolver);
DoCloudQueueAddUpdateEncryptedMessage(rsaKey, resolver);
}
static void Main(string[] args)
{
Console.WriteLine("Table encryption sample");
// Retrieve storage account information from connection string
// How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudTableClient client = storageAccount.CreateCloudTableClient();
CloudTable table = client.GetTableReference(DemoTable + Guid.NewGuid().ToString("N"));
try
{
table.Create();
// Create the IKey used for encryption.
RsaKey key = new RsaKey("private:key1");
DynamicTableEntity ent = new DynamicTableEntity() { PartitionKey = Guid.NewGuid().ToString(), RowKey = DateTime.Now.Ticks.ToString() };
ent.Properties.Add("EncryptedProp1", new EntityProperty(string.Empty));
ent.Properties.Add("EncryptedProp2", new EntityProperty("bar"));
ent.Properties.Add("NotEncryptedProp", new EntityProperty(1234));
// This is used to indicate whether a property should be encrypted or not given the partition key, row key,
// and the property name.
Func<string, string, string, bool> encryptionResolver = (pk, rk, propName) =>
{
if (propName.StartsWith("EncryptedProp"))
{
return true;
}
return false;
};
TableRequestOptions insertOptions = new TableRequestOptions()
{
EncryptionPolicy = new TableEncryptionPolicy(key, null),
EncryptionResolver = encryptionResolver
};
// Insert Entity
Console.WriteLine("Inserting the encrypted entity.");
table.Execute(TableOperation.Insert(ent), insertOptions, null);
// For retrieves, a resolver can be set up that will help pick the key based on the key id.
LocalResolver resolver = new LocalResolver();
resolver.Add(key);
TableRequestOptions retrieveOptions = new TableRequestOptions()
{
EncryptionPolicy = new TableEncryptionPolicy(null, resolver)
};
// Retrieve Entity
Console.WriteLine("Retrieving the encrypted entity.");
TableOperation operation = TableOperation.Retrieve(ent.PartitionKey, ent.RowKey);
TableResult result = table.Execute(operation, retrieveOptions, null);
Console.WriteLine("Press enter key to exit");
Console.ReadLine();
}
finally
{
table.DeleteIfExists();
}
}
static void Main(string[] args)
{
Console.WriteLine("Blob encryption sample");
// Retrieve storage account information from connection string
// How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudBlobClient client = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N"));
try
{
container.Create();
int size = 5 * 1024 * 1024;
byte[] buffer = new byte[size];
Random rand = new Random();
rand.NextBytes(buffer);
CloudBlockBlob blob = container.GetBlockBlobReference("blockblob");
// Create the IKey used for encryption.
RsaKey key = new RsaKey("private:key1");
// Create the encryption policy to be used for upload.
BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(key, null);
// Set the encryption policy on the request options.
BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
Console.WriteLine("Uploading the encrypted blob.");
// Upload the encrypted contents to the blob.
using (MemoryStream stream = new MemoryStream(buffer))
{
blob.UploadFromStream(stream, size, null, uploadOptions, null);
}
// Download the encrypted blob.
// For downloads, a resolver can be set up that will help pick the key based on the key id.
LocalResolver resolver = new LocalResolver();
resolver.Add(key);
BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, resolver);
// Set the decryption policy on the request options.
BlobRequestOptions downloadOptions = new BlobRequestOptions() { EncryptionPolicy = downloadPolicy };
Console.WriteLine("Downloading the encrypted blob.");
// Download and decrypt the encrypted contents from the blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream, null, downloadOptions, null);
}
Console.WriteLine("Press enter key to exit");
Console.ReadLine();
}
finally
{
container.DeleteIfExists();
}
}
public void CloudBlockBlobEncryptionValidateWrappers()
{
// Create the Key to be used for wrapping.
SymmetricKey aesKey = new SymmetricKey("symencryptionkey");
RsaKey rsaKey = new RsaKey("asymencryptionkey");
// Create the resolver to be used for unwrapping.
DictionaryKeyResolver resolver = new DictionaryKeyResolver();
resolver.Add(aesKey);
resolver.Add(rsaKey);
DoCloudBlockBlobEncryptionValidateWrappers(aesKey, resolver);
DoCloudBlockBlobEncryptionValidateWrappers(rsaKey, resolver);
}
static void Main(string[] args)
{
Console.WriteLine("Blob encryption with Key Vault integration");
Console.WriteLine();
// Get the key ID from App.config if it exists.
string keyID = CloudConfigurationManager.GetSetting("KeyID");
// If no key ID was specified, we will create a new secret in Key Vault.
// To create a new secret, this client needs full permission to Key Vault secrets.
// Once the secret is created, its ID can be added to App.config. Once this is done,
// this client only needs read access to secrets.
if (string.IsNullOrEmpty(keyID))
{
Console.WriteLine("No secret specified in App.config.");
Console.WriteLine("Please enter the name of a new secret to create in Key Vault.");
Console.WriteLine("WARNING: This will delete any existing secret with the same name.");
Console.Write("Name of the new secret to create [{0}]: ", DefaultSecretName);
string newSecretName = Console.ReadLine().Trim();
if (string.IsNullOrEmpty(newSecretName))
{
newSecretName = DefaultSecretName;
}
// Although it is possible to use keys (rather than secrets) stored in Key Vault, this prevents caching.
// Therefore it is recommended to use secrets along with a caching resolver (see below).
keyID = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret(newSecretName);
Console.WriteLine();
Console.WriteLine("Created a secret with ID: {0}", keyID);
Console.WriteLine("Copy the secret ID to App.config to reuse.");
Console.WriteLine();
}
// Retrieve storage account information from connection string
// How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudBlobClient client = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N"));
// Construct a resolver capable of looking up keys and secrets stored in Key Vault.
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(EncryptionShared.KeyVaultUtility.GetAccessToken);
// To demonstrate how multiple different types of key can be used, we also create a local key and resolver.
// This key is temporary and won't be persisted.
RsaKey rsaKey = new RsaKey("rsakey");
LocalResolver resolver = new LocalResolver();
resolver.Add(rsaKey);
// If there are multiple key sources like Azure Key Vault and local KMS, set up an aggregate resolver as follows.
// This helps users to define a plug-in model for all the different key providers they support.
AggregateKeyResolver aggregateResolver = new AggregateKeyResolver()
.Add(resolver)
.Add(cloudResolver);
// Set up a caching resolver so the secrets can be cached on the client. This is the recommended usage
// pattern since the throttling targets for Storage and Key Vault services are orders of magnitude
// different.
CachingKeyResolver cachingResolver = new CachingKeyResolver(2, aggregateResolver);
// Create a key instance corresponding to the key ID. This will cache the secret.
IKey cloudKey = cachingResolver.ResolveKeyAsync(keyID, CancellationToken.None).GetAwaiter().GetResult();
try
{
container.Create();
int size = 5 * 1024 * 1024;
byte[] buffer = new byte[size];
Random rand = new Random();
rand.NextBytes(buffer);
// The first blob will use the key stored in Azure Key Vault.
CloudBlockBlob blob = container.GetBlockBlobReference("blockblob1");
// Create the encryption policy using the secret stored in Azure Key Vault to be used for upload.
BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(cloudKey, null);
// Set the encryption policy on the request options.
BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
Console.WriteLine("Uploading the 1st encrypted blob.");
// Upload the encrypted contents to the blob.
using (MemoryStream stream = new MemoryStream(buffer))
{
blob.UploadFromStream(stream, size, null, uploadOptions, null);
}
// Download the encrypted blob.
BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, cachingResolver);
// Set the decryption policy on the request options.
BlobRequestOptions downloadOptions = new BlobRequestOptions() { EncryptionPolicy = downloadPolicy };
Console.WriteLine("Downloading the 1st encrypted blob.");
// Download and decrypt the encrypted contents from the blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream, null, downloadOptions, null);
}
// Upload second blob using the local key.
blob = container.GetBlockBlobReference("blockblob2");
// Create the encryption policy using the local key.
uploadPolicy = new BlobEncryptionPolicy(rsaKey, null);
// Set the encryption policy on the request options.
uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
Console.WriteLine("Uploading the 2nd encrypted blob.");
// Upload the encrypted contents to the blob.
using (MemoryStream stream = new MemoryStream(buffer))
{
blob.UploadFromStream(stream, size, null, uploadOptions, null);
}
// Download the encrypted blob. The same policy and options created before can be used because the aggregate resolver contains both
// resolvers and will pick the right one based on the key ID stored in blob metadata on the service.
Console.WriteLine("Downloading the 2nd encrypted blob.");
// Download and decrypt the encrypted contents from the blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream, null, downloadOptions, null);
}
Console.WriteLine("Press enter key to exit");
Console.ReadLine();
}
finally
{
container.DeleteIfExists();
}
}
