Hello Azure (Security) community!
In an earlier blog post here on the Azure Security Team blog, we talked about a new Azure feature that enables client-side encryption for Azure Storage: data is encrypted in your application before it is sent to the service, so the storage service only ever holds ciphertext. You can use client-side encryption to protect data in Azure Blobs, Tables and Queues.
David Cross, Partner Director of Azure Security Engineering, gave a great demo of how client-side encryption works in his AzureCon 2015 presentation on Azure platform security and compliance. For the demo, David and his team built a simple application that shows how you can use the Azure SDK to perform client-side encryption.
In the demo David:
- Used the Azure Storage Explorer to view storage containers in his account
- Created a secret that would be stored in Azure Key Vault to be used to encrypt a blob
- Uploaded that key blob into Azure storage
- Downloaded the key blob which contained the content encryption key
- Uploaded the encrypted content blob into Azure storage
- Used a sample console app to create a blob in Azure storage
- Used the same app to perform client-side encryption of the blob in storage, with the key held in Key Vault
- Deleted the demo blob containers
You can see the demo here
OK, seeing is believing. But doing is knowing! How would you like to get your hands on the demo tools and test/perform the same demo? I know when I saw the demo I wanted to get the demo code and try it out for myself. Now we all can.
We want to give a big shout out to Rakesh Narayan, Program Manager in Azure Security Engineering, for putting together the following instructions for running the sample code to perform the demo.
How To Run This Sample
To run this sample, you will need:
- Visual Studio 2013 or 2015 (note that Visual Studio 2013 and 2015 have Git integration in the IDE if you want to use these instead of the command line tools)
- An Internet connection
- An Azure subscription (a free trial is sufficient)
- Azure Storage Explorer
Every Azure subscription has an associated Azure Active Directory tenant. If you don't already have an Azure subscription, you can get a free Azure trial subscription. All of the Azure AD features used by this sample are available free of charge.
Step 1: Clone or download this repository
From your shell (i.e. Git Bash, etc.) or command line, run the following command:
Step 2: Create an Azure Key Vault
Follow the instructions in the article Get started with Azure Key Vault to create a Key Vault in your subscription.
Step 3: Create a Storage Account
Follow the instructions in the article About Azure storage accounts to create a storage account.
Step 4: Edit, build, and run the sample in Visual Studio 2013 or 2015
After you clone or download the sample app, update the App.config file with the following details. StorageConnectionString takes your storage account name and key; KVClientId and KVClientKey are the client ID and secret of the Azure AD application you registered for Key Vault access in Step 2, and VaultUri is your vault's URL. All three are long-lived credentials, so keep the edited App.config out of source control and do not share it.
<!--Uncomment the string and insert your storage account name and key in the line below.-->
<add key="StorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=<>;AccountKey=<>" />
<!--Uncomment the strings and insert your Key Vault credentials in the lines below. For more information about getting started with Key Vault, please look at http://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/ -->
<add key="KVClientId" value="<>" />
<add key="KVClientKey" value="<>" />
<add key="VaultUri" value="<>"/>
When you're finished, you should be able to build and run the application, which presents a console UI that you can use for testing.
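The steps above configure the sample; the following is an added example (not the demo's own code) of the core operation the demo performs with the Azure Storage .NET SDK: upload a blob with client-side encryption using a Key Vault key as the key-encryption key, then download and decrypt it. It reads the four App.config settings shown above and assumes an RSA key named MyKEK in that vault, a container named encrypted-demo, and the NuGet packages Microsoft.WindowsAzure.Storage, Microsoft.Azure.KeyVault, Microsoft.Azure.KeyVault.Extensions and Microsoft.IdentityModel.Clients.ActiveDirectory; the key name, container name and sample content are assumptions.

```csharp
// Added example, not code from the demo or the SDK samples. Assumes the App.config
// keys StorageConnectionString, KVClientId, KVClientKey and VaultUri from this post,
// an RSA key named "MyKEK" in the vault (assumed name) and a container named
// "encrypted-demo" (assumed name).
using System;
using System.Configuration;
using System.IO;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Core;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

class EncryptedBlobDemo
{
    // ADAL callback the Key Vault resolver uses to obtain a bearer token for the
    // Azure AD application whose client ID and secret are in App.config.
    static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var ctx = new AuthenticationContext(authority);
        var cred = new ClientCredential(
            ConfigurationManager.AppSettings["KVClientId"],
            ConfigurationManager.AppSettings["KVClientKey"]);
        AuthenticationResult result = await ctx.AcquireTokenAsync(resource, cred);
        if (result == null)
            throw new InvalidOperationException("Failed to obtain a Key Vault token");
        return result.AccessToken;
    }

    static void Main()
    {
        var account = CloudStorageAccount.Parse(
            ConfigurationManager.AppSettings["StorageConnectionString"]);
        CloudBlobContainer container = account.CreateCloudBlobClient()
            .GetContainerReference("encrypted-demo");
        container.CreateIfNotExists();

        // Resolve the key-encryption key (KEK) from Key Vault by its key URI.
        // The RSA private key stays in Key Vault; App.config only holds the
        // credentials needed to ask the vault to use it.
        var resolver = new KeyVaultKeyResolver(GetToken);
        string keyId = ConfigurationManager.AppSettings["VaultUri"].TrimEnd('/') + "/keys/MyKEK";
        IKey kek = resolver.ResolveKeyAsync(keyId, CancellationToken.None).GetAwaiter().GetResult();

        // Upload: the SDK generates a random AES-256 content encryption key for this
        // blob, encrypts the data locally, wraps the content key with the KEK and stores
        // the wrapped key plus the KEK's key ID in the blob's metadata. RequireEncryption
        // makes the client fail the write rather than ever send plaintext.
        var uploadOptions = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(kek, null),
            RequireEncryption = true
        };
        CloudBlockBlob blob = container.GetBlockBlobReference("secret.txt");
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample content");
        using (var ms = new MemoryStream(plaintext))
            blob.UploadFromStream(ms, null, uploadOptions, null);

        // Download: only the resolver is supplied. The SDK reads the key ID from the blob
        // metadata, has Key Vault unwrap the content key and decrypts locally.
        // RequireEncryption makes the read fail if the blob is not actually encrypted.
        var downloadOptions = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(null, resolver),
            RequireEncryption = true
        };
        using (var outStream = new MemoryStream())
        {
            blob.DownloadToStream(outStream, null, downloadOptions, null);
            Console.WriteLine(Encoding.UTF8.GetString(outStream.ToArray()));
        }
    }
}
```

The Azure AD application needs the get, wrapKey and unwrapKey key permissions in the vault's access policy, otherwise the upload or download fails at the Key Vault call. If you created a secret rather than a key (as in the demo), the same resolver also handles a Key Vault secret whose value is a base64-encoded 256-bit AES key with content type application/octet-stream; it comes back as a symmetric key and the rest of the code is unchanged. Tables and queues follow the same pattern with TableEncryptionPolicy in TableRequestOptions and QueueEncryptionPolicy in QueueRequestOptions.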
It’s as easy as that! But this is just a start. Use the info in the blog to get familiar with the technology and then start experimenting with it. Try client-side encryption of tables, and then try encrypting queues. The article Client-Side Encryption and Azure Key Vault for Microsoft Azure Storage is a great place to get the information you need to begin your own testing and experimenting. Use your dev chops and create apps that can take advantage of client-side encryption too!
Let us know what you think about Azure client-side encryption. Is there anything you would change? Anything you would add? Need some help? Leave a comment at the bottom of the blog and we’ll respond and take your input back to the team.