[FEATURE REQ] Provide an implementation of 'AsyncKeyEncryptionKey' that uses a local symmetric key #6569
Comments
@g2vinay what is the ETA for this?

@SukruthKS,

@SukruthKS Sample Code to build AsyncKeyEncryptionKey using local symmetric key: AsyncKeyEncryptionKey akek = new KeyEncryptionKeyClientBuilder()

@g2vinay in the sample code you provided above, why should I pass any credentials? I'm not using a key vault and this is just a local symmetric key. If I don't provide the credentials, I get the below error when building the key object.

@SukruthKS
In the upcoming releases, we will be enabling local crypto on Cryptography client as well; it is captured in this issue #8006

Thanks!

Thanks, Vinay! I ran into another issue when using the local symmetric key with storage client. It appears that Code:
Stack trace:

@SukruthKS
@rickle-msft, since the keys can be local too now, is it possible to relax the requirement of key id in encrypted blob client?

Sorry, removed my old comment after processing this a little more. We actually do need a key Id because we put that in the encryption metadata to ensure that the key we later use to decrypt is the same key we used to encrypt.
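
The key-id check described in the comment above, sketched with the JDK's own AES key wrap as an added example (not code from the Azure SDK or from anyone in this thread). The `LocalKek` and `WrappedKey` types and the `key-a`/`key-b` ids are hypothetical, and the keys are generated on the spot as constructed sample input.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class LocalKekDemo {
    // Metadata stored beside the ciphertext: which KEK wrapped the content key.
    record WrappedKey(String keyId, byte[] encryptedKey) {}

    // Hypothetical local key encryption key: an in-memory AES key plus a non-URI id.
    record LocalKek(String keyId, SecretKey key) {
        WrappedKey wrap(SecretKey contentKey) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("AESWrap"); // RFC 3394 AES key wrap
            c.init(Cipher.WRAP_MODE, key);
            return new WrappedKey(keyId, c.wrap(contentKey));
        }

        SecretKey unwrap(WrappedKey w) throws GeneralSecurityException {
            // Refuse early when the metadata names a different key than this one.
            if (!keyId.equals(w.keyId())) {
                throw new GeneralSecurityException(
                    "metadata names key '" + w.keyId() + "', this key is '" + keyId + "'");
            }
            Cipher c = Cipher.getInstance("AESWrap");
            c.init(Cipher.UNWRAP_MODE, key);
            return (SecretKey) c.unwrap(w.encryptedKey(), "AES", Cipher.SECRET_KEY);
        }
    }

    static SecretKey newAesKey() throws GeneralSecurityException {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(256);
        return g.generateKey();
    }

    public static void main(String[] args) throws Exception {
        LocalKek a = new LocalKek("key-a", newAesKey()); // constructed sample ids
        LocalKek b = new LocalKek("key-b", newAesKey());
        SecretKey contentKey = newAesKey();

        WrappedKey meta = a.wrap(contentKey); // meta is what gets persisted
        SecretKey recovered = a.unwrap(meta);
        System.out.println("round trip ok: "
            + Arrays.equals(contentKey.getEncoded(), recovered.getEncoded()));
        try {
            b.unwrap(meta); // different key id: rejected before any crypto runs
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

RFC 3394 key wrap also carries an integrity check, so the wrong key would fail to unwrap anyway; comparing ids first gives a failure that names the mismatch.
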
@SukruthK Do you guys plan on using only non-URI-looking strings, e.g. “key-name”, as key ids for local keys? Or should we expect you may pass any URI-looking strings as key id for local keys too?

@rickle-msft we plan to use only non-URI strings for local keys.

@SukruthKS
Here is the code sample that you can use:

```java
// Wrap the raw AES key bytes as a JSON Web Key restricted to wrap/unwrap operations
JsonWebKey localKey = JsonWebKey.fromAes(new SecretKeySpec(encryptionKeyBytes, "AES"),
        Arrays.asList(KeyOperation.WRAP_KEY, KeyOperation.UNWRAP_KEY))
    .setId("my-id");
// Build a key encryption key that operates on the local key
AsyncKeyEncryptionKey akek = new LocalKeyEncryptionKeyClientBuilder()
    .buildAsyncKeyEncryptionKey(localKey).block();
```

Thanks @g2vinay! Will try this out soon.

Marking this as resolved as this feature is now available in Beta. Will update once it's made generally available (GA).

Is your feature request related to a problem? Please describe.
With version 8 of the storage SDK, we are using SymmetricKey for client-side encryption of Azure storage blobs. This implementation performs encryption locally on the machine and accepts an in-memory encryption key. The new version 12 of the storage SDK (azure-storage-blob-cryptography) uses a new interface AsyncKeyEncryptionKey for the encryption key and I couldn't find an implementation of it like the SymmetricKey class. There is one implementation that Rick from storage sdk team pointed me to, KeyEncryptionKeyClient, but it requires the encryption key to be present in key vault. More details in this query - #6536.
Describe the solution you'd like
An implementation of AsyncKeyEncryptionKey that mimics the functionality provided by SymmetricKey.
Describe alternatives you've considered
No other alternatives have been considered yet.
Additional context
NA