Azure Key Vault Blob Decryption Not working needs KeyEncryptionKey

    Question

  • Hi Guys,

    I have Azure key vault encryption working with a certificate but I cannot get the decryption with a certificate to work.


    Actually when you are decrypting you are not supposed to supply any key ids as these are meant to be saved in the image metadata.


    As per this link

    https://azure.microsoft.com/en-in/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/


    Decryption is really when using the Resolver classes make sense. The ID of the key used for encryption is associated with the blob in its metadata, so there is no reason for you to retrieve the key and remember the association between key and blob. You just have to make sure that the key remains in Key Vault.

    The private key of an RSA Key remains in Key Vault, so for decryption to occur, the Encrypted Key from the blob metadata that contains the CEK is sent to Key Vault for decryption.

    Add the following to decrypt the blob that you just uploaded.

    // In this case, we will not pass a key and only pass the resolver because
    // this policy will only be used for downloading / decrypting.
    BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver);
    BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

    using (var np = File.Open(@"C:\data\MyFileDecrypted.txt", FileMode.Create))
        blob.DownloadToStream(np, null, options, null);


    I am doing this but I am getting this error that the

    Value cannot be null.\r\nParameter name: KeyEncryptionKey

    So it seems that it has to be specified.


    Regards,

    Alistair

    Friday, March 4, 2016 8:06 AM

All replies

  • Hi,

    We are checking on this and will revert to you at the earliest.

    Girish Prajwal

    Friday, March 4, 2016 7:22 PM
    Moderator
  • This means that your key resolver can't find the key ID that was used to encrypt the blob. This can happen if the resolver points to a different key vault, or if the upload was performed using a key stored locally. Could you share some more code showing how you are specifying the encryption key and resolver for upload and download?

    Also, the error message you get in this case could certainly be better here. We will look into improving it.

    Monday, March 7, 2016 5:05 PM
  • Sorry been busy on other things.

    Here is my key vault encryption/description service class, how do I specify that the key should be stored in the cloud? Am I using a local key?



    • Edited by acrigney Thursday, June 9, 2016 5:40 AM
    Wednesday, March 23, 2016 3:43 AM
  • Yes, it looks like your key is created locally with the following code:

    RsaKey key = new RsaKey(keyIdentifier.Name);

    To use a key in Key Vault, create a KeyVaultKeyResolver (as you do for the download path) and use ResolveKeyAsync with the Key ID. This will get you an IKey that you can use to do the upload. For an example, see this page:

    https://azure.microsoft.com/en-in/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/#encrypt-blob-and-upload

    Thanks,
    Michael


    Wednesday, March 23, 2016 4:32 AM
  • Sorry yes I am doing that, the other code was commented out.

    KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);
    KeyVaultIdentifierHelper keyVaultIdentifierHelper = new KeyVaultIdentifierHelper(_keyVault);
    string keyIdentifier = keyVaultIdentifierHelper.GetKeyIdentifier(_imageKeyName);
    var rsa = cloudResolver.ResolveKeyAsync(keyIdentifier, CancellationToken.None).GetAwaiter().GetResult();

    And I use the cloudResolver here.

    BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, cloudResolver);

    Tuesday, March 29, 2016 12:44 AM
  • I am still getting the error.

    {"Value cannot be null.\r\nParameter name: KeyEncryptionKey"}

    When I attempt to decrypt i.e. download the image from the stream.

    As discussed the message is not very helpful.


    • Edited by acrigney Thursday, June 9, 2016 5:41 AM
    Thursday, March 31, 2016 7:14 AM
  • It looks like the issue is still present in your code. You need to create your upload policy by first constructing a resolver and using ResolveKeyAsync to get the key. Then pass the key in while constructing the encryption policy. Here is the code that needs to change:

    RsaKey rsaKey = new RsaKey(keyIdentifier.Name);

    // Create the encryption policy to be used for upload.
    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(rsaKey, null);

    // Set the encryption policy on the request options.
    BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
    

    And here is what you need to do instead:

    KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);

    var rsaKey = cloudResolver.ResolveKeyAsync(keyIdentifier.Name, CancellationToken.None).GetAwaiter().GetResult();

    // Create the encryption policy to be used for upload.
    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(rsaKey, null);

    // Set the encryption policy on the request options.
    BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };

    Thursday, March 31, 2016 1:59 PM
  • But I need to create a key for each Blob stored?

    And this assumes that a key has already been created?

    Tuesday, April 5, 2016 8:57 AM
  • You can reuse the same key for many blobs. As long as you pass the same key identifier to ResolveKeyAsync, you will encrypt using this key.

    The key must have been previously created for it to be used to encrypt blobs. You can create the key once and add the key identifier to your configuration file. Then your code can read the key identifier from the configuration, resolve it to the correct key, and create your upload policy.

    Tuesday, April 5, 2016 3:25 PM
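The complete upload/download pair the replies describe (resolve the Key Vault key once for upload, pass only the resolver for download, reuse one key identifier read from configuration), written here as an added example rather than code from the thread or the Azure article. It assumes the Microsoft.Azure.KeyVault.Extensions, Microsoft.WindowsAzure.Storage and ADAL packages of that era, and that the AAD client id/secret and the key identifier come from environment variables or app configuration (placeholder names).

```csharp
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                       // KeyVaultKeyResolver
using Microsoft.Azure.KeyVault.Core;                  // IKey
using Microsoft.IdentityModel.Clients.ActiveDirectory; // AuthenticationContext (ADAL)
using Microsoft.WindowsAzure.Storage.Blob;

public static class KeyVaultBlobCrypto
{
    // AAD client-credential callback handed to KeyVaultKeyResolver.
    // KV_CLIENT_ID / KV_CLIENT_SECRET are placeholder configuration names, never hard-coded secrets.
    private static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var ctx = new AuthenticationContext(authority);
        var cred = new ClientCredential(Environment.GetEnvironmentVariable("KV_CLIENT_ID"),
                                        Environment.GetEnvironmentVariable("KV_CLIENT_SECRET"));
        AuthenticationResult result = await ctx.AcquireTokenAsync(resource, cred);
        if (result == null) throw new InvalidOperationException("Failed to obtain Key Vault token");
        return result.AccessToken;
    }

    // Upload: resolve the Key Vault key by its identifier and pass it as the key-encryption key.
    // The same identifier can be reused for every blob; the SDK records it in the blob metadata.
    public static void UploadEncrypted(CloudBlockBlob blob, string localPath, string keyIdentifier)
    {
        var resolver = new KeyVaultKeyResolver(GetToken);
        IKey kek = resolver.ResolveKeyAsync(keyIdentifier, CancellationToken.None).GetAwaiter().GetResult();
        if (kek == null) throw new InvalidOperationException("Key not found in Key Vault: " + keyIdentifier);
        var policy = new BlobEncryptionPolicy(kek, null);
        // RequireEncryption makes the client refuse to send the blob in plaintext if the policy is missing.
        var options = new BlobRequestOptions { EncryptionPolicy = policy, RequireEncryption = true };
        using (var stream = File.OpenRead(localPath))
            blob.UploadFromStream(stream, null, options, null);
    }

    // Download: no key, only the resolver. The SDK reads the key identifier from the blob metadata
    // and asks Key Vault to unwrap the content encryption key; the RSA private key never leaves the vault.
    public static void DownloadDecrypted(CloudBlockBlob blob, string localPath)
    {
        var resolver = new KeyVaultKeyResolver(GetToken);
        var policy = new BlobEncryptionPolicy(null, resolver);
        // RequireEncryption = true fails the download if the blob was not encrypted (e.g. uploaded with a local key).
        var options = new BlobRequestOptions { EncryptionPolicy = policy, RequireEncryption = true };
        using (var stream = File.Open(localPath, FileMode.Create))
            blob.DownloadToStream(stream, null, options, null);
    }
}
```

Call UploadEncrypted with the key identifier from configuration (the full https://{vault}.vault.azure.net/keys/{name} URL) and the "KeyEncryptionKey" null error from the thread no longer occurs, because the resolver at download time finds the same Key Vault key that was used for upload.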