Decrypting and downloading 'encrypted azure blob' using azure key vault in C#
Posted: 2021-12-13 03:32:31

Question: I am following this document to encrypt data with a key from Azure Key Vault and upload it to Azure Blob Storage:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault?WT.mc_id=Portal-Microsoft_Azure_Support&tabs=dotnet11#use-key-vault-secrets
I am able to encrypt and upload using the key in Azure Key Vault, but I get an error when decrypting and downloading the data:
// Storage account credentials and a reference to the container that holds the encrypted blob
StorageCredentials dcreds = new StorageCredentials("storage-account-name", "storage-account-key");
CloudStorageAccount daccount = new CloudStorageAccount(dcreds, useHttps: true);
CloudBlobClient dclient = daccount.CreateCloudBlobClient();
CloudBlobContainer dcontain = dclient.GetContainerReference("container-name");
// Key resolver that authenticates to Key Vault through the GetToken callback (defined elsewhere in the program)
KeyVaultKeyResolver dcloudResolver = new KeyVaultKeyResolver(GetToken);
var drsa = dcloudResolver.ResolveKeyAsync(
    "https://my-key-vault.vault.azure.net/keys/my-key",
    CancellationToken.None).GetAwaiter().GetResult();
// For download only the resolver is needed: the SDK reads the wrapped content key from the blob metadata
// and asks Key Vault to unwrap it
BlobEncryptionPolicy dpolicy = new BlobEncryptionPolicy(null, dcloudResolver);
BlobRequestOptions doptions = new BlobRequestOptions() { EncryptionPolicy = dpolicy };
CloudBlockBlob dblob = dcontain.GetBlockBlobReference("Data.txt");
using (var np = File.Open(@"Data.txt", FileMode.Create))
{
    dblob.DownloadToStream(np, null, doptions, null);
}
Data.txt is the encrypted blob in the container.
Stack trace below:
Microsoft.Azure.Storage.StorageException: "Decryption logic threw error. Please check the inner exception for more details." ---> System.AggregateException:
"One or more errors occurred. (Operation returned an invalid status code 'Forbidden')" ---> Microsoft.Azure.KeyVault.Models.KeyVaultErrorException:
"Operation returned an invalid status code 'Forbidden'"
   at Microsoft.Azure.KeyVault.KeyVaultClient.<UnwrapKeyWithHttpMessagesAsync>d__58.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<UnwrapKeyAsync>d__5.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at Microsoft.Azure.KeyVault.KeyVaultKey.<>c.<UnwrapKeyAsync>b__14_0(Task`1 result)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.<>c.<.cctor>b__277_0(Object obj)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   --- End of stack trace from previous location ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
   --- End of stack trace from previous location ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy.<>c__DisplayClass13_1.<DecryptBlob>b__2()
   at Microsoft.Azure.Storage.Core.Util.CommonUtility.RunWithoutSynchronizationContext[T](Func`1 actionToRun)
   at Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy.DecryptBlob(Stream userProvidedStream, IDictionary`2 metadata, ICryptoTransform& transform, Nullable`1 requireEncryption, Byte[] iv, Boolean noPadding)
   --- End of inner exception stack trace ---
   at Microsoft.Azure.Storage.Core.Executor.Executor.<ExecuteAsync>d__1`1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.Azure.Storage.Core.Executor.Executor.<>c__DisplayClass0_0`1.<ExecuteSync>b__0()
   at Microsoft.Azure.Storage.Core.Util.CommonUtility.RunWithoutSynchronizationContext[T](Func`1 actionToRun)
   at Microsoft.Azure.Storage.Core.Executor.Executor.ExecuteSync[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext)
   at Microsoft.Azure.Storage.Blob.CloudBlob.DownloadRangeToStream(Stream target, Nullable`1 offset, Nullable`1 length, AccessCondition accessCondition, BlobRequestOptions options, OperationContext operationContext)
   at Microsoft.Azure.Storage.Blob.CloudBlob.DownloadToStream(Stream target, AccessCondition accessCondition, BlobRequestOptions options, OperationContext operationContext)
   at decryptBlobUsingVaultKey.Program.Main(String[] args) in /Users/takeatu/Projects/decryptBlobUsingVaultKey/decryptBlobUsingVaultKey/Program.cs:127
The key in Key Vault has permissions for all operations.
Answer 1:
I tried getting the token and encrypting and decrypting the blob on my system.
Try granting the Get permission.
Output:
Comments:
There are two configurations: 1) the operations permitted on the Key, and 2) the Key permissions in the access policy. I had missed the second part; after providing the correct key-permission operations in the access policy, I was able to decrypt. Thanks.
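The comment above identifies the cause: the key object itself permitted every operation, but the caller's identity lacked the matching key permission in the vault's access policy, so the unwrapKey call that decryption relies on returned 403. The following is an added example, not the questioner's code and not the linked Microsoft document's sample. It shows the full round trip with the same legacy packages the question uses (Microsoft.Azure.Storage.Blob, Microsoft.Azure.KeyVault, Microsoft.Azure.KeyVault.Extensions) and adds a helper that walks the nested exception chain from the stack trace (StorageException, AggregateException, KeyVaultErrorException) and reports a Forbidden on the Key Vault call as the access-policy problem rather than a storage problem. Assumptions: authentication goes through AzureServiceTokenProvider from Microsoft.Azure.Services.AppAuthentication instead of the question's unshown GetToken; vault, key, storage account and container names are placeholders; the response wrapper on KeyVaultErrorException exposes StatusCode as in Microsoft.Rest.ClientRuntime.

```csharp
// Added example; not code from the question or from the linked Microsoft document.
// Placeholders in angle brackets must be replaced with real names.
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Threading;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Core;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;

static class EncryptedBlobRoundTrip
{
    // Placeholder key identifier (assumption: vault and key names are not on the page)
    const string KeyId = "https://<vault-name>.vault.azure.net/keys/<key-name>";

    static void Main()
    {
        // Assumption: AzureServiceTokenProvider supplies the Key Vault token callback
        // (developer sign-in, managed identity or service-principal environment variables).
        var tokenProvider = new AzureServiceTokenProvider();
        var resolver = new KeyVaultKeyResolver(tokenProvider.KeyVaultTokenCallback);

        var creds = new StorageCredentials("<storage-account>", "<storage-account-key>");
        CloudBlobContainer container = new CloudStorageAccount(creds, useHttps: true)
            .CreateCloudBlobClient()
            .GetContainerReference("<container-name>");
        CloudBlockBlob blob = container.GetBlockBlobReference("Data.txt");

        // Upload: the Key Vault key (KEK) wraps a per-blob content key, which needs 'wrapKey'.
        IKey kek = resolver.ResolveKeyAsync(KeyId, CancellationToken.None).GetAwaiter().GetResult();
        var uploadOptions = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(kek, null)
        };
        byte[] samplePlaintext = Encoding.UTF8.GetBytes("constructed sample plaintext");
        using (var input = new MemoryStream(samplePlaintext))
        {
            blob.UploadFromStream(input, null, uploadOptions, null);
        }

        // Download: only a resolver is needed; the SDK reads the wrapped content key from the
        // blob metadata and calls Key Vault unwrapKey, which needs the 'unwrapKey' permission
        // in the access policy (the 'get' permission covers resolving the key itself).
        var downloadOptions = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(null, resolver)
        };
        try
        {
            using (var output = new MemoryStream())
            {
                blob.DownloadToStream(output, null, downloadOptions, null);
                Console.WriteLine(Encoding.UTF8.GetString(output.ToArray()));
            }
        }
        catch (StorageException ex)
        {
            Console.Error.WriteLine(ExplainDecryptFailure(ex));
            throw;
        }
    }

    // Walks StorageException -> AggregateException -> KeyVaultErrorException, as in the
    // question's stack trace, and names the setting most likely responsible.
    public static string ExplainDecryptFailure(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            if (e is AggregateException agg && agg.InnerExceptions.Count > 0)
            {
                e = agg.Flatten().InnerExceptions[0];
            }
            if (e is KeyVaultErrorException kv)
            {
                if (kv.Response != null && kv.Response.StatusCode == HttpStatusCode.Forbidden)
                {
                    return "Key Vault returned 403 on unwrapKey: the calling identity lacks the "
                         + "'unwrapKey' (and 'get') key permission in the vault's access policy. "
                         + "The operations enabled on the key object alone are not sufficient.";
                }
                return "Key Vault rejected the request: " + kv.Message;
            }
        }
        return "Decrypt failed for a reason other than a Key Vault permission error: " + ex.Message;
    }
}
```

The two settings the comment mentions are independent: enabling wrapKey/unwrapKey on the key object says what the key may do, while the access policy says who may ask for it. A 403 from UnwrapKeyWithHttpMessagesAsync, with the upload having succeeded, is the signature of an identity that can wrap but not unwrap, which is the check worth making before touching the storage side.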