Decrypting and downloading 'encrypted azure blob' using azure key vault in C#

Posted: 2021-12-13 03:32:31

Question:

I am following this document to encrypt data with a key from Azure Key Vault and upload it to Azure Blob Storage:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault?WT.mc_id=Portal-Microsoft_Azure_Support&tabs=dotnet11#use-key-vault-secrets

I am able to encrypt and upload using the key in azure key vault, but I get an error when decrypting and downloading the data.

    using System.IO;
    using System.Threading;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Storage;
    using Microsoft.Azure.Storage.Auth;
    using Microsoft.Azure.Storage.Blob;

    // Storage account and container that hold the encrypted blob.
    StorageCredentials dcreds = new StorageCredentials("storage-account-name", "storage-account-key");
    CloudStorageAccount daccount = new CloudStorageAccount(dcreds, useHttps: true);
    CloudBlobClient dclient = daccount.CreateCloudBlobClient();
    CloudBlobContainer dcontain = dclient.GetContainerReference("container-name");

    // Resolver that unwraps the per-blob content key with the Key Vault key;
    // GetToken is the AAD authentication callback (not shown in the question).
    KeyVaultKeyResolver dcloudResolver = new KeyVaultKeyResolver(GetToken);

    var drsa = dcloudResolver.ResolveKeyAsync(
           "https://my-key-vault.vault.azure.net/keys/my-key",
           CancellationToken.None).GetAwaiter().GetResult();

    // For download only the resolver is needed: the key id is read from the blob metadata.
    BlobEncryptionPolicy dpolicy = new BlobEncryptionPolicy(null, dcloudResolver);
    BlobRequestOptions doptions = new BlobRequestOptions() { EncryptionPolicy = dpolicy };

    CloudBlockBlob dblob = dcontain.GetBlockBlobReference("Data.txt");

    // The download decrypts transparently; this is the call that throws.
    using (var np = File.Open(@"Data.txt", FileMode.Create))
        dblob.DownloadToStream(np, null, doptions, null);

Data.txt is the encrypted blob in the container.

The stack trace:

    Microsoft.Azure.Storage.StorageException: "Decryption logic threw error. Please check the inner exception for more details." ---> System.AggregateException:
    "One or more errors occurred. (Operation returned an invalid status code 'Forbidden')" ---> Microsoft.Azure.KeyVault.Models.KeyVaultErrorException:
    "Operation returned an invalid status code 'Forbidden'"
       at Microsoft.Azure.KeyVault.KeyVaultClient.<UnwrapKeyWithHttpMessagesAsync>d__58.MoveNext()
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
       at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<UnwrapKeyAsync>d__5.MoveNext()
       --- End of inner exception stack trace ---
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       at System.Threading.Tasks.Task`1.get_Result()
       at Microsoft.Azure.KeyVault.KeyVaultKey.<>c.<UnwrapKeyAsync>b__14_0(Task`1 result)
       at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
       at System.Threading.Tasks.Task.<>c.<.cctor>b__277_0(Object obj)
       at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
       --- End of stack trace from previous location ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
       --- End of stack trace from previous location ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
       at Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy.<>c__DisplayClass13_1.<DecryptBlob>b__2()
       at Microsoft.Azure.Storage.Core.Util.CommonUtility.RunWithoutSynchronizationContext[T](Func`1 actionToRun)
       at Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy.DecryptBlob(Stream userProvidedStream, IDictionary`2 metadata, ICryptoTransform& transform, Nullable`1 requireEncryption, Byte[] iv, Boolean noPadding)
       --- End of inner exception stack trace ---
       at Microsoft.Azure.Storage.Core.Executor.Executor.<ExecuteAsync>d__1`1.MoveNext()
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
       at Microsoft.Azure.Storage.Core.Executor.Executor.<>c__DisplayClass0_0`1.<ExecuteSync>b__0()
       at Microsoft.Azure.Storage.Core.Util.CommonUtility.RunWithoutSynchronizationContext[T](Func`1 actionToRun)
       at Microsoft.Azure.Storage.Core.Executor.Executor.ExecuteSync[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext)
       at Microsoft.Azure.Storage.Blob.CloudBlob.DownloadRangeToStream(Stream target, Nullable`1 offset, Nullable`1 length, AccessCondition accessCondition, BlobRequestOptions options, OperationContext operationContext)
       at Microsoft.Azure.Storage.Blob.CloudBlob.DownloadToStream(Stream target, AccessCondition accessCondition, BlobRequestOptions options, OperationContext operationContext)
       at decryptBlobUsingVaultKey.Program.Main(String[] args) in /Users/takeatu/Projects/decryptBlobUsingVaultKey/decryptBlobUsingVaultKey/Program.cs:127

The key in Key Vault has permissions for all operations.

Comments:

Answer 1:

I tried getting a token on my system to encrypt and decrypt the blob.

Try granting the Get permission.

Output:

Comments:

There are two configurations: 1) the operations permitted on the Key, and 2) the key permissions in the access policy. I had missed the second part; after granting the correct key permission operations in the access policy, I was able to decrypt. Thanks.
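As an added example (not code from the question or the answer), the following pre-flight check separates the two configurations named in the comment above: it asks Key Vault to wrapKey and then unwrapKey a sample content key through the same KeyVaultClient type the resolver uses, so a 403 Forbidden on unwrap (the error in the stack trace) shows up before any blob download is attempted. It assumes an AAD application client id/secret for the token callback (ADAL's AuthenticationContext, as the linked tutorial used), the placeholder vault/key URL from the question, and hypothetical names such as VerifyKeyVaultPermissionsAsync.

```csharp
using System;
using System.Net;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.KeyVault.WebKey;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class KeyVaultPreflight
{
    // Placeholders (assumed): replace with your own app registration and vault values.
    const string ClientId = "<app-client-id>";
    const string ClientSecret = "<app-client-secret>";
    const string KeyId = "https://my-key-vault.vault.azure.net/keys/my-key";

    // Token callback of the shape KeyVaultKeyResolver and KeyVaultClient expect.
    public static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var ctx = new AuthenticationContext(authority);
        var result = await ctx.AcquireTokenAsync(resource, new ClientCredential(ClientId, ClientSecret));
        if (result == null) throw new InvalidOperationException("Failed to obtain Key Vault token");
        return result.AccessToken;
    }

    // Hypothetical helper: true when the identity can both wrap and unwrap with the key.
    // Upload only needs wrapKey; download (decrypt) needs unwrapKey, which is the
    // permission the question's identity was missing in the vault's access policy.
    public static async Task<bool> VerifyKeyVaultPermissionsAsync()
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
        byte[] cek = Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"); // constructed 32-byte sample key
        try
        {
            KeyOperationResult wrapped = await client.WrapKeyAsync(KeyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, cek, CancellationToken.None);
            Console.WriteLine("wrapKey: OK");
            KeyOperationResult unwrapped = await client.UnwrapKeyAsync(KeyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, wrapped.Result, CancellationToken.None);
            Console.WriteLine("unwrapKey: OK");
            return Convert.ToBase64String(unwrapped.Result) == Convert.ToBase64String(cek);
        }
        catch (KeyVaultErrorException ex) when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
        {
            // A 403 here means the access policy lacks the operation, even when the key
            // itself lists wrapKey/unwrapKey among its allowed key operations.
            Console.WriteLine("Forbidden: grant the missing key permission in the vault access policy. " + ex.Message);
            return false;
        }
    }
}
```

Run the check once at startup with the same identity the blob client will use; a false result points at the access policy, while a different exception (for example a key whose allowed operations exclude unwrapKey) points at the key's own configuration.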
