I am using the Azure Media Services REST API to create an asset which should be storage encrypted.

The below steps were successful:

  1. Created an asset with "Options": "1" (storage encryption).
  2. Created a content key with "ContentKeyType":"1", "ProtectionKeyType":"0".
  3. Associated the content key with the asset created.
  4. Created the asset file.
  5. Created the Access policy.
  6. Created the SAS URL (StartTime is five minutes before the current time).
  7. Uploaded the file to the SAS URL by correctly specifying the file name (I did a chunk upload to the blob storage).
  8. Deleted the Locator & AccessPolicy.

Problem:

  1. I was not able to encode the asset.
  2. From the blob storage, I was able to download the file and play. The file was not encrypted at storage!

Further inference

  1. I could verify the asset file with AMS Explorer(image attached).
  2. Downloading the file from AMS Explorer didn't work.

1 Answers

From docs - "If you have unencrypted media that you wish to encrypt prior to upload you should specify AssetCreationOptions.StorageEncrypted when creating the asset. This encrypts media locally prior to uploading it to Azure storage where it will be stored encrypted."

From REST API reference (https://msdn.microsoft.com/en-us/library/azure/hh974277.aspx) -

StorageEncrypted = 1: Specifies that an asset's files should be encrypted on for upload and storage when creating the asset.

What this means is that by providing the StorageEncryption option you are just telling the system that your asset has been encrypted before uploading. The .NET SDK does it for you, but when you are using the REST API you have to encrypt the file yourself before uploading.

You can look at https://github.com/Azure/azure-sdk-for-media-services/blob/dev/src/net/Client/Entities/AssetFileData.cs to see how encryption for an asset file is implemented in the .NET SDK.

You have to create a content key, associate it with the asset, and use it for encryption. Once you have all this information in the system, Azure Media Services will be able to decrypt your content during encoding to other formats.
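
Encrypting locally before a chunked upload, as an added example that is not part of the original answer and is not the SDK's code: each chunk is encrypted at its own byte offset so the uploaded blob equals the whole file encrypted in one pass. It assumes AES-256 in CTR mode with the counter layout noted in the code; the function names, key and IV are hypothetical, and the parameters the service expects should be taken from the linked SDK source.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// EncryptChunk encrypts the upload chunk that starts at byte `offset` of the file.
// ASSUMPTION (not from the page): counter block = 8-byte IV || 8-byte big-endian block index.
func EncryptChunk(key []byte, iv uint64, offset int64, chunk []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 || offset < 0 || offset%aes.BlockSize != 0 {
		return nil, fmt.Errorf("need a 32-byte key and a 16-byte-aligned offset (cipher error: %v)", err)
	}
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[:8], iv)
	binary.BigEndian.PutUint64(ctr[8:], uint64(offset/aes.BlockSize))
	out := make([]byte, len(chunk))
	cipher.NewCTR(block, ctr).XORKeyStream(out, chunk)
	return out, nil
}

// EncryptInChunks mirrors a chunked blob upload: every chunk is encrypted independently.
func EncryptInChunks(key []byte, iv uint64, data []byte, chunkSize int) ([]byte, error) {
	if chunkSize <= 0 {
		return nil, fmt.Errorf("chunk size must be positive, got %d", chunkSize)
	}
	var out []byte
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		c, err := EncryptChunk(key, iv, int64(off), data[off:end])
		if err != nil {
			return nil, err
		}
		out = append(out, c...)
	}
	return out, nil
}

func main() {
	// Constructed key and sample bytes; a real upload uses the asset's content key and a random per-file IV.
	key, data := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte("constructed sample bytes "), 10)
	ct, err := EncryptInChunks(key, 7, data, 64)
	fmt.Println("uploaded bytes differ from plaintext:", err == nil && !bytes.Equal(ct, data))
}
```

A chunk size that is not a multiple of 16 is rejected at the second chunk, because a CTR keystream can only be resumed on a block boundary.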