In Azure Storage Blob, I uploaded a blob using client-side encryption with a CEK and KEK. Now I am trying to download the decrypted file using the KEK on the client side, but the file gets downloaded and does not decrypt; it shows only the encrypted file.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;
import java.util.concurrent.ExecutionException;

import com.microsoft.azure.keyvault.core.IKey;
import com.microsoft.azure.keyvault.cryptography.RsaKey;
import com.microsoft.azure.keyvault.extensions.AggregateKeyResolver;
import com.microsoft.azure.keyvault.extensions.CachingKeyResolver;
import com.microsoft.azure.keyvault.extensions.KeyVaultKeyResolver;
import com.microsoft.azure.storage.CloudStorageAccount;
import com.microsoft.azure.storage.StorageException;
import com.microsoft.azure.storage.blob.BlobEncryptionPolicy;
import com.microsoft.azure.storage.blob.BlobRequestOptions;
import com.microsoft.azure.storage.blob.CloudBlobClient;
import com.microsoft.azure.storage.blob.CloudBlobContainer;
import com.microsoft.azure.storage.blob.CloudBlockBlob;

// Utility, KeyVaultUtility and LocalResolver are helper classes from the sample
// project this code is based on; they are assumed to live in the same package.
public class KeyVaultGettingStarted {
    public static void main(String[] args) throws StorageException,
            NoSuchAlgorithmException, InterruptedException, ExecutionException,
            URISyntaxException, InvalidKeyException, IOException {
        Utility.printSampleStartInfo("KeyVaultGettingStarted");

        // Get the key ID from Utility if it exists.
        String keyID = Utility.keyVaultKeyID;

        // If no key ID was specified, create a new secret in Key Vault.
        // Creating a secret needs full permission to Key Vault secrets; once the
        // secret exists and its ID has been added to App.config, this client only
        // needs read access to secrets.
        if (keyID == null || keyID.isEmpty()) {
            keyID = KeyVaultUtility.createSecret("KVGettingStartedSecret");
        }

        // Retrieve storage account information from the connection string.
        // How to create a storage connection string:
        // https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
        CloudStorageAccount storageAccount = CloudStorageAccount
                .parse(Utility.storageConnectionString);
        CloudBlobClient client = storageAccount.createCloudBlobClient();
        CloudBlobContainer container = client
                .getContainerReference("blobencryptioncontainer"
                        + UUID.randomUUID().toString().replace("-", ""));
        container.createIfNotExists();

        // Construct a resolver capable of looking up keys and secrets stored in
        // Key Vault.
        KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(
                KeyVaultUtility.GetKeyVaultClient());

        // To demonstrate how multiple different types of key can be used, also
        // create a local key and resolver. This key is temporary and won't be
        // persisted (1024-bit RSA is only acceptable for a throwaway demo key).
        final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(1024);
        final KeyPair wrapKey = keyGen.generateKeyPair();
        RsaKey rsaKey = new RsaKey("rsaKey1", wrapKey);
        LocalResolver resolver = new LocalResolver();
        resolver.add(rsaKey);

        // If there are multiple key sources like Azure Key Vault and a local KMS,
        // set up an aggregate resolver as follows. This gives a plug-in model
        // for all the different key providers that are supported.
        AggregateKeyResolver aggregateResolver = new AggregateKeyResolver();
        aggregateResolver.add(resolver);
        aggregateResolver.add(cloudResolver);

        // Set up a caching resolver so the secrets can be cached on the client.
        // This is the recommended usage pattern since the throttling targets
        // for the Storage and Key Vault services are orders of magnitude
        // different.
        CachingKeyResolver cachingResolver = new CachingKeyResolver(1,
                aggregateResolver);

        // Create a key instance corresponding to the key ID. This caches the
        // secret.
        IKey cloudKey = cachingResolver.resolveKeyAsync(keyID).get();
        System.out.println(cloudKey.toString());

        try {
            String a = "this is the encrypted message.";
            byte[] plaintext = a.getBytes(StandardCharsets.UTF_8);
            // The length passed to upload must match the bytes actually
            // available on the stream.
            int size = plaintext.length;

            // The first blob will use the key stored in Azure Key Vault.
            CloudBlockBlob blob = container.getBlockBlobReference("blockblob1");
            BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(
                    cloudKey, null);

            // Set the encryption policy on the request options.
            BlobRequestOptions uploadOptions = new BlobRequestOptions();
            uploadOptions.setEncryptionPolicy(uploadPolicy);

            System.out.println("Uploading the 1st encrypted blob.");

            // Upload the encrypted contents to the blob.
            ByteArrayInputStream inputStream = new ByteArrayInputStream(plaintext);
            blob.upload(inputStream, size, null, uploadOptions, null);

            // Download the encrypted blob. The policy carries only the resolver;
            // the key ID recorded in the blob's encryption metadata is resolved
            // through it to unwrap the CEK.
            BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(
                    null, cachingResolver);

            // Set the decryption policy on the request options.
            BlobRequestOptions downloadOptions = new BlobRequestOptions();
            downloadOptions.setEncryptionPolicy(downloadPolicy);
            System.out.println(downloadOptions.toString());

            System.out.println("Downloading the 1st encrypted blob.");
            // This download applies downloadOptions, so outputStream receives
            // the decrypted bytes (they are never inspected here).
            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
            blob.download(outputStream, null, downloadOptions, null);

            // This overload takes no request options, so the client's default
            // options (which carry no encryption policy) are used for the file.
            blob.downloadToFile("C:\\Users\\kashyap\\Downloads\\abc.txt");
        } finally {
            // Remove the throwaway container created for this run.
            container.deleteIfExists();
        }
    }
}
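As an added example (not the poster's code): the file download done through the overload that accepts request options, so the decryption policy is applied to the file write, with a check that the round trip reproduces the plaintext. It assumes the `blob` (CloudBlockBlob), `cachingResolver` (CachingKeyResolver) and plaintext `a` from the question are in scope, and a writable temp directory.

```java
// Added example, not from the original post. Assumes a CloudBlockBlob that was
// uploaded with a BlobEncryptionPolicy, and a resolver that can resolve the key
// ID stored in the blob's encryption metadata.
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import com.microsoft.azure.keyvault.core.IKeyResolver;
import com.microsoft.azure.storage.blob.BlobEncryptionPolicy;
import com.microsoft.azure.storage.blob.BlobRequestOptions;
import com.microsoft.azure.storage.blob.CloudBlockBlob;

public final class DecryptedDownload {
    // Downloads `blob` to `target` with decryption applied and returns the
    // plaintext. The policy carries no key, only the resolver: the key ID in
    // the blob's metadata is resolved at download time to unwrap the CEK.
    public static String downloadDecrypted(CloudBlockBlob blob,
            IKeyResolver resolver, File target) throws Exception {
        BlobRequestOptions options = new BlobRequestOptions();
        options.setEncryptionPolicy(new BlobEncryptionPolicy(null, resolver));
        // Fail the download instead of silently writing bytes if the blob
        // turns out not to be client-side encrypted.
        options.setRequireEncryption(true);
        // The request options must be passed to every download overload;
        // downloadToFile(path) alone uses the client defaults, which have
        // no encryption policy, so the ciphertext is written as-is.
        blob.downloadToFile(target.getAbsolutePath(), null, options, null);
        return new String(Files.readAllBytes(target.toPath()),
                StandardCharsets.UTF_8);
    }

    // Sanity check: the round trip must reproduce the uploaded plaintext
    // (the `a` string from the question).
    public static void verify(CloudBlockBlob blob, IKeyResolver resolver,
            String expected) throws Exception {
        File target = File.createTempFile("decrypted-", ".txt");
        try {
            String actual = downloadDecrypted(blob, resolver, target);
            if (!expected.equals(actual)) {
                throw new IllegalStateException(
                        "download did not decrypt: " + actual);
            }
        } finally {
            target.delete();
        }
    }
}
```

Call `DecryptedDownload.verify(blob, cachingResolver, a)` after the upload in the question to confirm the file overload decrypts the same way the stream overload does.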