
I have an EU storage account (v1) and an EU Key Vault. I do client-side encryption when saving and retrieving the blobs. Encryption/decryption works in this scenario.

I am re-creating my resources in the ZA region and have created a new storage account (v2) and a new key vault. I have copied the blobs across using MS Azure Storage Explorer. Both key vaults have the same secret but with a different name.

I cannot decrypt the blobs on the ZA storage even though the secrets are the same.

I have noticed that the copied blobs on the ZA storage have metadata called "encryptiondata" which points to the EU key vault.

Is there a way to copy the encrypted blobs from EU to the ZA storage account and use the ZA keyvault to decrypt them?

The only solution I can think of is to write a method to do the following:

  1. Get EU blob and decrypt with EU secret.
  2. Write decrypted data to ZA storage with ZA secret.

Thanks.


1 Answer


I tried SO and MS to resolve this. In the end I created my own solution as follows:

//Procedure:
// 1. Go to ZA storage and delete all blobs.
// 2. Copy all EU storage to ZA storage with MSASE. Encrypted blobs will not be able to be decrypted yet.
// 3. Run this method. It does the following:
//   a. Processes "Documents" and "Mandates" folders.
//   b. Always copies encrypted blobs using the ZA key. Encrypted blobs will now be able to be decrypted.
//   c. If standard blob does not exist, copies it as well (without encryption).

MSASE = Microsoft Azure Storage Explorer
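The "encryptiondata" metadata names the Key Vault URI (KeyId) that wrapped each blob's content key, so the decrypting client resolves exactly that vault; a copied blob therefore stays bound to the EU vault until it is re-encrypted. The following is an added example of the re-encryption method described in steps 3b and 3c above; it is not the answerer's code. It assumes the legacy Microsoft.WindowsAzure.Storage and Microsoft.Azure.KeyVault.Extensions packages, and the `euResolver`, `zaKey` and container objects are placeholders the caller sets up (the ZA key comes from a `KeyVaultKeyResolver.ResolveKeyAsync` call against the ZA vault's secret URI).

```csharp
using System.IO;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;       // KeyVaultKeyResolver
using Microsoft.Azure.KeyVault.Core;  // IKey
using Microsoft.WindowsAzure.Storage.Blob;

// Hypothetical helper (not from the original post). Re-encrypts every client-side
// encrypted blob under `prefix` with the ZA key, so its "encryptiondata" metadata
// no longer references the EU vault; plain blobs are copied only if missing (step 3c).
static async Task MigrateFolderAsync(
    CloudBlobContainer euContainer, CloudBlobContainer zaContainer, string prefix,
    KeyVaultKeyResolver euResolver, IKey zaKey)
{
    // Read side: no fixed key; the resolver fetches whatever KeyId the metadata names,
    // so the identity used here must still be able to read the EU vault secret.
    var readOptions = new BlobRequestOptions { EncryptionPolicy = new BlobEncryptionPolicy(null, euResolver) };
    // Write side: a fresh content key is generated per blob and wrapped with the ZA key.
    var writeOptions = new BlobRequestOptions { EncryptionPolicy = new BlobEncryptionPolicy(zaKey, null) };
    var plainOptions = new BlobRequestOptions();

    BlobContinuationToken token = null;
    do
    {
        // Flat listing with metadata so "encryptiondata" is available without an extra round trip.
        var page = await euContainer.ListBlobsSegmentedAsync(
            prefix, true, BlobListingDetails.Metadata, null, token, null, null);
        token = page.ContinuationToken;

        foreach (var item in page.Results)
        {
            if (!(item is CloudBlockBlob src)) continue;
            var dst = zaContainer.GetBlockBlobReference(src.Name);
            bool encrypted = src.Metadata.ContainsKey("encryptiondata");

            // Step 3c: a plain blob already present on ZA is left alone.
            if (!encrypted && await dst.ExistsAsync()) continue;

            using (var ms = new MemoryStream())
            {
                // Encrypted blobs are decrypted in memory on download (EU key), then
                // re-encrypted on upload (ZA key); plaintext never touches disk or the wire.
                await src.DownloadToStreamAsync(ms, null, encrypted ? readOptions : plainOptions, null);
                ms.Position = 0;
                await dst.UploadFromStreamAsync(ms, null, encrypted ? writeOptions : plainOptions, null);
            }
        }
    } while (token != null);
}
```

Run it once per folder (for example `"Documents/"` and `"Mandates/"`) while the EU vault is still reachable; afterwards, a blob whose "encryptiondata" KeyId still names the EU vault is one the migration missed.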