AzureStorageClientSideEncryptionAndRewrap.cs

/*
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Identity.Client" Version="4.64.0" />
    <PackageReference Include="Azure.Identity" Version="1.12.0" />
    <PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.6.0" />
    <PackageReference Include="Azure.Storage.Blobs" Version="12.21.2" />
  </ItemGroup>
</Project>
*/

using Azure.Core;
using Azure.Core.Cryptography;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Specialized;
using System.Text;

var (accountName, containerName, blobName) = ("deadbeef1", "container1", "myblob.txt");
var (keyVaultName, (keyWrapAlgorithm, rsaKeyNamesInKeyVault)) = (
    "chgeustorkv",
    (KeyWrapAlgorithm.RsaOaep, new[] { "keywrapkey1", "keywrapkey2", "keywrapkey3" }));

var (tenantId, clientId, clientSecret) = (
    "workentra.geuer-pollmann.de",
    Environment.GetEnvironmentVariable("CLIENT_ID"),
    Environment.GetEnvironmentVariable("CLIENT_SECRET"));

ClientSecretCredential credential = new(tenantId, clientId, clientSecret,
    options: new ClientSecretCredentialOptions
    {
        AdditionallyAllowedTenants = { "*" }
    }
);

Func<string, ClientSideEncryptionOptions> enc_opts(string keyVaultName, TokenCredential credential) =>
    kekName =>
        new(ClientSideEncryptionVersion.V2_0)
        {
            KeyEncryptionKey = new MyKeyEncryptionKey(
                keyVaultName: keyVaultName,
                keyName: kekName,
                credential: credential),
            KeyResolver = new MyKeyEncryptionKeyResolver(
                keyVaultName: keyVaultName,
                credential: credential),
            KeyWrapAlgorithm = keyWrapAlgorithm.ToString()
        };
var kek = enc_opts(keyVaultName, credential);

#region Upload

BlobServiceClient bsc = new(
    serviceUri: new Uri($"https://{accountName}.blob.core.windows.net"),
    credential: credential,
    options: new SpecializedBlobClientOptions
    {
        ClientSideEncryption = kek(rsaKeyNamesInKeyVault[0])
    }
);

BlobContainerClient containerClient = bsc.GetBlobContainerClient(containerName);
await containerClient.CreateIfNotExistsAsync();
BlobClient blob = containerClient.GetBlobClient(blobName);

var encoding = Encoding.UTF8;
blob.Upload(new MemoryStream(encoding.GetBytes("Hallo")), overwrite: true);

#endregion

#region Re-wrap content encryption keys with a different key encryption key

await blob.UpdateClientSideKeyEncryptionKeyAsync(kek(rsaKeyNamesInKeyVault[1]));
await blob.UpdateClientSideKeyEncryptionKeyAsync(kek(rsaKeyNamesInKeyVault[2]));

#endregion

#region Download the most recent version

// Not that for the download, we don't need to specify the key, only the IKeyEncryptionKeyResolver

BlobServiceClient bsc2 = new(
    serviceUri: new Uri($"https://{accountName}.blob.core.windows.net"),
    credential: credential,
    options: new SpecializedBlobClientOptions
    {
        ClientSideEncryption = new(ClientSideEncryptionVersion.V2_0)
        {
            KeyResolver = new MyKeyEncryptionKeyResolver(
                keyVaultName: keyVaultName,
                credential: credential),
            KeyWrapAlgorithm = keyWrapAlgorithm.ToString()
        }
    }
);
BlobContainerClient containerClient2 = bsc2.GetBlobContainerClient(containerName);
await containerClient2.CreateIfNotExistsAsync();
BlobClient blob2 = containerClient.GetBlobClient(blobName);

// Download and decrypt the encrypted contents from the blob.
MemoryStream outputStream = new();
blob2.DownloadTo(outputStream);
Console.WriteLine($"Downloaded blob. Contents: {encoding.GetString(outputStream.ToArray())}");

#endregion

public class MyKeyEncryptionKey(string keyVaultName, string keyName, TokenCredential credential) : IKeyEncryptionKey
{
    private readonly string keyVaultName = keyVaultName;
    private readonly string keyName = keyName;
    private readonly TokenCredential credential = credential;

    string IKeyEncryptionKey.KeyId => keyName;

    byte[] IKeyEncryptionKey.WrapKey(string algorithm, ReadOnlyMemory<byte> key, CancellationToken cancellationToken) 
        => ((IKeyEncryptionKey)this).WrapKeyAsync(algorithm, key, cancellationToken).Result;

    byte[] IKeyEncryptionKey.UnwrapKey(string algorithm, ReadOnlyMemory<byte> encryptedKey, CancellationToken cancellationToken) =>
        ((IKeyEncryptionKey)this).UnwrapKeyAsync(algorithm, encryptedKey, cancellationToken).Result;

    async Task<byte[]> IKeyEncryptionKey.WrapKeyAsync(string algorithm, ReadOnlyMemory<byte> key, CancellationToken cancellationToken)
    {
        CryptographyClient cryptoClient = await GetCryptographyClient(cancellationToken);

        WrapResult wrapResult = await cryptoClient.WrapKeyAsync(algorithm, key.ToArray(), cancellationToken); 

        return wrapResult.EncryptedKey;
    }

    async Task<byte[]> IKeyEncryptionKey.UnwrapKeyAsync(string algorithm, ReadOnlyMemory<byte> encryptedKey, CancellationToken cancellationToken)
    {
        CryptographyClient cryptoClient = await GetCryptographyClient(cancellationToken);

        var unwrapped = await cryptoClient.UnwrapKeyAsync(algorithm, encryptedKey.ToArray(), cancellationToken);

        return unwrapped.Key;
    }

    private async Task<CryptographyClient> GetCryptographyClient(CancellationToken cancellationToken)
    {
        KeyClient keyClient = new(
           vaultUri: new Uri($"https://{this.keyVaultName}.vault.azure.net/"),
           credential: credential);

        KeyVaultKey rsaKey = await keyClient.GetKeyAsync(name: this.keyName, cancellationToken: cancellationToken);
        CryptographyClient cryptoClient = new(keyId: rsaKey.Id, credential: credential);
        return cryptoClient;
    }
}

public class MyKeyEncryptionKeyResolver(string keyVaultName, TokenCredential credential) : IKeyEncryptionKeyResolver
{
    private readonly string keyVaultName = keyVaultName;
    private readonly TokenCredential credential = credential;

    IKeyEncryptionKey IKeyEncryptionKeyResolver.Resolve(string keyId, CancellationToken cancellationToken) =>
        ((IKeyEncryptionKeyResolver)this).ResolveAsync(keyId, cancellationToken).Result;

    async Task<IKeyEncryptionKey> IKeyEncryptionKeyResolver.ResolveAsync(string keyId, CancellationToken cancellationToken)
    {
        await Console.Out.WriteLineAsync($"Resolving key #{keyId}");

        return new MyKeyEncryptionKey(this.keyVaultName, keyId, this.credential);
    }
}

Simply speaking, you can re-wrap the content encryption key with a different key encryption key, without having to download the full ciphertext, locally re-wrap, and re-upload.

Have a look here: https://gist.github.com/chgeuer/e51aca40f55b9158da065e489b5e0242

For this to work, I created a storage account and a KeyVault, and I have 3 (RSA) keys in KeyVault, called “keywrapkey1”, “…2” and “…3”. I upload a blob and request encryption under kek1, then I call UpdateClientSideKeyEncryptionKeyAsync once with kek2, and then with kek3, so that the content encryption key is wrapped with kek1 -> kek2 -> kek3 over time.

The UpdateClientSideKeyEncryptionKeyAsync function does what you would expect it does, below is a fiddler trace screenshot. This is the UpdateClientSideKeyEncryptionKeyAsync(kek2) call, i.e. where the blob currently protected with kek1.

• In Request 1, the SDK fetches the encryption metadata (the JSON stored in the x-ms-meta-encryptiondata field):
• The JSON is this

{
    "EncryptionMode":"FullBlob",
    "WrappedContentKey":{
       "KeyId":"keywrapkey1",
       "EncryptedKey":"....",
       "Algorithm":"RSA-OAEP"},
    "EncryptionAgent":{
        "Protocol":"2.0",
        "EncryptionAlgorithm":"AES_GCM_256"
    }, 
    ...
}

• So as a result, the SDK knows that “keywrapkey1” is required to decrypt the content encryption key
• Request 2 lists the versions of that key in KV
• Request 3 fetches metadata about the most recent version
• Request 4 is the POST to /keys/keywrapkey1/…/unwrapKey?api-version=7.5 to unwrap the content encryption key under keywrapkey1’s most recent version
• Requests 6 and 7 fetch the most recent public key material (modulus exponent) of keywrapkey2
• The encryption of the content encryption key unwrapped in step 4, under keywrapkey2, happens on the client side, i.e. no keyvault involved
• Request 8 is PUT /container1/myblob.txt?comp=metadata which updates the blob’s metadata with the new EncryptedKey and indicating that it’s wrapped using keywrapkey2

{
    ...,
    "WrappedContentKey":{
    	"KeyId":"keywrapkey2",
    	"EncryptedKey": "…new stuff",
	},
	...
)

So long story short, you can achieve your whole thing just by rolling to a new KEK by calling UpdateClientSideKeyEncryptionKeyAsync, no need to mess around storing key material and stuff in some database.