@christothes
Last active October 12, 2020 16:29
Backup/Restore-sample

Backup Restore Key concepts

Full Backup

Create a full backup of the entire contents of the Managed HSM including all keys, versions, attributes, tags, and role assignments. The backup is encrypted with cryptographic keys associated with the HSM's security domain.

Full Restore

Completely restore the contents of the Managed HSM with a previous backup, including all keys, versions, attributes, tags, and role assignments. Everything currently stored in the HSM will be wiped out, and it will return to the same state it was in when the source backup was created.

Selective Restore

Selectively restore just one key from a Managed HSM backup in blob storage. Only key material (all versions), tags, attributes, and key level role assignments are restored.

Expected Usage

Create the KeyVaultBackupClient

KeyVaultBackupClient client = new KeyVaultBackupClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential());

Create a SAS token to authorize Backup and Restore operations

// Using the Azure.Storage.Blobs package, create an account-level SAS for the Blob service's service-level APIs.
AccountSasBuilder sas = new AccountSasBuilder
{
    // Allow access to blobs.
    Services = AccountSasServices.Blobs,

    // Allow access to the service level APIs.
    ResourceTypes = AccountSasResourceTypes.Service,

    // Access expires in 1 hour.
    ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
// Allow All access
sas.SetPermissions(AccountSasPermissions.All);

// Create a SharedKeyCredential that we can use to sign the SAS token
StorageSharedKeyCredential credential = new StorageSharedKeyCredential("my-storage-account-name", "my-storage-account-key");

// Get a SAS token
string sasToken = sas.ToSasQueryParameters(credential).ToString();

Create a Full Backup

Execute a backup operation given an Azure Storage Uri and a valid SAS token with permissions to create a blob.

// Start the backup long-running operation.
BackupOperation backupOperation = client.StartBackup(new Uri("https://myaccount.blob.core.windows.net/backup/"), sasToken);

// Wait for operation completion; `source` is a CancellationTokenSource owned by the caller.
Uri backupBlobUri = await backupOperation.WaitForCompletionAsync(source.Token).ConfigureAwait(false);

Console.WriteLine($"The location of the newly created backup is: {backupBlobUri}");
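
The account-level SAS above grants every permission across the whole Blob service. As an added example (not part of the original gist), the backup below uses a SAS confined to the single backup container, HTTPS only, valid for one hour. The environment variable names and the exact permission set are assumptions; `StartBackup` and `WaitForCompletionAsync` follow the sample above.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Administration;
using Azure.Storage;
using Azure.Storage.Sas;

public static class ScopedBackupSasExample
{
    // Build a SAS confined to one container, HTTPS only, with a short lifetime.
    public static string CreateContainerSas(StorageSharedKeyCredential key, string container, TimeSpan lifetime)
    {
        var sas = new BlobSasBuilder
        {
            BlobContainerName = container,
            Resource = "c", // "c" scopes the token to the container, not the account
            Protocol = SasProtocol.Https,
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5), // tolerate clock skew
            ExpiresOn = DateTimeOffset.UtcNow.Add(lifetime)
        };
        // Assumption: create/read/write/delete is enough for a backup; trim further if the service allows.
        sas.SetPermissions(BlobContainerSasPermissions.Create | BlobContainerSasPermissions.Read |
                           BlobContainerSasPermissions.Write | BlobContainerSasPermissions.Delete);
        return sas.ToSasQueryParameters(key).ToString();
    }

    // Read a required setting; the variable names used below are hypothetical.
    private static string Require(string name) =>
        Environment.GetEnvironmentVariable(name) ?? throw new InvalidOperationException($"{name} is not set");

    public static async Task Main()
    {
        var client = new KeyVaultBackupClient(new Uri(Require("MHSM_URL")), new DefaultAzureCredential());
        var key = new StorageSharedKeyCredential(Require("BACKUP_STORAGE_ACCOUNT"), Require("BACKUP_STORAGE_KEY"));
        string container = "backup"; // container name taken from the URI in the sample above
        string sasToken = CreateContainerSas(key, container, TimeSpan.FromHours(1));

        using var source = new CancellationTokenSource(TimeSpan.FromMinutes(30));
        var containerUri = new Uri($"https://{key.AccountName}.blob.core.windows.net/{container}/");

        // StartBackup and WaitForCompletionAsync are used exactly as in the sample above.
        BackupOperation backupOperation = client.StartBackup(containerUri, sasToken);
        Uri backupBlobUri = await backupOperation.WaitForCompletionAsync(source.Token).ConfigureAwait(false);
        Console.WriteLine($"Backup written to: {backupBlobUri}");
    }
}
```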
 

Execute a Full Restore

Execute a restore operation given an Azure Storage Uri and a valid SAS token with permissions to create a blob.

// Start the restore long-running operation.
RestoreOperation restoreOperation = client.StartRestore(new Uri("https://myaccount.blob.core.windows.net/backup/"), sasToken);

// Wait for operation completion; `source` is a CancellationTokenSource owned by the caller.
Response result = await restoreOperation.WaitForCompletionAsync(source.Token).ConfigureAwait(false);

Console.WriteLine("The restore operation is complete!");
 

Execute a Selective Restore

Execute a selective restore operation given an Azure Storage Uri and a valid SAS token with permissions to create a blob.

// Start the restore long-running operation for a specific key.
RestoreOperation restoreOperation = client.StartSelectiveRestore("my-key-name", new Uri("https://myaccount.blob.core.windows.net/backup/"), sasToken);

// Wait for operation completion; `source` is a CancellationTokenSource owned by the caller.
Response result = await restoreOperation.WaitForCompletionAsync(source.Token).ConfigureAwait(false);

Console.WriteLine("The selective restore operation is complete!");
 