Background:
Block blobs are encrypted during upload with BlobEncryptionPolicy (envelope technique), using a symmetric key and no key resolver.
Upload:
var simKey = new SymmetricKey(kid);
var policy = new BlobEncryptionPolicy(new SymmetricKey(kid), null);
var options = new BlobRequestOptions() { EncryptionPolicy = policy };
var blob = cloudBlobContainer.GetBlockBlobReference("blob");
using (var stream = File.OpenRead(@"C:\tmp\blob.txt"))
{
blob.UploadFromStream(stream, stream.Length, null, options, null);
}
Download:
var policy = new BlobEncryptionPolicy(new SymmetricKey(theSameKid), null);
var options = new BlobRequestOptions() { EncryptionPolicy = policy };
var blob = cloudBlobContainer.GetBlockBlobReference("blob");
using (var np = File.Open(@"C:\tmp\blob-2.txt", FileMode.Create))
{
blob.DownloadToStream(np, null, options, null);
}
When the upload and the download run on the same server, it works fine.
When downloading from another server, an error is thrown: Data is not authentic
Call stack:
Microsoft.Azure.KeyVault.Cryptography.Algorithms.AesKw.AesKwDecryptor.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
Microsoft.Azure.KeyVault.SymmetricKey.UnwrapKeyAsync(Byte[] encryptedKey, String algorithm, CancellationToken token)
Does the encryption process (i.e. the blob's encryptiondata metadata) include something "server-specific" in the key computation that prevents the blob from being decrypted on another server?
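An added example (not code from the question) illustrating the failure mode behind the call stack above: the `SymmetricKey(string kid)` constructor in Microsoft.Azure.KeyVault generates fresh random key bytes each time it is called, so every server that runs `new SymmetricKey(kid)` gets a different KEK under the same kid; nothing server-specific is written to the encryptiondata metadata. `UnwrapAcrossInstancesAsync` reproduces the AES-KW integrity failure with two such instances, and `UploadEncrypted`/`DownloadDecrypted` show the corrected pattern, where the key bytes are provisioned once and passed to `SymmetricKey(kid, keyBytes)` on every server, with a resolver on the download side and `RequireEncryption` set so the client fails closed. `SharedKek`, its placeholder bytes, `SharedKeyResolver` and the method names are assumptions introduced for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Core;
using Microsoft.WindowsAzure.Storage.Blob;

// Assumption: the KEK is provisioned to every server out of band (for instance as a
// Key Vault secret or a protected configuration value). Kid and bytes are constructed
// placeholders for this example; real key material never belongs in source code.
static class SharedKek
{
    public const string Kid = "blob-kek-example";       // hypothetical key identifier
    public static readonly byte[] Bytes = new byte[32]; // placeholder: 256 zero bits
}

static class EnvelopeKeyDemo
{
    // Reproduces the failure in the question: SymmetricKey(kid) with no key bytes
    // generates random material, so two servers that each call it hold two different
    // KEKs under the same kid. Returns false when the cross-instance unwrap fails.
    public static async Task<bool> UnwrapAcrossInstancesAsync(string kid)
    {
        using (var serverA = new SymmetricKey(kid))
        using (var serverB = new SymmetricKey(kid))
        {
            var cek = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(cek);

            // Server A wraps the content key with its KEK (AES-KW), as the upload does.
            var wrapped = await serverA.WrapKeyAsync(cek, serverA.DefaultKeyWrapAlgorithm, CancellationToken.None);
            try
            {
                // Server B unwraps with a KEK of the same kid but different bytes:
                // the AES-KW integrity check fails ("Data is not authentic").
                await serverB.UnwrapKeyAsync(wrapped.Item1, wrapped.Item2, CancellationToken.None);
                return true;
            }
            catch (CryptographicException)
            {
                return false;
            }
        }
    }

    // Same kid and the same bytes on every server: the KEK is shared, not generated.
    private static SymmetricKey LoadSharedKek()
    {
        return new SymmetricKey(SharedKek.Kid, SharedKek.Bytes);
    }

    public static void UploadEncrypted(CloudBlobContainer container, string blobName, string path)
    {
        var options = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(LoadSharedKek(), null),
            RequireEncryption = true // fail closed: never upload plaintext by accident
        };
        var blob = container.GetBlockBlobReference(blobName);
        using (var stream = File.OpenRead(path))
        {
            blob.UploadFromStream(stream, stream.Length, null, options, null);
        }
    }

    public static void DownloadDecrypted(CloudBlobContainer container, string blobName, string path)
    {
        // The resolver picks the KEK by the kid recorded in the blob's encryptiondata
        // metadata, so older kids stay resolvable after a key rotation.
        var resolver = new SharedKeyResolver(LoadSharedKek());
        var options = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(null, resolver),
            RequireEncryption = true // fail closed: refuse blobs stored without encryption
        };
        var blob = container.GetBlockBlobReference(blobName);
        using (var output = File.Open(path, FileMode.Create))
        {
            blob.DownloadToStream(output, null, options, null);
        }
    }
}

// Minimal in-process resolver, constructed for this example (not a library type).
sealed class SharedKeyResolver : IKeyResolver
{
    private readonly Dictionary<string, IKey> keys = new Dictionary<string, IKey>();

    public SharedKeyResolver(params IKey[] known)
    {
        foreach (var k in known) keys[k.Kid] = k;
    }

    public Task<IKey> ResolveKeyAsync(string kid, CancellationToken token)
    {
        IKey key;
        keys.TryGetValue(kid, out key);
        return Task.FromResult(key); // null: the policy throws instead of decrypting
    }
}
```

Run `UnwrapAcrossInstancesAsync(SharedKek.Kid)` once to confirm it returns false; then provision the same bytes to both servers and use `UploadEncrypted` on one and `DownloadDecrypted` on the other. The wrapped content key in the blob's metadata is only as protected as the KEK bytes, so they should come from a secret store with access limited to the services that need to decrypt, and the kid should change whenever the bytes do.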