python azure-blob-storage azure-keyvault public-key-encryption azure-container-service

Encrypt azure blob using Key in Azure-key-vault in Python


Microsoft has an example in C# for encrypting azure blob using the key in azure-key-vault https://learn.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault?WT.mc_id=Portal-Microsoft_Azure_Support&tabs=dotnet11#prerequisites

I am looking to do the same in Python. I tried to follow the code given in this page: https://github.com/Azure/azure-storage-python/blob/master/samples/blob/encryption_usage.py. This page is not using the Azure key.

It is giving an error when I try to use the Azure key in that example:

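from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
from azure.storage.blob import BlockBlobService  # legacy azure-storage-python SDK
from cryptography.hazmat.backends import default_backend

containerName = 'myContainer'  # placeholder container name

class KeyWrapper:
    def __init__(self, kid):
        # The key-encryption key is taken from the Key Vault key object
        self.kek = self.get_azure_vault_key()
        self.backend = default_backend()
        self.kid = 'local:' + kid

    def get_azure_vault_key(self):
        credential = DefaultAzureCredential()
        key_client = KeyClient(vault_url="https://xyz.vault.azure.net/", credential=credential)
        keyvaultObj = key_client.get_key("my-key")
        # key.n is the modulus of the RSA key (public key material), not an AES key
        actualKey = keyvaultObj.key.n
        return actualKey

def saveEncryptedCSVtoAzureBlob(CSVData, accountName, accountKey):
    blobName = 'myBlob'
    blobService = BlockBlobService(account_name=accountName, account_key=accountKey)
    kek = KeyWrapper('local:key1')
    # Setting key_encryption_key turns on client-side encryption for uploads
    blobService.key_encryption_key = kek
    blobService.create_blob_from_text(containerName, blobName, CSVData)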

This example gives the following error:

ValueError: The wrapping key must be a valid AES key length


Solution

  • "Encrypting Azure blob storage with azure key vault" functionality is not available as of today

    The Storage Python library does not appear to support integration with Azure Key Vault yet. This support will be added in the future, which is why there are no examples published for it at this time.

    This functionality is only available for C#/.NET.

    https://learn.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault?WT.mc_id=Portal-Microsoft_Azure_Support&tabs=dotnet11#use-key-vault-secrets
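
Added example (not part of the original question or answer, and not Microsoft's code): it reproduces the ValueError offline by passing an RSA modulus, the kind of value `key.n` holds, to AES key wrap, and shows a key-encryption-key object with the same four methods as the linked sample's KeyWrapper that wraps the content key with RSA-OAEP instead. The names `RsaKeyWrapper`, `modulus_bytes`, `try_aes_wrap` and `demo` are hypothetical, and a locally generated RSA key stands in for a vault-held key.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import aes_key_wrap

ALG = "RSA-OAEP-256"  # Key Vault's name for RSA-OAEP with SHA-256
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def modulus_bytes(public_key):
    """Big-endian RSA modulus, i.e. the kind of value `key.n` holds."""
    n = public_key.public_numbers().n
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def try_aes_wrap(wrapping_key, content_key):
    """Return the message AES key wrap raises for this wrapping key, or None."""
    try:
        aes_key_wrap(wrapping_key, content_key)
        return None
    except ValueError as exc:
        return str(exc)

class RsaKeyWrapper:
    """KEK object exposing the same four methods as the linked sample's KeyWrapper."""
    def __init__(self, kid, private_key):
        self.kid = kid
        self._key = private_key  # stand-in for a vault-held key (assumption)

    def wrap_key(self, key, algorithm=ALG):
        if algorithm != ALG:
            raise ValueError("unsupported key wrap algorithm: " + algorithm)
        return self._key.public_key().encrypt(key, OAEP)

    def unwrap_key(self, key, algorithm):
        if algorithm != ALG:
            raise ValueError("unsupported key wrap algorithm: " + algorithm)
        return self._key.decrypt(key, OAEP)

    def get_key_wrap_algorithm(self):
        return ALG

    def get_kid(self):
        return self.kid

def demo():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed test key
    cek = os.urandom(32)  # constructed content-encryption key
    error = try_aes_wrap(modulus_bytes(key.public_key()), cek)
    kek = RsaKeyWrapper("local:key1", key)
    wrapped = kek.wrap_key(cek)
    return error, kek.unwrap_key(wrapped, kek.get_key_wrap_algorithm()) == cek, len(wrapped)
```

A 2048-bit modulus is 256 bytes long, while AES key wrap accepts only 16-, 24- or 32-byte wrapping keys, which is the length check that fails in the question's code.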