Azure Storage – Encrypt and Decrypt blobs using Azure Key Vault

Access to blob storage can be controlled using Role-Based Access Control (RBAC). Team members with read permission can view the data inside blob storage, which is quite useful in non-production scenarios. For a production environment, however, this alone is not a good fit.

Data security in a production environment can be improved with encryption at rest. Azure Key Vault can be used to encrypt and decrypt Azure Storage blobs with a Key Vault key, so the data can only be read after it has been decrypted.

This post shows how to encrypt and decrypt Azure Storage blobs using an Azure Key Vault key. Follow along to see how this is done with Azure services and C# code.

1 – Create Azure App

The very first step is to create an application registration in Azure Active Directory. Once the app has been created, perform the steps below:

  1. Go to the Azure application.
  2. Click on API permissions and add the permission shown in screenshot – 1.
  3. Click on Certificates & secrets and generate a new secret by clicking “New client secret” (screenshot – 2).
  4. Copy the secret to Notepad.

Screenshot 1 – API Permission Setting in AAD
Screenshot 2 – Application Secret

2 – Create Azure Key Vault

Next, we need to create an Azure Key Vault with the Standard pricing tier in the resource group <RG01>. Once the Key Vault resource is up and running, perform the steps below:

  1. Go to the Key Vault from the resource group.
  2. Under the Settings section, click on Keys.
  3. Click on Generate/Import.
  4. Add the key <Key01> (screenshot – 3).
  5. Assign Wrap and Unwrap permission to the key (screenshot – 4).

Screenshot 3 – Create Key Vault Key
Screenshot 4 – Key Permissions

We will use the Key Vault Key Identifier of the latest key version in the code, so keep it handy. It is a URL, which can be retrieved by clicking Key01 > <KeyVersion> > <Key Identifier>.

3 – Create Azure Storage Account

Next, we need to create a general-purpose v2 storage account. Once the storage account resource has been created, add a blob container <container01> to it.

We will use the storage account name and access key to connect to blob storage in the code, so keep them handy.

That completes the required configuration.

4 – Time to Code

Now, open Visual Studio 2019 Community edition as an Administrator and create a new .NET Core console project. To implement the complete functionality, we need to add the following NuGet packages:

  • Microsoft.Azure.KeyVault
  • Microsoft.Azure.KeyVault.Core
  • Microsoft.Azure.KeyVault.Cryptography
  • Microsoft.Azure.KeyVault.Extensions
  • Microsoft.Azure.KeyVault.WebKey
  • Microsoft.Azure.Storage.Blob
  • Microsoft.IdentityModel.Clients.ActiveDirectory

Once all the NuGet packages have been added to the project, open the Program.cs file and add the C# code to the Main method.

  1. Using Statements
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;

2. Main method code

// Connect to the storage account with its name and access key
StorageCredentials storageCredentials
    = new StorageCredentials("<AccountName>", "<AccountKey>");
CloudStorageAccount account
    = new CloudStorageAccount(storageCredentials, true);
CloudBlobClient client = account.CreateCloudBlobClient();
CloudBlobContainer contain
    = client.GetContainerReference("container01");

// Resolve the Key Vault key that will wrap the per-blob content key.
// GetToken (below) authenticates the app registration against Key Vault.
KeyVaultKeyResolver tokenResolver = new KeyVaultKeyResolver(GetToken);
var keyResolver
    = tokenResolver.ResolveKeyAsync("<KeyIdentifier>", CancellationToken.None)
                   .GetAwaiter().GetResult();

// Encrypt on upload: the policy is given the key to encrypt with
BlobEncryptionPolicy policy
    = new BlobEncryptionPolicy(keyResolver, null);
BlobRequestOptions options
    = new BlobRequestOptions() { EncryptionPolicy = policy };
CloudBlockBlob blob
    = contain.GetBlockBlobReference("MyFile.txt");
using (var stream = System.IO.File.OpenRead(@"C:\Temp\MyFile.txt"))
    blob.UploadFromStream(stream, stream.Length, null, options, null);
Console.WriteLine("Encrypted Successfully");

// Decrypt on download: the policy is given a resolver, which looks up the
// key recorded in the blob's encryption metadata and unwraps the content key
tokenResolver = new KeyVaultKeyResolver(GetToken);
policy = new BlobEncryptionPolicy(null, tokenResolver);
options = new BlobRequestOptions() { EncryptionPolicy = policy };
using (var np = System.IO.File.Open(@"C:\Temp\MyFile1.txt", FileMode.Create))
    blob.DownloadToStream(np, null, options, null);
Console.WriteLine("Decrypted Successfully");

3. To get a token, add the static method below to the Program.cs file.

// Authentication callback used by KeyVaultKeyResolver: acquires an access
// token for Key Vault with the app registration's client ID and secret
private async static Task<string> GetToken(string authority, string resource, string scope)
{
    var authContext = new AuthenticationContext(authority);
    ClientCredential clientCred
        = new ClientCredential("<ClientID>", "<ClientSecret>");
    AuthenticationResult result
        = await authContext.AcquireTokenAsync(resource, clientCred);
    return result.AccessToken;
}


Let’s create a file “MyFile.txt” in “C:\Temp” and add some random text to it. This code uses a .txt file, but the same code can be used to encrypt and decrypt any type of file in blob storage.

Before running the code, make sure that you have replaced all the values written in “<>” with those of the Azure services in resource group <RG01>.

Screenshot 5 – Non-Encrypted File

Once the file has been created, press F5 to run the project from Visual Studio, and you should see the output below.

Screenshot 5 – Visual Studio Output

After this, go to the blob storage container <container01>, open “MyFile.txt” and verify that its content is encrypted.

Screenshot 6 – Blob Storage Encrypted File

Also, verify the decrypted file “MyFile1.txt”, which will be available in “C:\Temp”; you will see that the content of the file has been decrypted.

Screenshot 7 – Downloaded Decrypted File
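Opening the blob in the portal is a visual check; as an added example (not code from the original post), the helper below verifies the same thing programmatically: it reads the encryptiondata metadata that the Storage client writes on every client-side encrypted blob, prints which Key Vault key wrapped the content key, and downloads the stored bytes without any encryption policy to confirm they differ from the plaintext. It assumes the same NuGet packages and <AccountName>/<AccountKey> placeholders as the post; EncryptionCheck and Verify are hypothetical names, and Newtonsoft.Json is used because Microsoft.Azure.Storage.Blob already depends on it.

```csharp
// Added verification helper (not part of the original post).
using System;
using System.IO;
using System.Linq;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;
using Newtonsoft.Json.Linq; // pulled in transitively by Microsoft.Azure.Storage.Blob

static class EncryptionCheck // hypothetical name
{
    // plaintextPath: the local file that was uploaded, e.g. C:\Temp\MyFile.txt
    public static void Verify(string plaintextPath)
    {
        var credentials = new StorageCredentials("<AccountName>", "<AccountKey>");
        var account = new CloudStorageAccount(credentials, true);
        CloudBlockBlob blob = account.CreateCloudBlobClient()
                                     .GetContainerReference("container01")
                                     .GetBlockBlobReference("MyFile.txt");

        // 1. The client library records how the blob was encrypted in its metadata.
        //    A blob uploaded without an encryption policy has no such entry.
        blob.FetchAttributes();
        if (!blob.Metadata.TryGetValue("encryptiondata", out string json))
            throw new InvalidOperationException("Blob carries no client-side encryption metadata.");

        JObject data = JObject.Parse(json);
        // Envelope encryption: a per-blob content key is wrapped by the Key Vault key.
        Console.WriteLine("Wrapped by key : " + data["WrappedContentKey"]["KeyId"]);
        Console.WriteLine("Wrap algorithm : " + data["WrappedContentKey"]["Algorithm"]);
        Console.WriteLine("Content cipher : " + data["EncryptionAgent"]["EncryptionAlgorithm"]);

        // 2. Without an encryption policy the client returns the stored bytes as-is.
        //    This is what a principal with storage access but no Key Vault
        //    unwrap permission would see: ciphertext, not the file content.
        byte[] stored;
        using (var ms = new MemoryStream())
        {
            blob.DownloadToStream(ms);
            stored = ms.ToArray();
        }
        byte[] plain = File.ReadAllBytes(plaintextPath);
        bool isCiphertext = !stored.SequenceEqual(plain);
        Console.WriteLine(isCiphertext
            ? "Stored bytes differ from the plaintext: blob is encrypted."
            : "WARNING: stored bytes equal the plaintext, encryption did not apply!");
    }
}
```

Call EncryptionCheck.Verify(@"C:\Temp\MyFile.txt") after the upload in Main; the WARNING branch is the failure mode to watch for when the encryption policy is accidentally left off the request options.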

So, we have seen how blobs in blob storage can be encrypted and decrypted using a Key Vault key. The code does not cover every aspect, but it gives an overview of the encryption and decryption process.

This code can be customized for more dynamic behavior at runtime using parameters, and it can be integrated with other Azure services, for example Web App, Web API, Logic App, Function App and Azure Data Factory.

If you have any suggestions/feedback, please put them in the comment box.

Happy Learning 🙂
