{"id":15422600,"url":"https://github.com/heaths/azure-samples-kek","last_synced_at":"2026-04-10T08:30:20.711Z","repository":{"id":145642205,"uuid":"330027188","full_name":"heaths/azure-samples-kek","owner":"heaths","description":"Azure SDK sample for client-side encryption and decryption of blobs","archived":false,"fork":false,"pushed_at":"2021-01-15T21:34:13.000Z","size":4,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-01T10:16:44.282Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/heaths.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-15T21:33:41.000Z","updated_at":"2021-01-28T14:39:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"fbfe86c0-8c0d-4057-9aa9-4e77c8773071","html_url":"https://github.com/heaths/azure-samples-kek","commit_stats":{"total_commits":1,"total_committers":1,"mean_commits":1.0,"dds":0.0,"last_synced_commit":"1c9bc50fc00130ac19716af4722ebf365280b0fc"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heaths%2Fazure-samples-kek","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heaths%2Fazure-samples-kek/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heaths%2Fazure-samples-kek/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/heat
hs%2Fazure-samples-kek/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/heaths","download_url":"https://codeload.github.com/heaths/azure-samples-kek/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239979019,"owners_count":19728448,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-01T17:39:00.210Z","updated_at":"2026-04-10T08:30:20.660Z","avatar_url":"https://github.com/heaths.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Client-side encryption example for Azure SDKs\n\nThis is a simple sample showing how to use a Key Encryption Key for [client-side blob encryption](https://docs.microsoft.com/azure/storage/common/storage-client-side-encryption?tabs=dotnet#blob-service-encryption) using the new Azure SDKs:\n\n* [Azure.Identity](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/README.md)\n* [Azure.Security.KeyVault.Keys](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/keyvault/Azure.Security.KeyVault.Keys/README.md)\n* [Azure.Storage.Blobs](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/storage/Azure.Storage.Blobs/README.md)\n\n## Getting started\n\nYou'll need to install the [Azure CLI](https://aka.ms/docs/azurecli) to run this sample.\n\n1. Log in:\n\n    ```bash\n    az login\n    ```\n\n2. Create a resource group. Be sure to change the name to something unique. 
Do not use spaces, dashes, or underscores unless you change the deployment template since both Key Vault and Storage have different name character limits.\n\n    ```bash\n    az group create -n rg-keksample -l westus2\n    ```\n\n3. Deploy the template to the resource group you just created. The name parameter must also be unique for the same reason described above.\n\n    ```bash\n    az deployment group create -g rg-keksample -f deployment.json -p name=keksample\n    ```\n\n    The output will contain an `outputs` group with values you'll need to use below, specifically `` and ``. Save them to variables for ease. The syntax below uses bash, so adjust for your shell as appropriate.\n\n    ```bash\n    AZURE_KEYVAULT_URL=https://keksamplekv.vault.azure.net/\n    STORAGE_CONNECTION_STRING=$(echo \"DefaultEndpointsProtocol=https;AccountName=keksamplestg;AccountKey=Nv...;EndpointSuffix=core.windows.net\")\n    ```\n\n4. Now add an access policy. The example below adds your user account using `--upn`, but you can just as easily add a service principal using `--spn`. See `az keyvault set-policy --help` for more information. Normally you wouldn't let this principal create or update keys or secrets, but we do so here for the purpose of this example.\n\n    ```bash\n    az keyvault set-policy -n keksamplekv --upn user@domain.com --key-permissions get create update wrapKey unwrapKey --secret-permissions get set\n    ```\n\n5. Now create a key or secret. Keys will automatically create a secure key. The key really only needs `wrapKey` and `unwrapKey` operation permissions if you don't use it for anything else. If you use secrets for legacy support, you'll need to supply a cryptographically secure key value yourself.\n\n    ```bash\n    az keyvault key create --vault-name keksamplekv -n kek --kty RSA --ops wrapKey unwrapKey\n    ```\n\n    You can also create an \"oct\" key type, but will need to change the `KeyWrapAlgorithm` in _Program.cs_ accordingly.\n\n6. 
Now run the sample program to upload a file like this one. It will be encrypted during upload. Run it again without the `--file` parameter to download and decrypt the file. Note that the file in this sample is output to `stdout` so binary files may exhibit issues. Please use text files for this sample.\n\n    ```bash\n    dotnet run -- --key-id $AZURE_KEYVAULT_URL/keys/kek --connection-string $STORAGE_CONNECTION_STRING --container sample --path README.md --file README.md\n    dotnet run -- --key-id $AZURE_KEYVAULT_URL/keys/kek --connection-string $STORAGE_CONNECTION_STRING --container sample --path README.md\n    ```\n\n7. When you are finished, you can simply delete the resource group you created previously:\n\n    ```bash\n    az group delete -n rg-keksample --yes\n    ```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fheaths%2Fazure-samples-kek","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fheaths%2Fazure-samples-kek","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fheaths%2Fazure-samples-kek/lists"}