blobxfer Client-side Encryption Notes
Please read the following carefully regarding client-side encryption support
blobxfer. Additionally, current limitations for client-side encryption
can be found here.
- Encryption is performed using AES256-CBC. MACs are generated using HMAC-SHA256.
- All required information regarding the encryption process is stored on
encryptiondata_authenticationmetadata fields. These metadata entries are used on download to configure the proper download parameters for the decryption process as well as to authenticate the
encryptiondatametadata and the encrypted entity. Encryption metadata set by
blobxfer(or any Azure Storage SDK) should not be modified or the blob/file may be unrecoverable.
- Keys for the AES256 block cipher are generated on a per-blob/file basis. These keys are encrypted using RSAES-OAEP and encoded in the metadata.
- MD5 for both the pre-encrypted and encrypted version of the file is stored
in the entity metadata, if enabled.
skip_onoptions will still work transparently with encrypted blobs/files.
- HMAC-SHA256 checks over encrypted data are performed instead of MD5 over unencrypted data to validate integrity if both are present.
- Attempting to upload the same file that exists in Azure Storage, but the
file in Azure Storage is not encrypted will not occur if any
skip_onmatch condition succeeds. This behavior can be overridden by deleting the target file in Azure Storage or disabling the
- Attempting to upload the same file as an encrypted blob with a different
RSA key will not occur if the file content MD5 is the same. This behavior
can be overridden by deleting the target file in Azure Storage or disabling
- Zero-byte files are not encrypted.