4

I am saving identity documents via my MVC/Durandal web app to Azure blob storage. I am following this example to encrypt blobs in Azure storage using Azure key vault to store the encryption secret.

Here is my code:


    public async Task UploadIdentityDocumentForClient(string fileName, ParsedClientModel parsedClientModel)
    {
        BlobRequestOptions options = await GetBlobRequestOptions();
        await
            _storageRepository.CreateEncryptedBlobFromByteArray(_storageManager, _containerName, fileName, parsedClientModel.IdentityDocumentFile, parsedClientModel.IdentityDocumentContentType, options);
        return fileName;
    }


    private static async Task GetBlobRequestOptions()
    {
        string secretUri = WebConfigurationManager.AppSettings["SecretUri"];
        string secretName = WebConfigurationManager.AppSettings["SecretEncryptionName"];
    *1  KeyVaultKeyResolver keyVaultKeyResolver = new KeyVaultKeyResolver(GetAccessToken);

    *2  IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
        BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsaKey, null);
        BlobRequestOptions options = new BlobRequestOptions
        {
            EncryptionPolicy = policy
        };
        return options;
    }


     public static async Task GetAccessToken(string authority, string resource, string scope)
    {
        string clientId = WebConfigurationManager.AppSettings["ClientId"];
        string clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
        ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
        AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resource, clientCredential);
        if (result == null)
        {
            throw new InvalidOperationException(
                "GetAccessToken - Failed to obtain the Active Directory token for application.");
        }
    *3  return result.AccessToken;
    }


    public async Task CreateEncryptedBlobFromByteArray(IStorageManager storageManager, string containerName, string fileName,
        byte[] byteArray, string contentType, BlobRequestOptions options)
    {
        CloudBlobContainer container = await CreateStorageContainerIfNotExists(storageManager, containerName);
        CloudBlockBlob blob = container.GetBlockBlobReference(fileName);
        blob.Properties.ContentType = contentType;
        await blob.UploadFromByteArrayAsync(byteArray, 0, byteArray.Length, AccessCondition.GenerateEmptyCondition(), options, new OperationContext());
    }

This line...


    IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();

always returns null.

I have added breakpoints (*1 to *3) in the code above and have noticed that *2 always gets hit before *3. This means that the KeyVaultKeyResolver(GetAccessToken) call is not waiting for the GetAccessToken call to return with the value.

Any ideas as to what I am doing wrong?

Improve this question

1 Answer 1

Reset to default
1

I figured out what I was doing wrong.

Where breakpoint 2 is I should have used this code:

SymmetricKey sec = (SymmetricKey) cloudResolver
            .ResolveKeyAsync("https://yourkeyvault.vault.azure.net/secrets/MiplanAdminLocalEncryption",
                CancellationToken.None)
            .GetAwaiter()
            .GetResult();

I also had to add the secret to my Azure Key Vault using PowerShell. Creating the secret via the management UI did not work. Here are the commands I used:

enter image description here

Sorry for image but SO would not accept the above text even when pasted as a code sample.

See this site for the original example.

I found a way to add the secret via the Azure portal:

    //If entering via Azure UI:
    //Your secret string must be 16 characters (28 bits) long or end up being 28, 192, 256, 384, or 512 bits.
    // Base64 encode using https://www.base64encode.org/
    //Take this encoded value and enter it as the secret value in the UI.
Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.