
Support for customer-managed keys in blob storages

Open jambon69 opened this issue 8 months ago • 3 comments

Problem

I have a blob storage where I encrypt files using customer-managed keys, and I cannot get those files with Azure Storage Explorer

Desired Solution

I would like to specify my CPK encryption key for a specific blob storage, so every file I upload is uploaded with this key, and every file I download is downloaded with the key.

Alternatives and Workarounds

I was looking for extensions doing that, but didn't find any. I would be more than happy to code the extension myself, but it seems you can't build extensions as long as you're not approved by Microsoft.

Additional Context

No response

jambon69 avatar Mar 20 '25 14:03 jambon69

@jambon69 I'm not entirely familiar with customer-managed keys, but based on my reading of Customer-managed keys for Azure Storage encryption, encryption/decryption is already handled by the storage service. Configuring the storage account to use a customer-managed key just tells Azure to transparently use an encryption key from an Azure Key Vault instead of opaquely using its own key. Therefore, Storage Explorer as a client doesn't need to be aware of customer-managed keys.

Are you saying that you normally encrypt/decrypt data on the client side of things using the customer-managed key?

craxal avatar Mar 20 '25 18:03 craxal

You can either use keys stored in a key vault or use keys that you manage yourself (which is what I want to address here).

If you manage your keys yourself, you need to provide the key when you make a call to Azure Storage, so it encrypts/decrypts on Azure's side but does not store the key.

Here is a screenshot of the azcopy documentation, which can actually manage that (the CPK_ENCRYPTION_KEY parameter).

Image

Btw, when I try to access my storage via Azure Storage Explorer, it correctly tells me that it is a customer-managed-keys blob storage, but it also tells me that it is not currently possible for Azure Storage Explorer to download those files, as azcopy does not have the option available.

I think it was true on previous versions of azcopy, but it is no longer the case.

Here is what we actually use: https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-customer-provided-keys

Thank you for your reactivity! :)

jambon69 avatar Mar 21 '25 11:03 jambon69
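As an added illustration of the mechanism described in the comment above (not code from this issue, from Storage Explorer or from azcopy): with customer-provided keys the client sends the AES-256 key with every request and the service uses it for that request only, so the client is the only place the key lives. The header names are those of the Blob REST API for customer-provided keys; the sample key is constructed.

```python
import base64
import hashlib
import os

# The Blob service accepts only this algorithm for customer-provided keys.
ALGORITHM = "AES256"


def cpk_headers(raw_key: bytes) -> dict:
    """Build the three request headers that make the service encrypt or
    decrypt a blob with a customer-provided key. The key travels with the
    request and is not persisted by the service, so losing the key means
    losing the data."""
    if len(raw_key) != 32:
        raise ValueError("customer-provided key must be exactly 32 bytes (AES-256)")
    return {
        "x-ms-encryption-key": base64.b64encode(raw_key).decode(),
        "x-ms-encryption-key-sha256": base64.b64encode(
            hashlib.sha256(raw_key).digest()
        ).decode(),
        "x-ms-encryption-algorithm": ALGORITHM,
    }


def headers_consistent(headers: dict) -> bool:
    """Client-side sanity check: the SHA-256 header must be the digest of the
    key header and the key must be 256 bits. A tool that stores the key as a
    per-connection setting can run this before sending any request, so a
    mistyped or truncated key is caught locally rather than by a failed call."""
    try:
        key = base64.b64decode(headers["x-ms-encryption-key"], validate=True)
        digest = base64.b64decode(headers["x-ms-encryption-key-sha256"], validate=True)
    except (KeyError, ValueError):
        return False
    return (
        len(key) == 32
        and hashlib.sha256(key).digest() == digest
        and headers.get("x-ms-encryption-algorithm") == ALGORITHM
    )


if __name__ == "__main__":
    # Constructed sample key; a real tool would load it from a per-connection setting.
    key = os.urandom(32)
    hdrs = cpk_headers(key)
    print(hdrs["x-ms-encryption-key-sha256"], headers_consistent(hdrs))
```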

@jambon69 At what granularity do you use custom keys? That is, do you use the same key for all blob operations? Or do you use different keys for each subscription/account/container/blob?

Right now, I'm assuming this would best be done by adding a setting for entering a custom encryption key that we would use for all blob operations. But if you need finer control, we'd have to consider alternatives.

craxal avatar Jun 19 '25 16:06 craxal

One good starting point would be on a per-connection level, so that the CPK applies to all blob operations for that given connection.

Image

sergio-u avatar Oct 29 '25 16:10 sergio-u