Tags: java, azure, azure-storage

Usage of LocalKeyEncryptionKeyAsyncClient


I am trying to upload a blob to Azure Blob Storage, but I'd like to have client-side encryption with keys stored on my side (not in Azure Key Vault). I'd like to use the newest Java SDK - v12. I have found that for client-side encryption I should use the EncryptedBlobClient class, which is instantiated through EncryptedBlobClientBuilder. EncryptedBlobClientBuilder requires an AsyncKeyEncryptionKey to be set, and I'd like to use keys stored on my side - is LocalKeyEncryptionKeyAsyncClient used for these needs? I cannot find much about this class. Thank you


Solution

  • The sample uses the ResolveKeyAsync method to return an RsaKey. If you don't want to store the key in Key Vault, there's no need to use this; you can use the key as you like.

    import com.microsoft.azure.keyvault.extensions.RsaKey;
    import com.microsoft.azure.storage.blob.BlobEncryptionPolicy;
    import com.microsoft.azure.storage.blob.BlobRequestOptions;
    
    // Legacy (v8) storage SDK. RsaKey's String argument is the key identifier (kid);
    // to use an existing key, pass your own KeyPair as the second constructor argument.
    RsaKey rsa = new RsaKey("your private Key");
    
    // Create the encryption policy to be used for upload and download (no resolver needed for a local key).
    BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
    
    // Set the encryption policy on the request options.
    BlobRequestOptions options = new BlobRequestOptions();
    options.setEncryptionPolicy(policy);
    
    // Upload the encrypted contents to the blob (CloudBlockBlob.upload(InputStream, long, AccessCondition, BlobRequestOptions, OperationContext)).
    blob.upload(stream, size, null, options, null);
    

    For more details, see the similar issue.


    Update:

    There is an answer to a similar issue.

    import com.azure.core.cryptography.AsyncKeyEncryptionKey;
    import com.azure.security.keyvault.keys.cryptography.LocalKeyEncryptionKeyClientBuilder;
    import com.azure.security.keyvault.keys.cryptography.models.KeyWrapAlgorithm;
    import com.azure.security.keyvault.keys.models.JsonWebKey;
    import com.azure.security.keyvault.keys.models.KeyOperation;
    import com.azure.storage.blob.specialized.cryptography.EncryptedBlobClient;
    import com.azure.storage.blob.specialized.cryptography.EncryptedBlobClientBuilder;
    import javax.crypto.spec.SecretKeySpec;
    import java.util.Arrays;
    
    // encryptionKeyBytes must be 32 bytes for A256KW; the id is stored with the blob and used to find the key again on download.
    JsonWebKey localKey = JsonWebKey.fromAes(new SecretKeySpec(encryptionKeyBytes, "AES"),
            Arrays.asList(KeyOperation.WRAP_KEY, KeyOperation.UNWRAP_KEY)).setId("my-id");
    
    // Wrap the local JWK as an AsyncKeyEncryptionKey, the type EncryptedBlobClientBuilder expects.
    AsyncKeyEncryptionKey akek = new LocalKeyEncryptionKeyClientBuilder().buildAsyncKeyEncryptionKey(localKey).block();
    
    EncryptedBlobClient encryptedBlobClient = new EncryptedBlobClientBuilder()
        .endpoint(serviceClient.getAccountUrl())
        .sasToken("<SAS token>")
        .containerName(containerName)
        .blobName(blobName)
        .key(akek, KeyWrapAlgorithm.A256KW.toString())   // wraps each blob's content key with the local KEK
        .buildEncryptedBlobClient();
    
    encryptedBlobClient.uploadFromFile(filepath);
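A fuller round trip built on the v12 answer above, written here as an added example (not code from the original answer or from the Azure SDK): it loads the KEK from an environment variable, enforces the 32-byte length A256KW requires, and registers a resolver so that download only honours the key id this application issued. The variable name LOCAL_KEK_B64, the key id, and the endpoint, SAS token, container, blob and file names are all placeholders or assumptions.

```java
import com.azure.core.cryptography.AsyncKeyEncryptionKey;
import com.azure.core.cryptography.AsyncKeyEncryptionKeyResolver;
import com.azure.security.keyvault.keys.cryptography.LocalKeyEncryptionKeyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.models.KeyWrapAlgorithm;
import com.azure.security.keyvault.keys.models.JsonWebKey;
import com.azure.security.keyvault.keys.models.KeyOperation;
import com.azure.storage.blob.specialized.cryptography.EncryptedBlobClient;
import com.azure.storage.blob.specialized.cryptography.EncryptedBlobClientBuilder;
import reactor.core.publisher.Mono;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;
import java.util.Base64;

public class LocalKekRoundTrip {
    // The id is written into the blob's encryption metadata and is what the SDK looks up on
    // download, so keep old ids resolvable when rotating (add "local-kek-v2", don't reuse v1).
    static final String KEY_ID = "local-kek-v1";

    static AsyncKeyEncryptionKey loadLocalKek() {
        // Assumed: the KEK arrives base64-encoded in LOCAL_KEK_B64 (e.g. from a secrets manager).
        byte[] kek = Base64.getDecoder().decode(System.getenv("LOCAL_KEK_B64"));
        if (kek.length != 32) {
            throw new IllegalStateException("A256KW needs a 32-byte KEK, got " + kek.length);
        }
        JsonWebKey jwk = JsonWebKey.fromAes(new SecretKeySpec(kek, "AES"),
                Arrays.asList(KeyOperation.WRAP_KEY, KeyOperation.UNWRAP_KEY)).setId(KEY_ID);
        return new LocalKeyEncryptionKeyClientBuilder().buildAsyncKeyEncryptionKey(jwk).block();
    }

    public static void main(String[] args) {
        AsyncKeyEncryptionKey kek = loadLocalKek();
        // Resolver used on download: only the id we issued is honoured; anything else fails closed.
        AsyncKeyEncryptionKeyResolver resolver = keyId -> {
            if (KEY_ID.equals(keyId)) {
                return Mono.just(kek);
            }
            return Mono.error(new IllegalArgumentException("unknown key id: " + keyId));
        };
        EncryptedBlobClient client = new EncryptedBlobClientBuilder()
                .endpoint("https://<account>.blob.core.windows.net")   // placeholder
                .sasToken("<SAS token>")                                // placeholder
                .containerName("reports")
                .blobName("report.bin")
                .key(kek, KeyWrapAlgorithm.A256KW.toString())  // wraps each blob's content key on upload
                .keyResolver(resolver)                         // finds the KEK by id on download
                .buildEncryptedBlobClient();
        client.uploadFromFile("report.bin", true);           // encrypted client-side before it leaves
        client.downloadToFile("report.decrypted.bin", true); // content key unwrapped and data decrypted locally
    }
}
```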