Our current code is using Microsoft.WindowsAzure.Storage version 9.3.2. I have started testing out running our web app on a Windows laptop with FIPS compliance enforced. The app throws a FIPS compliance error every time it attempts to upload or download a blob from Azure, saying the encryption method is not allowed. One chunk of code that throws errors looks like this:
```csharp
// Resolve the RSA key-encryption key from Key Vault and build a client-side encryption policy
var cloudResolver = new KeyVaultKeyResolver(<auth callback object>);
var encryptionThingy = await cloudResolver.ResolveKeyAsync(<Key Vault URL> + "/keys/" + <key name>, CancellationToken.None);
// The policy takes the resolved key (the original passed an undefined variable `rsa` here)
var policy = new BlobEncryptionPolicy(encryptionThingy, cloudResolver);
var options = new BlobRequestOptions() { EncryptionPolicy = policy };
// Download with the policy attached; the SDK unwraps the content key and decrypts
await <ICloudBlob Instance>.DownloadToStreamAsync(<stream>, null, options, null);
```
I went up into the Azure KeyVault and checked the key being used; it is a 2048-bit RSA key (which should be allowed). Is that enough for FIPS compliance, or would I also have to turn on an expiration/rollover date? Currently the key does not expire and all operations are permitted on it.
I think the answer to this question is no. I've tested rewriting the Blob access with v12 of Azure.Storage.Blobs (see "How do you decrypt blobs with Azure KeyVault keys in Azure.Storage v12") and it works fine, while using the older libraries throws the error.
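For reference, the download from the question expressed with the v12 packages the answer reports working (Azure.Storage.Blobs plus Azure.Security.KeyVault.Keys). This is an added example, not code from the question, the answer, or the Azure SDK docs; the key URI, connection string, container and blob names are assumed parameters.

```csharp
// Added example: v12 equivalent of the KeyVaultKeyResolver/BlobEncryptionPolicy snippet.
// Assumed inputs: keyVaultKeyUri, storageConnectionString, containerName, blobName.
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Specialized;

public static class EncryptedBlobDownload
{
    public static async Task<MemoryStream> DownloadAsync(
        Uri keyVaultKeyUri,            // assumed: https://<vault>.vault.azure.net/keys/<key name>
        string storageConnectionString,
        string containerName,
        string blobName)
    {
        // KeyResolver replaces KeyVaultKeyResolver: it looks the key up by URI and
        // performs the RSA wrap/unwrap of the per-blob content key inside Key Vault,
        // so the private key never leaves the vault.
        var credential = new DefaultAzureCredential();
        var keyResolver = new KeyResolver(credential);
        var keyEncryptionKey = await keyResolver.ResolveAsync(keyVaultKeyUri);

        // ClientSideEncryptionOptions replaces BlobEncryptionPolicy. KeyEncryptionKey is
        // used when uploading; KeyResolver is used when downloading to find the wrapping key.
        var encryptionOptions = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V2_0)
        {
            KeyEncryptionKey = keyEncryptionKey,
            KeyResolver = keyResolver,
            KeyWrapAlgorithm = "RSA-OAEP-256",
        };

        var blob = new BlobClient(storageConnectionString, containerName, blobName)
            .WithClientSideEncryptionOptions(encryptionOptions);

        // The client reads the wrapped content key from the blob's metadata, asks Key Vault
        // to unwrap it, and decrypts the body before writing to the stream.
        var output = new MemoryStream();
        await blob.DownloadToAsync(output);
        output.Position = 0;
        return output;
    }
}
```

Blobs written by the 9.x library use the v1 envelope format; a v12 client configured with a resolver can still read them, but new uploads with these options use the V2_0 format.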