How can I obtain or create encryption scopes for an Azure storage account by using dotnet?

小龙 - Huron 吴 10 Reputation points
2024-12-20T07:56:38.9133333+00:00

This document details the operations on encryption scopes.

https://learn.microsoft.com/en-us/rest/api/aiservices/accountmanagement/encryption-scopes/get?view=rest-aiservices-accountmanagement-2024-10-01&tabs=dotnet#examples

However, I'm not familiar with this.

TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

I usually use the storage account access key to interact with my containers and perform blob file uploads and downloads. Is it possible to obtain/create encryption scopes in a similar manner (by using the storage account access key)?

Edit:

Thank you very much for your reply. What I need to do is to create a container with an encryption scope through this code. Since the encryption scope is not created in advance, it needs to be created by code when creating the container. Since operating the encryption scope requires AAD authentication, is there a way to access it through something like a token?

var blobServiceClient = new BlobServiceClient(connectionString);
var containerClient = blobServiceClient.GetBlobContainerClient(blobContainerName);
await containerClient.CreateIfNotExistsAsync(PublicAccessType.None, null, new BlobContainerEncryptionScopeOptions
{
    PreventEncryptionScopeOverride = true,
    DefaultEncryptionScope = blobContainerName
});

Is this method of creating a container with an encryption scope and creating the encryption scope at the same time a good practice? Are there any better practices?


3 answers

  1. Keshavulu Dasari 2,835 Reputation points Microsoft Vendor
    2024-12-20T09:00:52.55+00:00

    Hi 小龙 - Huron 吴,
    Greetings! Welcome to Microsoft Q&A Forum. Thanks for posting your query here!
    Encryption scopes in Azure Storage are a bit different from using the storage account access key for blob operations. Encryption scopes allow you to manage encryption at the level of an individual blob or container, providing more granular control over data encryption.

    To create and manage encryption scopes, you typically need to use Azure Active Directory (AAD) credentials rather than the storage account access key. This is because encryption scopes can be tied to customer-managed keys stored in Azure Key Vault, which requires AAD authentication.
    You can create an encryption scope:

    1. Navigate to your storage account in the Azure portal.
    2. Under Security + networking, select Encryption.
    3. Select the Encryption Scopes tab.
    4. Click the Add button to add a new encryption scope.
    5. Enter a name for the new scope and select the type of encryption key support (Microsoft-managed keys or Customer-managed keys).
    6. If using Customer-managed keys, specify the key vault and key to use.

    For more information:
    https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.


  2. Amrinder Singh 5,555 Reputation points Microsoft Employee
    2024-12-20T17:08:25.5533333+00:00

    Hi 小龙 - Huron 吴 - Thanks for reaching out.

    The link you have shared appears to be related to Azure AI Service and account management with that and not related to the storage account one.

    I would recommend reviewing the below sample classes / methods which shall help in capitalizing further:

    https://learn.microsoft.com/en-us/dotnet/api/azure.resourcemanager.storage.models.storageaccountencryption?view=azure-dotnet

    https://learn.microsoft.com/en-us/dotnet/api/azure.provisioning.storage.encryptionscope?view=azure-dotnet

    Hope that helps!

    If there are any queries, let me know and I will be glad to assist.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  3. Keshavulu Dasari 2,835 Reputation points Microsoft Vendor
    2024-12-23T02:32:22.8566667+00:00

    Hi 小龙 - Huron 吴,

    To create a container with an encryption scope and manage the encryption scope programmatically, you can use Azure Active Directory authentication with a token.

    1. Authenticate using Azure AD: Use the DefaultAzureCredential class from the Azure Identity library to obtain a token. This class handles various authentication methods, including managed identities, environment variables, and more.
    2. Create the encryption scope: Use the Azure SDK to create the encryption scope before creating the container.
    3. Create the container with the encryption scope: Specify the encryption scope when creating the container.
    https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal

    For more information:
    https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

    https://stackoverflow.com/questions/76637971/create-azure-storage-account-using-azure-resourcemanager-storage


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

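The three steps from the last answer (Azure AD credential, create the encryption scope, create the container bound to it), as an added C# example that is not code from the thread or from Microsoft's documentation. It assumes the Azure.Identity, Azure.ResourceManager.Storage and Azure.Storage.Blobs NuGet packages; the subscription, resource group, account and container names are placeholders.

```csharp
// Added example (not from the thread). All "<...>" values are placeholders.
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Storage;
using Azure.ResourceManager.Storage.Models;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

string subscriptionId = "<subscription-id>";
string resourceGroup  = "<resource-group>";
string accountName    = "<storage-account>";
string containerName  = "<container-name>";
string scopeName      = containerName; // the question reuses the container name

// One Azure AD credential serves both planes; no account key is involved.
TokenCredential cred = new DefaultAzureCredential();

// 1. Management plane (ARM): create the scope only if it does not exist yet.
//    Needs an RBAC role allowing Microsoft.Storage/storageAccounts/encryptionScopes/write.
ArmClient arm = new ArmClient(cred);
StorageAccountResource account = arm.GetStorageAccountResource(
    StorageAccountResource.CreateResourceIdentifier(subscriptionId, resourceGroup, accountName));
EncryptionScopeCollection scopes = account.GetEncryptionScopes();

if (!(await scopes.ExistsAsync(scopeName)).Value)
{
    var data = new EncryptionScopeData
    {
        Source = EncryptionScopeSource.Storage, // Microsoft-managed keys
        State = EncryptionScopeState.Enabled
    };
    await scopes.CreateOrUpdateAsync(WaitUntil.Completed, scopeName, data);
}

// 2. Data plane: create the container bound to that scope with the same
//    credential (needs a data role such as Storage Blob Data Contributor).
var blobService = new BlobServiceClient(
    new Uri($"https://{accountName}.blob.core.windows.net"), cred);
await blobService.GetBlobContainerClient(containerName).CreateIfNotExistsAsync(
    PublicAccessType.None, null,
    new BlobContainerEncryptionScopeOptions
    {
        DefaultEncryptionScope = scopeName,
        PreventEncryptionScopeOverride = true
    });
```

Splitting the two roles keeps the identity that writes blobs from needing rights to change encryption scopes: grant the management role only to the component that provisions containers.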
