How can I check if a blob is client-side encrypted through the Azure portal?

Pavlidis, Vasileios 20 Reputation points
2025-01-08T09:34:59.23+00:00

There is an issue with my team that caused some files to be corrupted or encrypted unexpectedly. While testing fixes, I was unable to find documentation on how exactly client-side encryption is detectable in the blob metadata. The documentation page on client-side encryption states that:

The wrapped key together with some additional encryption metadata is stored as metadata on the blob

But I cannot seem to find a way to specifically check whether or not a file is encrypted in the metadata. Does anyone know of a way to check if a file is encrypted on the client side through the Azure portal?

Azure Blob Storage

Accepted answer
  1. Vinod Kumar Reddy Chilupuri 2,150 Reputation points Microsoft Vendor
    2025-01-08T10:20:39.5333333+00:00

    Hi @Pavlidis, Vasileios

    Welcome to Microsoft Q&A, thank you for posting your query here.

    To check if a blob is client-side encrypted through the Azure portal, you can look for specific metadata associated with the blob. However, the Azure portal does not provide a direct way to see if a blob is encrypted using client-side encryption specifically.

    The documentation mentions that the wrapped key and additional encryption metadata are stored as metadata on the blob, but it does not specify how to view this metadata directly in the Azure portal. You may need to use Azure PowerShell to retrieve the blob's metadata and check for the presence of the encryption metadata.
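    To check the blob's metadata using PowerShell:

    $ctx  = New-AzStorageContext -StorageAccountName "<account>" -UseConnectedAccount
    $blob = Get-AzStorageBlob -Context $ctx -Container "<container>" -Blob "<blob>"
    # Client-side encryption metadata is stored under the "encryptiondata" key
    $blob.ICloudBlob.Metadata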

    This will return the metadata associated with the blob, where you can look for any indications of client-side encryption.
    Look for a metadata key called "encryptiondata". If this key is present, it means that the file is encrypted using client-side encryption. The value of this key contains the wrapped key and additional encryption metadata.

    If the "encryptiondata" metadata key is not present, it means that the file is not encrypted using client-side encryption.

    Here is the Microsoft documentation for reference.
    https://learn.microsoft.com/en-us/azure/storage/blobs/client-side-encryption?source=recommendations&tabs=dotnet

    Hope the above answer helps! Please let us know if you have any further queries.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
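
The check described in the answer, as an added example that is not part of the original answer or Microsoft's code: a PowerShell function that inspects a blob's metadata dictionary for the `encryptiondata` key and reports the protocol version, algorithm and key ID it finds. The function name, the JSON field names (assumed to match the envelope written by the Azure Storage client libraries), `$ctx` and the sample metadata are assumptions constructed for illustration.

```powershell
# Added example: classify a blob's metadata for client-side encryption.
# Assumption: the "encryptiondata" value is JSON containing WrappedContentKey
# and EncryptionAgent objects, as written by the Azure Storage client libraries.
function Test-ClientSideEncryption {
    param(
        [Parameter(Mandatory)][string]$Name,
        [System.Collections.IDictionary]$Metadata = @{}
    )
    # Match the key case-insensitively rather than relying on exact casing.
    $key = $Metadata.Keys | Where-Object { $_ -ieq 'encryptiondata' } | Select-Object -First 1
    $result = [ordered]@{
        Blob = $Name; Encrypted = [bool]$key
        Protocol = $null; Algorithm = $null; KeyId = $null; Note = $null
    }
    if ($key) {
        try {
            $envelope = $Metadata[$key] | ConvertFrom-Json -ErrorAction Stop
            $result.Protocol  = $envelope.EncryptionAgent.Protocol
            $result.Algorithm = $envelope.EncryptionAgent.EncryptionAlgorithm
            $result.KeyId     = $envelope.WrappedContentKey.KeyId
        } catch {
            # Key present but unparsable: flag the blob for investigation.
            $result.Note = 'encryptiondata present but not valid JSON'
        }
    }
    [pscustomobject]$result
}

# Constructed sample metadata with placeholder key material (not from a real blob).
$envelopeJson = '{"WrappedContentKey":{"KeyId":"<key-id>","EncryptedKey":"<wrapped-key>",' +
                '"Algorithm":"RSA-OAEP"},"EncryptionAgent":{"Protocol":"2.0",' +
                '"EncryptionAlgorithm":"AES_GCM_256"}}'
$samples = [ordered]@{
    'report.bin' = @{ encryptiondata = $envelopeJson }   # encrypted
    'notes.txt'  = @{ owner = 'team-a' }                 # ordinary metadata only
    'broken.dat' = @{ EncryptionData = 'not-json' }      # damaged envelope
}
$samples.GetEnumerator() |
    ForEach-Object { Test-ClientSideEncryption -Name $_.Key -Metadata $_.Value } |
    Format-Table -AutoSize

# Against a real container, using the cmdlet from the answer ($ctx is an assumed
# storage context):
# Get-AzStorageBlob -Container "<container>" -Context $ctx | ForEach-Object {
#     Test-ClientSideEncryption -Name $_.Name -Metadata $_.ICloudBlob.Metadata }
```

Setting metadata on a blob replaces the existing set, so an encrypted blob whose metadata was later overwritten reports `Encrypted = False` here even though its content is still ciphertext.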
