Media services - customer provided key for storage encryption

George Onac 21 Reputation points
2022-12-21T15:32:46.467+00:00

Hi,

I'm working on a project where we use Azure Media Services to upload video files (to the AMS's associated Storage account), encode them and deliver them for playback in a web application.
We are using .NET for this and the official Microsoft SDKs for the media service (Microsoft.Azure.Management.Media) & blob storage (Azure.Storage.Blobs) operations.

Due to a recent legal change, we are now required to have all the videos stored encrypted using our own encryption keys and key store (unfortunately, Azure Key Vault is not a good option for this).

After doing some research, it looks like storage encryption with keys managed by the customer is supported by AMS, which seems to be a good step in that direction. (source).
Also, it appears that Azure Storage supports customer-provided keys; and that looks like it could solve all our problems. (source 1, source 2).

Is it possible for media services to work with customer-provided keys?
For example, after creating an asset and uploading a video with a customer provided key, is there a way to provide the same key for the encoding job so it would be able to decrypt the input video and encode it somehow? And then encrypt the results again?

If this approach isn't a good option, is there an alternative way to achieve the same results?

Thanks a lot!


Accepted answer
  1. John Deutscher (MSFT) 2,126 Reputation points
    2022-12-27T22:36:37.577+00:00

    On review, it sounds like your scenario as described above would probably NOT be supported.

    We do have support for encryption in Azure Storage where you can set your own key - and that feature can be used by Azure Media Services v3. That would be my only recommendation for the storage side encryption. The first article you linked to is not going to work, as that is the older v2 API that is deprecated and you should not be using that older method of encryption for content at rest, since it pre-dated the storage account subscription support that is now available.

    See the details here for how Storage Service encryption works. https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption

    AMS can then use that same storage account when you are using the v3 API only, which you said above that you are using the Microsoft.Azure.Management.Media SDK, so that is correct.
    https://learn.microsoft.com/en-us/azure/media-services/latest/concept-use-customer-managed-keys-byok#double-encryption

    The part that is NOT going to work is your requirement to use your own key store. I don't believe that that is supported in any way by the Azure Storage service. The section of the article here describes the differences between various customer provided key options. https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption#about-encryption-key-management

    From your description above, the scenario for using Blob storage operation customer-provided keys might be close to what you want - "You can specify a customer-provided key on Blob Storage operations. A client making a read or write request against Blob Storage can include an encryption key on the request for granular control over how blob data is encrypted and decrypted. For more information about customer-provided keys, see Provide an encryption key on a request to Blob Storage."

    However, Azure Media Services does not support that option. We require that the storage account customer provided key is in the Azure Key Vault and it cannot be provided for each Asset stored in AMS. It's a single customer key, which matches the first bullet point on that same article location - "You can specify a customer-managed key to use for encrypting and decrypting data in Blob Storage and in Azure Files.1,2 Customer-managed keys must be stored in Azure Key Vault or Azure Key Vault Managed Hardware Security Model (HSM)."

    So I don't think this would work for you based on your description above. We would not allow you to provide a custom encryption key per-Asset for the storage blobs of the uploaded source files prior to encoding. We only allow the use of the customer provided Key vault encryption key which then allows us to read the storage blobs in the Assets as "clear" content in the encoder process, prior to writing the content back to the storage account where they are once again encrypted with the customer provided key in the Key Vault.

    2 people found this answer helpful.
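The answer contrasts two key models: a per-request customer-provided key (CPK) on blob operations, which Media Services cannot read, and an account-level customer-managed key (CMK) held in Key Vault, which is the supported configuration. The following C# is an added illustration written for this page; it is not code from the question, the answer, or the Azure SDKs' documentation. It uses the two SDKs the question names (Azure.Storage.Blobs and Microsoft.Azure.Management.Media, v3 API). The resource group, account name, blob URI and Key Vault key identifier are placeholders, and the caller is assumed to already hold an authenticated `IAzureMediaServicesClient` and a `TokenCredential`.

```csharp
// Added example (not from the page): the two key models discussed in the answer,
// side by side, using the SDKs named in the question.
// All names below (resource group, account, blob URI, key identifier) are placeholders.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Microsoft.Azure.Management.Media;
using Microsoft.Azure.Management.Media.Models;

static class StorageKeyModels
{
    // 1) Customer-PROVIDED key (CPK): the AES-256 key is sent on every blob request and
    //    the storage service keeps no copy of it. Only this client can decrypt the blob,
    //    so the Media Services encoder (which reads Assets on its own behalf) cannot.
    //    This is the approach the accepted answer says AMS does NOT support.
    public static BlobClient CreateCpkBlobClient(Uri blobUri, byte[] aes256Key, TokenCredential credential)
    {
        if (aes256Key == null || aes256Key.Length != 32)
            throw new ArgumentException("CPK requires a 256-bit (32-byte) AES key.", nameof(aes256Key));

        var options = new BlobClientOptions
        {
            // The SDK sends the key and its SHA-256 hash as request headers for you.
            CustomerProvidedKey = new CustomerProvidedKey(aes256Key)
        };
        return new BlobClient(blobUri, credential, options);
    }

    // 2) Customer-MANAGED key (CMK): one key per Media Services account, stored in Key Vault.
    //    The account's managed identity unwraps the key, so the encoder can read the source
    //    blobs as clear content and write encrypted results back. This is the supported path.
    //    Step 2a: give the account a system-assigned identity (must exist before step 2b).
    public static async Task<string> EnableSystemAssignedIdentityAsync(
        IAzureMediaServicesClient client, string resourceGroup, string accountName)
    {
        MediaService account = await client.Mediaservices.GetAsync(resourceGroup, accountName);
        account.Identity = new MediaServiceIdentity(type: "SystemAssigned");
        MediaService updated = await client.Mediaservices.CreateOrUpdateAsync(resourceGroup, accountName, account);

        // Grant this principal get/wrapKey/unwrapKey on the Key Vault key before calling step 2b.
        return updated.Identity.PrincipalId;
    }

    //    Step 2b: point the account's storage encryption at the Key Vault key.
    //    keyVaultKeyId is a versionless or versioned key URL, e.g. "https://<vault>.vault.azure.net/keys/<key-name>".
    public static async Task EnableCustomerManagedKeyAsync(
        IAzureMediaServicesClient client, string resourceGroup, string accountName, string keyVaultKeyId)
    {
        MediaService account = await client.Mediaservices.GetAsync(resourceGroup, accountName);
        account.Encryption = new AccountEncryption(
            type: AccountEncryptionKeyType.CustomerKey,
            keyVaultProperties: new KeyVaultProperties(keyIdentifier: keyVaultKeyId));
        await client.Mediaservices.CreateOrUpdateAsync(resourceGroup, accountName, account);
    }
}
```

Design note: in model 1 the key never leaves the client, which is exactly why a service-side process such as the AMS encoder cannot use it; in model 2 the key stays in Key Vault and only the account's identity can unwrap it, so the blobs are still encrypted at rest while the encoder can operate on them. Rotating the Key Vault key (or its version) and updating `KeyVaultProperties.KeyIdentifier` is the CMK equivalent of the per-request control the question was after, but at account granularity rather than per Asset, as the answer states.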

0 additional answers
