Share via

Encrypt/Decrypt for blobs produced or consumed outside of Azure

Moyer, Todd 80 Reputation points
2024-06-12T18:22:51.2166667+00:00

We have files we want to exchange with systems outside of Azure. For import we want them written to blob PGP encrypted by the source system, and for export want them PGP encrypted by ADF for the destination system. I understand that Azure does it's own encryption, including Customer provided keys (CPK)/Bring Your Own Key (BYOK). However, this doens't sound like a solution since half of the tranform needs to be done outside of Azure.

We were using a C# Batch process for the encrypt/decrypt, but would like to port that to Az Functions, ideally written in Python.

Is Azure Functions the best means to achive our goals?

Can this be written in Python, or would C# make life a lot easier?

Are there any examples of functions to do something like this?

(The docs on Blob triggered functions is really confusing because of the blob and event grid options.)

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,694 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,644 questions
0 comments
Accepted answer
  1. Pieter de Bruin 321 Reputation points Microsoft Employee
    2024-06-14T06:33:19.3433333+00:00

    Hi Todd,

    Azure Functions can do that. Whether Functions is the right compute option for, depends on your requirements. https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/compute-decision-tree

    C# can encrypt/decrypt and so can Python. What language is right for you, depends on your requirements. For instance, what language is your team most productive in? Also, since you mention that you are using C# today, maybe the fastest migration is to reuse that code.

    When you have working logic, your biggest change will be to work with Functions triggers and bindings. See an example here, available in multiple languages.

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-storage-blob-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cextensionv5&pivots=programming-language-python#example

    One remark on your introduction: Azure Storage provides encryption at rest (when the data is stored on disk) and in transit (when the data is passed from one service to another). More info https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview See the section for client-side encryption which may be relevant for you.

    Hope that helps,

    Pieter

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest