We have been trying to implement encryption in Cosmos DB according to the documentation below:
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet
We have been able to create the database with the encryption settings and the encrypted fields. Below is the code used:
// Database handle: both the client encryption key and the container are created under it.
var database = cosmosClient.GetDatabase(createSqlIndexRequest.DatabaseName);

// Register the client encryption key (AEAD AES-256-CBC + HMAC-SHA256), wrapped by the
// key-vault key named keyName at keyVaultIdentifier via the configured wrap provider.
// NOTE: unlike CreateContainerIfNotExistsAsync below, this call is not "if not exists";
// re-running it for an existing key name will fail rather than reuse the key.
var wrapMetadata = new EncryptionKeyWrapMetadata(
    keyWrapProvider.ProviderName,
    keyName,
    keyVaultIdentifier);
await database.CreateClientEncryptionKeyAsync(
    keyName,
    DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
    wrapMetadata);

// One included path per field to encrypt, all bound to the key registered above.
// Deterministic encryption keeps equality filters on the path possible, but an observer
// of the stored data can tell which documents share a value; EncryptionType.Randomized
// avoids that leak for fields that never need to be filtered on.
var encryptedPaths = new List<ClientEncryptionIncludedPath>();
foreach (var fieldName in createSqlIndexRequest.FieldNamesForEncryption)
{
    var includedPath = new ClientEncryptionIncludedPath
    {
        Path = $"/{fieldName}",
        ClientEncryptionKeyId = keyName,
        EncryptionType = EncryptionType.Deterministic.ToString(),
        EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
    };
    encryptedPaths.Add(includedPath);
}

// Indexing is switched off entirely for this container.
var indexing = new Microsoft.Azure.Cosmos.IndexingPolicy
{
    IndexingMode = Microsoft.Azure.Cosmos.IndexingMode.None,
    Automatic = false,
};

// Once a ClientEncryptionPolicy is set, the service rejects writes whose encrypted paths
// arrive as plaintext ("the collection has ClientEncryptionPolicy set, but the document
// to be written isn't encrypted"). Documents must therefore be written through a client
// that encrypts client-side (in the .NET SDK, a CosmosClient extended with WithEncryption),
// not through tools that send raw JSON such as the portal's Data Explorer.
var containerDefinition = new ContainerProperties
{
    PartitionKeyPath = createSqlIndexRequest.PartitionKey,
    Id = createSqlIndexRequest.CollectionName,
    ClientEncryptionPolicy = new ClientEncryptionPolicy(encryptedPaths),
    IndexingPolicy = indexing,
};

// ruValue is only passed as throughput when ruLevel is explicitly false; otherwise null.
bool passManualThroughput = ruLevel.HasValue && !ruLevel.Value;
var containerResponse = await database.CreateContainerIfNotExistsAsync(
    containerDefinition,
    passManualThroughput ? ruValue : null);
We have been trying to implement encryption in Cosmos DB according to the documentation below: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet
We have been able to create the database with the encryption settings and the encrypted fields. Below is the code used:
// Database handle: both the client encryption key and the container are created under it.
var database = cosmosClient.GetDatabase(createSqlIndexRequest.DatabaseName);

// Register the client encryption key (AEAD AES-256-CBC + HMAC-SHA256), wrapped by the
// key-vault key named keyName at keyVaultIdentifier via the configured wrap provider.
// NOTE: unlike CreateContainerIfNotExistsAsync below, this call is not "if not exists";
// re-running it for an existing key name will fail rather than reuse the key.
var wrapMetadata = new EncryptionKeyWrapMetadata(
    keyWrapProvider.ProviderName,
    keyName,
    keyVaultIdentifier);
await database.CreateClientEncryptionKeyAsync(
    keyName,
    DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
    wrapMetadata);

// One included path per field to encrypt, all bound to the key registered above.
// Deterministic encryption keeps equality filters on the path possible, but an observer
// of the stored data can tell which documents share a value; EncryptionType.Randomized
// avoids that leak for fields that never need to be filtered on.
var encryptedPaths = new List<ClientEncryptionIncludedPath>();
foreach (var fieldName in createSqlIndexRequest.FieldNamesForEncryption)
{
    var includedPath = new ClientEncryptionIncludedPath
    {
        Path = $"/{fieldName}",
        ClientEncryptionKeyId = keyName,
        EncryptionType = EncryptionType.Deterministic.ToString(),
        EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
    };
    encryptedPaths.Add(includedPath);
}

// Indexing is switched off entirely for this container.
var indexing = new Microsoft.Azure.Cosmos.IndexingPolicy
{
    IndexingMode = Microsoft.Azure.Cosmos.IndexingMode.None,
    Automatic = false,
};

// Once a ClientEncryptionPolicy is set, the service rejects writes whose encrypted paths
// arrive as plaintext ("the collection has ClientEncryptionPolicy set, but the document
// to be written isn't encrypted"). Documents must therefore be written through a client
// that encrypts client-side (in the .NET SDK, a CosmosClient extended with WithEncryption),
// not through tools that send raw JSON such as the portal's Data Explorer.
var containerDefinition = new ContainerProperties
{
    PartitionKeyPath = createSqlIndexRequest.PartitionKey,
    Id = createSqlIndexRequest.CollectionName,
    ClientEncryptionPolicy = new ClientEncryptionPolicy(encryptedPaths),
    IndexingPolicy = indexing,
};

// ruValue is only passed as throughput when ruLevel is explicitly false; otherwise null.
bool passManualThroughput = ruLevel.HasValue && !ruLevel.Value;
var containerResponse = await database.CreateContainerIfNotExistsAsync(
    containerDefinition,
    passManualThroughput ? ruValue : null);
Once the above code runs, we can see that the database and container are created successfully. We are then trying to insert documents using the Data Explorer available in the Azure portal; a sample document:
{
"id": "1234",
"job_id": 122,
"job_name": "mongo_cosmos_job",
"job_type": "onetimeDataOffload",
"source_connector_id": 98.0,
"source_connector_name": "mongo_src",
"source_type": "mongo",
"source_database": "company",
"destination_connector_id": 99.0,
"destination_connector_name": "cosmosmongo_serverless_dest",
"destination_type": "cosmos",
"destination_database": "mongo_cosmos_db",
"dag_run_id": "manual__2021-10-06T09:56:07.175777+00:00",
"task_id": "extract_and_load_company.test_collection",
"task_name": "extract_and_load_company.test_collection",
"table_name": "test_collection",
"stage": "load",
"record_count": 0,
"size_in_mb": 0.0,
"duration": 0.0,
"is_aggregated": false,
"is_test_dag": false,
"chunk_size": 5000.0,
"ru_level": "",
"ru": 0.0,
"job_execution_datetime": "2021-10-06 09:56:07.177",
"task_execution_datetime": "2021-10-06 09:56:07.177",
"job_status": "success",
"task_execution_endtime": "2021-10-06 09:56:42.650"
}
On clicking Save, we get the following error:
"the collection has ClientEncryptionPolicy set, but the document to be written isn't encrypted."