Uploading an Asymmetric Key for Azure Blob Storage

    Overview

    In the coming months, we plan to migrate our underlying long-term storage system from Azure Disk block storage to Azure Blob object storage.

    Azure Blob storage has many benefits over the current Azure Disk storage. With this migration we intend to improve our service for customers by moving to a highly scalable and highly reliable object storage service.

    The existing block storage uses symmetric encryption keys, while the new Azure Blob storage service uses asymmetric keys. Because of this, customers who use Bring Your Own Key (BYOK) must generate an asymmetric encryption key to enable the migration of their data to Blob storage.

    For FAQs, see Uploading an Asymmetric Key for Azure Blob Storage FAQ.

    Procedure

    Generating the Key

    To generate your own key on macOS or Linux:

    1. Log in to your account as the account’s owner.
    2. At the top right of the screen, click on your email address.
    3. In the drop-down menu, select Account Settings.
    4. Select the Key Management tab. By default, the Bring Your Own Key checkbox is checked.
    5. Click Archive Current Key and Create New Key...
    6. The dialog window that appears contains instructions for downloading the certificate, along with the script that will help you generate a 256-bit key and passphrase. In the blue instructions area of the window, click the Download hyperlink to obtain the certificate from the application UI.
    7. Click either the MacOS or the Linux hyperlink (as needed) to download and run the sample script and generate the required information.
    8. Make the script file executable:
      chmod +x secretgen-macos-azure.sh
    9. Run the script as sudo, passing the certificate file as its argument:
      ./secretgen-macos-azure.sh akm_azure_ob_public.key
       

    The output should be similar to the following, with a long encoded string printed under each of the two labels:

    Private Key PKCS12:


    Encrypted Passphrase:


    Uploading the Key

    1. Log in to your account as the account’s owner.
    2. At the top right of the screen, click on your email address.
    3. In the drop-down menu, select Account Settings.
    4. Select the Key Management tab. By default, the Bring Your Own Key checkbox is checked.
    5. Click Archive Current Key and Create New Key...
    6. A dialog window appears, with two text fields, for entering the Private Key PKCS12 and the Encrypted Passphrase strings.
    7. Click Add and Replace Master Encryption Key.
    8. Your key should appear in the table with the status Activating…
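
    Before pasting the two strings into the dialog in step 6, a structural check catches truncated copies and swapped fields. The following is an added example, not part of the vendor's script or UI: it assumes the Private Key PKCS12 value is a base64-encoded PKCS#12 (PFX) structure, whose DER encoding starts with a SEQUENCE holding version 3, and it cannot confirm that the passphrase matches the key. The function names and sample values are constructed for illustration.

```python
import base64

def decode_field(text):
    """Drop whitespace added by copy/paste, then strictly base64-decode."""
    return base64.b64decode("".join(text.split()), validate=True)

def der_header(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        start, length = pos + 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    return tag, start, start + length

def looks_like_pfx(der):
    """True if der is SEQUENCE { INTEGER 3, ... } that exactly fills the buffer."""
    try:
        tag, start, end = der_header(der, 0)
        if tag != 0x30 or end != len(der):  # a truncated paste fails here
            return False
        vtag, vstart, vend = der_header(der, start)
        return vtag == 0x02 and der[vstart:vend] == b"\x03"
    except (IndexError, ValueError):
        return False

def check_fields(pkcs12_b64, passphrase_b64):
    """Return a list of problems; an empty list means both fields look intact."""
    problems = []
    try:
        if not looks_like_pfx(decode_field(pkcs12_b64)):
            problems.append("Private Key PKCS12: not a complete PKCS#12 structure")
    except ValueError:                     # binascii.Error is a ValueError subclass
        problems.append("Private Key PKCS12: not valid base64")
    try:
        blob = decode_field(passphrase_b64)
        if not blob or looks_like_pfx(blob):
            problems.append("Encrypted Passphrase: empty or swapped with PKCS12")
    except ValueError:
        problems.append("Encrypted Passphrase: not valid base64")
    return problems

# Constructed samples (not real key material): a minimal PFX-shaped DER and filler bytes.
SAMPLE_PFX_B64 = base64.b64encode(bytes.fromhex("30050201033000")).decode()
SAMPLE_PASS_B64 = base64.b64encode(b"\x5a" * 256).decode()
print(check_fields(SAMPLE_PFX_B64, SAMPLE_PASS_B64))
```

    Run the check on the machine where the script output was produced, so the key material is not copied anywhere else before upload.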

     
