Specify a customer-provided key on a request to Blob storage with .NET

Clients making requests against Azure Blob storage have the option to provide an encryption key on an individual request. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys (preview) can be stored in Azure Key Vault or in another key store.

This article shows how to specify a customer-provided key on a request with .NET.

Install client library packages

Note

The examples shown here use the Azure Storage client library version 12. The version 12 client library is part of the Azure SDK. For more information about the Azure SDK, see the Azure SDK repository on GitHub.

To install the Blob storage package, run the following command from the NuGet package manager console:

Install-Package Azure.Storage.Blobs

The examples shown here also use the latest version of the Azure Identity client library for .NET to authenticate with Azure AD credentials. To install the package, run the following command from the NuGet package manager console:

Install-Package Azure.Identity

To learn more about how to authenticate with the Azure Identity client library from Azure Storage, see the section titled Authenticate with the Azure Identity library in Authorize access to blobs and queues with Azure Active Directory and managed identities for Azure Resources.

Example: Use a customer-provided key to upload a blob

The following example creates a customer-provided key and uses that key to upload a blob. The code uploads a block, then commits the block list to write the blob to Azure Storage.

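using System;
using System.IO;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

static async Task UploadBlobWithClientKey(string accountName, string containerName,
    string blobName, Stream data, byte[] key)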
{
    const string blobServiceEndpointSuffix = ".blob.core.chinacloudapi.cn";
    Uri accountUri = new Uri("https://" + accountName + blobServiceEndpointSuffix);

    // Specify the customer-provided key on the options for the client.
    BlobClientOptions options = new BlobClientOptions()
    {
        CustomerProvidedKey = new CustomerProvidedKey(key)
    };

    // Create a client object for the Blob service, including options.
    BlobServiceClient serviceClient = new BlobServiceClient(accountUri, 
        new DefaultAzureCredential(), options);

    // Create a client object for the container.
    // The container client retains the credential and client options.
    BlobContainerClient containerClient = serviceClient.GetBlobContainerClient(containerName);

    // Create a new block blob client object.
    // The blob client retains the credential and client options.
    BlobClient blobClient = containerClient.GetBlobClient(blobName);

    try
    {
        // Create the container if it does not exist.
        await containerClient.CreateIfNotExistsAsync();

        // Upload the data using the customer-provided key.
        await blobClient.UploadAsync(data);
    }
    catch (RequestFailedException e)
    {
        Console.WriteLine(e.Message);
        Console.ReadLine();
        throw;
    }
}
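
The round trip that the upload example implies, as an added example that is not part of the original article: it generates a 256-bit key, writes a blob with it, reads the blob back with the same key, and then attempts a read without the key. The account, container and blob names are placeholders, the container is assumed to exist, and the signed-in identity is assumed to have blob data access.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

class CustomerKeyRoundTrip
{
    static async Task Main()
    {
        // Placeholder names (assumptions); the container must already exist.
        var blobUri = new Uri("https://examplestorageacct.blob.core.chinacloudapi.cn/example-container/example-blob.txt");
        var credential = new DefaultAzureCredential();

        // A customer-provided key is an AES-256 key: 32 random bytes from a CSPRNG.
        // In real use, keep it in Azure Key Vault or another key store; every read needs it.
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); }

        var options = new BlobClientOptions { CustomerProvidedKey = new CustomerProvidedKey(key) };
        var clientWithKey = new BlobClient(blobUri, credential, options);
        var clientWithoutKey = new BlobClient(blobUri, credential);
        try
        {
            // Write, then read back, sending the same key on both requests.
            using (var upload = new MemoryStream(Encoding.UTF8.GetBytes("constructed sample data")))
                await clientWithKey.UploadAsync(upload, overwrite: true);
            using (var download = new MemoryStream())
            {
                await clientWithKey.DownloadToAsync(download);
                Console.WriteLine(Encoding.UTF8.GetString(download.ToArray()));
            }
            // A read that omits the key is rejected by the service.
            await clientWithoutKey.DownloadToAsync(new MemoryStream());
        }
        catch (RequestFailedException e)
        {
            Console.WriteLine($"Request failed: {e.Status} {e.ErrorCode}");
        }
        finally
        {
            Array.Clear(key, 0, key.Length); // clear our copy of the key when done
        }
    }
}
```

Because the key in this example is generated in memory and cleared at exit, the uploaded blob cannot be read afterwards; persist the key first when the data has to be kept.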

Next steps