堆栈内存溢出
  简体   繁体   English

在 C# 应用程序中安全存储 Azure blob 存储访问密钥的正确方法

[英]Correct way to securely store Azure blob storage access key in C# app

 原文  2022-01-28 09:59:53       c#/ azure/ security/ azure-blob-storage

问题描述

I am building a c# app (WPF) which uploads log files to an azure blob storage.我正在构建一个 c# 应用程序 (WPF),它将日志文件上传到 azure blob 存储。 I store the StorageConnectionString inside the App.config file like this:我将StorageConnectionString存储在App.config文件中,如下所示:

<appSettings>
    <add key="StorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=<my account name>;AccountKey=<my account key>;EndpointSuffix=core.windows.net" />
</appSettings>

In my code I retrieve the StorageConnectionString like this:在我的代码中,我像这样检索StorageConnectionString

string connectionString = ConfigurationManager.AppSettings.Get("StorageConnectionString");

Everything works fine so far, but I am worried about the clearly visible StorageConnectionString inside the App.config file.到目前为止一切正常,但我担心App.config文件中清晰可见StorageConnectionString

How can I secure my app that its not possible with reverse engineering to get the StorageConnectionString ?如何确保我的应用程序无法通过逆向工程来获取StorageConnectionString

2 个解决方案

解决方案1
 1 已采纳  2022-01-29 12:55:17

Your application should not be using Shared Keys.您的应用程序不应使用共享密钥。 Storage account keys grant full access to your storage account.存储帐户密钥授予对存储帐户的完全访问权限。 A better approach is to use Shared Access Signatures in your application with Azure AD.更好的方法是在您的应用程序中使用共享访问签名与 Azure AD。

A full overview can be found here:完整的概述可以在这里找到:

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

While Microsoft recommends using Azure AD with SAS to authorize requests to Azure Storage.虽然 Microsoft 建议使用 Azure AD 和 SAS 来授权对 Azure 存储的请求。 If you must use Shared Key authorization, then secure your account keys with Azure Key Vault .如果您必须使用共享密钥授权,请使用Azure Key Vault保护您的帐户密钥。 You can retrieve the keys from the key vault at runtime, instead of saving them with your application.您可以在运行时从密钥保管库中检索密钥,而不是将它们与您的应用程序一起保存。 For more information about Azure Key Vault , see Azure Key Vault overview .有关Azure 密钥库的详细信息,请参阅Azure 密钥库概述

All our security recommendations can be found here:我们所有的安全建议都可以在这里找到:

https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations

解决方案2
 0  2022-01-29 09:24:23

To securely store your Storage Account access key in C# application, you can use either of the below options:要在 C# 应用程序中安全地存储您的存储帐户访问密钥,您可以使用以下任一选项:

  1. Store the Storage Account Key as an environment variable将存储帐户密钥存储为环境变量
  2. Use Azure AD Authentication for your blob storage instead of access key对 Blob 存储使用 Azure AD 身份验证,而不是访问密钥

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用Azure函数c#在blob存储上存储json - store json on blob storage using Azure function c# C#MVC Web应用程序服务连接到Azure存储Blob - C# MVC Web App Service Connect to Azure Storage Blob 使用共享访问密钥上载到Azure Blob存储 - Upload to Azure Blob Storage with Shared Access Key C# - 在本机应用程序上将 Azure Key Vault 与 Azure 存储结合使用 - C# - Using Azure Key Vault with Azure Storage on Native App 从 Azure 应用服务访问 Blob 存储 - Blob storage access from Azure App Service C#Azure存储Blob上载TransactionScope - C# Azure Storage Blob Upload TransactionScope 使用 C# 的 Azure Blob 存储“找不到方法” - Azure Blob Storage "Method not found" with C# 如何使用C#使用HTTP POST创建Azure函数并将传入的数据存储到BLOB存储中的文本文件中? - How to create Azure function with C# using HTTP POST and store incoming data into text file in BLOB storage? 如何使用 Blazor 将大文件上传到 WebAPI (C#) 并将其存储到 Azure Blob 存储中 - How to upload large file using Blazor to WebAPI (C#) and store it into Azure Blob storage C#没有从Azure blob存储中检索blob - C# not retrieving blob from Azure blob storage
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM