Can Microsoft.WindowsAzure.Storage be FIPS 140-2 compliant

Our current code is using Microsoft.WindowsAzure.Storage version 9.3.2. I have started testing out running our web app on a Windows laptop with FIPS compliance enforced. The app throws a FIPS compliance error every time it attempts to upload or download a blob from Azure, saying the encryption method is not allowed. One chunk of code that throws errors looks like this:

// Resolver that fetches the key-encryption key from Azure Key Vault
var cloudResolver = new KeyVaultKeyResolver(<auth callback object>);
// Resolve the Key Vault key that wraps the per-blob content-encryption key
var encryptionThingy = await cloudResolver.ResolveKeyAsync(<Key Vault URL> + "/keys/" + <key name>, CancellationToken.None);
// The resolved key is the one the policy must use (the original referenced an undefined `rsa` variable)
var policy = new BlobEncryptionPolicy(encryptionThingy, cloudResolver);
var options = new BlobRequestOptions() { EncryptionPolicy = policy };
await <ICloudBlob Instance>.DownloadToStreamAsync(<stream>, null, options, null);

I went up into the Azure KeyVault and checked the key being used; it is 2048-bit RSA (which should be allowed). Is that enough for FIPS compliance, or would I also have to turn on an expiration/rollover date? Currently the key does not expire and all operations are permitted on it.

I think the answer to this question is no. I've tested rewriting the Blob access with v12 of Azure.Storage.Blobs (How do you decrypt blobs with Azure KeyVault keys in Azure.Storage v12) and it works fine, while using the older libraries throws the error.
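For readers arriving at the same conclusion, the following is an added example (not code from the question, the answer, or the Azure SDK project) of the v12 pattern the answer refers to: client-side blob encryption with the Key Vault key acting as the key-encryption key, using Azure.Storage.Blobs together with Azure.Security.KeyVault.Keys.Cryptography. The vault, key and storage account names, the `DefaultAzureCredential` choice and the use of encryption protocol version 2.0 are assumptions for illustration; only the key name and the request flow mirror the question.

```csharp
// Added example: Azure.Storage.Blobs v12 client-side encryption with a Key Vault RSA key.
// Package references assumed: Azure.Identity, Azure.Storage.Blobs,
// Azure.Security.KeyVault.Keys (namespace Azure.Security.KeyVault.Keys.Cryptography).
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Core.Cryptography;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Specialized;

public static class EncryptedBlobExample
{
    // Placeholder identifiers (constructed for this example; substitute your own).
    private const string KeyVaultKeyId = "https://<vault-name>.vault.azure.net/keys/<key name>";
    private const string BlobUri = "https://<storage-account>.blob.core.windows.net/<container>/<blob>";

    public static BlobClient BuildEncryptedClient()
    {
        // One credential serves both Key Vault (key wrap/unwrap) and Blob storage (data plane).
        var credential = new DefaultAzureCredential();

        // The Key Vault key never leaves the vault: CryptographyClient wraps and unwraps
        // the per-blob content-encryption key remotely, so no RSA private material is local.
        IKeyEncryptionKey keyEncryptionKey = new CryptographyClient(new Uri(KeyVaultKeyId), credential);

        // On download the SDK reads the key id from blob metadata and asks the resolver
        // for a matching IKeyEncryptionKey, which lets key rollover work transparently.
        IKeyEncryptionKeyResolver resolver = new KeyResolver(credential);

        // V2_0 uses AES-GCM for content encryption (assumption: the version you want on a
        // new deployment; V1_0 is deprecated by the SDK). RSA-OAEP wraps the content key.
        var encryptionOptions = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V2_0)
        {
            KeyEncryptionKey = keyEncryptionKey,
            KeyResolver = resolver,
            KeyWrapAlgorithm = "RSA-OAEP"
        };

        // WithClientSideEncryptionOptions returns a client that encrypts on upload
        // and decrypts on download; plain BlobClient calls bypass encryption entirely.
        return new BlobClient(new Uri(BlobUri), credential)
            .WithClientSideEncryptionOptions(encryptionOptions);
    }

    public static async Task RoundTripAsync()
    {
        BlobClient blob = BuildEncryptedClient();

        // Upload: content is encrypted locally, the wrapped content key and key id are
        // stored in blob metadata alongside the ciphertext.
        using (var upload = new MemoryStream(System.Text.Encoding.UTF8.GetBytes("constructed sample payload")))
        {
            await blob.UploadAsync(upload, overwrite: true);
        }

        // Download: the resolver unwraps the content key via Key Vault, then the SDK decrypts.
        using (var download = new MemoryStream())
        {
            await blob.DownloadToAsync(download);
            Console.WriteLine(System.Text.Encoding.UTF8.GetString(download.ToArray()));
        }
    }
}
```

Two things worth checking when migrating under FIPS enforcement: confirm the Key Vault key's `wrapKey`/`unwrapKey` operations are permitted for the application's identity (the question notes all operations are currently allowed), and test both upload and download paths on the FIPS-enforced machine, since the original error surfaced on both.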
