Samples: Adds sample to demonstrate reencryption using Always Encrypted Cosmos SDK. #2825
…e/azure-cosmos-dotnet-v3 into users/sakulk/CepCekRotation
Thanks
{ | ||
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); | ||
store.Open(OpenFlags.ReadOnly); | ||
X509Certificate2Collection certs = store.Certificates.Find(findType: X509FindType.FindByThumbprint, findValue: clientCertThumbprint, validOnly: false); |
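Review bot: the lookup at `X509Certificate2Collection certs = store.Certificates.Find(..., validOnly: false)` returns certificates that fail chain validation (expired, revoked, or issued by an untrusted CA), and the snippet shows no check that `certs.Count > 0` before the result is used; `store.Open(OpenFlags.ReadOnly)` is also not paired with a `Close()` or a `using`. Suggest wrapping the store in `using`, defaulting to `validOnly: true` with the unvalidated lookup reserved for the self-signed test certificate the discussion mentions, and failing with a clear error when no certificate matches the thumbprint.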
validOnly: false might be very liberal (might be okay for testing)
Yes, if you want to retrieve only trusted certs. Since this is a sample, we are just returning the self-signed cert; setting it to true will not return it unless its issuer is present in the trusted root authority. There are, however, multiple ways to get the token credentials; AD can be used too. This is just an example.
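The point raised in the two comments above (chain-validated lookup for production, an explicit opt-in for a self-signed test certificate) can be made concrete. The following is an added example, not code from the PR or from the azure-cosmos-dotnet-v3 repository; the class name `ClientCertificateLookup`, the `allowUntrusted` parameter and the use of `Azure.Identity.ClientCertificateCredential` to turn the certificate into a token credential are assumptions for illustration.

```csharp
// Added example (not the PR's code): locate a client certificate by thumbprint,
// preferring chain-validated results and only falling back to an unvalidated
// lookup when the caller explicitly allows it (e.g. a self-signed dev cert).
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;

public static class ClientCertificateLookup
{
    // Returns the certificate for `thumbprint` from CurrentUser\My, or throws.
    public static X509Certificate2 FindByThumbprint(string thumbprint, bool allowUntrusted = false)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
        {
            throw new ArgumentException("Thumbprint is required.", nameof(thumbprint));
        }

        // `using` closes the store handle when the method returns; the returned
        // X509Certificate2 instances are independent copies and stay usable.
        using X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        // First pass: only certificates whose chain validates (not expired, trusted issuer).
        X509Certificate2Collection certs = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: true);

        if (certs.Count == 0 && allowUntrusted)
        {
            // Explicit opt-in for self-signed test certificates, which validOnly: true
            // filters out because their issuer is not in the trusted root store.
            certs = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        }

        if (certs.Count == 0)
        {
            throw new InvalidOperationException(
                $"No certificate with thumbprint {thumbprint} found in CurrentUser\\My.");
        }

        X509Certificate2 cert = certs[0];

        // Even with the unvalidated fallback, refuse certificates that cannot
        // actually be used for client authentication.
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "Certificate has no private key and cannot be used for client authentication.");
        }
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
        {
            throw new InvalidOperationException($"Certificate expired on {cert.NotAfter:u}.");
        }

        return cert;
    }

    // Builds an Azure AD credential from the certificate; tenantId and clientId
    // are the app registration values (assumed inputs, not from the PR).
    public static TokenCredential CreateCredential(
        string tenantId, string clientId, string thumbprint, bool allowUntrusted = false)
    {
        X509Certificate2 cert = FindByThumbprint(thumbprint, allowUntrusted);
        return new ClientCertificateCredential(tenantId, clientId, cert);
    }
}
```

With this shape the sample's "test" behaviour (`allowUntrusted: true`) is an explicit choice at the call site rather than the default, and a misconfigured thumbprint fails immediately instead of surfacing later as an empty collection.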
|
||
Program.client = Program.CreateClientInstance(configuration, azureKeyVaultKeyStoreProvider); | ||
|
||
await Program.CreateAndRunReEncryptionTasks(client); |
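Review bot: `Program.client = Program.CreateClientInstance(...)` stores the client in static state while the next call, `await Program.CreateAndRunReEncryptionTasks(client);`, passes it as an argument, so the sample keeps two references to the same object; pick one (passing it explicitly reads better in a sample) and make sure the `CosmosClient` is disposed once the reencryption tasks complete.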
If the client is passed as an instance across, is the member state necessary?
document.Remove(Constants.MetadataPropertyName); | ||
document.Remove(Constants.LsnPropertyName); | ||
bulkOperations.Tasks.Add(this.container.UpsertItemAsync( | ||
item: document, |
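Review bot: `document.Remove(Constants.MetadataPropertyName)` and `document.Remove(Constants.LsnPropertyName)` strip change-feed-only system properties before the upsert, but nothing in the hunk says why; a one-line comment stating that these fields are populated by the change feed and must not be written back would help readers of the sample. Also, `this.container.UpsertItemAsync(item: document, ...` is unconditional, so if the destination container can receive writes while reencryption runs, a concurrent update could be overwritten; worth calling out in the sample's description or guarding with an ETag precondition.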
Clarification:
I guess we do allow changing the 'id' of the document as part of an update; that should flow through fine. Does that show up as an update in the change feed?
Yes. We get the entire image.
bcf2b81
Description
Sample/Driver - demonstrates how reencryption of encrypted data in Cosmos DB can be carried out using the Always Encrypted Cosmos DB SDK (client-side encryption). This can be used to change/rotate data encryption keys or change the client encryption policy.
Initially there will be no support for reencrypting the data when there are active changes taking place in the source containers, so the flag IsFFChangeFeedSupported (in the Constants.cs file) has been set to false. Full Fidelity change feed is in preview mode and has to be enabled on an account to use the feature. This allows reencryption to be carried out while the source container is still receiving changes. This can be set to true when the feature is available or is enabled on the account.
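The description above, together with the earlier review exchange about the full document image arriving on the change feed and the `_metadata`/`_lsn` properties being stripped before the upsert, describes one driver loop: read changes from the source container, drop the change-feed-only properties, and upsert into the destination container whose client encryption policy does the reencryption on write. The following is an added example of that loop, not the PR's sample code; it assumes the incremental change feed only (the Full Fidelity mode the description says is not yet supported is deliberately left out), assumes the two property names are `_metadata` and `_lsn` (the PR refers to them via `Constants.MetadataPropertyName` and `Constants.LsnPropertyName`), and uses hypothetical names `ReencryptionDriver`, `PrepareForUpsert` and `ReencryptAsync`.

```csharp
// Added example (not the PR's code): a minimal change-feed-driven reencryption
// pass between two containers. Encryption itself is done by the SDK according
// to the destination container's client encryption policy.
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;
using Newtonsoft.Json.Linq;

public static class ReencryptionDriver
{
    // Assumed values; the PR keeps these in Constants.MetadataPropertyName / LsnPropertyName.
    private const string MetadataPropertyName = "_metadata";
    private const string LsnPropertyName = "_lsn";

    // Change-feed responses carry system properties that are not part of the
    // stored document; strip them so the item can be written to the destination.
    public static JObject PrepareForUpsert(JObject document)
    {
        JObject copy = (JObject)document.DeepClone();
        copy.Remove(MetadataPropertyName);
        copy.Remove(LsnPropertyName);
        return copy;
    }

    // Reads the source change feed from `continuationToken` (or from the
    // beginning when null), upserts each document into `destination`, and
    // returns the token to resume from. Incremental mode delivers the latest
    // image of each changed document, which is what the upsert needs.
    public static async Task<string> ReencryptAsync(
        Container source,
        Container destination,
        string partitionKeyProperty,   // e.g. "pk" for a container partitioned on /pk
        string continuationToken)
    {
        ChangeFeedStartFrom startFrom = continuationToken is null
            ? ChangeFeedStartFrom.Beginning()
            : ChangeFeedStartFrom.ContinuationToken(continuationToken);

        using FeedIterator<JObject> iterator =
            source.GetChangeFeedIterator<JObject>(startFrom, ChangeFeedMode.Incremental);

        string lastToken = continuationToken;
        while (iterator.HasMoreResults)
        {
            FeedResponse<JObject> page = await iterator.ReadNextAsync();

            // 304 means the feed is drained for now; stop and hand back the token.
            if (page.StatusCode == HttpStatusCode.NotModified)
            {
                break;
            }

            foreach (JObject document in page)
            {
                JObject item = PrepareForUpsert(document);
                string partitionKeyValue = item.Value<string>(partitionKeyProperty)
                    ?? throw new InvalidOperationException(
                        $"Document {item.Value<string>("id")} has no '{partitionKeyProperty}' value.");

                // Unconditional upsert: fine while the destination receives no
                // other writes, which is the constraint the PR description states.
                await destination.UpsertItemAsync(item, new PartitionKey(partitionKeyValue));
            }

            lastToken = page.ContinuationToken;
        }

        return lastToken;
    }
}
```

Persisting the returned continuation token between runs lets the driver resume after a crash without re-reading the whole container; since the destination write is an upsert, re-processing a page is harmless.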
Type of change