Samples: Adds sample to demonstrate reencryption using Always Encrypted Cosmos SDK. #2825
Conversation
…e/azure-cosmos-dotnet-v3 into users/sakulk/CepCekRotation
kr-santosh
requested review from
ealsur,
FabianMeiswinkel,
j82w,
khdang,
kirankumarkolli,
kirillg and
neildsh
as code owners
| { | ||
| X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); | ||
| store.Open(OpenFlags.ReadOnly); | ||
| X509Certificate2Collection certs = store.Certificates.Find(findType: X509FindType.FindByThumbprint, findValue: clientCertThumbprint, validOnly: false); |
There was a problem hiding this comment.
ValidOnly: false might be very liberal (might be okey for testing)
There was a problem hiding this comment.
Yes, if you want to retrieve only trusted certs. Since here its a sample we are just returning the self signed cert setting true will not return it unless its issuer need to be present in trusted root authority. There are however multiple ways to get the token credentials, can use AD too. This is just an example.
|
|
||
| Program.client = Program.CreateClientInstance(configuration, azureKeyVaultKeyStoreProvider); | ||
|
|
||
| await Program.CreateAndRunReEncryptionTasks(client); |
There was a problem hiding this comment.
If the client is passed as instance across, is the member state necessary?
| document.Remove(Constants.MetadataPropertyName); | ||
| document.Remove(Constants.LsnPropertyName); | ||
| bulkOperations.Tasks.Add(this.container.UpsertItemAsync( | ||
| item: document, |
There was a problem hiding this comment.
Clarification:
I guess we do allow changing the 'id' of document part of update, that should flow through good. Do that show-up as update in the change-feed?
There was a problem hiding this comment.
Yes. We get the entire image.
kr-santosh
dismissed stale reviews from abhijitpai and FabianMeiswinkel
via
bcf2b81
Description
Sample/Driver - demonstrates, how reencryption of encrypted data in Cosmos DB can be carried out using Always Encrypted CosmosDB SDK (Client-Side encryption). This can be used to change/rotate data encryption keys or change the client encryption policy.
Initially there will be no support for reencrypting the data when there are active changes taking place in the source containers, so the flag IsFFChangeFeedSupported(in Constants.cs file) value has been set to false. Full Fidelity change feed is in Preview mode and has to be enabled on an account to use the feature. This allows for reencryption
to be carried out, when the source container is still receiving changes. This can be set to true when the feature is available or is enabled on the account.
Type of change