CloudBlob.RotateEncryptionKey Method

Definition

Rotates the encryption key on this blob. This method rotates only the key encryption key (KEK), not the content encryption key (CEK). For more information, see https://azure.microsoft.com/en-us/documentation/articles/storage-client-side-encryption/

[Microsoft.Azure.Storage.DoesServiceRequest]
public virtual void RotateEncryptionKey (Microsoft.Azure.Storage.AccessCondition accessCondition = default, Microsoft.Azure.Storage.Blob.BlobRequestOptions options = default, Microsoft.Azure.Storage.OperationContext operationContext = default);
[<Microsoft.Azure.Storage.DoesServiceRequest>]
abstract member RotateEncryptionKey : Microsoft.Azure.Storage.AccessCondition * Microsoft.Azure.Storage.Blob.BlobRequestOptions * Microsoft.Azure.Storage.OperationContext -> unit
override this.RotateEncryptionKey : Microsoft.Azure.Storage.AccessCondition * Microsoft.Azure.Storage.Blob.BlobRequestOptions * Microsoft.Azure.Storage.OperationContext -> unit
Public Overridable Sub RotateEncryptionKey (Optional accessCondition As AccessCondition = Nothing, Optional options As BlobRequestOptions = Nothing, Optional operationContext As OperationContext = Nothing)

Parameters

accessCondition
AccessCondition

An AccessCondition object that represents the condition that must be met in order for the request to proceed. For this operation, there must not be an IfMatchETag, IfNoneMatchETag, IfModifiedSinceTime, or IfNotModifiedSinceTime condition.
An IfMatchETag condition will be added internally.

options
BlobRequestOptions

A BlobRequestOptions object that specifies additional options for the request.

operationContext
OperationContext

An OperationContext object that represents the context for the current operation.

Remarks

This method has a number of prerequisites:

1. The blob must be encrypted on the service using client-side encryption (not service-side encryption).
2. The local object must have the latest attributes from the blob on the service. This can be done by calling FetchAttributes() on the blob, or by listing blobs in the container with metadata.
3. The Encryption Policy on the default BlobRequestOptions must contain an IKeyResolver capable of resolving the old encryption key.
4. The Encryption Policy on the default BlobRequestOptions must contain an IKey with the new encryption key.
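The prerequisites above applied in order, as an added C# example that is not part of the original reference page or the SDK. `InMemoryKeyResolver` and `KekRotation` are hypothetical names, and the check on the `encryptiondata` metadata entry assumes that is where the client library stores the wrapped CEK.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault.Core;   // IKey, IKeyResolver
using Microsoft.Azure.Storage.Blob;

// Hypothetical resolver: maps key IDs to keys held in memory.
sealed class InMemoryKeyResolver : IKeyResolver
{
    private readonly Dictionary<string, IKey> keys = new Dictionary<string, IKey>();
    public void Add(IKey key) => keys[key.Kid] = key;
    public Task<IKey> ResolveKeyAsync(string kid, CancellationToken token)
    {
        keys.TryGetValue(kid, out IKey key);   // null when the key ID is unknown
        return Task.FromResult(key);
    }
}

static class KekRotation
{
    // Assumption: the client library keeps the wrapped CEK in this metadata entry.
    private const string EncryptionDataKey = "encryptiondata";

    // oldKek is the key that currently wraps the blob's CEK; newKek replaces it.
    public static void Rotate(CloudBlob blob, IKey oldKek, IKey newKek)
    {
        // Prerequisite 2: load the latest attributes and metadata from the service.
        blob.FetchAttributes();
        // Prerequisite 1: refuse blobs that carry no client-side encryption metadata.
        if (!blob.Metadata.ContainsKey(EncryptionDataKey))
            throw new InvalidOperationException("Blob is not client-side encrypted.");
        // Prerequisites 3 and 4: resolver for the old KEK, IKey for the new KEK.
        // The new KEK is also registered so later downloads can unwrap the CEK.
        var resolver = new InMemoryKeyResolver();
        resolver.Add(oldKek);
        resolver.Add(newKek);
        blob.ServiceClient.DefaultRequestOptions.EncryptionPolicy =
            new BlobEncryptionPolicy(newKek, resolver);

        // No ETag or time conditions are passed; the method adds IfMatchETag itself,
        // so a concurrent write to the blob makes this call fail instead of racing.
        blob.RotateEncryptionKey();
        // Confirm the stored metadata now names the new KEK.
        blob.FetchAttributes();
        if (!blob.Metadata[EncryptionDataKey].Contains(newKek.Kid))
            throw new InvalidOperationException("Metadata still references the old KEK.");
    }
}
```

Keep the old KEK available until every blob it wrapped has been rotated and verified, since only the KEK changes and the CEK stays recoverable through whichever key currently wraps it.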
