Protect Azure page blob connection string

Azure page blobs are used in a Cloud Cache configuration for profile or ODFC containers. Cloud Cache connects to the blob over HTTPS using the REST API. This connection requires the storage account's access key formatted into a connection string. With this connection string, the entire storage account can be accessed, so knowledge of it exposes a security risk that must be considered.

FSLogix protects this information by adding it to the virtual machine's Credential Manager store using the frx command-line utility.

Prerequisites

  • Create an Azure page blob storage account.
  • Install and import Azure PowerShell modules.
  • Download and install the latest version of FSLogix.
  • Review: frx command-line utility reference

Find Azure page blob storage account connection string

  1. Select Start.

  2. Type powershell directly into the Start Menu.

  3. Select Run as administrator from the Start Menu.


  4. Sign in to Azure.

    Connect-AzAccount
    
  5. Change your Azure context to the subscription containing the storage account.

    Set-AzContext -Subscription <subscription name or id>
    
  6. Get the connection string for your storage account.

    $ResourceGroupName = "<resource-group-name>"
    $StorageAccountName = "<storage-account-name>"
    $StorageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $ConnectionString = $StorageAccount.Context.ConnectionString
    

Add Azure page blob connection string to Credential Manager

  1. Use the same PowerShell session from Find Azure page blob storage account connection string.

  2. Use the frx command add-secure-key to add the connection string to Credential Manager.

    & "C:\Program Files\FSLogix\Apps\frx.exe" add-secure-key -key <custom-key-name> -value $ConnectionString
    
  3. Use the frx command list-secure-key to validate it was added successfully.

    & "C:\Program Files\FSLogix\Apps\frx.exe" list-secure-key
    

Use the secure key in CCDLocations

Cloud Cache uses CCDLocations to retrieve the list of storage providers. The string used to specify the Azure page blob must follow a specific format.

  • type=azure,name=<optional-name>,connectionString="|fslogix/<key-name>|"

The key stored in Credential Manager must be referenced using |fslogix/<key-name>|. Any part of the connection string can be replaced with a secure key created using the frx command-line utility, so only the key reference, never the secret itself, appears in CCDLocations.
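As an added example (not from the FSLogix documentation), the Find, Add and Use steps above combined into one PowerShell function that hands the connection string to frx without echoing it and returns the CCDLocations entry. The function name, the $Frx variable, the key-name character check and the assumption that list-secure-key output contains the key name are mine; it assumes Connect-AzAccount and Set-AzContext have already run in the session.

```powershell
# Added example, not FSLogix's own code. Assumes the Az modules are loaded and the
# session is already signed in and set to the subscription holding the storage account.
$Frx = "C:\Program Files\FSLogix\Apps\frx.exe"   # frx path as given on this page

function Add-FslogixBlobSecureKey {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $KeyName,        # custom key name for Credential Manager
        [string] $LocationName = $StorageAccountName     # optional name= part of the CCDLocations entry
    )
    # CCDLocations is parsed on ',' and '=', so keep the key name to safe characters (my check).
    if ($KeyName -notmatch '^[A-Za-z0-9_-]+$') {
        throw "Key name '$KeyName' must contain only letters, digits, '_' or '-'"
    }

    # The connection string grants access to the whole storage account: fetch it,
    # pass it straight to frx, and do not write it to the console or a transcript.
    $sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $connectionString = $sa.Context.ConnectionString
    & $Frx add-secure-key -key $KeyName -value $connectionString
    if ($LASTEXITCODE -ne 0) { throw "frx add-secure-key failed with exit code $LASTEXITCODE" }
    $connectionString = $null   # drop the plaintext from the session as soon as frx has it

    # Validate the key was stored; assumes list-secure-key output includes the key name.
    $listed = & $Frx list-secure-key
    if (-not ($listed -match [regex]::Escape($KeyName))) {
        throw "Secure key '$KeyName' not found in frx list-secure-key output"
    }

    # Only the |fslogix/<key-name>| reference goes into CCDLocations, never the secret.
    return "type=azure,name=$LocationName,connectionString=`"|fslogix/$KeyName|`""
}

# Usage with placeholders; the returned string is the CCDLocations entry to configure.
# Add-FslogixBlobSecureKey -ResourceGroupName "<resource-group-name>" `
#     -StorageAccountName "<storage-account-name>" -KeyName "<custom-key-name>"
```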

Delete Azure page blob connection string from Credential Manager

  1. Use the same PowerShell session from Find Azure page blob storage account connection string.

  2. Use the frx command del-secure-key to delete the secure key from Credential Manager.

    & "C:\Program Files\FSLogix\Apps\frx.exe" del-secure-key -key <custom-key-name>
    
  3. Use the frx command list-secure-key to validate it was removed successfully.

    & "C:\Program Files\FSLogix\Apps\frx.exe" list-secure-key