OneDrive for Business and SharePoint Online Migration API encryption
Using the Migration API requires a temporary storage container in Azure. This Azure container is already only openable by someone having a SAS key access to the container. The Goal of this feature is to allow to pass Encrypted content at rest to the API meaning that even if a malicious user has access to the Container he won’t be able to use its content.
What is stored in the Azure blob container
The Migration API requires the Azure Container for content passing and also for log and queue reporting back. It can be split down as a summary into those buckets:
Content
- Files
- Manifest
- Metadata
- Permissions
- List items
- Taxonomy
- Logs (created by SharePoint Online to report back on the migration results)
- Queue
- Real time reportig on the progress
What is the encryption feature?
When using the encryption parameter, everything listed above will be encrypted at rest and the key will need to be preserved in order to read the logs and the real time progress.
The main benefits is making the content useless for a malicious user who would manage to breach into the Azure container.
This comes with a small cost of performance. This feature is optional when using the API and it is recommended to only use it for the most confidential information since it does reduce the speed of the migration by a small portion. Microsoft destroys the key once the migration job is finished and there is no way to recover the key if lost, not even from support.
As a 3rd party developer how do I take advantage of the Encryption feature?
Calling the API
The method for calling the Migration Job has a different name and an additional parameter at the end. The new name is: CreateMigrationJobEncrypted
The new parameter is: EncryptionOption
For now, it only supports receiving an AES256CBC Encryption Key.
Example:
public Guid CreateMigrationJobEncrypted(
Guid gWebId,
string azureContainerSourceUri,
string azureContainerManifestUri,
string azureQueueReportUri,
EncryptionOption AES256CBCKey)
Extra requirement
For the encryption, each file must be encrypted and have an IV assigned to it. The encryption method should follow the AES CBC 256 Standard. A unique, cryptographically-random IV must be generated for every file including the manifests in the package and should be stored as a property on each files. Use the AesCryptoServiceProvider.GenerateIV method to generate a unique random IV for each file.
- Name: [IV]
- Value: [Base64encoded byte array of the IV]
Reading the queue when encrypted
When using the encryption option, the messages in the queue will also get encrypted.
It is important to remember the Job ID. Without the specific key used for the job, you won’t be able to read the message back.
Here is the JSON content in the queue message
{"Label": "Encrypted"},
{"JobId": "[JobId value]"},
{"IV": "[IV value in base64format]"},
{"Content": "[encrypted message in base64string]"}
Once the messages are decrypted, they will be the same as the API without encryption.
Note
The Migration is not available for users of Office 365 operated by 21Vianet in China. It is also not available for users of Office 365 with the German cloud using the data trustee, German Telekom. However, it is supported for users in Germany whose data location is not in the German data center.
피드백
출시 예정: 2024년 내내 콘텐츠에 대한 피드백 메커니즘으로 GitHub 문제를 단계적으로 폐지하고 이를 새로운 피드백 시스템으로 바꿀 예정입니다. 자세한 내용은 다음을 참조하세요. https://aka.ms/ContentUserFeedback
다음에 대한 사용자 의견 제출 및 보기