CloudBlob.RotateEncryptionKey Method    
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Rotates the encryption key on this blob. This method rotates only the KEK, not the CEK. For more information, visit https://azure.microsoft.com/en-us/documentation/articles/storage-client-side-encryption/
[Microsoft.Azure.Storage.DoesServiceRequest]
public virtual void RotateEncryptionKey(Microsoft.Azure.Storage.AccessCondition accessCondition = default, Microsoft.Azure.Storage.Blob.BlobRequestOptions options = default, Microsoft.Azure.Storage.OperationContext operationContext = default);[<Microsoft.Azure.Storage.DoesServiceRequest>]
abstract member RotateEncryptionKey : Microsoft.Azure.Storage.AccessCondition * Microsoft.Azure.Storage.Blob.BlobRequestOptions * Microsoft.Azure.Storage.OperationContext -> unit
override this.RotateEncryptionKey : Microsoft.Azure.Storage.AccessCondition * Microsoft.Azure.Storage.Blob.BlobRequestOptions * Microsoft.Azure.Storage.OperationContext -> unitPublic Overridable Sub RotateEncryptionKey (Optional accessCondition As AccessCondition = Nothing, Optional options As BlobRequestOptions = Nothing, Optional operationContext As OperationContext = Nothing)Parameters
- accessCondition
- AccessCondition
An AccessCondition object that represents the condition that must be met in order for the request to proceed.
For this operation, there must not be an IfMatchETag, IfNoneMatchETag,
IfModifiedSinceTime, or IfNotModifiedSinceTime condition.
An IfMatchETag condition will be added internally.
- options
- BlobRequestOptions
A BlobRequestOptions object that specifies additional options for the request.
- operationContext
- OperationContext
An OperationContext object that represents the context for the current operation.
- Attributes
Remarks
This method has a number of prerequisites: 1. The blob must be encrypted on the service using client-side encryption (not service-side encryption.) 2. The local object must have the latest attributes from the blob on the service. This can be done by calling FetchAttributes() on the blob, or by listing blobs in the container with metadata. 3. The Encryption Policy on the default BlobRequestOptions must contain an IKeyResolver capable of resolving the old encryption key. 4. The Encryption Policy on the default BlobRequestOptions must contain an IKey with the new encryption key.