Choice of encryption method

Sep 8, 2011 at 7:03 AM

Hello table encryption attribute

First off, great project, great initiative and great work!

Here my question though :)

I was wondering about thechoice of encryption made in this project, i.e. the choice of both using a certificate and symmetric keys for encryption..

From what I understand you use symmetric keys to encrypt data, and store the symmetric keys in table storage. Before you save the keys, you use a certificate (X509) to encrypt them.
So my question is really - why not just encrypt data with the certificate at hand? What is the need for using symmetric keys for the encryption?


Maybe I'm misunderstanding the concept or something, but I cannot see the need for using symmetric keys for storing the data.

Jan 7, 2012 at 8:01 PM


The encryption choice in this project is a well accepted practice. Large keys, such as the certificate used in asymmetric encryption work best on small data sets. In Azure storage there isn't an enforced upper limit on field size. In theory the properties could have a significant amount of text. By using the symmetric key we have a small (256bit) key that can efficiently encrypt any size of data and we only need to use the large key (certificate likely 2048bit) to encrypt/decrypt the 32 bytes (256bit) keys.

You can read on this type of encryption method here:

Take note, this is what TLS, PGP and GPG use for encrypting the data and is used for encrypting email (MIME) using the S/MIME standard. One final thing to keep in mind is that this scheme allows there to be many different encryption keys in use. If you related the x509 cert to the encryption, you would need to upload a different x509 cert per use Table and configure it in the csdef file as well.