[FEATURE REQ] Facilitate migration of blob client-side encryption from V1 to V2

[Kiechlus]

Library name

Azure.Storage.Common

Please describe the feature.

This is about facilitating migration to new V2 client-side encryption of blobs:

• V1 client-side encryption of blobs is deprecated due to a vulnerability, see https://learn.microsoft.com/en-us/azure/storage/blobs/client-side-encryption?tabs=dotnet#azure-key-vault
• The article suggests to decrypt all data and encrypt again with V2 for migration
• However, this is quite complex on a larger life-system:
  • Offline de/encryption of most of the data into a new container
  • Start downtime
  • Migrate rest of the data
  • Update service to use V2, point to new container
  • ...

It would be very helpful if we could avoid such a huge migration. Some ideas:

• Newer version of SDK persists encryption version alongside the encryption metadata on the blob
• Depending which version it finds on accessing data, it uses V1 or V2
• On older datasets that do not have the property, assume V1
• ...

This may be again a lot of work on the SDK side, however just pointing out what a huge help this would be for our teams (and probably others).

[github-actions]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @amnguye @jalauzon-msft @jaschrep-msft @nickliu-msft @seanmcc-msft.