Encrypting and decrypting blobs in Microsoft Azure Storage using Azure Key Vault

In this demonstration, we encrypt and decrypt blobs in Microsoft Azure Storage using Azure Key Vault, working through the Azure Storage client SDK. The SDK generates a content encryption key (CEK), which is a one-time-use symmetric key. The user can use this CEK to encrypt the data.

This CEK is then encrypted (wrapped) using the key encryption key (KEK). The KEK can be managed locally, or you can store it in Azure Key Vault. It is identified by a key identifier and can be an asymmetric key pair or a symmetric key. The storage client never has access to the KEK; instead, it invokes a key wrapping algorithm that is provided by Azure Key Vault. The encrypted data is then uploaded to the Azure Storage service.
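The CEK/KEK flow described above, as an added example that is not the Azure Storage SDK's own code and makes no calls to Azure. `FakeKeyVault`, `encryptBlob`, `decryptBlob` and the metadata field names are hypothetical, and RSA-OAEP for wrapping and AES-256-GCM for content are choices made for this example.

```javascript
const crypto = require("crypto");

// Hypothetical local stand-in for Azure Key Vault (not the real service or SDK):
// it holds the RSA KEK privately and exposes only wrap/unwrap by key identifier.
class FakeKeyVault {
  #keys = new Map();
  createKey(kid) {
    this.#keys.set(kid, crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }));
    return kid;
  }
  wrapKey(kid, cek) {
    return crypto.publicEncrypt({ key: this.#get(kid).publicKey, oaepHash: "sha256" }, cek);
  }
  unwrapKey(kid, wrapped) {
    return crypto.privateDecrypt({ key: this.#get(kid).privateKey, oaepHash: "sha256" }, wrapped);
  }
  #get(kid) {
    const pair = this.#keys.get(kid);
    if (!pair) throw new Error("unknown key identifier: " + kid);
    return pair;
  }
}

// Client side: a fresh CEK per blob encrypts the data; only the wrapped CEK is kept.
function encryptBlob(vault, kid, plaintext) {
  const cek = crypto.randomBytes(32); // one-time-use symmetric key
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", cek, iv);
  const content = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const metadata = {
    keyId: kid, // identifies the KEK; the KEK itself is never stored with the blob
    wrappedCek: vault.wrapKey(kid, cek).toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
  return { content, metadata }; // what would be uploaded to the storage service
}

// Client side: ask the vault to unwrap the CEK, then decrypt and authenticate the content.
function decryptBlob(vault, blob) {
  const m = blob.metadata;
  const cek = vault.unwrapKey(m.keyId, Buffer.from(m.wrappedCek, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", cek, Buffer.from(m.iv, "base64"));
  decipher.setAuthTag(Buffer.from(m.tag, "base64"));
  return Buffer.concat([decipher.update(blob.content), decipher.final()]); // throws if tampered
}
```

Because each blob carries only the wrapped CEK and the key identifier, revoking or rotating the KEK in the vault controls access to every blob without re-uploading the encrypted content.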

The first step is to create the Key Vault. To do so, we have to take the following steps.
