Microsoft Codename “Trust Services” is an application-level encryption framework that can be used to protect sensitive data stored on Windows Azure Platform. Data encrypted with Trust Services can only be decrypted by authorized
data consumers. This empowers data publishers to freely distribute and share data by first encrypting it using the Trust Services. Consumers of sensitive data encrypted with Trust Services can have full confidence in the privacy of the data and the knowledge
that the data has not been viewed by anyone else.
The basic scenario involves 2 steps:
• Data publishers use Trust Services to encrypt sensitive data and store it in Windows Azure storage or SQL Azure
• Authorized data consumers can decrypt data after it is read from storage
Two common scenarios supported by Microsoft Codename “Trust Services” are:
In many cases, the TSA & TSPA roles are filled by same user. The main difference between the two roles is that the TSA role performs operations on the Trust Services portal while the TSPA role performs
operations on the client machine using the Trust Services SDK (.NET library or PowerShell snap-in).
Streaming API allows transforming large amounts of data with high performance and low memory footprint. Streaming API also provides ongoing checksums to ensure data integrity.
For ease of use, streaming API exposes .NET Stream class implementation and supports both read and write modes. See Trust Services SDK Help for API details.
The “search in encrypted data” feature allows TSPAs to define searchable policies on data. A searchable data policy enables authorized publishers to transform the associated data into an index that can be stored in an appropriate
data structure in the cloud. Authorized subscribers can use the index to search, filter and join the data.
The searchable transformation is:
To enable join operation between data transformed by distinct policies, policies can be grouped together to produce the same ciphertext for a given plaintext. This grouping can be implemented using the SearchSpace property of the data policy.
The overall-basic usage flow is described below. The flow is not exhaustive and focuses on a basic Trust Services usage of creating a Trust Services instance, defining a data policy and sharing protected data between a data publisher and a data consumer.
In the process below, the data being shared is a blob. The Trust Services service enables clients to encrypt and decrypt data. The action of storing the protected data in Windows Azure is assumed to be performed by the application.
The first step in using the Trust Service is to create a Trust Server for the application scenario and associating the participants. This step is performed by the TSA.
Once user certificates are uploaded, the Trust Server is ready for the TSPA to perform the administration step.
The next step is to identify the data entities to be protected and create data policies on the Trust Server for all entities, protected and clear. This step is performed by the TSPA role on his machine.
At this point, the Trust Server now has a data policy defined; identifying a data entity with a set of authorized users. Now, the Data Publisher can encrypt the data on his machine.
In this step, the Data Publisher (application) encrypts the data as identified by the TSPA in his data policy. This encryption step is performed in the Data Publisher’s machine.
Now, the application can move the encrypted data to Windows Azure storage.
In this last step, the Data Consumer (application) decrypts the encrypted data as identified by the TSPA in his data policy. The encryption is performed by the Data Publisher in the step above. This decryption step is performed in the Data Consumer’s machine.
It is assumed that the Data Consumer application downloads the encrypted data first from the Windows Azure storage (placed by the Data Publisher) prior to this decrypt step.
To get additional information on Trust Services, see Learn More page.
To get started, follow Getting Started Tutorial.
Getting Started Tutorial
Download "Trust Services" SDK
Access "Trust Services" Portal
SQL Azure Labs Forums
Great Work - Very helpful - Thanks :-)
Richard Mueller edited Revision 48. Comment: Removed (en-US) from title, added tags