flytzen
commented
1 year ago Having thought about this carefully and considering that even Azure Blob Storage Client-side encryption uses AES-CBC with the envelope method then I think it is good enough here.
The added Authenticated Encryption step makes this library stronger than Blob Storage. I am not qualified to say whether it becomes as good as AES-GCM, though I suspect not.
Netstandard2.1 supporta AES GCM which both had some performance benefits and should remove the need to sign with Key Vault (need to dig into that a bit). But, it's only in 2.1 onwards so would render apps on older Frameworks unable to use it.