This plugin provides Azure Blob Storage capabilities to the Orthanc server. Azure already provides means to secure data at rest by simply enabling KeyVault encryption. This is usually not enough to properly secure PHI that's why this plugin also provides a highly secure client-side AES-256 encryption of all data stored within the Azure Blob Storage.
The client-side enryption uses AES-256 CBC encryption combined with a envelop technique leveraging the AzureKeyVault for securely storing the key encryption key (kek)
Each data object uploaded to the blob storage will be encrypted following the principle of
- Creating a one-time content encryption key (cek)
- Encrypting the data with that cek
- Encrypting the cek with a key encryption key provided by the Azure Key Vault
- Storing encryption meta data alongside the encrypted data blob
This mechanism makes sure that the actual kek is never available on the client-side. Wraping as well as unwraping is exectuted by the Azure Key Vault REST API providing only encrypted and decrypted content to the client-side.
To enable the plugin within your Orthanc server, setup the location of the plugin within the Orthanc configuration file.
Windows:
"Plugins" : [
"OrthancAzureBlobStorage.dll"
]Linux:
"Plugins" : [
"OrthancAzureBlobStorage.so"
]MacOS:
"Plugins" : [
"OrthancAzureBlobStorage.dylib"
]After that either add the plugin specific configuration into Orthanc's main configuration file, or setup Orthanc to parse all json files within a folder.
{
"AzureBlobStorage" : {
"EnableStorage" : true,
"ConnectionString" : "",
"ContainerName" : "",
"EncryptionEnabled" : true,
"AzureKeyVault": {
"baseUrl" : "https://xxx-yyyy.vault.azure.net/",
"clientId" : "1a816e71-9ae0-4666-a6d1-cac05c5de767",
"clientSecret" : "rwifi2d3456sCslZn40jDDzgZDuhpCp93qZjKX9Y4=",
"kid" : "OrthancKek"
}
}
}In order to use the client-side encryption mechanism, add the following options to your json configuration within the plugin area
"AzureBlobStorage" : {
"EncryptionEnabled" : true,
"KeyDecayCount": 10000,
"KeyPoolSize": 10,
"AzureKeyVault": {
"baseUrl" : "https://xxx-yyyy.vault.azure.net/",
"clientId" : "1a816e71-9ae0-4666-a6d1-cac05c5de767",
"clientSecret" : "rwifi2d3456sCslZn40jDDzgZDuhpCp93qZjKX9Y4=",
"kid" : "https://xxx-yyyy.vault.azure.net/OrthancKek/3b3f64de68ab4c43abcd42085786b6dd"
}
}Make sure your client has the rights to execute wrap and unwrap functions on your AzureKeyVault instance, otherwise the encryption of the data will fail.
Encryption and communication with AzureKeyVault creates some overhead, since every CEK needs to be encrypted using AzureKeyVault. In the worst-case this means that every single images gets it's own CEK which makes the highest security possible. In order to speed up the encryption and processing time, you can set the KeyDecayCount. This value will define how often a CEK is allowed to be re-used before it will be renewed. Only on renewal a communication with KeyVault needs to happen, which speeds up the process quite a bit. Additionally this plugin implements a KeyPool approach that keeps a number of hot keys for decryption to prevent constant communication with AzureKeyVault for decrypting the CEK. Setting the KeyPoolSize to 0 will make the highest security setting, since no key will be kept.
The plugin can be build on all major platforms.
To build on a Unix/MacOS system use the provided scripts that are simply invoking cmake with the correct parameters
# bootstrap the system in order to retrieve necessary thridparties libraries as well as the orthanc sources
./bootstrap.sh
./build.shYou can use docker to build the plugin for Unix. Make sure you have the latest docker-compose installed.
docker-compose build orthanc
docker-compose build sdk
docker-compose build orthanc-pluginsThe latest Orthanc with the plugin already installed is available on dockerhub. In order to have the plugin work correctly make sure you add a proper configuration when running your container.
Create a file containing the json content described as above and then mount that file into /etc/orthanc/ on the docker environment. Also make sure you assign all ports correctly
docker run -p 8042:8042 -p 4242:4242 -v plugin-config.json:/etc/orthanc/plugin-config.json mschmieder/orthanc-plugins:latestThe default Orthanc config is being used. In order to access your Orthanc instance you will need to provide the user credentials
Username: orthanc
Password: orthanc