Azure Blob Storage
Cloud Storage & Messaging
system_type: "azure_blob"
Proxy Azure Blob container reads and writes with ML-KEM-768 client-side encryption.
Overview
The Azure Blob Storage connector encrypts blob content with ML-KEM-768 + AES-256-GCM before upload and decrypts on download. Azure AD OAuth2 credentials are sealed in QuantaVault. Azure never receives plaintext data.
Endpoint: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...
Prerequisites
1. An Azure Storage Account and container
2. An Azure AD App Registration with the Storage Blob Data Contributor role on the container
3. Client ID, Client Secret, Tenant ID, and Storage Account name
4. A QuantaSeal API key
Configuration
Follow these steps to connect Azure Blob Storage to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. In Azure Portal, create an App Registration and assign it Storage Blob Data Contributor on your container.
2. Note the client_id, client_secret, and tenant_id.
3. Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client.
4. Create the integration: POST /api/v2/integrations with system_type: azure_blob and container details.
Authentication Types
Use oauth2_client with Azure AD client_credentials flow. Store client_id, client_secret, tenant_id, and storage_account_name as oauth2_client in QuantaVault.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| upload_blob | Upload a PQC-encrypted blob to a container. |
| download_blob | Download and decrypt a blob. |
| delete_blob | Delete a blob. |
| list_blobs | List blobs in a container with optional prefix filter. |
Code Example
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_01HZ9X2K4MNPQRAZUREBLOB01",
"operation": "upload_blob",
"payload": {
"container": "secure-uploads",
"blob_name": "payroll/2026-05.csv",
"content": "employee_id,salary\n1001,120000",
"content_type": "text/csv"
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted Azure upload result>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XABCDEF"
}
client.encryption.decrypt(envelope) verifies the envelope and decrypts the payload. Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass; QuantaSeal combines the two results with a bitwise & rather than a short-circuit and, so both checks always run and a failure in either rejects the envelope.
Troubleshooting
AuthorizationFailure - does not have required permission
The App Registration needs the Storage Blob Data Contributor role on the specific container (not just the storage account). Check the role assignment scope in Azure Portal.
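The upload_blob call from the Code Example section and the two-signature check it describes, written out as an added example that is not part of this page or of QuantaSeal's SDK. The proxy URL, the X-API-Key header, the request body and the envelope fields are the ones shown above; everything else is an assumption: the HMAC-SHA-512 is taken to be keyed with a per-tenant HMAC key over the canonical JSON of the "encrypted" object, ML-DSA-65 verification is supplied by the caller because the Python standard library has none, and the ciphertexts in the self-test envelope are constructed placeholders. The example also applies the Available Operations list as a client-side check before any network call, mirroring the server's default-deny policy.

```python
"""Added example (not QuantaSeal's SDK): build an upload_blob proxy request and
verify the HybridCryptoEnvelope it returns, evaluating both signatures.

Assumptions not documented on the page: the HMAC-SHA-512 input is the canonical
JSON (sorted keys, no whitespace) of the "encrypted" object, keyed with a
per-tenant HMAC key; ML-DSA-65 verification is a caller-supplied callable.
"""
import base64
import hashlib
import hmac
import json
import urllib.request
from typing import Callable

PROXY_URL = "https://api.quantaseal.io/api/v2/proxy/outbound"

# The four operations documented for azure_blob. The server enforces
# default-deny against the integration's allowed_operations; this is only a
# client-side sanity check so a typo fails before a round trip.
DOCUMENTED_OPERATIONS = frozenset({"upload_blob", "download_blob", "delete_blob", "list_blobs"})


def is_documented_operation(operation: str) -> bool:
    return operation in DOCUMENTED_OPERATIONS


def build_proxy_request(integration_id: str, operation: str, payload: dict) -> dict:
    """Body for POST /api/v2/proxy/outbound, shaped like the page's curl example."""
    if not is_documented_operation(operation):
        raise ValueError(f"{operation!r} is not an azure_blob operation")
    return {"integration_id": integration_id, "operation": operation, "payload": payload}


def build_upload_request(integration_id: str, container: str, blob_name: str,
                         content: str, content_type: str = "application/octet-stream") -> dict:
    payload = {"container": container, "blob_name": blob_name,
               "content": content, "content_type": content_type}
    return build_proxy_request(integration_id, "upload_blob", payload)


def post_proxy(api_key: str, body: dict, timeout: float = 30.0) -> dict:
    """Network call to the proxy; returns the HybridCryptoEnvelope as a dict."""
    req = urllib.request.Request(
        PROXY_URL, data=json.dumps(body).encode(), method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def signed_bytes(envelope: dict) -> bytes:
    """Assumed signing input: canonical JSON of the 'encrypted' object."""
    return json.dumps(envelope["encrypted"], sort_keys=True, separators=(",", ":")).encode()


def hmac_ok(hmac_key: bytes, signed: bytes, hmac_b64: str) -> bool:
    expected = hmac.new(hmac_key, signed, hashlib.sha512).digest()
    return hmac.compare_digest(expected, base64.b64decode(hmac_b64))


def verify_envelope(envelope: dict, hmac_key: bytes,
                    pqc_verify: Callable[[bytes, bytes], bool]) -> bool:
    signed = signed_bytes(envelope)
    sig = envelope["signature"]
    # Bitwise & evaluates both operands. A short-circuit `and` would return as
    # soon as the HMAC check failed and the ML-DSA-65 check would never run.
    return bool(hmac_ok(hmac_key, signed, sig["hmac_signature"])
                & pqc_verify(signed, base64.b64decode(sig["pqc_signature"])))


class RecordingPqcVerifier:
    """Stand-in for an ML-DSA-65 verifier; records how often it was invoked."""
    def __init__(self, result: bool) -> None:
        self.result, self.calls = result, 0

    def __call__(self, signed: bytes, signature: bytes) -> bool:
        self.calls += 1
        return self.result


def make_constructed_envelope(hmac_key: bytes) -> dict:
    """Constructed envelope with placeholder ciphertexts and a real HMAC."""
    encrypted = {
        "ciphertext_kem": base64.b64encode(b"\x00" * 1088).decode(),
        "ciphertext_data": base64.b64encode(b"constructed-ciphertext").decode(),
        "nonce": base64.b64encode(b"\x01" * 12).decode(),
        "tenant_id": "ten_CONSTRUCTED", "algorithm": "ML-KEM-768"}
    signed = json.dumps(encrypted, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(hmac_key, signed, hashlib.sha512).digest()
    return {"success": True, "encrypted": encrypted, "audit_event_id": "aud_CONSTRUCTED",
            "signature": {"pqc_signature": base64.b64encode(b"constructed-ml-dsa").decode(),
                          "hmac_signature": base64.b64encode(mac).decode(),
                          "tenant_id": "ten_CONSTRUCTED",
                          "algorithm": "ML-DSA-65+HMAC-SHA-512"}}


def tamper_ciphertext(envelope: dict) -> dict:
    """Copy of the envelope with one bit of ciphertext_data flipped."""
    copy = json.loads(json.dumps(envelope))
    raw = bytearray(base64.b64decode(copy["encrypted"]["ciphertext_data"]))
    raw[0] ^= 0x01
    copy["encrypted"]["ciphertext_data"] = base64.b64encode(bytes(raw)).decode()
    return copy


if __name__ == "__main__":
    key = b"constructed-tenant-hmac-key"
    env, pqc = make_constructed_envelope(key), RecordingPqcVerifier(True)
    print("intact:", verify_envelope(env, key, pqc))
    print("tampered:", verify_envelope(tamper_ciphertext(env), key, pqc))
    print("pqc verifier invoked", pqc.calls, "times")  # 2: never skipped
```

In use, replace RecordingPqcVerifier with a real ML-DSA-65 verifier bound to the tenant's public key, and only then hand the envelope to the decryption step (ML-KEM-768 decapsulation followed by AES-256-GCM), which this example does not implement.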