Azure Blob Plugin - Unable to decrypt data, version 'Ru' is not supported

Allard-Chris · July 1, 2025, 2:49pm

Hello,

I’ve activated the Azure blob plugin on a server that already has instances.
The blob is empty and I have setup the plugin with an encryption key.

Each time I try to read DICOM tags, I have these errors:

Request ID: 4b34ce5d-001e-0063-3995-ea2f29000000
I0701 16:36:05.882541           HTTP-0 Toolbox.cpp:2690] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/header (elapsed: 23429 us)
I0701 16:36:05.890683           HTTP-0 Toolbox.cpp:2685] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/metadata
I0701 16:36:05.890683           HTTP-0 Toolbox.cpp:2690] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/metadata (elapsed: 0 us)
I0701 16:36:05.896240           HTTP-0 Toolbox.cpp:2685] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/attachments
I0701 16:36:05.896240           HTTP-0 Toolbox.cpp:2690] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/attachments (elapsed: 0 us)
I0701 16:36:05.900465           HTTP-0 Toolbox.cpp:2685] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/metadata/SopClassUid
I0701 16:36:05.900465           HTTP-0 Toolbox.cpp:2690] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/metadata/SopClassUid (elapsed: 0 us)
I0701 16:36:05.902464           HTTP-0 Toolbox.cpp:2685] (http) GET /app/libs/images/icons-18-white.png
I0701 16:36:05.902464           HTTP-0 Toolbox.cpp:2690] (http) GET /app/libs/images/icons-18-white.png (elapsed: 0 us)
I0701 16:36:05.910023           HTTP-0 Toolbox.cpp:2685] (http) GET /system
I0701 16:36:05.913827           HTTP-0 Toolbox.cpp:2690] (http) GET /system (elapsed: 3804 us)
I0701 16:36:05.915832           HTTP-0 Toolbox.cpp:2685] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f
I0701 16:36:05.915832           HTTP-0 Toolbox.cpp:2690] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f (elapsed: 0 us)
I0701 16:36:05.917311           HTTP-0 Toolbox.cpp:2685] (http) GET /series/3c29a4cf-742ca637-ae167d77-145931f9-5bfda6ef
I0701 16:36:05.918316           HTTP-0 Toolbox.cpp:2690] (http) GET /series/3c29a4cf-742ca637-ae167d77-145931f9-5bfda6ef (elapsed: 1005 us)
I0701 16:36:05.919317           HTTP-0 Toolbox.cpp:2685] (http) GET /studies/103b4827-d40005df-f2ef4d8b-9129f2a4-048bc386
I0701 16:36:05.920316           HTTP-0 Toolbox.cpp:2690] (http) GET /studies/103b4827-d40005df-f2ef4d8b-9129f2a4-048bc386 (elapsed: 999 us)
I0701 16:36:05.922821           HTTP-0 Toolbox.cpp:2685] (http) GET /patients/db97d189-a237ad9b-2d8fbd11-cfd5e5c0-d39e8540
I0701 16:36:05.922821           HTTP-0 Toolbox.cpp:2690] (http) GET /patients/db97d189-a237ad9b-2d8fbd11-cfd5e5c0-d39e8540 (elapsed: 0 us)
I0701 16:36:05.926826           HTTP-0 Toolbox.cpp:2685] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/labels
I0701 16:36:05.927827           HTTP-0 Toolbox.cpp:2690] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/labels (elapsed: 1001 us)
I0701 16:36:05.933857           HTTP-0 Toolbox.cpp:2685] (http) GET /instances/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/tags
I0701 16:36:05.933857           HTTP-0 PluginsManager.cpp:162] (plugins) Azure Blob Storage (Primary: file-system): reading whole attachment 7cfab96b-6cc0-4137-bc5b-fefbdb222534 of type 1
W0701 16:36:05.935858           HTTP-0 PluginsManager.cpp:158] Azure Blob Storage (Primary: file-system): error while decrypting object 7cfab96b-6cc0-4137-bc5b-fefbdb222534: Unable to decrypt data, version 'Ru' is not supported
I0701 16:36:05.935858           HTTP-0 PluginsManager.cpp:162] (plugins) Azure Blob Storage (Secondary: object-storage): reading whole attachment 7cfab96b-6cc0-4137-bc5b-fefbdb222534 of type 1
E0701 16:36:05.952590           HTTP-0 PluginsManager.cpp:154] Azure Blob Storage (Secondary: object-storage): error while reading object 7cfab96b-6cc0-4137-bc5b-fefbdb222534: AzureBlobStorage: error opening file for reading 7cfab96b-6cc0-4137-bc5b-fefbdb222534.dcm.enc: 404 The specified blob does not exist.

If I set StorageEncryption to false, there is no more problem.
The azure.json is like this:

{
    "AzureBlobStorage": {
        "ConnectionString": "****",
        "ContainerName": "test-orthanc-storage-plugin",
        "CreateContainerIfNotExists": true,
        "RootPath": "",
        "MigrationFromFileSystemEnabled": false,
        "StorageStructure": "flat",
		"StorageEncryption": {
            "Enable": true,
            "MasterKey": [
                1,
                "C:\\Program Files\\Orthanc Server\\Configuration\\master.key"
            ],
            "MaxConcurrentInputSize": 1024
        },
        "HybridMode": "WriteToFileSystem"
    }
}

What does the term ‘Ru’ meaning ?
Thanks in advance for your help.

alainmazy · July 2, 2025, 7:31am

Hi @Allard-Chris

I have just updated the doc in the book:

Note : You can not enable StorageEncryption once files have already been stored without encryption. The plugin is unable to handle both encrypted and unencrypted files at the same time.

Best,

Alain

Allard-Chris · July 2, 2025, 3:03pm

Hello,

Thank you very much, it’s a very good idea to have added the information in the documentation.

Just to make sure I’ve understood correctly, can’t we add the encryption functionality from the moment we already have instances (on local disk or the blob) or if only we’ve already archived on the blob without encryption?

The following test seems to confirm that this is the case as soon as an instance arrives on the orthanc, regardless of storage (locally or blob):

Run a new fresh Orthanc server without the Azure plugin.
Upload some instances locally.
Stop the server and enable Azure plugin with encryption.
Can’t access previous uploaded instances (that are still locally on disk)

Thanks in advance.
Regards.

Allard-Chris · July 3, 2025, 1:10pm

I have made other tests and there is something I don’t understand:

I create a new orthanc server without enable Azure plugin.
I import some instances on it that I can read without difficulty with the web viewer.
I stop the server, activate the plugin (with encryption) and turn it back on.
Can’t read anymore instances (like with “Deep Zoom viewer” tool) with these logs:

I0703 14:48:36.969305           HTTP-4 Toolbox.cpp:2685] (http) GET /wsi/frames-pyramids/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/0
I0703 14:48:36.969305           HTTP-4 OrthancPlugins.cpp:2671] (plugins) Delegating HTTP request to plugin for URI: /wsi/frames-pyramids/79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f/0
I0703 14:48:36.969305           HTTP-4 wsi:/Plugin.cpp:154] Accessing pyramid of frame 0 in instance 79d57ad0-60beeeea-861b5d8f-f222e427-309b9a9f
I0703 14:48:36.969305           HTTP-4 PluginsManager.cpp:162] (plugins) Azure Blob Storage (Primary: file-system): reading whole attachment df947311-d261-4981-ad4f-653019b8ca3e of type 1
W0703 14:48:36.974818           HTTP-4 PluginsManager.cpp:158] Azure Blob Storage (Primary: file-system): error while decrypting object df947311-d261-4981-ad4f-653019b8ca3e: Unable to decrypt data, version 'Ru' is not supported
I0703 14:48:36.974818           HTTP-4 PluginsManager.cpp:162] (plugins) Azure Blob Storage (Secondary: object-storage): reading whole attachment df947311-d261-4981-ad4f-653019b8ca3e of type 1
E0703 14:48:36.995885           HTTP-4 PluginsManager.cpp:154] Azure Blob Storage (Secondary: object-storage): error while reading object df947311-d261-4981-ad4f-653019b8ca3e: AzureBlobStorage: error opening file for reading df947311-d261-4981-ad4f-653019b8ca3e.dcm.enc: 404 The specified blob does not exist.

Stop the server, disable the plugin and turn it back on.
Can read back all instances.

I thought the encryption system was only to protect instances on external storage, but it seems that if you activate the plugin for the first time, with encryption, and you already have instances, then it can’t work.

In the end, the only use case is to activate the Azure plugin with encryption when installing the Orthanc server.

It can’t be done after that.

Allard-Chris · July 8, 2025, 7:08am

Hi @alainmazy

Thank you for updating the documentation.
Do you confirm that encryption can only be activated if no instances is already present in the Orthanc database?

I thought that encryption was only about external storage and didn’t impact local storage.

Regards,
Chris

alainmazy · July 9, 2025, 7:35am

Yes.

No, all files are encrypted.