Encryption of secure assets in Azure Automation

Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are protected in Azure Automation using multiple levels of encryption. Based on the top-level key used for the encryption, there are two models for encryption:

  • Using Microsoft-managed keys
  • Using keys that you manage

Microsoft-managed keys

By default, your Azure Automation account uses Microsoft-managed keys.

Each secure asset is encrypted and stored in Azure Automation using a unique key (Data Encryption Key) that is generated for each Automation account. These keys themselves are encrypted and stored in Azure Automation using yet another unique key that is generated for each account, called an Account Encryption Key (AEK). These account encryption keys are encrypted and stored in Azure Automation using Microsoft-managed keys.

Keys that you manage with Key Vault (preview)

You can manage encryption of secure assets for your Automation account with your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the Automation account. This in turn is used to encrypt and decrypt all the secure assets. Customer-managed keys offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your secure assets.

Use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. For more information about Azure Key Vault, see What is Azure Key Vault?

Use of customer-managed keys for an Automation account

When you use encryption with customer-managed keys for an Automation account, Azure Automation wraps the account encryption key with the customer-managed key in the associated key vault. Enabling customer-managed keys does not impact performance, and the account is encrypted with the new key immediately, without any delay.

A new Automation account is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the account is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Automation account. The managed identity is available only after the storage account is created.

When you modify the key being used for Azure Automation secure asset encryption, by enabling or disabling customer-managed keys, updating the key version, or specifying a different key, the encryption of the account encryption key changes, but the secure assets in your Azure Automation account do not need to be re-encrypted.

Note

To enable customer-managed keys, you need to make Azure Automation REST API calls using api-version 2020-01-13-preview.

Prerequisites for using customer-managed keys in Azure Automation

Before enabling customer-managed keys for an Automation account, you must ensure the following prerequisites are met:

  • The customer-managed key is stored in an Azure Key Vault.
  • Enable both the Soft Delete and Do Not Purge properties on the key vault. These features are required to allow recovery of keys in case of accidental deletion.
  • Only RSA keys are supported with Azure Automation encryption. For more information about keys, see About Azure Key Vault keys, secrets, and certificates.
  • The Automation account and the key vault can be in different subscriptions, but need to be in the same Azure Active Directory tenant.

Assignment of an identity to the Automation account

To use customer-managed keys with an Automation account, your Automation account needs to authenticate against the key vault storing the customer-managed keys. Azure Automation uses a system-assigned managed identity to authenticate the account with Azure Key Vault. For more information about managed identities, see What are managed identities for Azure resources?

Configure a system-assigned managed identity for the Automation account using the following REST API call:

PATCH https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

Request body:

{
  "identity": {
    "type": "SystemAssigned"
  }
}

The system-assigned identity for the Automation account is returned in a response similar to the following:

{
 "name": "automation-account-name",
 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name",
 ..
 "identity": {
    "type": "SystemAssigned",
    "principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
 },
..
}

Configuration of the Key Vault access policy

Once a managed identity is assigned to the Automation account, you configure access to the key vault storing the customer-managed keys. Azure Automation requires the get, recover, wrapKey, and unwrapKey permissions on the customer-managed keys.

Such an access policy can be set using the following REST API call:

PUT https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2018-02-14

Request body:

{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
        "objectId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "permissions": {
          "keys": [
            "get",
            "recover",
            "wrapKey",
            "unwrapKey"
          ],
          "secrets": [],
          "certificates": []
        }
      }
    ]
  }
}

Note

The tenantId and objectId fields must be provided with the values of identity.tenantId and identity.principalId respectively, taken from the managed identity response for the Automation account.

Change the configuration of the Automation account to use a customer-managed key

Finally, you can switch your Automation account from Microsoft-managed keys to customer-managed keys using the following REST API call:

PATCH https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview

Request body:

{
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultProperties": {
        "keyName": "sample-vault-key",
        "keyvaultUri": "https://sample-vault-key12.vault.azure.cn",
        "keyVersion": "7c73556c521340209371eaf623cc099d"
      }
    }
  }
}

Sample response

{
  "name": "automation-account-name",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name",
  ..
  "properties": {
    ..
    "encryption": {
      "keyvaultProperties": {
        "keyName": "sample-vault-key",
        "keyvaultUri": "https://sample-vault-key12.vault.azure.cn",
        "keyVersion": "7c73556c521340209371eaf623cc099d"
      },
      "keySource": "Microsoft.Keyvault"
    },
    ..
  }
}
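The three REST steps above (assign the identity, grant the vault access policy, switch the account to the customer-managed key) chained together as an added example; this is not Microsoft's code. It assumes the caller supplies an authenticated send(method, url, body) callable that returns the decoded JSON response, and it checks the note about tenantId/objectId before the policy is sent.

```python
ARM = "https://management.chinacloudapi.cn"           # Azure China endpoint used on this page
AUTOMATION_API = "2020-01-13-preview"                  # api-version required for customer-managed keys
KEYVAULT_API = "2018-02-14"
REQUIRED_KEY_PERMISSIONS = {"get", "recover", "wrapKey", "unwrapKey"}

def account_url(subscription, resource_group, account):
    return (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}/providers/"
            f"Microsoft.Automation/automationAccounts/{account}?api-version={AUTOMATION_API}")

def vault_policy_url(subscription, resource_group, vault):
    return (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}/providers/"
            f"Microsoft.KeyVault/vaults/{vault}/accessPolicies/add?api-version={KEYVAULT_API}")

def access_policy_body(identity_response):
    # tenantId/objectId are taken from identity.tenantId / identity.principalId of the PATCH response
    identity = identity_response.get("identity") or {}
    if identity.get("type") != "SystemAssigned" or "principalId" not in identity:
        raise ValueError("account has no system-assigned managed identity yet")
    return {"properties": {"accessPolicies": [{
        "tenantId": identity["tenantId"],
        "objectId": identity["principalId"],
        "permissions": {"keys": sorted(REQUIRED_KEY_PERMISSIONS), "secrets": [], "certificates": []},
    }]}}

def encryption_body(vault_uri, key_name, key_version):
    if not vault_uri.startswith("https://") or not key_version:
        raise ValueError("keyvaultUri must use https and keyVersion must be set")
    return {"properties": {"encryption": {"keySource": "Microsoft.Keyvault",
        "keyvaultProperties": {"keyName": key_name, "keyvaultUri": vault_uri, "keyVersion": key_version}}}}

def policy_covers_identity(policy_body, identity_response):
    # does the vault policy grant the account identity every key permission Automation needs?
    identity = identity_response["identity"]
    for policy in policy_body["properties"]["accessPolicies"]:
        if (policy["objectId"] == identity["principalId"] and policy["tenantId"] == identity["tenantId"]
                and REQUIRED_KEY_PERMISSIONS <= set(policy["permissions"]["keys"])):
            return True
    return False

def enable_customer_managed_key(send, sub, rg, account, vault_sub, vault_rg, vault,
                                vault_uri, key_name, key_version):
    # send(method, url, body) is an assumed authenticated transport supplied by the caller
    identity = send("PATCH", account_url(sub, rg, account), {"identity": {"type": "SystemAssigned"}})
    policy = access_policy_body(identity)
    send("PUT", vault_policy_url(vault_sub, vault_rg, vault), policy)  # vault may be in another subscription
    return send("PATCH", account_url(sub, rg, account), encryption_body(vault_uri, key_name, key_version))
```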

Rotation of a customer-managed key

You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. When the key is rotated, you must update the Automation account to use the new key URI.

Rotating the key does not trigger re-encryption of secure assets in the Automation account. There is no further action required.

Revocation of access to a customer-managed key

To revoke access to customer-managed keys, use PowerShell or the Azure CLI. For more information, see Azure Key Vault PowerShell or Azure Key Vault CLI. Revoking access effectively blocks access to all secure assets in the Automation account, as the encryption key is inaccessible to Azure Automation.
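The key hierarchy from the Microsoft-managed keys section (asset under a Data Encryption Key, DEK under the Account Encryption Key, AEK wrapped by the key in Key Vault), together with the rotation and revocation behaviour described above, modelled as an added example that is not Microsoft's code. It assumes a symmetric wrap primitive built from an HMAC-SHA256 keystream so it runs with the standard library alone; Azure actually wraps with an RSA key in Key Vault, so the cipher is a stand-in, while the structure (rotation re-wraps only the AEK, revocation blocks every asset) is what the page describes.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream: an illustrative stand-in, not Azure's cipher
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def wrap(key, data):
    # encrypt-then-MAC, so unwrapping with the wrong key fails instead of returning garbage
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KeyVault:
    # customer-managed key versions; access=False models a revoked access policy
    def __init__(self):
        self.versions, self.access = {}, True
    def create_version(self):
        version = os.urandom(8).hex()
        self.versions[version] = os.urandom(32)
        return version
    def key(self, version):
        if not self.access:
            raise PermissionError("Key Vault access policy revoked")
        return self.versions[version]

class AutomationAccount:
    # asset -> DEK -> AEK -> customer-managed key: the hierarchy the page describes
    def __init__(self, vault, key_version):
        self.vault, self.key_version = vault, key_version
        self.wrapped_aek = wrap(vault.key(key_version), os.urandom(32))
        self.assets = {}  # name -> (DEK wrapped by AEK, asset wrapped by DEK)
    def _aek(self):
        return unwrap(self.vault.key(self.key_version), self.wrapped_aek)
    def put(self, name, secret):
        dek = os.urandom(32)
        self.assets[name] = (wrap(self._aek(), dek), wrap(dek, secret))
    def get(self, name):
        wrapped_dek, blob = self.assets[name]
        return unwrap(unwrap(self._aek(), wrapped_dek), blob)
    def rotate(self, new_version):
        # re-wrap only the AEK under the new key version; stored assets and their DEKs are untouched
        self.key_version, self.wrapped_aek = new_version, wrap(self.vault.key(new_version), self._aek())
        return 0  # number of assets re-encrypted
```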

Next steps