Use customer-managed keys to encrypt your App Configuration data

Azure App Configuration encrypts sensitive information at rest. The use of customer-managed keys provides enhanced data protection by allowing you to manage your encryption keys. When managed key encryption is used, all sensitive information in App Configuration is encrypted with a user-provided Azure Key Vault key. This provides the ability to rotate the encryption key on demand. It also provides the ability to revoke Azure App Configuration's access to sensitive information by revoking the App Configuration instance's access to the key.

Overview

Azure App Configuration encrypts sensitive information at rest using a 256-bit AES encryption key provided by Microsoft. Every App Configuration instance has its own encryption key, managed by the service and used to encrypt sensitive information. Sensitive information includes the values found in key-value pairs. When the customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Azure Active Directory. The managed identity then calls Azure Key Vault and wraps the App Configuration instance's encryption key. The wrapped encryption key is then stored, and the unwrapped encryption key is cached within App Configuration for one hour. App Configuration refreshes the unwrapped version of the App Configuration instance's encryption key hourly. This ensures availability under normal operating conditions.

Important

If the identity assigned to the App Configuration instance is no longer authorized to unwrap the instance's encryption key, or if the managed key is permanently deleted, then it will no longer be possible to decrypt sensitive information stored in the App Configuration instance. Using Azure Key Vault's soft-delete function mitigates the chance of accidentally deleting your encryption key.

When users enable the customer-managed key capability on their Azure App Configuration instance, they control the service's ability to access their sensitive information. The managed key serves as a root encryption key. A user can revoke their App Configuration instance's access to their managed key by changing their key vault access policy. When this access is revoked, App Configuration will lose the ability to decrypt user data within one hour. At this point, the App Configuration instance will forbid all access attempts. This situation is recoverable by granting the service access to the managed key once again. Within one hour, App Configuration will be able to decrypt user data and operate under normal conditions.

Note

All Azure App Configuration data is stored for up to 24 hours in an isolated backup. This includes the unwrapped encryption key. This data is not immediately available to the service or service team. In the event of an emergency restore, Azure App Configuration will re-revoke itself from the managed key data.

Requirements

The following components are required to successfully enable the customer-managed key capability for Azure App Configuration:

  • Standard tier Azure App Configuration instance

  • Azure Key Vault with soft-delete and purge-protection features enabled

  • An RSA key within the Key Vault

    • The key must not be expired, it must be enabled, and it must have both wrap and unwrap capabilities enabled

Once these resources are configured, two steps remain to allow Azure App Configuration to use the Key Vault key:

  1. Assign a managed identity to the Azure App Configuration instance
  2. Grant the identity GET, WRAP, and UNWRAP permissions in the target Key Vault's access policy.

Enable customer-managed key encryption for your Azure App Configuration instance

To begin, you will need a properly configured Azure App Configuration instance. If you do not yet have an App Configuration instance available, follow one of these quickstarts to set one up:

Create and configure an Azure Key Vault

  1. Create an Azure Key Vault using the Azure CLI. Note that both vault-name and resource-group-name are user-provided and must be unique. We use contoso-vault and contoso-resource-group in these examples.

    az keyvault create --name contoso-vault --resource-group contoso-resource-group
    
  2. Enable soft-delete and purge-protection for the Key Vault. Substitute the names of the Key Vault (contoso-vault) and Resource Group (contoso-resource-group) created in step 1.

    az keyvault update --name contoso-vault --resource-group contoso-resource-group --enable-purge-protection --enable-soft-delete
    
  3. Create a Key Vault key. Provide a unique key-name for this key, and substitute the name of the Key Vault (contoso-vault) created in step 1.

    az keyvault key create --name key-name --kty RSA --vault-name contoso-vault
    

    The output from this command shows the key ID ("kid") for the generated key. Make a note of the key ID to use later in this exercise. The key ID has the form: https://{my key vault}.vault.azure.cn/keys/{key-name}/{Key version}. The key ID has three important components:

    1. Key Vault URI: https://{my key vault}.vault.azure.cn
    2. Key Vault key name: {Key Name}
    3. Key Vault key version: {Key version}
  4. Create a system-assigned managed identity using the Azure CLI, substituting the name of your App Configuration instance and the resource group used in the previous steps. The managed identity will be used to access the managed key. We use contoso-app-config to illustrate the name of an App Configuration instance:

    az appconfig identity assign --name contoso-app-config --resource-group contoso-resource-group --identities [system]
    

    The output of this command includes the principal ID ("principalId") and tenant ID ("tenantId") of the system-assigned identity. These IDs will be used to grant the identity access to the managed key.

    {
    "principalId": {Principal Id},
    "tenantId": {Tenant Id},
    "type": "SystemAssigned",
    "userAssignedIdentities": null
    }
    
  5. The managed identity of the Azure App Configuration instance needs access to the key to perform key validation, encryption, and decryption. The specific set of actions to which it needs access includes: GET, WRAP, and UNWRAP for keys. Granting the access requires the principal ID of the App Configuration instance's managed identity. This value was obtained in the previous step. It is shown below as contoso-principalId. Grant permission to the managed key using the command line:

    az keyvault set-policy -n contoso-vault --object-id contoso-principalId --key-permissions get wrapKey unwrapKey
    
  6. Once the Azure App Configuration instance can access the managed key, we can enable the customer-managed key capability in the service using the Azure CLI. Recall the following properties recorded during the key creation steps: key name, key version, and key vault URI.

    az appconfig update -g contoso-resource-group -n contoso-app-config --encryption-key-name key-name --encryption-key-version key-version --encryption-key-vault key-vault-Uri
    

Your Azure App Configuration instance is now configured to use a customer-managed key stored in Azure Key Vault.
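The requirements listed earlier (soft-delete, purge protection, an enabled and unexpired RSA key with wrap and unwrap operations) and the key ID components from step 3 can be verified before the final `az appconfig update` command is run. The following Python script is an added example, not code from this article, from Microsoft or from the Azure CLI. It takes the JSON objects that `az keyvault show`, `az keyvault key show` and `az appconfig identity assign` print, checks them against the requirements, splits the key ID into vault URI, key name and key version, and assembles the `az keyvault set-policy` and `az appconfig update` commands from steps 5 and 6. The sample objects embedded below are constructed, and the field names (`properties.enableSoftDelete`, `properties.enablePurgeProtection`, `key.kid`, `key.kty`, `key.keyOps`, `attributes.enabled`, `attributes.expires`, `principalId`) are assumed to match the CLI output shape.

```python
"""Pre-flight check before enabling customer-managed keys on Azure App Configuration.

Added example, not code from the article or from Microsoft. It validates the JSON
that the Azure CLI prints and assembles the final commands. All sample objects are
constructed; field names are assumed to follow the Azure CLI output shape.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Operations the App Configuration identity needs on the key (article, step 5).
REQUIRED_KEY_OPS = {"wrapKey", "unwrapKey"}


def parse_key_id(kid):
    """Split https://{vault}.vault.azure.cn/keys/{key-name}/{version} into the
    three components the article lists: vault URI, key name, key version."""
    url = urlparse(kid)
    parts = [p for p in url.path.split("/") if p]
    if url.scheme != "https" or len(parts) != 3 or parts[0] != "keys":
        raise ValueError(f"not a versioned Key Vault key ID: {kid}")
    return {"vault_uri": f"https://{url.netloc}",
            "key_name": parts[1],
            "key_version": parts[2]}


def check_vault(vault):
    """Requirement: soft-delete and purge protection must both be enabled."""
    props = vault.get("properties", {})
    problems = []
    if not props.get("enableSoftDelete"):
        problems.append("soft-delete is not enabled")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is not enabled")
    return problems


def check_key(key, now=None):
    """Requirement: an enabled, unexpired RSA key with wrap and unwrap enabled."""
    now = now or datetime.now(timezone.utc)
    props, attrs = key["key"], key["attributes"]
    problems = []
    # Key Vault reports HSM-backed RSA keys as "RSA-HSM", so match the prefix.
    if not str(props.get("kty", "")).startswith("RSA"):
        problems.append(f"key type is {props.get('kty')!r}, an RSA key is required")
    if not attrs.get("enabled"):
        problems.append("key is disabled")
    expires = attrs.get("expires")
    if expires:
        exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if exp.tzinfo is None:  # treat a naive timestamp as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append(f"key expired at {expires}")
    missing = REQUIRED_KEY_OPS - set(props.get("keyOps") or [])
    if missing:
        problems.append(f"key is missing operations: {sorted(missing)}")
    return problems


def build_commands(resource_group, store, vault_name, identity, kid):
    """Steps 5 and 6 of the article, filled in from the identity output and key ID."""
    k = parse_key_id(kid)
    principal = identity["principalId"]
    return [
        f"az keyvault set-policy -n {vault_name} --object-id {principal} "
        f"--key-permissions get wrapKey unwrapKey",
        f"az appconfig update -g {resource_group} -n {store} "
        f"--encryption-key-name {k['key_name']} "
        f"--encryption-key-version {k['key_version']} "
        f"--encryption-key-vault {k['vault_uri']}",
    ]


# Constructed sample data (no real resources); purge protection is left off so
# that the check has something to report.
SAMPLE_VAULT = {"name": "contoso-vault",
                "properties": {"enableSoftDelete": True, "enablePurgeProtection": False}}
SAMPLE_KEY = {
    "key": {"kid": "https://contoso-vault.vault.azure.cn/keys/contoso-key/0123456789abcdef0123456789abcdef",
            "kty": "RSA",
            "keyOps": ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]},
    "attributes": {"enabled": True, "expires": None},
}
SAMPLE_IDENTITY = {"principalId": "00000000-0000-0000-0000-000000000000",
                   "tenantId": "11111111-1111-1111-1111-111111111111",
                   "type": "SystemAssigned", "userAssignedIdentities": None}

if __name__ == "__main__":
    # With real resources, feed json.loads(subprocess.check_output(["az", ...]))
    # into these functions instead of the constructed samples.
    problems = check_vault(SAMPLE_VAULT) + check_key(SAMPLE_KEY)
    for p in problems:
        print("FIX BEFORE ENABLING:", p)
    if not problems:
        for cmd in build_commands("contoso-resource-group", "contoso-app-config",
                                  SAMPLE_VAULT["name"], SAMPLE_IDENTITY,
                                  SAMPLE_KEY["key"]["kid"]):
            print(cmd)
```

Run as written, the script reports that purge protection is missing on the constructed vault and prints nothing else; once every check returns an empty list it prints the two commands, with the key name, key version and vault URI taken from the `kid` rather than retyped by hand, which is where a wrong version or a trailing slash in the vault URI would otherwise slip in.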

Next Steps

In this article, you configured your Azure App Configuration instance to use a customer-managed key for encryption. Learn how to integrate your service with Azure Managed Identities.