Encrypt your application data at rest using customer-managed keys

Encrypting your function app's application data at rest requires an Azure Storage Account and an Azure Key Vault. These services are used when you run your app from a deployment package.

  • Azure Storage provides encryption at rest. You can use system-provided keys or your own, customer-managed keys. This is where your application data is stored when it's not running in a function app in Azure.
  • Running from a deployment package is a deployment feature of App Service. It allows you to deploy your site content from an Azure Storage Account using a Shared Access Signature (SAS) URL.
  • Key Vault references are a security feature of App Service. They allow you to import secrets at runtime as application settings. Use this to encrypt the SAS URL of your Azure Storage Account.

Set up encryption at rest

Create an Azure Storage account

First, create an Azure Storage account and encrypt it with customer-managed keys. Once the storage account is created, use the Azure Storage Explorer to upload package files.

Next, use the Storage Explorer to generate a SAS.

Note

Save this SAS URL; it is used later to enable secure access to the deployment package at runtime.

Configure running from a package from your storage account

Once you upload your file to Blob storage and have a SAS URL for the file, set the WEBSITE_RUN_FROM_PACKAGE application setting to the SAS URL. The following example does it by using the Azure CLI:

az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="<your-SAS-URL>"

Adding this application setting causes your function app to restart. After the app has restarted, browse to it and make sure that the app has started correctly using the deployment package. If the application didn't start correctly, see the Run from package troubleshooting guide.

Encrypt the application setting using Key Vault references

Now you can replace the value of the WEBSITE_RUN_FROM_PACKAGE application setting with a Key Vault reference to the SAS-encoded URL. This keeps the SAS URL encrypted in Key Vault, which provides an extra layer of security.

  1. Use the following az keyvault create command to create a Key Vault instance.

    az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location chinanorth2

  2. Follow these instructions to grant your app access to your key vault:

  3. Use the following az keyvault secret set command to add your external URL as a secret in your key vault:

    az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"

  4. Use the following az webapp config appsettings set command to create the WEBSITE_RUN_FROM_PACKAGE application setting with the value as a Key Vault reference to the external URL:

    az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.cn/secrets/external-url/<secret-version>)"


    The <secret-version> is in the output of the previous az keyvault secret set command.

Updating this application setting causes your function app to restart. After the app has restarted, browse to it and make sure it has started correctly using the Key Vault reference.

How to rotate the access token

It is best practice to periodically rotate the SAS key of your storage account. To ensure the function app does not inadvertently lose access, you must also update the SAS URL in Key Vault.

  1. Rotate the SAS key by navigating to your storage account in the Azure portal. Under Settings > Access keys, click the icon to rotate the SAS key.

  2. Copy the new SAS URL, and use the following command to set the updated SAS URL in your key vault:

    az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"

  3. Update the Key Vault reference in your application setting to the new secret version:

    az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.cn/secrets/external-url/<secret-version>)"


    The <secret-version> is in the output of the previous az keyvault secret set command.

How to revoke the function app's data access

There are two methods to revoke the function app's access to the storage account.

Rotate the SAS key for the Azure Storage account

If the SAS key for the storage account is rotated, the function app no longer has access to the storage account, but it continues to run with the last downloaded version of the package file. Restart the function app to clear the last downloaded version.

Remove the function app's access to Key Vault

You can revoke the function app's access to the site data by disabling the function app's access to Key Vault. To do this, remove the access policy for the function app's identity. This is the same identity you created earlier while configuring Key Vault references.

Summary

Your application files are now encrypted at rest in your storage account. When your function app starts, it retrieves the SAS URL from your key vault. Finally, the function app loads the application files from the storage account.

If you need to revoke the function app's access to your storage account, you can either revoke access to the key vault or rotate the storage account keys, which invalidates the SAS URL.

Frequently Asked Questions

Is there any additional charge for running my function app from the deployment package?

Only the cost associated with the Azure Storage Account and any applicable egress charges.

How does running from the deployment package affect my function app?

  • Running your app from the deployment package makes wwwroot/ read-only. Your app receives an error when it attempts to write to this directory.
  • TAR and GZIP formats are not supported.
  • This feature is not compatible with local cache.

Next steps