Rotate the Transparent Data Encryption (TDE) protector

APPLIES TO: Azure SQL Database, Azure Synapse Analytics (SQL DW)

This article describes key rotation for a server using a TDE protector from Azure Key Vault. Rotating the logical TDE protector for a server means switching to a new asymmetric key that protects the databases on the server. Key rotation is an online operation and should only take a few seconds to complete, because it only decrypts and re-encrypts each database's data encryption key (DEK), not the database itself.

This guide discusses two options to rotate the TDE protector on the server.

Note

A paused Azure Synapse Analytics SQL pool must be resumed before key rotation.

Important

Do not delete previous versions of the key after a rollover. When keys are rolled over, some data is still encrypted with the previous keys, such as older database backups.

Prerequisites

  • This how-to guide assumes that you are already using a key from Azure Key Vault as the TDE protector for Azure SQL Database or Azure Synapse Analytics. See Transparent Data Encryption with BYOK Support.
  • You must have Azure PowerShell installed and running.

For Az module installation instructions, see Install Azure PowerShell. For specific cmdlets, see AzureRM.Sql.

Important

The PowerShell Azure Resource Manager (RM) module is still supported, but all future development is for the Az.Sql module. The AzureRM module will continue to receive bug fixes until at least December 2020. The arguments for the commands in the Az module and in the AzureRM module are substantially identical. For more about their compatibility, see Introducing the new Azure PowerShell Az module.

Manual key rotation

Manual key rotation uses the following commands to add a completely new key, which could be under a new key name or even in another key vault. This approach also supports adding the same key to different key vaults for high-availability and geo-DR scenarios.

Note

The combined length of the key vault name and the key name cannot exceed 94 characters.

Use the Add-AzKeyVaultKey, Add-AzSqlServerKeyVaultKey, and Set-AzSqlServerTransparentDataEncryptionProtector cmdlets.

# add a new key to Key Vault
Add-AzKeyVaultKey -VaultName <keyVaultName> -Name <keyVaultKeyName> -Destination <hardwareOrSoftware>

# add the new key from Key Vault to the server
Add-AzSqlServerKeyVaultKey -KeyId <keyVaultKeyId> -ServerName <logicalServerName> -ResourceGroup <SQLDatabaseResourceGroupName>
# set the key as the TDE protector for all resources under the server
Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId <keyVaultKeyId> `
   -ServerName <logicalServerName> -ResourceGroup <SQLDatabaseResourceGroupName>
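The three commands above carry out the rotation but do not show whether it took effect. The following script is an added example, not code from the original page or from Microsoft; it runs the same three steps end to end, records the protector before and after, and fails loudly if the server still reports the old key. It assumes the placeholder values in the variables at the top are replaced with your own resource group, server, vault and key names, that the Az.Sql and Az.KeyVault modules are loaded, and that the key is created in a hardware security module (-Destination HSM). The parameter is spelled -ResourceGroupName here; the page's shorter -ResourceGroup resolves to the same parameter by prefix.

```powershell
# Added example (not from the original page): manual TDE protector rotation
# with a before/after check. All names below are placeholders (assumptions).
$resourceGroup = "<SQLDatabaseResourceGroupName>"
$serverName    = "<logicalServerName>"
$vaultName     = "<keyVaultName>"
$keyName       = "<keyVaultKeyName>"

# Guard against the limit stated on the page before creating anything.
if (($vaultName.Length + $keyName.Length) -gt 94) {
    throw "Key vault name plus key name exceeds 94 characters."
}

# Record the current protector so the script can confirm that it changed.
$before = Get-AzSqlServerTransparentDataEncryptionProtector `
    -ResourceGroupName $resourceGroup -ServerName $serverName
Write-Host "Current protector: $($before.KeyId) (type $($before.Type))"

# 1. Create a new key in Key Vault. If $keyName already exists, this creates
#    a new version of it; earlier versions are left in place.
$newKey   = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination HSM
$newKeyId = $newKey.Id   # versioned URI: https://<vault>.vault.azure.net/keys/<name>/<version>

# 2. Register the new key (by its versioned ID) with the server.
Add-AzSqlServerKeyVaultKey -ResourceGroupName $resourceGroup `
    -ServerName $serverName -KeyId $newKeyId

# 3. Make it the TDE protector. The server re-wraps each database's DEK;
#    the data pages themselves are not rewritten, which is why this is fast.
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $resourceGroup `
    -ServerName $serverName -Type AzureKeyVault -KeyId $newKeyId

# 4. Verify that the server now reports the new key as its protector.
$after = Get-AzSqlServerTransparentDataEncryptionProtector `
    -ResourceGroupName $resourceGroup -ServerName $serverName
if ($after.Type -ne "AzureKeyVault" -or $after.KeyId -ne $newKeyId) {
    throw "TDE protector was not switched; server still reports $($after.KeyId)."
}
Write-Host "TDE protector is now $newKeyId"

# Previous key versions stay in Key Vault on purpose: older backups are still
# wrapped with them. Listing the versions confirms nothing was removed.
Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName -IncludeVersions |
    Select-Object Name, Version, Enabled, Created
```

The final listing is the check a practitioner wants after a rotation: the new version should appear alongside every older version, all still enabled. If a restore of an older backup is ever needed, the server has to be able to unwrap that backup's DEK with the version that protected it at the time.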

Switch TDE protector mode

Next steps