Remove a Transparent Data Encryption (TDE) protector using PowerShell

Applies to: Azure SQL Database, Azure Synapse Analytics (SQL DW)

This topic describes how to respond to a potentially compromised TDE protector for Azure SQL Database or Azure Synapse Analytics that is using TDE with customer-managed keys in Azure Key Vault - Bring Your Own Key (BYOK) support. To learn more about BYOK support for TDE, see the overview page.

Note

The procedures outlined in this article should only be done in extreme cases or in test environments. Review the steps carefully, as deleting actively used TDE protectors from Azure Key Vault will result in the databases becoming unavailable.

If a key is ever suspected to be compromised, such that a service or user had unauthorized access to the key, it's best to delete the key.

Keep in mind that once the TDE protector is deleted in Key Vault, within up to 10 minutes all encrypted databases will start denying all connections with the corresponding error message and change their state to Inaccessible.

This how-to guide goes over two approaches depending on the desired result after a compromise incident response:

  • To keep the databases in Azure SQL Database / Azure Synapse Analytics accessible.
  • To make the databases in Azure SQL Database / Azure Synapse Analytics (formerly SQL Data Warehouse) inaccessible.

Prerequisites

  • You must have an Azure subscription and be an administrator on that subscription.
  • You must have Azure PowerShell installed and running.
  • This how-to guide assumes that you are already using a key from Azure Key Vault as the TDE protector for an Azure SQL Database or Azure Synapse (formerly SQL Data Warehouse). See Transparent Data Encryption with BYOK Support to learn more.

For Az module installation instructions, see Install Azure PowerShell. For specific cmdlets, see AzureRM.Sql.

Important

The PowerShell Azure Resource Manager (RM) module is still supported, but all future development is for the Az.Sql module. The AzureRM module will continue to receive bug fixes until at least December 2020. The arguments for the commands in the Az module and in the AzureRm module are substantially identical. For more about their compatibility, see Introducing the new Azure PowerShell Az module.

Check TDE Protector thumbprints

The following steps outline how to check the TDE Protector thumbprints still in use by the Virtual Log Files (VLFs) of a given database. The thumbprint of the database's current TDE protector, and the database ID, can be found by running:

SELECT [database_id],
       [encryption_state],
       [encryptor_type], /* asymmetric key means AKV, certificate means service-managed keys */
       [encryptor_thumbprint]
  FROM [sys].[dm_database_encryption_keys]

The following query returns the VLFs and the thumbprint of the TDE Protector each one uses. Each distinct thumbprint refers to a different key in Azure Key Vault (AKV):

SELECT * FROM sys.dm_db_log_info (database_id) -- database_id: the value returned by the query above

Alternatively, you can use PowerShell or the Azure CLI:

The PowerShell command Get-AzureRmSqlServerKeyVaultKey provides the thumbprint of the TDE Protector used in the query, so you can see which keys to keep and which keys to delete in AKV. Only keys no longer used by the database can be safely deleted from Azure Key Vault.
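The comparison described above, as an added example (not code from the original article): the two DMV queries are run in each database and their thumbprints are matched against the keys registered on the server, so that only keys nothing still references are flagged as safe to delete. It assumes the Az.Sql module, an existing Connect-AzAccount session, and the SqlServer module's Invoke-Sqlcmd with a login that can read the encryption DMVs; the Uri/ServerKeyName/Thumbprint property names are those returned by Get-AzSqlServerKeyVaultKey.

```powershell
# Added example, not from the original article. Assumes Az.Sql, a signed-in
# Connect-AzAccount session, and Invoke-Sqlcmd (SqlServer module) with a login
# that can read sys.dm_database_encryption_keys and sys.dm_db_log_info.
function Get-TdeKeyRetirementReport {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$ServerName,      # logical server name only
        [Parameter(Mandatory)][string[]]$DatabaseName,  # check every database on the server
        [Parameter(Mandatory)][pscredential]$SqlCredential
    )
    # Thumbprints referenced by the current protector and by every encrypted VLF,
    # as upper-case hex without the 0x prefix so they compare with the Az output.
    $query = @"
SELECT CONVERT(varchar(40), encryptor_thumbprint, 2) AS thumbprint
FROM sys.dm_database_encryption_keys
WHERE encryptor_thumbprint IS NOT NULL
UNION
SELECT DISTINCT CONVERT(varchar(40), vlf_encryptor_thumbprint, 2)
FROM sys.dm_db_log_info(DB_ID())
WHERE vlf_encryptor_thumbprint IS NOT NULL;
"@
    $inUse = foreach ($db in $DatabaseName) {
        Invoke-Sqlcmd -ServerInstance "$ServerName.database.windows.net" -Database $db `
            -Credential $SqlCredential -Query $query |
            ForEach-Object { $_.thumbprint.ToUpperInvariant() }
    }
    $inUse = @($inUse | Sort-Object -Unique)

    # One row per key registered on the server. A key is only safe to delete from
    # AKV when no database (current protector or any VLF) still references it.
    Get-AzSqlServerKeyVaultKey -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
        ForEach-Object {
            $tp = ([string]$_.Thumbprint).ToUpperInvariant()
            [pscustomobject]@{
                ServerKeyName = $_.ServerKeyName
                KeyUri        = $_.Uri
                Thumbprint    = $tp
                SafeToDelete  = ($inUse -notcontains $tp)
            }
        }
}
```

Run it once per logical server with the full list of its databases; a key reported as SafeToDelete on one database but still in use by another must be kept.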

Keep encrypted resources accessible

  1. Create a new key in Key Vault. Make sure this new key is created in a separate key vault from the potentially compromised TDE protector, since access control is provisioned on a vault level.

  2. Add the new key to the server using the Add-AzSqlServerKeyVaultKey and Set-AzSqlServerTransparentDataEncryptionProtector cmdlets and update it as the server's new TDE protector.

    # add the key from Key Vault to the server  
    Add-AzSqlServerKeyVaultKey -ResourceGroupName <SQLDatabaseResourceGroupName> -ServerName <LogicalServerName> -KeyId <KeyVaultKeyId>
    
    # set the key as the TDE protector for all resources under the server
    Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName <SQLDatabaseResourceGroupName> `
        -ServerName <LogicalServerName> -Type AzureKeyVault -KeyId <KeyVaultKeyId>
    
  3. Make sure the server and any replicas have updated to the new TDE protector using the Get-AzSqlServerTransparentDataEncryptionProtector cmdlet.

    Note

    It may take a few minutes for the new TDE protector to propagate to all databases and secondary databases under the server.

    Get-AzSqlServerTransparentDataEncryptionProtector -ServerName <LogicalServerName> -ResourceGroupName <SQLDatabaseResourceGroupName>
    
  4. Take a backup of the new key in Key Vault.

    # -OutputFile parameter is optional; if removed, a file name is automatically generated.
    Backup-AzKeyVaultKey -VaultName <KeyVaultName> -Name <KeyVaultKeyName> -OutputFile <DesiredBackupFilePath>
    
  5. Delete the compromised key from Key Vault using the Remove-AzKeyVaultKey cmdlet.

    Remove-AzKeyVaultKey -VaultName <KeyVaultName> -Name <KeyVaultKeyName>
    
  6. To restore a key to Key Vault in the future, use the Restore-AzKeyVaultKey cmdlet:

    Restore-AzKeyVaultKey -VaultName <KeyVaultName> -InputFile <BackupFilePath>
    
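Steps 2 to 5 above chained into one function, as an added example (not code from the original article). The order matters: the suspect key is removed only after the primary and every replica server report the new KeyId and the new key has been backed up. It assumes the Az.Sql and Az.KeyVault modules, a signed-in Connect-AzAccount session, that the new key already exists in a separate vault (step 1), and the $Servers hashtable list format is a convention of this script, not of the cmdlets.

```powershell
# Added example, not from the original article. $Servers lists the primary
# logical server plus any geo-replica servers, each as
# @{ ResourceGroupName = '...'; ServerName = '...' } (this script's convention).
function Invoke-TdeProtectorRotation {
    param(
        [Parameter(Mandatory)][hashtable[]]$Servers,
        [Parameter(Mandatory)][string]$NewKeyId,      # full Key Vault key URI of the new key
        [Parameter(Mandatory)][string]$NewVaultName,
        [Parameter(Mandatory)][string]$NewKeyName,
        [Parameter(Mandatory)][string]$OldVaultName,  # vault holding the suspect key
        [Parameter(Mandatory)][string]$OldKeyName,
        [string]$BackupFile = "$PWD\$NewKeyName.backup",
        [int]$TimeoutMinutes = 15
    )
    # Step 2 on every server: register the new key and make it the protector.
    foreach ($s in $Servers) {
        Add-AzSqlServerKeyVaultKey @s -KeyId $NewKeyId | Out-Null
        Set-AzSqlServerTransparentDataEncryptionProtector @s -Type AzureKeyVault -KeyId $NewKeyId | Out-Null
    }
    # Step 3: poll until the primary and every replica report the new KeyId.
    # Propagation takes minutes, and the old key must stay until it completes.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = @($Servers | Where-Object {
            $p = Get-AzSqlServerTransparentDataEncryptionProtector `
                     -ResourceGroupName $_.ResourceGroupName -ServerName $_.ServerName
            $p.Type -ne 'AzureKeyVault' -or $p.KeyId -ne $NewKeyId
        })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds 30 }
    } while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
    if ($pending.Count -gt 0) {
        throw "New protector not active on: $($pending.ServerName -join ', '); old key left in place."
    }
    # Step 4: back up the new key before touching the old one.
    Backup-AzKeyVaultKey -VaultName $NewVaultName -Name $NewKeyName -OutputFile $BackupFile | Out-Null
    # Step 5: remove the suspect key. The cmdlet prompts for confirmation unless
    # -Force is added; Restore-AzKeyVaultKey -InputFile restores from a backup file.
    Remove-AzKeyVaultKey -VaultName $OldVaultName -Name $OldKeyName
    return $BackupFile
}
```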

Make encrypted resources inaccessible

  1. Drop the databases that are being encrypted by the potentially compromised key.

    The database and log files are automatically backed up, so a point-in-time restore of the database can be done at any point (as long as you provide the key). The databases must be dropped before deletion of an active TDE protector to prevent potential data loss of up to 10 minutes of the most recent transactions.

  2. Back up the key material of the TDE protector in Key Vault.

  3. Remove the potentially compromised key from Key Vault.

Note

It may take around 10 minutes for any permission changes to take effect for the key vault. This includes revoking access permissions to the TDE protector in AKV, and users within this time frame may still have access permissions.

Next steps