Transparent data encryption for SQL Database, SQL Managed Instance, and Azure Synapse Analytics

Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed SQL databases and must be manually enabled for older databases of Azure SQL Database and Azure SQL Managed Instance. TDE must be manually enabled for Azure Synapse Analytics.

TDE performs real-time I/O encryption and decryption of the data at the page level. Each page is decrypted when it's read into memory and then encrypted before being written to disk. TDE encrypts the storage of an entire database by using a symmetric key called the Database Encryption Key (DEK). On database startup, the encrypted DEK is decrypted and then used for decryption and re-encryption of the database files in the SQL Server database engine process. The DEK is protected by the TDE protector. The TDE protector is either a service-managed certificate (service-managed transparent data encryption) or an asymmetric key stored in Azure Key Vault (customer-managed transparent data encryption).

For Azure SQL Database and Azure Synapse, the TDE protector is set at the server level and is inherited by all databases associated with that server. For Azure SQL Managed Instance, the TDE protector is set at the instance level and is inherited by all encrypted databases on that instance. The term server refers to both server and instance throughout this document, unless stated otherwise.

Important

All newly created databases in SQL Database are encrypted by default by using service-managed transparent data encryption. Existing SQL databases created before May 2017 and SQL databases created through restore, geo-replication, and database copy are not encrypted by default. Existing SQL Managed Instance databases created before February 2019 are not encrypted by default. SQL Managed Instance databases created through restore inherit their encryption status from the source.

Note

TDE cannot be used to encrypt system databases, such as the master database, in Azure SQL Database and Azure SQL Managed Instance. The master database contains objects that are needed to perform the TDE operations on the user databases. It is recommended not to store any sensitive data in the system databases.

Service-managed transparent data encryption

In Azure, the default setting for TDE is that the DEK is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256. If a database is in a geo-replication relationship, both the primary and geo-secondary databases are protected by the primary database's parent server key. If two databases are connected to the same server, they also share the same built-in certificate. Azure automatically rotates these certificates in compliance with the internal security policy, and the root key is protected by an Azure internal secret store. Customers can verify SQL Database and SQL Managed Instance compliance with internal security policies in independent third-party audit reports available on the Azure Trust Center.

Azure also seamlessly moves and manages the keys as needed for geo-replication and restores.

Customer-managed transparent data encryption - Bring Your Own Key

Customer-managed TDE is also referred to as Bring Your Own Key (BYOK) support for TDE. In this scenario, the TDE protector that encrypts the DEK is a customer-managed asymmetric key, which is stored in a customer-owned and managed Azure Key Vault (Azure's cloud-based external key management system) and never leaves the key vault. The TDE protector can be generated by the key vault. SQL Database, SQL Managed Instance, and Azure Synapse need to be granted permissions to the customer-owned key vault to decrypt and encrypt the DEK. If the server's permissions to the key vault are revoked, the database becomes inaccessible and all data stays encrypted.

With TDE with Azure Key Vault integration, users can control key management tasks including key rotation, key vault permissions, and key backups, and can enable auditing/reporting on all TDE protectors using Azure Key Vault functionality. Key Vault provides central key management and enables separation of duties between management of keys and management of data, to help meet compliance with security policies. To learn more about BYOK for Azure SQL Database and Azure Synapse, see Transparent data encryption with Azure Key Vault integration.

To start using TDE with Azure Key Vault integration, see the how-to guide Turn on transparent data encryption by using your own key from Key Vault.

Move a transparent data encryption-protected database

You don't need to decrypt databases for operations within Azure. The TDE settings on the source database or primary database are transparently inherited on the target. Operations that are included involve:

  • Geo-restore
  • Self-service point-in-time restore
  • Restoration of a deleted database
  • Active geo-replication
  • Creation of a database copy
  • Restore of a backup file to Azure SQL Managed Instance

Important

Taking a manual COPY-ONLY backup of a database encrypted by service-managed TDE is not supported in Azure SQL Managed Instance, since the certificate used for encryption is not accessible. Use the point-in-time restore feature to move this type of database to another SQL Managed Instance, or switch to a customer-managed key.

When you export a TDE-protected database, the exported content of the database isn't encrypted. This exported content is stored in unencrypted BACPAC files. Be sure to protect the BACPAC files appropriately and enable TDE after import of the new database is finished.

For example, if the BACPAC file is exported from a SQL Server instance, the imported content of the new database isn't automatically encrypted. Likewise, if the BACPAC file is imported to a SQL Server instance, the new database also isn't automatically encrypted.

The one exception is when you export a database to and from SQL Database. TDE is enabled on the new database, but the BACPAC file itself still isn't encrypted.

Manage transparent data encryption

Manage TDE in the Azure portal.

To configure TDE through the Azure portal, you must be connected as the Azure Owner, Contributor, or SQL Security Manager.

Enable and disable TDE on the database level. For Azure SQL Managed Instance, use Transact-SQL (T-SQL) to turn TDE on and off on a database. For Azure SQL Database and Azure Synapse, you can manage TDE for the database in the Azure portal after you've signed in with the Azure Administrator or Contributor account. Find the TDE settings under your user database. By default, service-managed transparent data encryption is used. A TDE certificate is automatically generated for the server that contains the database.
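The following T-SQL is an added example and is not part of the original page. It ties together two points above: the Important note that databases created through restore, geo-replication, or copy may not be encrypted, and the instruction to use T-SQL to turn TDE on and off on a managed instance. It is meant to be run in the master database of an Azure SQL Managed Instance with a login that can alter databases; the database name SalesDb is an assumption.

```sql
-- Added example (not from the original page). Run in master on an Azure SQL
-- Managed Instance. The database name [SalesDb] is assumed.

-- 1. Find user databases that are not encrypted. A database restored, copied or
--    geo-replicated from an unencrypted source stays unencrypted even though
--    newly created databases are encrypted by default. System databases are
--    excluded because TDE cannot encrypt them.
SELECT name, is_encrypted
FROM sys.databases
WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb')
  AND is_encrypted = 0;

-- 2. Turn TDE on for a database returned by the query above. The DEK is
--    generated and protected by the instance-level TDE protector; the data
--    pages are then encrypted by a background scan.
ALTER DATABASE [SalesDb] SET ENCRYPTION ON;

-- 3. Monitor the scan and confirm which kind of protector wraps the DEK.
--    encryption_state: 0 = no DEK present, 1 = unencrypted,
--    2 = encryption in progress, 3 = encrypted, 4 = key change in progress,
--    5 = decryption in progress.
--    encryptor_type is CERTIFICATE for service-managed TDE and
--    ASYMMETRIC KEY for a customer-managed (BYOK) protector in Key Vault.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length,
       encryptor_type,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;

-- 4. Turning TDE off is the reverse operation; the data pages are decrypted
--    by a background scan (encryption_state 5 while it runs).
-- ALTER DATABASE [SalesDb] SET ENCRYPTION OFF;
```

Treat step 1 as a recurring check rather than a one-off: every restore or copy is a chance for a database to appear without TDE, and the query is cheap to run from a scheduled job or a monitoring pipeline. Do not consider a database protected until encryption_state reaches 3, since a backup taken while the scan is still in progress contains pages that are not yet encrypted.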

Screenshot: service-managed transparent data encryption settings in the Azure portal

You set the TDE master key, known as the TDE protector, at the server or instance level. To use TDE with BYOK support and protect your databases with a key from Key Vault, open the TDE settings under your server.

Screenshot: transparent data encryption with Bring Your Own Key support in the Azure portal