Azure Stack Hub 中的 Key Vault 简介Introduction to Key Vault in Azure Stack Hub
先决条件Prerequisites
- 订阅包含 Azure Key Vault 服务的产品/服务。Subscribe to an offer that includes the Azure Key Vault service.
- PowerShell 已安装并配置为用于 Azure Stack Hub。PowerShell is installed and configured for use with Azure Stack Hub.
Key Vault 基础知识Key Vault basics
Azure Stack Hub 中的 Key Vault 可帮助保护云应用和服务使用的加密密钥和机密。Key Vault in Azure Stack Hub helps safeguard cryptographic keys and secrets that cloud apps and services use. 通过使用 Key Vault,可以加密密钥和机密,例如:By using Key Vault, you can encrypt keys and secrets, such as:
- 身份验证密钥Authentication keys
- 存储帐户密钥Storage account keys
- 数据加密密钥Data encryption keys
- .pfx 文件.pfx files
- 密码Passwords
密钥保管库简化了密钥管理过程,可让你控制用于访问和加密数据的密钥。Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. 开发人员可以在几分钟内创建用于开发和测试的密钥,并无缝地将其迁移到生产密钥。Developers can create keys for development and testing in minutes, and then seamlessly migrate them to production keys. 安全管理员可以根据需要授予(和撤销)密钥权限。Security admins can grant (and revoke) permissions to keys as needed.
只要拥有 Azure Stack Hub 订阅,任何人都可以创建和使用密钥保管库。Anybody with an Azure Stack Hub subscription can create and use key vaults. 尽管 Key Vault 能够为开发人员和安全管理员提供便利,但管理组织的其他 Azure Stack Hub 服务的操作员也可以实现和管理 Key Vault。Although Key Vault benefits developers and security administrators, the operator who manages other Azure Stack Hub services for an organization can implement and manage it. 例如,Azure Stack Hub 操作员可以使用 Azure Stack Hub 订阅登录,并为组织创建用于存储密钥的保管库。For example, the Azure Stack Hub operator can sign in with an Azure Stack Hub subscription and create a vault for the organization in which to store keys. 完成此操作后,他们可以:Once that's done, they can:
- 创建或导入密钥或机密。Create or import a key or secret.
- 撤销或删除密钥或机密。Revoke or delete a key or secret.
- 授权用户或应用访问密钥保管库,以便他们随后可以管理或使用其密钥和机密。Authorize users or apps to access the key vault so they can then manage or use its keys and secrets.
- 配置密钥用法(例如,签名或加密)。Configure key usage (for example, sign or encrypt).
然后,操作员可以向开发人员提供统一资源标识符 (URI),以便从其应用调用。The operator can then provide developers with Uniform Resource Identifiers (URIs) to call from their apps.
开发人员还可使用 API 直接管理密钥。Developers can also manage the keys directly by using APIs. 有关详细信息,请参阅 Key Vault 开发人员指南。For more info, see the Key Vault developer's guide.
方案Scenarios
以下方案说明 Key Vault 如何帮助满足开发人员和安全管理员的需求。The following scenarios describe how Key Vault can help meet the needs of developers and security admins.
Azure Stack Hub 应用开发人员Developer for an Azure Stack Hub app
问题: 我想要编写使用密钥进行签名和加密的 Azure Stack Hub 应用。Problem: I want to write an app for Azure Stack Hub that uses keys for signing and encryption. 我希望这些密钥在应用外部,以便解决方案适用于地理位置分散的应用。I want these keys to be external from my app so that the solution is suitable for an app that is geographically distributed.
说明: 密钥会存储在保管库中,根据需要由 URI 调用。Statement: Keys are stored in a vault and invoked by a URI when needed.
软件即服务 (SaaS) 开发人员Developer for software as a service (SaaS)
问题: 对于客户的密钥和机密,我不想承担任何实际或潜在的法律责任。Problem: I don't want the responsibility or potential liability for my customer's keys and secrets. 我希望客户拥有并管理其密钥,这样我就可以集中精力做我最擅长的事情,即提供核心软件功能。I want customers to own and manage their keys so that I can concentrate on doing what I do best, which is providing the core software features.
说明: 客户可以在 Azure Stack Hub 中导入和管理自己的密钥。Statement: Customers can import and manage their own keys in Azure Stack Hub.
首席安全官 (CSO)Chief Security Officer (CSO)
问题: 我想要确保我的组织掌控密钥生命周期,并可监视密钥使用情况。Problem: I want to make sure that my organization is in control of the key lifecycle and can monitor key usage.
说明: Key Vault 的设计可确保 Azure 无法看到或提取你的密钥。Statement: Key Vault is designed so that Azure does not see or extract your keys. 当应用需要使用客户密钥来执行加密操作时,Key Vault 会代表应用来使用密钥。When an app needs to perform cryptographic operations by using customer keys, Key Vault uses the keys on behalf of the app. 应用看不到客户密钥。The app doesn't see the customer keys. 即使我们使用多个 Azure Stack Hub 服务和资源,你可以从 Azure Stack Hub 中的单一位置管理密钥。Although we use multiple Azure Stack Hub services and resources, you can manage the keys from a single location in Azure Stack Hub. 不论你在 Azure Stack Hub 中有几个保管库、保管库支持哪些区域以及使用哪些应用使用这些保管库,保管库都可提供单一界面。The vault provides a single interface, regardless of how many vaults you have in Azure Stack Hub, which regions they support, and which apps use them.