Face service encryption of data at rest

The Face service automatically encrypts your data when it is persisted to the cloud. This encryption protects your data and helps you meet your organizational security and compliance commitments.

About Cognitive Services encryption

Data is encrypted and decrypted using FIPS 140-2 compliant 256-bit AES encryption. Encryption and decryption are transparent, meaning that encryption and access are managed for you. Your data is secure by default, and you don't need to modify your code or applications to take advantage of encryption.

About encryption key management

By default, your subscription uses Microsoft-managed encryption keys. You can also manage your subscription with your own keys, called customer-managed keys (CMK). CMK offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. If CMK is configured for your subscription, double encryption is provided, which offers a second layer of protection while allowing you to control the encryption key through your Azure Key Vault.


Customer-managed keys are only available on the E0 pricing tier. To request the ability to use customer-managed keys, fill out and submit the Face Service Customer-Managed Key Request Form. It takes approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved to use CMK with the Face service, you will need to create a new Face resource and select E0 as the pricing tier. Once your Face resource with the E0 pricing tier is created, you can use Azure Key Vault to set up your managed identity.

Customer-managed keys with Azure Key Vault

You must use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or use the Azure Key Vault APIs to generate keys. The Cognitive Services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?

When a new Cognitive Services resource is created, it is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time the resource is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity associated with the Cognitive Services resource. The managed identity is available only after the resource is created using the pricing tier required for CMK.

Enabling customer-managed keys also enables a system-assigned managed identity, a feature of Azure AD. Once the system-assigned managed identity is enabled, the resource is registered with Azure Active Directory. After registration, the managed identity is granted access to the key vault selected during customer-managed key setup.


If you disable the system-assigned managed identity, access to the key vault is removed and any data encrypted with the customer-managed key is no longer accessible. Any features that depend on this data stop working.


Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories in FAQs and known issues with managed identities for Azure resources.

Configure Azure Key Vault

Using customer-managed keys requires that two properties be set on the key vault: Soft Delete and Do Not Purge (purge protection). These properties are not enabled by default, but can be enabled using either PowerShell or Azure CLI on a new or existing key vault.


If you delete your key without the Soft Delete and Do Not Purge properties enabled, you won't be able to recover the data in your Cognitive Services resource.

To learn how to enable these properties on an existing key vault, see the sections titled Enabling soft-delete and Enabling Purge Protection in one of the following articles:

Only RSA keys of size 2048 are supported for customer-managed key encryption. For more information about keys, see Key Vault keys in About Azure Key Vault keys, secrets and certificates.
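The vault preparation described in this section (soft delete, purge protection, a 2048-bit RSA key) together with the access-policy requirement described under Customer-managed keys with Azure Key Vault, as one added PowerShell example. This is not code from the original page. It assumes the Az.KeyVault and Az.CognitiveServices modules, an existing E0-tier Face resource whose system-assigned identity is already enabled, a vault that uses the access-policy permission model rather than Azure RBAC, and placeholder names ($rg, $location, $vaultName, $keyName, $faceAccount) that you replace with your own:

```powershell
# Added example (not from the original page): prepare a key vault for Face CMK and grant
# the resource's managed identity the minimum key permissions it needs.
# All names below are placeholders you must replace.
$rg          = 'rg-face-cmk'
$location    = 'eastus'           # must be the same region as the Face resource
$vaultName   = 'kv-face-cmk-001'  # globally unique DNS name
$keyName     = 'face-cmk'
$faceAccount = 'face-e0-prod'     # existing E0-tier Face resource

# 1. Create the vault with purge protection. Purge protection cannot be switched off
#    once enabled, which is exactly the property CMK relies on.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnablePurgeProtection

# For a vault that already exists, turn purge protection on instead:
# Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -EnablePurgeProtection

# 2. Verify both properties before going further. Without them a deleted key means
#    unrecoverable data in the Face resource.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
if (-not ($vault.EnableSoftDelete -and $vault.EnablePurgeProtection)) {
    throw "Vault $vaultName must have soft delete and purge protection enabled."
}

# 3. Create a 2048-bit RSA key, the only size this page lists as supported.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software `
    -KeyType RSA -Size 2048

# 4. Grant the Face resource's system-assigned identity only get, wrapKey and unwrapKey.
#    The Identity.PrincipalId property is assumed to be populated once the identity is on.
$account     = Get-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $faceAccount
$principalId = $account.Identity.PrincipalId
if (-not $principalId) {
    throw "Enable the system-assigned managed identity on $faceAccount first."
}
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 5. The versioned key identifier is the value you paste into the resource's Encryption blade.
Write-Output "Key URI: $($key.Id)"
```

The policy deliberately omits delete, purge and update: the service only needs to wrap and unwrap its data-encryption key, so a compromised service identity should not be able to destroy or alter the key. If the vault uses Azure RBAC instead of access policies, assign the built-in "Key Vault Crypto Service Encryption User" role to the identity instead of calling Set-AzKeyVaultAccessPolicy.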

Enable customer-managed keys for your resource

To enable customer-managed keys in the Azure portal, follow these steps:

  1. Navigate to your Cognitive Services resource.

  2. On the Settings blade for your Cognitive Services resource, click Encryption. Select the Customer Managed Keys option, as shown in the following figure.


Specify a key

After you enable customer-managed keys, you can specify a key to associate with the Cognitive Services resource.

Specify a key as a URI

To specify a key as a URI, follow these steps:

  1. To locate the key URI in the Azure portal, navigate to your key vault and select the Keys setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.

  2. Copy the value of the Key Identifier field, which provides the URI.

    Screenshot showing the key vault key URI

  3. In the Encryption settings for your Cognitive Services resource, choose the Enter key URI option.

  4. Paste the URI that you copied into the Key URI field.

    Screenshot showing how to enter the key URI

  5. Specify the subscription that contains the key vault.

  6. Save your changes.

Specify a key from a key vault

To specify a key from a key vault, first make sure that you have a key vault that contains a key. Then follow these steps:

  1. Choose the Select from Key Vault option.

  2. Select the key vault containing the key you want to use.

  3. Select the key from the key vault.

  4. Save your changes.

Update the key version

When you create a new version of a key, update the Cognitive Services resource to use the new version. Follow these steps:

  1. Navigate to your Cognitive Services resource and display the Encryption settings.
  2. Enter the URI for the new key version. Alternatively, select the key vault and the key again to update the version.
  3. Save your changes.

Use a different key

To change the key used for encryption, follow these steps:

  1. Navigate to your Cognitive Services resource and display the Encryption settings.
  2. Enter the URI for the new key. Alternatively, select the key vault and choose a new key.
  3. Save your changes.

Rotate customer-managed keys

You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. When the key is rotated, you must update the Cognitive Services resource to use the new key URI. To learn how to update the resource to use a new version of the key in the Azure portal, see Update the key version.

Rotating the key does not trigger re-encryption of data in the resource. No further action is required from the user.
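The rotation and version-update procedure above (Update the key version, Rotate customer-managed keys), done from PowerShell rather than the portal, as an added example that is not from the original page. It assumes the Az.KeyVault and Az.CognitiveServices modules, placeholder names ($rg, $vaultName, $keyName, $faceAccount) that you replace with your own, and that Set-AzCognitiveServicesAccount exposes the -KeyVaultEncryption, -KeyName, -KeyVersion and -KeyVaultUri parameters; confirm the parameter names on your installed module version with Get-Help Set-AzCognitiveServicesAccount -Parameter *:

```powershell
# Added example (not from the original page): create a new key version and re-point the
# Face resource at it. All names below are placeholders you replace with your own.
$rg          = 'rg-face-cmk'
$vaultName   = 'kv-face-cmk-001'
$keyName     = 'face-cmk'
$faceAccount = 'face-e0-prod'

# 1. Rotate: adding a key under an existing name creates a new version. Older versions
#    stay in the vault, so data wrapped under them remains readable.
$newKey = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName `
    -Destination Software -KeyType RSA -Size 2048

# 2. Read the latest version back from the vault instead of trusting a pasted URI, and
#    check that it is the version just created and is enabled.
$latest = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName
if ($latest.Version -ne $newKey.Version) {
    throw "Latest version of $keyName ($($latest.Version)) is not the one just created."
}
if (-not $latest.Enabled) {
    throw "Key version $($latest.Version) is disabled."
}

# 3. Point the resource at the new version. The vault URI is the vault root; the key
#    name and version are passed separately (the same information as the versioned
#    key URI pasted in the portal). Assumed Az.CognitiveServices parameter names.
$vaultUri = (Get-AzKeyVault -VaultName $vaultName).VaultUri
Set-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $faceAccount `
    -KeyVaultEncryption -KeyName $keyName -KeyVersion $latest.Version -KeyVaultUri $vaultUri

Write-Output "Resource $faceAccount now uses $($latest.Id)"
```

Because rotation does not re-encrypt existing data, do not disable or delete the previous key version immediately after step 3; data wrapped under it is only re-wrapped on the service's own schedule, so keep the old version enabled until you have confirmed the resource is healthy on the new one.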

Revoke access to customer-managed keys

To revoke access to customer-managed keys, use PowerShell or Azure CLI. For more information, see Azure Key Vault PowerShell or Azure Key Vault CLI. Revoking access effectively blocks access to all data in the Cognitive Services resource, because the encryption key is inaccessible to Cognitive Services.
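Two ways to revoke, and then restore, the Face resource's access to its key from PowerShell, as an added example that is not from the original page. It assumes the Az.KeyVault and Az.CognitiveServices modules, a vault using access policies rather than Azure RBAC, the Identity.PrincipalId property on the account object, and placeholder names ($rg, $vaultName, $keyName, $faceAccount) that you replace with your own:

```powershell
# Added example (not from the original page): cut off, then restore, the Face resource's
# access to its customer-managed key. Names are placeholders you replace with your own.
$rg          = 'rg-face-cmk'
$vaultName   = 'kv-face-cmk-001'
$keyName     = 'face-cmk'
$faceAccount = 'face-e0-prod'

$principalId = (Get-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $faceAccount).Identity.PrincipalId
if (-not $principalId) { throw "No system-assigned identity found on $faceAccount." }

# Option A: remove only this resource's access policy. The key is untouched and other
#           consumers of the vault keep working; the Face resource can no longer unwrap
#           its data-encryption key, so all of its persisted data becomes unreadable.
Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId

# Option B: disable the key itself. This blocks every caller of the key, not just the
#           Face resource, so use it when you need a hard stop rather than a targeted one.
Update-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Enable $false

# Verify the revocation on the vault side before relying on it.
$vault = Get-AzKeyVault -VaultName $vaultName
if ($vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }) {
    throw "Access policy for $principalId is still present on $vaultName."
}
if ((Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName).Enabled) {
    throw "Key $keyName is still enabled."
}

# Restore: re-grant the minimal permissions and re-enable the key. Until both are done,
# every feature that depends on the encrypted data stays broken, as described above.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
    -PermissionsToKeys get, wrapKey, unwrapKey
Update-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Enable $true
```

Revoking is reversible and leaves the data encrypted under your key; it is distinct from disabling customer-managed keys on the resource, which moves the data back to Microsoft-managed keys.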

Disable customer-managed keys

When you disable customer-managed keys, your Cognitive Services resource is encrypted with Microsoft-managed keys instead. To disable customer-managed keys, follow these steps:

  1. Navigate to your Cognitive Services resource and display the Encryption settings.
  2. Clear the checkbox next to the Use your own key setting.

Next steps