Encrypt deployment data

When running Azure Container Instances (ACI) resources in the cloud, the ACI service collects and persists data related to your containers. ACI automatically encrypts this data when it is persisted in the cloud. This encryption protects your data and helps meet your organization's security and compliance commitments. ACI also gives you the option to encrypt this data with your own key, giving you greater control over the data related to your ACI deployments.

About ACI data encryption

Data in ACI is encrypted and decrypted with 256-bit AES. Encryption is enabled for all ACI deployments, and you don't need to modify your deployment or containers to take advantage of it. The encrypted data includes metadata about the deployment, environment variables, keys passed into your containers, and logs persisted after your containers stop so that you can still view them. It covers data the ACI service itself persists, not data your containers write to mounted storage, which is governed by that storage service's own encryption. Encryption does not affect container group performance, and there is no additional cost for it.

Encryption key management

You can rely on Azure-managed keys for the encryption of your container data, or you can manage the encryption with your own keys. The following table compares these options:

                                  Azure-managed keys   Customer-managed keys
Encryption/decryption operations  Azure                Azure
Key storage                       Azure key store      Azure Key Vault
Key rotation responsibility       Azure                Customer
Key access                        Azure only           Azure, Customer

The rest of this document covers the steps required to encrypt your ACI deployment data with your own key (a customer-managed key).

Prerequisites

  • If you prefer, install the Azure CLI to run CLI reference commands.
    • If you're using a local install, sign in to the Azure CLI with the az login command. To finish the authentication process, follow the steps displayed in your terminal. See Sign in with Azure CLI for additional sign-in options.
    • When you're prompted, install Azure CLI extensions on first use. For more information about extensions, see Use extensions with Azure CLI.
    • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

Note

Before you can use the Azure CLI in Azure China, run az cloud set -n AzureChinaCloud to change the cloud environment. To switch back to global Azure, run az cloud set -n AzureCloud.

Encrypt data with a customer-managed key

Create a service principal for ACI

The first step is to ensure that your Azure tenant has a service principal for the Azure Container Instances service. This is the identity you will grant Key Vault permissions to.

Important

To run the following command and create the service principal successfully, confirm that you have permission to create service principals in your tenant.

The following CLI command sets up the ACI service principal in your Azure environment:

az ad sp create --id 6bb8e274-af5d-4df2-98a3-4fd78b4cafd9

The output of this command should show a service principal with "displayName": "Azure Container Instance Service".

If you are unable to create the service principal:

  • Confirm that you have permission to do so in your tenant.
  • Check whether a service principal for the ACI service already exists in your tenant by running az ad sp show --id 6bb8e274-af5d-4df2-98a3-4fd78b4cafd9, and use that service principal instead.

Create a Key Vault resource

Create an Azure Key Vault using the Azure portal, Azure CLI, or Azure PowerShell.

For the properties of your key vault, use the following guidelines:

  • Name: A unique name is required.
  • Subscription: Choose a subscription.
  • Resource Group: Either choose an existing resource group, or create a new one and enter its name.
  • Location: Choose a location from the pull-down menu.
  • You can leave the other options at their defaults or choose them based on additional requirements.

Important

When using customer-managed keys to encrypt ACI deployment data, enable soft delete and purge protection (Do Not Purge) on the key vault. If the key is deleted and purged, the ACI service can no longer unwrap the data encrypted under it; soft delete keeps a deleted key recoverable for the retention period, and purge protection blocks permanent deletion before that period ends. Depending on when the vault was created these properties may not be enabled, but they can be turned on with PowerShell or the Azure CLI on a new or existing key vault.

Generate a new key

Once your key vault is created, navigate to the resource in the Azure portal. On the left navigation menu of the resource blade, under Settings, click Keys. On the Keys view, click Generate/Import to generate a new key. Use any unique name for this key, and set any other options based on your requirements.


Set access policy

Create a new access policy that allows the ACI service to access your key.

  • Once your key has been generated, back in your key vault resource blade, under Settings, click Access Policies.
  • On the Access Policies page for your key vault, click Add Access Policy.
  • Set Key Permissions to include Get and Unwrap Key. Grant only these two; the service does not need any other key permission for this feature.
  • For Select Principal, select Azure Container Instance Service.
  • Click Add at the bottom.

The access policy should now appear in your key vault's access policies.


Modify your JSON deployment template

Important

Encrypting deployment data with a customer-managed key is available in API version 2019-12-01, which is currently rolling out. Specify this API version in your deployment template. If you have any issues with this, contact Azure Support.

Once the key vault key and access policy are set up, add the following properties to your ACI deployment template. To learn more about deploying ACI resources with a template, see Tutorial: Deploy a multi-container group using a Resource Manager template.

  • Under resources, set apiVersion to 2019-12-01.
  • Under the container group properties section of the deployment template, add an encryptionProperties object with the following values:
    • vaultBaseUrl: the DNS name of your key vault as an https:// URL with no path (as in the snippet below), found on the overview blade of the key vault resource in the portal
    • keyName: the name of the key generated earlier
    • keyVersion: the current version of the key. You can find it by clicking into the key itself (under Keys in the Settings section of your key vault resource); it is the last path segment of the key identifier
  • Under the container group properties, add a sku property with the value Standard. The sku property is required in API version 2019-12-01.

The following template snippet shows these additional properties for encrypting deployment data:

[...]
"resources": [
    {
        "name": "[parameters('containerGroupName')]",
        "type": "Microsoft.ContainerInstance/containerGroups",
        "apiVersion": "2019-12-01",
        "location": "[resourceGroup().location]",    
        "properties": {
            "encryptionProperties": {
                "vaultBaseUrl": "https://example.vault.azure.cn",
                "keyName": "acikey",
                "keyVersion": "xxxxxxxxxxxxxxxx"
            },
            "sku": "Standard",
            "containers": [
                [...]
            ]
        }
    }
]

Following is a complete template, adapted from the template in Tutorial: Deploy a multi-container group using a Resource Manager template.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "containerGroupName": {
      "type": "string",
      "defaultValue": "myContainerGroup",
      "metadata": {
        "description": "Container Group name."
      }
    }
  },
  "variables": {
    "container1name": "aci-tutorial-app",
    "container1image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest",
    "container2name": "aci-tutorial-sidecar",
    "container2image": "mcr.microsoft.com/azuredocs/aci-tutorial-sidecar"
  },
  "resources": [
    {
      "name": "[parameters('containerGroupName')]",
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2019-12-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "encryptionProperties": {
            "vaultBaseUrl": "https://example.vault.azure.cn",
            "keyName": "acikey",
            "keyVersion": "xxxxxxxxxxxxxxxx"
        },
        "sku": "Standard",  
        "containers": [
          {
            "name": "[variables('container1name')]",
            "properties": {
              "image": "[variables('container1image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [
                {
                  "port": 80
                },
                {
                  "port": 8080
                }
              ]
            }
          },
          {
            "name": "[variables('container2name')]",
            "properties": {
              "image": "[variables('container2image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              }
            }
          }
        ],
        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "tcp",
              "port": "80"
            },
            {
              "protocol": "tcp",
              "port": "8080"
            }
          ]
        }
      }
    }
  ],
  "outputs": {
    "containerIPv4Address": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups/', parameters('containerGroupName'))).ipAddress.ip]"
    }
  }
}

Deploy your resources

Save the edited template to a file on your local machine; the commands below assume it is named deployment-template.json.

Create a resource group with the az group create command.

az group create --name myResourceGroup --location chinaeast2

Deploy the template with the az deployment group create command.

az deployment group create --resource-group myResourceGroup --template-file deployment-template.json

Within a few seconds, you should receive an initial response from Azure. Once the deployment completes, all data related to it that the ACI service persists is encrypted with the key you provided.
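The service principal, Key Vault, key and access policy steps above, together with the deployment here, as one Azure CLI script. This is an added example and is not part of the original page or the ACI documentation. The resource names, the chinaeast2 location, the template file name and the `run` argument are assumptions; the application ID is the one the page gives, and the script expects an `az` session that is already signed in. The parse_key_id and render_encryption_properties functions need no Azure access: they turn the key identifier shown in the portal (or returned by the CLI) into the vaultBaseUrl, keyName and keyVersion fields, which are easy to fill in wrongly by pasting the whole identifier into vaultBaseUrl.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the portal steps as an Azure CLI
# script for Azure China. Resource names below are assumptions; the ACI service
# application ID is the one given in the page. Requires a signed-in `az` session.
set -eu

RG="${RG:-myResourceGroup}"
LOCATION="${LOCATION:-chinaeast2}"
KV_NAME="${KV_NAME:-aci-cmk-kv-example}"    # assumed; Key Vault names are globally unique
KEY_NAME="${KEY_NAME:-acikey}"
CONTAINER_GROUP="${CONTAINER_GROUP:-myContainerGroup}"
TEMPLATE="${TEMPLATE:-deployment-template.json}"
ACI_APP_ID="6bb8e274-af5d-4df2-98a3-4fd78b4cafd9"   # Azure Container Instance Service

# Split a Key Vault key identifier (the "Key Identifier" shown in the portal, or
# key.kid from `az keyvault key show`) of the form
#   https://<vault>.vault.azure.cn/keys/<name>/<version>
# into vaultBaseUrl, keyName and keyVersion, printed on three lines.
# Pure shell, no network. Only scheme and host go into vaultBaseUrl.
parse_key_id() {
  local kid="$1" rest host path name_ver name version
  case "$kid" in https://*) ;; *) echo "not a key identifier: $kid" >&2; return 1 ;; esac
  rest="${kid#https://}"          # <vault>.vault.azure.cn/keys/<name>/<version>
  host="${rest%%/*}"              # <vault>.vault.azure.cn
  path="${rest#*/}"               # keys/<name>/<version>
  case "$path" in keys/*/*) ;; *) echo "not a key identifier: $kid" >&2; return 1 ;; esac
  name_ver="${path#keys/}"
  name="${name_ver%%/*}"
  version="${name_ver#*/}"
  case "$version" in */*) echo "not a key identifier: $kid" >&2; return 1 ;; esac
  if [ -z "$name" ] || [ -z "$version" ]; then
    echo "not a key identifier: $kid" >&2; return 1
  fi
  printf '%s\n%s\n%s\n' "https://$host" "$name" "$version"
}

# Render the properties to paste into the container group "properties" section:
# the encryptionProperties object plus the sku that API version 2019-12-01 requires.
render_encryption_properties() {
  local fields
  fields=$(parse_key_id "$1") || return 1
  # shellcheck disable=SC2086  # intentional word splitting: one field per line
  set -- $fields
  printf '"encryptionProperties": {\n  "vaultBaseUrl": "%s",\n  "keyName": "%s",\n  "keyVersion": "%s"\n},\n"sku": "Standard",\n' "$1" "$2" "$3"
}

# Everything below talks to Azure and only runs when invoked as `<script> run`.
provision_and_deploy() {
  az cloud set -n AzureChinaCloud

  # 1. Service principal for the ACI service. `create` fails if it already exists,
  #    so fall back to looking it up. Newer CLI versions return the object ID as
  #    `id`, older ones as `objectId`; the JMESPath `||` takes whichever is present.
  az ad sp create --id "$ACI_APP_ID" >/dev/null 2>&1 || true
  aci_oid=$(az ad sp show --id "$ACI_APP_ID" --query "id || objectId" -o tsv)

  # 2. Key Vault with purge protection. Soft delete is enabled by default on current
  #    CLI versions; on older ones add `--enable-soft-delete true`.
  az group create --name "$RG" --location "$LOCATION" >/dev/null
  az keyvault create --name "$KV_NAME" --resource-group "$RG" --location "$LOCATION" \
    --enable-purge-protection true >/dev/null

  # 3. Software-protected RSA key; capture its identifier (key.kid).
  kid=$(az keyvault key create --vault-name "$KV_NAME" --name "$KEY_NAME" \
    --protection software --query key.kid -o tsv)

  # 4. Access policy with only the two key permissions the page calls for.
  az keyvault set-policy --name "$KV_NAME" --object-id "$aci_oid" \
    --key-permissions get unwrapKey >/dev/null

  # 5. Show what to paste into the template, deploy it, then read the encryption
  #    settings back from the deployed container group as a check.
  echo "Add this to the container group properties in $TEMPLATE (apiVersion 2019-12-01):"
  render_encryption_properties "$kid"
  printf 'Press Enter after saving the template... '; read -r _
  az deployment group create --resource-group "$RG" --template-file "$TEMPLATE" >/dev/null
  az container show --resource-group "$RG" --name "$CONTAINER_GROUP" \
    --query encryptionProperties -o json
}

if [ "${1:-}" = "run" ]; then
  provision_and_deploy
fi
```

Run it as `bash aci-cmk.sh run` after az login. The final az container show call is the check worth keeping in your own pipeline: if encryptionProperties comes back empty or null, the group was deployed with the wrong apiVersion or without the properties, and its persisted data is under Azure-managed keys rather than yours.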