Data encryption in Azure Cosmos DB

Encryption at rest is a phrase that commonly refers to the encryption of data on nonvolatile storage devices, such as solid-state drives (SSDs) and hard disk drives (HDDs). Cosmos DB stores its primary databases on SSDs. Its media attachments and backups are stored in Azure Blob storage, which is generally backed by HDDs. With the release of encryption at rest for Cosmos DB, all your databases, media attachments, and backups are encrypted. Your data is now encrypted in transit (over the network) and at rest (on nonvolatile storage), giving you end-to-end encryption.

As a PaaS service, Cosmos DB is very easy to use. Because all user data stored in Cosmos DB is encrypted at rest and in transit, you don't have to take any action. Another way to put this is that encryption at rest is "on" by default. There are no controls to turn it off or on. Azure Cosmos DB uses AES-256 encryption in all regions where the account is running. We provide this feature while we continue to meet our availability and performance SLAs.

Implementation of encryption at rest for Azure Cosmos DB

Encryption at rest is implemented using a number of security technologies, including secure key storage systems, encrypted networks, and cryptographic APIs. Systems that decrypt and process data have to communicate with systems that manage keys. The following diagram shows how the storage of encrypted data and the management of keys are separated.

Design diagram

The basic flow of a user request is as follows:

  • The user database account is made ready, and storage keys are retrieved via a request to the Management Service Resource Provider.
  • A user creates a connection to Cosmos DB via HTTPS/secure transport. (The SDKs abstract the details.)
  • The user sends a JSON document to be stored over the previously created secure connection.
  • The JSON document is indexed unless the user has turned off indexing.
  • Both the JSON document and the index data are written to secure storage.
  • Periodically, data is read from the secure storage and backed up to the Azure Encrypted Blob Store.

Frequently asked questions

Q: How much more does Azure Storage cost if Storage Service Encryption is enabled?

A: There is no additional cost.

Q: Who manages the encryption keys?

A: The keys are managed by 21Vianet.

Q: How often are encryption keys rotated?

A: 21Vianet has a set of internal guidelines for encryption key rotation, which Cosmos DB follows. The specific guidelines are not published. Azure does publish the Security Development Lifecycle (SDL), which is seen as a subset of the internal guidance and has useful best practices for developers.

Q: Can I use my own encryption keys?

A: Cosmos DB is a PaaS service, and we worked hard to keep the service easy to use. We've noticed this question is often asked as a proxy question for meeting a compliance requirement such as PCI-DSS. As part of building this feature, we worked with compliance auditors to ensure that customers who use Cosmos DB meet their requirements without the need to manage keys themselves.

Q: Which regions have encryption turned on?

A: All Azure Cosmos DB regions have encryption turned on for all user data.

Q: Does encryption affect the performance latency and throughput SLAs?

A: There is no impact on, or change to, the performance SLAs now that encryption at rest is enabled for all existing and new accounts. You can read more on the SLA for Cosmos DB page to see the latest guarantees.

Q: Does the local emulator support encryption at rest?

A: The emulator is a standalone dev/test tool and does not use the key management services that the managed Cosmos DB service uses. Our recommendation is to enable BitLocker on drives where you store sensitive emulator test data. The emulator supports changing the default data directory as well as using a well-known location.
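Because the emulator does not encrypt its data files itself, the practical check is whether the volume holding its data directory is actually BitLocker-protected. The following PowerShell script is an added example, not part of the Cosmos DB documentation or the emulator: it takes the emulator data directory as a parameter (the example path and the use of the emulator's /DataPath= startup option to relocate that directory are assumptions here), resolves the drive it sits on, and reports the BitLocker protection and encryption status using the Windows BitLocker module's Get-BitLockerVolume cmdlet.

```powershell
# Added example (not from the Cosmos DB docs): verify that the drive holding the
# emulator's data directory is fully BitLocker-protected before putting sensitive
# test data there. Requires the Windows BitLocker PowerShell module and, for
# Get-BitLockerVolume, an elevated session.
param(
    # Hypothetical path; pass whatever directory the emulator was started with
    # (the assumption here is the emulator's /DataPath= option).
    [string]$DataPath = "C:\CosmosEmulatorData"
)

function Test-EmulatorDataVolumeProtected {
    param([Parameter(Mandatory)][string]$Path)

    # Resolve the path if it already exists; otherwise check the drive it would land on.
    $resolved = if (Test-Path -LiteralPath $Path) {
        (Resolve-Path -LiteralPath $Path).Path
    } else {
        $Path
    }

    # "C:\CosmosEmulatorData" -> "C:\" -> "C:" (the BitLocker mount point form).
    $root = [System.IO.Path]::GetPathRoot($resolved)
    if ([string]::IsNullOrEmpty($root)) {
        throw "DataPath must be an absolute path, got '$Path'."
    }
    $mountPoint = $root.TrimEnd('\')

    # Ask BitLocker for the state of that volume.
    $vol = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction Stop

    # Protection is only meaningful when key protectors are on AND the volume has
    # finished encrypting; an in-progress volume still has plaintext sectors.
    [pscustomobject]@{
        DataPath         = $resolved
        MountPoint       = $mountPoint
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted, FullyDecrypted
        EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes256
        Protected        = (($vol.ProtectionStatus -eq 'On') -and
                            ($vol.VolumeStatus -eq 'FullyEncrypted'))
    }
}

$result = Test-EmulatorDataVolumeProtected -Path $DataPath
$result | Format-List

if (-not $result.Protected) {
    Write-Warning ("Emulator data directory '{0}' is on volume {1}, which is not fully " +
                   "BitLocker-protected (ProtectionStatus={2}, VolumeStatus={3}). " +
                   "Enable BitLocker on that volume or move the data directory to a protected one.") -f
                   $result.DataPath, $result.MountPoint, $result.ProtectionStatus, $result.VolumeStatus
    exit 1
}
```

Run it as an administrator with the same directory you pass to the emulator; a non-zero exit code is convenient for wiring the check into a developer-machine or CI setup script so that sensitive test data is never written to an unprotected drive.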

Next steps

For an overview of Cosmos DB security and the latest improvements, see Azure Cosmos DB database security. For more information about our certifications, see the Azure Trust Center.