Encrypt Azure Data Factory with customer-managed keys

APPLIES TO: Azure Data Factory, Azure Synapse Analytics

Azure Data Factory encrypts data at rest, including entity definitions and any data cached while runs are in progress. By default, data is encrypted with a randomly generated Microsoft-managed key that is uniquely assigned to your data factory. For extra security guarantees, you can now enable Bring Your Own Key (BYOK) with the customer-managed keys feature in Azure Data Factory. When you specify a customer-managed key (CMK), Data Factory uses both the factory system key and the CMK to encrypt customer data. If either key is missing, access to the data and to the factory is denied.

Azure Key Vault is required to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The key vault and the data factory must be in the same Azure Active Directory (Azure AD) tenant and in the same region, but they may be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?

About customer-managed keys

The following diagram shows how Data Factory uses Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

Diagram showing how customer-managed keys work in Azure Data Factory.

The following list explains the numbered steps in the diagram:

  1. An Azure Key Vault admin grants permissions on the encryption key to the managed identity that is associated with the data factory.
  2. A Data Factory admin enables the customer-managed key feature in the factory.
  3. Data Factory uses the managed identity that is associated with the factory to authenticate access to Azure Key Vault via Azure Active Directory.
  4. Data Factory wraps the factory encryption key with the customer key in Azure Key Vault.
  5. For read/write operations, Data Factory sends requests to Azure Key Vault to unwrap the factory (account) encryption key so that it can perform encryption and decryption operations.

There are two ways to add customer-managed key encryption to a data factory: during factory creation in the Azure portal, or after the factory is created, in the Data Factory UI.

Prerequisites - configure Azure Key Vault and generate keys

Enable Soft Delete and Do Not Purge on Azure Key Vault

Using customer-managed keys with Data Factory requires two properties to be set on the key vault: Soft Delete and Do Not Purge (purge protection). These properties can be enabled using either PowerShell or Azure CLI on a new or existing key vault. To learn how to enable these properties on an existing key vault, see Azure Key Vault recovery management with soft delete and purge protection.

If you are creating a new Azure Key Vault through the Azure portal, Soft Delete and Do Not Purge can be enabled as follows:

Screenshot showing soft delete and purge protection being enabled while creating a key vault.

Grant Data Factory access to Azure Key Vault

Make sure Azure Key Vault and Azure Data Factory are in the same Azure Active Directory (Azure AD) tenant and in the same region. From Azure Key Vault access control, grant the data factory the following key permissions: Get, Unwrap Key, and Wrap Key. These permissions are required to enable customer-managed keys in Data Factory.

Generate or upload a customer-managed key to Azure Key Vault

You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. Only 2048-bit RSA keys are supported with Data Factory encryption. For more information, see About keys, secrets, and certificates.

Screenshot showing how to generate a customer-managed key.
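The three prerequisites above (soft delete and purge protection on the vault, Get/Wrap Key/Unwrap Key granted to the factory's identity, and a 2048-bit RSA key) are easy to get partly wrong, and a missing one only surfaces as an error when you try to enable the key. The following added example, which is not part of this article or of the Data Factory product, checks all three against the JSON that `az keyvault show` and `az keyvault key show` print. The vault and key documents below are constructed samples, the object ID is a placeholder, and the RSA modulus is fabricated to be exactly 2048 bits; the property names (`enableSoftDelete`, `enablePurgeProtection`, `accessPolicies`, `key.kty`, `key.n`) follow the CLI's output shape.

```python
"""Check a key vault and key against the Data Factory customer-managed key prerequisites.

Added example (not from the article). Inputs are dicts shaped like the JSON printed by
`az keyvault show` and `az keyvault key show`; the samples here are constructed.
"""
import base64

# Key permissions the article requires for the factory's managed identity (case-insensitive).
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}


def rsa_modulus_bits(n_b64url: str) -> int:
    """Bit length of a JWK RSA modulus ('n' is base64url without padding)."""
    padded = n_b64url + "=" * (-len(n_b64url) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big").bit_length()


def check_cmk_prerequisites(vault: dict, key: dict, factory_object_id: str) -> list:
    """Return a list of findings; an empty list means every prerequisite is satisfied."""
    findings = []
    props = vault.get("properties", {})

    if not props.get("enableSoftDelete"):
        findings.append("soft delete is not enabled on the key vault")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection (Do Not Purge) is not enabled on the key vault")

    if props.get("enableRbacAuthorization"):
        # A vault on the RBAC permission model has no access policies to inspect; the
        # factory identity needs an equivalent role assignment, which is checked elsewhere.
        findings.append("vault uses RBAC authorization; verify the factory identity's "
                        "role assignment instead of access policies")
    else:
        granted = set()
        for policy in props.get("accessPolicies", []):
            if policy.get("objectId") == factory_object_id:
                granted = {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
        missing = REQUIRED_KEY_PERMISSIONS - granted
        if missing:
            findings.append(f"factory identity lacks key permissions: {sorted(missing)}")

    jwk = key.get("key", {})
    # "RSA-HSM" is Key Vault's HSM-protected RSA key type; both carry a JWK modulus.
    if jwk.get("kty") not in ("RSA", "RSA-HSM"):
        findings.append(f"key type {jwk.get('kty')!r} is not RSA")
    elif rsa_modulus_bits(jwk.get("n", "")) != 2048:
        findings.append("key is not 2048-bit RSA")
    return findings


# Constructed sample inputs (placeholder object ID; not captured from a real tenant).
FACTORY_OBJECT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_VAULT = {
    "name": "contoso-adf-kv",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": FACTORY_OBJECT_ID,
             "permissions": {"keys": ["get", "wrapKey", "unwrapKey"], "secrets": []}}
        ],
    },
}
SAMPLE_KEY = {
    "key": {
        "kid": "https://contoso-adf-kv.vault.azure.net/keys/adf-cmk/0123456789abcdef0123456789abcdef",
        "kty": "RSA",
        # Fabricated 256-byte modulus with its top bit set, i.e. exactly 2048 bits.
        "n": base64.urlsafe_b64encode(b"\xc1" + b"\x5a" * 255).rstrip(b"=").decode(),
        "e": "AQAB",
    }
}

if __name__ == "__main__":
    for finding in check_cmk_prerequisites(SAMPLE_VAULT, SAMPLE_KEY, FACTORY_OBJECT_ID) or ["all prerequisites met"]:
        print(finding)
```

To run it against a real vault, replace the samples with `json.load` of the two CLI outputs and pass the factory's `identity.principalId` as the object ID.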

Enable customer-managed keys

Post factory creation in Data Factory UI

This section walks through the process of adding customer-managed key encryption in the Data Factory UI, after the factory is created.

Note

A customer-managed key can only be configured on an empty data factory. The data factory can't contain any resources such as linked services, pipelines, and data flows. It is recommended to enable the customer-managed key right after factory creation.

  1. Make sure that the data factory's Managed Service Identity (MSI) has Get, Unwrap Key, and Wrap Key permissions on the key vault.

  2. Ensure the data factory is empty. The data factory can't contain any resources such as linked services, pipelines, and data flows. For now, deploying a customer-managed key to a non-empty factory will result in an error.

  3. To locate the key URI in the Azure portal, navigate to Azure Key Vault and select the Keys setting. Select the wanted key, then select the key to view its versions. Select a key version to view its settings.

  4. Copy the value of the Key Identifier field, which provides the URI. Screenshot of getting the key URI from Key Vault.

  5. Launch the Azure Data Factory portal and, using the navigation bar on the left, jump to the Data Factory management portal.

  6. Click the Customer-managed key icon. Screenshot of how to enable customer-managed keys in the Data Factory UI.

  7. Enter the URI for the customer-managed key that you copied before.

  8. Click Save, and customer-managed key encryption is enabled for the data factory.

During factory creation in Azure portal

This section walks through the steps to add customer-managed key encryption in the Azure portal, during factory deployment.

To encrypt the factory, Data Factory needs to first retrieve the customer-managed key from Key Vault. Since factory deployment is still in progress, the factory's system-assigned Managed Service Identity (MSI) isn't available yet to authenticate with Key Vault. As such, to use this approach, the customer needs to assign a user-assigned managed identity (UA-MI) to the data factory. Data Factory will assume the roles granted to the UA-MI and authenticate with Key Vault.

To learn more about user-assigned managed identities, see Managed identity types and Role assignment for user-assigned managed identity.

  1. Make sure that the user-assigned managed identity (UA-MI) has Get, Unwrap Key, and Wrap Key permissions on the key vault.

  2. Under the Advanced tab, select the Enable encryption using a customer managed key check box. Screenshot of the Advanced tab for creating a data factory in the Azure portal.

  3. Provide the URL of the customer-managed key stored in Key Vault.

  4. Select an appropriate user-assigned managed identity to authenticate with Key Vault.

  5. Continue with factory deployment.

Update key version

When you create a new version of a key, update the data factory to use the new version. Follow steps similar to those described in the Data Factory UI section, including:

  1. Locate the URI for the new key version through the Azure Key Vault portal.

  2. Navigate to the Customer-managed key setting.

  3. Replace the existing value by pasting in the URI for the new key version.

  4. Click Save, and Data Factory will now encrypt with the new key version.

Use a different key

To change the key used for Data Factory encryption, you have to manually update the settings in Data Factory. Follow steps similar to those described in the Data Factory UI section, including:

  1. Locate the URI for the new key through the Azure Key Vault portal.

  2. Navigate to the Customer-managed key setting.

  3. Replace the existing value by pasting in the URI for the new key.

  4. Click Save, and Data Factory will now encrypt with the new key.
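The deploy-time flow above (user-assigned identity plus key URL supplied at creation) and the two rotation procedures (new key version, different key) all reduce to the same operation: pointing the factory's encryption settings at a Key Vault key identifier. The following added example, which is not part of this article or of the Data Factory product, parses the Key Identifier value copied from the portal into the `vaultBaseUrl`, `keyName` and `keyVersion` fields of the `encryption` block on a `Microsoft.DataFactory/factories` ARM resource (API version 2018-06-01), attaches the user-assigned identity that authenticates to Key Vault, and produces the updated resource for a key rotation. The vault, key, factory and identity names are placeholders.

```python
"""Build and rotate the customer-managed key settings of a Data Factory ARM resource.

Added example (not from the article). Property names follow the
Microsoft.DataFactory/factories resource, API version 2018-06-01; all names and
resource IDs below are placeholders.
"""
import json
from urllib.parse import urlsplit


def parse_key_identifier(key_uri: str) -> dict:
    """Split https://<vault>.vault.azure.net/keys/<name>/<version> into the encryption fields.

    Raises ValueError if the URI is not HTTPS, is not a /keys/ identifier, or has no
    version segment: the article's steps always copy a versioned Key Identifier and
    rotate by pasting the new version's URI, so a pinned version is required here.
    """
    u = urlsplit(key_uri)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("key identifier must be an https URI")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 3 or parts[0] != "keys":
        raise ValueError("expected /keys/<key-name>/<key-version> in the key identifier")
    return {
        "vaultBaseUrl": f"https://{u.netloc}/",
        "keyName": parts[1],
        "keyVersion": parts[2],
    }


def factory_resource(name: str, location: str, key_uri: str, ua_mi_resource_id: str) -> dict:
    """ARM resource for a new factory encrypted with the CMK from the moment it is deployed.

    The user-assigned identity is attached and named in encryption.identity because the
    system-assigned identity does not exist until the deployment has completed.
    """
    return {
        "type": "Microsoft.DataFactory/factories",
        "apiVersion": "2018-06-01",
        "name": name,
        "location": location,
        "identity": {
            "type": "SystemAssigned,UserAssigned",
            "userAssignedIdentities": {ua_mi_resource_id: {}},
        },
        "properties": {
            "encryption": {
                **parse_key_identifier(key_uri),
                "identity": {"userAssignedIdentity": ua_mi_resource_id},
            }
        },
    }


def rotate_key(resource: dict, new_key_uri: str) -> dict:
    """Return a copy of the resource pointing at a new key version or a different key.

    The vault, key name and version are all replaced together so a rotation to another
    key never leaves the previous key's version behind.
    """
    updated = json.loads(json.dumps(resource))  # deep copy; the original stays unchanged
    updated["properties"]["encryption"].update(parse_key_identifier(new_key_uri))
    return updated


# Placeholder values (constructed; not a real subscription, vault or key).
KEY_URI = "https://contoso-adf-kv.vault.azure.net/keys/adf-cmk/0123456789abcdef0123456789abcdef"
UA_MI_ID = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
            "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adf-cmk-identity")

if __name__ == "__main__":
    resource = factory_resource("contoso-adf", "eastus", KEY_URI, UA_MI_ID)
    print(json.dumps(resource, indent=2))
```

Drop the resulting object into the `resources` array of an ARM template to reproduce the portal's "Enable encryption using a customer managed key" option; for rotation, deploy the output of `rotate_key` with the new identifier.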

Disable customer-managed keys

By design, once the customer-managed key feature is enabled, you can't remove the extra security step. Data Factory will always expect a customer-provided key to encrypt the factory and its data.

Next steps

Go through the tutorials to learn about using Data Factory in more scenarios.