Encrypt Azure Data Factory with customer-managed keys

Applies to: Azure Data Factory, Azure Synapse Analytics (preview)

Azure Data Factory encrypts data at rest, including entity definitions and any data cached while runs are in progress. By default, data is encrypted with a randomly generated, Microsoft-managed key that is uniquely assigned to your data factory. For additional security guarantees, you can now enable Bring Your Own Key (BYOK) with the customer-managed key feature in Azure Data Factory. When you specify a customer-managed key (CMK), Data Factory uses both the factory system key and the CMK to encrypt customer data. If either key is unavailable, access to the data and to the factory is denied.

Azure Key Vault is required to store customer-managed keys. You can either create your own keys and store them in a key vault, or use the Azure Key Vault APIs to generate keys. The key vault and the data factory must be in the same Azure Active Directory (Azure AD) tenant and the same region, but they may be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?

Note

A customer-managed key can only be configured on an empty data factory. The data factory can't contain any resources such as linked services or pipelines. It is recommended to enable the customer-managed key right after factory creation.

About customer-managed keys

The following diagram shows how Data Factory uses Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

Diagram showing how customer-managed keys work in Azure Data Factory

The following list explains the numbered steps in the diagram:

  1. An Azure Key Vault admin grants the managed identity associated with the data factory permissions on the encryption key
  2. A Data Factory admin enables the customer-managed key feature in the factory
  3. Data Factory uses the managed identity associated with the factory to authenticate to Azure Key Vault via Azure Active Directory
  4. Data Factory wraps the factory encryption key with the customer key in Azure Key Vault
  5. For read/write operations, Data Factory sends requests to Azure Key Vault to unwrap the factory encryption key so that it can perform encryption and decryption operations

Because the factory encryption key is only usable after a successful unwrap call, anything that blocks that call (a revoked access policy, a disabled or deleted key, a lost vault) cuts the factory off from its own data. That is why the next section requires soft delete and purge protection on the vault.

Prerequisites - configure Azure Key Vault and generate keys

Enable Soft Delete and Do Not Purge on Azure Key Vault

Using customer-managed keys with Data Factory requires two properties to be set on the key vault: Soft Delete and Do Not Purge (purge protection). Together they ensure that the key a factory depends on cannot be permanently deleted, accidentally or deliberately, while the factory still needs it. These properties can be enabled using either PowerShell or Azure CLI on a new or existing key vault. To learn how to enable them on an existing key vault, see the sections titled Enabling soft-delete and Enabling Purge Protection in the corresponding Azure Key Vault article for PowerShell or Azure CLI.

If you are creating a new Azure Key Vault through the Azure portal, Soft Delete and Do Not Purge can be enabled as follows:

Screenshot of enabling soft delete and purge protection while creating a key vault

Grant Data Factory access to Azure Key Vault

Make sure that Azure Key Vault and Azure Data Factory are in the same Azure Active Directory (Azure AD) tenant and the same region. From the Azure Key Vault access control, grant the data factory's managed identity (MSI) the following key permissions: Get, Unwrap Key, and Wrap Key. These permissions are required to enable customer-managed keys in Data Factory; the identity needs no other key, secret, or certificate permissions, so do not grant more.

Screenshot of enabling Data Factory access to the key vault

Generate or upload a customer-managed key to Azure Key Vault

You can either create your own keys and store them in a key vault, or use the Azure Key Vault APIs to generate keys. Only 2048-bit RSA keys are supported with Data Factory encryption. For more information, see About keys, secrets, and certificates.

Screenshot of generating a customer-managed key
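The three prerequisite steps above (vault protection, least-privilege access for the factory identity, and a 2048-bit RSA key) can be scripted with the Azure CLI. The script below is an added example and is not part of the original page or of Microsoft's documentation. It assumes placeholder names (rg-adf-cmk, kv-adf-cmk, adf-cmk-demo, adf-cmk), that the `datafactory` CLI extension is installed, that the factory already has a system-assigned managed identity, and that the vault uses access policies rather than Azure RBAC. With DRY_RUN=1 (the default) it only prints the commands; DRY_RUN=0 runs them.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure documentation: Azure CLI version of the
# three prerequisite steps on this page. All names are assumed placeholders;
# override them through the environment. DRY_RUN=1 (default) only prints each
# az command; DRY_RUN=0 executes it against your subscription.
set -eu

RG="${RG:-rg-adf-cmk}"              # assumed resource group
VAULT="${VAULT:-kv-adf-cmk}"        # assumed key vault (same region as the factory)
FACTORY="${FACTORY:-adf-cmk-demo}"  # assumed empty factory with a system-assigned identity
KEY_NAME="${KEY_NAME:-adf-cmk}"     # assumed key name
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: soft delete is on by default for new vaults; purge protection must be
# requested explicitly so nobody can permanently destroy the key the factory needs.
protect_vault() {
  run az keyvault update --name "$VAULT" --resource-group "$RG" --enable-purge-protection true
}

# Pure check used on the output of `az keyvault show ... -o tsv`: both the
# enableSoftDelete and enablePurgeProtection fields must be "True".
vault_is_protected() {
  [ "${1:-}" = "True" ] && [ "${2:-}" = "True" ]
}

verify_vault() {
  # shellcheck disable=SC2046  # the TSV output is meant to split into two words
  vault_is_protected $(az keyvault show --name "$VAULT" \
      --query "[properties.enableSoftDelete, properties.enablePurgeProtection]" -o tsv)
}

# Step 2: least privilege. The factory identity gets exactly the three key
# operations the page lists and nothing on secrets or certificates.
grant_factory_access() {
  run az keyvault set-policy --name "$VAULT" --object-id "$1" \
      --key-permissions get wrapKey unwrapKey
}

# Step 3: Data Factory accepts only 2048-bit RSA keys.
create_key() {
  run az keyvault key create --vault-name "$VAULT" --name "$KEY_NAME" --kty RSA --size 2048
}

main() {
  principal_id="00000000-0000-0000-0000-000000000000"   # constructed placeholder for dry runs
  protect_vault
  if [ "$DRY_RUN" != 1 ]; then
    verify_vault || { echo "$VAULT lacks soft delete or purge protection" >&2; exit 1; }
    principal_id=$(az datafactory show --factory-name "$FACTORY" --resource-group "$RG" \
        --query identity.principalId -o tsv)
  fi
  grant_factory_access "$principal_id"
  create_key
}

main "$@"
```

The verify step refuses to continue if the vault reports either flag as anything other than True, so a vault that was created without purge protection is caught before the factory is tied to it. If the vault uses Azure RBAC instead of access policies, `az keyvault set-policy` is rejected; assign the built-in Key Vault Crypto Service Encryption User role (which carries get, wrapKey and unwrapKey) to the factory identity at vault scope instead.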

Enable customer-managed keys

  1. Ensure the data factory is empty. The data factory can't contain any resources such as linked services or pipelines. For now, deploying a customer-managed key to a non-empty factory results in an error.

  2. To locate the key URI in the Azure portal, navigate to the key vault and select the Keys setting. Select the wanted key, then click it to view its versions. Select a key version to view its settings.

  3. Copy the value of the Key Identifier field, which provides the URI. It has the form https://<vault-name>.vault.azure.net/keys/<key-name>/<key-version>; copy the versioned identifier.

    Screenshot: get the key URI from the key vault

  4. Launch the Azure Data Factory portal and, using the navigation bar on the left, go to the Data Factory management page

  5. Click the Customer managed key icon

    Screenshot of enabling customer-managed keys in Data Factory

  6. Enter the URI of the customer-managed key that you copied before

  7. Click Save, and customer-managed key encryption is enabled for the data factory

Update Key Version

When you create a new version of a key, update the data factory to use the new version; the factory keeps using the version you configured until you do. Follow similar steps to those in the section Enable customer-managed keys, including:

  1. Locate the URI for the new key version through the Azure Key Vault portal

  2. Navigate to the Customer managed key setting

  3. Replace the existing value and paste in the URI for the new key version

  4. Click Save, and Data Factory will now encrypt with the new key version

Use a Different Key

To change the key used for Data Factory encryption, you have to manually update the settings in Data Factory. Follow similar steps to those in the section Enable customer-managed keys, including:

  1. Locate the URI for the new key through the Azure Key Vault portal

  2. Navigate to the Customer managed key setting

  3. Replace the existing value and paste in the URI for the new key

  4. Click Save, and Data Factory will now encrypt with the new key
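Enabling the key, updating its version, and switching to a different key (the three preceding sections) are the same operation with a different Key Identifier: the factory's `encryption` setting is set to the vault base URL, key name and key version parsed from that identifier. The script below is an added example, not code from the original page or from Microsoft; it assumes placeholder names (rg-adf-cmk, adf-cmk-demo), a constructed Key Identifier, a factory whose system-assigned identity already holds get/wrapKey/unwrapKey on the vault, and DRY_RUN=1 (the default) to print commands instead of running them. Re-running it with the new Key Identifier performs the version update or the key change.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure documentation: set the factory's
# customer-managed key from the Azure CLI. KEY_URI is the Key Identifier copied
# from the portal. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.
set -eu

RG="${RG:-rg-adf-cmk}"              # assumed resource group
FACTORY="${FACTORY:-adf-cmk-demo}"  # assumed data factory name
# Constructed placeholder identifier: vault, key name and version are invented.
KEY_URI="${KEY_URI:-https://kv-adf-cmk.vault.azure.net/keys/adf-cmk/0123456789abcdef0123456789abcdef}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Split a Key Identifier into the three fields the factory's encryption setting
# needs: vaultBaseUrl, keyName, keyVersion. The page's procedure pins a version
# and updates it by hand, so an unversioned or malformed URI is rejected here.
parse_key_uri() {
  uri="$1"
  case "$uri" in
    https://*.vault.azure.net/keys/*/*) ;;
    *) echo "not a Key Vault key identifier: $uri" >&2; return 1 ;;
  esac
  rest="${uri#https://}"
  host="${rest%%/*}"
  rest="${rest#*/keys/}"
  name="${rest%%/*}"
  version="${rest#*/}"
  case "$version" in
    "" | */* | *[!0-9a-f]*)
      echo "key identifier must end in /<keyName>/<hex version>" >&2; return 1 ;;
  esac
  printf '%s %s %s\n' "https://$host/" "$name" "$version"
}

# Build the JSON value for properties.encryption on Microsoft.DataFactory/factories.
encryption_json() {
  parsed=$(parse_key_uri "$1") || return 1
  # shellcheck disable=SC2086  # parsed is three space-separated fields
  set -- $parsed
  printf '{"vaultBaseUrl":"%s","keyName":"%s","keyVersion":"%s"}\n' "$1" "$2" "$3"
}

# Patch only properties.encryption. A GET-modify-PUT through `az resource update`
# leaves the factory's other properties (git repo, global parameters) untouched,
# which matters when rotating the key on a factory that is no longer empty.
apply_key() {
  json=$(encryption_json "$1")
  run az resource update --resource-group "$RG" --name "$FACTORY" \
      --resource-type Microsoft.DataFactory/factories --set "properties.encryption=$json"
  # Read back what the service stored; keyVersion must match the identifier you set.
  run az resource show --resource-group "$RG" --name "$FACTORY" \
      --resource-type Microsoft.DataFactory/factories --query properties.encryption -o json
}

apply_key "$KEY_URI"
```

The parser rejects an identifier that points at a secret instead of a key, one with a trailing slash, and one with no version, each of which the portal would otherwise let you paste in. The read-back at the end is the check worth keeping: if the stored keyVersion still shows the old value after a rotation, the factory is still unwrapping with the old version.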

Disable Customer-Managed Keys

By design, once the customer-managed key feature is enabled, you can't remove the extra security step. Data Factory will always require a customer-provided key to encrypt the factory and its data. Plan for this before enabling the feature: deleting the key, revoking the managed identity's access to the vault, or disabling the key version in use makes the factory and its data inaccessible, and there is no way back to Microsoft-managed keys.

Next steps

Go through the tutorials to learn about using Data Factory in more scenarios.