Configure customer-managed keys for DBFS using the Azure CLI

Important

This feature is in Public Preview.

Note

This feature is available only in the Azure Databricks Premium Plan.

You can use the Azure CLI to configure your own encryption key to encrypt the DBFS root storage account. You must use Azure Key Vault to store the key.

For more information about customer-managed keys for DBFS, see Configure customer-managed keys for DBFS root.

Install the Azure Databricks CLI extension

  1. Install the Azure CLI.

  2. Install the Azure Databricks CLI extension.

    az extension add --name databricks

Prepare a new or existing Azure Databricks workspace for encryption

Replace the placeholder values in brackets with your own values. The <workspace-name> is the resource name as displayed in the Azure portal.

az login
az account set --subscription <subscription-id>

Prepare for encryption during workspace creation:

az databricks workspace create --name <workspace-name> --location <workspace-location> --resource-group <resource-group> --sku premium --prepare-encryption

Prepare an existing workspace for encryption:

az databricks workspace update --name <workspace-name> --resource-group <resource-group> --prepare-encryption

Note the principalId field in the storageAccountIdentity section of the command output. You will provide it as the managed identity value when you configure your key vault.

For more information about Azure CLI commands for Azure Databricks workspaces, see the az databricks workspace command reference.

Create a new key vault

The key vault that you use to store customer-managed keys for root DBFS must have two key protection settings enabled, Soft Delete and Purge Protection. To create a new key vault with these settings enabled, run the following commands.

Replace the placeholder values in brackets with your own values.

az keyvault create \
        --name <key-vault> \
        --resource-group <resource-group> \
        --location <region> \
        --enable-soft-delete \
        --enable-purge-protection

For more information about enabling Soft Delete and Purge Protection using the Azure CLI, see How to use Key Vault soft-delete with CLI.

Configure the key vault access policy

Set the access policy for the key vault so that the Azure Databricks workspace has permission to access it, using the az keyvault set-policy command.

Replace the placeholder values in brackets with your own values.

az keyvault set-policy \
        --name <key-vault> \
        --resource-group <resource-group> \
        --object-id <managed-identity>  \
        --key-permissions get unwrapKey wrapKey

Replace <managed-identity> with the principalId value that you noted when you prepared your workspace for encryption.

Create a new key

Create a key in the key vault using the az keyvault key create command.

Replace the placeholder values in brackets with your own values.

az keyvault key create \
       --name <key> \
       --vault-name <key-vault>

DBFS root storage supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096. For more information about keys, see About Key Vault keys.

Configure DBFS encryption with customer-managed keys

Configure your Azure Databricks workspace to use the key you created in your Azure Key Vault.

Replace the placeholder values in brackets with your own values.

# Look up the vault URI (https://<key-vault>.vault.azure.net/)
key_vault_uri=$(az keyvault show \
  --name <key-vault> \
  --resource-group <resource-group> \
  --query properties.vaultUri \
  --output tsv)
# Take the newest key version: the last kid in the list has the form
# https://<key-vault>.vault.azure.net/keys/<key>/<version>, so the version is field 6
key_version=$(az keyvault key list-versions \
  --name <key> \
  --vault-name <key-vault> \
  --query [-1].kid \
  --output tsv | cut -d '/' -f 6)
az databricks workspace update --name <workspace-name> --resource-group <resource-group> --key-source Microsoft.KeyVault --key-name <key> --key-vault $key_vault_uri --key-version $key_version
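Before pointing the workspace at the key, it is worth confirming the two prerequisites the steps above rely on: that the key identifier really has the `/keys/<key>/<version>` shape the `cut` command assumes, and that the vault actually has Soft Delete and Purge Protection on (without Purge Protection, a deleted key can be purged and the DBFS root data becomes unrecoverable). The following is an added example, not code from the Azure documentation; the function names are assumptions, and the JSON is a constructed sample in the shape of `az keyvault show` output rather than a real resource.

```shell
#!/bin/sh
# Added example: pre-flight checks for the customer-managed key setup.
# Function names (kid_to_version, vault_ready) are assumptions.

# Extract the version from a Key Vault key identifier of the form
# https://<vault-host>/keys/<key-name>/<version>. Unlike `cut -d '/' -f 6`
# this rejects anything that does not look like a key id (the vault host
# suffix is deliberately not checked so sovereign clouds also pass).
kid_to_version() {
    kid=$1
    case "$kid" in
        https://*/keys/*/*) ;;
        *) echo "unexpected key id: $kid" >&2; return 1 ;;
    esac
    version=${kid##*/}
    key_name=${kid%/*}; key_name=${key_name##*/}
    [ -n "$version" ] && [ -n "$key_name" ] || return 1
    printf '%s\n' "$version"
}

# Return 0 only if the `az keyvault show` JSON passed as $1 reports both
# enableSoftDelete and enablePurgeProtection as true. A missing or null
# enablePurgeProtection (the default on older vaults) fails the check.
vault_ready() {
    json=$1
    printf '%s' "$json" | grep -Eq '"enableSoftDelete":[[:space:]]*true' &&
    printf '%s' "$json" | grep -Eq '"enablePurgeProtection":[[:space:]]*true'
}

# Constructed sample responses (not real resources).
SAMPLE_OK='{"name": "kv-example", "properties": {"enableSoftDelete": true, "enablePurgeProtection": true, "vaultUri": "https://kv-example.vault.azure.net/"}}'
SAMPLE_BAD='{"name": "kv-example", "properties": {"enableSoftDelete": true, "enablePurgeProtection": null, "vaultUri": "https://kv-example.vault.azure.net/"}}'

# Usage: with live resources you would feed in the real outputs, e.g.
#   vault_ready "$(az keyvault show --name <key-vault> --resource-group <resource-group> -o json)"
if vault_ready "$SAMPLE_OK" && ! vault_ready "$SAMPLE_BAD"; then
    echo "vault checks behave as expected"
fi
kid_to_version 'https://kv-example.vault.azure.net/keys/dbfs-key/0123456789abcdef0123456789abcdef'
```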

Disable customer-managed keys

When you disable customer-managed keys, your storage account is once again encrypted with Microsoft-managed keys.

Replace the placeholder values in brackets with your own values and use the variables defined in the previous steps.

az databricks workspace update --name <workspace-name> --resource-group <resource-group> --key-source Default