Configure double encryption for DBFS root

Note

This feature is available only in the Azure Databricks Premium Plan.

Databricks File System (DBFS) is a distributed file system mounted into an Azure Databricks workspace and available on Azure Databricks clusters. DBFS is implemented as a storage account in your Azure Databricks workspace's managed resource group. The default storage location in DBFS is known as the DBFS root.

Azure Storage automatically encrypts all data in a storage account, including DBFS root storage, at the service level using 256-bit AES encryption. This is one of the strongest block ciphers available and is FIPS 140-2 compliant. If you require higher levels of assurance that your data is secure, you can also enable 256-bit AES encryption at the Azure Storage infrastructure level. When infrastructure encryption is enabled, data in a storage account is encrypted twice, once at the service level and once at the infrastructure level, with two different encryption algorithms and two different keys. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys is compromised. In this scenario, the additional layer of encryption continues to protect your data.

This article describes how to create a workspace that adds infrastructure encryption (and therefore double encryption) for the workspace's root storage. You must enable infrastructure encryption at workspace creation; you cannot add infrastructure encryption to an existing workspace.

Requirements

Create a workspace with double encryption using the Azure portal

Follow the instructions for creating a workspace using the Azure portal in Quickstart: Run a Spark job on Azure Databricks Workspace using the Azure portal, adding these steps:

  1. On the Create an Azure Databricks workspace page (Create a resource > Analytics > Azure Databricks), click the Advanced tab.

  2. Next to Enable Infrastructure Encryption, select Yes.

    [Screenshot: Enable double encryption at workspace creation]

  3. When you have finished your workspace configuration and created the workspace, verify that infrastructure encryption is enabled.

    In the resource page for the Azure Databricks workspace, go to the sidebar menu and select Settings > Encryption. Confirm that Enable Infrastructure Encryption is selected.

    [Screenshot: Verify double encryption after workspace creation]

Create a workspace with double encryption using PowerShell

Follow the instructions in Quickstart: Create an Azure Databricks workspace using PowerShell, adding the option -RequireInfrastructureEncryption to the command you run in the Create an Azure Databricks workspace step.

For example:

New-AzDatabricksWorkspace -Name databricks-test -ResourceGroupName testgroup -Location chinaeast2 -ManagedResourceGroupName databricks-group -Sku premium -RequireInfrastructureEncryption

After your workspace is created, verify that infrastructure encryption is enabled by running:

Get-AzDatabricksWorkspace -Name <workspace-name> -ResourceGroupName <resource-group> | fl

RequireInfrastructureEncryption should be set to true.

For more information about PowerShell cmdlets for Azure Databricks workspaces, see the Az.Databricks module reference.

Create a workspace with double encryption using the Azure CLI

When you create a workspace using the Azure CLI, include the option --require-infrastructure-encryption.

For example:

az databricks workspace create --name <workspace-name> --location <workspace-location> --resource-group <resource-group> --sku premium --require-infrastructure-encryption

After your workspace is created, verify that infrastructure encryption is enabled by running:

az databricks workspace show --name <workspace-name> --resource-group <resource-group>

The requireInfrastructureEncryption field should be present in the encryption property and set to true.

For more information about Azure CLI commands for Azure Databricks workspaces, see the az databricks workspace command reference.
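Because infrastructure encryption can only be set at creation time, the verification step in the PowerShell and Azure CLI sections above is the point where a missing flag is still cheap to fix (delete and recreate the workspace before data lands in it). The following script is an added example, not part of this article or of Azure Databricks: it feeds the JSON output of the article's `az databricks workspace show` command to a checker that returns true only when `requireInfrastructureEncryption` is present and true. The key name comes from the article; its exact nesting in the JSON, and the ARM-style `{"type": "Bool", "value": true}` parameter shape it also accepts, are assumptions, so the checker walks the whole document rather than hard-coding a path. The sample JSON documents are constructed.

```python
"""Verify that an Azure Databricks workspace was created with infrastructure
(double) encryption, based on the JSON that `az databricks workspace show`
returns.

Added example, not part of the article. Assumptions:
- Input is the JSON produced by the article's command,
  `az databricks workspace show --name ... --resource-group ... --output json`.
- The field is named `requireInfrastructureEncryption` (as the article states);
  its nesting is not assumed, and the value may be a bare boolean or an
  ARM-style parameter object such as {"type": "Bool", "value": true}.
"""
import json
import subprocess
import sys
from typing import Any, Iterator, Optional, Tuple

KEY = "requireInfrastructureEncryption"


def _walk(node: Any) -> Iterator[Tuple[str, Any]]:
    """Yield (key, value) pairs from every dict nested anywhere in node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def _as_bool(value: Any) -> Optional[bool]:
    """Accept a bare bool or an ARM parameter object; None for anything else."""
    if isinstance(value, bool):
        return value
    if isinstance(value, dict) and isinstance(value.get("value"), bool):
        return value["value"]
    return None


def infra_encryption_enabled(workspace_json: str) -> bool:
    """True only if the field is present and true; absent or false -> False.

    Fail-closed on purpose: a workspace whose output lacks the field cannot
    have the flag added later, so it is reported as not double-encrypted.
    """
    for key, value in _walk(json.loads(workspace_json)):
        if key == KEY:
            flag = _as_bool(value)
            if flag is not None:
                return flag
    return False


def check_workspace(name: str, resource_group: str) -> bool:
    """Run the article's verification command for a real workspace."""
    result = subprocess.run(
        ["az", "databricks", "workspace", "show",
         "--name", name, "--resource-group", resource_group,
         "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return infra_encryption_enabled(result.stdout)


# Constructed sample documents (shape is an assumption, trimmed to the
# fields that matter here).
SAMPLE_ENABLED = json.dumps({
    "name": "dbw-example", "sku": {"name": "premium"},
    "parameters": {KEY: {"type": "Bool", "value": True}},
})
SAMPLE_MISSING = json.dumps({
    "name": "dbw-legacy", "sku": {"name": "premium"}, "parameters": {},
})


if __name__ == "__main__":
    # Usage: python check_double_encryption.py <workspace-name> <resource-group>
    # With no arguments, the constructed sample is checked instead.
    if len(sys.argv) == 3:
        enabled = check_workspace(sys.argv[1], sys.argv[2])
    else:
        enabled = infra_encryption_enabled(SAMPLE_ENABLED)
    print("infrastructure encryption:", "enabled" if enabled else "NOT enabled")
    sys.exit(0 if enabled else 1)
```

The non-zero exit status makes the check usable as a gate in a deployment pipeline, so a workspace created without the flag is caught before anything is written to its DBFS root.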