Customer-managed: Tenant key life cycle operations

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and classic client

If you manage your own tenant key for Azure Information Protection (the bring your own key, or BYOK, scenario), use the following sections for more information about the life cycle operations that are relevant to this topology.

Revoke your tenant key

There are very few scenarios in which you would need to revoke your key instead of rekeying. When you revoke your key, all content that your tenant protected with that key becomes inaccessible to everybody (including Microsoft, your global admins, and super users) unless you have a backup of the key that you can restore. After revoking your key, you cannot protect new content until you create and configure a new tenant key for Azure Information Protection.

To revoke your customer-managed tenant key, change the permissions in Azure Key Vault on the key vault that contains your Azure Information Protection tenant key, so that the Azure Rights Management service can no longer access the key. This action effectively revokes the tenant key for Azure Information Protection.
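The revocation described above, as an added PowerShell example (not code from the original page or from Microsoft). It assumes the Az PowerShell module, a key vault that uses access-policy authorization rather than Azure RBAC, placeholder vault, key and backup-directory names, and that the application ID shown is the Azure Rights Management service principal as given in Microsoft's BYOK documentation (verify it there before use). Because revocation is only reversible if you hold a key backup, the script takes one with the Key Vault backup cmdlet and refuses to proceed if the backup was not written.

```powershell
# Added example, not from the original page: revoke the AIP tenant key by removing
# the Azure Rights Management service's access policy on the vault.
# Assumptions: Az module installed, vault uses access policies (not Azure RBAC),
# and the names below are placeholders.
$VaultName = 'contoso-aip-vault'
$KeyName   = 'contoso-aip-tenant-key'
$BackupDir = 'C:\secure\aip-key-backup'
# Application ID of the Azure Rights Management service principal, as listed in
# Microsoft's BYOK documentation; confirm against the current docs before use.
$RmsAppId  = '00000012-0000-0000-c000-000000000000'

Connect-AzAccount

# Safety first: without a backup, revocation is permanent for all protected content.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.blob' -f $KeyName, (Get-Date))
Backup-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -OutputFile $backupFile
if (-not (Test-Path $backupFile)) {
    throw "Backup of $KeyName was not written; aborting revocation."
}

# Remove the policy that grants the RMS service wrap/unwrap/sign/verify/get rights.
Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $RmsAppId

# Verify that the RMS service principal no longer appears in the vault's access policies.
$rmsObjectId = (Get-AzADServicePrincipal -ApplicationId $RmsAppId).Id
$remaining = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $rmsObjectId }
if ($remaining) {
    throw "RMS service principal still has an access policy on $VaultName; revocation failed."
}
Write-Host "Tenant key '$KeyName' revoked from Azure Information Protection. Backup: $backupFile"
```

The backup blob is encrypted by Key Vault and can only be restored into a vault in the same Azure subscription and geography, so store it where you can reach it from that subscription. If the vault uses Azure RBAC instead of access policies, remove the service principal's key-permission role assignment instead of calling Remove-AzKeyVaultAccessPolicy.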

When you cancel your subscription for Azure Information Protection, Azure Information Protection stops using your tenant key and no action is needed from you.

Rekey your tenant key

Rekeying is also known as rolling your key. When you do this operation, Azure Information Protection stops using the existing tenant key to protect documents and emails, and starts to use a different key. Policies and templates are re-signed immediately, but the changeover is gradual for existing clients and services that use Azure Information Protection, so for some time some new content continues to be protected with the old tenant key.

To rekey, you configure the tenant key object and specify the alternative key to use. The previously used key is then automatically marked as archived for Azure Information Protection. This configuration ensures that content that was protected with the old key remains accessible.

Examples of when you might need to rekey for Azure Information Protection:

  • Your company has split into two or more companies. After you rekey your tenant key, the new company will not have access to new content that your employees publish. They can access the old content if they have a copy of the old tenant key.

  • You want to move from one key management topology to another.

  • You believe the master copy of your tenant key (the copy in your possession) is compromised.

To rekey to another key that you manage, you can either create a new key in Azure Key Vault or use a different key that is already in Azure Key Vault. Then follow the same procedures that you used to implement BYOK for Azure Information Protection:

  1. Only if the new key is in a different key vault from the one you are already using for Azure Information Protection: authorize Azure Information Protection to use that key vault, by using the Set-AzKeyVaultAccessPolicy cmdlet.

  2. If Azure Information Protection does not already know about the key you want to use, run the Use-AipServiceKeyVaultKey cmdlet.

  3. Configure the tenant key object by running the Set-AipServiceKeyProperties cmdlet.
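The three steps above as one end-to-end PowerShell session, added here as an example (not code from the original page or from Microsoft). It assumes the Az and AIPService modules are installed, the new key lives in a new Premium-tier vault that uses access-policy authorization, all vault and key names are placeholders, the application ID shown is the Azure Rights Management service principal as listed in Microsoft's BYOK documentation (verify it there), and that Get-AipServiceKeys exposes the KeyIdentifier, Status and KeyVaultKeyUrl properties described in its cmdlet reference. The script finishes by checking that exactly one key is active and that the previous key was archived rather than dropped.

```powershell
# Added example, not from the original page: rekey the AIP tenant key to a new
# customer-managed key in Azure Key Vault.
# Assumptions: Az and AIPService modules installed, Premium vault with access
# policies (not Azure RBAC), placeholder names.
$VaultName = 'contoso-aip-vault-2'        # new vault that will hold the new key
$KeyName   = 'contoso-aip-tenant-key-2'
# Azure Rights Management service principal per Microsoft's BYOK docs; verify before use.
$RmsAppId  = '00000012-0000-0000-c000-000000000000'

Connect-AzAccount
Connect-AipService

# Record which key is active now, so the archive step can be verified afterwards.
$previousActive = Get-AipServiceKeys | Where-Object { $_.Status -eq 'Active' }

# Create the new HSM-protected key. Skip this if the key already exists in the vault,
# or transfer an on-premises nCipher-generated key instead of creating one here.
$newKey = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination HSM

# Step 1 (new vault only): let the RMS service use keys in this vault.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $RmsAppId `
    -PermissionsToKeys decrypt, encrypt, unwrapkey, wrapkey, verify, sign, get

# Step 2: register the key with AIP. $newKey.Id is the versioned key URL, so a
# later key version created in the vault cannot silently change what AIP uses.
Use-AipServiceKeyVaultKey -KeyVaultKeyUrl $newKey.Id

# Step 3: make the registered key the active tenant key.
$registered = Get-AipServiceKeys | Where-Object { $_.KeyVaultKeyUrl -eq $newKey.Id }
if (-not $registered) { throw "AIP did not register $($newKey.Id)" }
Set-AipServiceKeyProperties -KeyIdentifier $registered.KeyIdentifier -Active $true

# Verify: one active key, and it is the new one; the old key is archived, not gone.
$keys   = Get-AipServiceKeys
$active = @($keys | Where-Object { $_.Status -eq 'Active' })
if ($active.Count -ne 1 -or $active[0].KeyIdentifier -ne $registered.KeyIdentifier) {
    throw 'Rekey did not result in exactly one active key that is the new key.'
}
$old = $keys | Where-Object { $_.KeyIdentifier -eq $previousActive.KeyIdentifier }
if ($old.Status -ne 'Archived') {
    throw "Previous key $($previousActive.KeyIdentifier) is not archived; old content may become unreadable."
}
Write-Host "Active tenant key is now $($registered.KeyIdentifier); previous key archived."
```

Do not remove the RMS service's access to the vault that holds the old key: the archived key must stay reachable so that content protected with it remains readable, and, as noted above, some clients keep using the old key for a while after the rekey.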

For more information about each of these steps:

  • To rekey to another key that you manage, see Planning and implementing your Azure Information Protection tenant key.

    If you are rekeying to an HSM-protected key that you create on-premises and transfer to Key Vault, you can use the same security world and access cards that you used for your current key.

  • To rekey to a key that Microsoft manages for you instead, see the Rekey your tenant key section under Microsoft-managed operations.

Back up and recover your tenant key

Because you manage your own tenant key, you are responsible for backing up the key that Azure Information Protection uses.

If you generated your tenant key on-premises in an nCipher HSM: to back up the key, back up the tokenized key file, the world file, and the administrator cards. When you transfer your key to Azure Key Vault, the service saves the tokenized key file to protect against failure of any service nodes. This file is bound to the security world of the specific Azure region or instance. However, do not treat this tokenized key file as a full backup. For example, if you ever need a plain-text copy of your key to use outside an nCipher HSM, Azure Key Vault cannot retrieve it for you, because it holds only a non-recoverable copy.

Azure Key Vault has a backup cmdlet that you can use to back up a key by downloading it and storing it in a file. Because the downloaded content is encrypted, it cannot be used outside Azure Key Vault.

Export your tenant key

If you use BYOK, you cannot export your tenant key from Azure Key Vault or from Azure Information Protection. The copy in Azure Key Vault is non-recoverable.

Respond to a breach

No security system, no matter how strong, is complete without a breach response process. Your tenant key might be compromised or stolen. Even when it is well protected, vulnerabilities might be found in the current generation of key technology, or in current key lengths and algorithms.

Microsoft has a dedicated team that responds to security incidents in its products and services. As soon as there is a credible report of an incident, this team investigates the scope, root cause, and mitigations. If the incident affects your assets, Microsoft notifies your tenant Global administrators by email.

If you have a breach, the best action that you or Microsoft can take depends on the scope of the breach; Microsoft will work with you through this process. The following table shows some typical situations and the likely response, although the exact response depends on everything that is revealed during the investigation.

Incident description: Your tenant key is leaked.
Likely response: Rekey your tenant key. See Rekey your tenant key.

Incident description: An unauthorized individual or malware obtained rights to use your tenant key, but the key itself did not leak.
Likely response: Rekeying your tenant key does not help here; a root-cause analysis is required. If a process or software bug allowed the unauthorized individual to gain access, that defect must be fixed.

Incident description: A vulnerability is discovered in the current-generation HSM technology.
Likely response: Microsoft must update the HSMs. If there is reason to believe that the vulnerability exposed keys, Microsoft will instruct all customers to rekey their tenant keys.

Incident description: A vulnerability is discovered in the RSA algorithm or key length, or brute-force attacks become computationally feasible.
Likely response: Microsoft must update Azure Key Vault or Azure Information Protection to support new algorithms and longer, resilient key lengths, and instruct all customers to rekey their tenant keys.