计划和实施 Azure 信息保护租户密钥Planning and implementing your Azure Information Protection tenant key

适用范围:Azure 信息保护Applies to: Azure Information Protection

相关内容:AIP 统一标记客户端和经典客户端Relevant for: AIP unified labeling client and classic client*


为了提供统一、简化的客户体验,Azure 门户中的 Azure 信息保护经典客户端和标签管理将于 2021 年 3 月 31 日弃用 。To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. 在此时间框架内,所有 Azure 信息保护客户都可以使用 Microsoft 信息保护统一标记平台转换到我们的统一标记解决方案。This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. 有关详细信息,请参阅官方弃用通知Learn more in the official deprecation notice.

Azure 信息保护租户密钥是组织的根密钥。The Azure Information Protection tenant key is a root key for your organization. 可以从此根密钥派生出其他密钥,包括用户密钥、计算机密钥和文档加密密钥。Other keys can be derived from this root key, including user keys, computer keys, or document encryption keys. 每当 Azure 信息保护使用组织的这些密钥时,它们会以加密方式链接到你的 Azure 信息保护根租户密钥。Whenever Azure Information Protection uses these keys for your organization, they cryptographically chain to your Azure Information Protection root tenant key.

除了租户根密钥外,组织可能需要特定文档的本地安全性。In addition to your tenant root key, your organization may require on-premises security for specific documents. 本地密钥保护通常只需要少量内容,因此它是与租户根密钥一起配置的。On-premises key protection is typically required only for a small amount of content, and therefore is configured together with a tenant root key.

Azure 信息保护密钥类型Azure Information Protection key types

租户根密钥可以:Your tenant root key can either be:

如果具有需要额外的本地保护的高度敏感内容,建议使用双重密钥加密 (DKE)If you have highly sensitive content that requires additional, on-premises protection, we recommend using Double Key Encryption (DKE).


如果使用的是经典客户端,并需要额外的本地保护,请改用保留自己的密钥 (HYOK)If you are using the classic client, and need additional, on-premises protection, use Hold Your Own Key (HYOK) instead.

Microsoft 生成的租户根密钥Tenant root keys generated by Microsoft

由 Microsoft 自动生成的默认密钥是 Azure 信息保护专用的默认密钥,用于管理租户密钥生命周期的大多数方面。The default key, automatically generated by Microsoft, is the default key used exclusively for Azure Information Protection to manage most aspects of your tenant key life cycle.

如果希望快速部署 Azure 信息保护,而无需特殊的硬件、软件或 Azure 订阅,请继续使用默认的 Microsoft 密钥。Continue using the default Microsoft key when you want to deploy Azure Information Protection quickly and without special hardware, software, or an Azure subscription. 示例包括没有密钥管理监管要求的测试环境或组织。Examples include testing environments or organizations without regulatory requirements for key management.

对于默认密钥,无需执行其他步骤,你可以直接转到租户根密钥入门For the default key, no further steps are required, and you can go directly to Getting started with your tenant root key.


Microsoft 生成的默认密钥是具有最低管理开销的建议选项。The default key generated by Microsoft is the simplest option with the lowest administrative overheads.

在大多数情况下,你可能不知道自己具有租户密钥,因为你可以注册 Azure 信息保护,并将密钥管理过程的剩余部分交由 Microsoft 处理。In most cases, you may not even know that you have a tenant key, as you can sign up for Azure Information Protection and the rest of the key management process is handled by Microsoft.

创建自己的密钥 (BYOK) 保护Bring Your Own Key (BYOK) protection

BYOK 保护使用客户在 Azure Key Vault 或在客户组织中本地创建的密钥。BYOK-protection uses keys that are created by customers, either in the Azure Key Vault or on-premises in the customer organization. 然后,这些密钥将传输到 Azure Key Vault 以进行进一步的管理。These keys are then transferred to Azure Key Vault for further management.

组织具有针对密钥生成的符合性规定(包括对所有生命周期操作的控制)时,请使用 BYOK。Use BYOK when your organization has compliance regulations for key generation, including control over all life-cycle operations. 例如,密钥必须由硬件安全模块保护的情况下。For example, when your key must be protected by a hardware security module.

有关详细信息,请参阅配置 BYOK 保护For more information, see Configure BYOK protection.

配置后,请继续参阅租户根密钥入门,了解有关使用和管理密钥的详细信息。Once configured, continue to Getting started with your tenant root key for more information about using and managing your key.

双重密钥加密 (DKE)Double Key Encryption (DKE)

相关客户端:仅限 AIP 统一标记客户端Relevant for: AIP unified labeling client only

DKE 保护通过使用以下两个密钥来为内容提供额外的安全性:一个密钥由 Microsoft 在 Azure 中创建并持有,另一个密钥由客户本地创建并持有。DKE protection provides additional security for your content by using two keys: one created and held by Microsoft in Azure, and another created and held on-premises by the customer.

DKE 要求使用这两个密钥才能访问受保护的内容,能够确保 Microsoft 和其他第三方本身决不会拥有受保护数据的访问权限。DKE requires both keys to access protected content, ensuring that Microsoft and other third parties never have access to protected data on their own.

可以在云中或本地部署 DKE,从而为存储位置提供完全的灵活性。DKE can be deployed either in the cloud or on-premises, providing full flexibility for storage locations.

在组织符合以下条件时使用 DKE:Use DKE when your organization:

  • 想要确保在所有情况下,只有组织能够解密受保护的内容。Wants to ensure that only they can ever decrypt protected content, under all circumstances.
  • 不希望 Microsoft 自行拥有对受保护数据的访问权限。Don't want Microsoft to have access to protected data on its own.
  • 具有在地理边界内保存密钥的法规要求。Has regulatory requirements to hold keys within a geographical boundary. 使用 DKE,客户持有的密钥在客户数据中心内维护。With DKE, customer-held keys are maintained within the customer data center.


DKE 类似于要求使用银行密钥和客户密钥才能获得访问权限的保险箱。DKE is similar to a safety deposit box that requires both a bank key and a customer key to gain access. DKE 保护需要 Microsoft 持有的密钥和客户持有的密钥来解密受保护的内容。DKE-protection requires both the Microsoft-held key and the customer-held key to decrypt protected content.

有关详细信息,请参阅 Microsoft 365 文档中的双重密钥加密For more information, see Double key encryption in the Microsoft 365 documentation.

保留自己的密钥 (HYOK)Hold Your Own Key (HYOK)

相关客户端:仅限 AIP 经典客户端Relevant for: AIP classic client only

HYOK 保护使用客户在与云隔离的位置创建和保留的密钥。HYOK-protection uses a key that is created and held by customers, in a location isolated from the cloud. 由于 HYOK 保护只允许访问本地应用程序和服务的数据,使用 HYOK 的客户也对云文档具有基于云的密钥。Since HYOK-protection only enables access to data for on-premises applications and services, customers that use HYOK also have a cloud-based key for cloud documents.

对以下文档使用 HYOK:Use HYOK for documents that are:

  • 仅限少数人使用Restricted to just a few people
  • 不在组织外共享Not shared outside the organization
  • 仅在内部网络上使用。Are consumed only on the internal network.

这些文档通常在组织中具有最高的分类,称为“顶级机密”。These documents typically have the highest classification in your organization, as "Top Secret".

仅当使用的是经典客户端时,才能使用 HYOK 保护对内容进行加密。Content can be encrypted using HYOK protection only if you have the classic client. 但是,如果你有受 HYOK 保护的内容,则可以在经典标记客户端和统一标记客户端中查看该内容。However, if you have HYOK-protected content, it can be viewed in both the classic and unified labeling client.

有关详细信息,请参阅保留自己的密钥 (HYOK) 详细信息For more information, see Hold Your Own Key (HYOK) details.

后续步骤Next steps

有关特定类型的密钥的详细信息,请参阅以下任意文章:See any of the following articles for more details about specific types of keys:

如果要跨租户进行迁移(例如,在公司合并之后),我们建议阅读我们的有关公司合并与分拆的博客文章了解详细信息。If you are migrating across tenants, such as after a company merger, we recommend that you read our blog post on mergers and spinoffs for more information.