Encryption of data at rest with customer-managed keys for IoT Hub

IoT Hub supports encryption of data at rest with customer-managed keys (CMK), also known as Bring Your Own Key (BYOK). Azure IoT Hub encrypts data at rest and in transit as it is written in our datacenters and decrypts it for you as you access it. By default, IoT Hub uses Microsoft-managed keys to encrypt data at rest. With CMK, you get another layer of encryption on top of the default encryption and can choose to encrypt data at rest with a key encryption key that you manage through your Azure Key Vault. This gives you the flexibility to create, rotate, disable, and revoke access controls. If BYOK is configured for your IoT hub, we also provide double encryption, which offers a second layer of protection while allowing you to control the encryption key through your Azure Key Vault.

This capability requires the creation of a new IoT hub (basic or standard tier).
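The envelope-encryption model described above, as an added illustration that is not Azure code: a per-record data encryption key (DEK) protects the data, and only the DEK is wrapped by the key encryption key (KEK) held in a hypothetical stand-in for Key Vault, so rotating the KEK re-wraps the DEK without touching the ciphertext, and disabling the KEK makes the data unreadable. The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen so the example runs on the standard library alone; it stands in for the AES-based encryption a real service uses.

```python
import hmac, hashlib, os

def _subkey(key, label):  # separate keys for keystream and tag
    return hmac.new(key, label, hashlib.sha256).digest()
def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (PRF stream cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag. Used for both DEK wrapping and data."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

class KeyVault:
    """Hypothetical stand-in for Azure Key Vault: versioned KEK plus an enabled flag."""
    def __init__(self):
        self.versions, self.enabled = {}, True
    def new_version(self):
        vid = os.urandom(4).hex(); self.versions[vid] = os.urandom(32); return vid
    def disable(self):  # revoke: the service can no longer unwrap any DEK
        self.enabled = False
    def _kek(self, vid):
        if not self.enabled: raise PermissionError("KEK disabled or access revoked")
        return self.versions[vid]
    def wrap(self, vid, dek): return encrypt(self._kek(vid), dek)
    def unwrap(self, vid, blob): return decrypt(self._kek(vid), blob)

def store_record(vault, vid, plaintext):
    """Envelope: a fresh DEK encrypts the data; the vault KEK wraps only the DEK."""
    dek = os.urandom(32)
    return {"kek_version": vid, "wrapped_dek": vault.wrap(vid, dek), "ciphertext": encrypt(dek, plaintext)}

def read_record(vault, rec):
    return decrypt(vault.unwrap(rec["kek_version"], rec["wrapped_dek"]), rec["ciphertext"])

def rotate_kek(vault, rec):
    """Re-wrap the DEK under a new KEK version; the data ciphertext is untouched."""
    dek = vault.unwrap(rec["kek_version"], rec["wrapped_dek"])
    new = vault.new_version()
    return {**rec, "kek_version": new, "wrapped_dek": vault.wrap(new, dek)}
```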

Next steps