About keys, secrets, and certificates

Azure Key Vault enables Azure applications and users to store and use several types of secret/key data:

  • Cryptographic keys: Supports multiple key types and algorithms, and enables the use of Hardware Security Modules (HSMs) for high-value keys. For more information, see About keys.
  • Secrets: Provides secure storage of secrets, such as passwords and database connection strings. For more information, see About secrets.
  • Certificates: Supports certificates, which are built on top of keys and secrets and add an automated renewal feature. For more information, see About certificates.
  • Azure Storage: Can manage the keys of an Azure Storage account for you. Internally, Key Vault can list (sync) the keys of an Azure Storage account and regenerate (rotate) them periodically. For more information, see Manage storage account keys with Key Vault.

For more general information about Key Vault, see About Azure Key Vault.

Data types

Refer to the JOSE specifications for the data types relevant to keys, encryption, and signing.

  • algorithm - a supported algorithm for a key operation, for example RSA1_5 (RSAES-PKCS1-v1_5 padding; RSA-OAEP is the preferred choice for new designs)
  • ciphertext-value - ciphertext octets, encoded using Base64URL
  • digest-value - the output of a hash algorithm, encoded using Base64URL
  • key-type - one of the supported key types, for example RSA (Rivest-Shamir-Adleman)
  • plaintext-value - plaintext octets, encoded using Base64URL
  • signature-value - the output of a signature algorithm, encoded using Base64URL
  • base64URL - a Base64URL [RFC4648] encoded binary value
  • boolean - either true or false
  • Identity - an identity from Azure Active Directory (AAD)
  • IntDate - a JSON decimal value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time. See RFC3339 for details on date/times in general and UTC in particular.
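The Base64URL and IntDate encodings above are where practitioners most often slip: JOSE strips the `=` padding that RFC 4648 Base64 normally carries, so a naive decoder rejects valid values, and IntDate is seconds (not milliseconds) since the epoch in UTC. The following is an added example, not code from the page or from Key Vault itself, showing a padding-tolerant Base64URL codec, a digest-value computed with SHA-256 (the hash algorithm is an assumption; the page names none), and IntDate conversion in both directions. The sample inputs are constructed.

```python
import base64
import hashlib
from datetime import datetime, timezone

_B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url_encode(data: bytes) -> str:
    """Base64URL (RFC 4648 section 5) with the '=' padding removed, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode. Accepts values with or without padding,
    restores the padding the sender stripped, and rejects anything outside
    the URL-safe alphabet (a '+' or '/' means the sender used plain Base64)."""
    text = text.strip().rstrip("=")
    bad = set(text) - _B64URL_ALPHABET
    if bad:
        raise ValueError(f"not Base64URL: unexpected characters {sorted(bad)}")
    missing = (-len(text)) % 4
    if missing == 3:  # a length of 4n+1 can never be a valid encoding
        raise ValueError("not Base64URL: invalid length")
    return base64.urlsafe_b64decode(text + "=" * missing)


def digest_value(plaintext: bytes, algorithm: str = "sha256") -> str:
    """A JOSE digest-value: the raw hash output, Base64URL-encoded.
    SHA-256 as the default is an assumption for the example."""
    return b64url_encode(hashlib.new(algorithm, plaintext).digest())


def to_intdate(moment: datetime) -> int:
    """IntDate: whole seconds since 1970-01-01T00:00:00Z. Naive datetimes are
    refused because their UTC offset is unknown."""
    if moment.tzinfo is None or moment.utcoffset() is None:
        raise ValueError("IntDate needs a timezone-aware datetime")
    return int(moment.astimezone(timezone.utc).timestamp())


def from_intdate(seconds: int) -> datetime:
    """IntDate back to an aware UTC datetime."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def intdate_from_rfc3339(text: str) -> int:
    """Parse an RFC 3339 timestamp such as 2000-01-01T00:00:00Z into an IntDate.
    The 'Z' suffix is rewritten because older Pythons' fromisoformat rejects it."""
    moment = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return to_intdate(moment)


if __name__ == "__main__":
    # Constructed sample: the two bytes that exercise the '-' and '_' characters.
    print(b64url_encode(b"\xfb\xff"))                 # -_8
    print(digest_value(b""))                           # SHA-256 of the empty string
    print(intdate_from_rfc3339("2000-01-01T00:00:00Z"))  # 946684800
```

The decoder deliberately tolerates padding on input but never emits it; that asymmetry is what keeps round-trips with stricter JOSE implementations working. Note that `b64url_decode` rejecting `+` and `/` is a feature: it catches callers that pasted a standard Base64 value where a Base64URL one was expected.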

Objects, identifiers, and versioning

Objects stored in Key Vault are versioned whenever a new instance of an object is created. Each version is assigned a unique identifier and URL. When an object is first created, it is given a unique version identifier and marked as the current version of the object. Creating a new instance with the same object name gives the new object a unique version identifier and makes it the current version.

Objects in Key Vault can be addressed by specifying a version, or by omitting the version to operate on the current version of the object. For example, given a key named MasterKey, performing operations without specifying a version causes the system to use the latest available version. Performing operations with the version-specific identifier causes the system to use that specific version of the object. Whether to pin a version is a deliberate choice: a reference without a version follows rotation automatically, while a version-specific reference keeps using that version after the object has been rotated.

Objects are uniquely identified within Key Vault by a URL. No two objects in the system have the same URL, regardless of geo-location. The complete URL of an object is called the Object Identifier. The URL consists of a prefix that identifies the Key Vault, the object type, the user-provided Object Name, and the Object Version. The Object Name is case-insensitive and immutable. Identifiers that do not include the Object Version are referred to as Base Identifiers.

For more information, see Authentication, requests, and responses.

An object identifier has the following general format:

https://{keyvault-name}.vault.azure.cn/{object-type}/{object-name}/{object-version}

Where:

Element         Description
keyvault-name   The name of a key vault in the Microsoft Azure Key Vault service.
                Key Vault names are selected by the user and are globally unique.
                A Key Vault name must be a 3-24 character string containing only 0-9, a-z, A-Z, and -.
object-type     The type of the object: "keys", "secrets", or "certificates".
object-name     A user-provided name that must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -.
object-version  A system-generated, 32-character string identifier that is optionally used to address a unique version of an object.
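Code that receives an object identifier from configuration or from another service should parse it against the rules above rather than string-concatenating paths, and in particular should confirm the host really is a Key Vault host before attaching a bearer token to a request for it; a URL that merely looks like an identifier but points at another host would otherwise receive the caller's token. The following added example (not code from the page or from any Key Vault SDK) parses and validates identifiers, distinguishes Base Identifiers from version-specific ones, and compares names case-insensitively as the page specifies. Two assumptions go beyond the page: the global vault.azure.net host suffix is accepted alongside the vault.azure.cn suffix shown above, and the version, which the page only describes as a 32-character string, is restricted to alphanumerics. The sample URLs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The page shows vault.azure.cn; accepting vault.azure.net (global Azure) as well is an assumption.
VAULT_HOST_SUFFIXES = ("vault.azure.cn", "vault.azure.net")
OBJECT_TYPES = ("keys", "secrets", "certificates")

# Naming rules from the table above.
VAULT_NAME_RE = re.compile(r"[0-9A-Za-z-]{3,24}")
OBJECT_NAME_RE = re.compile(r"[A-Za-z][0-9A-Za-z-]{0,126}")
# The page only says "32 character string"; limiting it to alphanumerics is an assumption.
VERSION_RE = re.compile(r"[0-9A-Za-z]{32}")


@dataclass(frozen=True)
class ObjectIdentifier:
    host: str               # e.g. contoso-kv.vault.azure.cn (lower-cased)
    vault_name: str
    object_type: str        # keys | secrets | certificates
    name: str               # kept as written; compared case-insensitively
    version: Optional[str]  # None for a Base Identifier

    @property
    def is_base_identifier(self) -> bool:
        return self.version is None

    def base_url(self) -> str:
        """The Base Identifier: the same object, addressed at its current version."""
        return f"https://{self.host}/{self.object_type}/{self.name}"

    def url(self) -> str:
        return self.base_url() if self.version is None else f"{self.base_url()}/{self.version}"


def parse_object_identifier(url: str) -> ObjectIdentifier:
    """Split a Key Vault object identifier into its parts, enforcing the naming rules.
    Raises ValueError with the first rule the URL breaks."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("an object identifier is an https URL")
    if parts.query or parts.fragment:
        raise ValueError("object identifiers carry no query string or fragment")

    # Host check first: only send credentials to a host that is really a Key Vault.
    host = parts.netloc.lower()
    for suffix in VAULT_HOST_SUFFIXES:
        if host.endswith("." + suffix):
            vault_name = host[: -(len(suffix) + 1)]
            break
    else:
        raise ValueError(f"not a Key Vault host: {parts.netloc}")
    if not VAULT_NAME_RE.fullmatch(vault_name):
        raise ValueError(f"invalid vault name: {vault_name!r}")

    segments = parts.path.strip("/").split("/")
    if len(segments) not in (2, 3) or "" in segments:
        raise ValueError("path must be /{object-type}/{object-name}[/{object-version}]")
    object_type = segments[0].lower()
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {segments[0]!r}")
    name = segments[1]
    if not OBJECT_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid object name: {name!r}")
    version = segments[2] if len(segments) == 3 else None
    if version is not None and not VERSION_RE.fullmatch(version):
        raise ValueError(f"invalid object version: {version!r}")
    return ObjectIdentifier(host, vault_name, object_type, name, version)


def identifier_problem(url: str) -> Optional[str]:
    """None if url is a well-formed object identifier, otherwise the reason it is not."""
    try:
        parse_object_identifier(url)
    except ValueError as exc:
        return str(exc)
    return None


def same_object(a: ObjectIdentifier, b: ObjectIdentifier) -> bool:
    """True if both identifiers name the same object, ignoring version and name case."""
    return (a.host, a.object_type, a.name.lower()) == (b.host, b.object_type, b.name.lower())


if __name__ == "__main__":
    # Constructed samples: a version-specific identifier and the Base Identifier of the same key.
    pinned = parse_object_identifier(
        "https://contoso-kv.vault.azure.cn/keys/MasterKey/0123456789abcdef0123456789abcdef")
    current = parse_object_identifier("https://contoso-kv.vault.azure.cn/keys/masterkey")
    print(pinned.base_url(), pinned.is_base_identifier, same_object(pinned, current))
    print(identifier_problem("https://evil.example/keys/MasterKey"))
```

`same_object` is what a rotation-aware cache or allow-list should key on: two references that differ only in version or in the case of the name are the same object, and treating them as different is how stale pins and duplicate entries creep in.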

Next steps