Azure Key Vault backup

This document shows you how to back up secrets, keys, and certificates stored in your key vault. A backup is intended to provide you with an offline copy of all your secrets in the unlikely event that you lose access to your key vault.

Overview

Azure Key Vault automatically provides features to help you maintain availability and prevent data loss. Back up secrets only if you have a critical business justification. Backing up secrets in your key vault may introduce operational challenges, such as maintaining multiple sets of logs, permissions, and backups when secrets expire or rotate.

Key Vault maintains availability in disaster scenarios and will automatically fail over requests to a paired region without any intervention from a user. For more information, see Azure Key Vault availability and redundancy.

If you want protection against accidental or malicious deletion of your secrets, configure the soft-delete and purge protection features on your key vault. For more information, see Azure Key Vault soft-delete overview.

Limitations

Important

Key Vault does not support backing up more than 500 past versions of a key, secret, or certificate object. Attempting to back up an object that has more versions than this may result in an error. It is not possible to delete previous versions of a key, secret, or certificate, so an object that has crossed this threshold cannot be trimmed back under it.

Key Vault doesn't currently provide a way to back up an entire key vault in a single operation. Any attempt to use the commands listed in this document to do an automated backup of a key vault may result in errors and won't be supported by Microsoft or the Azure Key Vault team.

Also consider the following consequences:

  • Backing up secrets that have multiple versions might cause time-out errors.
  • A backup creates a point-in-time snapshot. Secrets might renew during a backup, causing a mismatch of encryption keys.
  • If you exceed the key vault service limits for requests per second, your key vault will be throttled, and the backup will fail.

Design considerations

When you back up a key vault object, such as a secret, key, or certificate, the backup operation downloads the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography.

Prerequisites

To back up a key vault object, you must have:

  • Contributor-level or higher permissions on an Azure subscription. Contributor is a control-plane (Azure Resource Manager) role; the backup and restore calls themselves are data-plane operations, so the identity running them also needs the backup and restore permissions for that object type, granted either through a vault access policy or, when the vault uses Azure RBAC, through a data-plane role such as Key Vault Administrator.
  • A primary key vault that contains the secrets you want to back up.
  • A secondary key vault where secrets will be restored.

Back up and restore from the Azure portal

Follow the steps in this section to back up and restore objects by using the Azure portal.

Back up

  1. Go to the Azure portal.

  2. Select your key vault.

  3. Go to the type of object (secret, key, or certificate) you want to back up.

  4. Select the object.

  5. Select Download Backup.

  6. Select Download.

  7. Store the encrypted blob in a secure location. Treat it with the same care as the object itself: anyone who can restore it into a key vault in the same subscription and geography can recover its contents.

Restore

  1. Go to the Azure portal.

  2. Select your key vault.

  3. Go to the type of object (secret, key, or certificate) you want to restore.

  4. Select Restore Backup.

  5. Go to the location where you stored the encrypted blob.

  6. Select OK.

Back up and restore from the Azure CLI or Azure PowerShell

The Azure CLI commands below back up and restore individual objects. Each command operates on one object at a time; there is no single command for an entire vault.

## Log in to Azure
az cloud set -n AzureChinaCloud
az login

## Set your subscription
az account set --subscription {AZURE SUBSCRIPTION ID}

## Register Key Vault as a provider
az provider register -n Microsoft.KeyVault

## Back up a certificate in Key Vault
az keyvault certificate backup --file {File Path} --name {Certificate Name} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

## Back up a key in Key Vault
az keyvault key backup --file {File Path} --name {Key Name} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

## Back up a secret in Key Vault
az keyvault secret backup --file {File Path} --name {Secret Name} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

## Restore a certificate in Key Vault
az keyvault certificate restore --file {File Path} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

## Restore a key in Key Vault
az keyvault key restore --file {File Path} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

## Restore a secret in Key Vault
az keyvault secret restore --file {File Path} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}
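The following script is an added example and is not part of the original page or of the Azure CLI; the function names and the manifest layout are this example's own. It wraps the per-object commands above with the checks a practitioner wants around them: the downloaded blob and its sidecar are created owner-readable only, a SHA-256 digest and the version id that was current at backup time are recorded (so the point-in-time snapshot can be identified later, given that a rotation during or after the backup is not in it), the digest is verified before any restore, and after the restore the version now current in the target vault is compared with the recorded one. It assumes the CLI is signed in with the subscription set as shown above, that the identity holds the backup and restore permissions plus get on the object (needed for `az keyvault ... show`), and that the target vault is in the same subscription and geography as the source.

```shell
#!/bin/sh
# Added example: wrappers around the per-object az commands above with integrity and
# version checks. Not from the original page or the Azure CLI; function names and the
# manifest layout are this example's own.
# Assumes: az is signed in with the subscription set (see the steps above), and the
# identity holds backup/restore plus get (for `az keyvault ... show`) on the object.
set -u

# SHA-256 of a file, using whichever digest tool is present on the host.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Only these three object types exist, so reject anything else before it is
# spliced into an az command line.
check_type() {
    case "$1" in
        secret|key|certificate) return 0 ;;
        *) echo "unsupported object type: $1" >&2; return 1 ;;
    esac
}

# backup_object TYPE NAME VAULT OUTDIR
# Downloads the encrypted blob to OUTDIR/VAULT-TYPE-NAME-<utc stamp>.blob (mode 600)
# and writes a .manifest sidecar holding the blob's SHA-256 and the version id that
# was current when the snapshot was taken. Prints the blob path on success.
backup_object() {
    type_="$1"; name="$2"; vault="$3"; outdir="$4"
    check_type "$type_" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    blob="$outdir/$vault-$type_-$name-$stamp.blob"
    # Create the output directory and file owner-only before az writes into them.
    (umask 077; mkdir -p "$outdir" && : > "$blob") || return 1

    # The blob is a point-in-time snapshot: a rotation that lands after this call
    # is not in it, so record which version was current.
    current_id=$(az keyvault "$type_" show --vault-name "$vault" --name "$name" \
                    --query id -o tsv) || return 1

    az keyvault "$type_" backup --vault-name "$vault" --name "$name" --file "$blob" || return 1
    [ -s "$blob" ] || { echo "backup produced an empty file: $blob" >&2; return 1; }

    (umask 077; printf 'sha256=%s\nid=%s\n' "$(sha256_of "$blob")" "$current_id" \
        > "$blob.manifest") || return 1
    echo "$blob"
}

# verify_backup BLOB: recompute the digest and compare it with the manifest.
verify_backup() {
    blob="$1"
    [ -f "$blob.manifest" ] || { echo "missing manifest for $blob" >&2; return 1; }
    expected=$(sed -n 's/^sha256=//p' "$blob.manifest")
    [ "$expected" = "$(sha256_of "$blob")" ] \
        || { echo "digest mismatch for $blob" >&2; return 1; }
}

# restore_object TYPE VAULT BLOB
# Verifies the blob, restores it into VAULT (which must be in the same subscription
# and geography as the source vault), then checks that the version now current in
# VAULT is the one recorded at backup time (restore keeps the original identifiers).
restore_object() {
    type_="$1"; vault="$2"; blob="$3"
    check_type "$type_" || return 1
    verify_backup "$blob" || return 1
    az keyvault "$type_" restore --vault-name "$vault" --file "$blob" || return 1

    recorded_id=$(sed -n 's/^id=//p' "$blob.manifest")
    name=$(basename "$(dirname "$recorded_id")")   # id is .../<type>s/<name>/<version>
    restored_id=$(az keyvault "$type_" show --vault-name "$vault" --name "$name" \
                    --query id -o tsv) || return 1
    [ "$(basename "$restored_id")" = "$(basename "$recorded_id")" ] \
        || { echo "restored version differs from the one recorded at backup time" >&2; return 1; }
}
```

Source the file and run `backup_object secret db-password my-primary-kv ./kv-backups`, which prints the blob path; later, `restore_object secret my-secondary-kv ./kv-backups/<that file>.blob` refuses to restore a blob whose digest no longer matches its manifest. The digest only protects against corruption or accidental edits, since the manifest sits beside the blob; keep both on storage whose access is itself controlled and logged.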

Next steps

Turn on logging and monitoring for Key Vault.