Azure Key Vault basic concepts

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. The Key Vault service supports vaults. Vaults support storing software keys, secrets, and certificates.

Here are other important terms:

  • Tenant: A tenant is the organization that owns and manages a specific instance of Azure cloud services. It's most often used to refer to the set of Azure and Microsoft 365 services for an organization.

  • Vault owner: A vault owner can create a key vault and gain full access and control over it. The vault owner can also set up auditing to log who accesses secrets and keys. Administrators can control the key lifecycle. They can roll to a new version of the key, back it up, and do related tasks.

  • Vault consumer: A vault consumer can perform actions on the assets inside the key vault when the vault owner grants the consumer access. The available actions depend on the permissions granted.

  • Resource: A resource is a manageable item that's available through Azure. Common examples are virtual machines, storage accounts, web apps, databases, and virtual networks. There are many more.

  • Resource group: A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups, based on what makes the most sense for your organization.

  • Security principal: An Azure security principal is a security identity that user-created apps, services, and automation tools use to access specific Azure resources. Think of it as a "user identity" (username and password, or certificate) with a specific role and tightly controlled permissions. Unlike a general user identity, a security principal should only need to do specific things. It improves security if you grant it only the minimum permission level that it needs to perform its management tasks. A security principal used with an application or service is specifically called a service principal.

  • Azure Active Directory (Azure AD): Azure AD is the Active Directory service for a tenant. Each directory has one or more domains. A directory can have many subscriptions associated with it, but only one tenant.

  • Azure tenant ID: A tenant ID is a unique way to identify an Azure AD instance within an Azure subscription.

  • Managed identities: Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Using a managed identity makes solving this problem simpler by giving Azure services an automatically managed identity in Azure AD. You can use this identity to authenticate to Key Vault or any service that supports Azure AD authentication, without having any credentials in your code. For more information, see the following image and the overview of managed identities for Azure resources.

    Diagram of how managed identities for Azure resources work


To do any operations with Key Vault, you first need to authenticate to it. There are three ways to authenticate to Key Vault:

  • Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn't managing the rotation of the first secret. Azure automatically rotates the identity. We recommend this approach as a best practice.
  • Service principal and certificate: You can use a service principal and an associated certificate that has access to Key Vault. We don't recommend this approach because the application owner or developer must rotate the certificate.
  • Service principal and secret: Although you can use a service principal and a secret to authenticate to Key Vault, we don't recommend it. It's hard to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.
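The following is an added example, not code from the Azure documentation, showing what the recommended option looks like at the wire level: an app on an Azure VM obtains a Key Vault-scoped token from the Azure Instance Metadata Service (IMDS, the link-local token endpoint that only answers from inside the VM and requires a Metadata header) and then calls the Key Vault REST API with that bearer token. The code holds no password, certificate or client secret, which is exactly the property the bootstrap-secret problem above is about. The `transport` parameter, the `fake_azure` stand-in, the vault name `contoso-kv` and the secret name `db-password` are constructed for the demonstration so it runs offline; the IMDS endpoint, the `vault.azure.net` resource and the `secrets/{name}/{version}?api-version=...` URI shape are the real, documented ones. The example also parses the secret identifier URI that developers are handed, as described in the roles table below.

```python
"""Retrieve a Key Vault secret with a managed identity, with no credential in code.

Added example (not from the Azure documentation page). The `transport` callable
is a test seam so the two HTTP calls can be exercised offline with a constructed
fake; `default_transport` performs the real requests when run on an Azure VM.
"""
import json
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.4"


def parse_secret_identifier(secret_id):
    """Split a Key Vault secret URI into (vault base URL, secret name, version or None)."""
    u = urlparse(secret_id)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret identifier: {secret_id}")
    version = parts[2] if len(parts) > 2 else None
    return f"https://{u.netloc}", parts[1], version


def default_transport(url, headers):
    """Real HTTP GET; returns (status code, decoded JSON body)."""
    with urlopen(Request(url, headers=headers)) as resp:
        return resp.status, json.loads(resp.read().decode())


def get_managed_identity_token(transport=default_transport, client_id=None):
    """Ask IMDS for an access token scoped to Key Vault.

    Nothing here is a long-lived secret: the platform mints the token for the
    identity assigned to the VM, so there is nothing for the app to rotate.
    """
    params = {"api-version": "2018-02-01", "resource": KEY_VAULT_RESOURCE}
    if client_id:  # user-assigned identity; a system-assigned identity needs no id
        params["client_id"] = client_id
    status, body = transport(f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"})
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"IMDS token request failed: {status} {body}")
    return body["access_token"]


def get_secret(secret_id, transport=default_transport, client_id=None):
    """Resolve a secret identifier URI to its value using the managed identity."""
    vault_url, name, version = parse_secret_identifier(secret_id)
    token = get_managed_identity_token(transport, client_id)
    url = f"{vault_url}/secrets/{name}" + (f"/{version}" if version else "")
    url += f"?api-version={KEY_VAULT_API_VERSION}"
    status, body = transport(url, {"Authorization": f"Bearer {token}"})
    if status == 403:
        # The identity authenticated but was never granted access to this vault/secret:
        # the vault owner controls that, not the code.
        raise PermissionError(f"managed identity is not authorised for {secret_id}")
    if status != 200:
        raise RuntimeError(f"Key Vault request failed: {status} {body}")
    return body["value"]


def fake_azure(url, headers):
    """Constructed stand-in for IMDS and one vault, so the flow runs offline."""
    if url.startswith(IMDS_TOKEN_URL):
        if headers.get("Metadata") != "true":
            return 400, {"error": "Metadata header required"}  # IMDS rejects the call
        return 200, {"access_token": "eyJ.constructed.token", "token_type": "Bearer"}
    if url.startswith("https://contoso-kv.vault.azure.net/secrets/db-password"):
        if headers.get("Authorization") != "Bearer eyJ.constructed.token":
            return 401, {"error": {"code": "Unauthorized"}}
        return 200, {"value": "s3cr3t-constructed", "id": url.split("?")[0]}
    return 403, {"error": {"code": "Forbidden"}}  # identity not granted this secret


if __name__ == "__main__":
    # Offline demonstration against the constructed fake; on an Azure VM with an
    # identity that has secret/get on the vault, omit transport= to use the real services.
    print(get_secret("https://contoso-kv.vault.azure.net/secrets/db-password", transport=fake_azure))
```

The shape worth noticing is that the only thing the vault ever sees is a short-lived bearer token, and the only thing the code ever ships with is the secret's URI. Revoking access is a vault-side permission change, with no redeploy, which is the operational difference from the two service-principal options.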

Key Vault roles

Use the following table to better understand how Key Vault can help to meet the needs of developers and security administrators.

Role: Developer for an Azure application
Problem statement: "I want to write an application for Azure that uses keys for signing and encryption. But I want these keys to be external from my application so that the solution is suitable for an application that's geographically distributed. I want these keys and secrets to be protected, without having to write the code myself. I also want these keys and secrets to be easy for me to use from my applications, with optimal performance."
Solved by Azure Key Vault:
  √ Keys are stored in a vault and invoked by URI when needed.
  √ Keys are safeguarded by Azure, using industry-standard algorithms and key lengths.

Role: Developer for software as a service (SaaS)
Problem statement: "I don't want the responsibility or potential liability for my customers' tenant keys and secrets. I want customers to own and manage their keys so that I can concentrate on doing what I do best, which is providing the core software features."
Solved by Azure Key Vault:
  √ Customers can import their own keys into Azure and manage them. When a SaaS application needs to perform cryptographic operations by using customers' keys, Key Vault does these operations on behalf of the application. The application does not see the customers' keys.

Role: Chief security officer (CSO)
Problem statement: "I want to know that our applications comply with FIPS 140-2 Level 2 for secure key management. I want to make sure that my organization is in control of the key lifecycle and can monitor key usage. And although we use multiple Azure services and resources, I want to manage the keys from a single location in Azure."
Solved by Azure Key Vault:
  √ Key Vault is designed so that Microsoft does not see or extract your keys.
  √ Key usage is logged in near real time.
  √ The vault provides a single interface, regardless of how many vaults you have in Azure, which regions they support, and which applications use them.

Anybody with an Azure subscription can create and use key vaults. Although Key Vault benefits developers and security administrators, it can be implemented and managed by an organization's administrator who manages other Azure services. For example, this administrator can sign in with an Azure subscription, create a vault for the organization in which to store keys, and then be responsible for operational tasks like these:

  • Create or import a key or secret
  • Revoke or delete a key or secret
  • Authorize users or applications to access the key vault, so they can then manage or use its keys and secrets
  • Configure key usage (for example, sign or encrypt)
  • Monitor key usage

This administrator then gives developers URIs to call from their applications. This administrator also gives key usage logging information to the security administrator.

Overview of how Azure Key Vault works

Developers can also manage the keys directly by using APIs. For more information, see the Key Vault developer's guide.

Next steps

Learn how to secure your vault.

Azure Key Vault is available in most regions. For more information, see the Key Vault pricing page.