Azure Key Vault 客户数据功能Azure Key Vault customer data features

Azure Key Vault 在创建或更新保管库、密钥、机密、证书和托管的存储帐户期间接收客户数据。Azure Key Vault receives customer data during creation or update of vaults, keys, secrets, certificates, and managed storage accounts. 此客户数据在 Azure 门户中以及通过 REST API 直接可见。This Customer data is directly visible in the Azure portal and through the REST API. 可以通过更新或删除包含客户数据的对象来编辑或删除此数据。Customer data can be edited or deleted by updating or deleting the object that contains the data.

系统访问日志是在用户或应用程序访问 Key Vault 时生成的。System access logs are generated when a user or application accesses Key Vault. 使用 Azure 见解的客户可以获得详细的访问日志。Detailed access logs are available to customers using Azure Insights.


本文介绍如何删除设备或服务中的个人数据,并且可为 GDPR 下的任务提供支持。This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. 如需关于 GDPR 的常规信息,请参阅服务信任门户的 GDPR 部分If you're looking for general info about GDPR, see the GDPR section of the Service Trust portal.

标识客户数据Identifying customer data

以下信息标识 Azure Key Vault 中的客户数据:The following information identifies customer data within Azure Key Vault:

  • Azure Key Vault 的访问策略包含代表用户、组或应用程序的对象 IDAccess policies for Azure Key Vault contain object-IDs representing users, groups, or applications
  • 证书使用者可能包含电子邮件地址或者其他用户或组织标识符Certificate subjects may include email addresses or other user or organizational identifiers
  • 证书联系人可能包含用户电子邮件地址、姓名或电话号码Certificate contacts may contain user email addresses, names, or phone numbers
  • 证书颁发者可能包含电子邮件地址、姓名、电话号码、帐户凭据和组织详细信息Certificate issuers may contain email addresses, names, phone numbers, account credentials, and organizational details
  • 可以向 Azure Key Vault 中的对象应用任意标记。Arbitrary tags can be applied to Objects in Azure Key Vault. 这些对象包括保管库、密钥、机密、证书和存储帐户。These objects include vaults, keys, secrets, certificates, and storage accounts. 使用的标记可能包含个人数据The tags used may contain personal data
  • Azure Key Vault 访问日志包含每个 REST API 调用的对象 ID、UPN 和 IP 地址Azure Key Vault access logs contain object-IDs, UPNs, and IP addresses for each REST API call
  • Azure Key Vault 诊断日志可能包含 REST API 调用的对象 ID 和 IP 地址Azure Key Vault diagnostic logs may contain object-IDs and IP addresses for REST API calls

删除客户数据Deleting customer data

用于创建保管库、密钥、机密、证书和托管存储帐户的相同 REST API、门户体验和 SDK 也能够更新和删除这些对象。The same REST APIs, Portal experience, and SDKs used to create vaults, keys, secrets, certificates, and managed storage accounts, are also able to update and delete these objects.

软删除允许你在删除数据后的 90 天内恢复已删除的数据。Soft-delete allows you to recover deleted data for 90 days after deletion. 使用软删除时,可以通过执行清除操作在 90 天保留期到期之前永久删除数据。When using soft-delete, the data may be permanently deleted prior to the 90 days retention period expires by performing a purge operation. 如果保管库或订阅已配置为阻止清除操作,则不能在计划的保留期结束前永久删除数据。If the vault or subscription has been configured to block purge operations, it is not possible to permanently delete data until the scheduled retention period has passed.

导出客户数据Exporting customer data

用于创建保管库、密钥、机密、证书和托管存储帐户的相同 REST API、门户体验和 SDK 也可以让你查看和导出这些对象。The same REST APIs, portal experience, and SDKs that are used to create vaults, keys, secrets, certificates, and managed storage accounts also allow you to view and export these objects.

Azure Key Vault 访问日志记录是可选功能,可将其启用以便为每个 REST API 调用生成日志。Azure Key Vault access logging is an optional feature that can be turned on to generate logs for each REST API call. 这些日志将传输到应用了符合组织要求的保留策略的订阅中的存储帐户。These logs will be transferred to a storage account in your subscription where you apply the retention policy that meets your organization's requirements.

Azure Key Vault 诊断日志包含可通过在用户隐私门户中发出导出请求来进行检索的个人数据。Azure Key Vault diagnostic logs that contain personal data can be retrieved by making an export request in the User Privacy portal. 此请求必须由租户管理员发出。This request must be made by the tenant administrator.

后续步骤Next steps