Move an Azure key vault across regions

Azure Key Vault doesn't support a resource move operation that moves a key vault from one region to another. This article covers workarounds for organizations that have a business need to move a key vault to another region. Each workaround has limitations. It's critical to understand the implications of these workarounds before you apply them in a production environment.

To move a key vault to another region, you create a key vault in that region and then copy each individual secret, key, and certificate from your existing key vault to the new one. You can do this by using either of the following two options.

Design considerations

Before you begin, keep in mind the following:

  • Key vault names are globally unique. You can't reuse a vault name, so the new vault needs a different name, and every client that resolves the vault by its DNS name (https://<vault-name>.vault.azure.net) must be repointed.
  • You need to reconfigure your access policies (or Azure RBAC role assignments) and network configuration settings, such as firewall rules and private endpoints, on the new key vault.
  • You need to reconfigure soft-delete and purge protection on the new key vault.
  • The backup and restore operation doesn't preserve your autorotation settings. You might need to reconfigure those settings on the new key vault.

Option 1: Use the key vault backup and restore commands

You can back up each individual secret, key, and certificate in your vault by using the backup command. Each object is downloaded as an encrypted blob that only Key Vault can decrypt. You can then restore the blob into your new key vault. For a list of commands, see Azure Key Vault commands.

Using the backup and restore commands has two limitations:

  • You can't back up a key vault in one geography and restore it into another geography. A backup blob can be restored only into a key vault in the same Azure subscription and the same Azure geography. For more information, see Azure geographies.

  • The backup command backs up all versions of each secret. If a secret has a large number of previous versions (more than about 10), the request size might exceed the allowed maximum and the operation might fail.
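The following script is an added example that is not part of the original article; it walks Option 1 end to end with the Az.KeyVault cmdlets (Backup-AzKeyVaultSecret, Restore-AzKeyVaultSecret, and the key and certificate equivalents). It assumes Connect-AzAccount has already been run, that the caller has backup and restore permission on both vaults, and that the two vaults are in the same subscription and geography. The vault names and backup directory are placeholders. Certificates are backed up as certificates because that blob already contains the backing key and secret; the script relies on the Managed property of the secret and key listings to skip those certificate-backed objects, which is an assumption about the cmdlet output.

```powershell
# Added example, not code from the original article.
# Back up every secret, key and certificate in a source vault and restore
# them into a target vault. Assumes Connect-AzAccount has been run and the
# caller has backup/restore rights on both vaults. Names are placeholders.
param(
    [string]$SourceVault = 'kv-source-placeholder',
    [string]$TargetVault = 'kv-target-placeholder',
    [string]$BackupDir   = (Join-Path $PWD 'kv-backup')
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Backups restore only within the same subscription and geography. Print both
# locations so a cross-geography move is caught before the first restore fails.
$src = Get-AzKeyVault -VaultName $SourceVault
$dst = Get-AzKeyVault -VaultName $TargetVault
Write-Host "Source vault region: $($src.Location)  Target vault region: $($dst.Location)"

# A certificate backup already carries its backing key and secret, so skip the
# managed secrets/keys (assumption: the listing exposes a Managed property).
$certs   = Get-AzKeyVaultCertificate -VaultName $SourceVault
$secrets = Get-AzKeyVaultSecret -VaultName $SourceVault | Where-Object { -not $_.Managed }
$keys    = Get-AzKeyVaultKey    -VaultName $SourceVault | Where-Object { -not $_.Managed }

foreach ($s in $secrets) {
    # The blob contains every version; the article warns that more than about
    # ten versions can push the request over the size limit, so warn first.
    $versions = @(Get-AzKeyVaultSecret -VaultName $SourceVault -Name $s.Name -IncludeVersions)
    if ($versions.Count -gt 10) {
        Write-Warning "$($s.Name) has $($versions.Count) versions; backup may exceed the request size limit"
    }
    $file = Join-Path $BackupDir "secret-$($s.Name).blob"
    Backup-AzKeyVaultSecret  -VaultName $SourceVault -Name $s.Name -OutputFile $file -Force | Out-Null
    Restore-AzKeyVaultSecret -VaultName $TargetVault -InputFile $file | Out-Null
}
foreach ($k in $keys) {
    $file = Join-Path $BackupDir "key-$($k.Name).blob"
    Backup-AzKeyVaultKey  -VaultName $SourceVault -Name $k.Name -OutputFile $file -Force | Out-Null
    Restore-AzKeyVaultKey -VaultName $TargetVault -InputFile $file | Out-Null
}
foreach ($c in $certs) {
    $file = Join-Path $BackupDir "cert-$($c.Name).blob"
    Backup-AzKeyVaultCertificate  -VaultName $SourceVault -Name $c.Name -OutputFile $file -Force | Out-Null
    Restore-AzKeyVaultCertificate -VaultName $TargetVault -InputFile $file | Out-Null
}

# Verify by name that nothing was skipped. Rotation settings are not carried
# over by backup/restore, so reapply them on the target afterwards.
$targetNames = (Get-AzKeyVaultSecret -VaultName $TargetVault).Name
$missing = (Get-AzKeyVaultSecret -VaultName $SourceVault).Name | Where-Object { $_ -notin $targetNames }
if ($missing) { Write-Warning "Not restored: $($missing -join ', ')" }
```

Restore fails with a conflict if an object of the same name already exists in the target vault, so run this against an empty target. The blobs are encrypted by the service and are useless outside the same geography, but they are still backups of production material: delete the directory once the verification step passes.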

Option 2: Manually download and upload the key vault secrets

You can download certain secret types manually. For example, you can download a certificate as a PFX file. This option removes the geographical restriction for those secret types: you can upload the PFX file to any key vault in any region. The secrets are downloaded in a format that is not password protected, so you are responsible for securing them during the move.
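The following script is an added example, not code from the original article, showing Option 2 for a certificate. Key Vault exposes an exportable certificate as a secret whose value is the base64-encoded PFX with no password, so rather than writing that unprotected PFX to disk the script reads it into memory with Get-AzKeyVaultSecret -AsPlainText, checks the thumbprint against the source certificate, and uploads it with Import-AzKeyVaultCertificate -CertificateString. It assumes Connect-AzAccount has been run, that the caller has Get permission on the source secret and Import permission on the target, and that the certificate's private key is exportable. Vault and certificate names are placeholders.

```powershell
# Added example, not code from the original article.
# Move one certificate (with private key) between vaults in different
# geographies without writing the unprotected PFX to disk.
param(
    [string]$SourceVault = 'kv-source-placeholder',
    [string]$TargetVault = 'kv-target-placeholder',
    [string]$CertName    = 'example-cert'   # placeholder certificate name
)
$ErrorActionPreference = 'Stop'

# The secret behind a certificate reports its encoding in ContentType; this
# example handles the PFX (PKCS#12) form only.
$meta = Get-AzKeyVaultSecret -VaultName $SourceVault -Name $CertName
if ($meta.ContentType -ne 'application/x-pkcs12') {
    throw "$CertName is stored as '$($meta.ContentType)'; this example handles PFX only"
}

# Pull the base64 PFX straight into memory. It has no password.
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $SourceVault -Name $CertName -AsPlainText

# Sanity check before upload: parse the PFX and compare the thumbprint with
# what the source vault reports for the certificate object.
$bytes  = [Convert]::FromBase64String($pfxBase64)
$parsed = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
$srcThumb = (Get-AzKeyVaultCertificate -VaultName $SourceVault -Name $CertName).Thumbprint
if ($parsed.Thumbprint -ne $srcThumb) {
    throw "Downloaded PFX thumbprint $($parsed.Thumbprint) does not match source $srcThumb"
}

# Import from the base64 string; nothing unprotected touches the file system.
$imported = Import-AzKeyVaultCertificate -VaultName $TargetVault -Name $CertName -CertificateString $pfxBase64
Write-Host "Imported $CertName into $TargetVault (thumbprint $($imported.Thumbprint), version $($imported.Version))"

# Drop the plaintext copies as soon as the import succeeds.
$pfxBase64 = $null
[Array]::Clear($bytes, 0, $bytes.Length)
$parsed.Dispose()
```

Two caveats a practitioner should plan for: only the current version of the certificate moves, and it receives a new version identifier in the target vault, so any consumer that pins a versioned secret or certificate URI must be updated; and if the certificate's policy marks the private key as non-exportable, the secret cannot be read and this option does not apply.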