Secure access to a key vault

Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, you need to secure access to your key vaults by allowing only authorized applications and users. This article provides an overview of the Key Vault access model. It explains authentication and authorization, and describes how to secure access to your key vaults.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Access model overview

Access to a key vault is controlled through two interfaces: the management plane and the data plane. The management plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and updating access policies. The data plane is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication establishes the identity of the caller. Authorization determines which operations the caller can execute.

Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses a Key Vault access policy.

Active Directory authentication

When you create a key vault in an Azure subscription, it's automatically associated with the Azure AD tenant of the subscription. All callers in both planes must register in this tenant and authenticate to access the key vault. In both cases, applications can access Key Vault in two ways:

  • User plus application access: The application accesses Key Vault on behalf of a signed-in user. Examples of this type of access include Azure PowerShell and the Azure portal. User access is granted in two ways. Users can access Key Vault from any application, or they must use a specific application (referred to as compound identity).
  • Application-only access: The application runs as a daemon service or background job. The application identity is granted access to the key vault.

For both types of access, the application authenticates with Azure AD. The application uses any supported authentication method based on the application type. The application acquires a token for a resource in the plane to grant access. The resource is an endpoint in the management or data plane, based on the Azure environment. The application uses the token and sends a REST API request to Key Vault. To learn more, review the whole authentication flow.

The model of a single mechanism for authentication to both planes has several benefits:

  • Organizations can control access centrally to all key vaults in their organization.
  • If a user leaves, they instantly lose access to all key vaults in the organization.
  • Organizations can customize authentication by using the options in Azure AD, such as enabling multi-factor authentication for added security.

Resource endpoints

Applications access the planes through endpoints. The access controls for the two planes work independently. To grant an application access to use keys in a key vault, you grant data plane access by using a Key Vault access policy. To grant a user read access to Key Vault properties and tags, but not access to data (keys, secrets, or certificates), you grant management plane access with RBAC.

The following table shows the endpoints for the management and data planes.

| Access plane | Access endpoints | Operations | Access control mechanism |
| --- | --- | --- | --- |
| Management plane | Azure China 21Vianet: management.chinacloudapi.cn:443 | Create, read, update, and delete key vaults; set Key Vault access policies; set Key Vault tags | Azure Resource Manager RBAC |
| Data plane | Azure China 21Vianet: <vault-name>.vault.azure.cn:443 | Keys: decrypt, encrypt, unwrap, wrap, verify, sign, get, list, update, create, import, delete, backup, restore. Secrets: get, list, set, delete | Key Vault access policy |

Management plane and RBAC

In the management plane, you use RBAC to authorize the operations a caller can execute. In the RBAC model, each Azure subscription has an instance of Azure AD. You grant access to users, groups, and applications from this directory. Access is granted to manage resources in the Azure subscription that use the Azure Resource Manager deployment model. To grant access, use the Azure portal, the Azure CLI, Azure PowerShell, or the Azure Resource Manager REST APIs.

You create a key vault in a resource group and manage access by using Azure AD. You grant users or groups the ability to manage the key vaults in a resource group. You grant the access at a specific scope level by assigning appropriate RBAC roles. To grant a user access to manage key vaults, you assign the predefined Key Vault Contributor role to the user at a specific scope. The following scope levels can be assigned to an RBAC role:

  • Subscription: An RBAC role assigned at the subscription level applies to all resource groups and resources within that subscription.
  • Resource group: An RBAC role assigned at the resource group level applies to all resources in that resource group.
  • Specific resource: An RBAC role assigned for a specific resource applies to that resource. In this case, the resource is a specific key vault.

There are several predefined roles. If a predefined role doesn't fit your needs, you can define your own role. For more information, see RBAC: Built-in roles.

Important

If a user has Contributor permissions to a key vault's management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
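Because a management-plane Contributor can rewrite the access policies, reviewing a vault means looking at both planes together. The following PowerShell is an added example, not code from the original article: it lists the privileged role assignments that apply at the vault's scope (directly or inherited from the resource group or subscription) next to the vault's own access policy entries. It assumes the ContosoKeyVault vault and ContosoAppRG resource group used later in this article.

```powershell
# Added example (not from the original article): show who can reach the data plane of a vault,
# either directly through an access policy or indirectly through a management-plane role
# that can change those policies. Assumes ContosoKeyVault in ContosoAppRG.
$kv = Get-AzKeyVault -VaultName ContosoKeyVault -ResourceGroupName ContosoAppRG

# Management plane: role assignments visible at the vault's scope, including inherited ones.
# Owner and Contributor (and Key Vault Contributor) can set access policies, so they can
# grant themselves data plane access; User Access Administrator can hand out those roles.
$privileged = @('Owner', 'Contributor', 'Key Vault Contributor', 'User Access Administrator')
Get-AzRoleAssignment -Scope $kv.ResourceId |
    Where-Object { $privileged -contains $_.RoleDefinitionName } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Data plane: every access policy entry and the operations it grants per object type.
$kv.AccessPolicies |
    Select-Object DisplayName, ObjectId,
        @{ Name = 'Keys';         Expression = { $_.PermissionsToKeys -join ',' } },
        @{ Name = 'Secrets';      Expression = { $_.PermissionsToSecrets -join ',' } },
        @{ Name = 'Certificates'; Expression = { $_.PermissionsToCertificates -join ',' } } |
    Format-Table -AutoSize
```

Anyone who appears in the first table but is not expected to work with the vault's contents should be treated as having data plane access in practice, since nothing stops them from adding an access policy for themselves.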

Data plane and access policies

You grant data plane access by setting Key Vault access policies for a key vault. To set these access policies, a user, group, or application must have Contributor permissions for the management plane for that key vault.

You grant a user, group, or application access to execute specific operations for keys or secrets in a key vault. Key Vault supports up to 1,024 access policy entries for a key vault. To grant data plane access to several users, create an Azure AD security group and add users to that group.

Key Vault access policies grant permissions separately to keys, secrets, and certificates. You can grant a user access only to keys and not to secrets. Access permissions for keys, secrets, and certificates are at the vault level. Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate. To set access policies for a key vault, use the Azure portal, the Azure CLI, Azure PowerShell, or the Key Vault Management REST APIs.

Important

Key Vault access policies apply at the vault level. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

You can restrict data plane access by using virtual network service endpoints for Azure Key Vault. You can configure firewalls and virtual network rules for an additional layer of security.
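The firewall and virtual network rules mentioned above are set with the Az.KeyVault network rule cmdlets. The following PowerShell is an added example, not code from the original article: it allows one subnet and one address range and then switches the vault's default action to Deny. The subnet resource ID, the `<SUBSCRIPTION-GUID>`, `<VNET-NAME>` and `<SUBNET-NAME>` placeholders, and the 203.0.113.0/24 range are constructed values for illustration.

```powershell
# Added example (not from the original article): restrict the data plane of ContosoKeyVault
# to one subnet and one office address range, then deny everything else.
# The subnet ID and IP range below are constructed placeholders, not values from this article.
$vnetSubnetId = '/subscriptions/<SUBSCRIPTION-GUID>/resourceGroups/ContosoAppRG/providers/Microsoft.Network/virtualNetworks/<VNET-NAME>/subnets/<SUBNET-NAME>'

# The subnet must already have the Microsoft.KeyVault service endpoint enabled.
Add-AzKeyVaultNetworkRule -VaultName ContosoKeyVault -VirtualNetworkResourceId $vnetSubnetId

# Constructed example range (TEST-NET-3); replace with the addresses that actually need access.
Add-AzKeyVaultNetworkRule -VaultName ContosoKeyVault -IpAddressRange '203.0.113.0/24'

# Flip the default action to Deny only after the allow rules exist, so the application's VMs
# are not locked out in between. Bypass AzureServices keeps trusted Azure services working.
Update-AzKeyVaultNetworkRuleSet -VaultName ContosoKeyVault -DefaultAction Deny -Bypass AzureServices

# Read back the effective rule set to confirm DefaultAction, Bypass, and the rule lists.
(Get-AzKeyVault -VaultName ContosoKeyVault).NetworkAcls
```

Network rules only narrow where data plane calls may originate; the caller still needs a valid Azure AD token and a matching access policy, so the rules complement rather than replace the access model described above.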

Example

In this example, we're developing an application that uses a certificate for SSL, Azure Storage to store data, and an RSA 2,048-bit key for sign operations. Our application runs in an Azure virtual machine (VM) (or a virtual machine scale set). We can use a key vault to store the application secrets. We can store the bootstrap certificate that's used by the application to authenticate with Azure AD.

We need access to the following stored keys and secrets:

  • SSL certificate: Used for SSL.
  • Storage key: Used to access the Storage account.
  • RSA 2,048-bit key: Used for sign operations.
  • Bootstrap certificate: Used to authenticate with Azure AD. After access is granted, we can fetch the storage key and use the RSA key for signing.

We need to define the following roles to specify who can manage, deploy, and audit our application:

  • Security team: IT staff from the office of the CSO (Chief Security Officer) or similar contributors. The security team is responsible for the proper safekeeping of secrets. The secrets can include SSL certificates, RSA keys for signing, connection strings, and storage account keys.
  • Developers and operators: The staff who develop the application and deploy it in Azure. The members of this team aren't part of the security staff. They shouldn't have access to sensitive data like SSL certificates and RSA keys. Only the application that they deploy should have access to sensitive data.
  • Auditors: This role is for contributors who aren't members of the development or general IT staff. They review the use and maintenance of certificates, keys, and secrets to ensure compliance with security standards.

There's another role that's outside the scope of our application: the subscription (or resource group) administrator. The subscription admin sets up initial access permissions for the security team. They grant access to the security team by using a resource group that has the resources required by the application.

We need to authorize the following operations for our roles:

Security team

  • Create key vaults.
  • Turn on Key Vault logging.
  • Add keys and secrets.
  • Create backups of keys for disaster recovery.
  • Set Key Vault access policies to grant permissions to users and applications for specific operations.
  • Roll the keys and secrets periodically.

Developers and operators

  • Get references from the security team for the bootstrap and SSL certificates (thumbprints), storage key (secret URI), and RSA key (key URI) for signing.
  • Develop and deploy the application to access keys and secrets programmatically.

Auditors

  • Review the Key Vault logs to confirm proper use of keys and secrets, and compliance with data security standards.

The following table summarizes the access permissions for our roles and application.

| Role | Management plane permissions | Data plane permissions |
| --- | --- | --- |
| Security team | Key Vault Contributor | Keys: backup, create, delete, get, import, list, restore. Secrets: all operations |
| Developers and operators | Key Vault deploy permission. Note: This permission allows deployed VMs to fetch secrets from a key vault. | None |
| Auditors | None | Keys: list. Secrets: list. Note: This permission enables auditors to inspect attributes (tags, activation dates, expiration dates) for keys and secrets that are not emitted in the logs. |
| Application | None | Keys: sign. Secrets: get |

The three team roles need access to other resources along with Key Vault permissions. To deploy VMs (or the Web Apps feature of Azure App Service), developers and operators need Contributor access to those resource types. Auditors need read access to the Storage account where the Key Vault logs are stored.

For more information about how to deploy certificates, access keys, and secrets programmatically, see these resources:

You can grant most of the access permissions by using the Azure portal. To grant granular permissions, you can use Azure PowerShell or the Azure CLI.

The PowerShell snippets in this section are built with the following assumptions:

  • The Azure AD administrator has created security groups to represent the three roles: Contoso Security Team, Contoso App DevOps, and Contoso App Auditors. The admin has added users to their respective groups.
  • All resources are located in the ContosoAppRG resource group.
  • The Key Vault logs are stored in the contosologstorage storage account.
  • The ContosoKeyVault key vault and the contosologstorage storage account are in the same Azure location.

The subscription admin assigns the Key Vault Contributor and User Access Administrator roles to the security team. These roles allow the security team to manage access to other resources and key vaults, both of which are in the ContosoAppRG resource group.

# Assign the built-in Key Vault Contributor and User Access Administrator roles to the security team at resource group scope
New-AzRoleAssignment -ObjectId (Get-AzADGroup -SearchString 'Contoso Security Team')[0].Id -RoleDefinitionName "Key Vault Contributor" -ResourceGroupName ContosoAppRG
New-AzRoleAssignment -ObjectId (Get-AzADGroup -SearchString 'Contoso Security Team')[0].Id -RoleDefinitionName "User Access Administrator" -ResourceGroupName ContosoAppRG

The security team creates a key vault and sets up logging and access permissions. For details about Key Vault access policy permissions, see About Azure Key Vault keys, secrets, and certificates.

# Create a key vault and enable logging
$sa = Get-AzStorageAccount -ResourceGroupName ContosoAppRG -Name contosologstorage
$kv = New-AzKeyVault -Name ContosoKeyVault -ResourceGroupName ContosoAppRG -Sku Premium -Location 'chinanorth' -EnabledForDeployment
# Send AuditEvent logs for the vault to the log storage account so auditors can review them
Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent

# Set up data plane permissions for the Contoso Security Team role
Set-AzKeyVaultAccessPolicy -VaultName ContosoKeyVault -ObjectId (Get-AzADGroup -SearchString 'Contoso Security Team')[0].Id -PermissionsToKeys backup,create,delete,get,import,list,restore -PermissionsToSecrets get,list,set,delete,backup,restore,recover,purge

# Set up management plane permissions for the Contoso App DevOps role
# Create the new role from an existing role
$devopsrole = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$devopsrole.Id = $null
$devopsrole.Name = "Contoso App DevOps"
$devopsrole.Description = "Can deploy VMs that need secrets from a key vault"
$devopsrole.AssignableScopes = @("/subscriptions/<SUBSCRIPTION-GUID>")

# Add permissions for the Contoso App DevOps role so members can deploy VMs with secrets deployed from key vaults
$devopsrole.Actions.Add("Microsoft.KeyVault/vaults/deploy/action")
New-AzRoleDefinition -Role $devopsrole

# Assign the new role to the Contoso App DevOps security group (the role name must match the definition above)
New-AzRoleAssignment -ObjectId (Get-AzADGroup -SearchString 'Contoso App DevOps')[0].Id -RoleDefinitionName "Contoso App DevOps" -ResourceGroupName ContosoAppRG

# Set up data plane permissions for the Contoso App Auditors role
Set-AzKeyVaultAccessPolicy -VaultName ContosoKeyVault -ObjectId (Get-AzADGroup -SearchString 'Contoso App Auditors')[0].Id -PermissionsToKeys list -PermissionsToSecrets list

Our defined custom roles are assignable only to the subscription where the ContosoAppRG resource group is created. To use a custom role for other projects in other subscriptions, add those subscriptions to the role's assignable scopes.

For our DevOps staff, the custom role assignment for the key vault deploy/action permission is scoped to the resource group. Only VMs created in the ContosoAppRG resource group are allowed access to the secrets (SSL and bootstrap certificates). VMs created in other resource groups by a DevOps member can't access these secrets, even if the VM has the secret URIs.
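The snippets above grant the security team and the auditors their data plane permissions, but not the application's own entry from the permissions table (Keys: sign, Secrets: get). The following PowerShell is an added example, not code from the original article: it grants exactly that entry to the application's identity and then reads the vault back to confirm that the policy carries nothing more and that the DevOps group has no data plane entry at all. The service principal display name 'Contoso App' is an assumption; the group name and vault name come from this article.

```powershell
# Added example (not from the original article): give the application identity the data plane
# permissions from the table (Keys: sign, Secrets: get) and verify nothing broader was granted.
# 'Contoso App' is an assumed display name for the application's service principal.
$app = Get-AzADServicePrincipal -DisplayName 'Contoso App'

Set-AzKeyVaultAccessPolicy -VaultName ContosoKeyVault -ObjectId $app.Id `
    -PermissionsToKeys sign -PermissionsToSecrets get

# Read the policy back from the service rather than trusting the call succeeded as intended.
$policies = (Get-AzKeyVault -VaultName ContosoKeyVault).AccessPolicies
$appPolicy = $policies | Where-Object { $_.ObjectId -eq $app.Id }

$extraKeys    = @($appPolicy.PermissionsToKeys    | Where-Object { $_ -ne 'sign' })
$extraSecrets = @($appPolicy.PermissionsToSecrets | Where-Object { $_ -ne 'get' })
if ($extraKeys.Count -or $extraSecrets.Count -or $appPolicy.PermissionsToCertificates) {
    throw ("Application policy grants more than sign/get: keys={0}; secrets={1}" -f
        ($appPolicy.PermissionsToKeys -join ','), ($appPolicy.PermissionsToSecrets -join ','))
}

# Developers and operators only hold the deploy/action management-plane permission, so the
# DevOps group must not appear in the vault's access policies at all.
$devops = (Get-AzADGroup -SearchString 'Contoso App DevOps')[0]
if ($policies.ObjectId -contains $devops.Id) {
    throw 'Contoso App DevOps should not have a Key Vault access policy'
}

Write-Output 'Application policy is sign/get only and DevOps has no data plane entry.'
```

Because access policies apply at the vault level, the application's `sign` permission covers every key in ContosoKeyVault, not just the RSA signing key; keeping the vault scoped to this one application is what keeps that grant narrow.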

Our example describes a simple scenario. Real-life scenarios can be more complex. You can adjust permissions to your key vault based on your needs. We assumed the security team provides the key and secret references (URIs and thumbprints), which are used by the DevOps staff in their applications. Developers and operators don't require any data plane access. We focused on how to secure your key vault. Give similar consideration when you secure your VMs, storage accounts, and other Azure resources.

Note

This example shows how Key Vault access is locked down in production. Developers should have their own subscription or resource group with full permissions to manage the vaults, VMs, and storage accounts they use to develop the application.

We recommend that you further secure access to your key vault by configuring Key Vault firewalls and virtual networks.

Resources

Next steps

Configure Key Vault firewalls and virtual networks.

For a getting-started tutorial for an administrator, see What is Azure Key Vault?

For more information about using keys and secrets with Azure Key Vault, see About keys and secrets.

If you have questions about Key Vault, visit the forums.