什么是 Azure 密钥保管库?What is Azure Key Vault?

Key Vault 有助于解决以下问题:Key Vault helps solve the following problems:

  • 机密管理:安全地存储令牌、密码、证书、API 密钥和其他机密,并对其访问进行严格控制。Secret management: Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
  • 密钥管理:创建和控制用于加密数据的加密密钥。Key management: Create and control encryption keys that encrypt your data.
  • 证书管理:预配、管理和部署公用和专用安全套接字层/传输层安全性 (SSL/TLS) 证书,这些证书可以与 Azure 以及你的内部连接资源配合使用。Certificate management: Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.

基本概念Basic concepts

Azure Key Vault 是一个用于安全地存储和访问机密的工具。Azure Key Vault is a tool for securely storing and accessing secrets. 机密是你希望严格控制对其的访问的任何东西,例如 API 密钥、密码或证书。A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. 保管库是机密的逻辑组。A vault is logical group of secrets.

下面是其他重要的术语:Here are other important terms:

  • 租户:租户是拥有和管理特定的 Microsoft 云服务实例的组织。Tenant: A tenant is the organization that owns and manages a specific instance of Microsoft cloud services. 它通常用来引用组织的 Azure 和 Office 365 服务集。It’s most often used to refer to the set of Azure and Office 365 services for an organization.

  • 保管库所有者:保管库所有者可以创建密钥保管库并获得它的完全访问权限和控制权。Vault owner: A vault owner can create a key vault and gain full access and control over it. 保管库所有者还可以设置审核来记录谁访问了机密和密钥。The vault owner can also set up auditing to log who accesses secrets and keys. 管理员可以控制密钥生命周期。Administrators can control the key lifecycle. 他们可以滚动到密钥的新版本、对其进行备份,以及执行相关的任务。They can roll to a new version of the key, back it up, and do related tasks.

  • 保管库使用者:当保管库所有者为保管库使用者授予了访问权限时,使用者可以对密钥保管库内的资产执行操作。Vault consumer: A vault consumer can perform actions on the assets inside the key vault when the vault owner grants the consumer access. 可用操作取决于所授予的权限。The available actions depend on the permissions granted.

  • 资源:资源是可通过 Azure 获取的可管理项。Resource: A resource is a manageable item that's available through Azure. 常见示例包括虚拟机、存储帐户、Web 应用、数据库和虚拟网络。Common examples are virtual machine, storage account, web app, database, and virtual network. 这只是其中一小部分。There are many more.

  • 资源组:资源组是用于保存 Azure 解决方案相关资源的容器。Resource group: A resource group is a container that holds related resources for an Azure solution. 资源组可以包含解决方案的所有资源,也可以只包含想要作为组来管理的资源。The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. 根据对组织有利的原则,决定如何将资源分配到资源组。You decide how you want to allocate resources to resource groups, based on what makes the most sense for your organization.

  • 服务主体:Azure 服务主体是用户创建的应用、服务和自动化工具用来访问特定 Azure 资源的安全标识。Service principal: An Azure service principal is a security identity that user-created apps, services, and automation tools use to access specific Azure resources. 可将其视为具有特定角色,并且权限受到严格控制的“用户标识”(用户名和密码,或者证书)。Think of it as a "user identity" (username and password or certificate) with a specific role, and tightly controlled permissions. 与普通的用户标识不同,服务主体只需执行特定的操作。A service principal should only need to do specific things, unlike a general user identity. 如果只向它授予执行管理任务所需的最低权限级别,则可以提高安全性。It improves security if you grant it only the minimum permission level that it needs to perform its management tasks.

  • Azure Active Directory (Azure AD) :Azure AD 是租户的 Active Directory 服务。Azure Active Directory (Azure AD): Azure AD is the Active Directory service for a tenant. 每个目录有一个或多个域。Each directory has one or more domains. 每个目录可以有多个订阅与之关联,但只有一个租户。A directory can have many subscriptions associated with it, but only one tenant.

  • Azure 租户 ID:租户 ID 是用于在 Azure 订阅中标识 Azure AD 实例的唯一方法。Azure tenant ID: A tenant ID is a unique way to identify an Azure AD instance within an Azure subscription.

Key Vault 角色Key Vault roles

使用下表详细了解密钥保管库如何帮助达到开发人员和安全管理员的需求。Use the following table to better understand how Key Vault can help to meet the needs of developers and security administrators.

角色Role 问题陈述Problem statement Azure 密钥保管库已解决问题Solved by Azure Key Vault
Azure 应用程序开发人员Developer for an Azure application “我想要编写使用密钥进行签名和加密的 Azure 应用程序,但希望这些密钥与应用程序分开,使解决方案适用于地理分散的应用程序。“I want to write an application for Azure that uses keys for signing and encryption, but I want these keys to be external from my application so that the solution is suitable for an application that is geographically distributed.

同时还希望这些密钥和机密都是经过加密的,而无需自己编写代码。I also want these keys and secrets to be protected, without having to write the code myself. 除此之外,希望这些密钥和机密在应用程序中易于使用,能实现最佳性能。”I also want these keys and secrets to be easy for me to use from my applications, with optimal performance.”
√ 密钥存储在保管库中,可按需由 URI 调用。√ Keys are stored in a vault and invoked by URI when needed.

软件即服务 (SaaS) 开发人员Developer for software as a service (SaaS) “对于客户的租户密钥和机密,我不想承担任何实际或潜在法律责任。“I don’t want the responsibility or potential liability for my customers’ tenant keys and secrets.

我希望客户拥有并管理他们自己的密钥,使我能够将全部精力集中在我的专长上,也就是提供核心软件功能。”I want customers to own and manage their keys so that I can concentrate on doing what I do best, which is providing the core software features.”
√ 客户可以将他们自己的密钥导入 Azure 并进行管理。√ Customers can import their own keys into Azure, and manage them. 当 SaaS 应用程序需要使用客户的密钥来执行加密操作时,Key Vault 将代表应用程序执行这些操作。When a SaaS application needs to perform cryptographic operations by using customers’ keys, Key Vault does these operations on behalf of the application. 应用程序看不到客户的密钥。The application does not see the customers’ keys.
首席安全官 (CSO)Chief security officer (CSO) “我想要确保我的组织掌控密钥生命周期,并可监视密钥的使用。“I want to make sure that my organization is in control of the key lifecycle and can monitor key usage.

此外,即使我们使用多个 Azure 服务和资源,我也想要从 Azure 中的单个位置管理密钥。”And although we use multiple Azure services and resources, I want to manage the keys from a single location in Azure.”
√ Key Vault 设计用于确保 Microsoft 不会看到或提取你的密钥。√ Key Vault is designed so that Microsoft does not see or extract your keys.

√ 以近实时方式记录密钥的使用。√ Key usage is logged in near real time.

√ 无论 Azure 中拥有的密钥数量,以及支持的地区和使用这些密钥的应用程序,保管库都仅提供单个界面。√ The vault provides a single interface, regardless of how many vaults you have in Azure, which regions they support, and which applications use them.

具有 Azure 订阅的任何人都可以创建和使用密钥保管库。Anybody with an Azure subscription can create and use key vaults. 尽管 Key Vault 能够为开发人员和安全管理员提供便利,但管理其他 Azure 服务的管理员也可以实现和管理 Key Vault。Although Key Vault benefits developers and security administrators, it can be implemented and managed by an organization’s administrator who manages other Azure services. 例如,此管理员可以使用 Azure 订阅登录、创建组织用来存储密钥的保管库,并负责执行操作任务,如下所示:For example, this administrator can sign in with an Azure subscription, create a vault for the organization in which to store keys, and then be responsible for operational tasks like these:

  • 创建或导入密钥或机密Create or import a key or secret
  • 吊销或删除密钥或机密Revoke or delete a key or secret
  • 授权用户或应用程序访问密钥保管库,使它们能够管理或使用其密钥和机密Authorize users or applications to access the key vault, so they can then manage or use its keys and secrets
  • 配置密钥用法(例如,签名或加密)Configure key usage (for example, sign or encrypt)
  • 监视密钥用法Monitor key usage

该管理员然后会为开发人员提供 URI,方便其从应用程序进行调用。This administrator then gives developers URIs to call from their applications. 该管理员也会将密钥使用日志记录信息提供给安全管理员。This administrator also gives key usage logging information to the security administrator.

Azure 密钥保管库的工作原理概述

开发人员还可通过使用 API 直接管理密钥。Developers can also manage the keys directly, by using APIs. 有关详细信息,请参阅 开发人员指南For more information, see the Key Vault developer's guide.

后续步骤Next steps

了解如何保护保管库Learn how to secure your vault.

大多数区域都提供了 Azure 密钥保管库。Azure Key Vault is available in most regions. 有关详细信息,请参阅 密钥保管库定价页For more information, see the Key Vault pricing page.