About Azure Key Vault keys

Azure Key Vault supports multiple key types and algorithms.

Cryptographic keys in Key Vault are represented as JSON Web Key [JWK] objects. The JavaScript Object Notation (JSON) and JavaScript Object Signing and Encryption (JOSE) specifications are:

The base JWK/JWA specifications are also extended to enable key types unique to the Key Vault implementation.

Azure Key Vault supports soft keys:

  • Software-protected keys: A key processed in software by Key Vault. Clients may import an existing RSA or EC (Elliptic Curve) key, or request that Key Vault generate one.

Cryptographic protection

Key Vault supports RSA and Elliptic Curve keys only.

  • EC: "Soft" Elliptic Curve key.
  • RSA: "Soft" RSA key.

Key Vault supports RSA keys of sizes 2048, 3072 and 4096. Key Vault supports Elliptic Curve key types P-256, P-384, P-521, and P-256K (SECP256K1).

The cryptographic modules that Key Vault uses are FIPS (Federal Information Processing Standards) validated. You don't need to do anything special to run in FIPS mode. Keys created or imported as software-protected are processed inside cryptographic modules validated to FIPS 140-2 Level 1.

EC algorithms

The following algorithm identifiers are supported with EC keys in Key Vault.

Curve Types

SIGN/VERIFY

  • ES256 - ECDSA for SHA-256 digests and keys created with curve P-256. This algorithm is described in RFC7518.
  • ES256K - ECDSA for SHA-256 digests and keys created with curve P-256K. This algorithm is pending standardization.
  • ES384 - ECDSA for SHA-384 digests and keys created with curve P-384. This algorithm is described in RFC7518.
  • ES512 - ECDSA for SHA-512 digests and keys created with curve P-521. This algorithm is described in RFC7518.

RSA algorithms

The following algorithm identifiers are supported with RSA keys in Key Vault.

WRAPKEY/UNWRAPKEY, ENCRYPT/DECRYPT

  • RSA1_5 - RSAES-PKCS1-V1_5 [RFC3447] key encryption
  • RSA-OAEP - RSAES using Optimal Asymmetric Encryption Padding (OAEP) [RFC3447], with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters use SHA-1 as the hash function and MGF1 with SHA-1 as the mask generation function.

SIGN/VERIFY

  • PS256 - RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in RFC7518.
  • PS384 - RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in RFC7518.
  • PS512 - RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in RFC7518.
  • RS256 - RSASSA-PKCS-v1_5 using SHA-256. The application-supplied digest value must be computed using SHA-256 and must be 32 bytes in length.
  • RS384 - RSASSA-PKCS-v1_5 using SHA-384. The application-supplied digest value must be computed using SHA-384 and must be 48 bytes in length.
  • RS512 - RSASSA-PKCS-v1_5 using SHA-512. The application-supplied digest value must be computed using SHA-512 and must be 64 bytes in length.
  • RSNULL - See [RFC2437], a specialized use case to enable certain TLS scenarios.

Key operations

Key Vault supports the following operations on key objects:

  • Create: Allows a client to create a key in Key Vault. The value of the key is generated by Key Vault and stored, and isn't released to the client. Asymmetric keys may be created in Key Vault.
  • Import: Allows a client to import an existing key to Key Vault. Asymmetric keys may be imported to Key Vault using a number of different packaging methods within a JWK construct.
  • Update: Allows a client with sufficient permissions to modify the metadata (key attributes) associated with a key previously stored within Key Vault.
  • Delete: Allows a client with sufficient permissions to delete a key from Key Vault.
  • List: Allows a client to list all keys in a given Key Vault.
  • List versions: Allows a client to list all versions of a given key in a given Key Vault.
  • Get: Allows a client to retrieve the public parts of a given key in a Key Vault.
  • Backup: Exports a key in a protected form.
  • Restore: Imports a previously backed up key.

For more information, see Key operations in the Key Vault REST API reference.

Once a key has been created in Key Vault, the following cryptographic operations may be performed using the key:

  • Sign and Verify: Strictly, this operation is "sign hash" or "verify hash", as Key Vault doesn't support hashing of content as part of signature creation. Applications should hash the data to be signed locally, then request that Key Vault sign the hash. Verification of signed hashes is supported as a convenience operation for applications that may not have access to [public] key material. For best application performance, VERIFY operations should be performed locally.
  • Key Encryption / Wrapping: A key stored in Key Vault may be used to protect another key, typically a symmetric content encryption key (CEK). When the key in Key Vault is asymmetric, key encryption is used. For example, RSA-OAEP and the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT. When the key in Key Vault is symmetric, key wrapping is used. For example, AES-KW. The WRAPKEY operation is supported as a convenience for applications that may not have access to [public] key material. For best application performance, WRAPKEY operations should be performed locally.
  • Encrypt and Decrypt: A key stored in Key Vault may be used to encrypt or decrypt a single block of data. The size of the block is determined by the key type and selected encryption algorithm. The Encrypt operation is provided for convenience, for applications that may not have access to [public] key material. For best application performance, ENCRYPT operations should be performed locally.
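The "sign hash" model above means the client hashes locally and submits only the digest, and the RS256/RS384/RS512 entries require that digest to be exactly 32/48/64 bytes. The following added example (not Microsoft's code or SDK) hashes content with the algorithm's required hash and rejects a mismatched digest before anything is sent; the `{"alg": ..., "value": ...}` request shape is an assumption for illustration.

```python
import base64
import hashlib

# Signing algorithm identifiers from this page, mapped to the hash the
# application must apply locally and the digest length Key Vault expects.
SIGN_ALG_DIGEST = {
    "RS256": ("sha256", 32), "PS256": ("sha256", 32), "ES256": ("sha256", 32),
    "ES256K": ("sha256", 32),  # pending standardization per the page
    "RS384": ("sha384", 48), "PS384": ("sha384", 48), "ES384": ("sha384", 48),
    "RS512": ("sha512", 64), "PS512": ("sha512", 64), "ES512": ("sha512", 64),
}


def b64url(raw: bytes) -> str:
    """Base64url without padding, the JOSE encoding used for JWK values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def local_digest(alg: str, data: bytes) -> bytes:
    """Hash the content locally: Key Vault signs a digest, never the content."""
    hash_name, _ = SIGN_ALG_DIGEST[alg]
    return hashlib.new(hash_name, data).digest()


def build_sign_request(alg: str, digest: bytes) -> dict:
    """Build the sign request body (assumed shape: alg + base64url digest).

    A digest whose length does not match the algorithm is refused here,
    mirroring the page's "must be 32/48/64 bytes in length" requirement.
    """
    hash_name, expected_len = SIGN_ALG_DIGEST[alg]
    if len(digest) != expected_len:
        raise ValueError(
            f"{alg} needs a {expected_len}-byte {hash_name} digest, "
            f"got {len(digest)} bytes"
        )
    return {"alg": alg, "value": b64url(digest)}


if __name__ == "__main__":
    body = build_sign_request("RS256", local_digest("RS256", b"constructed sample"))
    print(body)
```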

While WRAPKEY/UNWRAPKEY using asymmetric keys may seem superfluous (as the operation is equivalent to ENCRYPT/DECRYPT), the use of distinct operations is important. The distinction provides semantic and authorization separation of these operations, and consistency when other key types are supported by the service.

Key Vault doesn't support EXPORT operations. Once a key is provisioned in the system, it cannot be extracted, nor can its key material be modified. However, users of Key Vault may require their key for other use cases, such as after it has been deleted. In this case, they may use the BACKUP and RESTORE operations to export/import the key in a protected form. Keys created by the BACKUP operation are not usable outside Key Vault. Alternatively, the IMPORT operation may be used against multiple Key Vault instances.

Users may restrict any of the cryptographic operations that Key Vault supports on a per-key basis using the key_ops property of the JWK object.

For more information on JWK objects, see JSON Web Key (JWK).

Key attributes

In addition to the key material, the following attributes may be specified. In a JSON request, the attributes keyword and braces, '{' '}', are required even if there are no attributes specified.

  • enabled: boolean, optional, default is true. Specifies whether the key is enabled and usable for cryptographic operations. The enabled attribute is used in conjunction with nbf and exp. When an operation occurs between nbf and exp, it will only be permitted if enabled is set to true. Operations outside the nbf / exp window are automatically disallowed, except for certain operation types under particular conditions.
  • nbf: IntDate, optional, default is now. The nbf (not before) attribute identifies the time before which the key MUST NOT be used for cryptographic operations, except for certain operation types under particular conditions. The processing of the nbf attribute requires that the current date/time MUST be after or equal to the not-before date/time listed in the nbf attribute. Key Vault MAY provide for some small leeway, normally no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.
  • exp: IntDate, optional, default is "forever". The exp (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for cryptographic operations, except for certain operation types under particular conditions. The processing of the exp attribute requires that the current date/time MUST be before the expiration date/time listed in the exp attribute. Key Vault MAY provide for some small leeway, typically no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.

There are additional read-only attributes that are included in any response that includes key attributes:

  • created: IntDate, optional. The created attribute indicates when this version of the key was created. The value is null for keys created prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.
  • updated: IntDate, optional. The updated attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.

For more information on IntDate and other data types, see About keys, secrets, and certificates: Data types.

Date-time controlled operations

Not-yet-valid and expired keys, outside the nbf / exp window, will still work for decrypt, unwrap, and verify operations (they won't return 403, Forbidden). The rationale for the not-yet-valid state is to allow a key to be tested before production use. The rationale for the expired state is to allow recovery operations on data that was created while the key was valid. Also, you can disable access to a key using Key Vault policies, or by updating the enabled key attribute to false.
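The interplay of key_ops, enabled, nbf and exp described in the attribute list and the date-time controlled operations above is easiest to see as a decision function. The following added example (not Microsoft's code; the key record and the five-minute clock-skew leeway are constructed assumptions, since the page only says "a few minutes") reproduces that logic over a JWK-style record.

```python
import time
from typing import Optional, Tuple

# Operations the page says still work outside the nbf/exp window.
RECOVERY_OPS = {"decrypt", "unwrapKey", "verify"}
CLOCK_SKEW_LEEWAY = 5 * 60  # assumed leeway in seconds ("a few minutes")

# Constructed sample key record in the JWK shape the page describes.
SAMPLE_KEY = {
    "kid": "https://example-vault.vault.azure.net/keys/app-signing/0",  # placeholder
    "kty": "RSA",
    "key_ops": ["sign", "verify", "wrapKey", "unwrapKey"],
    "attributes": {"enabled": True, "nbf": 1_700_000_000, "exp": 1_700_086_400},
}


def is_operation_permitted(key: dict, op: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether `op` may run against `key` at IntDate `now`.

    Order of checks mirrors the page: key_ops restricts operations per key,
    enabled must be true, and outside nbf/exp only the recovery/test
    operations (decrypt, unwrapKey, verify) are still allowed.
    """
    now = int(time.time()) if now is None else now
    key_ops = key.get("key_ops")
    if key_ops is not None and op not in key_ops:
        return False, f"{op} is not listed in key_ops"
    attrs = key.get("attributes", {})
    if not attrs.get("enabled", True):  # default is true
        return False, "key is disabled"
    nbf = attrs.get("nbf")  # default "now": absent means no lower bound
    exp = attrs.get("exp")  # default "forever": absent means no upper bound
    not_yet_valid = nbf is not None and now + CLOCK_SKEW_LEEWAY < nbf
    expired = exp is not None and now - CLOCK_SKEW_LEEWAY >= exp
    if not_yet_valid or expired:
        if op in RECOVERY_OPS:
            return True, f"{op} permitted outside nbf/exp window"
        return False, "outside nbf/exp window"
    return True, "within window and enabled"


if __name__ == "__main__":
    for op in ("sign", "verify", "encrypt"):
        print(op, is_operation_permitted(SAMPLE_KEY, op, now=1_700_040_000))
```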

For more information on data types, see Data types.

For more information on other possible attributes, see the JSON Web Key (JWK).

Key tags

You can specify additional application-specific metadata in the form of tags. Key Vault supports up to 15 tags, each of which can have a 256-character name and a 256-character value.

Note

Tags are readable by a caller if they have the list or get permission to that object type (keys, secrets, or certificates).

Key access control

Access control for keys managed by Key Vault is provided at the level of a Key Vault that acts as the container of keys. The access control policy for keys is distinct from the access control policy for secrets in the same Key Vault. Users may create one or more vaults to hold keys, and are required to maintain scenario-appropriate segmentation and management of keys. Access control for keys is independent of access control for secrets.

The following permissions can be granted, on a per user / service principal basis, in the keys access control entry on a vault. These permissions closely mirror the operations allowed on a key object. Granting access to a service principal in a key vault is a one-time operation, and it will remain the same for all Azure subscriptions. You can use it to deploy as many certificates as you want.

  • Permissions for key management operations

    • get: Read the public part of a key, plus its attributes
    • list: List the keys or versions of a key stored in a key vault
    • update: Update the attributes for a key
    • create: Create new keys
    • import: Import a key to a key vault
    • delete: Delete the key object
    • recover: Recover a deleted key
    • backup: Back up a key in a key vault
    • restore: Restore a backed up key to a key vault
  • Permissions for cryptographic operations

    • decrypt: Use the key to unprotect a sequence of bytes
    • encrypt: Use the key to protect an arbitrary sequence of bytes
    • unwrapKey: Use the key to unprotect wrapped symmetric keys
    • wrapKey: Use the key to protect a symmetric key
    • verify: Use the key to verify digests
    • sign: Use the key to sign digests
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted key

For more information on working with keys, see Key operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Next steps