About Azure Key Vault secrets

Key Vault provides secure storage of secrets, such as passwords and database connection strings.

From a developer's perspective, Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each. The Key Vault service doesn't provide semantics for secrets. It merely accepts the data, encrypts it, stores it, and returns a secret identifier ("id"). The identifier can be used to retrieve the secret at a later time.

For highly sensitive data, clients should consider additional layers of protection for the data. Encrypting data using a separate protection key prior to storage in Key Vault is one example.

Key Vault also supports a contentType field for secrets. Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved. The maximum length of this field is 255 characters. There are no predefined values. The suggested usage is as a hint for interpreting the secret data. For instance, an implementation may store both passwords and certificates as secrets, then use this field to differentiate between them.

Encryption

All secrets in your Key Vault are stored encrypted. This encryption is transparent, and requires no action from the user. The Azure Key Vault service encrypts your secrets when you add them, and decrypts them automatically when you read them. The encryption key is unique to each key vault.

Secret attributes

In addition to the secret data, the following attributes may be specified:

  • exp: IntDate, optional, default is forever. The exp (expiration time) attribute identifies the expiration time on or after which the secret data SHOULD NOT be retrieved, except in particular situations. This field is for informational purposes only, as it informs users of the Key Vault service that a particular secret may not be used. Its value MUST be a number containing an IntDate value.
  • nbf: IntDate, optional, default is now. The nbf (not before) attribute identifies the time before which the secret data SHOULD NOT be retrieved, except in particular situations. This field is for informational purposes only. Its value MUST be a number containing an IntDate value.
  • enabled: boolean, optional, default is true. This attribute specifies whether the secret data can be retrieved. The enabled attribute is used in conjunction with nbf and exp: when an operation occurs between nbf and exp, it is permitted only if enabled is set to true. Operations outside the nbf and exp window are automatically disallowed, except in particular situations.

There are additional read-only attributes that are included in any response that includes secret attributes:

  • created: IntDate, optional. The created attribute indicates when this version of the secret was created. This value is null for secrets created prior to the addition of this attribute. Its value must be a number containing an IntDate value.
  • updated: IntDate, optional. The updated attribute indicates when this version of the secret was updated. This value is null for secrets that were last updated prior to the addition of this attribute. Its value must be a number containing an IntDate value.

Date-time controlled operations

A secret's get operation works for not-yet-valid and expired secrets, that is, outside the nbf / exp window. Calling get on a not-yet-valid secret can be used for test purposes. Retrieving (getting) an expired secret can be used for recovery operations.
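As an added example (not code from the article or from the Key Vault SDKs), the following parses a constructed secret bundle in the REST response shape (value, id, contentType, attributes with IntDate timestamps) and applies the nbf / exp / enabled rule described above, including the carve-out that get still works outside the window. The vault name, version and secret value are made up.

```python
import json

# Constructed sample of a Key Vault secret bundle. The field names follow the
# REST API response (value, id, contentType, attributes); the vault name,
# version and secret value are made up for this example.
SAMPLE_BUNDLE = json.dumps({
    "value": "Server=db.example.invalid;User Id=app;Password=placeholder",
    "id": "https://example-vault.vault.azure.net/secrets/db-conn/0123456789abcdef",
    "contentType": "text/plain; kind=connection-string",
    "attributes": {
        "enabled": True,
        "nbf": 1700000000,      # IntDate: seconds since the Unix epoch
        "exp": 1731536000,
        "created": 1699990000,
        "updated": 1699990000,
    },
})

def parse_bundle(raw: str) -> dict:
    """Parse a secret bundle, applying the documented defaults for missing attributes."""
    bundle = json.loads(raw)
    attrs = bundle.get("attributes", {})
    return {
        "value": bundle["value"],
        "id": bundle["id"],
        "content_type": bundle.get("contentType"),  # free-form hint, no predefined values
        "enabled": attrs.get("enabled", True),       # default is true
        "nbf": attrs.get("nbf"),                     # None means "now"
        "exp": attrs.get("exp"),                     # None means "forever"
        "created": attrs.get("created"),
        "updated": attrs.get("updated"),
    }

def window_state(secret: dict, now: int) -> str:
    """Classify 'now' against the nbf / exp window (on or after exp counts as expired)."""
    if secret["nbf"] is not None and now < secret["nbf"]:
        return "not-yet-valid"
    if secret["exp"] is not None and now >= secret["exp"]:
        return "expired"
    return "in-window"

def may_use(secret: dict, now: int, operation: str = "use") -> bool:
    """Client-side check of the documented rule: inside the window an operation is
    permitted only if enabled is true; outside the window it is disallowed, except
    that get still works (testing a not-yet-valid secret, recovering an expired one)."""
    if window_state(secret, now) == "in-window":
        return bool(secret["enabled"])
    return operation == "get"
```

Because the service treats nbf and exp as informational for get, a client that must honour them (for example a service reading a rotated database password) has to apply a check like may_use itself.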

Secret access control

Access control for secrets managed in Key Vault is provided at the level of the Key Vault that contains those secrets. The access control policy for secrets is distinct from the access control policy for keys in the same Key Vault. Users may create one or more vaults to hold secrets, and are required to maintain scenario-appropriate segmentation and management of secrets.

The following permissions can be used, on a per-principal basis, in the secrets access control entry on a vault, and closely mirror the operations allowed on a secret object:

  • Permissions for secret management operations

    • get: Read a secret
    • list: List the secrets or versions of a secret stored in a Key Vault
    • set: Create a secret
    • delete: Delete a secret
    • recover: Recover a deleted secret
    • backup: Back up a secret in a key vault
    • restore: Restore a backed-up secret to a key vault
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted secret

For more information on working with secrets, see Secret operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Secret tags

You can specify additional application-specific metadata in the form of tags. Key Vault supports up to 15 tags, each of which can have a 256-character name and a 256-character value.

Note

Tags are readable by a caller if they have the list or get permission.
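As an added example (not from the article), a client-side pre-flight check of a set-secret request against the limits stated on this page: the value is measured in encoded bytes because Key Vault stores octets, not characters. The reading of "25k bytes" as 25 * 1024 is an assumption; the function and its limit constants are hypothetical.

```python
from typing import Dict, List, Optional

# Limits stated in the article. "25k bytes" is read here as 25 * 1024 (assumption).
# Tags are not secret material: anyone holding list or get can read them.
MAX_VALUE_BYTES = 25 * 1024
MAX_CONTENT_TYPE_CHARS = 255
MAX_TAGS = 15
MAX_TAG_CHARS = 256

def validate_set_secret(value: str, content_type: Optional[str] = None,
                        tags: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the limit violations of a set-secret request (empty list means it fits)."""
    problems = []
    # Key Vault stores octets, so the limit applies to the encoded bytes, not characters.
    size = len(value.encode("utf-8"))
    if size > MAX_VALUE_BYTES:
        problems.append(f"value is {size} bytes, limit is {MAX_VALUE_BYTES}")
    if content_type is not None and len(content_type) > MAX_CONTENT_TYPE_CHARS:
        problems.append(f"contentType is {len(content_type)} chars, "
                        f"limit is {MAX_CONTENT_TYPE_CHARS}")
    tags = tags or {}
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags, limit is {MAX_TAGS}")
    for name, tag_value in tags.items():
        if len(name) > MAX_TAG_CHARS:
            problems.append(f"tag name of {len(name)} chars, limit is {MAX_TAG_CHARS}")
        if len(tag_value) > MAX_TAG_CHARS:
            problems.append(f"tag {name[:16]!r} value is {len(tag_value)} chars, "
                            f"limit is {MAX_TAG_CHARS}")
    return problems
```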

Azure Storage account key management

Key Vault can manage Azure storage account keys:

  • Internally, Key Vault can list (sync) keys with an Azure storage account.
  • Key Vault regenerates (rotates) the keys periodically.
  • Key values are never returned in response to the caller.
  • Key Vault manages keys of both storage accounts and classic storage accounts.

For more information, see Azure Key Vault Storage Account Keys.

Storage account access control

The following permissions can be used when authorizing a user or application principal to perform operations on a managed storage account:

  • Permissions for managed storage account and SAS-definition operations

    • get: Get information about a storage account
    • list: List storage accounts managed by a Key Vault
    • update: Update a storage account
    • delete: Delete a storage account
    • recover: Recover a deleted storage account
    • backup: Back up a storage account
    • restore: Restore a backed-up storage account to a Key Vault
    • set: Create or update a storage account
    • regeneratekey: Regenerate a specified key value for a storage account
    • getsas: Get information about a SAS definition for a storage account
    • listsas: List storage SAS definitions for a storage account
    • deletesas: Delete a SAS definition from a storage account
    • setsas: Create or update a new SAS definition/attributes for a storage account
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a managed storage account

For more information, see the Storage account operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Next steps