Tutorial: Use the Azure portal to use customer-managed keys or BYOK with Media Services

With the 2020-05-01 API, you can use a customer-managed RSA key with an Azure Media Services account that has a system-managed identity. This tutorial covers the steps in the Azure portal.

The services used are:

  • Azure Storage
  • Azure Key Vault
  • Azure Media Services

In this tutorial, you'll learn to use the Azure portal to:

  • Create a resource group.
  • Create a storage account with a system-managed identity.
  • Create a Media Services account with a system-managed identity.
  • Create a key vault for storing a customer-managed RSA key.

Prerequisites

An Azure subscription.

If you don't have an Azure subscription, create a trial account.

System-managed keys

Create a resource group

  1. On the Home screen of the Azure portal, select Create a resource. The Marketplace screen will appear.
  2. Select Resource groups. A listing of resource groups will appear.
  3. Select Add. The Create a resource group screen will appear.
  4. Select the subscription you want to use for this resource group.
  5. Enter the resource group name in the Resource group field.
  6. Select the Region for the resource group.
  7. Select Review + create.

Important

For the following storage account creation steps, you will select the system-managed key choice in Advanced settings.

Create a Media Services account

  1. Sign in at the Azure portal.

  2. Click +Create a resource > Media > Media Services.

  3. In the Create a Media Services account section, enter the required values.

    Account Name: Enter the name of the new Media Services account. A Media Services account name is all lowercase letters or numbers with no spaces, and is 3 to 24 characters in length.
    Subscription: If you have more than one subscription, select one from the list of Azure subscriptions that you have access to.
    Resource Group: Select a new or existing resource group. A resource group is a collection of resources that share lifecycle, permissions, and policies. Learn more here.
    Location: Select the geographic region that will be used to store the media and metadata records for your Media Services account. This region will be used to process and stream your media. Only the available Media Services regions appear in the drop-down list box.
    Storage Account: Select a storage account to provide blob storage of the media content from your Media Services account. You can select an existing storage account in the same geographic region as your Media Services account, or you can create a new storage account. A new storage account is created in the same region. The rules for storage account names are the same as for Media Services accounts.

    You must have one Primary storage account and you can have any number of Secondary storage accounts associated with your Media Services account. You can use the Azure portal to add secondary storage accounts. For more information, see Azure Storage accounts with Azure Media Services accounts.

    The Media Services account and all associated storage accounts must be in the same Azure subscription. It is strongly recommended to use storage accounts in the same location as the Media Services account to avoid additional latency and data egress costs.
  4. Select Pin to dashboard to see the progress of the account deployment.

  5. Click Create at the bottom of the form.

Create a key vault

  1. From the Home screen of the Azure portal, select Create a resource.
  2. Enter Key vault into the Marketplace search field and select Key Vault when it appears in the search results.
  3. Select Create. The Create key vault screen appears.
  4. Select the Resource group you want to use or create a new one.
  5. Give the Key Vault a name by entering it into the Key Vault field.
  6. For this example, leave the default settings as they are for the Recovery options.
  7. Select Next: Access policy >. The access policy screen will appear.
  8. Give the user listed for the key vault sufficient permissions. The default permissions should be enough.
  9. Select Next: Networking. The Networking screen will appear.
  10. Select the type of endpoint you want to use.
  11. Click Review + create.

Enable customer-managed keys on a Media Services account

  1. After creating the Media Services account, go to it in the portal.
  2. Select Encryption (new).
  3. Select Customer-managed keys under Encryption Type.
  4. Select the link Select a key vault and key.
  5. Either pick an existing key or create a new one.
  6. Select Save.

Important

For the following storage encryption steps, you will select the customer-managed key choice.

Set the encryption on a storage account

  1. In the Azure portal, enter the name of the storage account you want to encrypt in the Search field at the top of the screen. Matches will appear below the search field.
  2. Select the storage account you are looking for. The storage account screen will appear.
  3. Select Encryption.
  4. Select either Microsoft managed keys or Customer managed keys.

Use Microsoft-managed keys

By default, data in the storage account is encrypted using Microsoft managed keys.

Use customer-managed keys

  1. Select Customer managed keys.
  2. Select either Enter key URI or Select from key vault.
    1. If you select Enter key URI, enter the key URI in the Key URI field and select the subscription. (It may already be selected for you.)
    2. If you select Select from key vault, you will then select Select a key vault and key. The Select key from Azure Key Vault screen will appear.
  3. Select the Key Vault you want to use and either select a key you already have in your key vault or create a new key.
    1. If you choose to create a new key, select Generate or Import from the Options drop-down. You can import only RSA keys.
    2. To generate a new key, give the key a name in the Name field, then select the Key type:
      1. RSA - Key sizes: 2048, 3072 or 4096. This is what most customers choose.
      2. EC - Elliptic curve names: P-256, P-384, P-521, or P-256K.
      3. Optionally, you can set the activation and expiration dates of the key.
      4. Select Yes to enable automatic key rotation.
      5. Select Create.
    3. To import a key, select the file to upload by clicking anywhere in the Select a file field.
      1. Give the key a name in the Name field.
      2. Optionally, you can set the activation and expiration dates of the key.
      3. Select Yes to enable automatic key rotation.
      4. Select Create.
    4. Select Select to select this key to encrypt your storage account. You will be taken back to the Encryption screen.
  4. IMPORTANT! Select Save to save your encryption settings, or everything you just did will be lost.

Change the key

Media Services automatically detects when the key is changed. OPTIONAL: To test this process, create another key version for the same key. Media Services should detect that the key has been changed.
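The same setup can be scripted with the Azure CLI. The script below is an added example and is not part of this tutorial or of the Media Services product code; it assumes Azure CLI 2.x with the az ams commands available and an authenticated session (az login), and every resource name in it is a constructed placeholder. It follows the portal steps above (storage account and Media Services account with system-assigned identities, a key vault with an RSA key, customer-managed keys on both accounts) and ends with the key-version rotation check described under Change the key. Two things the portal hides are made explicit: the account-name rule from the table above, and the Key Vault access policy that gives each identity only get, wrapKey and unwrapKey on keys. The JSON path used for the rotation check follows the 2020-05-01 AccountEncryption schema.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial). Requires Azure CLI 2.x, `az login` done.
set -eu

RG="${RG:-rg-ams-cmk-demo}"           # constructed placeholder
LOCATION="${LOCATION:-westus2}"       # constructed placeholder
STORAGE="${STORAGE:-amscmkdemostor}"  # constructed placeholder
AMS="${AMS:-amscmkdemo}"              # constructed placeholder
KV="${KV:-kv-ams-cmk-demo}"           # constructed placeholder (vault names are global)
KEY="${KEY:-ams-cmk}"                 # constructed placeholder

# The page's rule for a Media Services account name: lowercase letters or
# digits only, no spaces, 3 to 24 characters. Returns 0 if valid, 1 if not.
validate_ams_name() {
  case "$1" in
    *[!a-z0-9]*) return 1 ;;
  esac
  if [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]; then return 0; else return 1; fi
}

# Split https://<vault>.vault.azure.net/keys/<name>[/<version>] into the three
# values `az storage account update` takes; version is empty for a versionless
# key id, which lets storage follow new key versions automatically.
parse_key_uri() {
  local uri="${1#https://}"
  local vault="${uri%%.vault.azure.net/keys/*}"
  local rest="${uri#*.vault.azure.net/keys/}"
  local name="${rest%%/*}"
  local version=""
  [ "$rest" != "$name" ] && version="${rest#*/}"
  printf '%s %s %s\n' "$vault" "$name" "$version"
}

deploy() {
  validate_ams_name "$AMS" || { echo "invalid Media Services account name: $AMS" >&2; return 1; }

  az group create --name "$RG" --location "$LOCATION" --output none

  # Storage account with a system-assigned identity (Advanced settings in the portal).
  az storage account create --name "$STORAGE" --resource-group "$RG" \
    --location "$LOCATION" --sku Standard_LRS --kind StorageV2 \
    --assign-identity --output none

  # Media Services account with a system-assigned identity (2020-05-01 API).
  az ams account create --name "$AMS" --resource-group "$RG" \
    --location "$LOCATION" --storage-account "$STORAGE" \
    --mi-system-assigned --output none

  # Purge protection keeps a deleted key recoverable; without the key the
  # encrypted media is unreadable, so this is a data-loss safeguard, not a nicety.
  az keyvault create --name "$KV" --resource-group "$RG" --location "$LOCATION" \
    --enable-purge-protection true --output none
  az keyvault key create --vault-name "$KV" --name "$KEY" --kty RSA --size 2048 --output none

  # Least privilege: each account identity gets only get/wrapKey/unwrapKey on keys.
  local ams_pid stor_pid pid
  ams_pid=$(az ams account show --name "$AMS" --resource-group "$RG" \
    --query identity.principalId --output tsv)
  stor_pid=$(az storage account show --name "$STORAGE" --resource-group "$RG" \
    --query identity.principalId --output tsv)
  for pid in "$ams_pid" "$stor_pid"; do
    az keyvault set-policy --name "$KV" --object-id "$pid" \
      --key-permissions get wrapKey unwrapKey --output none
  done

  # Use the versionless key id so a new key version is picked up without reconfiguring.
  local key_uri
  key_uri=$(az keyvault key show --vault-name "$KV" --name "$KEY" --query key.kid --output tsv)
  key_uri="${key_uri%/*}"

  az ams account encryption set --account-name "$AMS" --resource-group "$RG" \
    --key-type CustomerKey --key-identifier "$key_uri" --output none

  set -- $(parse_key_uri "$key_uri")
  az storage account update --name "$STORAGE" --resource-group "$RG" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "https://$1.vault.azure.net" \
    --encryption-key-name "$2" ${3:+--encryption-key-version "$3"} --output none
}

# "Change the key": create another version of the same key, then read back the
# key version Media Services is currently using to confirm it moved on its own.
rotate_and_check() {
  az keyvault key create --vault-name "$KV" --name "$KEY" --kty RSA --size 2048 --output none
  az ams account encryption show --account-name "$AMS" --resource-group "$RG" \
    --query keyVaultProperties.currentKeyIdentifier --output tsv
}

# Nothing is created unless RUN_DEPLOY=1 is set, so the helpers can be sourced safely.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  deploy
  rotate_and_check
fi
```

Run it with RUN_DEPLOY=1 after exporting your own resource names; the currentKeyIdentifier printed at the end should carry the new key version shortly after the second az keyvault key create, which is the automatic detection the tutorial describes.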

Clean up resources

If you're not going to continue to use the resources that you created and you don't want to continue to be billed, delete them.

Next steps

Go to the next article to learn how to: