Azure Database for PostgreSQL Single server data encryption with a customer-managed key

Azure PostgreSQL uses Azure Storage encryption to encrypt data at rest by default with Microsoft-managed keys. For Azure PostgreSQL users, this is very similar to Transparent Data Encryption (TDE) in other databases such as SQL Server. Many organizations require full control over access to their data through a customer-managed key. Data encryption with customer-managed keys for Azure Database for PostgreSQL Single server lets you bring your own key (BYOK) for data protection at rest. It also allows organizations to implement separation of duties in the management of keys and data. With customer-managed encryption, you are responsible for, and in full control of, the key's lifecycle, key usage permissions, and auditing of operations on the key.

Data encryption with customer-managed keys for Azure Database for PostgreSQL Single server is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. The KEK is an asymmetric key stored in a customer-owned and customer-managed Azure Key Vault instance. The key encryption key (KEK) and data encryption key (DEK) are described in more detail later in this article.

Key Vault is a cloud-based, external key management system. It's highly available and provides scalable, secure storage for RSA cryptographic keys. It doesn't allow direct access to a stored key, but does provide encryption and decryption services to authorized entities.

Benefits

Data encryption with customer-managed keys for Azure Database for PostgreSQL Single server provides the following benefits:

  • Data access is fully controlled by you: removing the key makes the database inaccessible
  • Full control over the key lifecycle, including rotation of the key to align with corporate policies
  • Central management and organization of keys in Azure Key Vault
  • Ability to implement separation of duties between security officers, DBAs, and system administrators

Terminology and description

Data encryption key (DEK): A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes cryptanalysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key.

Key encryption key (KEK): An encryption key used to encrypt the DEKs. A KEK that never leaves Key Vault allows the DEKs themselves to be encrypted and controlled. The entity that has access to the KEK might be different from the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point of control: deleting the KEK effectively deletes the DEKs.

The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see Security in encryption at rest.

How data encryption with a customer-managed key works

Diagram showing an overview of bring your own key

For a PostgreSQL server to use customer-managed keys stored in Key Vault for encryption of the DEK, a Key Vault administrator grants the following access rights to the server:

  • get: For retrieving the public part and properties of the key in the key vault.
  • wrapKey: To be able to encrypt the DEK. The encrypted DEK is stored in Azure Database for PostgreSQL.
  • unwrapKey: To be able to decrypt the DEK. Azure Database for PostgreSQL needs the decrypted DEK to encrypt/decrypt the data.

The key vault administrator can also enable logging of Key Vault audit events, so they can be audited later.

When the server is configured to use the customer-managed key stored in the key vault, the server sends the DEK to the key vault for encryption. Key Vault returns the encrypted DEK, which is stored in the user database. Similarly, when needed, the server sends the protected DEK to the key vault for decryption. Auditors can use Azure Monitor to review Key Vault audit event logs, if logging is enabled.

Requirements for configuring data encryption for Azure Database for PostgreSQL Single server

The following are requirements for configuring Key Vault:

  • Key Vault and Azure Database for PostgreSQL Single server must belong to the same Azure Active Directory (Azure AD) tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving the Key Vault resource afterwards requires you to reconfigure the data encryption.
  • The key vault must be set with 90 days for 'Days to retain deleted vaults'. If the existing key vault has been configured with a lower number, you will need to create a new key vault, because this setting cannot be modified after creation.
  • Enable the soft-delete feature on the key vault, to protect from data loss if an accidental key (or Key Vault) deletion happens. Soft-deleted resources are retained for 90 days, unless the user recovers or purges them in the meantime. The recover and purge actions have their own permissions associated in a Key Vault access policy. The soft-delete feature is off by default, but you can enable it through PowerShell or the Azure CLI (note that you can't enable it through the Azure portal).
  • Enable purge protection to enforce a mandatory retention period for deleted vaults and vault objects.
  • Grant the Azure Database for PostgreSQL Single server access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. In the Azure portal, the unique 'Service' identity is automatically created when data encryption is enabled on the PostgreSQL Single server. See Data encryption for Azure Database for PostgreSQL Single server by using the Azure portal for detailed, step-by-step instructions when you're using the Azure portal.

The following are requirements for configuring the customer-managed key:

  • The customer-managed key to be used for encrypting the DEK can only be asymmetric, RSA 2048.
  • The key activation date (if set) must be a date and time in the past. The expiration date (if set) must be a future date and time.
  • The key must be in the Enabled state.
  • If you're importing an existing key into the key vault, make sure to provide it in one of the supported file formats (.pfx, .byok, .backup).
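As an added example (not part of the original article), the following Python preflight check tests the vault and key requirements listed above against the JSON printed by `az keyvault show -o json` and `az keyvault key show -o json`. The JSON field names, the placeholder server object id and the embedded sample data are assumptions to verify against your own CLI output.

```python
"""Preflight check of the Key Vault and key prerequisites for CMK data encryption, run on
the JSON from `az keyvault show -o json` / `az keyvault key show -o json` (field names assumed)."""
import base64
import datetime as dt

REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}  # compared case-insensitively

def _epoch(value):  # key attributes arrive as ISO-8601 strings; normalise to epoch seconds
    return dt.datetime.fromisoformat(str(value).replace("Z", "+00:00")).timestamp()

def check_vault(vault, server_principal_id):
    """Return the requirement violations of a vault; [] means it passes."""
    p, problems = vault.get("properties", {}), []
    if not p.get("enableSoftDelete"):
        problems.append("soft-delete is not enabled")
    if not p.get("enablePurgeProtection"):
        problems.append("purge protection is not enabled")
    if (p.get("softDeleteRetentionInDays") or 0) < 90:
        problems.append("deleted-vault retention must be 90 days (fixed at vault creation)")
    granted = set()  # key permissions granted to the server's managed identity
    for policy in p.get("accessPolicies", []):
        if policy.get("objectId") == server_principal_id:
            granted |= {x.lower() for x in policy.get("permissions", {}).get("keys") or []}
    missing = REQUIRED_KEY_PERMS - granted
    if missing:
        problems.append("server identity lacks key permissions: " + ", ".join(sorted(missing)))
    return problems

def check_key(key, now):
    """Return the violations of a key at epoch time `now`: RSA 2048, Enabled, activation past, expiry future."""
    k, attrs, problems = key.get("key", {}), key.get("attributes", {}), []
    if not str(k.get("kty", "")).startswith("RSA"):
        problems.append("key type must be RSA")
    else:
        n = k.get("n", "")  # JWK modulus, base64url without padding; its length gives the key size
        bits = len(base64.urlsafe_b64decode(n + "=" * (-len(n) % 4))) * 8
        if bits != 2048:
            problems.append(f"key size must be 2048 bits, got {bits}")
    if not attrs.get("enabled"):
        problems.append("key is not in the Enabled state")
    if attrs.get("notBefore") is not None and _epoch(attrs["notBefore"]) > now:
        problems.append("activation date must be in the past")
    if attrs.get("expires") is not None and _epoch(attrs["expires"]) <= now:
        problems.append("expiration date must be in the future")
    return problems

# Constructed sample input (not real Azure output); SERVER_ID is a placeholder object id.
SERVER_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_VAULT = {"properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
    "softDeleteRetentionInDays": 90, "accessPolicies": [{"objectId": SERVER_ID,
    "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}]}}
SAMPLE_KEY = {"key": {"kty": "RSA", "n": base64.urlsafe_b64encode(b"\xc3" * 256).rstrip(b"=").decode()},
    "attributes": {"enabled": True, "notBefore": "2024-01-01T00:00:00+00:00", "expires": "2030-01-01T00:00:00+00:00"}}
NOW = _epoch("2025-06-01T00:00:00+00:00")  # fixed "current time" so the sample check is deterministic
```

Against a real deployment, load the two JSON documents with `json.load`, pass the server's managed-identity object id, and use `time.time()` as `now`; an empty list from both checks means the server will be able to wrap and unwrap its DEK.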

Recommendations

When you're using data encryption with a customer-managed key, here are recommendations for configuring Key Vault:

  • Set a resource lock on Key Vault to control who can delete this critical resource and prevent accidental or unauthorized deletion.

  • Enable auditing and reporting on all encryption keys. Key Vault provides logs that are easy to ingest into security information and event management tools. Azure Monitor Log Analytics is one example of a service that's already integrated.

  • Ensure that Key Vault and Azure Database for PostgreSQL Single server reside in the same region, to ensure faster access for DEK wrap and unwrap operations.

  • Lock down Azure Key Vault to private endpoints and selected networks only, and allow only trusted Microsoft services, to secure the resources.


Here are recommendations for configuring a customer-managed key:

  • Keep a copy of the customer-managed key in a secure place, or escrow it to an escrow service.

  • If Key Vault generates the key, create a key backup before using the key for the first time. You can only restore the backup to Key Vault. For more information about the backup command, see Backup-AzKeyVaultKey.

Inaccessible customer-managed key condition

When you configure data encryption with a customer-managed key in Key Vault, continuous access to this key is required for the server to stay online. If the server loses access to the customer-managed key in Key Vault, the server begins denying all connections within 10 minutes. The server issues a corresponding error message, and changes the server state to Inaccessible. Some of the reasons why the server can reach this state are:

  • If you create a Point In Time Restore server for your Azure Database for PostgreSQL Single server that has data encryption enabled, the newly created server will be in the Inaccessible state. You can fix the server state through the Azure portal or CLI.
  • If you create a read replica for your Azure Database for PostgreSQL Single server that has data encryption enabled, the replica server will be in the Inaccessible state. You can fix the server state through the Azure portal or CLI.
  • If you delete the Key Vault, the Azure Database for PostgreSQL Single server will be unable to access the key and will move to the Inaccessible state. Recover the Key Vault and revalidate the data encryption to make the server Available.
  • If you delete the key from the Key Vault, the Azure Database for PostgreSQL Single server will be unable to access the key and will move to the Inaccessible state. Recover the key and revalidate the data encryption to make the server Available.
  • If the key stored in Azure Key Vault expires, the key becomes invalid and the Azure Database for PostgreSQL Single server will transition into the Inaccessible state. Extend the key expiry date using the CLI and then revalidate the data encryption to make the server Available.

Accidental key access revocation from Key Vault

It might happen that someone with sufficient access rights to Key Vault accidentally disables server access to the key by:

  • Revoking the key vault's get, wrapKey, and unwrapKey permissions from the server.

  • Deleting the key.

  • Deleting the key vault.

  • Changing the key vault's firewall rules.

  • Deleting the managed identity of the server in Azure AD.

Monitor the customer-managed key in Key Vault

To monitor the database state, and to enable alerting for the loss of access to the transparent data encryption protector, configure the following Azure features:

  • Azure Resource Health: An inaccessible database that has lost access to the customer key shows as "Inaccessible" after the first connection to the database has been denied.

  • Activity log: When access to the customer key in the customer-managed Key Vault fails, entries are added to the activity log. If you create alerts for these events, you can reinstate access as soon as possible.

  • Action groups: Define these groups to send you notifications and alerts based on your preferences.

Restore and replicate with a customer-managed key in Key Vault

After Azure Database for PostgreSQL Single server is encrypted with a customer-managed key stored in Key Vault, any newly created copy of the server is also encrypted. You can make this new copy either through a local or geo-restore operation, or through read replicas. However, the copy can be changed to reflect a new customer-managed key for encryption. When the customer-managed key is changed, old backups of the server start using the latest key.

To avoid issues while setting up customer-managed data encryption during restore or read replica creation, it's important to follow these steps on the primary and restored/replica servers:

  • Initiate the restore or read replica creation process from the primary Azure Database for PostgreSQL Single server.
  • Keep the newly created server (restored/replica) in an inaccessible state, because its unique identity hasn't yet been given permissions to Key Vault.
  • On the restored/replica server, revalidate the customer-managed key in the data encryption settings. This ensures that the newly created server is given wrap and unwrap permissions to the key stored in Key Vault.

Limitations

For Azure Database for PostgreSQL, support for encryption of data at rest using a customer-managed key (CMK) has a few limitations:

  • Support for this functionality is limited to the General Purpose and Memory Optimized pricing tiers.

  • This feature is only supported in regions and on servers that support storage up to 16 TB. For the list of Azure regions supporting storage up to 16 TB, refer to the storage section in the documentation here.

    Note

    • All new PostgreSQL servers created in the regions listed above support encryption with customer-managed keys. A Point In Time Restored (PITR) server or read replica will not qualify, though in theory they are 'new'.
    • To validate whether your provisioned server supports up to 16 TB, you can go to the pricing tier blade in the portal and see the max storage size supported by your provisioned server. If you can move the slider up to 4 TB, your server may not support encryption with customer-managed keys. However, the data is encrypted using service-managed keys at all times.
  • Encryption is only supported with an RSA 2048 cryptographic key.

Next steps

Learn how to set up data encryption with a customer-managed key for your Azure Database for PostgreSQL Single server by using the Azure portal.