Data encryption for Azure Database for PostgreSQL Single server by using the Azure portal

Learn how to use the Azure portal to set up and manage data encryption for your Azure Database for PostgreSQL Single server.

Prerequisites for Azure CLI

  • You must have an Azure subscription and be an administrator on that subscription.

  • In Azure Key Vault, create a key vault and key to use for a customer-managed key.

  • The key vault must have the following properties to use as a customer-managed key:

    • Soft delete

      az resource update --id "$(az keyvault show --name <key_vault_name> --query id -o tsv)" --set properties.enableSoftDelete=true
      
    • Purge protected

      az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-purge-protection true
      
  • The key must have the following attributes to use as a customer-managed key:

    • No expiration date
    • Not disabled
    • Able to perform get, wrap key, and unwrap key operations

Set the right permissions for key operations

  1. In Key Vault, select Access policies > Add Access Policy.

    Screenshot of Key Vault with Access policies and Add Access Policy highlighted

  2. Select Key permissions, and select Get, Wrap, Unwrap, and the Principal, which is the name of the PostgreSQL server. If your server principal can't be found in the list of existing principals, you need to register it. When you attempt to set up data encryption for the first time, the attempt fails and you're prompted to register your server principal.

    Access policy overview

  3. Select Save.
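The prerequisites above (soft delete, purge protection, an enabled key with no expiry that allows wrap and unwrap) and the access policy the server principal needs are easy to get slightly wrong, and the portal only reports the result as a failed save. The following checker is an added example, not code from the Microsoft documentation page: it reads the JSON that `az keyvault show` and `az keyvault key show` print and lists every unmet prerequisite for a given server principal object ID. The JSON field names it relies on (properties.enableSoftDelete, properties.enablePurgeProtection, properties.accessPolicies[].objectId, permissions.keys, attributes.enabled, attributes.expires, key.keyOps) are assumed to match the Azure CLI's output; the vault name, key name and object IDs in the embedded samples are constructed. The same access-policy check applies to the identity of a restored or replica server, which the later section says must be granted access before revalidation succeeds.

```python
"""Offline checker for the Key Vault and key prerequisites of a customer-managed key.

Added example; not part of the documentation page. Field names are assumed to
match the JSON printed by `az keyvault show` and `az keyvault key show`.
"""
import json
import sys

# Key permissions the server principal's access policy must grant (get, wrap, unwrap).
REQUIRED_POLICY_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}
# Operations the key itself must allow; "get" is a vault permission, not a keyOps value.
REQUIRED_KEY_OPS = {"wrapkey", "unwrapkey"}

# Constructed sample: trimmed `az keyvault show` output. Vault name and object IDs are made up.
SAMPLE_VAULT_JSON = """
{
  "name": "contoso-kv",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}},
      {"objectId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"keys": ["get"]}}
    ]
  }
}
"""

# Constructed sample: trimmed `az keyvault key show` output for a key that meets every requirement.
SAMPLE_KEY_JSON = """
{
  "key": {"kid": "https://contoso-kv.vault.azure.net/keys/pg-cmk/0123456789abcdef",
          "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey"]},
  "attributes": {"enabled": true, "expires": null}
}
"""


def check_vault(vault):
    """Return problems with the vault-level properties (soft delete, purge protection)."""
    props = vault.get("properties", {})
    problems = []
    if not props.get("enableSoftDelete"):
        problems.append("vault: soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        problems.append("vault: purge protection is not enabled")
    return problems


def check_key(key):
    """Return problems with the key: it must be enabled, never expire, and allow wrap/unwrap."""
    attrs = key.get("attributes", {})
    problems = []
    if not attrs.get("enabled", False):
        problems.append("key: disabled")
    if attrs.get("expires") is not None:
        problems.append("key: has an expiration date")
    ops = {op.lower() for op in key.get("key", {}).get("keyOps", [])}
    for op in sorted(REQUIRED_KEY_OPS - ops):
        problems.append(f"key: missing key operation {op}")
    return problems


def check_access_policy(vault, server_object_id):
    """Return problems with the access policy for the server's identity.

    No entry at all is the situation the article describes on a first attempt or
    on a freshly restored server: the identity must be registered before it can be granted.
    """
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        if policy.get("objectId") == server_object_id:
            granted = {p.lower() for p in policy.get("permissions", {}).get("keys") or []}
            missing = sorted(REQUIRED_POLICY_KEY_PERMISSIONS - granted)
            return [f"policy: {server_object_id} lacks key permission {m}" for m in missing]
    return [f"policy: no access policy for principal {server_object_id}"]


def validate(vault_json, key_json, server_object_id):
    """Run every check on raw CLI JSON; an empty list means all prerequisites are met."""
    vault = json.loads(vault_json)
    key = json.loads(key_json)
    return check_vault(vault) + check_key(key) + check_access_policy(vault, server_object_id)


if __name__ == "__main__":
    # Usage: python check_cmk.py vault.json key.json <server_object_id>
    # Without arguments, the constructed samples are checked for the under-privileged principal.
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as vf, open(sys.argv[2]) as kf:
            problems = validate(vf.read(), kf.read(), sys.argv[3])
    else:
        problems = validate(SAMPLE_VAULT_JSON, SAMPLE_KEY_JSON,
                            "22222222-2222-2222-2222-222222222222")
    print("\n".join(problems) if problems else "all prerequisites satisfied")
```

To use it against a real vault, save the output of `az keyvault show --name <key_vault_name>` and `az keyvault key show --vault-name <key_vault_name> --name <key_name>` to files and pass the object ID of the server's identity as the third argument; permissions are compared case-insensitively because the CLI prints them in camel case while the portal shows them capitalized.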

Set data encryption for Azure Database for PostgreSQL Single server

  1. In Azure Database for PostgreSQL, select Data encryption to set up the customer-managed key.

    Screenshot of Azure Database for PostgreSQL with Data encryption highlighted

  2. You can either select a key vault and key pair, or enter a key identifier.

    Screenshot of Azure Database for PostgreSQL with the Data encryption options highlighted

  3. Select Save.

  4. To ensure all files (including temp files) are fully encrypted, restart the server.

Using data encryption for restore or replica servers

After an Azure Database for PostgreSQL Single server is encrypted with a customer-managed key stored in Key Vault, any newly created copy of the server is also encrypted. You can make this new copy either through a local or geo-restore operation, or through a replica (local/cross-region) operation. So for an encrypted PostgreSQL server, you can use the following steps to create an encrypted restored server.

  1. On your server, select Overview > Restore.

    Screenshot of Azure Database for PostgreSQL with Overview and Restore highlighted

    Or, for a replication-enabled server, under the Settings heading, select Replication.

    Screenshot of Azure Database for PostgreSQL with Replication highlighted

  2. After the restore operation is complete, the new server is encrypted with the primary server's key. However, the features and options on the server are disabled, and the server is inaccessible. This prevents any data manipulation, because the new server's identity hasn't yet been given permission to access the key vault.

    Screenshot of Azure Database for PostgreSQL with the inaccessible state highlighted

  3. To make the server accessible, revalidate the key on the restored server. Select Data Encryption > Revalidate key.

    Note

    The first attempt to revalidate fails, because the new server's service principal must first be given access to the key vault. To generate the service principal, select Revalidate key; the attempt shows an error but creates the service principal. Then follow the steps under Set the right permissions for key operations earlier in this article.

    Screenshot of Azure Database for PostgreSQL with the revalidate step highlighted

    You will have to give the new server access to the key vault.

  4. After registering the service principal, revalidate the key again, and the server resumes its normal functionality.

    Screenshot of Azure Database for PostgreSQL showing restored functionality

Next steps

To learn more about data encryption, see Azure Database for PostgreSQL Single server data encryption with customer-managed key.