Troubleshoot data encryption in Azure Database for PostgreSQL - Single Server

This article helps you identify and resolve common issues that can occur in the single-server deployment of Azure Database for PostgreSQL when it is configured with data encryption using a customer-managed key.

Introduction

When you configure data encryption to use a customer-managed key in Azure Key Vault, the server requires continuous access to the key. If the server loses access to the customer-managed key in Azure Key Vault, it denies all connections, returns the appropriate error message, and changes its state to Inaccessible in the Azure portal.

If you no longer need an inaccessible Azure Database for PostgreSQL server, you can delete it to stop incurring costs. No other actions on the server are permitted until access to the key vault has been restored and the server is available. It's also not possible to change the data encryption option from Yes (customer-managed) to No (service-managed) on an inaccessible server when it's encrypted with a customer-managed key. You'll have to revalidate the key manually before the server is accessible again. This action is necessary to protect the data from unauthorized access while permissions to the customer-managed key are revoked.

Common errors causing the server to become inaccessible

The following misconfigurations cause most issues with data encryption that uses Azure Key Vault keys:

  • The key vault is unavailable or doesn't exist:

    • The key vault was accidentally deleted.
    • An intermittent network error causes the key vault to be unavailable.
  • You don't have permissions to access the key vault, or the key doesn't exist:

    • The key expired or was accidentally deleted or disabled.
    • The managed identity of the Azure Database for PostgreSQL instance was accidentally deleted.
    • The managed identity of the Azure Database for PostgreSQL instance has insufficient key permissions. For example, the permissions don't include Get, Wrap, and Unwrap.
    • The managed identity permissions to the Azure Database for PostgreSQL instance were revoked or deleted.

Identify and resolve common errors

Errors on the key vault

Disabled key vault

  • AzureKeyVaultKeyDisabledMessage
  • Explanation: The operation couldn't be completed on the server because the Azure Key Vault key is disabled.

Missing key vault permissions

  • AzureKeyVaultMissingPermissionsMessage
  • Explanation: The server doesn't have the required Get, Wrap, and Unwrap permissions to Azure Key Vault. Grant any missing permissions to the service principal with ID.

Mitigation

  • Confirm that the customer-managed key is present in the key vault.
  • Identify the key vault, then go to the key vault in the Azure portal.
  • Ensure that the key URI identifies a key that is present.
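The mitigation steps above, and the permission error described earlier, can also be worked through from the command line. The following script is an added example and is not part of the Microsoft documentation or the Azure CLI itself. It assumes the Azure CLI (az) is installed and signed in to the right subscription, that the single server uses a system-assigned managed identity (the "service principal" the error message refers to), and that the key vault uses the access-policy permission model. The function names (parse_key_uri, check_key, grant_key_permissions), the sample key URI, and the vault/server names in the usage line are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Microsoft documentation page): Azure CLI helper
# for the mitigation steps. It parses the key URI, confirms the key exists and
# is enabled, and optionally grants the server's managed identity the
# Get/Wrap/Unwrap key permissions the error message asks for.
# Assumptions: 'az' is installed and logged in; the single server has a
# system-assigned identity; the vault uses access policies (not Azure RBAC).

# parse_key_uri URI
# Prints "<vault> <key> <version>" for a key identifier of the form
# https://<vault>.vault.azure.net/keys/<key>[/<version>] (also .vault.azure.cn).
parse_key_uri() {
  uri="$1"
  case "$uri" in
    https://*.vault.azure.*/keys/*) ;;
    *) echo "not a Key Vault key URI: $uri" >&2; return 1 ;;
  esac
  rest="${uri#https://}"
  vault="${rest%%.vault.azure.*}"   # host label before ".vault.azure."
  path="${rest#*/keys/}"            # "<key>[/<version>[/...]]"
  key="${path%%/*}"
  version=""
  case "$path" in
    */*) version="${path#*/}"; version="${version%%/*}" ;;
  esac
  [ -n "$vault" ] && [ -n "$key" ] || { echo "cannot parse key URI: $uri" >&2; return 1; }
  echo "$vault $key $version"
}

# check_key URI
# Returns 0 only if 'az keyvault key show' finds the key and it is enabled.
# A missing key or a deleted/unreachable vault makes 'az' fail, so the
# function fails too; a disabled key is reported explicitly.
check_key() {
  parsed=$(parse_key_uri "$1") || return 1
  set -- $parsed
  vault="$1"; key="$2"; version="${3:-}"
  if [ -n "$version" ]; then
    enabled=$(az keyvault key show --vault-name "$vault" --name "$key" \
                --version "$version" --query attributes.enabled -o tsv) || return 1
  else
    enabled=$(az keyvault key show --vault-name "$vault" --name "$key" \
                --query attributes.enabled -o tsv) || return 1
  fi
  case "$enabled" in
    [Tt]rue) echo "key $key in vault $vault is present and enabled" ;;
    *) echo "key $key in vault $vault is disabled" >&2; return 1 ;;
  esac
}

# grant_key_permissions VAULT RESOURCE_GROUP SERVER
# Looks up the server's system-assigned identity and grants it the Get,
# Wrap and Unwrap key permissions through a key vault access policy.
grant_key_permissions() {
  vault="$1"; rg="$2"; server="$3"
  principal=$(az postgres server show --resource-group "$rg" --name "$server" \
                --query identity.principalId -o tsv) || return 1
  if [ -z "$principal" ] || [ "$principal" = "None" ]; then
    echo "server $server has no managed identity (was it deleted?)" >&2
    return 1
  fi
  az keyvault set-policy --name "$vault" --object-id "$principal" \
    --key-permissions get wrapKey unwrapKey >/dev/null || return 1
  echo "granted get/wrapKey/unwrapKey on $vault to principal $principal"
}

# Usage: sh check_cmk.sh <key-uri> <resource-group> <server-name> [--grant]
# Example (constructed names):
#   sh check_cmk.sh https://contoso-kv.vault.azure.net/keys/pg-cmk/0123abcd rg-pg pg-single-01 --grant
if [ "$#" -ge 3 ]; then
  check_key "$1" || exit 1
  if [ "${4:-}" = "--grant" ]; then
    vault=$(parse_key_uri "$1" | cut -d' ' -f1)
    grant_key_permissions "$vault" "$2" "$3"
  fi
fi
```

Run it with the key URI shown on the server's Data encryption blade, the server's resource group and name; without --grant it only reports whether the key is present and enabled. If the vault uses the Azure RBAC permission model instead of access policies, az keyvault set-policy does not apply; assign the Key Vault Crypto Service Encryption User role to the server's identity on the vault instead. The script does not check the key's expiry date, so an expired key still has to be inspected in the portal or with az keyvault key show.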

Next steps

Use the Azure portal to set up data encryption with a customer-managed key on Azure Database for PostgreSQL