Validating data encryption for Azure Database for PostgreSQL

This article helps you validate that data encryption using a customer-managed key for Azure Database for PostgreSQL is working as expected.

Check the encryption status

From the portal

  1. If you want to verify that the customer's key is used for encryption, follow these steps:

    • In the Azure portal, navigate to Azure Key Vault -> Keys.

    • Select the key used for server encryption.

    • Set the Enabled status of the key to No.

      After some time (~15 min), the Status of the Azure Database for PostgreSQL server should be Inaccessible. Any I/O operation against the server will fail, which confirms that the server is indeed encrypted with the customer's key and that the key is currently not valid.

      To make the server Available again, you can revalidate the key.

    • Set the Enabled status of the key in the Key Vault to Yes.

    • On the server's Data Encryption page, select Revalidate key.

    • After the key is revalidated successfully, the server Status changes to Available.

  2. In the Azure portal, if you can confirm that the encryption key is set on the server, then the data is encrypted using the customer's key configured in the Azure portal.

(Screenshot: Access policy overview)

From the CLI

  1. You can use the az CLI to list the key resources used by the Azure Database for PostgreSQL server:

    az postgres server key list --name '<server_name>' -g '<resource_group_name>'

    For a server without data encryption set, this command returns an empty set: [].
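The following is an added example, not part of the original article: a small script that checks the JSON printed by `az postgres server key list` and reports whether a customer-managed key is in use and whether it lives in the Key Vault you expect. The sample output is constructed, and the field names (`serverKeyType`, `uri`) are assumed from the server key resource schema.

```python
import json
from urllib.parse import urlparse

# Constructed sample of `az postgres server key list` output for a server that
# has a customer-managed key. Field names are assumed, not copied from a real run.
SAMPLE_CMK_OUTPUT = json.dumps([{
    "name": "contoso-kv_pgkey_0123456789abcdef0123456789abcdef",
    "serverKeyType": "AzureKeyVault",
    "uri": "https://contoso-kv.vault.azure.net/keys/pgkey/0123456789abcdef0123456789abcdef",
    "type": "Microsoft.DBforPostgreSQL/servers/keys",
}])

# What the article says a server without data encryption returns.
SAMPLE_NO_CMK_OUTPUT = "[]"


def parse_key_uri(uri):
    """Split a Key Vault key URI into (vault host, key name, key version or None)."""
    parsed = urlparse(uri)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.scheme != "https" or len(parts) < 2 or parts[0] != "keys":
        raise ValueError(f"not a Key Vault key URI: {uri}")
    version = parts[2] if len(parts) > 2 else None
    return parsed.hostname, parts[1], version


def check_cmk(cli_output, expected_vault_host=None):
    """Return (ok, message) for the JSON printed by `az postgres server key list`.

    ok is False when no key is listed (no customer-managed key), when a key is
    not a Key Vault key, or when it lives in a vault other than the expected one.
    """
    keys = json.loads(cli_output)
    if not keys:
        return False, "no server key listed: customer-managed key encryption is not set"
    found = []
    for key in keys:
        if key.get("serverKeyType") != "AzureKeyVault":
            return False, f"unexpected serverKeyType {key.get('serverKeyType')!r}"
        host, name, version = parse_key_uri(key["uri"])
        if expected_vault_host and host != expected_vault_host:
            return False, f"key {name} is in {host}, expected {expected_vault_host}"
        found.append(f"{name}@{host} (version {version or 'unpinned'})")
    return True, "customer-managed key in use: " + ", ".join(found)


if __name__ == "__main__":
    for label, out in (("cmk", SAMPLE_CMK_OUTPUT), ("no-cmk", SAMPLE_NO_CMK_OUTPUT)):
        print(label, *check_cmk(out, "contoso-kv.vault.azure.net"))
```

In practice, pipe the real command output into the script (for example `az postgres server key list ... | python3 check_cmk.py`) and read it from stdin in place of the constructed sample.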

Azure audit reports

The Trust Center can also be reviewed; it provides information about compliance with data protection standards and regulatory requirements.

Next steps

To learn more about data encryption, see Azure Database for PostgreSQL Single Server data encryption with customer-managed key.