Double encryption

Double encryption is the practice of enabling two or more independent layers of encryption, so that the data stays protected if any one layer is compromised. Relying on a single layer means a single failure exposes the data; a second, independently keyed and independently implemented layer mitigates threats such as:

  • Configuration errors in the data encryption
  • Implementation errors in the encryption algorithm
  • Compromise of a single encryption key

Azure provides double encryption for data at rest and for data in transit.

Data at rest

Microsoft's approach to enabling two layers of encryption for data at rest is:

  • Disk encryption using customer-managed keys. You provide your own key for disk encryption. You can bring your own key into your Key Vault (BYOK, Bring Your Own Key), or generate a new key in Azure Key Vault, and use it to encrypt the desired resources. Because you control this key, Microsoft cannot decrypt the disk with platform keys alone.
  • Infrastructure encryption using platform-managed keys. By default, disks are automatically encrypted at rest with platform-managed encryption keys. This layer uses a different algorithm implementation and key than the customer-managed layer, so a defect or key compromise in one layer does not expose the plaintext on its own.

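The two layers above are enabled for a managed disk by creating a disk encryption set whose encryption type requests both platform and customer keys, and then creating the disk against that set. The following Azure PowerShell script is an added example written for this page; it is not code from the original page. The resource group, region, vault, key and disk names are placeholders you must replace, and it assumes the Az.Compute and Az.KeyVault modules are installed and you are already signed in with Connect-AzAccount.

```powershell
# Added example: enable double encryption (customer-managed key + platform key)
# on a managed disk. All names below are placeholders (assumptions), not real resources.
$ResourceGroupName     = "rg-double-encryption"
$LocationName          = "westeurope"
$VaultName             = "kv-cmk-example"
$KeyName               = "disk-cmk"
$DiskEncryptionSetName = "des-double-encryption"
$DiskName              = "disk-double-encryption"

# Disk encryption sets require a Key Vault with soft delete and purge protection,
# so a deleted key cannot silently make the customer-managed layer unrecoverable.
$keyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if (-not $keyVault.EnableSoftDelete -or -not $keyVault.EnablePurgeProtection) {
    throw "Key Vault $VaultName must have soft delete and purge protection enabled."
}

# Use (or create) the customer-managed key. A versioned key URL is passed to the set.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
if (-not $key) {
    $key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination Software
}
$keyUrl = $key.Key.Kid

# EncryptionAtRestWithPlatformAndCustomerKeys is what requests both layers.
# EncryptionAtRestWithCustomerKey alone would give only the customer-managed layer.
$desConfig = New-AzDiskEncryptionSetConfig `
    -Location $LocationName `
    -SourceVaultId $keyVault.ResourceId `
    -KeyUrl $keyUrl `
    -IdentityType SystemAssigned `
    -EncryptionType EncryptionAtRestWithPlatformAndCustomerKeys

$des = New-AzDiskEncryptionSet `
    -Name $DiskEncryptionSetName `
    -ResourceGroupName $ResourceGroupName `
    -InputObject $desConfig

# Least privilege: the set's managed identity only needs to wrap/unwrap with the key.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapkey, unwrapkey, get

# Create an empty disk bound to the set. The encryption type on the disk must match.
$diskConfig = New-AzDiskConfig `
    -Location $LocationName `
    -DiskSizeGB 64 `
    -SkuName Premium_LRS `
    -CreateOption Empty `
    -DiskEncryptionSetId $des.Id `
    -EncryptionType EncryptionAtRestWithPlatformAndCustomerKeys

$disk = New-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName -Disk $diskConfig

# Verification: the disk should report both layers, not just the platform key.
$actual = (Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName).Encryption.Type
if ($actual -ne "EncryptionAtRestWithPlatformAndCustomerKeys") {
    throw "Disk $DiskName is encrypted with '$actual', not with both layers."
}
"Disk $DiskName is double encrypted ($actual) with key $keyUrl"
```

The final Get-AzDisk check is the part worth keeping in any automation: a disk created without the EncryptionType parameter silently falls back to platform keys only, so assert on the reported type rather than on the command succeeding.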
Data in transit

Microsoft's approach to enabling two layers of encryption for data in transit is:

  • Transit encryption using Transport Layer Security (TLS) 1.2 to protect data while it travels between the cloud services and you. All traffic leaving a datacenter is encrypted in transit, even if the traffic destination is another domain controller in the same region. TLS 1.2 is the default security protocol used. TLS provides strong authentication, message privacy and integrity (enabling detection of message tampering, interception and forgery), interoperability, algorithm flexibility, and ease of deployment and use. Note that this layer terminates at the service endpoint: it protects the path between your client and the Azure service, and the client must still verify the server certificate for the authentication property to hold.
  • An additional layer of encryption provided at the infrastructure layer. A data-link layer encryption method using the IEEE 802.1AE MAC Security standard (also known as MACsec) is applied point-to-point across the underlying network hardware. Whenever Azure customer traffic moves between datacenters, outside physical boundaries not controlled by Microsoft (or on behalf of Microsoft), the packets are encrypted and decrypted on the network devices before being sent, preventing physical "man-in-the-middle", snooping or wiretapping attacks on the fiber. Because this technology is integrated into the network hardware itself, it provides line-rate encryption with no measurable increase in link latency. This MACsec encryption is on by default for all Azure traffic traveling within a region or between regions, and no action is required on the customer's part to enable it. MACsec covers only the hops between Microsoft-controlled facilities; the path from your own network to the Azure edge is protected by the TLS layer above.

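The MACsec layer needs nothing from you, but the TLS layer is only as strong as what your client negotiates, so the practical check on the customer side is to confirm that connections to an Azure endpoint actually use TLS 1.2 or later with a verified certificate. The function below is an added example written for this page, not code from the original page or from Microsoft; the endpoint names used in the usage lines are assumptions and can be replaced with any Azure endpoint you use.

```powershell
# Added example: verify the TLS version and cipher a client negotiates with an
# Azure endpoint, offering only TLS 1.2 so that a downgrade is refused outright.
function Test-AzureTlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # leaveInnerStreamOpen = $false; no custom validation callback, so the
        # default chain validation applies and an untrusted certificate throws.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)

        # Offer TLS 1.2 only. Change to Tls12 -bor Tls13 on .NET Core 3.0+/.NET 4.8
        # if you also want to allow TLS 1.3. The final $true turns on revocation checking.
        $offered = [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($HostName, $null, $offered, $true)

        [pscustomobject]@{
            Host         = $HostName
            Protocol     = $ssl.SslProtocol          # expected: Tls12
            Cipher       = $ssl.CipherAlgorithm
            CipherBits   = $ssl.CipherStrength
            KeyExchange  = $ssl.KeyExchangeAlgorithm
            Subject      = $ssl.RemoteCertificate.Subject
            Authenticated = $ssl.IsAuthenticated -and $ssl.IsEncrypted -and $ssl.IsSigned
        }
    }
    finally {
        $client.Dispose()
    }
}

# Windows PowerShell 5.1 (.NET Framework) may still prefer TLS 1.0/1.1 for
# Invoke-RestMethod and the Az module unless the process default is raised.
# PowerShell 7 already defaults to the OS policy, where this line is harmless.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Usage (endpoint names are assumptions; substitute your own storage account or Key Vault):
Test-AzureTlsEndpoint -HostName "management.azure.com"
Test-AzureTlsEndpoint -HostName "mystorageaccount.blob.core.windows.net"
```

If the handshake throws an AuthenticationException, either the endpoint refused TLS 1.2 or the certificate chain failed validation; both are findings, not conditions to work around by relaxing the protocol set or adding a permissive certificate callback.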
Next steps

Learn how encryption is used in Azure.