Azure data encryption at rest

Azure includes tools to safeguard data according to your company's security and compliance needs. This paper focuses on:

  • How data is protected at rest across Azure
  • The various components taking part in the data protection implementation
  • The pros and cons of the different key management protection approaches

Encryption at Rest is a common security requirement. In Azure, organizations can encrypt data at rest without the risk or cost of a custom key management solution. Organizations have the option of letting Azure completely manage Encryption at Rest. Additionally, organizations have various options to closely manage encryption or encryption keys.

What is encryption at rest?

Encryption at Rest is the encoding (encryption) of data when it is persisted. The Encryption at Rest designs in Azure use symmetric encryption to encrypt and decrypt large amounts of data quickly according to a simple conceptual model:

  • A symmetric encryption key is used to encrypt data as it is written to storage.
  • The same encryption key is used to decrypt that data as it is readied for use in memory.
  • Data may be partitioned, and different keys may be used for each partition.
  • Keys must be stored in a secure location with identity-based access control and audit policies. Data encryption keys are often encrypted with a key encryption key in Azure Key Vault to further limit access.

In practice, key management and control scenarios, as well as scale and availability assurances, require additional constructs. Azure Encryption at Rest concepts and components are described below.

The purpose of encryption at rest

Encryption at rest provides data protection for stored data (at rest). Attacks against data at rest include attempts to obtain physical access to the hardware on which the data is stored, and then compromise the contained data. In such an attack, a server's hard drive may have been mishandled during maintenance, allowing an attacker to remove the hard drive. Later the attacker would put the hard drive into a computer under their control to attempt to access the data.

Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource consuming than accessing unencrypted data on a hard drive. For this reason, encryption at rest is highly recommended and is a high priority requirement for many organizations.

Encryption at rest may also be required by an organization's need for data governance and compliance efforts. Industry and government regulations such as HIPAA, PCI, and FedRAMP lay out specific safeguards regarding data protection and encryption requirements. Encryption at rest is a mandatory measure required for compliance with some of those regulations. For more information on Microsoft's approach to FIPS 140-2 validation, see Federal Information Processing Standard (FIPS) Publication 140-2.

In addition to satisfying compliance and regulatory requirements, encryption at rest provides defense-in-depth protection. Azure provides a compliant platform for services, applications, and data. It also provides comprehensive facility and physical security, data access control, and auditing. However, it is important to provide additional "overlapping" security measures in case one of the other security measures fails, and encryption at rest provides such a security measure.

Microsoft is committed to encryption at rest options across cloud services and to giving customers control of encryption keys and logs of key use. Additionally, Microsoft is working towards encrypting all customer data at rest by default.

Azure Encryption at Rest Components

As described previously, the goal of encryption at rest is that data that is persisted on disk is encrypted with a secret encryption key. To achieve that goal, secure key creation, storage, access control, and management of the encryption keys must be provided. Though details may vary, Azure services' Encryption at Rest implementations can be described in the terms illustrated in the following diagram.

Azure Key Vault

The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. The keys need to be highly secured but manageable by specified users and available to specific services. For Azure services, Azure Key Vault is the recommended key storage solution and provides a common management experience across services. Keys are stored and managed in key vaults, and access to a key vault can be given to users or services. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios.

Azure Active Directory

Permissions to use the keys stored in Azure Key Vault, either to manage them or to access them for Encryption at Rest encryption and decryption, can be given to Azure Active Directory accounts.

Key Hierarchy

More than one encryption key is used in an encryption at rest implementation. Storing an encryption key in Azure Key Vault ensures secure key access and central management of keys. However, service-local access to encryption keys is more efficient for bulk encryption and decryption than interacting with Key Vault for every data operation, allowing for stronger encryption and better performance. Limiting the use of a single encryption key decreases the risk that the key will be compromised and the cost of re-encryption when a key must be replaced. Azure encryption at rest models use a key hierarchy made up of the following types of keys in order to address all these needs:

  • Data Encryption Key (DEK) - A symmetric AES256 key used to encrypt a partition or block of data. A single resource may have many partitions and many Data Encryption Keys. Encrypting each block of data with a different key makes cryptanalysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key.
  • Key Encryption Key (KEK) - An encryption key used to encrypt the Data Encryption Keys. Use of a Key Encryption Key that never leaves Key Vault allows the data encryption keys themselves to be encrypted and controlled. The entity that has access to the KEK may be different from the entity that requires the DEK. An entity may broker access to the DEK to limit the access of each DEK to a specific partition. Since the KEK is required to decrypt the DEKs, deleting the KEK effectively deletes every DEK it protects in a single step.

The Data Encryption Keys, encrypted with the Key Encryption Keys, are stored separately, and only an entity with access to the Key Encryption Key can decrypt these Data Encryption Keys. Different models of key storage are supported. See data encryption models for more information.
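The DEK/KEK hierarchy above as an added, runnable illustration (example code written for this page, not Microsoft's or any Azure service's implementation): a stand-in KeyVault type wraps a fresh AES-256 DEK per partition under a KEK that never leaves it, so the bulk work happens locally with the DEK, replacing one DEK touches only its block, and deleting the KEK makes every wrapped DEK unrecoverable. The names KeyVault, Partition, EncryptPartition and DecryptPartition are assumed for the example, and AES-GCM is used for both key wrapping and bulk encryption as a simplification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// must panics on errors only a bug can cause (bad key size, failed RNG), keeping the example short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// randomBytes draws n bytes from crypto/rand: used for the KEK, every DEK and every GCM nonce.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
// seal encrypts with AES-256-GCM and prepends the 12-byte nonce; open reverses it and fails on tampering.
func seal(key, plaintext []byte) []byte {
	g, nonce := must(cipher.NewGCM(must(aes.NewCipher(key)))), randomBytes(12)
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if key == nil || len(sealed) < 12 {
		return nil, errors.New("key unavailable (deleted?) or ciphertext too short")
	}
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, sealed[:12], sealed[12:], nil)
}
// KeyVault stands in for Azure Key Vault: the KEK never leaves it; callers only wrap and unwrap DEKs.
type KeyVault struct{ kek []byte }

func NewKeyVault() *KeyVault                              { return &KeyVault{kek: randomBytes(32)} }
func (v *KeyVault) Wrap(dek []byte) []byte                { return seal(v.kek, dek) }
func (v *KeyVault) Unwrap(wrapped []byte) ([]byte, error) { return open(v.kek, wrapped) }
func (v *KeyVault) DeleteKEK()                            { v.kek = nil } // every wrapped DEK is now unrecoverable
// Partition is one block of data; its DEK is stored beside the ciphertext only in wrapped form.
type Partition struct{ WrappedDEK, Ciphertext []byte }
// EncryptPartition generates a fresh AES-256 DEK per block, so replacing one DEK re-encrypts only that block.
func EncryptPartition(v *KeyVault, plaintext []byte) Partition {
	dek := randomBytes(32)
	return Partition{WrappedDEK: v.Wrap(dek), Ciphertext: seal(dek, plaintext)}
}
// DecryptPartition unwraps the DEK through the vault once, then does the bulk decryption locally.
func DecryptPartition(v *KeyVault, p Partition) ([]byte, error) {
	dek, err := v.Unwrap(p.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, p.Ciphertext)
}
```

Rotating a partition's DEK is just DecryptPartition followed by EncryptPartition on that one partition; the block has no main and is exercised with go test.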

Encryption at rest in Azure cloud services

Microsoft cloud services are used in all three cloud models: IaaS, PaaS, and SaaS. Below are examples of how they fit each model:

  • Software services, referred to as Software as a Service or SaaS, which have applications provided by the cloud such as Microsoft 365.
  • Platform services, in which customers leverage the cloud in their applications, using the cloud for things like storage, analytics, and service bus functionality.
  • Infrastructure services, or Infrastructure as a Service (IaaS), in which customers deploy operating systems and applications that are hosted in the cloud and possibly leverage other cloud services.

Encryption at rest for SaaS customers

Software as a Service (SaaS) customers typically have encryption at rest enabled or available in each service. Microsoft 365 has several options for customers to verify or enable encryption at rest. For information about Microsoft 365 services, see Encryption in Microsoft 365.

Encryption at rest for PaaS customers

Platform as a Service (PaaS) customers' data typically resides in a storage service such as Blob Storage but may also be cached or stored in the application execution environment, such as a virtual machine. To see the encryption at rest options available to you, examine the table below for the storage and application platforms that you use.

Encryption at rest for IaaS customers

Infrastructure as a Service (IaaS) customers can have a variety of services and applications in use. IaaS services can enable encryption at rest in their Azure-hosted virtual machines and VHDs using Azure Disk Encryption.

Encrypted storage

Like PaaS, IaaS solutions can leverage other Azure services that store data encrypted at rest. In these cases, you can enable the Encryption at Rest support as provided by each consumed Azure service. The table below enumerates the major storage, services, and application platforms and the model of Encryption at Rest supported.

Encrypted compute

All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption with a service-managed key. A more complete Encryption at Rest solution ensures that the data is never persisted in unencrypted form. While processing the data on a virtual machine, data can be persisted to the Windows page file or Linux swap file, a crash dump, or an application log. To ensure this data is encrypted at rest, IaaS applications can use Azure Disk Encryption on an Azure IaaS virtual machine (Windows or Linux) and virtual disk.

Custom encryption at rest

It is recommended that, whenever possible, IaaS applications leverage Azure Disk Encryption and the Encryption at Rest options provided by any consumed Azure services. In some cases, such as irregular encryption requirements or non-Azure based storage, a developer of an IaaS application may need to implement encryption at rest themselves. Developers of IaaS solutions can better integrate with Azure management and customer expectations by leveraging certain Azure components. Specifically, developers should use the Azure Key Vault service to provide secure key storage and to provide their customers with key management options consistent with those of most Azure platform services. Additionally, custom solutions should use Azure Managed Service Identities to enable service accounts to access encryption keys. For developer information on Azure Key Vault and Managed Service Identities, see their respective SDKs.

Azure resource providers encryption model support

Azure services each support one or more of the encryption at rest models. For some services, however, one or more of the encryption models may not be applicable. Services that support customer-managed key scenarios may support only a subset of the key types that Azure Key Vault supports for key encryption keys. Additionally, services may release support for these scenarios and key types on different schedules. This section describes the encryption at rest support, at the time of this writing, for each of the major Azure data storage services.

Azure disk encryption

Any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption. For more information on Azure Disk Encryption, see the Azure Disk Encryption documentation.

Azure storage

All Azure Storage services (Blob storage, Queue storage, Table storage, and Azure Files) support server-side encryption at rest; some services additionally support customer-managed keys and client-side encryption.

Azure SQL Database

Azure SQL Database currently supports encryption at rest for Microsoft-managed service-side and client-side encryption scenarios.

Support for server encryption is currently provided through the SQL feature called Transparent Data Encryption. Once an Azure SQL Database customer enables TDE, keys are automatically created and managed for them. Encryption at rest can be enabled at the database and server levels. As of June 2017, Transparent Data Encryption (TDE) is enabled by default on newly created databases. Azure SQL Database supports RSA 2048-bit customer-managed keys in Azure Key Vault. For more information, see Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Data Warehouse.

Client-side encryption of Azure SQL Database data is supported through the Always Encrypted feature. Always Encrypted uses a key that is created and stored by the client. Customers can store the master key in a Windows certificate store, Azure Key Vault, or a local Hardware Security Module. Using SQL Server Management Studio, SQL users choose which key they would like to use to encrypt which column.

Protection of customer data stored within Azure services is of paramount importance to Microsoft. All Azure hosted services are committed to providing Encryption at Rest options. Azure services support service-managed keys, customer-managed keys, or client-side encryption. Azure services are broadly enhancing Encryption at Rest availability, and new options are planned for preview and general availability in the upcoming months.

Next steps

  • See data encryption models to learn more about service-managed keys and customer-managed keys.
  • Learn how Azure uses double encryption to mitigate threats that come with encrypting data.
  • Learn what Microsoft does to ensure platform integrity and security of hosts traversing the hardware and firmware build-out, integration, operationalization, and repair pipelines.