Configure customer-managed keys for encrypting Azure Service Bus data at rest by using the Azure portal

Azure Service Bus Premium provides encryption of data at rest with Azure Storage Service Encryption (Azure SSE). Service Bus Premium relies on Azure Storage to store its data, and by default all data stored in Azure Storage is encrypted with Azure-managed keys.

Overview

Azure Service Bus supports encrypting data at rest with either Azure-managed keys or customer-managed keys (Bring Your Own Key, BYOK). This feature lets you create, rotate, and disable the customer-managed keys used to encrypt Azure Service Bus data at rest, and revoke the service's access to them.

Enabling the BYOK feature is a one-time setup process on your namespace.

Note

There are some caveats to using a customer-managed key for service-side encryption:

  • This feature is supported only by the Azure Service Bus Premium tier. It cannot be enabled on Standard tier Service Bus namespaces.
  • Encryption can only be enabled on new or empty namespaces. If the namespace already contains any queues or topics, the encryption operation fails.

You can use Azure Key Vault to manage your keys and audit their use. You can either create your own keys and store them in a key vault, or use the Azure Key Vault APIs to generate keys. For more information about Azure Key Vault, see What is Azure Key Vault?

This article shows how to configure a key vault with customer-managed keys by using the Azure portal. To learn how to create a key vault using the Azure portal, see Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal.

Important

Using customer-managed keys with Azure Service Bus requires two properties on the key vault: Soft Delete and Do Not Purge (purge protection). Soft delete is enabled by default on new key vaults; purge protection is opt-in, and once enabled it cannot be turned off again. To enable these properties on an existing key vault, use PowerShell or the Azure CLI.

Enable customer-managed keys

To enable customer-managed keys in the Azure portal, follow these steps:

  1. Navigate to your Service Bus Premium namespace.

  2. On the Settings page of your Service Bus namespace, select Encryption.

  3. Select Customer-managed key encryption at rest, as shown in the following image.

    (Screenshot: Enable customer-managed keys)

Set up a key vault with keys

After you enable customer-managed keys, you need to associate a customer-managed key with your Azure Service Bus namespace. Service Bus supports only Azure Key Vault. If you enabled the Encryption with customer-managed key option in the previous section, the key must be present in Azure Key Vault, and the vault must have Soft Delete and Do Not Purge (purge protection) configured. These settings can be configured using PowerShell or the Azure CLI.

  1. To create a new key vault, follow the Azure Key Vault Quickstart. For more information about importing existing keys, see About keys, secrets, and certificates.

  2. To turn on both soft delete and purge protection when creating a vault, use the az keyvault create command.

    az keyvault create --name contoso-SB-BYOK-keyvault --resource-group ContosoRG --location chinanorth --enable-soft-delete true --enable-purge-protection true
    
  3. To add purge protection to an existing vault (that already has soft delete enabled), use the az keyvault update command.

    az keyvault update --name contoso-SB-BYOK-keyvault --resource-group ContosoRG --enable-purge-protection true
    
  4. Create keys by following these steps:

    1. To create a new key, select Generate/Import from the Keys menu under Settings.

      (Screenshot: Select the Generate/Import button)

    2. Set Options to Generate and give the key a name.

      (Screenshot: Create a key)

    3. You can now select this key from the drop-down list to associate it with the Service Bus namespace for encryption.

      (Screenshot: Select a key from the key vault)

      Note

      For redundancy, you can add up to 3 keys. If one of the keys has expired or is not accessible, the other keys are used for encryption.

    4. Fill in the details for the key and click Select. This enables encryption of data at rest on the namespace with a customer-managed key.

    Important

    If you want to use customer-managed keys together with Geo-disaster recovery, review the following.

    To enable encryption at rest with a customer-managed key, an access policy is set up for the Service Bus namespace's managed identity on the specified Azure Key Vault. This ensures controlled access to the key vault from the Azure Service Bus namespace.

    Because of this:

    • If Geo-disaster recovery is already enabled for the Service Bus namespace and you want to enable a customer-managed key, then

    • If you want to enable Geo-DR on a Service Bus namespace where a customer-managed key is already set up, then
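The vault prerequisites and the key creation described in this section can be done and checked in one pass from PowerShell instead of clicked through in the portal. The script below is an added example, not code from the original article or from Azure's own documentation; it uses the Az.KeyVault cmdlets (New-AzKeyVault, Update-AzKeyVault, Add-AzKeyVaultKey). The vault name, resource group and location are the placeholder values from the CLI commands above, and the key name `contoso-sb-key` is an assumption.

```powershell
# Added example, not from the original article: create (or harden) the key vault for
# Service Bus customer-managed keys and generate a key limited to what Service Bus uses.
# Assumes the Az.KeyVault module and an existing session; for the chinanorth placeholder
# that session is Connect-AzAccount -Environment AzureChinaCloud.
param(
    [string]$ResourceGroupName = 'ContosoRG',               # placeholders from the CLI steps
    [string]$VaultName         = 'contoso-SB-BYOK-keyvault',
    [string]$Location          = 'chinanorth',
    [string]$KeyName           = 'contoso-sb-key'           # assumed key name
)

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if (-not $vault) {
    # New vault: soft delete is always on in current Az.KeyVault; purge protection is opt-in
    # and, once on, cannot be turned off again.
    $vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroupName `
        -Location $Location -EnablePurgeProtection
}
elseif (-not $vault.EnablePurgeProtection) {
    # Existing vault that already has soft delete: add purge protection in place.
    $vault = Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -EnablePurgeProtection
}

# Re-read the vault and stop here unless both properties are set; Service Bus rejects the
# vault otherwise, and it is cheaper to find that out now than during the namespace update.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if (-not ($vault.EnableSoftDelete -and $vault.EnablePurgeProtection)) {
    throw "Vault $VaultName needs soft delete and purge protection before it can back a Service Bus namespace."
}

# Create the key only if it does not exist yet. Service Bus only wraps and unwraps its data
# keys with this key, so the key's own operations are limited to wrapKey/unwrapKey; the
# expiry gives the rotation section of the article a date to work against.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if (-not $key) {
    $now = (Get-Date).ToUniversalTime()
    $key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination Software `
        -KeyType RSA -Size 2048 -KeyOps wrapKey, unwrapKey `
        -NotBefore $now -Expires $now.AddYears(1)
}

# What the portal's key picker and the ARM parameter file later in this article need.
[pscustomobject]@{
    KeyVaultUri = $vault.VaultUri      # e.g. https://<KeyVaultName>.vault.azure.cn/
    KeyName     = $key.Name
    KeyVersion  = $key.Version
    Expires     = $key.Expires
}
```

Run it before touching the namespace: it refuses to continue when either vault property is missing, which is exactly the condition that makes the namespace encryption step fail later. Limiting the key's operations to wrapKey and unwrapKey is a control on the key object itself and is independent of the access policy granted to the namespace identity; both should be kept narrow.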

Rotate your encryption keys

You can rotate your key in the key vault by using Azure Key Vault's rotation mechanism. Activation and expiration dates can also be set to automate key rotation. The Service Bus service detects new key versions and starts using them automatically.

Revoke access to keys

Revoking access to the encryption key does not purge the data from Service Bus; however, the data can no longer be accessed through the Service Bus namespace. You can revoke the encryption key by removing the access policy or by deleting the key. Learn more about access policies and securing your key vault in Secure access to a key vault.

Once the encryption key is revoked, the Service Bus service on the encrypted namespace becomes inoperable. If access to the key is restored, or the deleted key is restored from its soft-deleted state, Service Bus picks the key up again and you can access the data in the encrypted namespace.
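The rotate and revoke operations from the two sections above, together with the restore path, as an added PowerShell example that is not part of the original article: it creates a new version of the key, removes and then re-grants the namespace identity's access policy, and recovers the key from its soft-deleted state if it was deleted, reading back the encryption state the namespace reports along the way. It assumes the Az.KeyVault and Az.Resources modules; the namespace name `contoso-sb-premium` and key name `contoso-sb-key` are assumed placeholders, and the vault and resource group names are those used in the CLI commands earlier.

```powershell
# Added example, not from the original article: rotate the customer-managed key, revoke the
# namespace's access to it, restore that access, and recover a deleted key. Reads back the
# encryption state the namespace reports after the steps.
# Assumes Az.KeyVault and Az.Resources; all names are placeholders.
$ResourceGroupName = 'ContosoRG'
$VaultName         = 'contoso-SB-BYOK-keyvault'
$NamespaceName     = 'contoso-sb-premium'   # assumed namespace name
$KeyName           = 'contoso-sb-key'       # assumed key name

function Get-NamespaceEncryption {
    # Goes through the generic resource API so it does not depend on a particular
    # Az.ServiceBus version's object model.
    $ns = Get-AzResource -ResourceType 'Microsoft.ServiceBus/namespaces' `
        -ResourceGroupName $ResourceGroupName -Name $NamespaceName -ExpandProperties
    [pscustomobject]@{
        PrincipalId = $ns.Identity.PrincipalId
        KeySource   = $ns.Properties.encryption.keySource
        Keys        = $ns.Properties.encryption.keyVaultProperties
    }
}

# 1. Rotate. Adding a key under an existing name creates a new version. The article says
#    Service Bus detects new versions on its own, so leave earlier versions enabled until
#    you have confirmed the namespace is healthy with the new one.
Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination Software `
    -KeyType RSA -Size 2048 -KeyOps wrapKey, unwrapKey `
    -Expires (Get-Date).ToUniversalTime().AddYears(1) | Out-Null
Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -IncludeVersions |
    Select-Object Version, Enabled, Created, Expires | Format-Table

# 2. Revoke. Removing the namespace identity's access policy does not delete any data, but
#    the namespace can no longer unwrap its data keys and is inoperable until step 3.
$principalId = (Get-NamespaceEncryption).PrincipalId
Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $principalId

# 3. Restore. Re-grant exactly the key permissions the article's access-policy step grants;
#    Service Bus picks the key up again without any change to the namespace itself.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $principalId -PermissionsToKeys get, wrapKey, unwrapKey, list

# 4. Recover a deleted key. Soft delete keeps it recoverable for the retention period and
#    purge protection stops anyone from shortening that window, which is why both are
#    required. Undo-AzKeyVaultKeyRemoval puts the key (all versions) back.
if (-not (Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName) -and
    (Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -InRemovedState)) {
    Undo-AzKeyVaultKeyRemoval -VaultName $VaultName -Name $KeyName | Out-Null
}

Get-NamespaceEncryption
```

Steps 2 and 3 are the break-glass pair: a policy removal is instant and reversible, and is the safer way to cut the service off compared with deleting the key. Deleting the key also works, but recovery then depends on the vault's soft-delete retention window, so treat step 4 as the fallback rather than the primary revocation method.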

Use a Resource Manager template to enable encryption

This section shows how to do the following tasks using Azure Resource Manager templates:

  1. Create a Premium Service Bus namespace with a managed service identity.
  2. Create a key vault and grant the service identity access to the key vault.
  3. Update the Service Bus namespace with the key vault information (vault URI and key name).

Create a Premium Service Bus namespace with a managed service identity

This section shows you how to create an Azure Service Bus namespace with a managed service identity by using an Azure Resource Manager template and PowerShell.

  1. Create an Azure Resource Manager template that creates a Service Bus Premium tier namespace with a system-assigned managed identity. Name the file CreateServiceBusPremiumNamespace.json:

    {
       "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
       "contentVersion":"1.0.0.0",
       "parameters":{
          "namespaceName":{
             "type":"string",
             "metadata":{
                "description":"Name for the Namespace."
             }
          },
          "location":{
             "type":"string",
             "defaultValue":"[resourceGroup().location]",
             "metadata":{
                "description":"Specifies the Azure location for all resources."
             }
          }
       },
       "resources":[
          {
             "type":"Microsoft.ServiceBus/namespaces",
             "apiVersion":"2018-01-01-preview",
             "name":"[parameters('namespaceName')]",
             "location":"[parameters('location')]",
             "identity":{
                "type":"SystemAssigned"
             },
             "sku":{
                "name":"Premium",
                "tier":"Premium",
                "capacity":1
             },
             "properties":{
    
             }
          }
       ],
       "outputs":{
          "serviceBusNamespaceId":{
             "type":"string",
             "value":"[resourceId('Microsoft.ServiceBus/namespaces',parameters('namespaceName'))]"
          }
       }
    }
    
  2. Create a template parameter file named CreateServiceBusPremiumNamespaceParams.json.

    Note

    Replace the following values:

    • <ServiceBusNamespaceName> - Name of your Service Bus namespace
    • <Location> - Location of your Service Bus namespace
    {
       "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
       "contentVersion":"1.0.0.0",
       "parameters":{
          "namespaceName":{
             "value":"<ServiceBusNamespaceName>"
          },
          "location":{
             "value":"<Location>"
          }
       }
    }
    
  3. Run the following PowerShell command to deploy the template that creates the Premium Service Bus namespace, then retrieve the namespace's resource ID for use in the next section. Replace {MyRG} with the name of the resource group before running the command.

    $outputs = New-AzResourceGroupDeployment -Name CreateServiceBusPremiumNamespace -ResourceGroupName {MyRG} -TemplateFile ./CreateServiceBusPremiumNamespace.json -TemplateParameterFile ./CreateServiceBusPremiumNamespaceParams.json
    
    $ServiceBusNamespaceId = $outputs.Outputs["serviceBusNamespaceId"].value
    

Grant the Service Bus namespace identity access to the key vault

  1. Run the following command to create a key vault with soft delete and purge protection enabled. The commands in this section use the Az PowerShell module, the same module as New-AzResourceGroupDeployment above; soft delete is always on for vaults created with current versions of Az.KeyVault, so only purge protection needs to be requested explicitly.

    New-AzKeyVault -Name "{keyVaultName}" -ResourceGroupName {RGName} -Location "{location}" -EnablePurgeProtection
    

    (OR)

    Run the following command to turn on purge protection for an existing key vault. Specify values for the resource group and key vault names before running the command. Purge protection cannot be turned off again once enabled.

    Update-AzKeyVault -VaultName {keyVaultName} -ResourceGroupName {RGName} -EnablePurgeProtection
    
  2. Set the key vault access policy so that the managed identity of the Service Bus namespace can use the key in the key vault. Use the ID of the Service Bus namespace from the previous section. The key permissions below are the ones the namespace identity needs to wrap and unwrap its data-encryption keys; do not grant it broader key permissions such as create, delete, or purge.

    $identity = (Get-AzResource -ResourceId $ServiceBusNamespaceId -ExpandProperties).Identity
    
    Set-AzKeyVaultAccessPolicy -VaultName {keyVaultName} -ResourceGroupName {RGName} -ObjectId $identity.PrincipalId -PermissionsToKeys get,wrapKey,unwrapKey,list
    

Encrypt data in the Service Bus namespace with a customer-managed key from the key vault

You have done the following steps so far:

  1. Created a Premium namespace with a managed identity.
  2. Created a key vault and granted the managed identity access to it.

In this step, you update the Service Bus namespace with the key vault information. The template sets keySource to Microsoft.KeyVault and lists the vault URI and key name; the namespace's managed identity is what authenticates to the vault, so the access policy from the previous section must already be in place.

  1. Create a JSON file named UpdateServiceBusNamespaceWithEncryption.json with the following content:

    {
       "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
       "contentVersion":"1.0.0.0",
       "parameters":{
          "namespaceName":{
             "type":"string",
             "metadata":{
                "description":"Name for the Namespace to be created in cluster."
             }
          },
          "location":{
             "type":"string",
             "defaultValue":"[resourceGroup().location]",
             "metadata":{
                "description":"Specifies the Azure location for all resources."
             }
          },
          "keyVaultUri":{
             "type":"string",
             "metadata":{
                "description":"URI of the KeyVault."
             }
          },
          "keyName":{
             "type":"string",
             "metadata":{
                "description":"KeyName."
             }
          }
       },
       "resources":[
          {
             "type":"Microsoft.ServiceBus/namespaces",
             "apiVersion":"2018-01-01-preview",
             "name":"[parameters('namespaceName')]",
             "location":"[parameters('location')]",
             "identity":{
                "type":"SystemAssigned"
             },
             "sku":{
                "name":"Premium",
                "tier":"Premium",
                "capacity":1
             },
             "properties":{
                "encryption":{
                   "keySource":"Microsoft.KeyVault",
                   "keyVaultProperties":[
                      {
                         "keyName":"[parameters('keyName')]",
                         "keyVaultUri":"[parameters('keyVaultUri')]"
                      }
                   ]
                }
             }
          }
       ]
    }
    
  2. Create a template parameter file named UpdateServiceBusNamespaceWithEncryptionParams.json.

    Note

    Replace the following values:

    • <ServiceBusNamespaceName> - Name of your Service Bus namespace
    • <Location> - Location of your Service Bus namespace
    • <KeyVaultName> - Name of your key vault
    • <KeyName> - Name of the key in the key vault
    {
       "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
       "contentVersion":"1.0.0.0",
       "parameters":{
          "namespaceName":{
             "value":"<ServiceBusNamespaceName>"
          },
          "location":{
             "value":"<Location>"
          },
          "keyName":{
             "value":"<KeyName>"
          },
          "keyVaultUri":{
             "value":"https://<KeyVaultName>.vault.azure.cn"
          }
       }
    }
    
  3. Run the following PowerShell command to deploy the Resource Manager template. Replace {MyRG} with the name of your resource group before running the command.

    New-AzResourceGroupDeployment -Name UpdateServiceBusNamespaceWithEncryption -ResourceGroupName {MyRG} -TemplateFile ./UpdateServiceBusNamespaceWithEncryption.json -TemplateParameterFile ./UpdateServiceBusNamespaceWithEncryptionParams.json
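
A post-deployment check, as an added example that is not part of the original article, confirming that the namespace and vault ended up in the state this procedure expects: Premium SKU, system-assigned identity, an encryption block whose keySource is Microsoft.KeyVault and which lists the key from the parameter file, soft delete and purge protection on the vault, and an access policy for the namespace identity carrying the key permissions granted in the previous section. It uses Az.Resources and Az.KeyVault, reuses $ServiceBusNamespaceId captured earlier, and treats the vault name, resource group and key name as placeholders.

```powershell
# Added example, not from the original article: verify the customer-managed-key setup after
# the template deployment. Assumes Az.Resources and Az.KeyVault are loaded and that
# $ServiceBusNamespaceId holds the namespace resource ID captured in the earlier step.
$ResourceGroupName = 'ContosoRG'                 # placeholders
$VaultName         = 'contoso-SB-BYOK-keyvault'
$KeyName           = 'contoso-sb-key'            # assumed key name from the parameter file

$failures = @()
$ns    = Get-AzResource -ResourceId $ServiceBusNamespaceId -ExpandProperties
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
$principalId = $ns.Identity.PrincipalId

# Tier and identity: the feature is Premium-only and authenticates with the namespace identity.
if ($ns.Sku.Name -ne 'Premium') { $failures += "namespace SKU is '$($ns.Sku.Name)', not Premium" }
if (-not $principalId)          { $failures += 'namespace has no system-assigned managed identity' }

# Encryption block: keySource must point at Key Vault and list the expected key in this vault.
$enc = $ns.Properties.encryption
if ($enc.keySource -ne 'Microsoft.KeyVault') { $failures += "keySource is '$($enc.keySource)'" }
$expectedUri = $vault.VaultUri.TrimEnd('/')
$match = $enc.keyVaultProperties | Where-Object {
    $_.keyName -eq $KeyName -and $_.keyVaultUri.TrimEnd('/') -eq $expectedUri
}
if (-not $match) { $failures += "key $KeyName at $expectedUri is not configured on the namespace" }

# Vault hardening: both properties are required by Service Bus.
if (-not $vault.EnableSoftDelete)      { $failures += 'vault soft delete is off' }
if (-not $vault.EnablePurgeProtection) { $failures += 'vault purge protection is off' }

# Access policy: the identity needs get/wrapKey/unwrapKey; anything beyond that (and list)
# is excess privilege on the vault and is reported as a warning rather than a failure.
$policy   = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
$required = 'get', 'wrapKey', 'unwrapKey'
if (-not $policy) {
    $failures += 'no access policy exists for the namespace identity'
}
else {
    $missing = $required | Where-Object { $policy.PermissionsToKeys -notcontains $_ }
    if ($missing) { $failures += "access policy lacks key permissions: $($missing -join ', ')" }
    $extra = $policy.PermissionsToKeys | Where-Object { $_ -notin ($required + 'list') }
    if ($extra) { Write-Warning "access policy grants more than needed: $($extra -join ', ')" }
}

if ($failures) {
    throw ("Customer-managed key verification failed:`n - " + ($failures -join "`n - "))
}
"Customer-managed key verification passed for $($ns.Name): $KeyName at $expectedUri"
```

The check is deliberately strict on the things the namespace update depends on (tier, identity, vault properties, policy presence) and lenient on excess permissions, which it only warns about: an over-broad policy does not break encryption, but it widens what a compromised namespace identity could do to the vault, so it is worth surfacing in the same run.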
    

Next steps

See the following articles: