Set up an encryption certificate and encrypt secrets on Windows clusters

This article shows how to set up an encryption certificate and use it to encrypt secrets on Windows clusters. For Linux clusters, see Set up an encryption certificate and encrypt secrets on Linux clusters.

Azure Key Vault is used here as a safe storage location for certificates and as a way to get certificates installed on Service Fabric clusters in Azure. If you are not deploying to Azure, you do not need to use Key Vault to manage secrets in Service Fabric applications. However, the way secrets are used in an application is cloud platform-agnostic, so applications can be deployed to a cluster hosted anywhere.

Obtain a data encipherment certificate

A data encipherment certificate is used strictly for encryption and decryption of parameters in a service's Settings.xml and environment variables in a service's ServiceManifest.xml. It is not used for authentication or for signing of cipher text. The certificate must meet the following requirements:

  • The certificate must contain a private key.

  • The certificate must be created for key exchange and be exportable to a Personal Information Exchange (.pfx) file.

  • The certificate key usage must include Data Encipherment (10), and should not include Server Authentication or Client Authentication.

    For example, when creating a self-signed certificate using PowerShell, the KeyUsage flag must be set to DataEncipherment:

    New-SelfSignedCertificate -Type DocumentEncryptionCert -KeyUsage DataEncipherment -Subject mydataenciphermentcert -Provider 'Microsoft Enhanced Cryptographic Provider v1.0'

Install the certificate in your cluster

This certificate must be installed on each node in the cluster. See how to create a cluster using Azure Resource Manager for setup instructions.

Encrypt application secrets

The following PowerShell command is used to encrypt a secret. This command only encrypts the value; it does not sign the cipher text. You must use the same encipherment certificate that is installed in your cluster to produce ciphertext for secret values:

Invoke-ServiceFabricEncryptText -CertStore -CertThumbprint "<thumbprint>" -Text "mysecret" -StoreLocation CurrentUser -StoreName My

The resulting base-64 encoded string contains both the secret ciphertext and information about the certificate that was used to encrypt it.
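The whole procedure above (create the certificate, check it meets the requirements, export it for installation, encrypt a secret) as one added PowerShell script; this is example code written for this page, not Microsoft's own. It assumes the Service Fabric SDK PowerShell module is loaded (for Invoke-ServiceFabricEncryptText and Invoke-ServiceFabricDecryptText); the subject name and PFX path are placeholders.

```powershell
# Added example, not from the original article. Assumes the Service Fabric SDK
# PowerShell module is loaded and the script runs as the user whose
# CurrentUser\My store will hold the certificate. Subject and path are placeholders.
$subject = 'CN=mydataenciphermentcert'
$pfxPath = 'C:\temp\mydataenciphermentcert.pfx'   # placeholder path

# 1. Create the data encipherment certificate with the same flags as the article.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCert `
    -KeyUsage DataEncipherment -Subject $subject `
    -Provider 'Microsoft Enhanced Cryptographic Provider v1.0' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Verify the article's requirements before the certificate is used anywhere.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }

$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
if (($ku.KeyUsages -band $flags::DataEncipherment) -eq 0) {
    throw 'Key usage does not include Data Encipherment.'
}

# Server Authentication (1.3.6.1.5.5.7.3.1) / Client Authentication (1.3.6.1.5.5.7.3.2)
# must not be present as enhanced key usages on an encipherment-only certificate.
$badEku = $cert.EnhancedKeyUsageList | Where-Object {
    $_.ObjectId -in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
}
if ($badEku) { throw 'Certificate carries Server/Client Authentication EKU.' }

# 3. Export to PFX so it can be uploaded to Key Vault and installed on every node.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. Encrypt a secret with the installed certificate (encryption only, no signing),
#    then confirm locally that the ciphertext decrypts with the same certificate.
$cipherText = Invoke-ServiceFabricEncryptText -CertStore -CertThumbprint $cert.Thumbprint `
    -Text 'mysecret' -StoreLocation CurrentUser -StoreName My

$plain = Invoke-ServiceFabricDecryptText -CipherText $cipherText -StoreLocation CurrentUser
if ($plain -ne 'mysecret') { throw 'Round-trip decryption failed.' }

"Thumbprint : $($cert.Thumbprint)"
"Ciphertext : $cipherText"
```

The printed base-64 ciphertext is what goes into Settings.xml or ServiceManifest.xml; the round-trip check only proves the local store holds the matching private key, it does not validate the cluster nodes.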

Next steps

Learn how to Specify encrypted secrets in an application.