Manage Transparent Data Encryption in a Managed Instance using your own key from Azure Key Vault

This Azure CLI script example configures Transparent Data Encryption (TDE) with a customer-managed key for Azure SQL Managed Instance, using a key from Azure Key Vault. This is often referred to as a Bring Your Own Key scenario for TDE. To learn more about TDE with customer-managed keys, see TDE Bring Your Own Key to Azure SQL.

This article requires that you are running the Azure CLI version 2.0 or later. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.

Sample script

Prerequisites

An existing Managed Instance; see Use Azure CLI to create an Azure SQL Database managed instance.

Sign in to Azure

If you don't have an Azure subscription, create a Trial Subscription before you begin.

subscription="<subscriptionId>" # add subscription here

az account set -s "$subscription" # ...or use 'az login'

Run the script

#!/bin/bash
instance="<instanceId>" # add instance here
resource="<resourceId>" # add resource here

location="China East 2"
randomIdentifier=random123

vault="vault-$randomIdentifier"
key="key-$randomIdentifier"

echo "Creating $vault..."
# Soft delete must be enabled on a vault that holds a TDE protector
az keyvault create --name "$vault" --resource-group "$resource" --enable-soft-delete true --location "$location"

echo "Setting policy on $vault..."
# Principal ID of the managed instance's system-assigned identity
instanceId=$(az sql mi show --name "$instance" --resource-group "$resource" -o json --query identity.principalId | tr -d '"')

# Grant the instance identity only the key permissions TDE needs (space-separated list)
az keyvault set-policy --name "$vault" --key-permissions get unwrapKey wrapKey --object-id "$instanceId"

echo "Creating $key..."
az keyvault key create --name "$key" --vault-name "$vault" --size 2048

# To use an existing key instead of a newly generated one, import it from a certificate:
#keyPath="C:\yourFolder\yourCert.pfx"
#keyPassword="yourPassword"
#az keyvault certificate import --file "$keyPath" --name "$key" --vault-name "$vault" --password "$keyPassword"

echo "Setting security on $instance with $key..."
# Full key identifier (URI including the key version) of the key just created
keyId=$(az keyvault key show --name "$key" --vault-name "$vault" -o json --query key.kid | tr -d '"')

# Register the key on the instance, then make it the TDE protector
az sql mi key create --kid "$keyId" --managed-instance "$instance" --resource-group "$resource"
az sql mi tde-key set --server-key-type AzureKeyVault --kid "$keyId" --managed-instance "$instance" --resource-group "$resource"
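After the script has run, a practitioner will want to confirm that the protector really is the Key Vault key and that the instance identity holds no more than the three key permissions it needs. The following is an added example, not part of the original sample: the two check functions take plain values shaped like `az ... -o tsv` output and are exercised with constructed sample values so they run offline; `verify_live` wires them to the real commands and assumes the `serverKeyType` and `uri` fields of `az sql mi tde-key show` and the `properties.accessPolicies` query path on `az keyvault show`.

```shell
#!/bin/bash
# Added example: verify the TDE protector and the vault policy set by the script above.

# Returns 0 when the protector type is AzureKeyVault and its key URI is the key we set.
check_tde_protector() {
  local server_key_type="$1" protector_uri="$2" expected_kid="$3"
  if [ "$server_key_type" != "AzureKeyVault" ]; then
    echo "TDE protector is '$server_key_type', expected AzureKeyVault"; return 1
  fi
  if [ "$protector_uri" != "$expected_kid" ]; then
    echo "TDE protector uses '$protector_uri', expected '$expected_kid'"; return 1
  fi
  return 0
}

# Returns 0 when a permission list (space-, tab- or newline-separated, as tsv prints it)
# contains get, wrapKey and unwrapKey, the minimum TDE needs from the instance identity.
check_key_permissions() {
  local perms p
  perms=$(printf '%s' "$1" | tr '\n\t' '  ')
  for p in get wrapKey unwrapKey; do
    case " $perms " in
      *" $p "*) ;;
      *) echo "instance identity is missing key permission '$p'"; return 1 ;;
    esac
  done
  return 0
}

# Live wrapper. Assumed query paths: serverKeyType and uri on the protector object, and the
# accessPolicies entry whose objectId is the instance's principal id on the vault object.
verify_live() {
  local instance="$1" resource="$2" vault="$3" expected_kid="$4"
  local type uri principal perms
  type=$(az sql mi tde-key show --managed-instance "$instance" --resource-group "$resource" --query serverKeyType -o tsv)
  uri=$(az sql mi tde-key show --managed-instance "$instance" --resource-group "$resource" --query uri -o tsv)
  principal=$(az sql mi show --name "$instance" --resource-group "$resource" --query identity.principalId -o tsv)
  perms=$(az keyvault show --name "$vault" --query "properties.accessPolicies[?objectId=='$principal'].permissions.keys | [0]" -o tsv)
  check_tde_protector "$type" "$uri" "$expected_kid" && check_key_permissions "$perms"
}

# Constructed sample values (Azure China vault DNS suffix), not output from a real instance.
sample_kid="https://vault-random123.vault.azure.cn/keys/key-random123/0123456789abcdef"
check_tde_protector AzureKeyVault "$sample_kid" "$sample_kid" \
  && check_key_permissions "get wrapKey unwrapKey" \
  && echo "TDE protector check passed"
```

Against a real deployment, call `verify_live "$instance" "$resource" "$vault" "$keyId"` with the variables from the script above; a non-zero exit plus the printed reason tells you which step did not take effect.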

Clean up deployment

Use the following command to remove the resource group and all resources associated with it.

az group delete --name $resource

Sample reference

This script uses the following commands. Each command in the table links to command-specific documentation.

az sql db: Database commands.
az sql failover-group: Failover group commands.

Next steps

For more information on the Azure CLI, see Azure CLI documentation.

Additional SQL Database CLI script samples can be found in the Azure SQL Database documentation.