Azure SQL Transparent Data Encryption with customer-managed keys in Azure Key Vault: Bring Your Own Key support

Transparent Data Encryption (TDE) with Azure Key Vault integration allows the Database Encryption Key (DEK) to be encrypted with a customer-managed asymmetric key called the TDE Protector. This is also generally referred to as Bring Your Own Key (BYOK) support for Transparent Data Encryption. In the BYOK scenario, the TDE Protector is stored in a customer-owned and managed Azure Key Vault, Azure's cloud-based external key management system. The TDE Protector can be generated by the key vault. The TDE DEK, which is stored on the boot page of a database, is encrypted and decrypted by the TDE Protector stored in Azure Key Vault, which it never leaves. SQL Database must be granted permissions to the customer-owned key vault to decrypt and encrypt the DEK. If the logical SQL server's permissions to the key vault are revoked, the database becomes inaccessible, connections are denied, and all data remains encrypted. For Azure SQL Database, the TDE Protector is set at the logical SQL server level and is inherited by all databases associated with that server. For Azure SQL Managed Instance, the TDE Protector is set at the instance level and is inherited by all encrypted databases on that instance. The term server refers to both server and instance throughout this document, unless stated otherwise.

Note

Transparent Data Encryption with Azure Key Vault integration (Bring Your Own Key) for Azure SQL Database Managed Instance is in preview.

With TDE with Azure Key Vault integration, users control key management tasks including key rotation, key vault permissions and key backups, and can enable auditing and reporting on all TDE Protectors using Azure Key Vault functionality. Key Vault provides central key management and enables separation of duties between management of keys and management of data, to help meet compliance with security policies.

TDE with Azure Key Vault integration provides the following benefits:

  • Increased transparency and granular control with the ability to self-manage the TDE Protector
  • Ability to revoke permissions at any time to render the database inaccessible
  • Central management of TDE Protectors (along with other keys and secrets used in other Azure services) by hosting them in Key Vault
  • Separation of key and data management responsibilities within the organization, to support separation of duties
  • Greater trust from your own clients, since Key Vault is designed so that Azure does not see or extract any encryption keys
  • Support for key rotation

Important

For those using service-managed TDE who would like to start using Key Vault, TDE remains enabled during the process of switching over to a TDE Protector in Key Vault. There is no downtime and no re-encryption of the database files. Switching from a service-managed key to a Key Vault key only requires re-encryption of the database encryption key (DEK), which is a fast, online operation.

How TDE with Azure Key Vault integration works

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For the older cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRM module are substantially identical.

Authenticating the server to Key Vault

When TDE is first configured to use a TDE Protector from Key Vault, the server sends the DEK of each TDE-enabled database to Key Vault in a wrap key request. Key Vault returns the wrapped (encrypted) database encryption key, which is stored in the user database. The DEK is therefore never persisted in the clear, and the server can only recover it by sending an unwrap key request for which it holds permission.

Important

It is important to note that once a TDE Protector is stored in Azure Key Vault, it never leaves Azure Key Vault. The server can only send key operation requests to the TDE Protector key material within Key Vault, and never accesses or caches the TDE Protector. The Key Vault administrator has the right to revoke the server's Key Vault permissions at any point, in which case all connections to the database are denied.

Guidelines for configuring TDE with Azure Key Vault

General guidelines

  • Ensure that Azure Key Vault and Azure SQL Database/Managed Instance are in the same tenant. Cross-tenant key vault and server interactions are not supported.
  • If you are planning a tenant move, TDE with AKV will have to be reconfigured; learn more about moving resources.
  • When configuring TDE with Azure Key Vault, consider the load placed on the key vault by repeated wrap/unwrap operations. For example, since all databases associated with a SQL Database server use the same TDE Protector, a failover of that server triggers as many key operations against the vault as there are databases on the server. Based on our experience and the documented Key Vault service limits, we recommend associating at most 500 Standard/General Purpose or 200 Premium/Business Critical databases with one Azure Key Vault in a single subscription, to ensure consistently high availability when accessing the TDE Protector in the vault.

Guidelines for configuring Azure Key Vault

  • Create a key vault with soft-delete and purge protection enabled, to protect from data loss in case of accidental key or key vault deletion. You must use PowerShell to enable the soft-delete property on the key vault (this option is not available from the AKV portal yet, but it is required by Azure SQL):

    • Soft-deleted resources are retained for a set period of time (90 days) unless they are recovered or purged.
    • The recover and purge actions have their own permissions associated in a key vault access policy.
  • Set a resource lock on the key vault to control who can delete this critical resource and to help prevent accidental or unauthorized deletion. Learn more about resource locks.

  • Grant the SQL Database server access to the key vault using its Azure Active Directory (Azure AD) identity. When using the portal UI, the Azure AD identity is created automatically and the key vault access permissions are granted to the server. When using PowerShell to configure TDE with BYOK, the Azure AD identity must be created explicitly and its creation verified before the access policy is assigned. See Configure TDE with BYOK and Configure TDE with BYOK for Managed Instance for detailed step-by-step instructions when using PowerShell.

    Note

    If the Azure AD identity is accidentally deleted, or the server's permissions are revoked through the key vault's access policy, or inadvertently by moving the server to a different tenant, the server loses access to the key vault. TDE-encrypted databases become inaccessible and logons are denied until the logical server's Azure AD identity and permissions have been restored.

  • When using firewalls and virtual networks with Azure Key Vault, you must allow trusted Microsoft services to bypass the firewall. Choose YES.

    Note

    If TDE-encrypted SQL databases lose access to the key vault because they cannot bypass the firewall, the databases become inaccessible and logons are denied until the firewall bypass permission has been restored.

  • Enable auditing and reporting on all encryption keys: Key Vault provides logs that are easy to ingest into security information and event management (SIEM) tools. Operations Management Suite (OMS) Log Analytics is one example of a service that is already integrated.

  • To ensure high availability of encrypted databases, configure each SQL Database server with two Azure Key Vaults that reside in different regions.
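The guidelines above, carried out end to end with the Az modules, as an added example that is not part of the original article. It hardens the vault first (soft-delete, purge protection, resource lock), creates the server identity and grants it only the three key operations TDE needs, then registers a key as the protector and verifies the result. Resource group, vault, server names, the region and the administrator CIDR are assumptions chosen for the example.

```powershell
# Added example (not from the article). Names, region and CIDR are assumptions.
$rg        = "rg-sql-byok"
$vault     = "kv-sql-byok-eastus"        # key vault names must be globally unique
$server    = "sql-byok-eastus"           # existing logical SQL server
$location  = "eastus"
$adminCidr = "203.0.113.10/32"           # assumed admin client address (TEST-NET-3)

# 1. Vault with purge protection. Current Az.KeyVault enables soft-delete by default;
#    on Az.KeyVault 1.x add -EnableSoftDelete. Purge protection cannot be disabled later.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location -EnablePurgeProtection | Out-Null
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
if (-not $kv.EnableSoftDelete -or -not $kv.EnablePurgeProtection) {
    throw "Vault $vault must have soft-delete and purge protection enabled before SQL uses it."
}

# 2. Resource lock: a casual Remove-AzKeyVault would otherwise take every database offline.
New-AzResourceLock -LockName "kv-no-delete" -LockLevel CanNotDelete -ResourceGroupName $rg `
    -ResourceName $vault -ResourceType "Microsoft.KeyVault/vaults" -Force | Out-Null

# 3. System-assigned identity for the server (the portal does this for you; PowerShell does not),
#    then an access policy limited to get/wrapKey/unwrapKey. Verify the identity exists first.
$sql = Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity
if (-not $sql.Identity.PrincipalId) { throw "Server $server has no Azure AD identity." }
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $sql.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 4. RSA 2048 TDE Protector, no expiry, restricted to the operations SQL performs.
$key = Add-AzKeyVaultKey -VaultName $vault -Name "tde-protector" -Destination Software `
    -Size 2048 -KeyOps get, wrapKey, unwrapKey

# 5. Register the versioned key with the server and make it the protector.
#    Only the DEK is re-wrapped; data files are not re-encrypted and the database stays online.
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $key.Id | Out-Null
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id -Force | Out-Null

# 6. Firewall last, so the key creation above was not blocked: default Deny, trusted Microsoft
#    services bypass (required, or logons are denied), plus the admin client address.
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -DefaultAction Deny -Bypass AzureServices `
    -IpAddressRange $adminCidr

# 7. Verify the protector is the Key Vault key we registered (versioned URI, not just the key name).
$prot = Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server
if ($prot.Type -ne "AzureKeyVault" -or $prot.KeyId -ne $key.Id) {
    throw "Unexpected TDE protector: $($prot.Type) $($prot.KeyId)"
}
"TDE protector for $server is $($prot.KeyId)"
```

The ordering is deliberate: the network rule set is applied after the key has been created so the administrator's own data-plane calls are not blocked, and the protector check compares the versioned key URI, which is what the server actually binds to.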

High availability, geo-replication, and backup/restore

High availability and disaster recovery

How to configure high availability with Azure Key Vault depends on the configuration of your database and SQL Database server; the recommended configurations for two distinct cases follow. The first case is a stand-alone database or SQL Database server with no configured geo-redundancy. The second case is a database or SQL Database server configured with failover groups or geo-redundancy, where each geo-redundant copy must have a local Azure Key Vault within the failover group so that geo-failovers work.

In the first case, if you require high availability of a database and SQL Database server with no configured geo-redundancy, it is highly recommended to configure the server to use two different key vaults in two different regions with the same key material. This is accomplished by creating a TDE Protector in the primary key vault, co-located in the same region as the SQL Database server, and cloning the key into a key vault in a different Azure region, so that the server still has access to a second key vault should the primary key vault experience an outage while the database is running. Use the Backup-AzKeyVaultKey cmdlet to retrieve the key in encrypted form from the primary key vault, and then use the Restore-AzKeyVaultKey cmdlet specifying the key vault in the second region.

[Figure: single-server high availability without geo-DR]

How to configure Geo-DR with Azure Key Vault

To maintain high availability of TDE Protectors for encrypted databases, redundant Azure Key Vaults must be configured based on the existing or desired SQL Database failover groups or active geo-replication instances. Each geo-replicated server requires a separate key vault that is co-located with the server in the same Azure region. Should a primary database become inaccessible due to an outage in one region and a failover is triggered, the secondary database is able to take over using the secondary key vault.

For geo-replicated Azure SQL databases, the following Azure Key Vault configuration is required:

  • One primary database with a key vault in its region and one secondary database with a key vault in its region.
  • At least one secondary is required; up to four secondaries are supported.
  • Secondaries of secondaries (chaining) are not supported.

The following section goes over the setup and configuration steps in more detail.

Azure Key Vault configuration steps

  • Install Azure PowerShell.
  • Create two Azure Key Vaults in two different regions using PowerShell, enabling the soft-delete property on both vaults (this option is not available from the AKV portal yet, but it is required by SQL).
  • Both Azure Key Vaults must be located in two regions of the same Azure geography for backup and restore of keys to work.
  • Create a new key in the first key vault:
    • RSA 2048 key
    • No expiration date
    • Key is enabled and permitted to perform the get, wrap key, and unwrap key operations
  • Back up the primary key and restore it to the second key vault. See Backup-AzKeyVaultKey and Restore-AzKeyVaultKey.
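The key vault steps above as one PowerShell sequence, added here as an example and not code from the original article: two vaults in two regions of the same geography, an RSA 2048 protector without expiry limited to get/wrapKey/unwrapKey, and a Backup/Restore clone into the second vault followed by a check that both vaults hold the same key name and version. Vault names, regions and the temporary backup path are assumptions.

```powershell
# Added example (not from the article). Names, regions and the backup path are assumptions.
$rg        = "rg-sql-byok"
$primary   = @{ Vault = "kv-sql-byok-eastus"; Region = "eastus" }   # same Azure geography
$secondary = @{ Vault = "kv-sql-byok-westus"; Region = "westus" }   # as the primary vault
$keyName   = "tde-protector"
$backup    = Join-Path ([IO.Path]::GetTempPath()) "$keyName.keybackup"

foreach ($v in $primary, $secondary) {
    # Purge protection on both vaults; soft-delete is on by default in current Az.KeyVault
    # (add -EnableSoftDelete on Az.KeyVault 1.x). SQL requires soft-delete.
    New-AzKeyVault -Name $v.Vault -ResourceGroupName $rg -Location $v.Region `
        -EnablePurgeProtection | Out-Null
}

# RSA 2048, no -Expires, and only the operations TDE performs.
$key = Add-AzKeyVaultKey -VaultName $primary.Vault -Name $keyName -Destination Software `
    -Size 2048 -KeyOps get, wrapKey, unwrapKey

# Backup yields an encrypted blob that only a vault in the same geography can restore;
# the private key material is never exposed to the administrator running this.
Backup-AzKeyVaultKey -VaultName $primary.Vault -Name $keyName -OutputFile $backup -Force | Out-Null
try {
    # Restore fails if a key with this name already exists in the target vault.
    $copy = Restore-AzKeyVaultKey -VaultName $secondary.Vault -InputFile $backup
} finally {
    Remove-Item $backup -Force -ErrorAction SilentlyContinue
}

# The restored key keeps the original name and version, so each server can bind to the
# same name/version in its own regional vault. Confirm that before creating the geo-link.
if ($copy.Name -ne $key.Name -or $copy.Version -ne $key.Version -or -not $copy.Enabled) {
    throw "Protector mismatch: $($key.Id) vs $($copy.Id)"
}
"Protector $keyName version $($key.Version) present in $($primary.Vault) and $($secondary.Vault)"
```

Repeat the backup/restore step after every key rotation; the geo-link only survives a failover while both vaults carry every protector version the replicated databases and their log backups were wrapped with.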

Azure SQL Database configuration steps

The configuration steps differ depending on whether you are starting with a new SQL deployment or working with an existing SQL Geo-DR deployment. We outline the configuration steps for a new deployment first, and then explain how to assign TDE Protectors stored in Azure Key Vault to an existing deployment that already has a Geo-DR link established.

Steps for a new deployment:

  • Create the two SQL Database servers in the same two regions as the previously created key vaults.
  • Select the SQL Database server TDE pane, and for each SQL Database server:
    • Select the AKV in the same region.
    • Select the key to use as the TDE Protector; each server uses the local copy of the TDE Protector.
    • Doing this in the portal creates an AppID (Azure AD identity) for the SQL Database server, which is used to grant the server permission to access the key vault. Do not delete this identity. To revoke access, remove the server's permissions in Azure Key Vault rather than deleting the identity.
  • Create the primary database.
  • Follow the active geo-replication guidance to complete the scenario; this step creates the secondary database.

[Figure: failover groups and geo-DR]

Note

Ensure that the same TDE Protectors are present in both key vaults before proceeding to establish the geo-link between the databases.

Steps for an existing SQL Database Geo-DR deployment:

Because the SQL Database servers already exist, and primary and secondary databases are already assigned, the steps to configure Azure Key Vault must be performed in the following order:

  • Start with the SQL Database server that hosts the secondary database:
    • Assign the key vault located in the same region.
    • Assign the TDE Protector.
  • Then go to the SQL Database server that hosts the primary database:
    • Select the same TDE Protector as used for the secondary database.

[Figure: failover groups and geo-DR]

Note

When assigning the key vault to the servers, start with the secondary server. In the second step, assign the key vault to the primary server and update the TDE Protector; the Geo-DR link continues to work because at that point the TDE Protector used by the replicated database is available to both servers.

Before enabling TDE with customer-managed keys in Azure Key Vault for a SQL Database Geo-DR scenario, create and maintain two Azure Key Vaults with identical contents in the same regions that will be used for SQL Database geo-replication. "Identical contents" specifically means that both key vaults must contain copies of the same TDE Protector(s), so that both servers have access to the TDE Protectors used by all databases. Going forward, both key vaults must be kept in sync: after key rotation they must contain the same copies of the TDE Protectors, old versions of keys used for log files or backups must be retained, the TDE Protectors must keep the same key properties, and the key vaults must maintain the same access permissions for SQL.

Follow the steps in the Active geo-replication overview to test and trigger a failover. Do this on a regular basis to confirm that SQL's access permissions to both key vaults have been maintained; a failover that only works while the primary vault is reachable has not been tested.
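The procedure for an existing Geo-DR pair and the periodic failover test above, as one added PowerShell example (not from the original article). It assigns the protector on the secondary server first, then on the primary, confirms both servers bind to the same key name and version, and performs a planned failover so the secondary proves it can unwrap the DEK with its own regional vault. It assumes the protector has already been cloned into both vaults; server, vault, database and resource group names are assumptions.

```powershell
# Added example (not from the article). All names are assumptions; the protector is assumed
# to already exist, with the same name and version, in both regional vaults.
$keyName   = "tde-protector"
$database  = "salesdb"
$secondary = @{ Rg = "rg-sql-byok"; Server = "sql-byok-westus"; Vault = "kv-sql-byok-westus" }
$primary   = @{ Rg = "rg-sql-byok"; Server = "sql-byok-eastus"; Vault = "kv-sql-byok-eastus" }

function Set-LocalProtector([hashtable]$s) {
    # Bind a server to the copy of the protector that lives in the vault of its own region.
    $sql = Set-AzSqlServer -ResourceGroupName $s.Rg -ServerName $s.Server -AssignIdentity
    Set-AzKeyVaultAccessPolicy -VaultName $s.Vault -ObjectId $sql.Identity.PrincipalId `
        -PermissionsToKeys get, wrapKey, unwrapKey
    $key = Get-AzKeyVaultKey -VaultName $s.Vault -Name $keyName
    if (-not $key) { throw "Protector $keyName is missing from $($s.Vault); clone it first." }
    Add-AzSqlServerKeyVaultKey -ResourceGroupName $s.Rg -ServerName $s.Server -KeyId $key.Id | Out-Null
    Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $s.Rg -ServerName $s.Server `
        -Type AzureKeyVault -KeyId $key.Id -Force | Out-Null
    return $key
}

# Order matters: the secondary must hold the protector before the primary switches to it,
# otherwise the replica cannot unwrap the DEK and the geo-link breaks.
$secKey = Set-LocalProtector $secondary
$priKey = Set-LocalProtector $primary

if ($secKey.Name -ne $priKey.Name -or $secKey.Version -ne $priKey.Version) {
    throw "Vaults are out of sync: $($secKey.Id) vs $($priKey.Id)"
}

# Planned (no data loss) failover, run from the secondary that is to become primary.
# For a failover group use Switch-AzSqlDatabaseFailoverGroup instead.
Switch-AzSqlDatabaseSecondary -ResourceGroupName $secondary.Rg -ServerName $secondary.Server `
    -DatabaseName $database -PartnerResourceGroupName $primary.Rg | Out-Null

# After the switch both servers must still report a Key Vault protector; a database that
# came up under service-managed TDE or with a stale KeyId indicates a lost vault binding.
foreach ($s in $primary, $secondary) {
    $p = Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $s.Rg -ServerName $s.Server
    if ($p.Type -ne "AzureKeyVault") { throw "$($s.Server) is not using a Key Vault protector after failover." }
    "{0}: {1}" -f $s.Server, $p.KeyId
}
```

Run the failover block on a schedule and fail back the same way; it is the only test that exercises the secondary vault's access policy, network rules and key version at once.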

Backup and restore

Once a database is encrypted with TDE using a key from Key Vault, any backups it generates are also encrypted with the same TDE Protector.

To restore a backup encrypted with a TDE Protector from Key Vault, make sure that the key material is still in the original vault under the original key name. When the TDE Protector is changed for a database, old backups of the database are not updated to use the latest TDE Protector. Therefore, we recommend that you keep all old versions of the TDE Protector in Key Vault, so that database backups can still be restored.

If a key that might be needed for restoring a backup is no longer in its original key vault, the following error message is returned: "Target server <Servername> does not have access to all AKV Uris created between <Timestamp #1> and <Timestamp #2>. Please retry operation after restoring all AKV Uris."

To mitigate this, run the Get-AzSqlServerKeyVaultKey cmdlet to return the list of keys from Key Vault that were added to the server (unless they were deleted by a user). To ensure all backups can be restored, make sure the target server for the backup has access to all of these keys.

Get-AzSqlServerKeyVaultKey `
  -ServerName <LogicalServerName> `
  -ResourceGroupName <SQLDatabaseResourceGroupName>

To learn more about backup recovery for SQL Database, see Recover an Azure SQL database. To learn more about backup recovery for SQL Data Warehouse, see Recover an Azure SQL Data Warehouse.

Additional consideration for backed-up log files: backed-up log files remain encrypted with the original TDE Protector, even if the TDE Protector was rotated and the database is now using a new TDE Protector. At restore time, both keys are needed to restore the database. If the log file is protected by a TDE Protector stored in Azure Key Vault, that key is needed at restore time even if the database has since been changed to use service-managed TDE.
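The Get-AzSqlServerKeyVaultKey check above, taken one step further as an added PowerShell example (not from the original article): for every key URI ever registered on the source server it confirms that exact key version still exists and is enabled in its vault, recovers soft-deleted ones, reports purged ones as unrecoverable, and registers the surviving keys on a restore target server so backups and log backups wrapped by any rotated protector can still be restored. Server and resource group names are assumptions, and the target server is assumed to already have an access policy on each vault.

```powershell
# Added example (not from the article). Names are assumptions; the target server's identity
# is assumed to already hold get/wrapKey/unwrapKey on every vault referenced.
$source = @{ Rg = "rg-sql-byok";    Server = "sql-byok-eastus"  }
$target = @{ Rg = "rg-sql-byok-dr"; Server = "sql-byok-restore" }   # assumed restore target

function Test-ServerKeyVaultKeys([hashtable]$s) {
    # One record per key URI the server has ever registered, stating whether that
    # exact version is still usable. A key URI is https://<vault>.vault.azure.net/keys/<name>/<version>.
    foreach ($sk in Get-AzSqlServerKeyVaultKey -ResourceGroupName $s.Rg -ServerName $s.Server) {
        $uri     = [Uri]$sk.Uri
        $parts   = $uri.AbsolutePath.Trim('/').Split('/')   # keys, <name>, <version>
        $vault   = $uri.Host.Split('.')[0]
        $name    = $parts[1]
        $version = $parts[2]
        $live    = $null
        try {
            $live = Get-AzKeyVaultKey -VaultName $vault -Name $name -Version $version -ErrorAction Stop
        } catch { }
        $deleted = $null -ne (Get-AzKeyVaultKey -VaultName $vault -Name $name -InRemovedState `
                                 -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Uri     = $sk.Uri
            Vault   = $vault
            Name    = $name
            Version = $version
            Present = ($null -ne $live) -and $live.Enabled
            Deleted = $deleted
        }
    }
}

$report  = Test-ServerKeyVaultKeys $source
$missing = $report | Where-Object { -not $_.Present }

foreach ($m in $missing) {
    if ($m.Deleted) {
        # Soft-deleted keys can be brought back within the retention period.
        Undo-AzKeyVaultKeyRemoval -VaultName $m.Vault -Name $m.Name | Out-Null
        Write-Warning "Recovered soft-deleted protector $($m.Uri)"
    } else {
        # Purged or disabled: every backup and log backup wrapped by this version is lost.
        Write-Warning "Protector $($m.Uri) is unavailable; backups wrapped by it cannot be restored."
    }
}

# The restore target needs every protector the source ever used, not only the current one.
foreach ($k in $report | Where-Object Present) {
    Add-AzSqlServerKeyVaultKey -ResourceGroupName $target.Rg -ServerName $target.Server -KeyId $k.Uri | Out-Null
}
$report | Format-Table Name, Version, Vault, Present, Deleted -AutoSize
```

Run this from the backup runbook before a point-in-time or geo-restore; a missing older version is exactly the condition that produces the "does not have access to all AKV Uris" error quoted above.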