Create and manage encryption scopes (preview)

Encryption scopes (preview) enable you to manage encryption at the level of an individual blob or container. An encryption scope isolates blob data in a secure enclave within a storage account. You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers. For more information about encryption scopes, see Encryption scopes for Blob storage (preview).

This article shows how to create an encryption scope. It also shows how to specify an encryption scope when you create a blob or container.

Note

This feature is not yet supported in accounts that have a hierarchical namespace (Azure Data Lake Storage Gen2). To learn more, see Blob storage features available in Azure Data Lake Storage Gen2.

Create an encryption scope

You can create an encryption scope with a Microsoft-managed key or with a customer-managed key that is stored in Azure Key Vault. To create an encryption scope with a customer-managed key, you must first create a key vault and add the key you intend to use for the scope. The key vault must have purge protection enabled and must be in the same region as the storage account.

An encryption scope is automatically enabled when you create it. After you create the encryption scope, you can specify it when you create a blob. You can also specify a default encryption scope when you create a container, which automatically applies to all blobs in the container.

To create an encryption scope in the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Select the Encryption setting.

  3. Select the Encryption Scopes tab.

  4. Click the Add button to add a new encryption scope.

  5. In the Create Encryption Scope pane, enter a name for the new scope.

  6. Select the type of encryption, either Microsoft-managed keys or Customer-managed keys.

    • If you selected Microsoft-managed keys, click Create to create the encryption scope.
    • If you selected Customer-managed keys, specify a key vault, key, and key version to use for this encryption scope, as shown in the following image.

    Screenshot showing how to create an encryption scope in the Azure portal.

To learn how to configure Azure Storage encryption with customer-managed keys in a key vault, see Configure encryption with customer-managed keys stored in Azure Key Vault.

List encryption scopes for a storage account

To view the encryption scopes for a storage account in the Azure portal, navigate to the Encryption Scopes setting for the storage account. From this pane, you can enable or disable an encryption scope or change the key for an encryption scope.

Screenshot showing the list of encryption scopes in the Azure portal.

Create a container with a default encryption scope

When you create a container, you can specify a default encryption scope. Blobs in that container will use that scope by default.

An individual blob can be created with its own encryption scope, unless the container is configured to require that all blobs use its default scope.

To create a container with a default encryption scope in the Azure portal, first create the encryption scope as described in Create an encryption scope. Next, follow these steps to create the container:

  1. Navigate to the list of containers in your storage account, and select the Add button to create a new container.

  2. Expand the Advanced settings in the New Container pane.

  3. In the Encryption scope drop-down, select the default encryption scope for the container.

  4. To require that all blobs in the container use the default encryption scope, select the checkbox to Use this encryption scope for all blobs in the container. If this checkbox is selected, then an individual blob in the container cannot override the default encryption scope.

    Screenshot showing a container with a default encryption scope.

If a client attempts to specify a scope when uploading a blob to a container that has a default encryption scope, and the container is configured to prevent blobs from overriding the default scope, then the operation fails with a message indicating that the request is forbidden by the container encryption policy.

Upload a blob with an encryption scope

When you upload a blob, you can specify an encryption scope for that blob, or use the default encryption scope for the container, if one has been specified.

To upload a blob with an encryption scope specified in the Azure portal, first create the encryption scope as described in Create an encryption scope. Next, follow these steps to create the blob:

  1. Navigate to the container to which you want to upload the blob.

  2. Select the Upload button, and locate the blob to upload.

  3. Expand the Advanced settings in the Upload blob pane.

  4. Locate the Encryption scope drop-down section. By default, the blob is created with the default encryption scope for the container, if one has been specified. If the container requires that blobs use the default encryption scope, this section is disabled.

  5. To specify a different scope for the blob that you are uploading, select Choose an existing scope, then select the desired scope from the drop-down.

    Screenshot showing how to upload a blob with an encryption scope.
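The three portal procedures above (create a scope, create a container whose default scope blobs cannot override, upload a blob) can also be scripted with the Az PowerShell module. This is an added example, not code from the original page; the resource group, account, vault, key and container names are placeholders, and it assumes you are already signed in with Connect-AzAccount and that the key vault already holds the key.

```powershell
# Added example (Az PowerShell). The values in angle brackets are placeholders.
$rgName      = "<resource-group>"
$accountName = "<storage-account>"
$vaultName   = "<key-vault>"
$keyName     = "<key-name>"

# Preflight: the key vault must have purge protection enabled and be in the
# same region as the storage account before it can back a scope.
$vault   = Get-AzKeyVault -VaultName $vaultName
$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
if (-not $vault.EnablePurgeProtection) { throw "Key vault '$vaultName' needs purge protection enabled." }
if ($vault.Location -ne $account.Location) { throw "Key vault and storage account must be in the same region." }

# Scope 1 uses a Microsoft-managed key. Scope 2 uses a customer-managed key;
# the key object's Id is the versioned URI (vault + key + version) the portal asks for.
New-AzStorageEncryptionScope -ResourceGroupName $rgName -StorageAccountName $accountName `
    -EncryptionScopeName "customer1scope" -StorageEncryption
$keyUri = (Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName).Id
New-AzStorageEncryptionScope -ResourceGroupName $rgName -StorageAccountName $accountName `
    -EncryptionScopeName "customer2scope" -KeyvaultEncryption -KeyUri $keyUri

# Container with customer2scope as default and override blocked: the scripted
# form of the "Use this encryption scope for all blobs in the container" checkbox.
New-AzRmStorageContainer -ResourceGroupName $rgName -StorageAccountName $accountName `
    -Name "customer2-data" -DefaultEncryptionScope "customer2scope" -PreventEncryptionScopeOverride $true

# Upload without -EncryptionScope: the container default applies.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
"constructed sample data" | Set-Content -Path ".\sample.txt"   # constructed test file
Set-AzStorageBlobContent -Context $ctx -Container "customer2-data" -File ".\sample.txt" -Blob "sample.txt"

# Pinning a different scope on a locked container is rejected by the service
# with the "forbidden by the container encryption policy" error described above.
try {
    Set-AzStorageBlobContent -Context $ctx -Container "customer2-data" -File ".\sample.txt" `
        -Blob "sample-override.txt" -EncryptionScope "customer1scope" -ErrorAction Stop
} catch {
    Write-Warning "Upload rejected as expected: $($_.Exception.Message)"
}

# Verify which scope the stored blob actually ended up under.
(Get-AzStorageBlob -Context $ctx -Container "customer2-data" -Blob "sample.txt").BlobProperties.EncryptionScope
```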

Change the encryption key for a scope

To change the key that protects an encryption scope from a Microsoft-managed key to a customer-managed key, first make sure that you have enabled customer-managed keys with Azure Key Vault for the storage account. For more information, see Configure encryption with customer-managed keys stored in Azure Key Vault.

To change the key that protects a scope in the Azure portal, follow these steps:

  1. Navigate to the Encryption Scopes tab to view the list of encryption scopes for the storage account.
  2. Select the More button next to the scope you wish to modify.
  3. In the Edit encryption scope pane, you can change the encryption type from Microsoft-managed key to customer-managed key or vice versa.
  4. To select a new customer-managed key, select Use a new key and specify the key vault, key, and key version.

Disable an encryption scope

When an encryption scope is disabled, you are no longer billed for it. Disable any encryption scopes that are not needed to avoid unnecessary charges. For more information, see Azure Storage encryption for data at rest.

To disable an encryption scope in the Azure portal, navigate to the Encryption Scopes setting for the storage account, select the desired encryption scope, and select Disable.

Next steps
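The list, key-change and disable steps above, as an added Az PowerShell example (not the page's own code). Names are placeholders, and it assumes you are signed in and that customer-managed keys are already enabled for the storage account.

```powershell
# Added example (Az PowerShell). The values in angle brackets are placeholders.
$rgName      = "<resource-group>"
$accountName = "<storage-account>"
$vaultName   = "<key-vault>"
$keyName     = "<key-name>"

# The same view as the Encryption Scopes pane: each scope's state and key source.
Get-AzStorageEncryptionScope -ResourceGroupName $rgName -StorageAccountName $accountName |
    Format-Table Name, State, Source, KeyVaultKeyUri

# Audit which containers enforce a default scope, so you know what a scope
# change or disable will affect before you make it.
Get-AzRmStorageContainer -ResourceGroupName $rgName -StorageAccountName $accountName |
    Format-Table Name, DefaultEncryptionScope, DenyEncryptionScopeOverride

# Move a scope from a Microsoft-managed key to a customer-managed key
# (the portal's "Use a new key" with vault, key and key version).
$keyUri = (Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName).Id
Update-AzStorageEncryptionScope -ResourceGroupName $rgName -StorageAccountName $accountName `
    -EncryptionScopeName "customer1scope" -KeyvaultEncryption -KeyUri $keyUri

# Disable a scope that is no longer needed so it stops being billed.
Update-AzStorageEncryptionScope -ResourceGroupName $rgName -StorageAccountName $accountName `
    -EncryptionScopeName "customer1scope" -State Disabled
```

Check the container audit output before disabling: a scope that is still a container default, or still used by individual blobs, should be left enabled.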