通过加密范围(预览),可在单个 blob 或容器级别管理加密。Encryption scopes (preview) enable you to manage encryption at the level of an individual blob or container.加密范围将 blob 数据隔离在存储帐户内的安全 enclave 中。An encryption scope isolates blob data in a secure enclave within a storage account.可以使用加密范围在驻留在同一存储帐户中但属于不同客户的数据之间创建安全边界。You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers.有关加密范围的详细信息,请参阅 Blob 存储(预览)的加密范围。For more information about encryption scopes, see Encryption scopes for Blob storage (preview).
本文介绍如何创建加密范围。This article shows how to create an encryption scope.本文还介绍如何在创建 blob 或容器时指定加密范围。It also shows how to specify an encryption scope when you create a blob or container.
可以使用 Microsoft 管理的密钥或 Azure Key Vault 中存储的客户管理的密钥来创建加密范围。You can create an encryption scope with a Microsoft-managed key or with a customer-managed key that's stored in Azure Key Vault.若要使用客户管理的密钥创建加密范围,必须先创建密钥保管库,并添加要用于此范围的密钥。To create an encryption scope with a customer-managed key, you must first create a key vault and add the key you intend to use for the scope.密钥保管库必须已启用清除保护,并且必须与存储帐户位于同一区域中。The key vault must have purge protection enabled and must be in the same region as the storage account.
创建加密范围时会自动启用它。An encryption scope is automatically enabled when you create it.创建加密范围后,可以在创建 blob 时指定它。After you create the encryption scope, you can specify it when you create a blob.还可以在创建容器时指定默认的加密范围,它将自动应用于容器中的所有 blob。You can also specify a default encryption scope when you create a container, which automatically applies to all blobs in the container.
若要在 Azure 门户中创建加密范围,请执行以下步骤:To create an encryption scope in the Azure portal, follow these steps:
导航到 Azure 门户中的存储帐户。Navigate to your storage account in the Azure portal.
选择“加密”设置。Select the Encryption setting.
选择“加密范围”选项卡。Select the Encryption Scopes tab.
单击“添加”按钮以添加新加密范围。Click the Add button to add a new encryption scope.
在“创建加密范围”窗格输入新范围的名称。In the Create Encryption Scope pane, enter a name for the new scope.
选择加密的类型,Microsoft 托管密钥或客户管理的密钥 。Select the type of encryption, either Microsoft-managed keys or Customer-managed keys.
如果选择了“Microsoft 管理的密钥”,请单击“创建”以创建加密范围 。If you selected Microsoft-managed keys, click Create to create the encryption scope.
如果选择了“客户管理的密钥”,请指定要用于此加密范围的密钥保险库、密钥和密钥版本,如下图所示。If you selected Customer-managed keys, specify a key vault, key, and key version to use for this encryption scope, as shown in the following image.
要使用 PowerShell 创建加密范围,请首先安装 Az.Storage 预览模块版本。To create an encryption scope with PowerShell, first install the Az.Storage preview module version.建议使用最新的预览版本,但 1.13.4 预览版及更高版本中也支持加密范围。Using the latest preview version is recommended, but encryption scopes are supported in version 1.13.4-preview and later.删除其他版本的 Az.Storage 模块。Remove any other versions of the Az.Storage module.
创建受 Microsoft 托管密钥保护的加密范围Create an encryption scope protected by Microsoft-managed keys
若要创建受 Microsoft 托管密钥保护的新加密范围,请使用 -StorageEncryption 参数调用 New-AzStorageEncryptionScope 命令。To create a new encryption scope that is protected by Microsoft-managed keys, call the New-AzStorageEncryptionScope command with the -StorageEncryption parameter.
请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values:
创建由客户管理的密钥保护的加密范围Create an encryption scope protected by customer-managed keys
若要创建受密钥保管库中存储的客户管理的密钥保护的新加密范围,请首先为存储帐户配置客户管理的密钥。To create a new encryption scope that is protected by customer-managed keys stored in a key vault, first configure customer-managed keys for the storage account.必须为存储帐户分配一个托管标识,然后使用该托管标识配置密钥保管库的访问策略,使存储帐户有权访问该密钥保管库。You must assign a managed identity to the storage account and then use the managed identity to configure the access policy for the key vault so that the storage account has permissions to access it.
若要配置与加密范围一起使用的客户管理的密钥,必须在密钥保管库上启用清除保护。To configure customer-managed keys for use with an encryption scope, purge protection must be enabled on the key vault.密钥保管库必须与存储帐户位于同一区域中。The key vault must be in the same region as the storage account.
请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values:
$rgName = "<resource-group>"
$accountName = "<storage-account>"
$keyVaultName = "<key-vault>"
$keyUri = "<key-uri-with-version>"
$scopeName2 = "customer2scope"
# Assign a system managed identity to the storage account.
$storageAccount = Set-AzStorageAccount -ResourceGroupName $rgName `
-Name $accountName `
-AssignIdentity
# Configure the access policy for the key vault.
Set-AzKeyVaultAccessPolicy `
-VaultName $keyVaultName `
-ObjectId $storageAccount.Identity.PrincipalId `
-PermissionsToKeys wrapkey,unwrapkey,get
接下来,使用 -KeyvaultEncryption 参数调用 New-AzStorageEncryptionScope 命令,并指定密钥 URI。Next, call the New-AzStorageEncryptionScope command with the -KeyvaultEncryption parameter, and specify the key URI.请确保在密钥 URI 上包括密钥版本。Be sure to include the key version on the key URI.请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values:
若要使用 Azure CLI 创建加密范围,请先安装 Azure CLI 2.4.0 或更高版本。To create an encryption scope with Azure CLI, first install Azure CLI version 2.4.0 or later.
创建受 Microsoft 托管密钥保护的加密范围Create an encryption scope protected by Microsoft-managed keys
若要创建受 Microsoft 托管密钥保护的新加密范围,请调用 az storage account encryption-scope create 命令,并将 --key-source 参数指定为 Microsoft.Storage。To create a new encryption scope that is protected by Microsoft-managed keys, call the az storage account encryption-scope create command, specifying the --key-source parameter as Microsoft.Storage.请务必将占位符值替换为你自己的值:Remember to replace the placeholder values with your own values:
创建由客户管理的密钥保护的加密范围Create an encryption scope protected by customer-managed keys
若要创建受 Microsoft 托管密钥保护的新加密范围,请调用 az storage account encryption-scope create 命令,并将 --key-source 参数指定为 Microsoft.Storage。To create a new encryption scope that is protected by Microsoft-managed keys, call the az storage account encryption-scope create command, specifying the --key-source parameter as Microsoft.Storage.请务必将占位符值替换为你自己的值:Remember to replace the placeholder values with your own values:
若要创建受密钥保管库中的客户管理的密钥保护的新加密范围,请首先为存储帐户配置客户管理的密钥。To create a new encryption scope that is protected by customer-managed keys in a key vault, first configure customer-managed keys for the storage account.必须为存储帐户分配一个托管标识,然后使用该托管标识配置密钥保管库的访问策略,使存储帐户有权访问该密钥保管库。You must assign a managed identity to the storage account and then use the managed identity to configure the access policy for the key vault so that the storage account has permissions to access it.有关详细信息,请参阅用于 Azure 存储加密的客户管理的密钥。For more information, see Customer-managed keys for Azure Storage encryption.
若要配置与加密范围一起使用的客户管理的密钥,必须在密钥保管库上启用清除保护。To configure customer-managed keys for use with an encryption scope, purge protection must be enabled on the key vault.密钥保管库必须与存储帐户位于同一区域中。The key vault must be in the same region as the storage account.
请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values:
az login
az account set --subscription <subscription-id>
az storage account update \
--name <storage-account> \
--resource-group <resource_group> \
--assign-identity
storage_account_principal=$(az storage account show \
--name <storage-account> \
--resource-group <resource-group> \
--query identity.principalId \
--output tsv)
az keyvault set-policy \
--name <key-vault> \
--resource-group <resource_group> \
--object-id $storage_account_principal \
--key-permissions get unwrapKey wrapKey
接下来,使用 --key-uri 参数调用 az storage account encryption-scope create 命令,并指定密钥 URI。Next, call the az storage account encryption-scope create command with the --key-uri parameter, and specify the key URI.请确保在密钥 URI 上包括密钥版本。Be sure to include the key version on the key URI.请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values:
若要在 Azure 门户中查看存储帐户的加密范围,请导航到该存储帐户的“加密范围”设置。To view the encryption scopes for a storage account in the Azure portal, navigate to the Encryption Scopes setting for the storage account.在此窗格中,你可以启用或禁用加密范围,或者更改加密范围的密钥。From this pane, you can enable or disable an encryption scope or change the key for an encryption scope.
若要使用 PowerShell 列出存储帐户可用的加密范围,请调用 Get-AzStorageEncryptionScope 命令。To list the encryption scopes available for a storage account with PowerShell, call the Get-AzStorageEncryptionScope command.请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values:
az storage account encryption-scope list \
--account-name <storage-account> \
--resource-group <resource-group>
创建具有默认加密范围的容器Create a container with a default encryption scope
创建容器时,可以指定默认的加密范围。When you create a container, you can specify a default encryption scope.默认情况下,该容器中的 blob 将使用该范围。Blobs in that container will use that scope by default.
除非容器配置为要求所有 blob 使用其默认范围,否则可以使用其自己的加密范围创建单个 blob。An individual blob can be created with its own encryption scope, unless the container is configured to require that all blobs use its default scope.
若要在 Azure 门户中创建具有默认加密范围的容器,请先创建加密范围,如创建加密范围中所述。To create a container with a default encryption scope in the Azure portal, first create the encryption scope as described in Create an encryption scope.接下来,请按照以下步骤创建容器:Next, follow these steps to create the container:
导航到存储帐户中的容器列表,然后选择“添加”按钮创建一个新容器。Navigate to the list of containers in your storage account, and select the Add button to create a new container.
在“新容器”窗格中展开“高级”设置 。Expand the Advanced settings in the New Container pane.
在“加密范围”下拉列表中,为容器选择默认的加密范围。In the Encryption scope drop-down, select the default encryption scope for the container.
若要要求容器中的所有 blob 使用默认加密范围,请选中“对容器中的所有 blob 使用此加密范围”的复选框。To require that all blobs in the container use the default encryption scope, select the checkbox to Use this encryption scope for all blobs in the container.如果选中此复选框,则容器中的单个 blob 无法重写默认的加密范围。If this checkbox is selected, then an individual blob in the container cannot override the default encryption scope.
要使用 PowerShell 创建具有默认加密范围的容器,请调用 New-AzRmStorageContainer 命令,并指定 -DefaultEncryptionScope 参数的范围。To create a container with a default encryption scope with PowerShell, call the New-AzRmStorageContainer command, specifying the scope for the -DefaultEncryptionScope parameter.New-AzRmStorageContainer 命令使用 Azure 存储资源提供程序创建一个容器,使用该容器可配置加密范围和其他资源管理操作。The New-AzRmStorageContainer command creates a container by using the Azure Storage resource provider, which enables configuration of encryption scopes and other resource management operations.
若要强制容器中的所有 blob 使用容器的默认范围,请将 -PreventEncryptionScopeOverride 参数设置为 true。To force all blobs in a container to use the container's default scope, set the -PreventEncryptionScopeOverride parameter to true.
$containerName1 = "container1"
$containerName2 = "container2"
# Create a container with a default encryption scope that cannot be overridden.
New-AzRmStorageContainer -ResourceGroupName $rgName `
-StorageAccountName $accountName `
-Name $containerName1 `
-DefaultEncryptionScope $scopeName1 `
-PreventEncryptionScopeOverride $true
若要使用 Azure CLI 创建具有默认加密范围的容器,请调用 az storage container create 命令,并指定 --default-encryption-scope 参数的范围。To create a container with a default encryption scope with Azure CLI, call the az storage container create command, specifying the scope for the --default-encryption-scope parameter.若要强制容器中的所有 blob 使用容器的默认范围,请将 --prevent-encryption-scope-override 参数设置为 true。To force all blobs in a container to use the container's default scope, set the --prevent-encryption-scope-override parameter to true.
如果客户端在将 blob 上传到具有默认加密范围的容器时尝试指定范围,并且容器配置为阻止 blob 重写默认范围,则操作将失败,并显示一条消息,指示容器加密策略禁止该请求。If a client attempts to specify a scope when uploading a blob to a container that has a default encryption scope and the container is configured to prevent blobs from overriding the default scope, then the operation fails with a message indicating that the request is forbidden by the container encryption policy.
上传具有加密范围的 blobUpload a blob with an encryption scope
上传 blob 时,可以指定该 blob 的加密范围,或者使用容器的默认加密范围(如果已指定)。When you upload a blob, you can specify an encryption scope for that blob, or use the default encryption scope for the container, if one has been specified.
若要上传具有 Azure 门户中指定的加密范围的 blob,请首先按照创建加密范围中所述创建加密范围。To upload a blob with an encryption scope specified in the Azure portal, first create the encryption scope as described in Create an encryption scope.接下来,请按照以下步骤创建 blob:Next, follow these steps to create the blob:
导航到要将 blob 上传到的容器。Navigate to the container to which you want to upload the blob.
选择“上传”按钮,然后找到要上传的 blob。Select the Upload button, and locate the blob to upload.
在“上传 blob”窗格中展开“高级”设置 。Expand the Advanced settings in the Upload blob pane.
找到“加密范围”下拉部分。Locate the Encryption scope drop-down section.默认情况下,将使用容器的默认加密范围(如果已指定)创建 blob。By default, the blob is created with the default encryption scope for the container, if one has been specified.如果容器要求 blob 使用默认加密范围,则禁用此部分。If the container requires that blobs use the default encryption scope, this section is disabled.
若要为要上传的 blob 指定其他范围,请选择“选择现有范围”,然后从下拉列表中选择所需的范围。To specify a different scope for the blob that you are uploading, select Choose an existing scope, then select the desired scope from the drop-down.
若要上传使用 PowerShell 指定加密范围的 blob,请调用 Set-AzStorageBlobContent 命令并提供该 blob 的加密范围。To upload a blob with an encryption scope specified by using PowerShell, call the Set-AzStorageBlobContent command and provide the encryption scope for the blob.
$containerName2 = "container2"
$localSrcFile = "C:\temp\helloworld.txt"
$ctx = (Get-AzStorageAccount -ResourceGroupName $rgName -StorageAccountName $accountName).Context
# Create a new container with no default scope defined.
New-AzStorageContainer -Name $containerName2 -Context $ctx
# Upload a block upload with an encryption scope specified.
Set-AzStorageBlobContent -Context $ctx -Container $containerName2 -File $localSrcFile -Blob "helloworld.txt" -BlobType Block -EncryptionScope $scopeName2
若要上传使用 Azure CLI 指定加密范围的 blob,请调用 az storage blob upload 命令并提供该 blob 的加密范围。To upload a blob with an encryption scope specified by using Azure CLI, call the az storage blob upload command and provide the encryption scope for the blob.
按照上传 blob 中所述的步骤在根目录中创建文件。Follow the steps described in Upload a blob to create a file in the root directory.然后,可以使用以下示例将此文件上传到 blob。You can then upload this file to a blob using the following sample.
若要更改保护 Azure 门户范围的密钥,请执行以下步骤:To change the key that protects a scope in the Azure portal, follow these steps:
导航到“加密范围”选项卡,查看存储帐户的加密范围列表。Navigate to the Encryption Scopes tab to view the list of encryption scopes for the storage account.
选择要修改的范围旁边的“更多”按钮。Select the More button next to the scope you wish to modify.
在“编辑加密范围”窗格中,可以将加密类型从 Microsoft 托管密钥更改为客户管理的密钥,反之亦然。In the Edit encryption scope pane, you can change the encryption type from Microsoft-managed key to customer-managed key or vice versa.
要选择新的客户管理的密钥,请选择“使用新密钥”并指定密钥保管库、密钥和密钥版本。To select a new customer-managed key, select Use a new key and specify the key vault, key, and key version.
若要使用 PowerShell 将保护加密范围的密钥从客户管理的密钥更改为 Microsoft 托管密钥,请调用 Update-AzStorageEncryptionScope 命令并传入 -StorageEncryption 参数:To change the key that protects an encryption scope from a customer-managed key to a Microsoft-managed key with PowerShell, call the Update-AzStorageEncryptionScope command and pass in the -StorageEncryption parameter:
接下来,调用 Update-AzStorageEncryptionScope 命令并传入 -KeyUri 和 -KeyvaultEncryption 参数:Next, call the Update-AzStorageEncryptionScope command and pass in the -KeyUri and -KeyvaultEncryption parameters:
若要使用 Azure CLI 将保护加密范围的密钥从客户管理的密钥更改为 Microsoft 托管密钥,请调用 az storage account encryption-scope update 命令并传入值为 Microsoft.Storage 的 --key-source 参数:To change the key that protects an encryption scope from a customer-managed key to a Microsoft-managed key with Azure CLI, call the az storage account encryption-scope update command and pass in the --key-source parameter with the value Microsoft.Storage:
接下来,调用 az storage account encryption-scope update 命令,传入 --key-uri 参数,并传入值为 Microsoft.KeyVault 的 --key-source 参数:Next, call the az storage account encryption-scope update command, pass in the --key-uri parameter, and pass in the --key-source parameter with the value Microsoft.KeyVault:
禁用加密范围后,将不再为此付费。When an encryption scope is disabled, you are no longer billed for it.禁用不需要的任何加密范围以避免不必要的费用。Disable any encryption scopes that are not needed to avoid unnecessary charges.有关详细信息,请参阅静态数据的 Azure 存储加密。For more information, see Azure Storage encryption for data at rest.
若要在 Azure 门户中禁用加密范围,请导航到该存储帐户的“加密范围”设置,选择所需的加密范围,然后选择“禁用” 。To disable an encryption scope in the Azure portal, navigate to the Encryption Scopes setting for the storage account, select the desired encryption scope, and select Disable.
若要使用 PowerShell 禁用加密范围,请调用 Update-AzStorageEncryptionScope 命令,并包括值为 disabled 的 -State 参数,如以下示例中所示。To disable an encryption scope with PowerShell, call the Update-AzStorageEncryptionScope command and include the -State parameter with a value of disabled, as shown in the following example.若要重新启用加密范围,请调用相同的命令,并将 -State 参数设置为 enabled。To re-enable an encryption scope, call the same command with the -State parameter set to enabled.请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values:
若要使用 Azure CLI 禁用加密范围,请调用 az storage account encryption-scope update 命令,并包括值为 Disabled 的 --state 参数,如以下示例中所示。To disable an encryption scope with Azure CLI, call the az storage account encryption-scope update command and include the --state parameter with a value of Disabled, as shown in the following example.若要重新启用加密范围,请调用相同的命令,并将 --state 参数设置为 Enabled。To re-enable an encryption scope, call the same command with the --state parameter set to Enabled.请务必将示例中的占位符值替换为你自己的值:Remember to replace the placeholder values in the example with your own values: