Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can manage your own keys. Customer-managed keys must be stored in Azure Key Vault.
This article shows how to configure encryption with customer-managed keys stored in a key vault by using the Azure portal, PowerShell, or Azure CLI.
Configure a key vault
You can use a new or existing key vault to store customer-managed keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions.
Using customer-managed keys with Azure Storage encryption requires that both soft delete and purge protection be enabled for the key vault. Soft delete is enabled by default when you create a new key vault and cannot be disabled. You can enable purge protection either when you create the key vault or after it is created.
To enable purge protection on an existing key vault, follow these steps:
Navigate to your key vault in the Azure portal.
Under Settings, choose Properties.
In the Purge protection section, choose Enable purge protection.
To create a new key vault with PowerShell, install version 2.0.0 or later of the Az.KeyVault PowerShell module. Then call New-AzKeyVault to create a new key vault. With version 2.0.0 and later of the Az.KeyVault module, soft delete is enabled by default when you create a new key vault.
The following example creates a new key vault with both soft delete and purge protection enabled. Remember to replace the placeholder values in brackets with your own values.
Next, assign a system-assigned managed identity to your storage account. You'll use this managed identity to grant the storage account permissions to access the key vault. For more information about system-assigned managed identities, see What are managed identities for Azure resources?.
Finally, configure the access policy for the key vault so that the storage account has permissions to access it. In this step, you'll use the managed identity that you previously assigned to the storage account.
To create a new key vault using Azure CLI, call az keyvault create. Remember to replace the placeholder values in brackets with your own values:
Next, assign a system-assigned managed identity to the storage account. You'll use this managed identity to grant the storage account permissions to access the key vault. For more information about system-assigned managed identities, see What are managed identities for Azure resources?.
Finally, configure the access policy for the key vault so that the storage account has permissions to access it. In this step, you'll use the managed identity that you previously assigned to the storage account.
Azure Storage encryption supports RSA keys of sizes 2048, 3072, and 4096. For more information about keys, see About keys.
To add a key with PowerShell, call Add-AzKeyVaultKey. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
To add a key with Azure CLI, call az keyvault key create. Remember to replace the placeholder values in brackets with your own values.
az keyvault key create \
--name <key> \
--vault-name <key-vault>
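The Azure CLI preparation steps described above (vault with purge protection, managed identity, access policy, RSA key), collected into one script as an added example that is not the article's own code. The names in angle brackets are placeholders to replace; the az commands are composed here exactly as they would be run after az login, but nothing is verified offline.

```shell
#!/bin/sh
# Added example, not the article's own code: the Azure CLI steps for preparing a key
# vault for customer-managed keys, as shell functions. Resource names in angle brackets
# are placeholders; override them through the environment or edit them in place.
set -e
RG=${RG:-"<resource-group>"}
LOCATION=${LOCATION:-"<region>"}
VAULT=${VAULT:-"<key-vault>"}
ACCOUNT=${ACCOUNT:-"<storage-account>"}
KEY=${KEY:-"<key>"}

# 1. New vault with purge protection. Soft delete is already on for new vaults and cannot
#    be turned off, so a deleted key cannot be purged out from under the storage account.
create_vault() {
    az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
        --enable-purge-protection true
}

# 2. System-assigned managed identity for the storage account; prints its principal id.
assign_identity() {
    az storage account update --name "$ACCOUNT" --resource-group "$RG" --assign-identity \
        --query identity.principalId --output tsv
}

# 3. Access policy for that identity with only the key permissions envelope encryption
#    needs (get, wrapKey, unwrapKey); secrets and certificates in the vault stay out of reach.
grant_policy() {
    az keyvault set-policy --name "$VAULT" --resource-group "$RG" --object-id "$1" \
        --key-permissions get unwrapKey wrapKey
}

# 4. RSA key in one of the sizes the article lists as supported (2048, 3072 or 4096).
create_key() {
    az keyvault key create --name "$KEY" --vault-name "$VAULT" --kty RSA --size 2048
}

# Run the steps in order. The storage account must already exist in the same region
# as the vault; the identity's principal id is printed for later use.
prepare_cmk_vault() {
    create_vault >/dev/null
    principal=$(assign_identity)
    grant_policy "$principal" >/dev/null
    create_key >/dev/null
    echo "$principal"
}
```

Source the file and call prepare_cmk_vault, or call the four functions one at a time when you want to inspect each result.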
Configure encryption with customer-managed keys
Next, configure your Azure Storage account to use customer-managed keys with Azure Key Vault, then specify the key to associate with the storage account.
When you configure encryption with customer-managed keys, you can choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault. Alternatively, you can explicitly specify a key version to be used for encryption until the key version is manually updated.
Note
To rotate a key, create a new version of the key in Azure Key Vault. Azure Storage does not handle the rotation of the key in Azure Key Vault, so you will need to rotate your key manually or create a function to rotate it on a schedule.
Configure encryption for automatic updating of key versions
Azure Storage can automatically update the customer-managed key that is used for encryption to use the latest key version. When the customer-managed key is rotated in Azure Key Vault, Azure Storage will automatically begin using the latest version of the key for encryption.
To configure customer-managed keys with automatic updating of the key version in the Azure portal, follow these steps:
Navigate to your storage account.
On the Settings blade for the storage account, click Encryption. Select the Customer Managed Keys option, as shown in the following image.
Choose the Select from Key Vault option.
Select Select a key vault and key.
Select the key vault containing the key you want to use.
Select the key from the key vault.
Save your changes.
After you've specified the key, the Azure portal indicates that automatic updating of the key version is enabled and displays the key version currently in use for encryption.
To configure customer-managed keys with automatic updating of the key version with PowerShell, install the Az.Storage module, version 2.0.0 or later.
To automatically update the key version for a customer-managed key, omit the key version when you configure encryption with customer-managed keys for the storage account. Call Set-AzStorageAccount to update the storage account's encryption settings, as shown in the following example, and include the -KeyvaultEncryption option to enable customer-managed keys for the storage account.
Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
To automatically update the key version for a customer-managed key, omit the key version when you configure encryption with customer-managed keys for the storage account. Call az storage account update to update the storage account's encryption settings, as shown in the following example. Include the --encryption-key-source parameter and set it to Microsoft.Keyvault to enable customer-managed keys for the account.
Remember to replace the placeholder values in brackets with your own values.
Configure encryption for manual updating of key versions
If you prefer to manually update the key version, then explicitly specify the version at the time that you configure encryption with customer-managed keys. In this case, Azure Storage will not automatically update the key version when a new version is created in the key vault. To use a new key version, you must manually update the version used for Azure Storage encryption.
To configure customer-managed keys with manual updating of the key version in the Azure portal, specify the key URI, including the version. To specify a key as a URI, follow these steps:
To locate the key URI in the Azure portal, navigate to your key vault, and select the Keys setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.
Copy the value of the Key Identifier field, which provides the URI.
In the Encryption key settings for your storage account, choose the Enter key URI option.
Paste the URI that you copied into the Key URI field. Omit the key version from the URI to enable automatic updating of the key version.
Specify the subscription that contains the key vault.
Save your changes.
To configure customer-managed keys with manual updating of the key version, explicitly provide the key version when you configure encryption for the storage account. Call Set-AzStorageAccount to update the storage account's encryption settings, as shown in the following example, and include the -KeyvaultEncryption option to enable customer-managed keys for the storage account.
Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
When you manually update the key version, you'll need to update the storage account's encryption settings to use the new version. First, call Get-AzKeyVaultKey to get the latest version of the key. Then call Set-AzStorageAccount to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.
To configure customer-managed keys with manual updating of the key version, explicitly provide the key version when you configure encryption for the storage account. Call az storage account update to update the storage account's encryption settings, as shown in the following example. Include the --encryption-key-source parameter and set it to Microsoft.Keyvault to enable customer-managed keys for the account.
Remember to replace the placeholder values in brackets with your own values.
When you manually update the key version, you'll need to update the storage account's encryption settings to use the new version. First, query for the key vault URI by calling az keyvault show, and for the key version by calling az keyvault key list-versions. Then call az storage account update to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.
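The automatic-versus-manual choice explained at the start of this section, and the portal step "omit the key version from the URI to enable automatic updating", come down to whether the Key Identifier carries a version segment. The following added example (not code from the article) splits a copied Key Identifier into vault URI, key name and optional version, and builds the matching az storage account update arguments; it assumes the identifier layout https://<vault>.vault.azure.net/keys/<key>[/<version>] and rejects anything else.

```shell
#!/bin/sh
# Added example, not part of the original article: turn the "Key Identifier" value copied
# from the Key Vault portal blade into az storage account update arguments.
# Assumed layout: https://<vault>.vault.azure.net/keys/<key>[/<version>]
# A version in the identifier pins the storage account to it (manual updating); leaving
# it out lets Azure Storage follow new key versions automatically.

# Print "<vault-uri> <key-name> <version>" (version may be empty); fail on malformed input.
parse_key_id() {
    kid=${1%/}                                   # tolerate a trailing slash
    case "$kid" in
        https://*/keys/*) ;;
        *) echo "not a Key Vault key identifier: $1" >&2; return 1 ;;
    esac
    vault_uri=${kid%%/keys/*}                    # https://<vault>.vault.azure.net
    rest=${kid#*/keys/}                          # <key>[/<version>]
    key_name=${rest%%/*}
    version=""
    case "$rest" in */*) version=${rest#*/} ;; esac
    case "$version" in
        */*) echo "unexpected path after the version: $1" >&2; return 1 ;;
    esac
    [ -n "$key_name" ] || { echo "missing key name: $1" >&2; return 1; }
    echo "$vault_uri $key_name $version"
}

# "manual" when the identifier carries a version, "automatic" when it does not.
cmk_mode() {
    parsed=$(parse_key_id "$1") || return 1
    set -- $parsed
    [ -n "$3" ] && echo manual || echo automatic
}

# Arguments for: az storage account update <args>   (account name, resource group, key id)
cmk_update_args() {
    account=$1; rg=$2
    parsed=$(parse_key_id "$3") || return 1
    set -- $parsed
    args="--name $account --resource-group $rg --encryption-key-source Microsoft.Keyvault"
    args="$args --encryption-key-vault $1 --encryption-key-name $2"
    [ -n "$3" ] && args="$args --encryption-key-version $3"   # omitted => automatic
    echo "$args"
}
```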
Change the key
You can change the key that you are using for Azure Storage encryption at any time.
To revoke customer-managed keys with the Azure portal, disable the key as described in Disable customer-managed keys.
You can revoke customer-managed keys by removing the key vault access policy. To revoke a customer-managed key with PowerShell, call the Remove-AzKeyVaultAccessPolicy command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
You can revoke customer-managed keys by removing the key vault access policy. To revoke a customer-managed key with Azure CLI, call the az keyvault delete-policy command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
az keyvault delete-policy \
--name <key-vault> \
--object-id $storage_account_principal
Disable customer-managed keys
When you disable customer-managed keys, your storage account is once again encrypted with Microsoft-managed keys.
To disable customer-managed keys in the Azure portal, follow these steps:
Navigate to your storage account and display the Encryption settings.
Deselect the checkbox next to the Use your own key setting.
To disable customer-managed keys with PowerShell, call Set-AzStorageAccount with the -StorageEncryption option, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
To disable customer-managed keys with Azure CLI, call az storage account update and set the --encryption-key-source parameter to Microsoft.Storage, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.