Customer-managed keys for Azure Storage encryption

You can use your own encryption key to protect the data in your storage account. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in the key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.

For more information about Azure Key Vault, see What is Azure Key Vault?.

About customer-managed keys

The following diagram shows how Azure Storage uses Azure Active Directory and a key vault to make requests using the customer-managed key:

[Diagram: how customer-managed keys work in Azure Storage]

The following list explains the numbered steps in the diagram:

  1. An Azure Key Vault admin grants the managed identity that's associated with the storage account permissions on the encryption key.
  2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
  3. Azure Storage uses the managed identity that's associated with the storage account to authenticate access to Azure Key Vault via Azure Active Directory.
  4. Azure Storage wraps the account encryption key with the customer key in Azure Key Vault.
  5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

Enable customer-managed keys for a storage account

When you configure a customer-managed key, Azure Storage wraps the root data encryption key for the account with the customer-managed key in the associated key vault. Enabling customer-managed keys does not impact performance, and takes effect immediately.

When you enable or disable customer-managed keys, or when you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Storage account does not need to be re-encrypted.

Customer-managed keys can be enabled only on existing storage accounts. The key vault must be configured to grant permissions to the managed identity that is associated with the storage account, and that managed identity is available only after the storage account is created.

You can switch between customer-managed keys and Microsoft-managed keys at any time. For more information about Microsoft-managed keys, see About encryption key management.

To learn how to configure Azure Storage encryption with customer-managed keys in a key vault, see Configure encryption with customer-managed keys stored in Azure Key Vault.

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure AD. Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned to your storage account under the covers. If you subsequently move the subscription, resource group, or storage account from one Azure AD directory to another, the managed identity associated with the storage account is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories in FAQs and known issues with managed identities for Azure resources.

Azure Storage encryption supports RSA keys of size 2048, 3072, and 4096 bits. For more information about keys, see About keys.

Using a key vault has associated costs. For more information, see Key Vault pricing.

Update the key version

When you configure encryption with customer-managed keys, you have two options for updating the key version:

  • Automatically update the key version: To automatically update a customer-managed key when a new version is available, omit the key version when you enable encryption with customer-managed keys for the storage account. If the key version is omitted, then Azure Storage checks the key vault daily for a new version of the customer-managed key and automatically uses the latest version.

  • Manually update the key version: To use a specific version of a key for Azure Storage encryption, specify that key version when you enable encryption with customer-managed keys for the storage account. If you specify the key version, then Azure Storage uses that version for encryption until you manually update the key version.

    When the key version is explicitly specified, you must manually update the storage account to use the new key version URI whenever a new version is created. To learn how to update the storage account to use a new version of the key, see Configure encryption with customer-managed keys stored in Azure Key Vault.

When you update the key version, the protection of the root encryption key changes, but the data in your Azure Storage account is not re-encrypted. No further action is required from the user.

Note

To rotate a key, create a new version of the key in the key vault, according to your compliance policies. You can rotate your key manually or create a function to rotate it on a schedule.

Revoke access to customer-managed keys

You can revoke the storage account's access to the customer-managed key at any time. After access to the customer-managed key is revoked, or after the key has been disabled or deleted, clients cannot call operations that read from or write to a blob or its metadata. Attempts to call any of the following operations fail with error code 403 (Forbidden) for all users:

To call these operations again, restore access to the customer-managed key.

All data operations that are not listed in this section may proceed after customer-managed keys are revoked or a key is disabled or deleted.

To revoke access to customer-managed keys, use PowerShell or Azure CLI.
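The key hierarchy in the numbered diagram steps, the rewrap-only rotation described under Update the key version, and the 403 failure after revocation described in this section can be followed end to end in the Python model below. It is an added example, not Azure or Microsoft code: the KeyVault and StorageAccount classes, the identity name storage-account-identity, the key name storage-cmk, the blob contents and the HMAC-SHA256-based seal/unseal cipher are all constructed for the demo, and that cipher stands in for the RSA wrap that Azure Key Vault actually performs.

```python
import hashlib
import hmac
import secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):  # HMAC-SHA256 in counter mode as the keystream
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Demo cipher (constructed here, not Azure's RSA-OAEP wrap): encrypt-then-MAC, nonce||ct||tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or corrupted blob")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class AccessDenied(Exception): ...

class KeyVault:  # stand-in for Azure Key Vault: versioned keys plus a wrap/unwrap policy
    def __init__(self):
        self.keys = {}       # key name -> {version id: key material}
        self.policy = set()  # identities granted wrap/unwrap

    def create_key_version(self, name):
        version = secrets.token_hex(8)
        self.keys.setdefault(name, {})[version] = secrets.token_bytes(32)
        return version

    def latest_version(self, name):
        return list(self.keys[name])[-1]  # dicts preserve insertion order

    def _material(self, identity, name, version):
        if identity not in self.policy:
            raise AccessDenied(f"{identity} lacks wrap/unwrap permission")
        if version not in self.keys.get(name, {}):
            raise AccessDenied(f"{name}/{version} is disabled or deleted")
        return self.keys[name][version]

    def wrap(self, identity, name, version, dek):
        return seal(self._material(identity, name, version), dek)

    def unwrap(self, identity, name, version, wrapped):
        return unseal(self._material(identity, name, version), wrapped)

class StorageAccount:  # stand-in for the storage service acting via its managed identity
    def __init__(self, vault, identity):
        self.vault, self.identity, self.blobs = vault, identity, {}
        self.root_dek = secrets.token_bytes(32)  # Microsoft-managed until CMK is enabled
        self.key_name = self.wrapped = self.wrapped_under = None

    def enable_cmk(self, key_name, version=None):  # steps 2-4; version=None means auto-update
        self.key_name, dek, self.root_dek = key_name, self.root_dek, None
        self.update_key_version(version, dek)

    def update_key_version(self, version=None, dek=None):  # rotation: rewrap only, blobs untouched
        version = version or self.vault.latest_version(self.key_name)
        self.wrapped = self.vault.wrap(self.identity, self.key_name, version, dek or self._dek())
        self.wrapped_under = version

    def _dek(self):  # step 5: every data operation begins with an unwrap request to the vault
        if self.wrapped is None:
            return self.root_dek
        try:
            return self.vault.unwrap(self.identity, self.key_name, self.wrapped_under, self.wrapped)
        except AccessDenied as e:
            raise PermissionError(f"403 Forbidden: {e}") from e

    def put_blob(self, name, data):
        self.blobs[name] = seal(self._dek(), data)

    def get_blob(self, name):
        return unseal(self._dek(), self.blobs[name])

def demo():
    vault, msi = KeyVault(), "storage-account-identity"
    vault.policy.add(msi)                          # step 1: vault admin grants the managed identity
    v1 = vault.create_key_version("storage-cmk")
    acct = StorageAccount(vault, msi)
    acct.enable_cmk("storage-cmk")                 # no version pinned: auto-update mode
    acct.put_blob("a.txt", b"hello")
    before = acct.blobs["a.txt"]
    v2 = vault.create_key_version("storage-cmk")   # new key version appears in the vault
    acct.update_key_version()                      # the daily check adopts it: rewrap only
    rotated = acct.wrapped_under == v2 != v1
    unchanged = acct.blobs["a.txt"] == before      # blob ciphertext was not re-encrypted
    readable = acct.get_blob("a.txt") == b"hello"
    vault.policy.discard(msi)                      # revoke the identity's access to the key
    try:
        acct.get_blob("a.txt")
        return rotated, unchanged, readable, 200
    except PermissionError as e:
        return rotated, unchanged, readable, int(str(e)[:3])
```

demo() returns (True, True, True, 403): after a new key version is created the account rewraps its root key under that version, the stored blob ciphertext is byte-for-byte unchanged, the blob is still readable, and once the identity is removed from the vault's policy every data operation fails with 403 because the account holds its root key only in wrapped form and can no longer unwrap it. Pinning a version is the same call with an explicit version id (update_key_version(v1)), after which the account keeps using that version until it is updated again, which is the manual path described above.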

Customer-managed keys for Azure managed disks

Customer-managed keys are also available for managing encryption of Azure managed disks. Customer-managed keys behave differently for managed disks than for Azure Storage resources. For more information, see Server-side encryption of Azure managed disks for Windows or Server-side encryption of Azure managed disks for Linux.

Next steps