Use customer-managed keys with Azure Key Vault to manage Azure Storage encryption

You can use your own encryption key to protect the data in your storage account. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?.

About customer-managed keys

The following diagram shows how Azure Storage uses Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

[Diagram: how customer-managed keys work in Azure Storage]

The following list explains the numbered steps in the diagram:

  1. An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the storage account.
  2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
  3. Azure Storage uses the managed identity that's associated with the storage account to authenticate access to Azure Key Vault via Azure Active Directory.
  4. Azure Storage wraps the account encryption key with the customer key in Azure Key Vault.
  5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

Enable customer-managed keys for a storage account

When you configure a customer-managed key, Azure Storage wraps the root data encryption key for the account with the customer-managed key in the associated key vault. Enabling customer-managed keys does not impact performance, and takes effect immediately.

When you enable or disable customer-managed keys, or when you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Storage account does not need to be re-encrypted.

Customer-managed keys can be enabled only on existing storage accounts. The key vault must be configured with access policies that grant permissions to the managed identity that is associated with the storage account. The managed identity is available only after the storage account is created.

You can switch between customer-managed keys and Microsoft-managed keys at any time. For more information about Microsoft-managed keys, see About encryption key management.

To learn how to use customer-managed keys with Azure Key Vault for Azure Storage encryption, see one of these articles:

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure AD. Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned to your storage account under the covers. If you subsequently move the subscription, resource group, or storage account from one Azure AD directory to another, the managed identity associated with the storage account is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories in FAQs and known issues with managed identities for Azure resources.

Store customer-managed keys in Azure Key Vault

To enable customer-managed keys on a storage account, you must use an Azure key vault to store your keys. You must enable both the Soft Delete and Do Not Purge properties on the key vault.

Azure Storage encryption supports RSA keys of sizes 2048, 3072 and 4096. For more information about keys, see Key Vault keys in About Azure Key Vault keys, secrets and certificates.
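The steps in the diagram above (assign an identity, grant it key permissions, wrap the account key) together with the key vault requirements just described map onto a short Az PowerShell sequence. The script below is an added example, not code from the Microsoft page; the resource group, vault, key and account names are placeholders, and it assumes an Az.KeyVault version on which New-AzKeyVault still accepts -EnableSoftDelete (newer versions enable soft delete unconditionally, so only -EnablePurgeProtection is then needed).

```powershell
# Added example: enable a customer-managed key on an existing storage account.
# All names below are placeholders (assumed values); replace them with your own.
$rg      = "myResourceGroup"     # assumed resource group
$vault   = "mycmkvault"          # assumed key vault name (must be in the same region/tenant as the account)
$account = "mystorageaccount"    # assumed, already-existing storage account
$keyName = "storage-cmk"         # assumed key name
$region  = "eastus"              # assumed region

# Step 0: the vault must have Soft Delete and Do Not Purge (purge protection) enabled.
# For an existing vault use: Update-AzKeyVault -VaultName $vault -ResourceGroupName $rg -EnablePurgeProtection
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $region `
        -EnableSoftDelete -EnablePurgeProtection

# Create an RSA key in the vault. Storage accepts 2048, 3072 and 4096-bit RSA keys;
# Add-AzKeyVaultKey creates a 2048-bit RSA key by default.
$key = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software

# The managed identity exists only after the account is created, so assign it to the existing account.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $account -AssignIdentity
$principalId = $sa.Identity.PrincipalId

# Diagram step 1: grant that identity only the key permissions Storage needs (least privilege):
# get (read key metadata), wrapKey and unwrapKey (diagram steps 4 and 5).
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId `
    -PermissionsToKeys get,wrapkey,unwrapkey

# Diagram step 2: point the account at the key. Passing an explicit -KeyVersion pins that version
# (manual rotation); omitting it lets Storage pick up new versions automatically.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $kv.VaultUri

# Check: the key source should now be Microsoft.Keyvault and the properties should name your vault and key.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Encryption
$enc.KeySource
$enc.KeyVaultProperties
```

The access policy deliberately grants nothing beyond get, wrapKey and unwrapKey: the storage account never needs to read, export, delete or create keys, so a policy granting those would widen the blast radius of a compromised identity without any functional benefit.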

Using Azure Key Vault has associated costs. For more information, see Key Vault pricing.

Rotate customer-managed keys

You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. You have two options for rotating a customer-managed key:

  • Automatic rotation: To configure automatic rotation of customer-managed keys, omit the key version when you enable encryption with customer-managed keys for the storage account. If the key version is omitted, then Azure Storage checks Azure Key Vault daily for a new version of the customer-managed key. If a new key version is available, then Azure Storage automatically uses the latest version of the key.

  • Manual rotation: To use a particular key version for Azure Storage encryption, specify that key version when you enable encryption with customer-managed keys for the storage account. If you specify the key version, then Azure Storage uses that version for encryption until you manually update the key version.

    When the key is manually rotated, you must update the storage account to use the new key version URI. To learn how to update the storage account to use a new version of the key in the Azure portal, see Manually update the key version.

Rotating a customer-managed key does not trigger re-encryption of data in the storage account. There is no further action required from the user.
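The two rotation options above differ only in whether a key version is passed to the storage account. The following added example (not code from the Microsoft page) shows both with Az PowerShell; the resource names are placeholders, and it assumes the account already has a managed identity with get/wrapKey/unwrapKey access to the vault.

```powershell
# Added example: automatic versus manual rotation of a customer-managed key.
$rg      = "myResourceGroup"     # assumed
$account = "mystorageaccount"    # assumed
$vault   = "mycmkvault"          # assumed
$keyName = "storage-cmk"         # assumed
$vaultUri = (Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).VaultUri

# Option 1, automatic rotation: omit -KeyVersion. Storage then checks the vault daily
# and moves to the newest key version on its own; no further update of the account is needed.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -KeyvaultEncryption `
    -KeyName $keyName -KeyVaultUri $vaultUri

# Option 2, manual rotation: create a new version of the key in the vault...
$newKey = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software

# ...then explicitly update the account with the new version, or Storage keeps using the old one.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -KeyvaultEncryption `
    -KeyName $keyName -KeyVersion $newKey.Version -KeyVaultUri $vaultUri

# Check: with manual rotation the account's recorded version should match the new key version;
# with automatic rotation the version is left empty.
$props = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Encryption.KeyVaultProperties
"Account uses key '$($props.KeyName)' version '$($props.KeyVersion)' from $($props.KeyVaultUri)"
```

Either way, the data is not re-encrypted: only the wrapping of the account's root encryption key changes, which is why the switch is immediate and has no performance cost. Rotation is also not a substitute for keeping Soft Delete and Do Not Purge enabled, since an old version that was wrapping the root key at some point must remain recoverable.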

Revoke access to customer-managed keys

You can revoke the storage account's access to the customer-managed key at any time. After access to customer-managed keys is revoked, or after the key has been disabled or deleted, clients cannot call operations that read from or write to a blob or its metadata. Attempts to call any of the following operations will fail with error code 403 (Forbidden) for all users:

To call these operations again, restore access to the customer-managed key.

All data operations that are not listed in this section may proceed after customer-managed keys are revoked or a key is disabled or deleted.

To revoke access to customer-managed keys, use PowerShell or Azure CLI.
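Revocation can be done at either end of the trust relationship described above: by removing the managed identity's access policy on the vault, or by disabling the key itself. This added example (not code from the Microsoft page) shows both, the matching restore, and the fallback to Microsoft-managed keys; the names are placeholders, and it assumes the Az.KeyVault and Az.Storage modules.

```powershell
# Added example: revoke and restore a storage account's access to its customer-managed key.
$rg      = "myResourceGroup"     # assumed
$account = "mystorageaccount"    # assumed
$vault   = "mycmkvault"          # assumed
$keyName = "storage-cmk"         # assumed

# The identity Storage authenticates with (diagram step 3).
$principalId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Identity.PrincipalId

# Revoke, option A: drop the vault access policy for that identity. Storage can no longer
# unwrap the account key, so blob read/write operations start failing with 403 (Forbidden).
Remove-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId

# Revoke, option B: keep the policy but disable the key. Disabling is preferable to deleting
# because it is instantly reversible and leaves nothing to recover from soft delete.
Update-AzKeyVaultKey -VaultName $vault -Name $keyName -Enable $false

# Restore: re-grant the minimal permissions and/or re-enable the key.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId `
    -PermissionsToKeys get,wrapkey,unwrapkey
Update-AzKeyVaultKey -VaultName $vault -Name $keyName -Enable $true

# Check the vault side: the key should report Enabled = True and the policy should be present.
(Get-AzKeyVaultKey -VaultName $vault -Name $keyName).Enabled
(Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId } |
    Select-Object ObjectId, PermissionsToKeys

# Alternatively, switch the account back to Microsoft-managed keys entirely.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -StorageEncryption
```

Revocation is worth exercising in a non-production account before relying on it: the 403 responses affect every caller, including your own applications, so monitoring should distinguish an intentional revocation from an outage caused by an expired, deleted or wrongly rotated key.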

Customer-managed keys for Azure managed disks

Customer-managed keys are also available for managing encryption of Azure managed disks. Customer-managed keys behave differently for managed disks than for Azure Storage resources. For more information, see Server-side encryption of Azure managed disks for Windows or Server-side encryption of Azure managed disks for Linux.

Next steps