Provide an encryption key on a request to Blob storage

Clients making requests against Azure Blob storage have the option to provide an encryption key on a per-request basis. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys can be stored in Azure Key Vault or in another key store.

Encrypting read and write operations

When a client application provides an encryption key on the request, Azure Storage performs encryption and decryption transparently while reading and writing blob data. Azure Storage writes a SHA-256 hash of the encryption key alongside the blob's contents. The hash is used to verify that all subsequent operations against the blob use the same encryption key.

Azure Storage does not store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.

When a client creates or updates a blob using a customer-provided key on the request, subsequent read and write requests for that blob must also provide the key. If the key is not provided on a request for a blob that has already been encrypted with a customer-provided key, the request fails with error code 409 (Conflict).

If the client application sends an encryption key on the request, and the storage account is also encrypted using a Microsoft-managed key or a customer-managed key, then Azure Storage uses the key provided on the request for encryption and decryption.

To send the encryption key as part of the request, a client must establish a secure connection to Azure Storage using HTTPS.

Each blob snapshot can have its own encryption key.

Request headers for specifying customer-provided keys

For REST calls, clients can use the following headers to securely pass encryption key information on a request to Blob storage:

Request header             | Description
x-ms-encryption-key        | Required for both write and read requests. A Base64-encoded AES-256 encryption key value.
x-ms-encryption-key-sha256 | Required for both write and read requests. The Base64-encoded SHA-256 of the encryption key.
x-ms-encryption-algorithm  | Required for write requests, optional for read requests. Specifies the algorithm to use when encrypting data with the given key. Must be AES256.

Specifying encryption keys on the request is optional. However, if you specify one of the headers listed above for a write operation, you must specify all of them.
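The following is an added example, not code from the page or from Azure: it builds the three x-ms-encryption-* headers from a raw 32-byte key (the SHA-256 is taken over the raw key bytes, and both key and digest are Base64-encoded), checks that a header set is complete and self-consistent the way a write request requires, and then uses a small local stand-in for the service (the BlobStoreModel class, which is an assumption for illustration and not the real service) to show the behaviour the section above describes: only the hash of the key is kept next to the blob, the key itself is dropped, a later request without the key or with a different key is refused with 409, and rotation is a download with the old key followed by a re-upload with the new one.

```python
"""Customer-provided key (CPK) headers for Blob storage plus a local model of
the service-side checks. Added example; BlobStoreModel is a stand-in, not Azure."""
import base64
import hashlib
import hmac
import os

AES256_KEY_BYTES = 32
CPK_HEADERS = (
    "x-ms-encryption-key",
    "x-ms-encryption-key-sha256",
    "x-ms-encryption-algorithm",
)


def generate_key() -> bytes:
    """Fresh 256-bit key; in practice it comes from Key Vault or another key store."""
    return os.urandom(AES256_KEY_BYTES)


def cpk_headers(key: bytes, *, for_write: bool = True) -> dict:
    """Build the x-ms-encryption-* headers for a raw 32-byte key.

    The SHA-256 is computed over the raw key bytes, and both the key and the
    digest are Base64-encoded. The algorithm header is required on writes and
    optional on reads, so it is only added when for_write is True."""
    if len(key) != AES256_KEY_BYTES:
        raise ValueError("customer-provided key must be 32 bytes (AES-256)")
    headers = {
        "x-ms-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-ms-encryption-key-sha256": base64.b64encode(
            hashlib.sha256(key).digest()).decode("ascii"),
    }
    if for_write:
        headers["x-ms-encryption-algorithm"] = "AES256"
    return headers


class ConflictError(Exception):
    """Stands in for HTTP 409 (Conflict)."""
    status_code = 409


def validate_cpk_headers(headers: dict, *, is_write: bool):
    """Return the raw key when a complete, self-consistent CPK header set is
    present, None when no CPK header is present, and raise ValueError when the
    set is incomplete (all headers are required on writes) or inconsistent."""
    if not any(h in headers for h in CPK_HEADERS):
        return None
    required = CPK_HEADERS if is_write else CPK_HEADERS[:2]
    missing = [h for h in required if h not in headers]
    if missing:
        raise ValueError(f"incomplete customer-provided key headers, missing {missing}")
    if headers.get("x-ms-encryption-algorithm", "AES256") != "AES256":
        raise ValueError("x-ms-encryption-algorithm must be AES256")
    key = base64.b64decode(headers["x-ms-encryption-key"], validate=True)
    if len(key) != AES256_KEY_BYTES:
        raise ValueError("decoded key is not 32 bytes")
    expected = base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")
    if not hmac.compare_digest(expected, headers["x-ms-encryption-key-sha256"]):
        raise ValueError("x-ms-encryption-key-sha256 does not match the supplied key")
    return key


class BlobStoreModel:
    """Local stand-in for the service (assumption, not Azure): keeps only the
    SHA-256 of the key next to each blob, never the key, and enforces it."""

    def __init__(self):
        self._blobs = {}  # name -> (data, key_hash or None)

    def put(self, name: str, data: bytes, headers: dict) -> None:
        key = validate_cpk_headers(headers, is_write=True)
        existing = self._blobs.get(name)
        if existing and existing[1] is not None and key is None:
            raise ConflictError(f"{name} is CPK-encrypted; the write needs the key")
        key_hash = hashlib.sha256(key).digest() if key else None
        # A full re-upload may carry a different key; that is how rotation works.
        self._blobs[name] = (data, key_hash)  # the key itself is dropped here

    def get(self, name: str, headers: dict) -> bytes:
        data, stored_hash = self._blobs[name]
        key = validate_cpk_headers(headers, is_write=False)
        if stored_hash is not None:
            if key is None or not hmac.compare_digest(hashlib.sha256(key).digest(), stored_hash):
                raise ConflictError(f"{name} requires the same customer-provided key")
        return data

    def rotate(self, name: str, old_key: bytes, new_key: bytes) -> None:
        """Download with the old key, then re-upload with the new one."""
        data = self.get(name, cpk_headers(old_key, for_write=False))
        self.put(name, data, cpk_headers(new_key))
```

The same two Base64 strings are what an SDK needs: in the azure-storage-blob Python package the CustomerProvidedEncryptionKey object takes the key value and its hash in exactly this form, and the service recomputes the hash from the key on every request, so a client that sends a stale or mis-encoded x-ms-encryption-key-sha256 is rejected before any data moves.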

Blob storage operations supporting customer-provided keys

The following Blob storage operations support sending customer-provided encryption keys on a request:

Rotate customer-provided keys

To rotate an encryption key that was used to encrypt a blob, download the blob and then re-upload it with the new encryption key.

Important

The Azure portal cannot be used to read from or write to a container or blob that is encrypted with a key provided on the request.

Be sure to protect the encryption key that you provide on a request to Blob storage in a secure key store like Azure Key Vault. If you attempt a write operation on a container or blob without the encryption key, the operation will fail, and you will lose access to the object.

Next steps