Configure customer-managed keys with Azure Key Vault by using Azure CLI

Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption of blob and file data.

Customer-managed keys must be stored in an Azure Key Vault. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Storage encryption and key management, see Azure Storage encryption for data at rest. For more information about Azure Key Vault, see What is Azure Key Vault?

This article shows how to configure an Azure Key Vault with customer-managed keys using Azure CLI. To learn how to create a key vault using Azure CLI, see Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI.

Assign an identity to the storage account

To enable customer-managed keys for your storage account, first assign a system-assigned managed identity to the storage account. You'll use this managed identity to grant the storage account permissions to access the key vault.

To assign a managed identity using Azure CLI, call az storage account update. Remember to replace the placeholder values in brackets with your own values.

az account set --subscription <subscription-id>

az storage account update \
    --name <storage-account> \
    --resource-group <resource_group> \
    --assign-identity

For more information about configuring system-assigned managed identities with Azure CLI, see Configure managed identities for Azure resources on an Azure VM using Azure CLI.

Create a new key vault

The key vault that you use to store customer-managed keys for Azure Storage encryption must have two key protection settings enabled, Soft Delete and Do Not Purge. To create a new key vault using Azure CLI with these settings enabled, call az keyvault create as shown in the following command. Remember to replace the placeholder values in brackets with your own values.

az keyvault create \
    --name <key-vault> \
    --resource-group <resource_group> \
    --location <region> \
    --enable-soft-delete \
    --enable-purge-protection

To learn how to enable Soft Delete and Do Not Purge on an existing key vault with Azure CLI, see the sections titled Enabling soft-delete and Enabling Purge Protection in How to use soft-delete with CLI.

Configure the key vault access policy

Next, configure the access policy for the key vault so that the storage account has permissions to access it. In this step, you'll use the managed identity that you previously assigned to the storage account.

To set the access policy for the key vault, call az keyvault set-policy. Remember to replace the placeholder values in brackets with your own values.

storage_account_principal=$(az storage account show \
    --name <storage-account> \
    --resource-group <resource_group> \
    --query identity.principalId \
    --output tsv)
az keyvault set-policy \
    --name <key-vault> \
    --resource-group <resource_group> \
    --object-id $storage_account_principal \
    --key-permissions get recover unwrapKey wrapKey

Create a new key

Next, create a key in the key vault. To create a key, call az keyvault key create. Remember to replace the placeholder values in brackets with your own values.

az keyvault key create \
    --name <key> \
    --vault-name <key-vault>

Configure encryption with customer-managed keys

By default, Azure Storage encryption uses Microsoft-managed keys. Configure your Azure Storage account for customer-managed keys and specify the key to associate with the storage account.

To update the storage account's encryption settings, call az storage account update, as shown in the following example. Include the --encryption-key-source parameter and set it to Microsoft.Keyvault to enable customer-managed keys for the storage account. The example also queries for the key vault URI and the latest key version, both of which are needed to associate the key with the storage account. Remember to replace the placeholder values in brackets with your own values.

key_vault_uri=$(az keyvault show \
    --name <key-vault> \
    --resource-group <resource_group> \
    --query properties.vaultUri \
    --output tsv)
key_version=$(az keyvault key list-versions \
    --name <key> \
    --vault-name <key-vault> \
    --query '[-1].kid' \
    --output tsv | cut -d '/' -f 6)
az storage account update \
    --name <storage-account> \
    --resource-group <resource_group> \
    --encryption-key-name <key> \
    --encryption-key-version $key_version \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault $key_vault_uri

Update the key version

When you create a new version of a key, you'll need to update the storage account to use the new version. First, query for the key vault URI by calling az keyvault show, and for the key version by calling az keyvault key list-versions. Then call az storage account update to update the storage account's encryption settings to use the new version of the key, as shown in the previous section.
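The two sections above derive the key version from the last path segment of the key identifier with cut, which silently yields an empty version if the query returns nothing. The following added example (not part of the original article) parses the key identifier in a function that fails closed on malformed input, and wraps the same az commands in a hypothetical helper that also refuses to bind a key from a vault without purge protection. The vault, key and account names in the comments are constructed placeholders.

```shell
#!/bin/sh
# A Key Vault key identifier (kid) has the form
#   https://<vault>.vault.azure.net/keys/<key>/<version>
# Extract the version and fail closed instead of returning an empty string.
key_version_from_kid() {
    kid="${1%/}"   # tolerate a trailing slash
    case "$kid" in
        https://*/keys/*/*) ;;
        *) echo "unexpected key identifier: '$kid'" >&2; return 1 ;;
    esac
    version="${kid##*/}"
    # Key Vault versions are 32 lowercase hex characters; reject anything else.
    case "$version" in
        ""|*[!0-9a-f]*) echo "bad key version: '$version'" >&2; return 1 ;;
    esac
    [ "${#version}" -eq 32 ] || { echo "bad key version length" >&2; return 1; }
    printf '%s\n' "$version"
}

# Companion parser: the key name is the segment after /keys/.
key_name_from_kid() {
    rest="${1%/}"
    rest="${rest#*/keys/}"
    printf '%s\n' "${rest%%/*}"
}

# Hypothetical wrapper (not run here) around the article's commands: bind the
# newest version of <key> to <storage-account>, aborting if the vault lacks purge
# protection or the version cannot be parsed. Usage:
#   bind_latest_key_version <key-vault> <resource_group> <key> <storage-account>
bind_latest_key_version() {
    vault="$1"; rg="$2"; key="$3"; account="$4"
    purge=$(az keyvault show --name "$vault" --resource-group "$rg" \
        --query properties.enablePurgeProtection --output tsv)
    [ "$purge" = "true" ] || { echo "purge protection not enabled on $vault" >&2; return 1; }
    vault_uri=$(az keyvault show --name "$vault" --resource-group "$rg" \
        --query properties.vaultUri --output tsv)
    kid=$(az keyvault key list-versions --name "$key" --vault-name "$vault" \
        --query '[-1].kid' --output tsv)
    version=$(key_version_from_kid "$kid") || return 1
    az storage account update --name "$account" --resource-group "$rg" \
        --encryption-key-name "$key" --encryption-key-version "$version" \
        --encryption-key-source Microsoft.Keyvault --encryption-key-vault "$vault_uri"
}
```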

Use a different key

To change the key used for Azure Storage encryption, call az storage account update as shown in Configure encryption with customer-managed keys and provide the new key name and version. If the new key is in a different key vault, also update the key vault URI.

Revoke customer-managed keys

If you believe that a key may have been compromised, you can revoke customer-managed keys by removing the key vault access policy. To revoke a customer-managed key, call the az keyvault delete-policy command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

az keyvault delete-policy \
    --name <key-vault> \
    --object-id $storage_account_principal

Disable customer-managed keys

When you disable customer-managed keys, your storage account is then encrypted with Microsoft-managed keys. To disable customer-managed keys, call az storage account update and set the --encryption-key-source parameter to Microsoft.Storage, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

az storage account update \
    --name <storage-account> \
    --resource-group <resource_group> \
    --encryption-key-source Microsoft.Storage

Next steps