Configure customer-managed keys with Azure Key Vault by using the Azure portal

Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over the encryption keys, you can supply customer-managed keys to use for encryption of blob and file data.

Customer-managed keys must be stored in an Azure Key Vault. You can either create your own keys and store them in a key vault, or use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Storage encryption and key management, see Azure Storage encryption for data at rest. For more information about Azure Key Vault, see What is Azure Key Vault?

This article shows how to configure an Azure Key Vault with customer-managed keys using the Azure portal. To learn how to create a key vault using the Azure portal, see Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal.

Configure Azure Key Vault

Using customer-managed keys with Azure Storage encryption requires that two properties be set on the key vault: soft delete and purge protection (Do Not Purge). These properties are not enabled by default, but can be enabled with either PowerShell or Azure CLI on a new or existing key vault. They matter because Azure Storage cannot decrypt the account's data without the key vault key that protects the account's encryption key: soft delete keeps a deleted key recoverable for a retention period, and purge protection stops anyone, including a compromised or careless administrator, from permanently destroying it before that period ends.

To learn how to enable these properties on an existing key vault, see the sections titled Enabling soft-delete and Enabling Purge Protection in one of the following articles:

Only 2048-bit RSA keys are supported with Azure Storage encryption. For more information about keys, see Key Vault keys in About Azure Key Vault keys, secrets and certificates.

Enable customer-managed keys

To enable customer-managed keys in the Azure portal, follow these steps:

  1. Navigate to your storage account.

  2. On the Settings blade for the storage account, click Encryption. Select the Customer Managed Keys option, as shown in the following image.

    Screenshot of the portal showing the Encryption option

Specify a key

After you enable customer-managed keys, you can specify the key to associate with the storage account.

Specify a key as a URI

To specify a key as a URI, follow these steps:

  1. To locate the key URI in the Azure portal, navigate to your key vault and select the Keys setting. Select the desired key to view its versions, then select a key version to view the settings for that version.

  2. Copy the value of the Key Identifier field, which is the URI.

    Screenshot showing the key URI in the key vault

  3. In the Encryption settings for your storage account, choose the Enter key URI option.

  4. Paste the URI that you copied into the Key URI field.

    Screenshot showing how to enter the key URI

  5. Specify the subscription that contains the key vault.

  6. Save your changes.

Specify a key from a key vault

To specify a key from a key vault, first make sure that you have a key vault that contains a key, then follow these steps:

  1. Choose the Select from Key Vault option.

  2. Select the key vault containing the key you want to use.

  3. Select the key from the key vault.

    Screenshot showing the customer-managed key options

  4. Save your changes.
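
The same setup as the portal procedure above, done with Azure CLI from a bash shell, as an added example (this is not code from the article or from Microsoft): it confirms the vault's soft-delete and purge-protection flags, optionally creates a 2048-bit RSA key, gives the storage account's system-assigned identity the key permissions it needs, and points the account at a key identifier copied from the portal's Key Identifier field. The vault, key, account and resource-group names are placeholders, the key identifier in the comments is made up, `az login` is assumed to have been done, and the vault is assumed to use the access-policy permission model (a vault on the RBAC model needs a role assignment instead of `az keyvault set-policy`).

```shell
#!/usr/bin/env bash
# Added example: configure Azure Storage customer-managed keys with Azure CLI.
# Assumes `az login` has already been done with rights on both resources.
set -eu

VAULT_NAME="contoso-kv"            # placeholder names, not from the article
KEY_NAME="storage-cmk"
STORAGE_ACCOUNT="contosostorage"
RESOURCE_GROUP="contoso-rg"

# Succeeds only if the JSON from `az keyvault show` reports both protections on.
# Without them a deleted key can be unrecoverable, and with it every blob and
# file encrypted under it. (Unset purge protection shows up as null, not false.)
vault_protected() {
  printf '%s' "$1" | grep -Eq '"enableSoftDelete":[[:space:]]*true' &&
  printf '%s' "$1" | grep -Eq '"enablePurgeProtection":[[:space:]]*true'
}

# Split a key identifier such as
#   https://contoso-kv.vault.azure.net/keys/storage-cmk/0f1e2d3c4b5a69788796a5b4c3d2e1f0
# (made-up value) into the three pieces `az storage account update` wants.
# Sets KV_VAULT_URI, KV_KEY_NAME and KV_KEY_VERSION (empty for a version-less URI).
parse_key_identifier() {
  uri="${1%/}"
  case "$uri" in
    https://*/keys/*) ;;
    *) echo "not a Key Vault key identifier: $1" >&2; return 1 ;;
  esac
  rest="${uri#https://}"
  KV_VAULT_URI="https://${rest%%/*}"
  rest="${rest#*/keys/}"
  KV_KEY_NAME="${rest%%/*}"
  case "$rest" in
    */*) KV_KEY_VERSION="${rest#*/}" ;;
    *)   KV_KEY_VERSION="" ;;
  esac
}

ensure_vault_protected() {
  # Purge protection can be switched on after the fact; soft delete must already be on.
  az keyvault update --name "$VAULT_NAME" --enable-purge-protection true --output none
  if ! vault_protected "$(az keyvault show --name "$VAULT_NAME" --output json)"; then
    echo "vault $VAULT_NAME lacks soft delete or purge protection; fix that first" >&2
    return 1
  fi
}

create_cmk_key() {
  # The article states that Azure Storage encryption requires a 2048-bit RSA key.
  az keyvault key create --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
    --kty RSA --size 2048 --protection software --output none
  # Print the identifier of the version just created (the portal's Key Identifier).
  az keyvault key show --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
    --query key.kid --output tsv
}

enable_cmk() {
  # $1: key identifier. The portal does the identity and access-policy steps
  # for you when you save; on the CLI they are explicit.
  parse_key_identifier "$1"
  principal_id=$(az storage account update --name "$STORAGE_ACCOUNT" \
    --resource-group "$RESOURCE_GROUP" --assign-identity \
    --query identity.principalId --output tsv)
  # Least privilege: the account only needs to read, wrap and unwrap with the key.
  az keyvault set-policy --name "$VAULT_NAME" --object-id "$principal_id" \
    --key-permissions get wrapKey unwrapKey --output none
  az storage account update --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$KV_VAULT_URI" \
    --encryption-key-name "$KV_KEY_NAME" \
    --encryption-key-version "$KV_KEY_VERSION" \
    --query encryption.keyVaultProperties --output json
}

main() {
  ensure_vault_protected
  if [ "$1" = "--create" ]; then kid=$(create_cmk_key); else kid="$1"; fi
  enable_cmk "$kid"
}

# Usage: ./cmk-enable.sh <key-identifier>   or   ./cmk-enable.sh --create
if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run it with the Key Identifier copied in step 2 of the URI procedure, or with `--create` to mint the key first. The final `az storage account update` echoes the key vault properties the account actually stored, so you can compare them with what you intended; the access policy granted to the account's identity is deliberately limited to get, wrapKey and unwrapKey on keys, which is all Azure Storage needs.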

Update the key version

The storage account uses exactly the key version you specified; it does not pick up new versions on its own. When you create a new version of a key, update the storage account to use the new version. Follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Enter the URI for the new key version. Alternately, select the key vault and the key again to update the version.
  3. Save your changes.

Use a different key

To change the key used for Azure Storage encryption, follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Enter the URI for the new key. Alternately, select the key vault and choose a new key.
  3. Save your changes.

Disable customer-managed keys

When you disable customer-managed keys, your storage account is once again encrypted with Microsoft-managed keys. To disable customer-managed keys, follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Deselect the checkbox next to the Use your own key setting.
  3. Save your changes.
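
The three maintenance procedures above (move to a new key version, switch to a different key, revert to Microsoft-managed keys) on the Azure CLI from bash, as an added example that is not code from the article or from Microsoft. Resource names are placeholders, `az login` is assumed, and the key to switch to is assumed to live in the same vault, so the access policy already granted to the account's identity covers it (vault access policies apply to all keys in the vault).

```shell
#!/usr/bin/env bash
# Added example: rotate, switch or disable the customer-managed key of a storage account.
set -eu

VAULT_NAME="contoso-kv"            # placeholder names, not from the article
STORAGE_ACCOUNT="contosostorage"
RESOURCE_GROUP="contoso-rg"

# Version segment of a key identifier (everything after the last slash).
version_from_kid() { printf '%s\n' "${1##*/}"; }

# Identifier of the most recently created, still enabled version of key $1.
# The JMESPath filter drops disabled versions so a rotation never lands on one.
latest_enabled_kid() {
  az keyvault key list-versions --vault-name "$VAULT_NAME" --name "$1" \
    --query "sort_by([?attributes.enabled], &attributes.created)[-1].kid" --output tsv
}

# Point the account at key $1, version $2. The same call serves "update the key
# version" (same name, new version) and "use a different key" (new name).
set_cmk() {
  vault_uri=$(az keyvault show --name "$VAULT_NAME" --query properties.vaultUri --output tsv)
  az storage account update --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "${vault_uri%/}" \
    --encryption-key-name "$1" --encryption-key-version "$2" --output none
}

# One tab-separated line: key source, key name, key version the account really uses.
current_cmk() {
  az storage account show --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
    --query "[encryption.keySource, encryption.keyVaultProperties.keyName, encryption.keyVaultProperties.keyVersion]" \
    --output tsv
}

# $1: expected key name, $2: expected version, $3: a line from current_cmk.
# Succeeds only if the account is on Key Vault encryption with exactly that key.
cmk_matches() {
  [ "$3" = "$(printf 'Microsoft.Keyvault\t%s\t%s' "$1" "$2")" ]
}

# Move key $1 to its newest enabled version and verify the account took it.
rotate_to_latest() {
  kid=$(latest_enabled_kid "$1")
  version=$(version_from_kid "$kid")
  set_cmk "$1" "$version"
  cmk_matches "$1" "$version" "$(current_cmk)" || {
    echo "account did not switch to $kid" >&2; return 1; }
}

# Back to Microsoft-managed keys: the CLI form of clearing "Use your own key".
disable_cmk() {
  az storage account update --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
    --encryption-key-source Microsoft.Storage --output none
}

main() {
  case "$1" in
    rotate)  rotate_to_latest "$2" ;;          # new version of the current key
    switch)  rotate_to_latest "$2" ;;          # different key: pass its name
    disable) disable_cmk ;;
    *) echo "usage: $0 rotate|switch <key-name> | disable" >&2; return 1 ;;
  esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

`rotate` and `switch` are the same operation seen from the account's side: the account is repointed at a key name and version, and `current_cmk` reads back what was stored so a typo in the name or a disabled version is caught immediately rather than at the next decrypt.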

Next steps