Configure customer-managed keys with Azure Key Vault by using PowerShell

Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption of blob and file data.

Customer-managed keys must be stored in an Azure Key Vault. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Storage encryption and key management, see Azure Storage encryption for data at rest. For more information about Azure Key Vault, see What is Azure Key Vault?

This article shows how to configure an Azure Key Vault with customer-managed keys using PowerShell. To learn how to create a key vault using Azure CLI, see Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell.

Assign an identity to the storage account

To enable customer-managed keys for your storage account, first assign a system-assigned managed identity to the storage account. You'll use this managed identity to grant the storage account permissions to access the key vault.

To assign a managed identity using PowerShell, call Set-AzStorageAccount. Remember to replace the placeholder values in brackets with your own values.

$storageAccount = Set-AzStorageAccount -ResourceGroupName <resource_group> `
    -Name <storage-account> `
    -AssignIdentity

For more information about configuring system-assigned managed identities with PowerShell, see Configure managed identities for Azure resources on an Azure VM using PowerShell.

Create a new key vault

To create a new key vault using PowerShell, install version 2.0.0 or later of the Az.KeyVault PowerShell module. Then call New-AzKeyVault to create a new key vault.

The key vault that you use to store customer-managed keys for Azure Storage encryption must have two key protection settings enabled, Soft Delete and Do Not Purge. In version 2.0.0 and later of the Az.KeyVault module, soft delete is enabled by default when you create a new key vault.

The following example creates a new key vault with the Soft Delete and Do Not Purge properties enabled. Remember to replace the placeholder values in brackets with your own values.

$keyVault = New-AzKeyVault -Name <key-vault> `
    -ResourceGroupName <resource_group> `
    -Location <location> `
    -EnablePurgeProtection

To learn how to enable Soft Delete and Do Not Purge on an existing key vault with PowerShell, see the sections titled Enabling soft-delete and Enabling Purge Protection in How to use soft-delete with PowerShell.

Configure the key vault access policy

Next, configure the access policy for the key vault so that the storage account has permissions to access it. In this step, you'll use the managed identity that you previously assigned to the storage account.

To set the access policy for the key vault, call Set-AzKeyVaultAccessPolicy. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
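Before creating keys or changing the storage account's encryption settings, it is worth verifying that the vault actually meets the requirements stated above (Soft Delete, Do Not Purge, same region as the storage account, and a managed identity to grant access to). The following pre-flight check is an added example, not part of the original article; it assumes the $storageAccount and $keyVault variables from the earlier examples, and the function name Test-CmkKeyVault is this example's own. It works equally for an existing vault if you pass its name instead.

```powershell
# Added example: confirm a key vault is fit to hold customer-managed keys
# for the given storage account. Assumes the Az.KeyVault and Az.Storage
# modules are loaded and the caller is signed in.
function Test-CmkKeyVault {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] $StorageAccount
    )
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) {
        Write-Warning "Key vault '$VaultName' was not found."
        return $false
    }

    $problems = @()

    # Both protection settings are required: a deleted key must be recoverable,
    # and it must not be permanently purged while data still depends on it.
    if ($vault.EnableSoftDelete -ne $true)      { $problems += 'Soft Delete is not enabled' }
    if ($vault.EnablePurgeProtection -ne $true) { $problems += 'Do Not Purge (purge protection) is not enabled' }

    # The vault and the storage account must be in the same region
    # (different subscriptions are fine).
    if ($vault.Location -ne $StorageAccount.Location) {
        $problems += "Vault region '$($vault.Location)' differs from storage account region '$($StorageAccount.Location)'"
    }

    # The access policy step needs a principal to grant; make sure the
    # system-assigned managed identity exists before going further.
    if (-not $StorageAccount.Identity -or -not $StorageAccount.Identity.PrincipalId) {
        $problems += 'Storage account has no system-assigned managed identity'
    }

    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

# Stop here rather than continue with a vault that cannot protect the key.
if (-not (Test-CmkKeyVault -VaultName $keyVault.VaultName -StorageAccount $storageAccount)) {
    throw 'Key vault does not meet the customer-managed key requirements.'
}
```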

Set-AzKeyVaultAccessPolicy `
    -VaultName $keyVault.VaultName `
    -ObjectId $storageAccount.Identity.PrincipalId `
    -PermissionsToKeys wrapkey,unwrapkey,get

Create a new key

Next, create a new key in the key vault. To create a new key, call Add-AzKeyVaultKey. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

$key = Add-AzKeyVaultKey -VaultName $keyVault.VaultName -Name <key> -Destination 'Software'

Azure Storage encryption supports RSA keys of sizes 2048, 3072 and 4096. For more information about keys, see Key Vault keys in About Azure Key Vault keys, secrets and certificates.

Configure encryption with customer-managed keys

By default, Azure Storage encryption uses Microsoft-managed keys. In this step, configure your Azure Storage account to use customer-managed keys with Azure Key Vault, then specify the key to associate with the storage account.

When you configure encryption with customer-managed keys, you can choose to automatically update the key used for encryption when the key version changes in the associated key vault. Alternately, you can explicitly specify a key version to be used for encryption until the key version is manually updated.

Note

To rotate a key, create a new version of the key in Azure Key Vault. Azure Storage does not handle the rotation of the key in Azure Key Vault, so you will need to rotate your key manually or create a function to rotate it on a schedule.

Configure encryption to automatically update the key version

To configure encryption with customer-managed keys to automatically update the key version, install the Az.Storage module, version 2.0.0 or later.

To automatically update the key version for a customer-managed key, omit the key version when you configure encryption with customer-managed keys for the storage account. Call Set-AzStorageAccount to update the storage account's encryption settings, as shown in the following example, and include the -KeyvaultEncryption option to enable customer-managed keys for the storage account. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

Set-AzStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName `
    -AccountName $storageAccount.StorageAccountName `
    -KeyvaultEncryption `
    -KeyName $key.Name `
    -KeyVaultUri $keyVault.VaultUri

Configure encryption for manual updating of key versions

To explicitly specify a key version to use for encryption, provide the key version when you configure encryption with customer-managed keys for the storage account. Call Set-AzStorageAccount to update the storage account's encryption settings, as shown in the following example, and include the -KeyvaultEncryption option to enable customer-managed keys for the storage account. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

Set-AzStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName `
    -AccountName $storageAccount.StorageAccountName `
    -KeyvaultEncryption `
    -KeyName $key.Name `
    -KeyVersion $key.Version `
    -KeyVaultUri $keyVault.VaultUri

When you manually update the key version, you'll need to update the storage account's encryption settings to use the new version. First, call Get-AzKeyVaultKey to get the latest version of the key. Then call Set-AzStorageAccount to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.

Use a different key

To change the key used for Azure Storage encryption, call Set-AzStorageAccount as shown in Configure encryption with customer-managed keys and provide the new key name and version. If the new key is in a different key vault, also update the key vault URI.

Revoke customer-managed keys

You can revoke customer-managed keys by removing the key vault access policy. To revoke a customer-managed key, call the Remove-AzKeyVaultAccessPolicy command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
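The manual update described above, written out as one script that also verifies the result, is an added example and not part of the original article. It assumes the $storageAccount, $keyVault and $key variables from the earlier examples; the function name Update-CmkKeyVersion is this example's own. It refuses to switch to a disabled key version and leaves accounts that track the latest version automatically untouched.

```powershell
# Added example: move a storage account that pins an explicit key version
# onto the newest version of the same key, then confirm the change landed.
function Update-CmkKeyVersion {
    param(
        [Parameter(Mandatory)] $StorageAccount,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $KeyName
    )
    # Without -Version, Get-AzKeyVaultKey returns the current (latest) version.
    $latest = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
    if (-not $latest) { throw "Key '$KeyName' was not found in vault '$VaultName'." }
    if (-not $latest.Enabled) {
        throw "Latest version $($latest.Version) of key '$KeyName' is disabled; not switching to it."
    }

    # Re-read the account so we act on its current encryption settings.
    $current = Get-AzStorageAccount -ResourceGroupName $StorageAccount.ResourceGroupName `
        -Name $StorageAccount.StorageAccountName
    $props = $current.Encryption.KeyVaultProperties
    if ($current.Encryption.KeySource -ne 'Microsoft.Keyvault' -or -not $props) {
        throw 'Storage account is not using customer-managed keys; nothing to rotate.'
    }
    if ([string]::IsNullOrEmpty($props.KeyVersion)) {
        Write-Host 'Account tracks the latest key version automatically; no manual update needed.'
        return $current
    }
    if ($props.KeyVersion -eq $latest.Version) {
        Write-Host "Already on version $($latest.Version); no change."
        return $current
    }

    Write-Host "Updating $($current.StorageAccountName): $($props.KeyVersion) -> $($latest.Version)"
    Set-AzStorageAccount -ResourceGroupName $current.ResourceGroupName `
        -AccountName $current.StorageAccountName `
        -KeyvaultEncryption `
        -KeyName $latest.Name `
        -KeyVersion $latest.Version `
        -KeyVaultUri $props.KeyVaultUri | Out-Null

    # Verify before trusting the change: read the account back and compare.
    $after = Get-AzStorageAccount -ResourceGroupName $current.ResourceGroupName `
        -Name $current.StorageAccountName
    if ($after.Encryption.KeyVaultProperties.KeyVersion -ne $latest.Version) {
        throw 'Storage account still reports the old key version after the update.'
    }
    return $after
}

Update-CmkKeyVersion -StorageAccount $storageAccount -VaultName $keyVault.VaultName -KeyName $key.Name
```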

Remove-AzKeyVaultAccessPolicy -VaultName $keyVault.VaultName `
    -ObjectId $storageAccount.Identity.PrincipalId

Disable customer-managed keys

When you disable customer-managed keys, your storage account is once again encrypted with Microsoft-managed keys. To disable customer-managed keys, call Set-AzStorageAccount with the -StorageEncryption option, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

Set-AzStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName `
    -AccountName $storageAccount.StorageAccountName `
    -StorageEncryption

Next steps