Use customer-managed keys in Azure Key Vault for Import/Export service

Azure Import/Export protects the BitLocker keys used to lock the drives via an encryption key. By default, BitLocker keys are encrypted with Microsoft-managed keys. For additional control over encryption keys, you can also provide customer-managed keys.

Customer-managed keys must be created and stored in an Azure Key Vault. For more information about Azure Key Vault, see What is Azure Key Vault?

This article shows how to use customer-managed keys with the Import/Export service in the Azure portal.

Prerequisites

Before you begin, make sure:

  1. You have created an import or an export job as per the instructions in:

  2. You have an existing Azure Key Vault with a key in it that you can use to protect your BitLocker key. To learn how to create a key vault using the Azure portal, see Quickstart: Create an Azure Key Vault using the Azure portal.

    • Soft delete and Do not purge are set on your existing Key Vault. These properties are not enabled by default. To enable these properties, see the sections titled Enabling soft-delete and Enabling Purge Protection in one of the following articles:

    • The existing key vault should have an RSA key of 2048 bits or more. For more information about keys, see About keys.

    • The key vault must be in the same region as the storage account for your data.

    • If you don't have an existing Azure Key Vault, you can also create it inline as described in the following section.

Enable keys

Configuring a customer-managed key for your Import/Export service is optional. By default, the Import/Export service uses a Microsoft-managed key to protect your BitLocker key. To enable customer-managed keys in the Azure portal, follow these steps:

  1. Go to the Overview blade for your Import job.

  2. In the right pane, select Choose how your BitLocker keys are encrypted.

    (Screenshot: Choose encryption option)

  3. In the Encryption blade, you can view and copy the device BitLocker key. Under Encryption type, you can choose how you want to protect your BitLocker key. By default, a Microsoft-managed key is used.

    (Screenshot: View BitLocker key)

  4. You have the option to specify a customer-managed key. After you have selected the customer-managed key, choose Select key vault and a key.

    (Screenshot: Choose customer-managed key)

  5. In the Select key from Azure Key Vault blade, the subscription is automatically populated. For Key vault, you can select an existing key vault from the dropdown list.

    (Screenshot: Select or create Azure Key Vault)

  6. You can also select Create new to create a new key vault. In the Create key vault blade, enter the resource group and the key vault name. Accept all other defaults. Select Review + Create.

    (Screenshot: Create new Azure Key Vault)

  7. Review the information associated with your key vault and select Create. Wait a couple of minutes for the key vault creation to complete.

    (Screenshot: Create Azure Key Vault)

  8. In Select key from Azure Key Vault, you can select a key in the existing key vault.

  9. If you created a new key vault, select Create new to create a key. The RSA key size can be 2048 or greater.

    (Screenshot: Create new key in Azure Key Vault)

    If soft delete and purge protection were not enabled when you created the key vault, the key vault will be updated to have soft delete and purge protection enabled.

  10. Provide the name for your key, accept the other defaults, and select Create.

    (Screenshot: Create new key)

  11. Select the Version and then choose Select. You are notified that a key has been created in your key vault.

    (Screenshot: New key created in key vault)

In the Encryption blade, you can see the key vault and the key selected for your customer-managed key.

Important

You can only disable Microsoft-managed keys and move to customer-managed keys at any stage of the import/export job. However, you cannot disable the customer-managed key once you have created it.

Troubleshoot customer-managed key errors

If you receive any errors related to your customer-managed key, use the following table to troubleshoot:

Error code: CmkErrorAccessRevoked
  Details: Access to the customer-managed key is revoked.
  Recoverable? Yes, check if:
    1. The key vault still has the MSI in the access policy.
    2. The access policy has Get, Wrap, and Unwrap permissions enabled.
    3. If the key vault is in a VNet behind the firewall, check if Allow Microsoft Trusted Services is enabled.
    4. Check if the MSI of the job resource was reset to None using APIs. If yes, set the value back to Identity = SystemAssigned. This recreates the identity for the job resource. Once the new identity has been created, enable Get, Wrap, and Unwrap permissions for the new identity in the key vault's access policy.

Error code: CmkErrorKeyDisabled
  Details: The customer-managed key is disabled.
  Recoverable? Yes, by enabling the key version.

Error code: CmkErrorKeyNotFound
  Details: Cannot find the customer-managed key.
  Recoverable? Yes, if the key has been deleted but is still within the purge duration, using Undo Key vault key removal. Otherwise:
    1. Yes, if the customer has the key backed up and restores it.
    2. No, otherwise.

Error code: CmkErrorVaultNotFound
  Details: Cannot find the key vault of the customer-managed key.
  Recoverable? If the key vault has been deleted:
    1. Yes, if it is within the purge-protection duration, using the steps at Recover a key vault.
    2. No, if it is beyond the purge-protection duration.
  If instead the key vault was migrated to a different tenant, it can be recovered using one of the following steps:
    1. Revert the key vault back to the old tenant.
    2. Set Identity = None and then set the value back to Identity = SystemAssigned. This deletes and recreates the identity. Once the new identity has been created, enable Get, Wrap, and Unwrap permissions for the new identity in the key vault's Access policy.
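The prerequisites above (soft delete, purge protection, an RSA key of at least 2048 bits, the same region as the storage account) and the CmkErrorAccessRevoked and CmkErrorKeyDisabled checklist in this table are all properties you can read back and verify before a job fails. The following Python script is an added example, not Microsoft's or the Import/Export service's code. It assumes input shaped like the JSON returned by `az keyvault show` and `az keyvault key show` and an ARM `identity` block with `type` and `principalId`; every sample value in it is constructed, and the function names `rsa_modulus_bits`, `constructed_modulus` and `check_cmk_setup` are my own.

```python
import base64

# Key permissions the job's managed identity needs (the page's Get, Wrap, Unwrap),
# spelled as Key Vault access-policy permission names, compared case-insensitively.
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}
MIN_RSA_BITS = 2048


def rsa_modulus_bits(n_b64url):
    """Bit length of an RSA modulus given as the base64url JWK 'n' value."""
    padded = n_b64url + "=" * (-len(n_b64url) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big").bit_length()


def constructed_modulus(nbytes):
    """Constructed (not real) modulus of all-ones bytes, encoded like a JWK 'n'."""
    return base64.urlsafe_b64encode(b"\xff" * nbytes).rstrip(b"=").decode()


def check_cmk_setup(vault, key, job_identity, storage_region):
    """Return a list of findings; an empty list means every check on this page passed.

    vault: dict shaped like `az keyvault show` output (assumed shape)
    key: dict shaped like `az keyvault key show` output (assumed shape)
    job_identity: the job's ARM identity block, e.g. {"type": "SystemAssigned", "principalId": ...}
    storage_region: location of the storage account holding the data
    """
    findings = []
    props = vault["properties"]

    # Prerequisites: soft delete, purge protection, same region as the storage account.
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is not enabled on the key vault")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is not enabled on the key vault")
    if vault["location"].lower() != storage_region.lower():
        findings.append(f"key vault region {vault['location']} differs from storage account region {storage_region}")

    # Prerequisite: RSA key of 2048 bits or more; CmkErrorKeyDisabled: the key version must be enabled.
    jwk = key["key"]
    if jwk.get("kty") not in ("RSA", "RSA-HSM"):
        findings.append(f"key type {jwk.get('kty')} is not RSA")
    else:
        bits = rsa_modulus_bits(jwk["n"])
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {bits} bits; at least {MIN_RSA_BITS} required")
    if not key.get("attributes", {}).get("enabled", False):
        findings.append("key version is disabled (CmkErrorKeyDisabled)")

    # CmkErrorAccessRevoked checklist: identity still SystemAssigned, access policy grants
    # get/wrap/unwrap to it, and a vault firewall lets trusted Microsoft services through.
    if job_identity.get("type") != "SystemAssigned":
        findings.append("job identity is not SystemAssigned; set Identity = SystemAssigned to recreate it")
    else:
        oid = job_identity.get("principalId")
        policy = next((p for p in props.get("accessPolicies", []) if p.get("objectId") == oid), None)
        if policy is None:
            findings.append("job identity has no entry in the key vault access policy")
        else:
            granted = {perm.lower() for perm in policy.get("permissions", {}).get("keys", [])}
            missing = REQUIRED_KEY_PERMISSIONS - granted
            if missing:
                findings.append(f"access policy is missing key permissions: {sorted(missing)}")
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() == "deny":
        bypass = {b.strip().lower() for b in str(acls.get("bypass", "")).split(",")}
        if "azureservices" not in bypass:
            findings.append("vault firewall denies by default and does not allow trusted Microsoft services")
    return findings


# Constructed sample data (no real identifiers): a vault that fails three checks and the
# same vault with those settings corrected, plus an enabled 2048-bit RSA key.
MODULUS_2048 = constructed_modulus(256)
JOB_IDENTITY = {"type": "SystemAssigned", "principalId": "00000000-0000-0000-0000-00000000aaaa"}
KEY = {"key": {"kty": "RSA", "n": MODULUS_2048}, "attributes": {"enabled": True}}
VAULT_BROKEN = {
    "location": "eastus",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": False,
        "accessPolicies": [{"objectId": JOB_IDENTITY["principalId"],
                            "permissions": {"keys": ["get", "wrapKey"]}}],
        "networkAcls": {"defaultAction": "Deny", "bypass": "None"},
    },
}
VAULT_FIXED = {
    "location": "eastus",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "accessPolicies": [{"objectId": JOB_IDENTITY["principalId"],
                            "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}],
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
    },
}

if __name__ == "__main__":
    for name, vault in (("broken", VAULT_BROKEN), ("fixed", VAULT_FIXED)):
        print(name, check_cmk_setup(vault, KEY, JOB_IDENTITY, "eastus") or ["all checks passed"])
```

Against real resources you would feed the script the output of `az keyvault show --name <vault>` and `az keyvault key show --vault-name <vault> --name <key>` and the job's identity block, so the findings line up with the rows of the table: a missing access-policy entry or permission maps to CmkErrorAccessRevoked, a disabled key version to CmkErrorKeyDisabled.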

Next steps