Azure Storage security guide

Azure Storage provides a comprehensive set of security capabilities that together enable developers to build secure applications:

  • All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE). For more information, see Announcing Default Encryption for Azure Blobs, Files, Table and Queue Storage.
  • Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) are supported for Azure Storage for both resource management operations and data operations, as follows:
    • You can assign RBAC roles scoped to the storage account to security principals and use Azure AD to authorize resource management operations such as key management.
    • Azure AD integration is supported for blob and queue data operations. You can assign RBAC roles scoped to a subscription, resource group, storage account, or an individual container or queue to a security principal or a managed identity for Azure resources. For more information, see Authenticate access to Azure Storage using Azure Active Directory.
  • Data can be secured in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0.
  • OS and data disks used by Azure virtual machines can be encrypted using Azure Disk Encryption.
  • Delegated access to the data objects in Azure Storage can be granted using Shared Access Signatures.

This article provides an overview of each of these security features that can be used with Azure Storage. Links are provided to articles that give details of each feature so you can easily investigate each topic further.

Here are the topics covered in this article:

  • Management Plane Security - Securing your Storage Account

    The management plane consists of the resources used to manage your storage account. This section covers the Azure Resource Manager deployment model and how to use Role-Based Access Control (RBAC) to control access to your storage accounts. It also addresses managing your storage account keys and how to regenerate them.

  • Data Plane Security - Securing Access to Your Data

    In this section, we look at allowing access to the actual data objects in your storage account, such as blobs, files, queues, and tables, using Shared Access Signatures and Stored Access Policies. We cover both service-level SAS and account-level SAS. We also see how to limit access to a specific IP address (or range of IP addresses), how to limit the protocol used to HTTPS, and how to revoke a Shared Access Signature without waiting for it to expire.

  • Encryption in Transit

    This section discusses how to secure data when you transfer it into or out of Azure Storage. We talk about the recommended use of HTTPS and the encryption used by SMB 3.0 for Azure file shares. We also take a look at client-side encryption, which lets a client application encrypt data before it is transferred into Storage and decrypt it after it is transferred out.

  • Encryption at Rest

    We talk about Storage Service Encryption (SSE), which is now automatically enabled for new and existing storage accounts. We also look at how you can use Azure Disk Encryption and explore the basic differences between, and the use cases for, Disk Encryption, SSE, and client-side encryption.

  • Using Storage Analytics to audit access of Azure Storage

    This section discusses how to find information about a request in the storage analytics logs. We take a look at real storage analytics log data and see how to discern whether a request was made with the storage account key, with a Shared Access Signature, or anonymously, and whether it succeeded or failed.

  • Enabling Browser-Based Clients using CORS

    This section talks about how to allow cross-origin resource sharing (CORS). We talk about cross-domain access and how to handle it with the CORS capabilities built into Azure Storage.

Management Plane Security

The management plane consists of operations that affect the storage account itself. For example, you can create or delete a storage account, get a list of storage accounts in a subscription, retrieve the storage account keys, or regenerate the storage account keys.

When you create a new storage account, you select a deployment model of Classic or Resource Manager. The Classic model of creating resources in Azure only allows all-or-nothing access to the subscription, and in turn to the storage account.

This guide focuses on the Resource Manager model, which is the recommended means for creating storage accounts. With Resource Manager storage accounts, rather than giving access to the entire subscription, you can control access to the management plane at a finer granularity using Role-Based Access Control (RBAC).

How to secure your storage account with Role-Based Access Control (RBAC)

Let's talk about what RBAC is and how you can use it. Each Azure subscription has an Azure Active Directory. Users, groups, and applications from that directory can be granted access to manage resources in the Azure subscription that use the Resource Manager deployment model. This type of security is referred to as Role-Based Access Control (RBAC). To manage this access, you can use the Azure portal, the Azure CLI tools, PowerShell, or the Azure Storage Resource Provider REST APIs.

With the Resource Manager model, you put the storage account in a resource group and control access to the management plane of that specific storage account using Azure Active Directory. For example, you can give specific users the ability to access the storage account keys, while other users can view information about the storage account but cannot access the storage account keys.

Granting Access

Access is granted by assigning the appropriate RBAC role to users, groups, and applications at the right scope. To grant access to the entire subscription, you assign a role at the subscription level. You can grant access to all of the resources in a resource group by granting permissions on the resource group itself. You can also assign specific roles to specific resources, such as storage accounts.

Here are the main points that you need to know about using RBAC to access the management operations of an Azure Storage account:

  • When you assign access, you assign a role to the account that you want to have access. You control access to the operations used to manage that storage account, but not to the data objects in the account. For example, you can grant permission to retrieve the properties of the storage account (such as redundancy), but not to a container or the data within a container in Blob Storage.

  • For someone to have permission to access the data objects in the storage account, you can give them permission to read the storage account keys, and that user can then use those keys to access the blobs, queues, tables, and files. Keep in mind that anyone who can read the keys thereby gets full data-plane access: the keys do not distinguish between read and write, or between services.

  • Roles can be assigned to a specific user account, a group of users, or a specific application.

  • Each role has a list of Actions and NotActions. For example, the Virtual Machine Contributor role has an Action, Microsoft.Storage/storageAccounts/listKeys/action, that allows the storage account keys to be read. The Contributor role has NotActions such as Microsoft.Authorization/*/Write, so it cannot create or change role assignments.

  • Roles for storage include (but are not limited to) the following:

    • Owner - They can manage everything, including access.

    • Contributor - They can do anything the Owner can do except assign access. Someone with this role can view and regenerate the storage account keys. With the storage account keys, they can access the data objects.

    • Reader - They can view information about the storage account, except secrets. For example, if you assign a role with Reader permissions on the storage account to someone, they can view the properties of the storage account, but they cannot change the properties or view the storage account keys.

    • Storage Account Contributor - They can manage the storage account: they can read the subscription's resource groups and resources, and create and manage subscription resource group deployments. They can also access the storage account keys, which in turn means they can access the data plane.

    • User Access Administrator - They can manage user access to the storage account. For example, they can grant Reader access to a specific user.

    • Virtual Machine Contributor - They can manage virtual machines but not the storage account to which they are connected. This role can list the storage account keys, which means that the user to whom you assign this role can read and update the data plane.

      For a user to create a virtual machine with unmanaged disks, they have to be able to create the corresponding VHD file in a storage account. To do that, they need to be able to retrieve the storage account key and pass it to the API creating the VM. Therefore, they must have the permission to list the storage account keys.

  • The ability to define custom roles lets you compose a set of actions from the list of available actions that can be performed on Azure resources.

  • The user must exist in your Azure Active Directory before you can assign a role to them.

  • You can create a report of who granted or revoked what kind of access, to or from whom, and at what scope, using PowerShell or the Azure CLI.


Managing Your Storage Account Keys

Storage account keys are 512-bit strings created by Azure that, along with the storage account name, can be used to access the data objects stored in the storage account, for example, blobs, entities within a table, queue messages, and files on an Azure file share. Controlling access to the storage account keys controls access to the data plane for that storage account.

Each storage account has two keys, referred to as "Key 1" and "Key 2" in the Azure portal and in the PowerShell cmdlets. These can be regenerated manually using one of several methods, including but not limited to the Azure portal, PowerShell, the Azure CLI, or programmatically using the .NET Storage Client Library or the Azure Storage Services REST API.

There are any number of reasons to regenerate your storage account keys:

  • You might regenerate them on a regular basis for security reasons.
  • You would regenerate your storage account keys if someone managed to break into an application and retrieve a key that was hardcoded or saved in a configuration file, giving them full access to your storage account.
  • Another case for key regeneration is if your team uses a Storage Explorer application that retains the storage account key, and one of the team members leaves. The application would continue to work, giving that person access to your storage account after they are gone. This is actually the primary reason account-level Shared Access Signatures were created: you can use an account-level SAS instead of storing the access keys in a configuration file.

Key regeneration plan

You don't want to just regenerate the key you are using without some planning. If you do, you could cut off all access to that storage account, which can cause major disruption. This is why there are two keys: you should regenerate one key at a time.

Before you regenerate your keys, be sure you have a list of all of your applications that depend on the storage account, as well as any other Azure services you are using. For example, if you are using Azure Media Services with that storage account, you must resync the access keys with your media service after you regenerate the key. If you are using any applications such as a storage explorer, you will need to provide the new keys to those applications as well. If you have VMs whose VHD files are stored in the storage account, they will not be affected by regenerating the storage account keys.

You can regenerate your keys in the Azure portal. Once keys are regenerated, they can take up to 10 minutes to be synchronized across Storage services.

When you're ready, here is the general process for changing your key. In this case, the assumption is that you are currently using Key 1 and you are going to change everything to use Key 2 instead.

  1. Regenerate Key 2 to ensure that it is secure. You can do this in the Azure portal.
  2. In all of the applications where the storage key is stored, change the storage key to use Key 2's new value. Test and publish the application.
  3. After all of the applications and services are up and running successfully, regenerate Key 1. This ensures that anybody to whom you have not expressly given the new key no longer has access to the storage account.

If you are currently using Key 2, you can use the same process, but reverse the key names.

You can migrate over a couple of days, changing each application to use the new key and publishing it. After all of them are done, go back and regenerate the old key so it no longer works.

Another option is to put the storage account key in Azure Key Vault as a secret and have your applications retrieve the key from there. Then when you regenerate the key and update Key Vault, the applications will not need to be redeployed because they will pick up the new key from Key Vault automatically. Note that you can have the application read the key each time it needs it, or you can cache it in memory and, if a request fails with an authorization error, retrieve the key from Key Vault again.

Using Azure Key Vault also adds another level of security for your storage keys. If you use this method, you never have the storage key hardcoded in a configuration file, which removes that avenue for somebody to get access to the keys without specific permission.

Another advantage of using Azure Key Vault is that you can also control access to your keys using Azure Active Directory. This means you can grant access to the handful of applications that need to retrieve the keys from Key Vault, and know that other applications will not be able to access the keys without being granted permission specifically.

Note

We recommend using only one of the keys in all of your applications at the same time. If you use Key 1 in some places and Key 2 in others, you will not be able to rotate your keys without some application losing access.
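The following Python is an added example, not code from the original article or an Azure SDK call: it models the three-step plan above and the Key Vault pattern in memory. StorageAccount, KeyVault and the two client classes are constructed stand-ins (the real operations are the portal, PowerShell, CLI or REST calls mentioned above); the "stale" client represents an application that hardcoded Key 1 and was left off the dependency inventory.

```python
import base64
import secrets


def new_key():
    """A fresh 512-bit key in the base64 form Azure uses (generated locally for this model)."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


class StorageAccount:
    """In-memory stand-in for the account's two keys: a request succeeds with either one."""

    def __init__(self):
        self.keys = {"key1": new_key(), "key2": new_key()}

    def regenerate(self, name):
        self.keys[name] = new_key()

    def accepts(self, key):
        return key in self.keys.values()


class KeyVault:
    """In-memory stand-in for one Key Vault secret holding the key applications should use."""

    def __init__(self, value):
        self.value = value

    def get(self):
        return self.value

    def set(self, value):
        self.value = value


class VaultBackedClient:
    """Caches the key in memory; on an authorization failure it refetches once, then fails closed."""

    def __init__(self, account, vault):
        self.account, self.vault, self.cached = account, vault, None

    def request(self):
        if self.cached is None:
            self.cached = self.vault.get()
        if self.account.accepts(self.cached):
            return True
        self.cached = self.vault.get()   # exactly one refresh; no retry loop on a bad secret
        return self.account.accepts(self.cached)


class HardcodedClient:
    """An application that copied the key into a config file and was left off the inventory."""

    def __init__(self, account, key):
        self.account, self.key = account, key

    def request(self):
        return self.account.accepts(self.key)


def demo():
    """Walk the three-step plan (Key 1 -> Key 2) and record who can still reach storage."""
    account = StorageAccount()
    vault = KeyVault(account.keys["key1"])
    good = VaultBackedClient(account, vault)
    stale = HardcodedClient(account, account.keys["key1"])
    good.request()                                   # warm the cache with the old key1
    timeline = {}
    account.regenerate("key2")                       # step 1: fresh value for the unused key
    vault.set(account.keys["key2"])                  # step 2: publish it to the applications
    timeline["after_step_2"] = (good.request(), stale.request())  # both still work: key1 is live
    account.regenerate("key1")                       # step 3: cut off everything holding old key1
    timeline["after_step_3"] = (good.request(), stale.request())  # vault client self-heals
    return timeline


def mixed_usage(account):
    """The Note's case: apps split across key1 and key2, so regenerating either cuts someone off."""
    a = HardcodedClient(account, account.keys["key1"])
    b = HardcodedClient(account, account.keys["key2"])
    account.regenerate("key2")
    return a.request(), b.request()


if __name__ == "__main__":
    print(demo())                         # {'after_step_2': (True, True), 'after_step_3': (True, False)}
    print(mixed_usage(StorageAccount()))  # (True, False)
```

Two points the timeline makes that the plan does not state explicitly: testing after step 2 cannot reveal an application that is still on Key 1, because Key 1 is still valid, which is why the inventory of dependents matters; and the cached client refetches the secret only once per failure, so a wrong secret in Key Vault produces a clean failure rather than a retry storm.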


Data Plane Security

Data Plane Security refers to the methods used to secure the data objects stored in Azure Storage: the blobs, queues, tables, and files. Encrypting the data at rest and in transit is covered in the encryption sections; this section is about how you control access to the objects themselves.

You have three options for authorizing access to data objects in Azure Storage:

  • Using Azure AD to authorize access to containers and queues. Azure AD provides advantages over the other approaches to authorization, including removing the need to store secrets in your code. For more information, see Authenticate access to Azure Storage using Azure Active Directory.
  • Using your storage account keys to authorize access via Shared Key. Authorizing via Shared Key requires storing your storage account keys in your application, so Azure recommends using Azure AD instead where possible.
  • Using Shared Access Signatures to grant controlled permissions to specific data objects for a specific amount of time.

In addition, for Blob Storage, you can allow public access to your blobs by setting the access level of the container that holds the blobs accordingly. If you set the access level for a container to Blob or Container, it allows public read access to the blobs in that container (the Container level additionally allows anonymous listing of the container's blobs). This means anyone with a URL pointing to a blob in that container can open it in a browser without using a Shared Access Signature or having the storage account keys.

In addition to limiting access through authorization, you can also use Firewalls and Virtual Networks to limit access to the storage account based on network rules. This approach enables you to deny access to public internet traffic and grant access only to specific Azure Virtual Networks or public internet IP address ranges.

Storage Account Keys

Storage account keys are 512-bit strings created by Azure that, along with the storage account name, can be used to access the data objects stored in the storage account.

For example, you can read blobs, write to queues, create tables, and modify files. Many of these actions can be performed through the Azure portal or using one of many Storage Explorer applications. You can also write code that uses the REST API or one of the Storage Client Libraries to perform these operations.

As discussed in the section on Management Plane Security, access to the storage keys for a Classic storage account can only be granted by giving full access to the Azure subscription. Access to the storage keys for a storage account using the Azure Resource Manager model can be controlled through Role-Based Access Control (RBAC).

How to delegate access to objects in your account using Shared Access Signatures and Stored Access Policies

A Shared Access Signature is a string containing a security token that can be attached to a URI. It lets you delegate access to storage objects and specify constraints such as the permissions granted and the date/time range of access.

You can grant access to blobs, containers, queues, files, and tables. With tables, you can actually grant permission to access a range of entities in the table by specifying the partition and row key ranges to which you want the user to have access. For example, if you have data stored with a partition key of geographical state, you could give someone access to just the data for California.

In another example, you might give a web application a SAS token that enables it to write entries to a queue, and give a worker role application a SAS token to get messages from the queue and process them. Or you could give one customer a SAS token they can use to upload pictures to a container in Blob Storage, and give a web application permission to read those pictures. In both cases, there is a separation of concerns: each application is given just the access it requires to perform its task. This is possible through the use of Shared Access Signatures.

Why you want to use Shared Access Signatures

Why would you want to use a SAS instead of just giving out your storage account key, which is so much easier? Giving out your storage account key is like sharing the keys to your storage kingdom. It grants complete access. Someone could use your keys and upload their entire music library to your storage account. They could also replace your files with virus-infected versions, or steal your data. Giving away unlimited access to your storage account is something that should not be taken lightly.

With Shared Access Signatures, you can give a client just the permissions required for a limited amount of time. For example, if someone is uploading a blob to your account, you can grant them write access for just enough time to upload the blob (depending on the size of the blob, of course). And if you change your mind, you can revoke that access.

Additionally, you can specify that requests made using a SAS are restricted to a certain IP address or IP address range external to Azure. You can also require that requests are made using a specific protocol (HTTPS only, or HTTPS and HTTP). This means if you only want to allow HTTPS traffic, you can set the required protocol to HTTPS only, and HTTP requests carrying that SAS will be rejected.

Definition of a Shared Access Signature

A Shared Access Signature is a set of query parameters appended to the URL pointing at the resource that provides information about the access allowed and the length of time for which the access is permitted. Here is an example; this URI provides read access to a blob for five minutes. Note that SAS query parameters must be URL encoded, for example %3A for a colon (:) or %20 for a space. Because the token sets spr=https, the request itself must be sent over HTTPS, so the URL uses the https scheme.

https://mystorage.blob.core.chinacloudapi.cn/mycontainer/myblob.txt (URL to the blob)
?sv=2015-04-05 (storage service version)
&st=2015-12-10T22%3A18%3A26Z (start time, in UTC and URL encoded)
&se=2015-12-10T22%3A23%3A26Z (expiry time, in UTC and URL encoded)
&sr=b (resource is a blob)
&sp=r (read access)
&sip=168.1.5.60-168.1.5.70 (requests can only come from this range of IP addresses)
&spr=https (only allow HTTPS requests)
&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D (signature used to authenticate the SAS)

How the Shared Access Signature is authorized by the Azure Storage Service

When the storage service receives the request, it takes the input query parameters and recreates the signature with the account key using the same method as the calling program. It then compares the two signatures. If they agree, the storage service checks the storage service version to make sure it is valid, verifies that the current date and time are within the specified window, makes sure the access requested corresponds to the permissions granted, and so on.

For example, with our URL above, if the URL pointed to a file instead of a blob, the request would fail because the signature covers the resource path and the token specifies that the Shared Access Signature is for a blob. If the REST command being called was to update the blob, it would fail because the Shared Access Signature grants only read access.

Types of Shared Access Signatures

  • A service-level SAS can be used to access specific resources in a storage account. Some examples are retrieving a list of blobs in a container, downloading a blob, updating an entity in a table, adding messages to a queue, or uploading a file to a file share.
  • An account-level SAS can be used to access anything that a service-level SAS can be used for. Additionally, it can grant access to operations that are not permitted with a service-level SAS, such as creating containers, tables, queues, and file shares. You can also specify access to multiple services at once. For example, you might give someone access to both blobs and files in your storage account.

创建 SAS URICreating a SAS URI

  1. 可以根据需要创建 URI,每次都定义所有查询参数。You can create a URI on demand, defining all of the query parameters each time.

    该方法十分灵活,但如果每次都有一组类似的逻辑参数,使用存储访问策略是个不错的想法。This approach is flexible, but if you have a logical set of parameters that are similar each time, using a Stored Access Policy is a better idea.

  2. 可以针对整个容器、文件共享、表或队列创建存储访问策略。You can create a Stored Access Policy for an entire container, file share, table, or queue. 然后使用此策略作为所创建的 SAS URI 的基础。Then you can use this as the basis for the SAS URIs you create. 可以轻松撤销基于存储访问策略的权限。Permissions based on Stored Access Policies can be easily revoked. 可以对每个容器、队列、表或文件共享最多定义五个策略。You can have up to five policies defined on each container, queue, table, or file share.

    For example, if you were going to have many people read the blobs in a specific container, you could create a Stored Access Policy that says "give read access" plus any other settings that will be the same each time. Then you can create a SAS URI using the settings of the Stored Access Policy and specifying the expiration date/time. The advantage of this is that you don't have to specify all of the query parameters every time.

Revocation

Suppose your SAS has been compromised, or you want to change it because of corporate security or regulatory compliance requirements. How do you revoke access to a resource using that SAS? It depends on how you created the SAS URI.

If you are using ad hoc URIs, you have three options. You can issue SAS tokens with short expiration policies and wait for the SAS to expire. You can rename or delete the resource (assuming the token was scoped to a single object). You can change the storage account keys. This last option can have a significant impact, depending on how many services are using that storage account, and probably isn't something you want to do without some planning.

If you are using a SAS derived from a Stored Access Policy, you can remove access by revoking the Stored Access Policy: you can change it so that it has already expired, or you can remove it altogether. This takes effect immediately and invalidates every SAS created using that Stored Access Policy. Updating or removing the Stored Access Policy may impact people accessing that specific container, file share, table, or queue via SAS, but if the clients are written so that they request a new SAS when the old one becomes invalid, this will work fine.

Because a SAS derived from a Stored Access Policy can be revoked immediately, the recommended best practice is to use Stored Access Policies whenever possible.
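The difference between the two revocation paths comes down to where the token's terms live. The following is an added example, not code from this guide or from the Azure SDKs: a deliberately simplified model in which an ad hoc token carries its own permissions and expiry, while a policy-derived token carries only a policy identifier and is checked against the container's current policy table. The account key, resource path, timestamps and signing layout are all constructed for the example and do not reproduce Azure's real SAS string-to-sign.

```python
"""Simplified model of ad hoc vs. policy-derived SAS tokens (constructed example).

This is not Azure's real SAS string-to-sign; it keeps only the parts needed to
show why a token tied to a Stored Access Policy can be revoked at once while an
ad hoc token lives until its own expiry.
"""
import hashlib
import hmac

# Constructed account key; a real key is the base64 value shown in the portal.
ACCOUNT_KEY = b"constructed-account-key-not-a-real-secret"


def _sign(parts):
    """HMAC-SHA256 over a newline-joined list of fields, hex encoded."""
    string_to_sign = "\n".join(parts).encode("utf-8")
    return hmac.new(ACCOUNT_KEY, string_to_sign, hashlib.sha256).hexdigest()


def make_adhoc_sas(resource, permissions, expiry_ts):
    """Ad hoc token: permissions and expiry travel inside the token (sp, se)."""
    se = str(expiry_ts)
    return {"sr": resource, "sp": permissions, "se": se,
            "sig": _sign([permissions, se, resource, ""])}


def make_policy_sas(resource, policy_id):
    """Policy-derived token: only the policy identifier (si) travels in the token;
    permissions and expiry are read from the container's policy at check time."""
    return {"sr": resource, "si": policy_id,
            "sig": _sign(["", "", resource, policy_id])}


def authorize(token, now_ts, policies):
    """Return True if the token is validly signed and still valid at now_ts.

    policies maps policy id -> {"permissions": str, "expiry": int}, standing in
    for the stored access policies on a container."""
    if "si" in token:
        policy = policies.get(token["si"])
        if policy is None:
            return False  # policy deleted: every token derived from it is dead
        expected = _sign(["", "", token["sr"], token["si"]])
        if not hmac.compare_digest(expected, token["sig"]):
            return False
        return now_ts < policy["expiry"]  # policy expiry moved into the past: revoked
    expected = _sign([token["sp"], token["se"], token["sr"], ""])
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    return now_ts < int(token["se"])  # ad hoc: only the token's own expiry counts


def revoke_policy(policies, policy_id):
    """Revoke by deleting the policy; setting its expiry in the past works the same."""
    policies.pop(policy_id, None)


def demo():
    """Walk through both token kinds; returns (adhoc_ok, policy_ok, policy_ok_after_revoke)."""
    now = 1_700_000_000  # constructed Unix timestamp
    policies = {"readonly": {"permissions": "r", "expiry": now + 86_400}}
    blob = "/blob/mystorage/container/report.pdf"  # constructed resource path
    adhoc = make_adhoc_sas(blob, "r", now + 3_600)
    derived = make_policy_sas(blob, "readonly")
    before = (authorize(adhoc, now, policies), authorize(derived, now, policies))
    revoke_policy(policies, "readonly")
    after = authorize(derived, now, policies)
    return before[0], before[1], after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Note that after `revoke_policy` the ad hoc token in `demo` would still verify until its own `se` passes; that is exactly the gap the text describes, and why short lifetimes are the only lever for ad hoc tokens short of rotating the account key.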

Resources

For more detailed information on using Shared Access Signatures and Stored Access Policies, complete with examples, refer to the following articles:

Encryption in Transit

Transport-Level Encryption - Using HTTPS

Another step you should take to ensure the security of your Azure Storage data is to encrypt the data between the client and Azure Storage. The first recommendation is to always use the HTTPS protocol, which ensures secure communication over the public Internet.

To have a secure communication channel, you should always use HTTPS when calling the REST APIs or accessing objects in storage. Also, Shared Access Signatures, which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used with that signature, ensuring that anybody sending out links with SAS tokens will use the proper protocol.

You can enforce the use of HTTPS when calling the REST APIs to access objects in storage accounts by enabling Secure transfer required for the storage account. Once this is enabled, connections using HTTP will be refused.

Using encryption during transit with Azure file shares

Azure Files supports encryption via SMB 3.0 and via HTTPS when using the File REST API. When mounting from outside the Azure region the Azure file share is located in, such as on-premises or in another Azure region, SMB 3.0 with encryption is always required. SMB 2.1 does not support encryption, so by default connections are only allowed within the same region in Azure, but SMB 3.0 with encryption can be enforced by requiring secure transfer for the storage account.

SMB 3.0 with encryption is available in all supported Windows and Windows Server operating systems except Windows 7 and Windows Server 2008 R2, which only support SMB 2.1. SMB 3.0 is also supported on macOS and on Linux distributions using Linux kernel 4.11 and above. Encryption support for SMB 3.0 has also been backported to older versions of the Linux kernel by several Linux distributions; consult Understanding SMB client requirements for details.

Using client-side encryption to secure data that you send to storage

Another option that helps ensure your data is secure while being transferred between a client application and Storage is client-side encryption. The data is encrypted before being transferred into Azure Storage. When retrieving the data from Azure Storage, it is decrypted after it is received on the client side. Even though the data is encrypted going across the wire, we recommend that you also use HTTPS, as it has data integrity checks built in that help mitigate network errors affecting the integrity of the data.

Client-side encryption is also a method for encrypting your data at rest, as the data is stored in its encrypted form. We'll talk about this in more detail in the section on Encryption at Rest.

Encryption at Rest

There are three Azure features that provide encryption at rest. Azure Disk Encryption is used to encrypt the OS and data disks in IaaS Virtual Machines. Client-side Encryption and SSE are both used to encrypt data in Azure Storage.

While you can use Client-side Encryption to encrypt the data in transit (which is then also stored in its encrypted form in Storage), you may prefer to use HTTPS during the transfer and have some way for the data to be automatically encrypted when it is stored. There are two ways to do this: Azure Disk Encryption and SSE. One is used to directly encrypt the data on OS and data disks used by VMs, and the other is used to encrypt data written to Azure Blob Storage.

Storage Service Encryption (SSE)

SSE is enabled for all storage accounts and cannot be disabled. SSE automatically encrypts your data when writing it to Azure Storage. When you read data from Azure Storage, it is decrypted by Azure Storage before being returned. SSE enables you to secure your data without having to modify code or add code to any applications.

You can use either Azure-managed keys or your own custom keys. Azure generates managed keys and handles their secure storage as well as their regular rotation, as defined by internal Azure policy.

SSE automatically encrypts data in all performance tiers (Standard and Premium), all deployment models (Azure Resource Manager and Classic), and all of the Azure Storage services (Blob, Queue, Table, and File).

Client-side Encryption

We mentioned client-side encryption when discussing the encryption of data in transit. This feature allows you to programmatically encrypt your data in a client application before sending it across the wire to be written to Azure Storage, and to programmatically decrypt your data after retrieving it from Azure Storage.

This does provide encryption in transit, but it also provides Encryption at Rest. Although the data is encrypted in transit, we still recommend using HTTPS to take advantage of the built-in data integrity checks that help mitigate network errors affecting the integrity of the data.

An example of where you might use this is a web application that stores and retrieves blobs, where you want the application and data to be as secure as possible. In that case, you would use client-side encryption. The traffic between the client and the Azure Blob Service contains the encrypted resource, and nobody can interpret the data in transit and reconstitute it into your private blobs.

Client-side encryption is built into the Java and .NET storage client libraries, which in turn use the Azure Key Vault APIs, making it easy for you to implement. The process of encrypting and decrypting the data uses the envelope technique and stores the metadata used by the encryption in each storage object. For example, for blobs it is stored in the blob metadata, while for queues it is added to each queue message.

For the encryption itself, you can generate and manage your own encryption keys. You can also use keys generated by the Azure Storage Client Library, or you can have Azure Key Vault generate the keys. You can store your encryption keys in your on-premises key storage, or you can store them in an Azure Key Vault. Azure Key Vault allows you to grant access to the secrets in Azure Key Vault to specific users using Azure Active Directory. This means that not just anybody can read the Azure Key Vault and retrieve the keys you're using for client-side encryption.

Resources

Using Azure Disk Encryption to encrypt disks used by your virtual machines

Azure Disk Encryption allows you to encrypt the OS disks and data disks used by an IaaS Virtual Machine. For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. This is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys.

The solution supports the following scenarios for IaaS VMs when they are enabled in Azure:

  • Integration with Azure Key Vault
  • Standard tier VMs: A, D, DS, and so forth series IaaS VMs
  • Enabling encryption on Windows and Linux IaaS VMs
  • Disabling encryption on OS and data drives for Windows IaaS VMs
  • Disabling encryption on data drives for Linux IaaS VMs
  • Enabling encryption on IaaS VMs that are running Windows client OS
  • Enabling encryption on volumes with mount paths
  • Enabling encryption on Linux VMs that are configured with disk striping (RAID) by using mdadm
  • Enabling encryption on Linux VMs by using LVM for data disks
  • Enabling encryption on Windows VMs that are configured by using storage spaces
  • All Azure public regions are supported

The solution does not support the following scenarios, features, and technology in the release:

  • Basic tier IaaS VMs
  • Disabling encryption on an OS drive for Linux IaaS VMs
  • IaaS VMs that are created by using the classic VM creation method
  • Integration with your on-premises Key Management Service
  • Azure Files (shared file system), Network File System (NFS), dynamic volumes, and Windows VMs that are configured with software-based RAID systems

Note

Linux OS disk encryption is currently supported on the following Linux distributions: RHEL 7.2, CentOS 7.2n, and Ubuntu 16.04.

This feature ensures that all data on your virtual machine disks is encrypted at rest in Azure Storage.

Resources

Comparison of Azure Disk Encryption, SSE, and Client-Side Encryption

IaaS VMs and their VHD files

For data disks used by IaaS VMs, Azure Disk Encryption is recommended. If you create a VM with unmanaged disks using an image from the Azure Marketplace, Azure performs a shallow copy of the image to your storage account in Azure Storage, and it is not encrypted even if you have SSE enabled. After it creates the VM and starts updating the image, SSE will start encrypting the data. For this reason, it's best to use Azure Disk Encryption on VMs with unmanaged disks created from images in the Azure Marketplace if you want them fully encrypted. If you create a VM with Managed Disks, SSE encrypts all the data by default using platform-managed keys.

If you bring a pre-encrypted VM into Azure from on-premises, you will be able to upload the encryption keys to Azure Key Vault and continue using the encryption for that VM that you were using on-premises. Azure Disk Encryption is enabled to handle this scenario.

If you have a non-encrypted VHD from on-premises, you can upload it into the gallery as a custom image and provision a VM from it. If you do this using Resource Manager templates, you can ask it to turn on Azure Disk Encryption when it boots up the VM.

When you add a data disk and mount it on the VM, you can turn on Azure Disk Encryption on that data disk. It will encrypt that data disk locally first, and then the classic deployment model layer will do a lazy write against storage so the storage content is encrypted.

Client-side encryption

Client-side encryption is the most secure method of encrypting your data, because it encrypts data prior to transit. However, it does require that you add code to your applications that use storage, which you may not want to do. In those cases, you can use HTTPS to secure your data in transit. Once data reaches Azure Storage, it is encrypted by SSE.

With client-side encryption, you can encrypt table entities, queue messages, and blobs.

Client-side encryption is managed entirely by the application. This is the most secure approach, but it does require you to make programmatic changes to your application and put key management processes in place. You would use this when you want the extra security during transit and you want your stored data to be encrypted.

Client-side encryption places more load on the client, and you have to account for this in your scalability plans, especially if you are encrypting and transferring a large amount of data.

Storage Service Encryption (SSE)

SSE is managed by Azure Storage. SSE does not provide for the security of the data in transit, but it does encrypt the data as it is written to Azure Storage. SSE does not affect Azure Storage performance.

You can encrypt any kind of data in the storage account using SSE (block blobs, append blobs, page blobs, table data, queue data, and files).

If you have an archive or library of VHD files that you use as a basis for creating new virtual machines, you can create a new storage account and then upload the VHD files to that account. Those VHD files will be encrypted by Azure Storage.

If you have Azure Disk Encryption enabled for the disks in a VM, then any newly written data is encrypted both by SSE and by Azure Disk Encryption.

Storage Analytics

Using Storage Analytics to monitor authorization type

For each storage account, you can enable Azure Storage Analytics to perform logging and store metrics data. This is a great tool to use when you want to check the performance metrics of a storage account, or need to troubleshoot a storage account because you are having performance problems.

Another piece of data you can see in the storage analytics logs is the authentication method used by someone when they access storage. For example, with Blob Storage, you can see whether they used a Shared Access Signature or the storage account keys, or whether the blob accessed was public.

This can be helpful if you are tightly guarding access to storage. For example, in Blob Storage you can set all of the containers to private and implement the use of a SAS service throughout your applications. Then you can check the logs regularly to see whether your blobs are being accessed using the storage account keys, which may indicate a breach of security, or whether blobs are public when they shouldn't be.

What do the logs look like?

After you enable the storage account metrics and logging through the Azure portal, analytics data will start to accumulate quickly. The logging and metrics for each service are separate; the logging is only written when there is activity in that storage account, while the metrics will be logged every minute, every hour, or every day, depending on how you configure it.

The logs are stored in block blobs in a container named $logs in the storage account. This container is automatically created when Storage Analytics is enabled. Once this container is created, you can't delete it, although you can delete its contents.

Under the $logs container, there is a folder for each service, and then there are subfolders for the year/month/day/hour. Under hour, the logs are numbered. This is what the directory structure will look like:

Figure: Log file view

Every request to Azure Storage is logged. Here's a snapshot of a log file, showing the first few fields.

Figure: Log file snapshot

As you can see, the logs can be used to track any kind of call to a storage account.

What are all of those fields for?

There is an article listed in the resources below that provides the list of the many fields in the logs and what they are used for. Here is the list of fields in order:

Figure: Snapshot of the fields in a log file

We're interested in the entries for GetBlob and how they are authorized, so we need to look for entries with operation-type "GetBlob", and check the request-status (fourth column) and the authorization-type (eighth column).

For example, in the first few rows in the listing above, the request-status is "Success" and the authorization-type is "authenticated". This means the request was authorized using the storage account key.

How is access to my blobs being authorized?

We have three cases that we are interested in.

  1. The blob is public and it is accessed using a URL without a Shared Access Signature. In this case, the request-status is "AnonymousSuccess" and the authorization-type is "anonymous".

    1.0;2015-11-17T02:01:29.0488963Z;GetBlob;AnonymousSuccess;200;124;37;anonymous;;mystorage…

  2. The blob is private and was accessed with a Shared Access Signature. In this case, the request-status is "SASSuccess" and the authorization-type is "sas".

    1.0;2015-11-16T18:30:05.6556115Z;GetBlob;SASSuccess;200;416;64;sas;;mystorage…

  3. The blob is private and the storage key was used to access it. In this case, the request-status is "Success" and the authorization-type is "authenticated".

    1.0;2015-11-16T18:32:24.3174537Z;GetBlob;Success;206;59;22;authenticated;mystorage…

You can use the Microsoft Message Analyzer to view and analyze these logs. It includes search and filter capabilities. For example, you might want to search for instances of GetBlob to see whether the usage is what you expect, that is, to make sure someone is not accessing your storage account inappropriately.
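The check the text describes (private containers, SAS everywhere, then periodically look for GetBlob entries authorized any other way) is easy to automate. The following is an added example, not code from this guide or from any Microsoft tool: a small parser for the 1.0 log layout shown above, followed by a summary and a filter that returns successful GetBlob rows whose authorization type is not the expected one. The sample log lines are constructed (the first three follow the entries quoted above, truncated to ten fields), and "mystorage" is a placeholder account name.

```python
"""Scan Storage Analytics log lines for GetBlob requests and how they were authorized.

Added example: the log layout follows the 1.0 format shown above (semicolon-separated,
request-status in the 4th field, authorization-type in the 8th). The sample lines are
constructed and truncated to the first ten fields; 'mystorage' is a placeholder.
"""
import csv
from collections import Counter
from io import StringIO

SAMPLE_LOG = """\
1.0;2015-11-17T02:01:29.0488963Z;GetBlob;AnonymousSuccess;200;124;37;anonymous;;mystorage
1.0;2015-11-16T18:30:05.6556115Z;GetBlob;SASSuccess;200;416;64;sas;;mystorage
1.0;2015-11-16T18:32:24.3174537Z;GetBlob;Success;206;59;22;authenticated;mystorage;mystorage
1.0;2015-11-16T18:33:01.0000000Z;PutBlob;Success;201;80;30;authenticated;mystorage;mystorage
1.0;2015-11-16T18:35:10.0000000Z;GetBlob;SASAuthorizationError;403;12;5;sas;;mystorage
"""

# Names for the first ten fields of a 1.0 log entry, in order.
FIELDS = ["version", "start_time", "operation", "status", "http_status",
          "e2e_latency_ms", "server_latency_ms", "auth_type", "requester", "owner"]


def parse_log(text):
    """Parse log text into a list of dicts keyed by FIELDS (fields past the tenth are dropped)."""
    rows = []
    for raw in csv.reader(StringIO(text), delimiter=";"):
        if not raw or not raw[0]:
            continue  # skip blank lines
        rows.append(dict(zip(FIELDS, raw)))
    return rows


def getblob_auth_summary(rows):
    """Count GetBlob requests by authorization type (anonymous / sas / authenticated)."""
    return Counter(r["auth_type"] for r in rows if r["operation"] == "GetBlob")


def flag_unexpected_access(rows, expected_auth=("sas",)):
    """Return successful GetBlob rows whose authorization type is not in expected_auth.

    With containers set to private and clients using SAS, an 'authenticated' hit means
    the account key was used and an 'anonymous' hit means a blob is public; both
    deserve a look, as the text above explains."""
    return [r for r in rows
            if r["operation"] == "GetBlob"
            and r["status"].endswith("Success")
            and r["auth_type"] not in expected_auth]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(getblob_auth_summary(parsed))
    for row in flag_unexpected_access(parsed):
        print(row["start_time"], row["status"], row["auth_type"], row["requester"])
```

The filter keys on the status suffix "Success" so that failed SAS attempts (the constructed 403 line) are counted in the summary but not flagged as unexpected access; for a real $logs container you would feed the downloaded block blobs through `parse_log` one file at a time.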

Resources

Cross-Origin Resource Sharing (CORS)

Cross-domain access of resources

When a web browser running in one domain makes an HTTP request for a resource from a different domain, this is called a cross-origin HTTP request. For example, an HTML page served from contoso.com makes a request for a jpeg hosted on fabrikam.blob.core.chinacloudapi.cn. For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts, such as JavaScript. This means that when some JavaScript code on a web page on contoso.com requests that jpeg on fabrikam.blob.core.chinacloudapi.cn, the browser will not allow the request.

What does this have to do with Azure Storage? Well, if you are storing static assets such as JSON or XML data files in Blob Storage using a storage account called Fabrikam, the domain for the assets will be fabrikam.blob.core.chinacloudapi.cn, and the contoso.com web application will not be able to access them using JavaScript because the domains are different. This is also true if you're trying to call one of the Azure Storage services, such as Table Storage, that return JSON data to be processed by the JavaScript client.

Possible solutions

One way to resolve this is to assign a custom domain like "storage.contoso.com" to fabrikam.blob.core.chinacloudapi.cn. The problem is that you can only assign that custom domain to one storage account. What if the assets are stored in multiple storage accounts?

Another way to resolve this is to have the web application act as a proxy for the storage calls. This means that if you are uploading a file to Blob Storage, the web application would either write it locally and then copy it to Blob Storage, or read all of it into memory and then write it to Blob Storage. Alternately, you could write a dedicated web application (such as a Web API) that uploads the files locally and writes them to Blob Storage. Either way, you have to account for that function when determining the scalability needs.

How can CORS help?

Azure Storage allows you to enable CORS (Cross-Origin Resource Sharing). For each storage account, you can specify domains that can access the resources in that storage account. For example, in our case outlined above, we can enable CORS on the fabrikam.blob.core.chinacloudapi.cn storage account and configure it to allow access from contoso.com. Then the web application contoso.com can directly access the resources in fabrikam.blob.core.chinacloudapi.cn.

One thing to note is that CORS allows access, but it does not provide authentication, which is required for all non-public access of storage resources. This means you can only access blobs if they are public or you include a Shared Access Signature giving you the appropriate permission. Tables, queues, and files have no public access and require a SAS.

By default, CORS is disabled on all services. You can enable CORS by using the REST API or the storage client library to call one of the methods that set the service properties. When you do that, you include a CORS rule, which is in XML. Here's an example of a CORS rule that has been set using the Set Service Properties operation for the Blob service of a storage account. You can perform that operation using the storage client library or the REST APIs for Azure Storage.

<Cors>
    <CorsRule>
        <AllowedOrigins>http://www.contoso.com, http://www.fabrikam.com</AllowedOrigins>
        <AllowedMethods>PUT,GET</AllowedMethods>
        <AllowedHeaders>x-ms-meta-data*,x-ms-meta-target*,x-ms-meta-abc</AllowedHeaders>
        <ExposedHeaders>x-ms-meta-*</ExposedHeaders>
        <MaxAgeInSeconds>200</MaxAgeInSeconds>
    </CorsRule>
</Cors>

Here's what each row means:

  • AllowedOrigins: This tells which non-matching domains can request and receive data from the storage service. This says that both contoso.com and fabrikam.com can request data from Blob Storage for a specific storage account. You can also set this to a wildcard (*) to allow all domains to access requests.
  • AllowedMethods: This is the list of methods (HTTP request verbs) that can be used when making the request. In this example, only PUT and GET are allowed. You can set this to a wildcard (*) to allow all methods to be used.
  • AllowedHeaders: These are the request headers that the origin domain can specify when making the request. In this example, all metadata headers starting with x-ms-meta-data, x-ms-meta-target, and x-ms-meta-abc are permitted. The wildcard character (*) indicates that any header beginning with the specified prefix is allowed.
  • ExposedHeaders: This tells which response headers should be exposed by the browser to the request issuer. In this example, any header starting with "x-ms-meta-" will be exposed.
  • MaxAgeInSeconds: This is the maximum amount of time that a browser will cache the preflight OPTIONS request. (For more information about the preflight request, check the first article below.)
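Because a CORS rule is plain XML, it is worth linting before it is pushed with Set Service Properties. The following is an added example, not code from this guide or from the Azure SDKs: it parses a rule set into the fields explained above and reports the settings a reviewer would question. PAGE_RULE is the rule shown above with its closing `</Cors>` tag; WILDCARD_RULE is a constructed, deliberately loose variant, and the 3600-second preflight-cache threshold is an assumed review limit, not an Azure default.

```python
"""Parse a Blob service CORS rule set and flag permissive settings.

Added example, not from the page's project. PAGE_RULE is the rule shown above (with the
closing </Cors> tag); WILDCARD_RULE is a constructed, deliberately loose variant.
"""
import xml.etree.ElementTree as ET

PAGE_RULE = """<Cors>
    <CorsRule>
        <AllowedOrigins>http://www.contoso.com, http://www.fabrikam.com</AllowedOrigins>
        <AllowedMethods>PUT,GET</AllowedMethods>
        <AllowedHeaders>x-ms-meta-data*,x-ms-meta-target*,x-ms-meta-abc</AllowedHeaders>
        <ExposedHeaders>x-ms-meta-*</ExposedHeaders>
        <MaxAgeInSeconds>200</MaxAgeInSeconds>
    </CorsRule>
</Cors>"""

# Constructed: everything wildcarded and a day-long preflight cache.
WILDCARD_RULE = """<Cors>
    <CorsRule>
        <AllowedOrigins>*</AllowedOrigins>
        <AllowedMethods>*</AllowedMethods>
        <AllowedHeaders>*</AllowedHeaders>
        <ExposedHeaders>*</ExposedHeaders>
        <MaxAgeInSeconds>86400</MaxAgeInSeconds>
    </CorsRule>
</Cors>"""


def _split(text):
    """Split a comma-separated element body into stripped, non-empty items."""
    return [item.strip() for item in (text or "").split(",") if item.strip()]


def parse_cors(xml_text):
    """Return one dict per <CorsRule> with list-valued fields and an int max age."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("CorsRule"):
        rules.append({
            "origins": _split(rule.findtext("AllowedOrigins")),
            "methods": _split(rule.findtext("AllowedMethods")),
            "allowed_headers": _split(rule.findtext("AllowedHeaders")),
            "exposed_headers": _split(rule.findtext("ExposedHeaders")),
            "max_age": int(rule.findtext("MaxAgeInSeconds") or 0),
        })
    return rules


def lint_cors(rules, max_age_limit=3600):
    """Findings a reviewer would raise: wildcard origins or methods, origins that are
    not served over HTTPS, and a preflight cache longer than max_age_limit seconds
    (an assumed review threshold, not an Azure default)."""
    findings = []
    for i, rule in enumerate(rules, start=1):
        if "*" in rule["origins"]:
            findings.append(f"rule {i}: AllowedOrigins is a wildcard, any site may call")
        for origin in rule["origins"]:
            if origin != "*" and not origin.startswith("https://"):
                findings.append(f"rule {i}: origin {origin} is not https")
        if "*" in rule["methods"]:
            findings.append(f"rule {i}: AllowedMethods is a wildcard")
        if rule["max_age"] > max_age_limit:
            findings.append(f"rule {i}: MaxAgeInSeconds {rule['max_age']} exceeds {max_age_limit}")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("page rule", PAGE_RULE), ("wildcard rule", WILDCARD_RULE)):
        print(name, lint_cors(parse_cors(xml_text)))
```

The page's own rule trips only the HTTPS check, which matches the guide's earlier advice to use HTTPS everywhere; the wildcard variant shows the three findings that usually matter most, because CORS does not authenticate and a wildcard origin means any site a user visits can send requests with that user's browser.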

Resources

For more information about CORS and how to enable it, check out these resources.

Frequently asked questions about Azure Storage security

  1. How can I verify the integrity of the blobs I'm transferring into or out of Azure Storage if I can't use the HTTPS protocol?

    If for any reason you need to use HTTP instead of HTTPS and you are working with block blobs, you can use MD5 checking to help verify the integrity of the blobs being transferred. This will help with protection from network/transport layer errors, but not necessarily against intermediary attacks.

    If you can use HTTPS, which provides transport-level security, then using MD5 checking is redundant and unnecessary.

    For more information, please check out the Azure Blob MD5 Overview.

  2. What about FIPS compliance for the U.S. Government?

    The United States Federal Information Processing Standard (FIPS) defines cryptographic algorithms approved for use by U.S. Federal government computer systems for the protection of sensitive data. Enabling FIPS mode on a Windows server or desktop tells the OS that only FIPS-validated cryptographic algorithms should be used. If an application uses non-compliant algorithms, the application will break. With .NET Framework 4.5.2 or higher, the application automatically switches the cryptography algorithms to use FIPS-compliant algorithms when the computer is in FIPS mode.

    Microsoft leaves it up to each customer to decide whether to enable FIPS mode. We believe there is no compelling reason for customers who are not subject to government regulations to enable FIPS mode by default.

Resources