Azure Storage encryption for data at rest

Azure Storage automatically encrypts your data when persisting it to the cloud. Encryption protects your data and helps you meet your organizational security and compliance commitments. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.

Encryption does not affect Azure Storage performance. There is no additional cost for Azure Storage encryption.

For more information about the cryptographic modules underlying Azure Storage encryption, see Cryptography API: Next Generation.

About encryption key management

You can rely on Azure-managed keys for the encryption of your storage account, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys, you have two options:

  • You can specify a customer-managed key to use for encrypting and decrypting all data in the storage account. A customer-managed key is used to encrypt all data in all services in your storage account.
  • You can specify a customer-provided key on Blob storage operations. A client making a read or write request against Blob storage can include an encryption key on the request for granular control over how blob data is encrypted and decrypted.

The following table compares key management options for Azure Storage encryption.

|                                  | Microsoft-managed keys | Customer-managed keys | Customer-provided keys |
|----------------------------------|------------------------|-----------------------|------------------------|
| Encryption/decryption operations | Azure                  | Azure                 | Azure                  |
| Azure Storage services supported | All                    | Blob storage, Azure Files | Blob storage       |
| Key storage                      | Microsoft key store    | Azure Key Vault       | Azure Key Vault or any other key store |
| Key rotation responsibility      | Microsoft              | Customer              | Customer               |
| Key usage                        | Microsoft              | Azure portal, Storage Resource Provider REST API, Azure Storage management libraries, PowerShell, CLI | Azure Storage REST API (Blob storage), Azure Storage client libraries |
| Key access                       | Microsoft only         | Microsoft, Customer   | Customer only          |

The following sections describe each of the options for key management in greater detail.

Azure-managed keys

By default, your storage account uses Azure-managed encryption keys. You can see the encryption settings for your storage account in the Encryption section of the Azure portal, as shown in the following image.

[Image: View an account encrypted with Microsoft-managed keys]

Customer-managed keys

You can choose to manage Azure Storage encryption at the level of the storage account with your own keys. When you specify a customer-managed key at the level of the storage account, that key is used to encrypt and decrypt all data in the storage account, including blob, queue, file, and table data. Customer-managed keys offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?.

This diagram shows how Azure Storage uses Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

[Diagram: How customer-managed keys work in Azure Storage]

The following list explains the numbered steps in the diagram:

  1. An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the storage account.
  2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
  3. Azure Storage uses the managed identity that's associated with the storage account to authenticate access to Azure Key Vault via Azure Active Directory.
  4. Azure Storage wraps the account encryption key with the customer key in Azure Key Vault.
  5. For read/write operations, Azure Storage sends requests to Azure Key Vault to wrap and unwrap the account encryption key to perform encryption and decryption operations.

To revoke access to customer-managed keys on the storage account, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, because Azure Storage can no longer reach the encryption key.

Customer-managed keys are not supported for Azure managed disks.

To learn how to use customer-managed keys with Azure Storage, see one of these articles:

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned to your storage account under the covers. If you subsequently move the subscription, resource group, or storage account from one Azure AD directory to another, the managed identity associated with the storage account is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories in FAQs and known issues with managed identities for Azure resources.

Customer-provided keys (preview)

Clients making requests against Azure Blob storage have the option to provide an encryption key on an individual request. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys (preview) can be stored in Azure Key Vault or in another key store.

Encrypting read and write operations

When a client application provides an encryption key on the request, Azure Storage performs encryption and decryption transparently while reading and writing blob data. A SHA-256 hash of the encryption key is written alongside the blob's contents and is used to verify that all subsequent operations against the blob use the same encryption key. Azure Storage does not store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.

When a client creates or updates a blob using a customer-provided key, subsequent read and write requests for that blob must also provide the key. If the key is not provided on a request for a blob that has already been encrypted with a customer-provided key, the request fails with error code 409 (Conflict).

If the client application sends an encryption key on the request, and the storage account is also encrypted using an Azure-managed key or a customer-managed key, then Azure Storage uses the key provided on the request for encryption and decryption.

To send the encryption key as part of the request, a client must establish a secure connection to Azure Storage using HTTPS.

Each blob snapshot can have its own encryption key.

Request headers for specifying customer-provided keys

For REST calls, clients can use the following headers to securely pass encryption key information on a request to Blob storage:

| Request header              | Description |
|-----------------------------|-------------|
| x-ms-encryption-key         | Required for both write and read requests. A Base64-encoded AES-256 encryption key value. |
| x-ms-encryption-key-sha256  | Required for both write and read requests. The Base64-encoded SHA-256 hash of the encryption key. |
| x-ms-encryption-algorithm   | Required for write requests, optional for read requests. Specifies the algorithm to use when encrypting data with the given key. Must be AES256. |

Specifying encryption keys on the request is optional. However, if you specify one of the headers listed above for a write operation, you must specify all of them.

Blob storage operations supporting customer-provided keys

The following Blob storage operations support sending customer-provided encryption keys on a request:

Rotate customer-provided keys

To rotate an encryption key passed on the request, download the blob and re-upload it with the new encryption key.
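The header construction from the table above, the service-side key-hash check that produces the 409, and the download-and-re-upload rotation step, as an added example in Python. This is not code from the page or from the Azure SDK: the header names and the AES256 algorithm value come from the page, while FakeBlobStore, Conflict, build_cpk_headers, rotate_cpk and the in-memory blob data are constructed here to model the behaviour offline. The model keeps only the SHA-256 of the key with the blob, as the page describes, and does not reproduce the service's AES-256 encryption of the blob body.

```python
"""Customer-provided key (CPK) headers for Azure Blob storage requests.

Added example; not code from the Azure docs page or the Azure SDK. The header
names and the AES256 algorithm value are the ones listed on the page. The
FakeBlobStore is a constructed stand-in for Blob storage that reproduces only
the service-side key-consistency check (SHA-256 of the key stored with the
blob; 409 Conflict when a later request omits it or sends a different key).
It does not encrypt the blob body; the real service does that with AES-256.
"""
import base64
import hashlib
import secrets
from typing import Dict, Optional

ALGORITHM = "AES256"
KEY_HEADER = "x-ms-encryption-key"
KEY_SHA256_HEADER = "x-ms-encryption-key-sha256"
ALGORITHM_HEADER = "x-ms-encryption-algorithm"
CPK_HEADERS = (KEY_HEADER, KEY_SHA256_HEADER, ALGORITHM_HEADER)


def new_cpk() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG (never random.Random for key material)."""
    return secrets.token_bytes(32)


def key_sha256_b64(key: bytes) -> str:
    """Base64(SHA-256(raw key bytes)): the value of x-ms-encryption-key-sha256."""
    return base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")


def build_cpk_headers(key: bytes, write: bool = True) -> Dict[str, str]:
    """Headers that carry the key on a request. The algorithm header is
    required on writes and optional on reads, so it is added only for writes."""
    if len(key) != 32:
        raise ValueError("customer-provided key must be exactly 32 bytes (AES-256)")
    headers = {
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        KEY_SHA256_HEADER: key_sha256_b64(key),
    }
    if write:
        headers[ALGORITHM_HEADER] = ALGORITHM
    return headers


class Conflict(Exception):
    """Stand-in for HTTP 409 Conflict."""
    status_code = 409


class FakeBlobStore:
    """Constructed model of the service-side checks described on the page."""

    def __init__(self) -> None:
        self._blobs: Dict[str, tuple] = {}  # name -> (data, key hash or None)

    @staticmethod
    def _key_hash_from_headers(headers: Dict[str, str], write: bool) -> Optional[str]:
        """Validate the CPK headers and return the key hash, or None if no CPK was sent.
        ValueError stands in for the 400 a malformed request would receive."""
        present = [h for h in CPK_HEADERS if h in headers]
        if not present:
            return None
        if write and len(present) != len(CPK_HEADERS):
            raise ValueError("a write with a CPK must carry all three encryption headers")
        if KEY_HEADER not in headers or KEY_SHA256_HEADER not in headers:
            raise ValueError("both the key and key-sha256 headers are required")
        if headers.get(ALGORITHM_HEADER, ALGORITHM) != ALGORITHM:
            raise ValueError("x-ms-encryption-algorithm must be AES256")
        key = base64.b64decode(headers[KEY_HEADER])
        if len(key) != 32:
            raise ValueError("key must decode to 32 bytes")
        if key_sha256_b64(key) != headers[KEY_SHA256_HEADER]:
            raise ValueError("x-ms-encryption-key-sha256 does not match the key")
        return headers[KEY_SHA256_HEADER]

    def put(self, name: str, data: bytes, headers: Optional[Dict[str, str]] = None) -> None:
        """Put Blob. Only the key's SHA-256 is kept; the key itself is discarded."""
        key_hash = self._key_hash_from_headers(headers or {}, write=True)
        existing = self._blobs.get(name)
        if existing is not None and existing[1] is not None and key_hash is None:
            raise Conflict(f"{name}: blob is CPK-encrypted, the write must carry the key (409)")
        # Assumption of this model: a full overwrite that carries a key replaces the
        # blob, which is what "download and re-upload with the new key" relies on.
        self._blobs[name] = (data, key_hash)

    def get(self, name: str, headers: Optional[Dict[str, str]] = None) -> bytes:
        """Get Blob. A CPK-encrypted blob is readable only with the same key."""
        key_hash = self._key_hash_from_headers(headers or {}, write=False)
        data, stored_hash = self._blobs[name]
        if stored_hash is not None and stored_hash != key_hash:
            raise Conflict(f"{name}: wrong or missing customer-provided key (409)")
        return data


def rotate_cpk(store: FakeBlobStore, name: str, old_key: bytes, new_key: bytes) -> str:
    """Rotation as the page describes it: read with the old key, re-upload with the new."""
    data = store.get(name, build_cpk_headers(old_key, write=False))
    store.put(name, data, build_cpk_headers(new_key))
    return key_sha256_b64(new_key)
```

Because the service keeps only the hash, the raw key returned by new_cpk() has to be persisted somewhere durable before the first write, which is why the page points at Azure Key Vault; once the write is done, losing the key means losing the blob.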

Important

The Azure portal cannot be used to read from or write to a container or blob that is encrypted with a key provided on the request.

Be sure to protect the encryption key that you provide on a request to Blob storage in a secure key store such as Azure Key Vault. If you attempt a write operation on a container or blob without the encryption key, the operation will fail, and you will lose access to the object.

Example: Use a customer-provided key to upload a blob in .NET

The following example creates a customer-provided key and uses that key to upload a blob. The code uploads a block, then commits the block list to write the blob to Azure Storage. The key is provided on the BlobRequestOptions object by setting the CustomerProvidedKey property.

The key is created with the AesCryptoServiceProvider class. To create an instance of this class in your code, add a using statement that references the System.Security.Cryptography namespace:

// Assumed package: Microsoft.Azure.Storage.Blob, the legacy client library that
// exposes BlobCustomerProvidedKey and BlobRequestOptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Blob;

public static void UploadBlobWithClientKey(CloudBlobContainer container)
{
    // Create a new key using the Advanced Encryption Standard (AES) algorithm.
    // AesCryptoServiceProvider generates a random 256-bit key on first access to .Key.
    // Azure Storage does not retain this key: persist keyAes.Key in a secure key store
    // (for example Azure Key Vault) before uploading, or the blob cannot be read back.
    AesCryptoServiceProvider keyAes = new AesCryptoServiceProvider();

    // Specify the key as an option on the request.
    BlobCustomerProvidedKey customerProvidedKey = new BlobCustomerProvidedKey(keyAes.Key);
    var options = new BlobRequestOptions
    {
        CustomerProvidedKey = customerProvidedKey
    };

    string blobName = "sample-blob-" + Guid.NewGuid();
    CloudBlockBlob blockBlob = container.GetBlockBlobReference(blobName);

    try
    {
        // Create an array of random bytes as sample blob content (not key material).
        byte[] buffer = new byte[1024];
        Random rnd = new Random();
        rnd.NextBytes(buffer);

        using (MemoryStream sourceStream = new MemoryStream(buffer))
        {
            // Write the array of random bytes to a block.
            int blockNumber = 1;
            string blockId = Convert.ToBase64String(Encoding.ASCII.GetBytes(string.Format("BlockId{0}",
                blockNumber.ToString("0000000"))));

            // Write the block to Azure Storage; the CPK headers travel with the request.
            blockBlob.PutBlock(blockId, sourceStream, null, null, options, null);

            // Commit the block list to write the blob; the same key is required here.
            blockBlob.PutBlockList(new List<string>() { blockId }, null, options, null);
        }
    }
    catch (StorageException e)
    {
        Console.WriteLine(e.Message);
        Console.ReadLine();
        throw;
    }
}

Azure Storage encryption versus disk encryption

With Azure Storage encryption, all Azure Storage accounts and the resources they contain are encrypted, including the page blobs that back Azure virtual machine disks. Additionally, Azure virtual machine disks may be encrypted with Azure Disk Encryption. Azure Disk Encryption uses industry-standard BitLocker on Windows and DM-Crypt on Linux to provide operating-system-based encryption solutions that are integrated with Azure Key Vault.

Next steps