Azure Storage encryption for data at rest

Azure Storage automatically encrypts your data when it is persisted to the cloud. Azure Storage encryption protects your data and helps you meet your organizational security and compliance commitments.

About Azure Storage encryption

Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and the underlying cryptographic modules are FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows: it is server-side encryption of data at rest, so it protects the stored bytes but does not, by itself, protect data in transit or restrict who can read the blob through the service.

Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Data in a storage account is encrypted regardless of performance tier (standard or premium), access tier (hot or cool), or deployment model (Azure Resource Manager or classic). All blobs in the archive tier are also encrypted. All Azure Storage redundancy options support encryption, and all data in both the primary and secondary regions is encrypted when geo-replication is enabled. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. There is no additional cost for Azure Storage encryption.

Every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017 is encrypted. Blobs created prior to this date continue to be encrypted by a background process. To force the encryption of a blob that was created before October 20, 2017, you can rewrite the blob. To learn how to check the encryption status of a blob, see Check the encryption status of a blob.

For more information about the cryptographic modules underlying Azure Storage encryption, see Cryptography API: Next Generation.

About encryption key management

Data in a new storage account is encrypted with Microsoft-managed keys. You can rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys, you have two options: customer-managed keys, which you store in Azure Key Vault and which apply to all data in the account for Blob storage and Azure Files, and customer-provided keys, which you keep in your own key store and supply on individual Blob storage requests through the Azure Storage REST API or client libraries. With either option, key rotation and key control are your responsibility, not Microsoft's.

The following table compares key management options for Azure Storage encryption.

| | Microsoft-managed keys | Customer-managed keys | Customer-provided keys |
|---|---|---|---|
| Encryption/decryption operations | Azure | Azure | Azure |
| Azure Storage services supported | All | Blob storage, Azure Files | Blob storage |
| Key storage | Microsoft key store | Azure Key Vault | Customer's own key store |
| Key rotation responsibility | Microsoft | Customer | Customer |
| Key usage | Microsoft | Azure portal, Storage Resource Provider REST API, Azure Storage management libraries, PowerShell, CLI | Azure Storage REST API (Blob storage), Azure Storage client libraries |
| Key control | Microsoft | Customer | Customer |
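The following is an added example, not code from the Azure documentation, that makes two of the points above concrete: how a customer-provided key is carried on a Blob storage REST request (the `x-ms-encryption-key`, `x-ms-encryption-key-sha256` and `x-ms-encryption-algorithm` request headers), and how the encryption status of a blob is read back from the `x-ms-server-encrypted` response header of a Get Blob or Get Blob Properties call. It uses only the standard library so it runs offline; the sample key and the sample response are constructed for illustration, and the HTTP call itself is left to whatever client you use.

```python
"""Added example (not from the Azure documentation page).

Shows the request headers that carry a customer-provided key (CPK) to Blob
storage, and how to interpret the encryption-status headers Blob storage
returns. Header names are the documented REST headers; the key and the
response dict below are constructed sample data.
"""
import base64
import hashlib
from urllib.parse import urlparse

AES256_KEY_LEN = 32  # Blob storage accepts only 256-bit AES keys as CPK


def is_valid_cpk(key: bytes) -> bool:
    """A customer-provided key must be exactly 32 bytes (AES-256)."""
    return isinstance(key, (bytes, bytearray)) and len(key) == AES256_KEY_LEN


def cpk_headers(key: bytes) -> dict:
    """Build the three request headers that carry a customer-provided key.

    The service uses the key in memory for this one operation and stores only
    the SHA-256 of the key with the blob, so later reads must present the same
    key; there is nothing in Azure to recover it from.
    """
    if not is_valid_cpk(key):
        raise ValueError("customer-provided key must be 32 bytes (AES-256)")
    digest = hashlib.sha256(key).digest()
    return {
        "x-ms-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-ms-encryption-key-sha256": base64.b64encode(digest).decode("ascii"),
        "x-ms-encryption-algorithm": "AES256",
    }


def validate_cpk_headers(headers: dict) -> bool:
    """Recompute the hash header from the key header; False on any mismatch.

    Useful as a client-side sanity check before sending: a wrong hash or a
    wrong key length is rejected by the service anyway.
    """
    try:
        key = base64.b64decode(headers["x-ms-encryption-key"], validate=True)
    except (KeyError, ValueError):
        return False
    want = base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")
    return (is_valid_cpk(key)
            and headers.get("x-ms-encryption-key-sha256") == want
            and headers.get("x-ms-encryption-algorithm") == "AES256")


def cpk_request_allowed(url: str) -> bool:
    """CPK requests must use HTTPS; the raw key would otherwise be on the wire."""
    return urlparse(url).scheme == "https"


def encryption_status(response_headers: dict) -> dict:
    """Interpret encryption headers on a Get Blob / Get Blob Properties response.

    x-ms-server-encrypted is "true" for any blob encrypted at rest (the normal
    case; "false" only for a blob written before the 2017 rollout that the
    background process has not reached yet). x-ms-encryption-key-sha256 is
    present only when the blob was encrypted with a customer-provided key.
    HTTP header names are case-insensitive, so normalize before lookup.
    """
    h = {k.lower(): v for k, v in response_headers.items()}
    return {
        "server_encrypted": h.get("x-ms-server-encrypted", "").strip().lower() == "true",
        "cpk_sha256": h.get("x-ms-encryption-key-sha256"),
    }


# Constructed sample key (NOT a real key): in practice use os.urandom(32) and
# keep it in your own key store, since Azure never stores it.
SAMPLE_KEY = bytes(range(32))

# Constructed response headers, as Blob storage would return for a blob that
# was written with SAMPLE_KEY.
SAMPLE_RESPONSE = {
    "x-ms-server-encrypted": "true",
    "x-ms-encryption-key-sha256": cpk_headers(SAMPLE_KEY)["x-ms-encryption-key-sha256"],
}

if __name__ == "__main__":
    print(cpk_headers(SAMPLE_KEY))
    print(encryption_status(SAMPLE_RESPONSE))
```

The same headers are what the Azure Storage client libraries send when you hand them a customer-provided key; building them by hand here just makes visible what the libraries hide. Note that a blob written with a CPK cannot be read by anyone (including the portal) without that key, so the key-store and rotation responsibility in the table above is literal: losing the key is losing the data.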

Next steps