Azure Storage encryption for data at rest

Azure Storage automatically encrypts your data when it is persisted to the cloud. Azure Storage encryption protects your data and helps you meet your organizational security and compliance commitments.

About Azure Storage encryption

Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Azure Storage encryption is enabled for all new storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.

Encryption does not affect Azure Storage performance. There is no additional cost for Azure Storage encryption.

Every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017 is encrypted. Blobs created prior to this date continue to be encrypted by a background process. To force the encryption of a blob that was created before October 20, 2017, you can rewrite the blob. To learn how to check the encryption status of a blob, see Check the encryption status of a blob.

For more information about the cryptographic modules underlying Azure Storage encryption, see Cryptography API: Next Generation.

About encryption key management

You can rely on Azure-managed keys for the encryption of your storage account, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys, you have two options:

  • You can specify a customer-managed key with Azure Key Vault to use for encrypting and decrypting data in Blob storage and in Azure Files.
  • You can specify a customer-provided key on Blob storage operations. A client making a read or write request against Blob storage can include an encryption key on the request for granular control over how blob data is encrypted and decrypted.

The following table compares key management options for Azure Storage encryption.

|                                  | Microsoft-managed keys | Customer-managed keys | Customer-provided keys |
|----------------------------------|------------------------|-----------------------|------------------------|
| Encryption/decryption operations | Azure                  | Azure                 | Azure                  |
| Azure Storage services supported | All                    | Blob storage, Azure Files | Blob storage       |
| Key storage                      | Microsoft key store    | Azure Key Vault       | Azure Key Vault or any other key store |
| Key rotation responsibility      | Microsoft              | Customer              | Customer               |
| Key usage                        | Microsoft              | Azure portal, Storage Resource Provider REST API, Azure Storage management libraries, PowerShell, CLI | Azure Storage REST API (Blob storage), Azure Storage client libraries |
| Key access                       | Microsoft only         | Microsoft, Customer   | Customer only          |

The following sections describe each of the options for key management in greater detail.

Azure-managed keys

By default, your storage account uses Azure-managed encryption keys. You can see the encryption settings for your storage account in the Encryption section of the Azure portal, as shown in the following image.

(Image: view of a storage account encrypted with Microsoft-managed keys)

Customer-managed keys with Azure Key Vault

You can manage Azure Storage encryption at the level of the storage account with your own keys. When you specify a customer-managed key at the level of the storage account, that key is used to protect and control access to the root encryption key for the storage account, which in turn is used to encrypt and decrypt all blob and file data. Customer-managed keys offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?.

This diagram shows how Azure Storage uses Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

(Image: diagram of how customer-managed keys work in Azure Storage)

The following list explains the numbered steps in the diagram:

  1. An Azure Key Vault admin grants the managed identity that is associated with the storage account permissions to the encryption key.
  2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
  3. Azure Storage uses the managed identity that is associated with the storage account to authenticate to Azure Key Vault via Azure Active Directory.
  4. Azure Storage wraps the account encryption key with the customer key in Azure Key Vault.
  5. For read/write operations, Azure Storage sends requests to Azure Key Vault to wrap and unwrap the account encryption key in order to perform encryption and decryption operations.

Enable customer-managed keys for a storage account

When you enable encryption with customer-managed keys for a storage account, Azure Storage wraps the account encryption key with the customer key in the associated key vault. Enabling customer-managed keys does not impact performance, and the account is encrypted with the new key immediately, without any time delay.

A new storage account is always encrypted using Microsoft-managed keys. It is not possible to enable customer-managed keys at the time that the account is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the storage account. The managed identity is available only after the storage account is created.

To learn how to use customer-managed keys with Azure Key Vault for Azure Storage encryption, see one of these articles:

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned to your storage account under the covers. If you subsequently move the subscription, resource group, or storage account from one Azure AD directory to another, the managed identity associated with the storage account is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories in FAQs and known issues with managed identities for Azure resources.

Store customer-managed keys in Azure Key Vault

To enable customer-managed keys on a storage account, you must use an Azure Key Vault to store your keys. You must enable both the Soft Delete and Do Not Purge properties on the key vault, so that a key deleted by mistake can be recovered rather than leaving the account's data unreadable.

The key vault must be in the same Azure AD tenant as the storage account; it can be in a different subscription. Azure Storage uses managed identities for Azure resources to authenticate to the key vault for the wrap and unwrap operations, and managed identities do not currently support cross-directory scenarios, which is why the vault and the storage account cannot live in different tenants.

Rotate customer-managed keys

You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. When the key is rotated, you must update the storage account to use the new key URI; creating a new key version in the vault alone does not change which version the account uses. To learn how to update the storage account to use a new version of the key in the Azure portal, see the section titled Update the key version in Configure customer-managed keys for Azure Storage by using the Azure portal.

Rotating the key does not trigger re-encryption of data in the storage account; only the account encryption key is re-wrapped with the new customer key. No further action is required from the user.

Revoke access to customer-managed keys

To revoke access to customer-managed keys, use PowerShell or Azure CLI. For more information, see Azure Key Vault PowerShell or Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, because Azure Storage can no longer unwrap the account encryption key.
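The numbered steps in the diagram above, the enablement notes, and the rotation and revocation sections, carried out as one added example in Az PowerShell. This is not code from the original page or from Microsoft; it assumes the Az.Storage and Az.KeyVault modules and a signed-in session with rights on both the storage account and the key vault, and the resource group, region, account, vault, and key names are placeholders.

```powershell
# Added example (not from the original page): enable, verify, rotate and revoke a
# customer-managed key for an existing storage account with Az PowerShell.
# All names below are placeholders; replace them with your own resources.
$rg          = 'rg-storage-cmk'
$location    = 'eastus'          # must match the storage account's region
$accountName = 'stcmkdemo001'    # an existing storage account
$vaultName   = 'kv-cmk-demo-001'
$keyName     = 'storage-cmk'

# Prerequisite: a key vault with soft delete and purge protection enabled, in the
# same region and Azure AD tenant as the storage account.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnableSoftDelete -EnablePurgeProtection

# The storage account needs a managed identity. It only exists after the account
# has been created, which is why a new account always starts with Microsoft-managed keys.
$account = Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName -AssignIdentity

# Diagram step 1: grant that identity only the key permissions it needs
# (get, wrapKey, unwrapKey). It does not need create, delete, sign or decrypt.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $account.Identity.PrincipalId `
    -PermissionsToKeys get,wrapKey,unwrapKey

# Create the customer key in the vault (or import your own with Add-AzKeyVaultKey -KeyFilePath).
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination 'Software'

# Diagram steps 2-4: point the account at this key version. Azure Storage wraps the
# account encryption key with it immediately; no data is re-encrypted.
Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName `
    -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $vault.VaultUri

# Verify: the key source should now read Microsoft.Keyvault instead of Microsoft.Storage.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName).Encryption.KeySource

# Rotation: a new key version in the vault is not picked up on its own; the account
# must be updated to the new version, otherwise it keeps wrapping with the old one.
$newKey = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination 'Software'
Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName `
    -KeyvaultEncryption -KeyName $newKey.Name -KeyVersion $newKey.Version -KeyVaultUri $vault.VaultUri

# Revocation: removing the identity's access policy means Azure Storage can no
# longer unwrap the account encryption key, so every read and write on the account
# fails until access is restored. Prefer this over deleting the key: soft delete and
# purge protection exist precisely so that a deleted key can still be recovered.
Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $account.Identity.PrincipalId
```

Re-running Set-AzKeyVaultAccessPolicy with the same three permissions restores access; the wrapped account key in the vault is untouched by the revocation, so no data is lost.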

Customer-managed keys for Azure managed disks (preview)

Customer-managed keys are also available for managing encryption of Azure managed disks (preview). Customer-managed keys behave differently for managed disks than for Azure Storage resources. For more information, see Server side encryption of Azure managed disks for Windows or Server side encryption of Azure managed disks for Linux.

Customer-provided keys (preview)

Clients making requests against Azure Blob storage have the option to provide an encryption key on an individual request. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys (preview) can be stored in Azure Key Vault or in another key store.

For an example that shows how to specify a customer-provided key on a request to Blob storage, see Specify a customer-provided key on a request to Blob storage with .NET.

Encrypting read and write operations

When a client application provides an encryption key on the request, Azure Storage performs encryption and decryption transparently while reading and writing blob data. Azure Storage writes a SHA-256 hash of the encryption key alongside the blob's contents. The hash is used to verify that all subsequent operations against the blob use the same encryption key.

Azure Storage does not store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.

When a client creates or updates a blob using a customer-provided key, subsequent read and write requests for that blob must also provide the key. If the key is not provided on a request for a blob that has already been encrypted with a customer-provided key, the request fails with error code 409 (Conflict).

If the client application sends an encryption key on the request, and the storage account is also encrypted using an Azure-managed key or a customer-managed key, then Azure Storage uses the key provided on the request for encryption and decryption.

To send the encryption key as part of the request, a client must establish a secure connection to Azure Storage using HTTPS; the key travels in a request header, so it is only accepted over TLS.

Each blob snapshot can have its own encryption key.

Request headers for specifying customer-provided keys

For REST calls, clients can use the following headers to securely pass encryption key information on a request to Blob storage:

| Request header             | Description |
|----------------------------|-------------|
| x-ms-encryption-key        | Required for both write and read requests. A Base64-encoded AES-256 encryption key value. |
| x-ms-encryption-key-sha256 | Required for both write and read requests. The Base64-encoded SHA-256 of the encryption key. |
| x-ms-encryption-algorithm  | Required for write requests, optional for read requests. Specifies the algorithm to use when encrypting data using the given key. Must be AES256. |

Specifying encryption keys on the request is optional. However, if you specify one of the headers listed above for a write operation, then you must specify all of them.
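The read/write behaviour described above and the three headers in the table, as an added example in PowerShell that is not code from the original page or from Microsoft. It builds the headers from a freshly generated 32-byte key, writes a blob with a customer-provided key over the REST API, reads it back with the same key, and then shows the 409 that a keyless request receives. The account, container, blob name, SAS token and sample content are placeholders, and the example assumes the SAS grants read and write on the blob and that API version 2019-02-02 accepts these headers.

```powershell
# Added example (not from the original page): customer-provided key on Blob REST calls.
# Account, container, blob, SAS and content are placeholders; the SAS must allow
# read and write on the blob. The endpoint is HTTPS, as the headers require.
$account   = 'stcpkdemo001'
$container = 'secrets'
$blobName  = 'note.txt'
$sas       = 'sv=2019-02-02&...'   # placeholder: supply a real SAS token
$uri       = "https://$account.blob.core.windows.net/$container/$blobName?$sas"

# 1. Generate a 32-byte AES-256 key from a CSPRNG. Keep it in your own key store;
#    Azure Storage discards it as soon as the operation completes.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)

# 2. Derive the headers: the key itself and the SHA-256 of the *raw* key bytes
#    (not of the Base64 text), both Base64-encoded. Azure Storage stores only the
#    hash next to the blob and uses it to reject later requests that carry a
#    different key.
$keyB64  = [Convert]::ToBase64String($keyBytes)
$hashB64 = [Convert]::ToBase64String(
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($keyBytes))

$cpkHeaders = @{
    'x-ms-version'               = '2019-02-02'   # assumed: version with CPK header support
    'x-ms-encryption-key'        = $keyB64
    'x-ms-encryption-key-sha256' = $hashB64
    'x-ms-encryption-algorithm'  = 'AES256'        # required on writes, optional on reads
}

# 3. Write: all three encryption headers are required on a write request.
$writeHeaders = $cpkHeaders.Clone()
$writeHeaders['x-ms-blob-type'] = 'BlockBlob'
$body = [System.Text.Encoding]::UTF8.GetBytes('constructed sample content')
Invoke-WebRequest -Method Put -Uri $uri -Headers $writeHeaders -Body $body `
    -ContentType 'text/plain; charset=utf-8' | Out-Null

# 4. Read with the same key: the service decrypts transparently and echoes the
#    key hash back in x-ms-encryption-key-sha256, which a client can compare
#    against the hash of the key it holds.
$read = Invoke-WebRequest -Method Get -Uri $uri -Headers $cpkHeaders
$read.Content                                          # the plaintext written above
$read.Headers['x-ms-encryption-key-sha256'] -eq $hashB64   # expected: True

# 5. Read without the key: Azure Storage holds no copy of it, so the request is
#    refused with 409 Conflict rather than returning ciphertext or plaintext.
try {
    Invoke-WebRequest -Method Get -Uri $uri -Headers @{ 'x-ms-version' = '2019-02-02' } | Out-Null
} catch {
    "Without key: HTTP $([int]$_.Exception.Response.StatusCode)"   # expected: 409
}
```

Rotating the key for this blob is a client-side operation: read it with the old headers, then PUT it again with headers built from a new key, as the next section describes.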

Blob storage operations supporting customer-provided keys

The following Blob storage operations support sending customer-provided encryption keys on a request:

Rotate customer-provided keys

To rotate an encryption key passed on the request, download the blob with the current key and re-upload it with the new encryption key.

Important

The Azure portal cannot be used to read from or write to a container or blob that is encrypted with a key provided on the request.

Be sure to protect the encryption key that you provide on a request to Blob storage in a secure key store such as Azure Key Vault. Azure Storage keeps no copy of the key, so if you lose it, every read or write request for that blob fails and you lose access to the object.

Azure Storage encryption versus disk encryption

Azure Storage encryption encrypts the page blobs that back Azure virtual machine disks. Additionally, all Azure virtual machine disks, including local temp disks, may optionally be encrypted with Azure Disk Encryption. Azure Disk Encryption uses industry-standard BitLocker on Windows and dm-crypt on Linux to provide operating-system-based encryption solutions that are integrated with Azure Key Vault.

Next steps