Azure Storage encryption for data at rest

Azure Storage automatically encrypts your data when persisting it to the cloud. Encryption protects your data and helps you meet your organizational security and compliance commitments. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.

Encryption does not affect Azure Storage performance. There is no additional cost for Azure Storage encryption.

For more information about the cryptographic modules underlying Azure Storage encryption, see Cryptography API: Next Generation.

Key management

You can rely on Azure-managed keys for the encryption of your storage account, or you can manage encryption with your own keys, together with Azure Key Vault.

Azure-managed keys

By default, your storage account uses Azure-managed encryption keys. You can see the encryption settings for your storage account in the Encryption section of the Azure portal, as shown in the following image.

View an account encrypted with Microsoft-managed keys

Customer-managed keys

You can manage Azure Storage encryption with customer-managed keys. Customer-managed keys give you more flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

Use Azure Key Vault to manage your keys and audit your key usage. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?.

To revoke access to customer-managed keys, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, because Azure Storage can no longer reach the encryption key.
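The following is an added example, not part of the Azure documentation, that audits a storage account's at-rest encryption settings against the key vault expected to hold its customer-managed key: it distinguishes Azure-managed from customer-managed keys and enforces the same-region constraint described above (subscriptions may differ, so they are not compared). The input dictionaries are assumed to be shaped like the JSON returned by `az storage account show` and `az keyvault show`; the sample records below are constructed.

```python
from typing import List
from urllib.parse import urlparse


def audit_cmk(account: dict, vault: dict) -> List[str]:
    """Return findings for a storage account / key vault pair; empty means consistent."""
    findings = []
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        # "Microsoft.Storage" means the account relies on Azure-managed keys.
        findings.append(f"key source is {enc.get('keySource')!r}, not customer-managed")
        return findings
    props = enc.get("keyVaultProperties") or {}
    if not props.get("keyName"):
        findings.append("no key name configured on the account")
    # Compare vault hostnames so trailing slashes or case differences do not matter.
    configured = urlparse(props.get("keyVaultUri", "")).hostname or ""
    expected = urlparse(vault["properties"]["vaultUri"]).hostname or ""
    if configured.lower() != expected.lower():
        findings.append(f"account uses vault {configured!r}, expected {expected!r}")
    # Documented constraint: account and vault must be in the same region.
    if account["location"].lower() != vault["location"].lower():
        findings.append(
            f"region mismatch: account in {account['location']}, vault in {vault['location']}"
        )
    return findings


# Constructed sample records (assumed shape of the az CLI output).
CMK_ACCOUNT = {
    "name": "examplestorage",
    "location": "eastus",
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "storage-cmk",
            "keyVaultUri": "https://example-kv.vault.azure.net/",
            "keyVersion": "",
        },
    },
}
MANAGED_ACCOUNT = {
    "name": "defaultstorage",
    "location": "eastus",
    "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None},
}
VAULT_EASTUS = {"name": "example-kv", "location": "eastus",
                "properties": {"vaultUri": "https://example-kv.vault.azure.net/"}}
VAULT_WESTUS = {"name": "example-kv", "location": "westus",
                "properties": {"vaultUri": "https://example-kv.vault.azure.net/"}}

if __name__ == "__main__":
    for acct, kv in ((CMK_ACCOUNT, VAULT_EASTUS), (CMK_ACCOUNT, VAULT_WESTUS),
                     (MANAGED_ACCOUNT, VAULT_EASTUS)):
        print(acct["name"], kv["location"], audit_cmk(acct, kv) or "OK")
```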

To learn how to use customer-managed keys with Azure Storage, see one of these articles:

Note

Customer-managed keys are not supported for Azure managed disks.

Next steps