Azure Storage encryption for data at rest

Azure Storage automatically encrypts your data when it is persisted to the cloud. Azure Storage encryption protects your data and helps you meet your organizational security and compliance commitments.

About Azure Storage encryption

Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Data in a storage account is encrypted regardless of performance tier (standard or premium), access tier (hot or cool), or deployment model (Azure Resource Manager or classic). All blobs in the archive tier are also encrypted. All Azure Storage redundancy options support encryption, and all data in both the primary and secondary regions is encrypted when geo-replication is enabled. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. There is no additional cost for Azure Storage encryption.

Every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017 is encrypted. Blobs created prior to this date continue to be encrypted by a background process. To force the encryption of a blob that was created before October 20, 2017, you can rewrite the blob. To learn how to check the encryption status of a blob, see Check the encryption status of a blob.

For more information about the cryptographic modules underlying Azure Storage encryption, see Cryptography API: Next Generation.

For information about encryption and key management for Azure managed disks, see Server-side encryption of Azure managed disks for Windows VMs or Server-side encryption of Azure managed disks for Linux VMs.

About encryption key management

Data in a new storage account is encrypted with Microsoft-managed keys by default. You can continue to rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys, you have two options. You can use either type of key management, or both:

The following table compares key management options for Azure Storage encryption.

Key management parameter          Microsoft-managed keys   Customer-managed keys       Customer-provided keys
Encryption/decryption operations  Azure                    Azure                       Azure
Azure Storage services supported  All                      Blob storage, Azure Files   Blob storage
Key storage                       Microsoft key store      Azure Key Vault             Customer's own key store
Key rotation responsibility       Microsoft                Customer                    Customer
Key control                       Microsoft                Customer                    Customer

Note

Microsoft-managed keys are rotated appropriately per compliance requirements. If you have specific key rotation requirements, Microsoft recommends that you move to customer-managed keys so that you can manage and audit the rotation yourself.

Encryption scopes for Blob storage (preview)

By default, a storage account is encrypted with a key that is scoped to the storage account. You can choose to use either Microsoft-managed keys or customer-managed keys stored in Azure Key Vault to protect and control access to the key that encrypts your data.

Encryption scopes enable you to optionally manage encryption at the level of the container or an individual blob. You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers.

You can create one or more encryption scopes for a storage account using the Azure Storage resource provider. When you create an encryption scope, you specify whether the scope is protected with a Microsoft-managed key or with a customer-managed key that is stored in Azure Key Vault. Different encryption scopes on the same storage account can use either Microsoft-managed or customer-managed keys.

After you have created an encryption scope, you can specify that encryption scope on a request to create a container or a blob. For more information about how to create an encryption scope, see Create and manage encryption scopes (preview).

Note

Encryption scopes are not supported with read-access geo-redundant storage (RA-GRS) accounts during preview.

Important

The encryption scopes preview is intended for non-production use only. Production service-level agreements (SLAs) are not currently available.

To avoid unexpected costs, be sure to disable any encryption scopes that you do not currently need.

Create a container or blob with an encryption scope

Blobs that are created under an encryption scope are encrypted with the key specified for that scope. You can specify an encryption scope for an individual blob when you create the blob, or you can specify a default encryption scope when you create a container. When a default encryption scope is specified at the level of a container, all blobs in that container are encrypted with the key associated with the default scope.

When you create a blob in a container that has a default encryption scope, you can specify an encryption scope that overrides the default encryption scope, provided the container is configured to allow overrides of the default encryption scope. To prevent overrides of the default encryption scope, configure the container to deny overrides for an individual blob.

Read operations on a blob that belongs to an encryption scope happen transparently, as long as the encryption scope is not disabled.

Disable an encryption scope

When you disable an encryption scope, any subsequent read or write operations made with the encryption scope will fail with HTTP error code 403 (Forbidden). If you re-enable the encryption scope, read and write operations will proceed normally again.

When an encryption scope is disabled, you are no longer billed for it. Disable any encryption scopes that are not needed to avoid unnecessary charges.

If your encryption scope is protected with customer-managed keys in Azure Key Vault, then you can also delete the associated key in the key vault in order to disable the encryption scope. Keep in mind that customer-managed keys in Azure Key Vault are protected by soft delete and purge protection, and a deleted key is subject to the behavior defined by those properties. For more information, see one of the following topics in the Azure Key Vault documentation:

Note

It is not possible to delete an encryption scope.

Next steps
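As an added example that is not Azure's code, the following Python model encodes the rules from the two sections above (how the scope for a new blob is resolved from the container default and the per-blob override setting, and how a disabled scope turns reads and writes into HTTP 403) so they can be checked mechanically; the scope, container and blob names used with it are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

class StorageError(Exception):
    def __init__(self, status: int, message: str) -> None:
        super().__init__(f"{status}: {message}")
        self.status = status  # HTTP status the service would return

@dataclass
class Container:
    default_scope: Optional[str] = None  # None: the account-scoped key
    deny_override: bool = False          # refuse per-blob scope overrides
    blobs: Dict[str, Optional[str]] = field(default_factory=dict)  # blob -> scope

class StorageAccount:
    """In-memory model of the encryption-scope rules (added example, not Azure code)."""
    def __init__(self) -> None:
        self.scope_enabled: Dict[str, bool] = {}  # scopes can be disabled, never deleted
        self.containers: Dict[str, Container] = {}

    def create_scope(self, name: str) -> None:
        self.scope_enabled[name] = True

    def set_scope_enabled(self, name: str, enabled: bool) -> None:
        self.scope_enabled[name] = enabled  # disable or re-enable

    def _require_enabled(self, scope: Optional[str]) -> None:
        # The account key is always usable; a disabled scope turns the request into 403.
        if scope is not None and not self.scope_enabled.get(scope, False):
            raise StorageError(403, f"encryption scope {scope!r} is disabled or unknown")

    def create_container(self, name: str, default_scope: Optional[str] = None,
                         deny_override: bool = False) -> None:
        self._require_enabled(default_scope)
        self.containers[name] = Container(default_scope, deny_override)

    def put_blob(self, container: str, blob: str, scope: Optional[str] = None) -> Optional[str]:
        c = self.containers[container]
        if scope is not None and scope != c.default_scope and c.deny_override:
            # The page gives no status code for this refusal; PermissionError is assumed.
            raise PermissionError("container denies overriding its default encryption scope")
        effective = scope if scope is not None else c.default_scope
        self._require_enabled(effective)  # write fails with 403 when the scope is disabled
        c.blobs[blob] = effective
        return effective

    def get_blob_scope(self, container: str, blob: str) -> Optional[str]:
        scope = self.containers[container].blobs[blob]
        self._require_enabled(scope)  # read fails with 403 when the scope is disabled
        return scope
```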