Encrypt table data

The .NET Azure Storage Client Library supports encryption of string entity properties for insert and replace operations. The encrypted strings are stored on the service as binary properties, and they are converted back to strings after decryption.

For tables, in addition to the encryption policy, users must specify the properties to be encrypted. This can be done either by specifying an [EncryptProperty] attribute (for POCO entities that derive from TableEntity) or by supplying an encryption resolver in request options. An encryption resolver is a delegate that takes a partition key, row key, and property name and returns a Boolean that indicates whether that property should be encrypted. During encryption, the client library uses this information to decide whether to encrypt a property while writing to the wire. The delegate also allows for logic around how properties are encrypted. (For example, if X, then encrypt property A; otherwise encrypt properties A and B.) It is not necessary to provide this information while reading or querying entities.
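The two ways of selecting properties described above, as an added example that is not part of the original page. It assumes the WindowsAzure.Storage and Microsoft.Azure.KeyVault.Cryptography packages; the entity, the property names, the "restricted" partition and the key identifier are hypothetical, and no service call is made.

```csharp
using System;
using Microsoft.Azure.KeyVault;               // RsaKey
using Microsoft.WindowsAzure.Storage.Table;   // TableEntity, TableRequestOptions, TableEncryptionPolicy

// Option 1: mark string properties on a POCO that derives from TableEntity.
public class PatientEntity : TableEntity      // hypothetical entity
{
    public PatientEntity() { }
    public PatientEntity(string pk, string rk) : base(pk, rk) { }

    [EncryptProperty]
    public string Diagnosis { get; set; }     // encrypted on insert/replace

    public string Ward { get; set; }          // not selected for encryption
}

public static class Program
{
    // Option 2: a resolver. Always encrypt "Diagnosis"; additionally encrypt
    // "Notes" for rows in the (constructed) "restricted" partition.
    static bool ShouldEncrypt(string partitionKey, string rowKey, string propertyName)
    {
        if (propertyName == "Diagnosis") return true;
        return partitionKey == "restricted" && propertyName == "Notes";
    }

    public static void Main()
    {
        // Locally generated RSA key for the policy; the identifier is a placeholder.
        var policy = new TableEncryptionPolicy(new RsaKey("private:example-key"), null);

        // Writes (insert/replace) carry both the policy and the resolver,
        // e.g. table.Execute(TableOperation.Insert(entity), writeOptions).
        var writeOptions = new TableRequestOptions
        {
            EncryptionPolicy = policy,
            EncryptionResolver = ShouldEncrypt
        };
        // Reads and queries need only the policy, not the resolver.
        var readOptions = new TableRequestOptions { EncryptionPolicy = policy };

        // Show the resolver's decisions offline on constructed keys.
        foreach (var pk in new[] { "general", "restricted" })
            foreach (var prop in new[] { "Diagnosis", "Notes", "Ward" })
                Console.WriteLine($"{pk}/{prop}: encrypt={writeOptions.EncryptionResolver(pk, "row1", prop)}");
    }
}
```

Only string properties are encrypted, so a resolver that returns true for a non-string property does not protect it.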

Merge support

Merge is not currently supported. Because a subset of properties may have been encrypted previously using a different key, simply merging the new properties and updating the metadata results in data loss. Merging requires either making extra service calls to read the pre-existing entity from the service or using a new key per property, neither of which is suitable for performance reasons.

For information about encrypting table data, see Client-Side Encryption and Azure Key Vault for Azure Storage.

Next steps