Server-side encryption of Azure Disk Storage

Server-side encryption (SSE) protects your data and helps you meet your organizational security and compliance commitments. SSE automatically encrypts the data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud.

Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.

Server-side encryption does not impact the performance of managed disks, and there is no additional cost.

Note

Temporary disks are not managed disks and are not encrypted by SSE unless you enable encryption at host.

About encryption key management

You can rely on platform-managed keys for the encryption of your managed disks, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

The following sections describe each option for key management in greater detail.

Platform-managed keys

By default, managed disks use platform-managed encryption keys. All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted at rest with platform-managed keys.

Customer-managed keys

You can choose to manage encryption at the level of each managed disk with your own keys. Server-side encryption for managed disks with customer-managed keys offers an integrated experience with Azure Key Vault.

Azure managed disks handle encryption and decryption in a fully transparent fashion using envelope encryption. Data is encrypted with an AES-256 data encryption key (DEK), which is in turn protected using your keys. The Storage service generates the data encryption keys and encrypts them with your customer-managed keys using RSA encryption. Envelope encryption allows you to rotate (change) your keys periodically according to your compliance policies without impacting your VMs. When you rotate your keys, the Storage service re-encrypts the data encryption keys with the new customer-managed keys.

Full control of your keys

You must grant managed disks access to your Key Vault so that your keys can be used to encrypt and decrypt the DEK. This gives you full control of your data and keys. You can disable your keys or revoke access for managed disks at any time. You can also audit encryption key usage with Azure Key Vault monitoring to ensure that only managed disks or other trusted Azure services are accessing your keys.

When you disable or delete your key, any VMs with disks using that key will automatically shut down. After this, the VMs will not be usable unless the key is enabled again or you assign a new key.

For premium SSDs, standard SSDs, and standard HDDs: when you disable or delete your key, any VMs with disks using that key will automatically shut down. After this, the VMs will not be usable unless the key is enabled again or you assign a new key.

The following diagram shows how managed disks use Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

Diagram of the managed disks and customer-managed keys workflow: an administrator creates an Azure Key Vault, then creates and sets up a disk encryption set. The set is associated with a VM, which allows the disk to authenticate with Azure AD.

The following list explains the diagram in more detail:

  1. An Azure Key Vault administrator creates key vault resources.
  2. The key vault administrator either imports their RSA keys into Key Vault or generates new RSA keys in Key Vault.
  3. That administrator creates an instance of a Disk Encryption Set resource, specifying an Azure Key Vault ID and a key URL. Disk Encryption Set is a new resource introduced to simplify key management for managed disks.
  4. When a disk encryption set is created, a system-assigned managed identity is created in Azure Active Directory (AD) and associated with the disk encryption set.
  5. The Azure Key Vault administrator then grants the managed identity permission to perform operations in the key vault.
  6. A VM user creates disks by associating them with the disk encryption set. The VM user can also enable server-side encryption with customer-managed keys for existing resources by associating them with the disk encryption set.
  7. Managed disks use the managed identity to send requests to Azure Key Vault.
  8. For reading or writing data, managed disks send requests to Azure Key Vault to encrypt (wrap) and decrypt (unwrap) the data encryption key in order to perform encryption and decryption of the data.
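The envelope scheme described under "Customer-managed keys" and the wrap/unwrap steps of the workflow above, modeled as an added Go example; this is not Azure's or Key Vault's code. It assumes RSA-OAEP with SHA-256 as the wrap algorithm and AES-256-GCM for the disk data (the page states only RSA and AES 256), and the NewCMK helper stands in for a key held in Key Vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope models one disk: AES-256-GCM nonce and ciphertext, plus the DEK wrapped by the CMK.
type Envelope struct{ Nonce, Ciphertext, WrappedDEK []byte }

// NewCMK stands in for generating an RSA key in Key Vault (workflow step 2); constructed for the demo.
func NewCMK(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// Seal encrypts data with a fresh DEK, then wraps the DEK with RSA-OAEP under the CMK (Key Vault "wrap").
func Seal(cmk *rsa.PublicKey, data []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 32-byte DEK followed by a 12-byte GCM nonce; crypto/rand does not fail
	rand.Read(buf)
	dek, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cmk, dek, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(dek) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return &Envelope{nonce, gcm.Seal(nil, nonce, data, nil), wrapped}, nil
}

// Open unwraps the DEK with the CMK private key (Key Vault "unwrap") and decrypts; it fails once the CMK is disabled.
func Open(cmk *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cmk, e.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(dek) // OAEP succeeded, so dek is the 32 bytes that were wrapped
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new CMK; the ciphertext is untouched, which is why rotation does not impact the VM.
func Rotate(oldCMK *rsa.PrivateKey, newCMK *rsa.PublicKey, e *Envelope) error {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, oldCMK, e.WrappedDEK, nil)
	if err != nil {
		return err
	}
	e.WrappedDEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, newCMK, dek, nil)
	return err
}
```

After Rotate, the old key can no longer unwrap the DEK while the disk bytes are byte-for-byte unchanged, which is the property that lets a key be rotated or revoked without rewriting the disk.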

To revoke access to customer-managed keys, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, because the encryption key is inaccessible to Azure Storage.

Restrictions

For now, customer-managed keys have the following restrictions:

  • If this feature is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data, using either the Azure PowerShell module or the Azure CLI, to an entirely different managed disk that is not using customer-managed keys.
  • Only software keys of sizes 2,048-bit, 3,072-bit, and 4,096-bit are supported; no other keys or sizes.
  • Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.
  • Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
  • Disks, snapshots, and images encrypted with customer-managed keys cannot be moved to another subscription.
  • Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
  • You can create at most 50 disk encryption sets per region per subscription.

Supported regions

Customer-managed keys are available in all regions where managed disks are available.

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.

Server-side encryption versus Azure Disk Encryption

Azure Disk Encryption (ADE) uses either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by encrypting data in the Storage service, which lets you use any OS type and image for your VMs.

Next steps