Server-side encryption of Azure managed disks

Azure managed disks automatically encrypt your data by default when persisting it to the cloud. Server-side encryption protects your data and helps you meet your organizational security and compliance commitments. Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

Encryption does not impact the performance of managed disks. There is no additional cost for the encryption.

For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.

About encryption key management

You can rely on platform-managed keys for the encryption of your managed disk, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

The following sections describe each of the options for key management in greater detail.

Platform-managed keys

By default, managed disks use platform-managed encryption keys. As of June 10, 2017, all new managed disks, snapshots, images, and new data written to existing managed disks are automatically encrypted-at-rest with platform-managed keys.
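As an added example that is not part of the original page or of any Azure tooling, the following script audits which of the two key management options each managed disk in a subscription is using. It takes the JSON that `az disk list -o json` produces and groups disks by the `encryption.type` value; the field names, the `EncryptionAtRestWithPlatformKey` / `EncryptionAtRestWithCustomerKey` values, and the sample disks are assumptions about the disk resource schema, not taken from this page, and the sample data is constructed.

```python
import json

# Constructed sample in the shape of `az disk list -o json` (field names assumed
# from the Azure managed disk resource schema; ids are placeholders, not real).
SAMPLE_DISK_LIST = json.dumps([
    {"name": "vm1-osdisk", "resourceGroup": "rg-prod",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "vm2-datadisk", "resourceGroup": "rg-prod",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                    "/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
    {"name": "vm3-datadisk", "resourceGroup": "rg-prod",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
    {"name": "old-disk", "resourceGroup": "rg-legacy", "encryption": {}},
])

# Assumed enum values for the server-side encryption key type.
PLATFORM_KEY = "EncryptionAtRestWithPlatformKey"
CUSTOMER_KEY = "EncryptionAtRestWithCustomerKey"


def classify_disks(disk_list_json: str) -> dict:
    """Group managed disks by the key type reported for server-side encryption.

    Returns {"platform": [...], "customer": [...], "review": [...]} of disk names.
    A disk that claims a customer-managed key but carries no disk encryption set
    id, or that reports no type at all, goes under "review" for manual follow-up.
    """
    groups = {"platform": [], "customer": [], "review": []}
    for disk in json.loads(disk_list_json):
        enc = disk.get("encryption") or {}
        key_type = enc.get("type")
        if key_type == PLATFORM_KEY:
            groups["platform"].append(disk["name"])
        elif key_type == CUSTOMER_KEY and enc.get("diskEncryptionSetId"):
            groups["customer"].append(disk["name"])
        else:
            groups["review"].append(disk["name"])
    return groups


def disks_not_using_customer_keys(disk_list_json: str) -> list:
    """Names of disks that a policy requiring customer-managed keys would flag."""
    groups = classify_disks(disk_list_json)
    return sorted(groups["platform"] + groups["review"])


if __name__ == "__main__":
    for bucket, names in classify_disks(SAMPLE_DISK_LIST).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run it against real output by replacing `SAMPLE_DISK_LIST` with the text of `az disk list -o json`; the "review" bucket is the list to check by hand.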

Server-side encryption versus Azure disk encryption

Azure Disk Encryption (ADE) leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs, because the data is encrypted in the Storage service rather than inside the guest.

Next steps