Data at rest encryption in Azure Stack Hub

Azure Stack Hub protects user and infrastructure data at the storage subsystem level using encryption at rest. By default, Azure Stack Hub's storage subsystem is encrypted using BitLocker with 128-bit AES encryption. BitLocker keys are persisted in an internal secret store. At deployment time, it is also possible to configure BitLocker to use 256-bit AES encryption.

Data at rest encryption is a common requirement for many of the major compliance standards (for example, PCI-DSS, FedRAMP, HIPAA). Azure Stack Hub enables you to meet those requirements with no extra work or configuration required. For more information on how Azure Stack Hub helps you meet compliance standards, see the Microsoft Service Trust Portal.

Note

Data at rest encryption protects your data against being accessed by someone who physically stole one or more hard drives. Data at rest encryption doesn't protect against data being intercepted over the network (data in transit), data currently being used (data in memory), or, more generally, data being exfiltrated while the system is up and running.

Retrieving BitLocker recovery keys

Azure Stack Hub BitLocker keys for data at rest are internally managed. You aren't required to provide them for regular operations or during system startup. However, support scenarios may require BitLocker recovery keys to bring the system online.

Warning

Retrieve your BitLocker recovery keys and store them in a secure location outside of Azure Stack Hub. Not having the recovery keys during certain support scenarios may result in data loss and require a system restore from a backup image.

Retrieving the BitLocker recovery keys requires access to the privileged endpoint (PEP). From a PEP session, run the Get-AzsRecoveryKeys cmdlet.

# This cmdlet retrieves the recovery keys for all the volumes that are encrypted with BitLocker.
Get-AzsRecoveryKeys -raw

Parameters for the Get-AzsRecoveryKeys cmdlet:

Parameter:   raw
Description: Returns data mapping between recovery key, computer name, and password ID(s) of each encrypted volume.
Type:        Switch
Required:    No, but recommended
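The procedure above (open a PEP session, run Get-AzsRecoveryKeys -raw, keep the result outside Azure Stack Hub) as one end-to-end operator script. This is an added example, not code from the Azure Stack Hub documentation; the PEP address, the CloudAdmin account and the destination path are placeholders you must replace, and the script assumes the PEP is reachable from the operator workstation. It relies only on the documented PrivilegedEndpoint session configuration, Get-AzsRecoveryKeys and Close-PrivilegedEndpoint, and makes no assumption about the property names the cmdlet returns.

```powershell
# Added example (not from the Azure Stack Hub docs): retrieve the BitLocker
# recovery keys over the privileged endpoint (PEP) and store them off the stamp.
# Placeholders below are assumptions; replace them with your environment's values.

$pepAddress  = '<PEP IP address or name>'   # placeholder: one of the ERCS VM addresses
$cloudAdmin  = 'azurestack\CloudAdmin'       # placeholder: operator account used for the PEP
$destination = 'D:\recovery-keys'            # placeholder: removable media kept outside Azure Stack Hub

$cred = Get-Credential -UserName $cloudAdmin -Message 'CloudAdmin credentials for the PEP'

# The PEP is a constrained PowerShell endpoint named PrivilegedEndpoint.
$session = New-PSSession -ComputerName $pepAddress `
                         -ConfigurationName PrivilegedEndpoint `
                         -Credential $cred

try {
    # -raw returns the mapping between recovery key, computer name and password ID
    # for every BitLocker-encrypted volume.
    $keys = Invoke-Command -Session $session -ScriptBlock { Get-AzsRecoveryKeys -raw }

    if (-not $keys) {
        throw 'Get-AzsRecoveryKeys returned no data; do not treat this run as a valid backup of the keys.'
    }

    if (-not (Test-Path $destination)) {
        New-Item -ItemType Directory -Path $destination | Out-Null
    }
    $file = Join-Path $destination ('AzsRecoveryKeys-{0:yyyyMMdd-HHmm}.xml' -f (Get-Date))

    # Export-Clixml preserves whatever object shape the cmdlet returns, so the
    # script does not depend on specific property names.
    $keys | Export-Clixml -Path $file
    Write-Host ("Recovery keys written to {0} ({1} entries)." -f $file, @($keys).Count)
}
finally {
    # Close-PrivilegedEndpoint ends the session on the PEP side (and ships its transcript);
    # Remove-PSSession releases the local side.
    Invoke-Command -Session $session -ScriptBlock { Close-PrivilegedEndpoint } -ErrorAction SilentlyContinue
    Remove-PSSession $session -ErrorAction SilentlyContinue
}
```

Run it from an operator workstation with access to the PEP, then verify the exported file opens with Import-Clixml before moving the media into offline storage; the check for an empty result matters because a run that produces an empty file would look like a successful key backup until the keys are actually needed.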

Troubleshoot issues

In extreme circumstances, a BitLocker unlock request could fail, resulting in a specific volume not booting. Depending on the availability of some components of the architecture, this failure could result in downtime and potential data loss if you don't have your BitLocker recovery keys.

Warning

Retrieve your BitLocker recovery keys and store them in a secure location outside of Azure Stack Hub. Not having the recovery keys during certain support scenarios may result in data loss and require a system restore from a backup image.

If you suspect your system is experiencing issues with BitLocker, such as Azure Stack Hub failing to start, contact support. Support requires your BitLocker recovery keys. The majority of BitLocker-related issues can be resolved with a FRU operation for that specific VM/host/volume. For the other cases, a manual unlocking procedure using the BitLocker recovery keys can be done. If the BitLocker recovery keys aren't available, the only option is to restore from a backup image. Depending on when the last backup was done, you may experience data loss.

Next steps