
Frequently asked questions (FAQ)

Find answers to common questions about Microsoft Azure Dedicated HSM.

The Basics

Q: What is a hardware security module (HSM)?

A Hardware Security Module (HSM) is a physical computing device used to safeguard and manage cryptographic keys. Keys stored in HSMs can be used for cryptographic operations. The key material stays safely in tamper-resistant, tamper-evident hardware modules. The HSM only allows authenticated and authorized applications to use the keys. The key material never leaves the HSM protection boundary.

Q: What is the Azure Dedicated HSM offering?

Azure Dedicated HSM is a cloud-based service that provides HSMs hosted in Azure datacenters that are directly connected to a customer's virtual network. These HSMs are dedicated network appliances (Gemalto's SafeNet Network HSM 7 Model A790). They are deployed directly into a customer's private IP address space, and Microsoft does not have any access to the cryptographic functionality of the HSMs. Only the customer has full administrative and cryptographic control over these devices. Customers are responsible for the management of the device, and they can get full activity logs directly from their devices. Dedicated HSMs help customers meet compliance/regulatory requirements such as FIPS 140-2 Level 3, HIPAA, PCI-DSS, eIDAS, and many others.

Q: What hardware is used for Dedicated HSM?

Microsoft has partnered with Gemalto to deliver the Azure Dedicated HSM service. The specific device used is the SafeNet Luna Network HSM 7 Model A790. This device not only provides FIPS 140-2 Level 3 validated firmware, but also offers low latency, high performance, and high capacity via 10 partitions.

Q: What is an HSM used for?

HSMs are used for storing cryptographic keys that are used for cryptographic functionality such as SSL (secure socket layer), encrypting data, PKI (public key infrastructure), DRM (digital rights management), and signing documents.

Q: How does Dedicated HSM work?

Customers can provision HSMs in specific regions using PowerShell or the command-line interface. The customer specifies which virtual network the HSMs will be connected to; once provisioned, the HSMs are available in the designated subnet at assigned IP addresses in the customer's private IP address space. Customers can then connect to the HSMs using SSH for appliance management and administration, set up HSM client connections, initialize HSMs, create partitions, and define and assign roles such as partition officer, crypto officer, and crypto user. The customer then uses the Gemalto-provided HSM client tools/SDK/software to perform cryptographic operations from their applications.
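As an added example (not code from this page or from Microsoft's own tutorials), the following Az PowerShell script provisions one HSM into an existing subnet through an in-line ARM template. The resource group, network and HSM names and the private IP are constructed placeholders; the resource type, API version, SKU string and stamp ID are assumptions about the provider schema that you should verify against your subscription.

```powershell
# Added example: provision one Dedicated HSM into an existing VNet subnet
# with Az PowerShell. Names, the private IP and the stamp ID are constructed
# placeholders; the resource type, apiVersion and SKU string are assumed to
# match the Microsoft.HardwareSecurityModules provider schema.
$rg       = 'hsm-rg'              # placeholder resource group (must exist)
$location = 'East US'             # one of the regions listed in this FAQ
$vnetName = 'hsm-vnet'            # placeholder existing virtual network
$subnet   = 'hsm-subnet'          # placeholder subnet reserved for HSMs
$hsmName  = 'hsm-01'
$hsmIp    = '10.2.0.120'          # constructed address inside that subnet

# Resolve the subnet resource ID the HSM will be attached to.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet).Id

# Template body built in-line. The appliance lands at $hsmIp in the
# customer's private address space; Microsoft has no cryptographic access.
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'Microsoft.HardwareSecurityModules/dedicatedHSMs'
            apiVersion = '2018-10-31-preview'                        # assumed API version
            name       = $hsmName
            location   = $location
            sku        = @{ name = 'SafeNet Luna Network HSM A790' } # assumed SKU string
            properties = @{
                networkProfile = @{
                    subnet            = @{ id = $subnetId }
                    networkInterfaces = @(@{ privateIpAddress = $hsmIp })
                }
                stampId = 'stamp1'   # assumed placement identifier required by the provider
            }
        }
    )
}

$deploy = New-AzResourceGroupDeployment -ResourceGroupName $rg `
    -Name "$hsmName-deploy" -TemplateObject $template -Verbose

# Check the outcome before handing the device to the HSM administrators.
if ($deploy.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deploy.ProvisioningState)'"
}
Get-AzResource -ResourceGroupName $rg -Name $hsmName |
    Select-Object Name, ResourceType, Location

# The remaining steps described in this FAQ happen over SSH from inside the
# VNet: log in as tenantadmin at $hsmIp, change that password first, then
# initialize the HSM, create partitions and assign the officer/user roles.
Write-Host "SSH target for appliance administration: tenantadmin@$hsmIp"
```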

Q: What software is provided with the Dedicated HSM service?

Gemalto supplies all software for the HSM device once it is provisioned by Microsoft. The software is available at the Gemalto customer support portal. Customers using the Dedicated HSM service are required to be registered for Gemalto support and to have a Customer ID that enables access to and download of the relevant software. The supported client software is version 7.2, which is compatible with the FIPS 140-2 Level 3 validated firmware version 7.0.3.

Q: Does Azure Dedicated HSM offer password-based and PED-based authentication?

At this time, Azure Dedicated HSM only provides HSMs with password-based authentication.

Q: Will Azure Dedicated HSM host my HSMs for me?

Microsoft only offers the Gemalto SafeNet Luna Network HSM via the Dedicated HSM service and cannot host any customer-provided devices.

Q: Does Azure Dedicated HSM support payment (PIN/ETF) features?

The Azure Dedicated HSM service uses SafeNet Luna Network HSM 7 (model A790) devices. These devices do not support payment-HSM-specific functionality (such as PIN or ETF) or certifications. If you would like the Azure Dedicated HSM service to support payment HSMs in the future, please pass on the feedback to your Microsoft Account Representative.

Q: Which Azure regions is Dedicated HSM available in?

As of late March 2019, Dedicated HSM is available in the 14 regions listed below. Further regions are planned and can be discussed with your Microsoft Account Representative.

  • East US
  • East US 2
  • West US
  • South Central US
  • Southeast Asia
  • East Asia
  • North Europe
  • West Europe
  • UK South
  • UK West
  • Canada Central
  • Canada East
  • Australia East
  • Australia Southeast

Interoperability

Q: How does my application connect to a Dedicated HSM?

You use the Gemalto-provided HSM client tools/SDK/software to perform cryptographic operations from your applications. The software is available at the Gemalto customer support portal. Customers using the Dedicated HSM service are required to be registered for Gemalto support and to have a Customer ID that enables access to and download of the relevant software.

Q: Can an application connect to Dedicated HSM from a different VNET in or across regions?

Yes. You will need to use VNET peering within a region to establish connectivity across virtual networks. For cross-region connectivity, you must use VPN Gateway.

Q: Can I synchronize Dedicated HSM with on-premises HSMs?

Yes, you can sync on-premises HSMs with Dedicated HSM. Point-to-point VPN or point-to-site connectivity can be used to establish connectivity with your on-premises network.

Q: Can I encrypt data used by other Azure services using keys stored in Dedicated HSM?

No. Azure Dedicated HSMs are only accessible from inside your virtual network.

Q: Can I import keys from an existing on-premises HSM to Dedicated HSM?

Yes, if you have on-premises Gemalto SafeNet HSMs. There are multiple methods; refer to the Gemalto HSM documentation.

Q: What operating systems are supported by Dedicated HSM client software?

  • Windows, Linux, Solaris, AIX, HP-UX, FreeBSD
  • Virtual: VMware, Hyper-V, Xen, KVM

Q: How do I configure my client application to create a high availability configuration with multiple partitions from multiple HSMs?

To have high availability, you need to set up your HSM client application configuration to use partitions from each HSM. Refer to the Gemalto HSM client software documentation.

Q: What authentication mechanisms are supported by Dedicated HSM?

Azure Dedicated HSM uses SafeNet Network HSM 7 appliances (model A790), which support password-based authentication.

Q: What SDKs, APIs, and client software are available to use with Dedicated HSM?

PKCS#11, Java (JCA/JCE), Microsoft CAPI and CNG, and OpenSSL.

Q: Can I import/migrate keys from Luna 5/6 HSMs to Azure Dedicated HSMs?

Yes. Please refer to the Gemalto migration guide.

Using your HSM

Q: How do I decide whether to use Azure Key Vault or Azure Dedicated HSM?

Azure Dedicated HSM is the appropriate choice for enterprises migrating on-premises applications that use HSMs to Azure. Dedicated HSMs present an option to migrate an application with minimal changes. If cryptographic operations are performed in the application's code running in an Azure VM or Web App, it can use Dedicated HSM. In general, shrink-wrapped software running in IaaS (infrastructure as a service) models that supports HSMs as a key store can use Dedicated HSM, such as Application Gateway or Traffic Manager for keyless SSL, ADCS (Active Directory Certificate Services) or similar PKI tools, tools/applications used for document signing or code signing, or a SQL Server (IaaS) configured with TDE (transparent database encryption) with the master key in an HSM using an EKM (extensible key management) provider. Azure Key Vault is suitable for "born-in-cloud" applications or for encryption-at-rest scenarios where customer data is processed by PaaS (platform as a service) or SaaS (software as a service) offerings, such as Office 365 Customer Key, Azure Information Protection, Azure Disk Encryption, Azure Data Lake Store encryption with customer-managed key, Azure Storage encryption with customer-managed key, and Azure SQL with customer-managed key.

Q: What usage scenarios best suit Azure Dedicated HSM?

Azure Dedicated HSM is most suitable for migration scenarios, that is, migrating on-premises applications that already use HSMs to Azure. This provides a low-friction option to migrate to Azure with minimal changes to the application. If cryptographic operations are performed in the application's code running in an Azure VM or Web App, Dedicated HSM may be used. In general, shrink-wrapped software running in IaaS (infrastructure as a service) models that supports HSMs as a key store can use Dedicated HSM, such as:

  • Application Gateway or Traffic Manager for keyless SSL
  • ADCS (Active Directory Certificate Services)
  • Similar PKI tools
  • Tools/applications used for document signing
  • Code signing
  • SQL Server (IaaS) configured with TDE (transparent database encryption) with the master key in an HSM using an EKM (extensible key management) provider

Q: Can Dedicated HSM be used with Office 365 Customer Key, Azure Information Protection, Azure Data Lake Store, Disk Encryption, Azure Storage encryption, or Azure SQL TDE?

No. Dedicated HSM is provisioned directly into a customer's private IP address space, so it is not accessible by other Azure or Microsoft services.

Administration, access, and control

Q: Does the customer get full exclusive control over the HSMs with Dedicated HSMs?

Yes. Each HSM appliance is fully dedicated to one single customer, and no one else has administrative control once it is provisioned and the administrator password has been changed.

Q: What level of access does Microsoft have to my HSM?

Microsoft does not have any administrative or cryptographic control over the HSM. Microsoft does have monitor-level access via a serial port connection to retrieve basic telemetry such as temperature and component health. This allows Microsoft to provide proactive notification of health issues. If required, the customer can disable this account.

Q: What is the "tenantadmin" account Microsoft uses? I am used to the admin user being "admin" on SafeNet HSMs.

The HSM device ships with a default user of admin with its usual default password. Microsoft did not want to have default passwords in use while any device is in a pool waiting to be provisioned by customers; this would not meet our strict security requirements. For this reason, we set a strong password, which is discarded at provisioning time. Also, at provisioning time we create a new user in the admin role called "tenantadmin". This user has the default password, and customers change it as the first action when first logging in to the newly provisioned device. This process ensures a high degree of security and maintains our promise of sole administrative control for our customers. It should be noted that the "tenantadmin" user can be used to reset the admin user password if a customer prefers to use that account.

Q: Can Microsoft or anyone at Microsoft access keys in my Dedicated HSM?

No. Microsoft does not have any access to the keys stored in a customer-allocated Dedicated HSM.

Q: Can I upgrade software/firmware on HSMs allocated to me?

To get the best support, Microsoft strongly recommends not upgrading software/firmware on the HSM. However, the customer does have full administrative control, including upgrading software/firmware if specific features are required from different firmware versions. Before making changes, the implications must be understood, as this could, for example, affect FIPS validated status.

Q: How do I manage Dedicated HSM?

You can manage Dedicated HSMs by accessing them using SSH.

Q: How do I manage partitions on the Dedicated HSM?

The Gemalto HSM client software is used to manage the HSMs and partitions.

Q: How do I monitor my HSM?

A customer has full access to HSM activity logs via syslog and SNMP. A customer will need to set up a syslog server or SNMP server to receive the logs or events from the HSMs.

Q: Can I get a full access log of all HSM operations from Dedicated HSM?

Yes. You can send logs from the HSM appliance to a syslog server.

High availability

Q: Is it possible to configure high availability in the same region or across multiple regions?

Yes. High availability configuration and setup are performed in the HSM client software provided by Gemalto. HSMs from the same VNET, from other VNETs in the same region or across regions, or on-premises HSMs connected to a VNET using site-to-site or point-to-point VPN can be added to the same high availability configuration. It should be noted that this synchronizes key material only, and not specific configuration items such as roles.

Q: Can I add HSMs from my on-premises network to a high availability group with Azure Dedicated HSM?

Yes. They must meet the high availability requirements for SafeNet Luna Network HSM 7.

Q: Can I add Luna 5/6 HSMs from on-premises networks to a high availability group with Azure Dedicated HSM?

No.

Q: How many HSMs can I add to the same high availability configuration from one single application?

An HA group of 16 members has undergone full-throttle testing with excellent results.

Support

Q: What is the SLA for the Dedicated HSM service?

There is no specific uptime guarantee provided for the Dedicated HSM service. Microsoft will ensure network-level access to the device, and hence standard Azure networking SLAs apply.

Q: How are the HSMs used in Azure Dedicated HSM protected?

Azure datacenters have extensive physical and procedural security controls. In addition, Dedicated HSMs are hosted in a further restricted-access area of the datacenter. These areas have additional physical access controls and video camera surveillance for added security.

Q: What happens if there is a security breach or hardware tampering event?

The Dedicated HSM service uses SafeNet Network HSM 7 appliances. These appliances support physical and logical tamper detection. If there is ever a tamper event, the HSMs are automatically zeroized.

Q: How do I ensure that keys in my Dedicated HSMs are not lost due to error or a malicious insider attack?

It is highly recommended to use an on-premises HSM backup device to perform regular periodic backups of the HSMs for disaster recovery. You will need a peer-to-peer or site-to-site VPN connection to an on-premises workstation connected to an HSM backup device.

Q: How do I get support for Dedicated HSM?

Support is provided by both Microsoft and Gemalto. If you have an issue with the hardware or network access, raise a support request with Microsoft; if you have an issue with HSM configuration, software, or application development, raise a support request with Gemalto. If you have an undetermined issue, raise a support request with Microsoft, and Gemalto can then be engaged as required.

Q: How do I get the client software, documentation, and access to integration guidance for the SafeNet Luna 7 HSM?

After registering for the service, a Gemalto Customer ID is provided that allows registration in the Gemalto customer support portal. This enables access to all software and documentation, as well as raising support requests directly with Gemalto.

Q: If a security vulnerability is found and a patch is released by Gemalto, who is responsible for upgrading/patching the OS/firmware?

Microsoft does not have the ability to connect to HSMs allocated to customers. Customers must upgrade and patch their HSMs.

Q: What if I need to reboot my HSM?

The HSM has a command-line reboot option; however, we are intermittently experiencing reboot hang issues, so for the safest reboot it is recommended that you raise a support request with Microsoft to have the device physically rebooted.

Cryptography and standards

Q: Is it safe to store encryption keys for my most important data in Dedicated HSM?

Yes, Dedicated HSM provisions SafeNet Network HSM 7 appliances that use FIPS 140-2 Level 3 validated HSMs.

Q: What cryptographic keys and algorithms are supported by Dedicated HSM?

The Dedicated HSM service provisions SafeNet Network HSM 7 appliances. They support a wide range of cryptographic key types and algorithms, including full Suite B support:

  • Asymmetric:
    • RSA
    • DSA
    • Diffie-Hellman
    • Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named, user-defined, and Brainpool curves
    • KCDSA
  • Symmetric:
    • AES-GCM
    • Triple DES
    • DES
    • ARIA, SEED
    • RC2
    • RC4
    • RC5
    • CAST
  • Hash/Message Digest/HMAC: SHA-1, SHA-2, SM3
  • Key Derivation: SP800-108 Counter Mode
  • Key Wrapping: SP800-38F
  • Random Number Generation: FIPS 140-2 approved DRBG (SP 800-90 CTR mode), complying with BSI DRG.4

Q: Is Dedicated HSM FIPS 140-2 Level 3 validated?

Yes. The Dedicated HSM service provisions SafeNet Network HSM 7 appliances that use FIPS 140-2 Level 3 validated HSMs.

Q: What do I need to do to make sure I operate Dedicated HSM in FIPS 140-2 Level 3 validated mode?

The Dedicated HSM service provisions SafeNet Luna Network HSM 7 appliances. These appliances use FIPS 140-2 Level 3 validated HSMs. The default deployed configuration, operating system, and firmware are also FIPS validated. You do not need to take any action for FIPS 140-2 Level 3 compliance.

Q: How does a customer ensure that when an HSM is deprovisioned all the key material is wiped out?

Before requesting deprovisioning, a customer must have zeroized the HSM using the Gemalto-provided HSM client tools.

Performance and scale

Q: How many cryptographic operations are supported per second with Dedicated HSM?

Dedicated HSM provisions SafeNet Network HSM 7 appliances (model A790). Here is a summary of maximum performance for some operations:

  • RSA-2048: 10,000 transactions per second
  • ECC P256: 20,000 transactions per second
  • AES-GCM: 17,000 transactions per second

Q: How many partitions can be created in Dedicated HSM?

The SafeNet Luna HSM 7 model A790 used includes a license for 10 partitions in the cost of the service. The device has a limit of 100 partitions; adding partitions up to this limit incurs extra licensing costs and requires installation of a new license file on the device.

Q: How many keys can be supported in Dedicated HSM?

The maximum number of keys is a function of the available memory. The SafeNet Luna 7 model A790 in use has 32 MB of memory. The following numbers also apply to key pairs when using asymmetric keys.

  • RSA-2048 - 19,000
  • ECC-P256 - 91,000

Capacity will vary depending on the specific key attributes set in the key generation template and on the number of partitions.