
What is Azure Dedicated HSM?

Azure Dedicated HSM is an Azure service that provides cryptographic key storage in Azure. Dedicated HSM meets the most stringent security requirements. It's the ideal solution for customers who require FIPS 140-2 Level 3-validated devices and complete and exclusive control of the HSM appliance.

HSM devices are deployed globally across several Azure regions. They can be easily provisioned as a pair of devices and configured for high availability. HSM devices can also be provisioned across regions to protect against a regional-level failure. Microsoft delivers the Dedicated HSM service by using the SafeNet Luna Network HSM 7 (Model A790) appliance from Gemalto. This device offers the highest levels of performance and cryptographic integration options.

After they're provisioned, HSM devices are connected directly to a customer's virtual network. They can also be accessed by on-premises application and management tools when you configure point-to-site or site-to-site VPN connectivity. Customers get the software and documentation to configure and manage HSM devices from Gemalto's support portal.

Why use Azure Dedicated HSM?

FIPS 140-2 Level 3 compliance

Many organizations are subject to stringent industry regulations that dictate that cryptographic key storage meets FIPS 140-2 Level 3 requirements. Microsoft's multi-tenant Azure Key Vault service currently provides only FIPS 140-2 Level 2 certification. Azure Dedicated HSM fulfills a real need for the financial services industry, government agencies, and others who must meet FIPS 140-2 Level 3 requirements.

Single-tenant devices

Many of our customers have a requirement for single tenancy of the cryptographic storage device. The Azure Dedicated HSM service enables them to provision a physical device from one of Microsoft's globally distributed datacenters. After it's provisioned to a customer, only that customer can access the device.

Full administrative control

Many customers require full administrative control and sole access to their device for administrative purposes. After a device is provisioned, only the customer has administrative or application-level access to the device.

Microsoft has no administrative control after the customer accesses the device for the first time, at which point the customer changes the password. From that point, the customer is a true single tenant with full administrative control and application-management capability. Microsoft does maintain monitor-level access (not an admin role) for telemetry via a serial port connection. This access covers hardware monitors such as temperature, power supply health, and fan health.

The customer is free to disable this monitoring if needed. However, if they disable it, they won't receive proactive health alerts from Microsoft.

High performance

The Gemalto device was selected for this service for a variety of reasons. It offers broad cryptographic algorithm support, a variety of supported operating systems, and broad API support. The specific model that's deployed offers excellent performance, with 10,000 operations per second for RSA-2048. It supports 10 partitions that can be used for unique application instances. It is a low-latency, high-capacity, high-throughput device.

Unique cloud-based offering

Microsoft recognized a specific need for a unique set of customers. It is the only cloud provider that offers new customers a dedicated HSM service that is FIPS 140-2 Level 3-validated and offers such an extent of cloud-based and on-premises application integration.

Is Azure Dedicated HSM right for you?

Azure Dedicated HSM is a specialized service that addresses unique requirements for a specific type of large-scale organization. As a result, it's expected that the bulk of Azure customers will not fit the profile of use for this service. Many will find the Azure Key Vault service to be more appropriate and cost effective. To help you decide whether it's a fit for your requirements, we've identified the following criteria.

Best fit

Azure Dedicated HSM is most suitable for "lift-and-shift" scenarios that require direct and sole access to HSM devices. Examples include:

  • Migrating applications from on-premises to Azure Virtual Machines
  • Migrating applications that use the AWS CloudHSM Classic service from Amazon EC2 to Azure virtual machines (Amazon is not offering CloudHSM Classic to new customers)
  • Running shrink-wrapped software such as Apache/Nginx SSL offload, Oracle TDE, and ADCS in Azure Virtual Machines

Not a fit

Azure Dedicated HSM is not a good fit for the following type of scenario: Microsoft cloud services that support encryption with customer-managed keys (such as Azure Information Protection, Azure Disk Encryption, Azure Data Lake Store, Azure Storage, Azure SQL Database, and Customer Key for Office 365). These services are not integrated with Azure Dedicated HSM.

It depends

Whether Azure Dedicated HSM will work for you depends on a potentially complex mix of requirements and the compromises you can or cannot make. An example is the FIPS 140-2 Level 3 requirement. This requirement is common, and Dedicated HSM is currently the only option for meeting it. If such mandated requirements aren't relevant, then it's often a choice between Azure Key Vault and Dedicated HSM. Assess your requirements before making a decision.

Situations in which you will have to weigh your options include:

  • New code running in a customer's Azure virtual machine
  • SQL Server TDE in an Azure virtual machine
  • Azure Storage client-side encryption
  • SQL Server and Azure SQL DB Always Encrypted

Next steps

This is a highly specialized service. Therefore, we recommend that you fully understand the key concepts in this documentation set, including pricing, support, and service-level agreements.

The Gemalto integration guides help you provision HSMs into an existing virtual network environment. There are also how-to guides to help you determine how to set up your deployment architecture.