Step 2: HSM-protected key to HSM-protected key migration

Applies to: Active Directory Rights Management Services, Azure Information Protection

These instructions are part of the migration path from AD RMS to Azure Information Protection, and apply only if your AD RMS key is HSM-protected and you want to migrate to Azure Information Protection with an HSM-protected tenant key in Azure Key Vault.

If this is not your chosen configuration scenario, go back to Step 4, Export configuration data from AD RMS and import it to Azure RMS, and choose a different configuration.

Note

These instructions assume that your AD RMS key is module-protected, which is the most typical case.

This is a two-part procedure that imports your HSM key and AD RMS configuration into Azure Information Protection, resulting in an Azure Information Protection tenant key that is managed by you (BYOK).

Because your Azure Information Protection tenant key will be stored and managed by Azure Key Vault, this part of the migration requires administration in Azure Key Vault in addition to Azure Information Protection. If Azure Key Vault is managed for your organization by a different administrator, you must coordinate with that administrator to complete these procedures.

Before you begin, make sure that your organization has a key vault created in Azure Key Vault and that it supports HSM-protected keys. Although it is not required, we recommend a key vault dedicated to Azure Information Protection. This key vault will be configured to allow the Azure Rights Management service to access it, so the keys that it stores should be limited to Azure Information Protection keys only; any other key placed in the same vault becomes reachable by that service principal.

Tip

If you are doing the configuration steps for Azure Key Vault and you are not familiar with this Azure service, you might find it useful to first review Get started with Azure Key Vault.

Part 1: Transfer your HSM key to Azure Key Vault

These procedures are done by the administrator for Azure Key Vault.

  1. For each exported SLC key that you want to store in Azure Key Vault, follow the instructions in the Azure Key Vault documentation, Implementing bring your own key (BYOK) for Azure Key Vault, with the following exception:

    • Do not do the steps for Generate your tenant key, because you already have the equivalent from your AD RMS deployment. Instead, identify the keys used by your AD RMS server from the nCipher installation, prepare these keys for transfer, and then transfer them to Azure Key Vault.

      Encrypted key files for nCipher are named key_<keyAppName>_<keyIdentifier> locally on the server. For example: C:\Users\All Users\nCipher\Key Management Data\local\key_mscapi_f829e3d888f6908521fe3d91de51c25d27116a54. You will need the mscapi value as the keyAppName, and your own value for the key identifier, when you run the KeyTransferRemote command to create a copy of the key with reduced permissions.

      When the key has been uploaded to Azure Key Vault, you see the properties of the key displayed, which include the key ID. It will look similar to https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333. Make a note of this URL, because the Azure Information Protection administrator needs it to tell the Azure Rights Management service to use this key as its tenant key.

  2. On the internet-connected workstation, in a PowerShell session, use the Set-AzKeyVaultAccessPolicy cmdlet to authorize the Azure Rights Management service principal to access the key vault that will store the Azure Information Protection tenant key. The permissions required are decrypt, encrypt, unwrapkey, wrapkey, verify, and sign. Grant only key-operation permissions to this service principal; it does not need key-management permissions such as create, delete, or purge. Note that the example command below grants a narrower set (decrypt, sign, and get) than the list above; extend the policy to the full list if the service later reports that it cannot use the key.

    For example, if the key vault that you created for Azure Information Protection is named contoso-byok-kv, and your resource group is named contoso-byok-rg, run the following command:

    Set-AzKeyVaultAccessPolicy -VaultName "contoso-byok-kv" -ResourceGroupName "contoso-byok-rg" -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,sign,get
    

Now that you have prepared your HSM key in Azure Key Vault for the Azure Rights Management service from Azure Information Protection, you are ready to import your AD RMS configuration data.

Part 2: Import the configuration data to Azure Information Protection

These procedures are done by the administrator for Azure Information Protection.

  1. On the internet-connected workstation, in the PowerShell session, connect to the Azure Rights Management service by using the Connect-AipService cmdlet.

    Then upload each trusted publishing domain (.xml) file by using the Import-AipServiceTpd cmdlet. For example, you should have at least one additional file to import if you upgraded your AD RMS cluster to Cryptographic Mode 2.

    To run this cmdlet, you need the password that you specified earlier for each configuration data file, and the URL of the key that was identified in the previous step.

    For example, using a configuration data file of C:\contoso-tpd1.xml and our key URL value from the previous step, first run the following to store the password as a secure string:

    $TPD_Password = Read-Host -AsSecureString
    

    Enter the password that you specified when you exported the configuration data file. Then run the following command and confirm that you want to perform this action:

    Import-AipServiceTpd -TpdFile "C:\contoso-tpd1.xml" -ProtectionPassword $TPD_Password -KeyVaultKeyUrl https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333 -Verbose
    

    As part of this import, the SLC key is imported and automatically set as archived.

  2. When you have uploaded each file, run Set-AipServiceKeyProperties to specify which imported key matches the currently active SLC key in your AD RMS cluster. This key becomes the active tenant key for your Azure Rights Management service.

  3. Use the Disconnect-AipServiceService cmdlet to disconnect from the Azure Rights Management service:

    Disconnect-AipServiceService
    
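The procedure above (Part 1 step 2 and all of Part 2) as one PowerShell script, with the checks a practitioner would want before granting access and after activating the key. This is an added example, not Microsoft's own script or code from the original page. The vault name, resource group, key name, TPD file paths, and the property names read from Get-AipServiceKeys output (KeyIdentifier, Status) are assumptions; the Azure Rights Management application ID and the permission list come from the text above.

```powershell
# Added example (not from the original page). Requires the Az.KeyVault and AIPService modules.
# Part 1 runs as the Key Vault administrator, Part 2 as the Azure Information Protection administrator.

$VaultName     = 'contoso-byok-kv'                        # assumed vault name
$ResourceGroup = 'contoso-byok-rg'                        # assumed resource group
$KeyName       = 'contosorms-byok'                        # assumed: name given to the key at BYOK transfer
$AzureRmsAppId = '00000012-0000-0000-c000-000000000000'   # Azure Rights Management service principal (from the page)
$TpdFiles      = @('C:\contoso-tpd1.xml', 'C:\contoso-tpd2.xml')  # assumed: one file per exported TPD (e.g. Mode 1 and Mode 2)

# --- Part 1, step 2: Key Vault administrator -------------------------------------------

# The vault must exist. Purge protection is a hardening check added here: without it a deleted
# tenant key cannot be recovered, and every document protected with it becomes unreadable.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault) { throw "Key vault $VaultName not found in resource group $ResourceGroup" }
if (-not $vault.EnablePurgeProtection) {
    Write-Warning "Purge protection is not enabled on $VaultName; a purged tenant key is unrecoverable."
}

# The transferred key must be HSM-backed for this migration scenario (key type RSA-HSM).
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if (-not $key) { throw "Key $KeyName not found in $VaultName; transfer it with the BYOK tooling first" }
if ($key.Key.Kty -ne 'RSA-HSM') {
    throw "Key $KeyName has type '$($key.Key.Kty)', not RSA-HSM"
}
$KeyVaultKeyUrl = $key.Id    # e.g. https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/<version>
Write-Host "Tenant key URL to hand to the AIP administrator: $KeyVaultKeyUrl"

# Grant the Azure RMS service principal only the key operations listed on the page.
# No create/delete/purge: the service uses the key, it does not manage it.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -ServicePrincipalName $AzureRmsAppId `
    -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign

# --- Part 2: Azure Information Protection administrator --------------------------------

Connect-AipService

# The TPD files were password-protected at export time; read the password without echoing it.
$TPD_Password = Read-Host -Prompt 'Password used when exporting the TPD files' -AsSecureString

foreach ($tpd in $TpdFiles) {
    if (-not (Test-Path -Path $tpd)) { throw "TPD file $tpd not found" }
    # Each import brings in one SLC key, which arrives in the archived state.
    Import-AipServiceTpd -TpdFile $tpd -ProtectionPassword $TPD_Password `
        -KeyVaultKeyUrl $KeyVaultKeyUrl -Verbose
}

# Choose the imported key that matches the SLC key currently active in the AD RMS cluster.
# Property names KeyIdentifier and Status are assumed from Get-AipServiceKeys output.
Get-AipServiceKeys | Format-Table -AutoSize
$ActiveKeyId = Read-Host -Prompt 'KeyIdentifier of the key matching the active AD RMS SLC key'
Set-AipServiceKeyProperties -KeyIdentifier $ActiveKeyId -Active $true

# Verify before moving on: exactly one key is active, and it is the one just selected.
$active = @(Get-AipServiceKeys | Where-Object { $_.Status -eq 'Active' })
if ($active.Count -ne 1 -or $active[0].KeyIdentifier -ne $ActiveKeyId) {
    throw "Unexpected tenant key state; review Get-AipServiceKeys output before Step 5"
}

Disconnect-AipServiceService
```

The access policy in this script grants the six key operations named in the text rather than the narrower decrypt, sign, get set shown in the page's own command; either way the service principal receives no key-management permissions, so a compromise of that identity cannot delete or rotate the tenant key.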

If you later need to confirm which key in Azure Key Vault your Azure Information Protection tenant key is using, use the Get-AipServiceKeys Azure RMS cmdlet.

You are now ready to go to Step 5, Activate the Azure Rights Management service.