Step 2: Software-protected key to HSM-protected key migration

Applies to: Active Directory Rights Management Services, Azure Information Protection

These instructions are part of the migration path from AD RMS to Azure Information Protection, and they apply only if your AD RMS key is software-protected and you want to migrate to Azure Information Protection with an HSM-protected tenant key in Azure Key Vault.

If this is not your chosen configuration scenario, go back to Step 4. Export configuration data from AD RMS and import it to Azure RMS and choose a different configuration.

This is a four-part procedure that imports the AD RMS configuration into Azure Information Protection so that you end up with an Azure Information Protection tenant key that you manage yourself (BYOK) in Azure Key Vault.

You must first extract your server licensor certificate (SLC) key from the AD RMS configuration data and transfer it to an on-premises nCipher HSM; next, package and transfer the HSM key to Azure Key Vault; then authorize the Azure Rights Management service from Azure Information Protection to access your key vault; and finally import the configuration data.

Because your Azure Information Protection tenant key will be stored and managed by Azure Key Vault, this part of the migration requires administration in Azure Key Vault in addition to Azure Information Protection. If Azure Key Vault is managed for your organization by a different administrator than you, you must coordinate with that administrator to complete these procedures.

Before you begin, make sure that your organization has a key vault created in Azure Key Vault and that it supports HSM-protected keys (the Premium service tier). Although it's not required, we recommend a dedicated key vault for Azure Information Protection. This key vault will be configured to allow the Azure Rights Management service from Azure Information Protection to access it, and a Key Vault access policy grants permissions on every key in the vault rather than on a single key, so the keys that this key vault stores should be limited to Azure Information Protection keys only.

Tip

If you are doing the configuration steps for Azure Key Vault and you are not familiar with this Azure service, you might find it useful to first review Get started with Azure Key Vault.

Part 1: Extract your SLC key from the configuration data and import the key to your on-premises HSM

  1. Azure Key Vault administrator: For each exported SLC key that you want to store in Azure Key Vault, use the following steps in the Implementing bring your own key (BYOK) for Azure Key Vault section of the Azure Key Vault documentation:

    Do not follow the steps to generate your tenant key, because you already have the equivalent in the exported configuration data (.xml) file. Instead, you will run a tool to extract this key from the file and import it to your on-premises HSM. The tool creates two files when you run it:

    • A new configuration data file without the key, which is then ready to be imported to your Azure Information Protection tenant.

    • A PEM file (key container) with the key, which is then ready to be imported to your on-premises HSM.

  2. Azure Information Protection administrator or Azure Key Vault administrator: On the disconnected workstation, run the TpdUtil tool from the Azure RMS migration toolkit. For example, if the tool is installed on your E drive, where you have also copied your configuration data file named ContosoTPD.xml:

    E:\TpdUtil.exe /tpd:ContosoTPD.xml /otpd:ContosoTPD.xml /opem:ContosoTPD.pem
    

    Note that this command points /otpd at the same file name as the input, so the keyless output replaces the original export in the current folder. If you want to keep the original export, give /otpd a different name, or omit it and accept the default _keyless suffix described below.

    If you have more than one RMS configuration data file, run this tool for each of the remaining files.

    To see Help for this tool, which includes a description, usage, and examples, run TpdUtil.exe with no parameters.

    Additional information for this command:

    • /tpd: specifies the full path and name of the exported AD RMS configuration data file. The full parameter name is TpdFilePath.

    • /otpd: specifies the output file name for the configuration data file without the key. The full parameter name is OutPfxFile. If you do not specify this parameter, the output file defaults to the original file name with the suffix _keyless, and it is stored in the current folder.

    • /opem: specifies the output file name for the PEM file, which contains the extracted key. The full parameter name is OutPemFile. If you do not specify this parameter, the output file defaults to the original file name with the suffix _key, and it is stored in the current folder.

    • If you don't specify the password when you run this command (by using the TpdPassword full parameter name or the pwd short parameter name), you are prompted for it.

  3. On the same disconnected workstation, attach and configure your nCipher HSM according to your nCipher documentation. You can now import your key into the attached nCipher HSM by using the following command, substituting your own file name for ContosoTPD.pem:

    generatekey --import simple pemreadfile=e:\ContosoTPD.pem plainname=ContosoBYOK protect=module ident=contosobyok type=RSA
    

    Note

    If you have more than one file, choose the file that corresponds to the HSM key that you want to use in Azure RMS to protect content after the migration.

    This generates output similar to the following:

    key generation parameters:
     operation      Operation to perform                  import
     application    Application                           simple
     verify         Verify security of configuration key  yes
     type           Key type                              RSA
     pemreadfile    PEM file containing RSA key           e:\ContosoTPD.pem
     ident          Key identifier                        contosobyok
     plainname      Key name                              ContosoBYOK
    Key successfully imported.
    Path to key: C:\ProgramData\nCipher\Key Management Data\local\key_simple_contosobyok

This output confirms that the private key is now migrated to your on-premises nCipher HSM, with a module-protected (encrypted) copy saved as a key file (in our example, key_simple_contosobyok).

Now that your SLC key has been extracted and imported to your on-premises HSM, you're ready to package the HSM-protected key and transfer it to Azure Key Vault.

Important

When you have completed this step, securely erase the PEM files from the disconnected workstation so that they cannot be accessed by unauthorized people. Deleting the files is not enough on its own: after you delete them, run cipher /w:E:\ to overwrite the free space on the E: drive so that the deleted data cannot be recovered. (cipher /w only scrubs unused disk space; it does not delete files that still exist, so delete the PEM files first.)
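The following PowerShell script is an added example, not part of the original page or the Azure RMS migration toolkit. It runs TpdUtil over every exported configuration file on the disconnected workstation, checks that both output files exist before anything touches the HSM, imports only the PEM for the key that is active in AD RMS, and then performs the delete-then-wipe sequence described above. It assumes the tool is at E:\TpdUtil.exe, the exports are in E:\tpd, the active export is named ContosoTPD.xml, that TpdUtil accepts the password as /pwd:<password> and returns exit code 0 on success, and that generatekey also returns a non-zero exit code on failure; verify each of those against the tool's own help output before relying on it.

```powershell
# Added example (not the migration toolkit's own code). Batch-run TpdUtil, verify its
# outputs, import the active key into the nCipher HSM, then securely erase the PEMs.
# Assumptions: tool at E:\TpdUtil.exe, exports in E:\tpd, active export ContosoTPD.xml,
# TpdUtil takes /pwd:<password> and exits 0 on success, generatekey exits 0 on success.
$ToolPath  = 'E:\TpdUtil.exe'
$ExportDir = 'E:\tpd'
$ActiveTpd = 'ContosoTPD.xml'   # the export whose SLC key is active in AD RMS

$TpdPassword   = Read-Host -Prompt 'Password used when exporting the AD RMS configuration' -AsSecureString
$PlainPassword = [System.Net.NetworkCredential]::new('', $TpdPassword).Password

$results = foreach ($tpd in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
    # Never reuse the input name for /otpd: that would overwrite the original export.
    $keyless = Join-Path $ExportDir ($tpd.BaseName + '_keyless.xml')
    $pem     = Join-Path $ExportDir ($tpd.BaseName + '.pem')

    & $ToolPath "/tpd:$($tpd.FullName)" "/otpd:$keyless" "/opem:$pem" "/pwd:$PlainPassword"
    $ok = ($LASTEXITCODE -eq 0) -and (Test-Path $keyless) -and (Test-Path $pem)

    [pscustomobject]@{ Source = $tpd.Name; Keyless = $keyless; Pem = $pem; Succeeded = $ok }
}
$PlainPassword = $null   # the clear-text password is no longer needed
$results | Format-Table -AutoSize

if ($results.Succeeded -contains $false) {
    throw 'TpdUtil failed for at least one file; fix that before importing anything into the HSM.'
}

# Import only the PEM that corresponds to the SLC key Azure RMS will protect content with.
$activePem = ($results | Where-Object Source -eq $ActiveTpd).Pem
if (-not $activePem) { throw "No PEM was produced for $ActiveTpd" }

& generatekey --import simple "pemreadfile=$activePem" plainname=ContosoBYOK protect=module ident=contosobyok type=RSA
if ($LASTEXITCODE -ne 0) {
    throw 'generatekey reported an error; keep the PEM files until the import succeeds.'
}

# Secure erase. cipher /w only overwrites free space, so the PEMs must be deleted first;
# the wipe then makes the deleted clear-text key material unrecoverable.
$results.Pem | Remove-Item -Force
cipher.exe /w:E:\
```

The keyless .xml files are left in place because they are what Part 3 imports into Azure Information Protection; only the PEM files carry the private key and need the wipe.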

Part 2: Package and transfer your HSM key to Azure Key Vault

Azure Key Vault administrator: For each exported SLC key that you want to store in Azure Key Vault, use the following steps from the Implementing bring your own key (BYOK) for Azure Key Vault section of the Azure Key Vault documentation:

Do not follow the steps to generate your key pair, because you already have the key. Instead, you will run a command to transfer this key (in our example, the KeyIdentifier parameter uses contosobyok) from your on-premises HSM.

Before you transfer your key to Azure Key Vault, make sure that the KeyTransferRemote.exe utility returns Result: SUCCESS when you create a copy of your key with reduced permissions (step 4.1) and when you encrypt your key (step 4.3). Do not proceed past a step that reports anything else.

When the key uploads to Azure Key Vault, you see the key's properties displayed, including the key ID. It will look similar to https://contosorms-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333 (the host name is your vault name, followed by the key name and version). Make a note of this URL, because the Azure Information Protection administrator will need it to tell the Azure Rights Management service from Azure Information Protection to use this key for its tenant key.

Then use the Set-AzKeyVaultAccessPolicy cmdlet to authorize the Azure Rights Management service principal (the well-known application ID 00000012-0000-0000-c000-000000000000) to access the key vault. The key permissions required are decrypt, encrypt, unwrapkey, wrapkey, verify, sign, and get. Grant key permissions only; the service does not need access to secrets or certificates in the vault.

For example, if the key vault that you created for Azure Information Protection is named contosorms-byok-kv and your resource group is named contosorms-byok-rg, run the following command:

Set-AzKeyVaultAccessPolicy -VaultName "contosorms-byok-kv" -ResourceGroupName "contosorms-byok-rg" -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get
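The following PowerShell is an added example, not part of the original page or of Microsoft's documentation. It wraps the access-policy step above with the checks a Key Vault administrator would want: it confirms the uploaded key really is HSM-protected (key type RSA-HSM rather than a software-protected RSA key), captures the key URL that the Azure Information Protection administrator needs, grants the Azure Rights Management service exactly the key permissions listed above, and then reads the policy back and verifies it rather than trusting the cmdlet's silence. It assumes the Az.KeyVault and Az.Resources modules and an existing Connect-AzAccount session; the vault, resource group and key names are the page's sample values.

```powershell
# Added example (not from the page or Microsoft docs). Verify the BYOK key, grant the
# Azure Rights Management service its key permissions, and verify the resulting policy.
# Assumes Az.KeyVault + Az.Resources and an existing Connect-AzAccount session.
$VaultName     = 'contosorms-byok-kv'
$ResourceGroup = 'contosorms-byok-rg'
$KeyName       = 'contosorms-byok'
$RmsAppId      = '00000012-0000-0000-c000-000000000000'   # Azure Rights Management service
$RequiredPerms = 'decrypt', 'encrypt', 'unwrapkey', 'wrapkey', 'verify', 'sign', 'get'

# 1. The key must be RSA-HSM. A plain RSA key would mean the BYOK transfer did not
#    land in the HSM pool, which defeats the purpose of this migration path.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if (-not $key) { throw "Key $KeyName was not found in $VaultName" }
if ($key.Key.Kty -ne 'RSA-HSM') {
    throw "Key $KeyName in $VaultName has type '$($key.Key.Kty)', not RSA-HSM; re-run the BYOK transfer."
}
Write-Host "Key URL for Import-AipServiceTpd -KeyVaultStringUrl: $($key.Id)"

# 2. Grant the service principal key permissions only (no secrets, no certificates).
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -ServicePrincipalName $RmsAppId -PermissionsToKeys $RequiredPerms

# 3. Read the policy back. The policy is stored against the service principal's
#    object ID, so resolve the well-known application ID to that object first.
$rmsSp  = Get-AzADServicePrincipal -ApplicationId $RmsAppId
$vault  = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
$policy = $vault.AccessPolicies | Where-Object ObjectId -eq $rmsSp.Id
if (-not $policy) { throw 'No access policy exists for the Azure Rights Management service principal.' }

$missing = $RequiredPerms | Where-Object { $_ -notin $policy.PermissionsToKeys }
if ($missing) { throw "Access policy is missing key permissions: $($missing -join ', ')" }

if ($policy.PermissionsToSecrets -or $policy.PermissionsToCertificates) {
    Write-Warning 'The Azure RMS service principal also has secret or certificate permissions; remove them.'
}
Write-Host "Access policy for $RmsAppId on $VaultName verified."
```

If the vault uses Azure RBAC instead of access policies, the Set-AzKeyVaultAccessPolicy call is rejected and the equivalent role assignment has to be made instead; the key-type check and the key URL capture still apply.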

Now that you've transferred your HSM key to Azure Key Vault, you're ready to import your AD RMS configuration data.

Part 3: Import the configuration data to Azure Information Protection

  1. Azure Information Protection administrator: On the internet-connected workstation, in the PowerShell session, copy over your new configuration data files (.xml) that had the SLC key removed when you ran the TpdUtil tool. Do not copy the original exports, because those still contain the SLC private key.

  2. Upload each .xml file by using the Import-AipServiceTpd cmdlet. For example, you should have at least one additional file to import if you upgraded your AD RMS cluster for Cryptographic Mode 2.

    To run this cmdlet, you need the password that you specified earlier for the configuration data file, and the URL for the key that was identified in the previous step.

    For example, using a configuration data file of C:\contoso_keyless.xml and our key URL value from the previous step, first run the following to store the password:

    $TPD_Password = Read-Host -AsSecureString
    

    Enter the password that you specified when you exported the configuration data file. Then run the following command and confirm that you want to perform this action:

    Import-AipServiceTpd -TpdFile "C:\contoso_keyless.xml" -ProtectionPassword $TPD_Password -KeyVaultStringUrl https://contosorms-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333 -Verbose
    

    As part of this import, the SLC key is imported and automatically set as archived.

  3. When you have uploaded each file, run Set-AipServiceKeyProperties to specify which imported key matches the currently active SLC key in your AD RMS cluster.

  4. Use the Disconnect-AipServiceService cmdlet to disconnect from the Azure Rights Management service:

    Disconnect-AipServiceService
    

If you later need to confirm which key your Azure Information Protection tenant key is using in Azure Key Vault, use the Get-AipServiceKeys Azure RMS cmdlet.
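The following PowerShell is an added example that is not part of the original page; it strings steps 2 to 4 above together for a tenant with more than one keyless configuration file. It assumes the AIPService module, an existing Connect-AipService session, the page's sample key URL, and a hypothetical second keyless file C:\contoso_mode2_keyless.xml. The mapping of each keyless file to a Key Vault key URL and the KeyIdentifier of the key that matches your AD RMS cluster's active SLC key are placeholders that you must fill in from your own environment; the Get-AipServiceKeys calls before and after activation are there so that you can see the archived/active state change instead of assuming it.

```powershell
# Added example (not from the page). Import every keyless TPD file, activate the key
# that matches the AD RMS cluster's active SLC key, verify, and disconnect.
# Assumptions: AIPService module, existing Connect-AipService session, placeholders below.
$Imports = @{
    # keyless TPD file               = Key Vault URL of the HSM key transferred for that TPD
    'C:\contoso_keyless.xml'       = 'https://contosorms-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333'
    'C:\contoso_mode2_keyless.xml' = '<key URL for the Cryptographic Mode 2 TPD, if you transferred one>'
}
# KeyIdentifier (from Get-AipServiceKeys) of the imported key that is active in AD RMS.
$ActiveKeyIdentifier = '<KeyIdentifier of the key that matches your AD RMS active SLC key>'

$TPD_Password = Read-Host -Prompt 'Password used to export the configuration data' -AsSecureString

foreach ($file in $Imports.Keys) {
    if (-not (Test-Path -Path $file)) { throw "Missing configuration data file: $file" }
    # Each import lands as an archived key; nothing becomes active until step 3 below.
    Import-AipServiceTpd -TpdFile $file -ProtectionPassword $TPD_Password `
        -KeyVaultStringUrl $Imports[$file] -Verbose
}

Write-Host 'Tenant keys after import (all imported keys should be archived):'
Get-AipServiceKeys | Format-List

# Mark the key that matches the currently active AD RMS SLC key as the active tenant key,
# so content protected before the migration keeps working after it.
Set-AipServiceKeyProperties -KeyIdentifier $ActiveKeyIdentifier -Active $true

Write-Host 'Tenant keys after activation (exactly one key should now be active):'
Get-AipServiceKeys | Format-List

Disconnect-AipServiceService
```

If the key you activated does not show the Key Vault URL you recorded in Part 2, stop before Step 5 and correct the import: activating the wrong key means the tenant would protect new content with a key that does not match the AD RMS cluster's active SLC key.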

You're now ready to go to Step 5. Activate the Azure Rights Management service.