Microsoft-managed: Tenant key life cycle operations

Applies to: Azure Information Protection, Office 365

If Microsoft manages your tenant key for Azure Information Protection (the default), use the following sections for more information about the life cycle operations that are relevant to this topology.

Revoke your tenant key

When you cancel your subscription for Azure Information Protection, Azure Information Protection stops using your tenant key and no action is needed from you.

Rekey your tenant key

Rekeying is also known as rolling your key. When you do this operation, Azure Information Protection stops using the existing tenant key to protect documents and emails, and starts to use a different key. Policies and templates are immediately re-signed, but this changeover is gradual for existing clients and services using Azure Information Protection. So for some time, some new content continues to be protected with the old tenant key.

To rekey, you must configure the tenant key object and specify the alternative key to use. Then, the previously used key is automatically marked as archived for Azure Information Protection. This configuration ensures that content that was protected by using this key remains accessible.

Examples of when you might need to rekey for Azure Information Protection:

  • You have migrated from Active Directory Rights Management Services (AD RMS) with a cryptographic mode 1 key. When the migration is complete, you want to change to using a key that uses cryptographic mode 2.

  • Your company has split into two or more companies. When you rekey your tenant key, the new company will not have access to new content that your employees publish. They can access the old content if they have a copy of the old tenant key.

  • You want to move from one key management topology to another.

  • You believe the master copy of your tenant key is compromised.

To rekey, you can select a different Microsoft-managed key to become your tenant key, but you cannot create a new Microsoft-managed key. To create a new key, you must change your key topology to be customer-managed (BYOK).

You have more than one Microsoft-managed key if you migrated from Active Directory Rights Management Services (AD RMS) and chose the Microsoft-managed key topology for Azure Information Protection. In this scenario, you have at least two Microsoft-managed keys for your tenant. One key, or more, is the key or keys that you imported from AD RMS. You will also have the default key that was automatically created for your Azure Information Protection tenant.

To select a different key to be your active tenant key for Azure Information Protection, use the Set-AipServiceKeyProperties cmdlet from the AIPService module. To help you identify which key to use, use the Get-AipServiceKeys cmdlet. You can identify the default key that was automatically created for your Azure Information Protection tenant by running the following command:

(Get-AipServiceKeys) | Sort-Object CreationTime | Select-Object -First 1
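The following script is an added example, not part of the Microsoft page, that puts the two cmdlets above together into a guarded rekey: it lists the tenant's keys, shows which one is the auto-created default and which is currently active, refuses anything that is not a different Microsoft-managed key (the page's rule: a new key needs the BYOK topology), asks for confirmation because existing clients only switch over gradually, and then verifies that the old key shows as archived. It assumes the AIPService module is installed and that the objects returned by Get-AipServiceKeys expose KeyIdentifier, CreationTime, Status and KeyType properties; the exact Status and KeyType strings are assumptions and are matched loosely.

```powershell
# Added example (not from the Microsoft page): switch the active AIP tenant key
# to another Microsoft-managed key and verify the result.
# Assumptions: AIPService module installed; Get-AipServiceKeys objects expose
# KeyIdentifier, CreationTime, Status and KeyType (property values matched loosely).
param(
    [Parameter(Mandatory = $true)]
    [string]$NewKeyIdentifier
)

# Prompts for an account that is allowed to administer Azure Information Protection
Connect-AipService

$keys = Get-AipServiceKeys

# The default key is the oldest one, as in the command on the page
$default = $keys | Sort-Object CreationTime | Select-Object -First 1
Write-Host "Default (auto-created) key : $($default.KeyIdentifier)"

$active = $keys | Where-Object { $_.Status -match 'Active' } | Select-Object -First 1
Write-Host "Currently active key       : $($active.KeyIdentifier)"

$target = $keys | Where-Object { $_.KeyIdentifier -eq $NewKeyIdentifier }
if (-not $target) {
    throw "Key $NewKeyIdentifier is not a key of this tenant; pick one from Get-AipServiceKeys."
}
if ($target.KeyIdentifier -eq $active.KeyIdentifier) {
    throw "Key $NewKeyIdentifier is already the active tenant key; nothing to do."
}
# Only an existing Microsoft-managed key can become the tenant key in this topology
# (creating a new key requires changing to customer-managed / BYOK).
if ($target.KeyType -notmatch 'Microsoft') {
    throw "Key $NewKeyIdentifier is not Microsoft-managed (KeyType = $($target.KeyType))."
}

Write-Host "Policies and templates are re-signed immediately; existing clients switch gradually,"
Write-Host "so some new content will still be protected with $($active.KeyIdentifier) for a while."
$answer = Read-Host "Make $NewKeyIdentifier the active tenant key? (yes/no)"
if ($answer -ne 'yes') { Write-Host 'Aborted.'; return }

# Make the chosen key active; the previous key is archived automatically
Set-AipServiceKeyProperties -KeyIdentifier $NewKeyIdentifier -Active $true

# Verification: the old key should now be archived, the new one active
$after = Get-AipServiceKeys
$after | Select-Object KeyIdentifier, Status, KeyType, CreationTime | Format-Table -AutoSize
$old = $after | Where-Object { $_.KeyIdentifier -eq $active.KeyIdentifier }
if ($old.Status -notmatch 'Archived') {
    Write-Warning "Previous key $($active.KeyIdentifier) is not reported as archived yet; re-check Get-AipServiceKeys."
}
```

Keep the archived key listed; the page's point is that archived keys stay available so content protected under them remains readable, so never try to remove them after a rekey.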

To change your key topology to be customer-managed (BYOK), see Planning and implementing your Azure Information Protection tenant key.

Backup and recover your tenant key

Microsoft is responsible for backing up your tenant key and no action is required from you.

Export your tenant key

You can export your Azure Information Protection configuration and tenant key by following the instructions in the following three steps:

Step 1: Initiate export

  • Contact Microsoft Support to open an Azure Information Protection support case with a request for an Azure Information Protection key export. You must prove you are a Global administrator for your tenant, and understand that this process takes several days to confirm. Standard support charges apply; exporting your tenant key is not a free-of-charge support service.

Step 2: Wait for verification

  • Microsoft verifies that your request to release your Azure Information Protection tenant key is legitimate. This process can take up to three weeks.

Step 3: Receive key instructions from CSS

  • Microsoft Customer Support Services (CSS) sends you your Azure Information Protection configuration and tenant key encrypted in a password-protected file. This file has a .tpd file name extension. To do this, CSS first sends you (as the person who initiated the export) a tool by email. You must run the tool from a command prompt as follows:

    AadrmTpd.exe -createkey
    

    This generates an RSA key pair and saves the public and private halves as files in the current folder. For example: PublicKey-FA29D0FE-5049-4C8E-931B-96C6152B0441.txt and PrivateKey-FA29D0FE-5049-4C8E-931B-96C6152B0441.txt.

    Respond to the email from CSS, attaching the file that has a name that starts with PublicKey. CSS next sends you a TPD file as an .xml file that is encrypted with your RSA key. Copy this file to the same folder in which you originally ran the AadrmTpd tool, and run the tool again, using your file that starts with PrivateKey and the file from CSS. For example:

    AadrmTpd.exe -key PrivateKey-FA29D0FE-5049-4C8E-931B-96C6152B0441.txt -target TPD-77172C7B-8E21-48B7-9854-7A4CEAC474D0.xml
    

    The output of this command should be two files: one contains the plain-text password for the password-protected TPD, and the other is the password-protected TPD itself. The files have a new GUID, for example:

    • Password-5E4C2018-8C8C-4548-8705-E3218AA1544E.txt

    • ExportedTPD-5E4C2018-8C8C-4548-8705-E3218AA1544E.xml

      Back up these files and store them safely to ensure that you can continue to decrypt content that is protected with this tenant key. In addition, if you are migrating to AD RMS, you can import this TPD file (the file that starts with ExportedTPD) to your AD RMS server.

Step 4: Ongoing: Protect your tenant key

After you receive your tenant key, keep it well-guarded, because if somebody gets access to it, they can decrypt all documents that are protected by using that key.

If the reason for exporting your tenant key is that you no longer want to use Azure Information Protection, as a best practice, deactivate the Azure Rights Management service from your Azure Information Protection tenant now. Do not delay doing this after you receive your tenant key, because this precaution helps to minimize the consequences if your tenant key is accessed by somebody who should not have it. For instructions, see Decommissioning and deactivating Azure Rights Management.
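The two files produced in step 3 (the plain-text Password-<GUID>.txt and the ExportedTPD-<GUID>.xml) together decrypt everything the tenant key ever protected, which is what step 4 is about. The following script is an added example, not part of the Microsoft page or the AadrmTpd tool, of how a key custodian could handle them on the admin workstation: it pairs the two files by GUID, checks the TPD is well-formed XML, copies the TPD to a backup folder with a SHA-256 manifest, wraps the password with user-scoped DPAPI instead of leaving it in clear text, restricts the folder ACL to the current user, and optionally deactivates the service as the page recommends. The parameter names, the folder layout and the use of Disable-AipService with -Force for the deactivation step are assumptions.

```powershell
# Added example (not from the Microsoft page): protect the AadrmTpd output files.
# Assumptions: the files sit in $SourceFolder; $BackupFolder is reachable only by
# key custodians; Disable-AipService -Force performs the deactivation.
param(
    [string]$SourceFolder = (Get-Location).Path,
    [Parameter(Mandatory = $true)][string]$BackupFolder,
    [switch]$DeactivateService
)

# Pair the exported TPD with its password file through the shared GUID in the names
$tpd = Get-ChildItem -Path $SourceFolder -Filter 'ExportedTPD-*.xml' | Select-Object -First 1
if (-not $tpd) { throw "No ExportedTPD-*.xml found in $SourceFolder" }
$guid    = $tpd.BaseName -replace '^ExportedTPD-', ''
$pwdFile = Join-Path $SourceFolder "Password-$guid.txt"
if (-not (Test-Path $pwdFile)) { throw "Password file $pwdFile for TPD $guid not found" }

# Sanity check: refuse to back up a truncated or corrupted TPD
try   { [xml](Get-Content -Path $tpd.FullName -Raw) | Out-Null }
catch { throw "$($tpd.Name) is not well-formed XML; re-run AadrmTpd before backing it up" }

New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

# 1. Copy the TPD and record its SHA-256 so later corruption or tampering is detectable
Copy-Item -Path $tpd.FullName -Destination $BackupFolder
$hash = (Get-FileHash -Algorithm SHA256 -Path $tpd.FullName).Hash
"$hash  $($tpd.Name)" | Set-Content -Path (Join-Path $BackupFolder "manifest-$guid.sha256")

# 2. Do not keep the TPD password in clear text beside the TPD: wrap it with DPAPI
#    (ConvertFrom-SecureString without -Key is bound to this user on this machine)
#    and delete the plain-text copy. Remove-Item does not overwrite disk blocks.
$plain  = (Get-Content -Path $pwdFile -Raw).Trim()
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$secure | ConvertFrom-SecureString | Set-Content -Path (Join-Path $BackupFolder "Password-$guid.dpapi")
Remove-Item -Path $pwdFile -Force
$plain = $null

# 3. Restrict the backup folder to the current user: drop inherited ACEs, add one explicit rule
$acl = Get-Acl -Path $BackupFolder
$acl.SetAccessRuleProtection($true, $false)   # isProtected, do not preserve inherited rules
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $BackupFolder -AclObject $acl
Write-Host "TPD $guid backed up to $BackupFolder; password stored DPAPI-wrapped, ACL restricted to $me"

# 4. Optional: if the export means you are leaving the service, deactivate it right away
if ($DeactivateService) {
    Connect-AipService
    Disable-AipService -Force
    Write-Host 'Azure Rights Management service deactivated for this tenant.'
}
```

The DPAPI wrapping is deliberately tied to the custodian's user profile on that machine; for a long-lived escrow copy, the password should additionally be placed in an offline vault or HSM-backed secret store, otherwise a lost profile makes the archived TPD unusable. Unwrapping is the reverse of step 2: read the .dpapi file, pipe it through ConvertTo-SecureString, and convert it back to plain text only at the moment the TPD is imported.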

Respond to a breach

No security system, no matter how strong, is complete without a breach response process. Your tenant key might be compromised or stolen. Even when it is protected well, vulnerabilities might be found in current generation key technology or in current key lengths and algorithms.

Microsoft has a dedicated team to respond to security incidents in its products and services. As soon as there is a credible report of an incident, this team engages to investigate the scope, root cause, and mitigations. If this incident affects your assets, Microsoft will notify the Global administrators for your tenant by email.

If you have a breach, the best action that you or Microsoft can take depends on the scope of the breach; Microsoft will work with you through this process. The following table shows some typical situations and the likely response, although the exact response depends on all the information that is revealed during the investigation.

| Incident description | Likely response |
| --- | --- |
| Your tenant key is leaked. | Rekey your tenant key. See the Rekey your tenant key section in this article. |
| An unauthorized individual or malware got rights to use your tenant key, but the key itself did not leak. | Rekeying your tenant key does not help here; the incident requires root-cause analysis. If a process or software bug allowed the unauthorized individual to get access, that situation must be resolved. |
| A vulnerability is discovered in the RSA algorithm or key length, or brute-force attacks become computationally feasible. | Microsoft must update Azure Information Protection to support new algorithms and longer key lengths that are resilient, and instruct all customers to rekey their tenant key. |