
About keys, secrets, and certificates

Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data:

  • Cryptographic keys: Supports multiple key types and algorithms, and enables the use of Hardware Security Modules (HSM) for high value keys.
  • Secrets: Provides secure storage of secrets, such as passwords and database connection strings.
  • Certificates: Supports certificates, which are built on top of keys and secrets and add an automated renewal feature.
  • Azure Storage: Can manage keys of an Azure Storage account for you. Internally, Key Vault can list (sync) keys with an Azure Storage Account, and regenerate (rotate) the keys periodically.

For more general information about Key Vault, see What is Azure Key Vault?

Azure Key Vault

The following sections offer general information applicable across the implementation of the Key Vault service.

Supporting standards

The JavaScript Object Notation (JSON) and JavaScript Object Signing and Encryption (JOSE) specifications are important background information.

Data types

Refer to the JOSE specifications for relevant data types for keys, encryption, and signing.

  • algorithm - a supported algorithm for a key operation, for example, RSA1_5
  • ciphertext-value - cipher text octets, encoded using Base64URL
  • digest-value - the output of a hash algorithm, encoded using Base64URL
  • key-type - one of the supported key types, for example RSA (Rivest-Shamir-Adleman).
  • plaintext-value - plaintext octets, encoded using Base64URL
  • signature-value - output of a signature algorithm, encoded using Base64URL
  • base64URL - a Base64URL [RFC4648] encoded binary value
  • boolean - either true or false
  • Identity - an identity from Azure Active Directory (AAD).
  • IntDate - a JSON decimal value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC3339 for details regarding date/times, in general and UTC in particular.

Objects, identifiers, and versioning

Objects stored in Key Vault are versioned whenever a new instance of an object is created. Each version is assigned a unique identifier and URL. When an object is first created, it's given a unique version identifier and marked as the current version of the object. Creation of a new instance with the same object name gives the new object a unique version identifier, causing it to become the current version.

Objects in Key Vault can be addressed using the current identifier or a version-specific identifier. For example, given a key with the name MasterKey, performing operations with the current identifier causes the system to use the latest available version. Performing operations with the version-specific identifier causes the system to use that specific version of the object.

Objects are uniquely identified within Key Vault using a URL. No two objects in the system have the same URL, regardless of geo-location. The complete URL to an object is called the Object Identifier. The URL consists of a prefix that identifies the Key Vault, the object type, the user provided Object Name, and an Object Version. The Object Name is case-insensitive and immutable. Identifiers that don't include the Object Version are referred to as Base Identifiers.

For more information, see Authentication, requests, and responses.

An object identifier has the following general format:

https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

Where:

  • keyvault-name: The name for a key vault in the Microsoft Azure Key Vault service. Key Vault names are selected by the user and are globally unique. A Key Vault name must be a 3-24 character string, containing only 0-9, a-z, A-Z, and -.
  • object-type: The type of the object, either "keys" or "secrets".
  • object-name: An object-name is a user provided name and must be unique within a Key Vault. The name must be a 1-127 character string, containing only 0-9, a-z, A-Z, and -.
  • object-version: An object-version is a system-generated, 32 character string identifier that is optionally used to address a unique version of an object.
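As an added illustration (not code from the Azure documentation), a small Python parser that checks a URL against the identifier format and the name-length and alphabet constraints listed above, and distinguishes a Base Identifier from a version-specific one. The version alphabet and the acceptance of "certificates" as an object type are assumptions noted in the comments.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constraints taken from the identifier format and the field descriptions above.
VAULT_HOST_SUFFIX = ".vault.azure.net"
VAULT_NAME_RE = re.compile(r"^[0-9a-zA-Z-]{3,24}$")     # 3-24 chars of 0-9, a-z, A-Z, -
OBJECT_NAME_RE = re.compile(r"^[0-9a-zA-Z-]{1,127}$")   # 1-127 chars of the same alphabet
# The page only says a version is a system-generated 32 character string, so only
# the length and a conservative alphanumeric alphabet are checked here (assumption).
VERSION_RE = re.compile(r"^[0-9a-zA-Z]{32}$")
# The identifier table lists keys and secrets; the Certificates section says
# certificates are identified the same way, so that type is accepted as well.
OBJECT_TYPES = {"keys", "secrets", "certificates"}


@dataclass(frozen=True)
class ObjectIdentifier:
    vault_name: str
    object_type: str
    object_name: str               # stored lower-cased: the page says names are case-insensitive
    object_version: Optional[str]  # None for a Base Identifier (no version segment)

    @property
    def is_base_identifier(self) -> bool:
        return self.object_version is None

    @property
    def base_identifier(self) -> str:
        """The identifier without the version, i.e. 'use the current version'."""
        return f"https://{self.vault_name}{VAULT_HOST_SUFFIX}/{self.object_type}/{self.object_name}"


def parse_object_identifier(url: str) -> ObjectIdentifier:
    """Parse and validate a Key Vault object identifier; raise ValueError on any violation."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError("object identifiers use https")
    host = parts.netloc.lower()
    if not host.endswith(VAULT_HOST_SUFFIX):
        raise ValueError(f"host {host!r} is not a {VAULT_HOST_SUFFIX} host")
    vault_name = host[: -len(VAULT_HOST_SUFFIX)]
    if not VAULT_NAME_RE.match(vault_name):
        raise ValueError(f"invalid key vault name {vault_name!r}")

    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3):
        raise ValueError("path must be /{object-type}/{object-name}[/{object-version}]")
    object_type = segments[0].lower()
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {object_type!r}")
    object_name = segments[1]
    if not OBJECT_NAME_RE.match(object_name):
        raise ValueError(f"invalid object name {object_name!r}")
    version = segments[2] if len(segments) == 3 else None
    if version is not None and not VERSION_RE.match(version):
        raise ValueError(f"invalid object version {version!r}")
    return ObjectIdentifier(vault_name, object_type, object_name.lower(), version)


def identifier_error(url: str) -> Optional[str]:
    """The validation error message for a URL, or None when it is well-formed."""
    try:
        parse_object_identifier(url)
        return None
    except ValueError as exc:
        return str(exc)


def same_object(a: ObjectIdentifier, b: ObjectIdentifier) -> bool:
    """True if two identifiers (versioned or not) address the same object."""
    return a.base_identifier == b.base_identifier
```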

Key Vault keys

Keys and key types

Cryptographic keys in Key Vault are represented as JSON Web Key [JWK] objects. The base JWK/JWA specifications are also extended to enable key types unique to the Key Vault implementation. For example, importing keys using HSM vendor-specific packaging enables secure transportation of keys that may only be used in Key Vault HSMs.

  • "Soft" keys: A key processed in software by Key Vault, but encrypted at rest using a system key that is in an HSM. Clients may import an existing RSA or EC (Elliptic Curve) key, or request that Key Vault generate one.

  • "Hard" keys: A key processed in an HSM (Hardware Security Module). These keys are protected in one of the Key Vault HSM Security Worlds (there's one Security World per geography to maintain isolation). Clients may import an RSA or EC key, in soft form or by exporting from a compatible HSM device. Clients may also request Key Vault to generate a key. This key type adds the T attribute to the JWK obtained, to carry the HSM key material.

    For more information on geographical boundaries, see Microsoft Azure Trust Center.

Key Vault supports RSA and Elliptic Curve keys only.

  • EC: "Soft" Elliptic Curve key.
  • EC-HSM: "Hard" Elliptic Curve key.
  • RSA: "Soft" RSA key.
  • RSA-HSM: "Hard" RSA key.

Key Vault supports RSA keys of sizes 2048, 3072 and 4096. Key Vault supports Elliptic Curve key types P-256, P-384, P-521, and P-256K (SECP256K1).

Cryptographic protection

The cryptographic modules that Key Vault uses, whether HSM or software, are FIPS (Federal Information Processing Standards) validated. You don't need to do anything special to run in FIPS mode. Keys created or imported as HSM-protected are processed inside an HSM, validated to FIPS 140-2 Level 2. Keys created or imported as software-protected are processed inside cryptographic modules validated to FIPS 140-2 Level 1. For more information, see Keys and key types.

EC algorithms

The following algorithm identifiers are supported with EC and EC-HSM keys in Key Vault.

Curve Types

SIGN/VERIFY

  • ES256 - ECDSA for SHA-256 digests and keys created with curve P-256. This algorithm is described at RFC7518.
  • ES256K - ECDSA for SHA-256 digests and keys created with curve P-256K. This algorithm is pending standardization.
  • ES384 - ECDSA for SHA-384 digests and keys created with curve P-384. This algorithm is described at RFC7518.
  • ES512 - ECDSA for SHA-512 digests and keys created with curve P-521. This algorithm is described at RFC7518.

RSA algorithms

The following algorithm identifiers are supported with RSA and RSA-HSM keys in Key Vault.

WRAPKEY/UNWRAPKEY, ENCRYPT/DECRYPT

  • RSA1_5 - RSAES-PKCS1-V1_5 [RFC3447] key encryption
  • RSA-OAEP - RSAES using Optimal Asymmetric Encryption Padding (OAEP) [RFC3447], with the default parameters specified by RFC 3447 in Section A.2.1. Those default parameters use a hash function of SHA-1 and a mask generation function of MGF1 with SHA-1.

SIGN/VERIFY

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256. The application supplied digest value must be computed using SHA-256 and must be 32 bytes in length.
  • RS384 - RSASSA-PKCS-v1_5 using SHA-384. The application supplied digest value must be computed using SHA-384 and must be 48 bytes in length.
  • RS512 - RSASSA-PKCS-v1_5 using SHA-512. The application supplied digest value must be computed using SHA-512 and must be 64 bytes in length.
  • RSNULL - See [RFC2437], a specialized use-case to enable certain TLS scenarios.

Key operations

Key Vault supports the following operations on key objects:

  • Create: Allows a client to create a key in Key Vault. The value of the key is generated by Key Vault and stored, and isn't released to the client. Asymmetric keys may be created in Key Vault.
  • Import: Allows a client to import an existing key to Key Vault. Asymmetric keys may be imported to Key Vault using a number of different packaging methods within a JWK construct.
  • Update: Allows a client with sufficient permissions to modify the metadata (key attributes) associated with a key previously stored within Key Vault.
  • Delete: Allows a client with sufficient permissions to delete a key from Key Vault.
  • List: Allows a client to list all keys in a given Key Vault.
  • List versions: Allows a client to list all versions of a given key in a given Key Vault.
  • Get: Allows a client to retrieve the public parts of a given key in a Key Vault.
  • Backup: Exports a key in a protected form.
  • Restore: Imports a previously backed up key.

For more information, see Key operations in the Key Vault REST API reference.

Once a key has been created in Key Vault, the following cryptographic operations may be performed using the key:

  • Sign and Verify: Strictly, this operation is "sign hash" or "verify hash", as Key Vault doesn't support hashing of content as part of signature creation. Applications should hash the data to be signed locally, then request that Key Vault sign the hash. Verification of signed hashes is supported as a convenience operation for applications that may not have access to [public] key material. For best application performance, verify operations should be performed locally.
  • Key Encryption / Wrapping: A key stored in Key Vault may be used to protect another key, typically a symmetric content encryption key (CEK). When the key in Key Vault is asymmetric, key encryption is used. For example, with RSA-OAEP the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT. When the key in Key Vault is symmetric, key wrapping is used. For example, AES-KW. The WRAPKEY operation is supported as a convenience for applications that may not have access to [public] key material. For best application performance, WRAPKEY operations should be performed locally.
  • Encrypt and Decrypt: A key stored in Key Vault may be used to encrypt or decrypt a single block of data. The size of the block is determined by the key type and selected encryption algorithm. The Encrypt operation is provided for convenience, for applications that may not have access to [public] key material. For best application performance, encrypt operations should be performed locally.

While WRAPKEY/UNWRAPKEY using asymmetric keys may seem superfluous (as the operation is equivalent to ENCRYPT/DECRYPT), the use of distinct operations is important. The distinction provides semantic and authorization separation of these operations, and consistency when other key types are supported by the service.

Key Vault doesn't support EXPORT operations. Once a key is provisioned in the system, it cannot be extracted or its key material modified. However, users of Key Vault may require their key for other use cases, such as after it has been deleted. In this case, they may use the BACKUP and RESTORE operations to export/import the key in a protected form. Keys created by the BACKUP operation are not usable outside Key Vault. Alternatively, the IMPORT operation may be used against multiple Key Vault instances.

Users may restrict any of the cryptographic operations that Key Vault supports on a per-key basis using the key_ops property of the JWK object.
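The sign-hash flow described above, as an added Python example (not code from the Azure documentation or SDKs): the application hashes locally, and before sending the digest checks it against the key's JWK using the algorithm tables from the EC and RSA sections (key type, curve, digest length) and the key_ops restriction. The `alg`/`value` body shape follows the REST API's sign operation, which this page links to but does not show; the JWK dictionaries in the test are constructed samples.

```python
import base64
import hashlib
from typing import Dict, Optional

# Sign/verify algorithm identifiers from the EC and RSA sections above:
# allowed key types, required curve (EC only), hash, and required digest length.
SIGN_ALGORITHMS = {
    "ES256":  ({"EC", "EC-HSM"},   "P-256",  "sha256", 32),
    "ES256K": ({"EC", "EC-HSM"},   "P-256K", "sha256", 32),
    "ES384":  ({"EC", "EC-HSM"},   "P-384",  "sha384", 48),
    "ES512":  ({"EC", "EC-HSM"},   "P-521",  "sha512", 64),
    "RS256":  ({"RSA", "RSA-HSM"}, None,     "sha256", 32),
    "RS384":  ({"RSA", "RSA-HSM"}, None,     "sha384", 48),
    "RS512":  ({"RSA", "RSA-HSM"}, None,     "sha512", 64),
}


def local_digest(alg: str, data: bytes) -> bytes:
    """Hash the data locally, as the page says applications should; only the digest goes to Key Vault."""
    _, _, hash_name, _ = SIGN_ALGORITHMS[alg]
    return hashlib.new(hash_name, data).digest()


def base64url(raw: bytes) -> str:
    """Base64URL [RFC4648] without padding, the encoding the page uses for digest-value."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_request_error(jwk: Dict, alg: str, digest: bytes) -> Optional[str]:
    """Check a sign-hash request against the key's JWK before sending it; None means consistent."""
    spec = SIGN_ALGORITHMS.get(alg)
    if spec is None:
        return f"unsupported signing algorithm {alg!r}"
    key_types, curve, hash_name, digest_len = spec
    if jwk.get("kty") not in key_types:
        return f"{alg} requires a key of type {sorted(key_types)}, got {jwk.get('kty')!r}"
    if curve is not None and jwk.get("crv") != curve:
        return f"{alg} requires curve {curve}, key uses {jwk.get('crv')!r}"
    # key_ops, when present, restricts the operations allowed on this key.
    key_ops = jwk.get("key_ops")
    if key_ops is not None and "sign" not in key_ops:
        return "key_ops does not permit sign on this key"
    if len(digest) != digest_len:
        return f"{alg} digest must be {digest_len} bytes ({hash_name}), got {len(digest)}"
    return None


def build_sign_body(jwk: Dict, alg: str, digest: bytes) -> Dict[str, str]:
    """Build the JSON body for a sign request: 'alg' plus the Base64URL-encoded digest as 'value'."""
    error = sign_request_error(jwk, alg, digest)
    if error is not None:
        raise ValueError(error)
    return {"alg": alg, "value": base64url(digest)}
```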

For more information on JWK objects, see JSON Web Key (JWK).

Key attributes

In addition to the key material, the following attributes may be specified. In a JSON request, the attributes keyword and braces, '{' '}', are required even if there are no attributes specified.

  • enabled: boolean, optional, default is true. Specifies whether the key is enabled and usable for cryptographic operations. The enabled attribute is used in conjunction with nbf and exp. When an operation occurs between nbf and exp, it will only be permitted if enabled is set to true. Operations outside the nbf / exp window are automatically disallowed, except for certain operation types under particular conditions.
  • nbf: IntDate, optional, default is now. The nbf (not before) attribute identifies the time before which the key MUST NOT be used for cryptographic operations, except for certain operation types under particular conditions. The processing of the nbf attribute requires that the current date/time MUST be after or equal to the not-before date/time listed in the nbf attribute. Key Vault MAY provide for some small leeway, normally no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.
  • exp: IntDate, optional, default is "forever". The exp (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for cryptographic operations, except for certain operation types under particular conditions. The processing of the exp attribute requires that the current date/time MUST be before the expiration date/time listed in the exp attribute. Key Vault MAY provide for some small leeway, typically no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.

There are additional read-only attributes that are included in any response that includes key attributes:

  • created: IntDate, optional. The created attribute indicates when this version of the key was created. The value is null for keys created prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.
  • updated: IntDate, optional. The updated attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.

For more information on IntDate and other data types, see Data types.

Date-time controlled operations

Not-yet-valid and expired keys, outside the nbf / exp window, will work for decrypt, unwrap, and verify operations (won't return 403, Forbidden). The rationale for using the not-yet-valid state is to allow a key to be tested before production use. The rationale for using the expired state is to allow recovery operations on data that was created when the key was valid. Also, you can disable access to a key using Key Vault policies, or by updating the enabled key attribute to false.

For more information on data types, see Data types.

For more information on other possible attributes, see the JSON Web Key (JWK).

Key tags

You can specify additional application-specific metadata in the form of tags. Key Vault supports up to 15 tags, each of which can have a 256 character name and a 256 character value.

Note

Tags are readable by a caller if they have the list or get permission to that object type (keys, secrets, or certificates).

Key access control

Access control for keys managed by Key Vault is provided at the level of a Key Vault that acts as the container of keys. The access control policy for keys is distinct from the access control policy for secrets in the same Key Vault. Users may create one or more vaults to hold keys, and are required to maintain scenario appropriate segmentation and management of keys. Access control for keys is independent of access control for secrets.

The following permissions can be granted, on a per user / service principal basis, in the keys access control entry on a vault. These permissions closely mirror the operations allowed on a key object. Granting access to a service principal in Key Vault is a one-time operation, and it will remain the same for all Azure subscriptions. You can use it to deploy as many certificates as you want.

  • Permissions for key management operations

    • get: Read the public part of a key, plus its attributes
    • list: List the keys or versions of a key stored in a key vault
    • update: Update the attributes for a key
    • create: Create new keys
    • import: Import a key to a key vault
    • delete: Delete the key object
    • recover: Recover a deleted key
    • backup: Back up a key in a key vault
    • restore: Restore a backed up key to a key vault
  • Permissions for cryptographic operations

    • decrypt: Use the key to unprotect a sequence of bytes
    • encrypt: Use the key to protect an arbitrary sequence of bytes
    • unwrapKey: Use the key to unprotect wrapped symmetric keys
    • wrapKey: Use the key to protect a symmetric key
    • verify: Use the key to verify digests
    • sign: Use the key to sign digests
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted key

For more information on working with keys, see Key operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Key Vault secrets

Working with secrets

From a developer's perspective, Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each. The Key Vault service doesn't provide semantics for secrets. It merely accepts the data, encrypts it, stores it, and returns a secret identifier ("id"). The identifier can be used to retrieve the secret at a later time.

For highly sensitive data, clients should consider additional layers of protection for data. Encrypting data using a separate protection key prior to storage in Key Vault is one example.

Key Vault also supports a contentType field for secrets. Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved. The maximum length of this field is 255 characters. There are no pre-defined values. The suggested usage is as a hint for interpreting the secret data. For instance, an implementation may store both passwords and certificates as secrets, then use this field to differentiate.

Secret attributes

In addition to the secret data, the following attributes may be specified:

  • exp: IntDate, optional, default is forever. The exp (expiration time) attribute identifies the expiration time on or after which the secret data SHOULD NOT be retrieved, except in particular situations. This field is for informational purposes only, as it informs users of the key vault service that a particular secret may not be used. Its value MUST be a number containing an IntDate value.
  • nbf: IntDate, optional, default is now. The nbf (not before) attribute identifies the time before which the secret data SHOULD NOT be retrieved, except in particular situations. This field is for informational purposes only. Its value MUST be a number containing an IntDate value.
  • enabled: boolean, optional, default is true. This attribute specifies whether the secret data can be retrieved. The enabled attribute is used in conjunction with nbf and exp: when an operation occurs between nbf and exp, it will only be permitted if enabled is set to true. Operations outside the nbf and exp window are automatically disallowed, except in particular situations.

There are additional read-only attributes that are included in any response that includes secret attributes:

  • created: IntDate, optional. The created attribute indicates when this version of the secret was created. This value is null for secrets created prior to the addition of this attribute. Its value must be a number containing an IntDate value.
  • updated: IntDate, optional. The updated attribute indicates when this version of the secret was updated. This value is null for secrets that were last updated prior to the addition of this attribute. Its value must be a number containing an IntDate value.

Date-time controlled operations

A secret's get operation will work for not-yet-valid and expired secrets, outside the nbf / exp window. Calling a secret's get operation, for a not-yet-valid secret, can be used for test purposes. Retrieving (getting) an expired secret can be used for recovery operations.
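The enabled/nbf/exp rules and the date-time controlled operations described for keys (decrypt, unwrap and verify still work outside the window) and for secrets (get still works outside the window), as one added Python evaluator that is not part of the Azure documentation. The clock-skew leeway value is an assumption, since the page only says "a few minutes"; the attribute values in the test are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# The page says Key Vault MAY allow "a few minutes" of clock skew; the exact
# value is not stated, so 5 minutes is an assumption used for illustration.
CLOCK_SKEW_LEEWAY_SECONDS = 5 * 60

# Operations the page says still work for not-yet-valid and expired objects.
ALLOWED_OUTSIDE_WINDOW = {
    "keys": {"decrypt", "unwrapKey", "verify"},   # test before rollout; recover old data
    "secrets": {"get"},                            # same rationale, stated for a secret's get
}


@dataclass(frozen=True)
class Attributes:
    enabled: bool = True
    nbf: Optional[int] = None   # IntDate; None = default "now", i.e. no lower bound
    exp: Optional[int] = None   # IntDate; None = default "forever", i.e. no upper bound


def window_state(attrs: Attributes, now: int) -> str:
    """Classify 'now' against nbf/exp, applying the leeway in the permissive direction."""
    if attrs.nbf is not None and now + CLOCK_SKEW_LEEWAY_SECONDS < attrs.nbf:
        return "not-yet-valid"
    if attrs.exp is not None and now - CLOCK_SKEW_LEEWAY_SECONDS >= attrs.exp:
        return "expired"
    return "valid"


def evaluate_operation(object_type: str, attrs: Attributes, operation: str, now: int) -> Tuple[bool, str]:
    """Return (permitted, reason) following the attribute rules on this page."""
    if object_type not in ALLOWED_OUTSIDE_WINDOW:
        raise ValueError(f"unsupported object type {object_type!r}")
    # enabled=false blocks everything, inside or outside the window.
    if not attrs.enabled:
        return False, "object is disabled (enabled=false)"
    state = window_state(attrs, now)
    if state == "valid":
        return True, "within the nbf/exp window"
    if operation in ALLOWED_OUTSIDE_WINDOW[object_type]:
        return True, f"{state}, but {operation} is permitted outside the window"
    return False, f"{state}: {operation} is not permitted outside the window"
```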

For more information on data types, see Data types.

Secret access control

Access control for secrets managed in Key Vault is provided at the level of the Key Vault that contains those secrets. The access control policy for secrets is distinct from the access control policy for keys in the same Key Vault. Users may create one or more vaults to hold secrets, and are required to maintain scenario appropriate segmentation and management of secrets.

The following permissions can be used, on a per-principal basis, in the secrets access control entry on a vault, and closely mirror the operations allowed on a secret object:

  • Permissions for secret management operations

    • get: Read a secret
    • list: List the secrets or versions of a secret stored in a Key Vault
    • set: Create a secret
    • delete: Delete a secret
    • recover: Recover a deleted secret
    • backup: Back up a secret in a key vault
    • restore: Restore a backed up secret to a key vault
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted secret

For more information on working with secrets, see Secret operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Secret tags

You can specify additional application-specific metadata in the form of tags. Key Vault supports up to 15 tags, each of which can have a 256 character name and a 256 character value.

Note

Tags are readable by a caller if they have the list or get permission to that object type (keys, secrets, or certificates).

Key Vault 证书Key Vault Certificates

密钥保管库证书支持提供 x509 证书的管理和下列行为:Key Vault certificates support provides for management of your x509 certificates and the following behaviors:

  • 允许证书所有者通过密钥保管库创建过程或通过导入现有证书来创建证书。Allows a certificate owner to create a certificate through a Key Vault creation process or through the import of an existing certificate. 包括自签名证书和证书颁发机构生成的证书。Includes both self-signed and Certificate Authority generated certificates.
  • 允许密钥保管库证书所有者实现 X509 证书的安全存储和管理,无需与私钥材料交互。Allows a Key Vault certificate owner to implement secure storage and management of X509 certificates without interaction with private key material.
  • 允许证书所有者创建一个策略,指示密钥保管库来管理证书的生命周期。Allows a certificate owner to create a policy that directs Key Vault to manage the life-cycle of a certificate.
  • 允许证书所有者为有关证书的过期和续订生命周期事件的通知提供联系信息。Allows certificate owners to provide contact information for notification about life-cycle events of expiration and renewal of certificate.
  • 支持向所选的颁发者(密钥保管库合作伙伴 X509 的证书提供者/证书颁发机构)进行自动续订。Supports automatic renewal with selected issuers - Key Vault partner X509 certificate providers / certificate authorities.

备注

也允许使用非合作伙伴提供者/颁发机构,但将不支持自动续订功能。Non-partnered providers/authorities are also allowed but, will not support the auto renewal feature.

证书组合Composition of a Certificate

创建 Key Vault 证书后,还可以创建具有相同名称的可寻址密钥和机密。When a Key Vault certificate is created, an addressable key and secret are also created with the same name. Key Vault 密钥允许密钥操作,Key Vault 机密允许以机密的形式检索证书值。The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. Key Vault 证书还包含公共 x509 证书元数据。A Key Vault certificate also contains public x509 certificate metadata.

标识符和证书版本与密钥和机密的类似。The identifier and version of certificates is similar to that of keys and secrets. 使用 Key Vault 证书版本创建的特定版本的可寻址密钥和机密可用于 Key Vault 证书响应。A specific version of an addressable key and secret created with the Key Vault certificate version is available in the Key Vault certificate response.

证书是复杂的对象

Exportable or Non-exportable key

When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy used to create the certificate must indicate that the key is exportable. If the policy indicates non-exportable, then the private key isn't a part of the value when retrieved as a secret.

The addressable key becomes more relevant with non-exportable KV certificates. The addressable KV key's operations are mapped from the key usage field of the KV certificate policy used to create the KV certificate.

Two types of key are supported with certificates: RSA or RSA HSM. Exportable is only allowed with RSA; it is not supported by RSA HSM.

Certificate Attributes and Tags

In addition to certificate metadata, an addressable key and an addressable secret, a Key Vault certificate also contains attributes and tags.

Attributes

The certificate attributes are mirrored to the attributes of the addressable key and secret created when the KV certificate is created.

A Key Vault certificate has the following attributes:

  • enabled: boolean, optional, default is true. Can be specified to indicate whether the certificate data can be retrieved as a secret or operated on as a key. Also used in conjunction with nbf and exp: when an operation occurs between nbf and exp, it is only permitted if enabled is set to true. Operations outside the nbf and exp window are automatically disallowed.

There are additional read-only attributes that are included in the response:

  • created: IntDate: indicates when this version of the certificate was created.
  • updated: IntDate: indicates when this version of the certificate was updated.
  • exp: IntDate: contains the value of the expiry date of the x509 certificate.
  • nbf: IntDate: contains the value of the not-before date of the x509 certificate.

Note

If a Key Vault certificate expires, its addressable key and secret become inoperable.

Tags

Client specified dictionary of key value pairs, similar to tags in keys and secrets.

Note

Tags are readable by a caller if they have the list or get permission to that object type (keys, secrets, or certificates).

Certificate policy

A certificate policy contains information on how to create and manage the lifecycle of a Key Vault certificate. When a certificate with a private key is imported into the key vault, a default policy is created by reading the x509 certificate.

When a Key Vault certificate is created from scratch, a policy needs to be supplied. The policy specifies how to create this Key Vault certificate version, or the next Key Vault certificate version. Once a policy has been established, it isn't required with successive create operations for future versions. There's only one instance of a policy for all the versions of a Key Vault certificate.

At a high level, a certificate policy contains the following information:

  • X509 certificate properties: Contains subject name, subject alternate names, and other properties used to create an x509 certificate request.

  • Key Properties: contains key type, key length, exportable, and reuse key fields. These fields instruct key vault on how to generate a key.

  • Secret properties: contains secret properties such as the content type of the addressable secret, used to generate the secret value for retrieving the certificate as a secret.

  • Lifetime Actions: contains lifetime actions for the KV certificate. Each lifetime action contains:

    • Trigger: specified via days before expiry or lifetime span percentage

    • Action: specifying the action type - emailContacts or autoRenew

  • Issuer: Parameters about the certificate issuer to use to issue x509 certificates.

  • Policy Attributes: contains attributes associated with the policy
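As an added example (not Microsoft's or the Key Vault service's own code), the Python below works through two rules from this section and from the Attributes section above: how the enabled/nbf/exp attributes gate an operation, and when a lifetime action trigger fires in its days-before-expiry and lifetime-percentage forms. The attribute and trigger field names, the percentage bound and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Added example, not Key Vault's own code. The attribute and trigger
# shapes below are simplified for illustration, not the REST schema:
#   attributes: {"enabled": bool, "nbf": unix seconds, "exp": unix seconds}
#   trigger:    {"days_before_expiry": int} or {"lifetime_percentage": int}
DAY = 86400


def operation_permitted(attributes, at_ts):
    """An operation on the certificate's key or secret between nbf and
    exp is allowed only if enabled is true; outside the nbf..exp window
    it is always disallowed (the rule stated for the enabled attribute)."""
    nbf = attributes.get("nbf")
    exp = attributes.get("exp")
    if nbf is not None and at_ts < nbf:
        return False
    if exp is not None and at_ts >= exp:
        return False
    return bool(attributes.get("enabled", True))


def trigger_time(nbf, exp, trigger):
    """Unix time at which a lifetime action (emailContacts or autoRenew)
    fires for a certificate valid from nbf to exp, for a trigger given
    as days before expiry or as a percentage of the lifetime span."""
    if exp <= nbf:
        raise ValueError("exp must be after nbf")
    if "days_before_expiry" in trigger:
        days = trigger["days_before_expiry"]
        if days <= 0:
            raise ValueError("days_before_expiry must be positive")
        fire = exp - days * DAY
    elif "lifetime_percentage" in trigger:
        pct = trigger["lifetime_percentage"]
        if not 0 < pct < 100:  # assumed bound for a share of the span
            raise ValueError("lifetime_percentage must be 1..99")
        fire = nbf + (exp - nbf) * pct // 100
    else:
        raise ValueError("trigger needs days_before_expiry or lifetime_percentage")
    if fire <= nbf:
        raise ValueError("trigger would fire before the certificate is valid")
    return fire


# Constructed sample: a one-year certificate, 2024-01-01 to 2025-01-01 UTC.
SAMPLE_NBF = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())
SAMPLE_EXP = int(datetime(2025, 1, 1, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    ts = trigger_time(SAMPLE_NBF, SAMPLE_EXP, {"days_before_expiry": 90})
    print("autoRenew fires at", datetime.fromtimestamp(ts, tz=timezone.utc))
```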

X509 to Key Vault usage mapping

The following table represents the mapping of x509 key usage policy to effective key operations of a key created as part of a Key Vault certificate creation.

X509 Key Usage flags | Key Vault key ops  | Default behavior
DataEncipherment     | encrypt, decrypt   | N/A
DecipherOnly         | decrypt            | N/A
DigitalSignature     | sign, verify       | Key Vault default without a usage specification at certificate creation time
EncipherOnly         | encrypt            | N/A
KeyCertSign          | sign, verify       | N/A
KeyEncipherment      | wrapKey, unwrapKey | Key Vault default without a usage specification at certificate creation time
NonRepudiation       | sign, verify       | N/A
crlsign              | sign, verify       | N/A
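As an added example (not Microsoft's or the Key Vault service's own code), the Python below derives the effective key ops of a certificate's addressable key from the x509 key usage flags in its policy according to the table above, applies the default (DigitalSignature and KeyEncipherment) when no usage is specified, and enforces the rule from the Exportable or Non-exportable key section that exportable is only allowed with RSA, not RSA HSM. The flag spellings and the "RSA"/"RSA-HSM" key type names are assumed for illustration.

```python
# Added example, not Key Vault's own code. Flag spellings and the key type
# names "RSA" / "RSA-HSM" are assumed for illustration.

# x509 key usage flag (lower-cased) -> Key Vault key ops, per the table above.
KEY_USAGE_TO_KEY_OPS = {
    "dataencipherment": ("encrypt", "decrypt"),
    "decipheronly": ("decrypt",),
    "digitalsignature": ("sign", "verify"),
    "encipheronly": ("encrypt",),
    "keycertsign": ("sign", "verify"),
    "keyencipherment": ("wrapKey", "unwrapKey"),
    "nonrepudiation": ("sign", "verify"),
    "crlsign": ("sign", "verify"),
}

# Key Vault's default when the policy specifies no key usage at creation time.
DEFAULT_KEY_USAGE = ("digitalSignature", "keyEncipherment")


def effective_key_ops(key_usage=None):
    """Return the ordered, de-duplicated key ops the certificate's addressable
    key will allow, given the policy's x509 key usage flags (any case)."""
    flags = list(key_usage) if key_usage else list(DEFAULT_KEY_USAGE)
    ops = []
    for flag in flags:
        try:
            mapped = KEY_USAGE_TO_KEY_OPS[flag.lower()]
        except KeyError:
            raise ValueError(f"x509 key usage flag not in the mapping table: {flag!r}") from None
        for op in mapped:
            if op not in ops:  # several flags overlap (sign/verify appears four times)
                ops.append(op)
    return ops


def check_key_properties(key_type, exportable):
    """Enforce the rule that exportable keys are only allowed with RSA,
    not with RSA HSM keys; returns the normalized key type name."""
    normalized = key_type.upper().replace(" ", "-")
    if normalized not in ("RSA", "RSA-HSM"):
        raise ValueError(f"unsupported certificate key type: {key_type!r}")
    if exportable and normalized == "RSA-HSM":
        raise ValueError("exportable is only allowed with RSA, not RSA-HSM")
    return normalized


def key_can(op, key_usage=None):
    """Answer 'can this certificate's key perform <op>?' from its policy alone."""
    return op in effective_key_ops(key_usage)
```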

Certificate Issuer

A Key Vault certificate object holds a configuration used to communicate with a selected certificate issuer provider to order x509 certificates.

  • Key Vault partners with the following certificate issuer providers for SSL certificates

Provider Name | Locations
DigiCert      | Supported in all key vault service locations in public cloud and Azure Government
GlobalSign    | Supported in all key vault service locations in public cloud and Azure Government

Before a certificate issuer can be created in a Key Vault, the following prerequisite steps 1 and 2 must be successfully accomplished.

  1. Onboard to Certificate Authority (CA) Providers

    • An organization administrator must on-board their company (for example, Contoso) with at least one CA provider.
  2. Admin creates requester credentials for Key Vault to enroll (and renew) SSL certificates

    • Provides the configuration to be used to create an issuer object of the provider in the key vault

For more information on creating Issuer objects from the Certificates portal, see the Key Vault Certificates blog.

Key Vault allows for creation of multiple issuer objects with different issuer provider configurations. Once an issuer object is created, its name can be referenced in one or multiple certificate policies. Referencing the issuer object instructs Key Vault to use the configuration as specified in the issuer object when requesting the x509 certificate from the CA provider during certificate creation and renewal.

Issuer objects are created in the vault and can only be used with KV certificates in the same vault.

Certificate contacts

Certificate contacts contain contact information to send notifications triggered by certificate lifetime events. The contacts information is shared by all the certificates in the key vault. A notification is sent to all the specified contacts for an event for any certificate in the key vault.

If a certificate's policy is set to auto renewal, then a notification is sent on the following events.

  • Before certificate renewal

  • After certificate renewal, stating whether the certificate was successfully renewed, or whether there was an error, requiring manual renewal of the certificate.

When a certificate policy is set to be manually renewed (email only), a notification is sent when it's time to renew the certificate.

Certificate Access Control

Access control for certificates is managed by Key Vault, and is provided by the Key Vault that contains those certificates. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same Key Vault. Users may create one or more vaults to hold certificates, to maintain scenario-appropriate segmentation and management of certificates.

The following permissions can be used, on a per-principal basis, in the secrets access control entry on a key vault, and closely mirror the operations allowed on a secret object:

  • Permissions for certificate management operations

    • get: Get the current certificate version, or any version of a certificate
    • list: List the current certificates, or versions of a certificate
    • update: Update a certificate
    • create: Create a Key Vault certificate
    • import: Import certificate material into a Key Vault certificate
    • delete: Delete a certificate, its policy, and all of its versions
    • recover: Recover a deleted certificate
    • backup: Back up a certificate in a key vault
    • restore: Restore a backed-up certificate to a key vault
    • managecontacts: Manage Key Vault certificate contacts
    • manageissuers: Manage Key Vault certificate authorities/issuers
    • getissuers: Get a certificate's authorities/issuers
    • listissuers: List a certificate's authorities/issuers
    • setissuers: Create or update a Key Vault certificate's authorities/issuers
    • deleteissuers: Delete a Key Vault certificate's authorities/issuers
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted certificate

For more information, see the Certificate operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Azure Storage account key management

Key Vault can manage Azure storage account keys:

  • Internally, Key Vault can list (sync) keys with an Azure storage account.
  • Key Vault regenerates (rotates) the keys periodically.
  • Key values are never returned in response to the caller.
  • Key Vault manages keys of both storage accounts and classic storage accounts.

For more information, see Azure Key Vault Storage Account Keys.

Storage account access control

The following permissions can be used when authorizing a user or application principal to perform operations on a managed storage account:

  • Permissions for managed storage account and SAS-definition operations

    • get: Get information about a storage account
    • list: List storage accounts managed by a Key Vault
    • update: Update a storage account
    • delete: Delete a storage account
    • recover: Recover a deleted storage account
    • backup: Back up a storage account
    • restore: Restore a backed-up storage account to a Key Vault
    • set: Create or update a storage account
    • regeneratekey: Regenerate a specified key value for a storage account
    • getsas: Get information about a SAS definition for a storage account
    • listsas: List storage SAS definitions for a storage account
    • deletesas: Delete a SAS definition from a storage account
    • setsas: Create or update a new SAS definition/attributes for a storage account
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a managed storage account

For more information, see the Storage account operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

See Also