
What is Azure Key Vault?

Azure Key Vault helps solve the following problems:

  • Secrets management - Azure Key Vault can be used to securely store, and tightly control access to, tokens, passwords, certificates, API keys, and other secrets.
  • Key management - Azure Key Vault can also be used as a key management solution. It makes it easy to create and control the encryption keys used to encrypt your data.
  • Certificate management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and with your internal connected resources.
  • Storage of secrets backed by hardware security modules - Secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

Why use Azure Key Vault?

Centralize application secrets

Centralizing the storage of application secrets in Azure Key Vault lets you control their distribution and greatly reduces the chance that a secret is accidentally leaked. With Key Vault, application developers no longer need to keep security information in the application itself, so it never becomes part of the code. For example, an application that needs to connect to a database can read the connection string securely from Key Vault instead of carrying it in the app's code. Centralizing secrets also concentrates risk: the vault's access controls and its logs then become the primary thing you must protect.

Your applications access the information they need by using URIs. Every object in a vault has an identifier, and the URI can either pin a specific version of a secret or omit the version to retrieve the current one. There is no need to write custom code to protect the secret information stored in Key Vault.
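An application that takes secret URIs from configuration should check them before calling the vault, because a tampered configuration could point it at a vault an attacker controls. The following parser, added here as an example and not taken from the article or from the Azure SDK, decomposes a Key Vault identifier into vault, object type, name and optional version and rejects anything that does not belong to the expected vault. It assumes the public-cloud DNS suffix `.vault.azure.net` and treats the 32-hex-character version format as an observed convention rather than a documented contract.

```python
"""Validate and decompose Azure Key Vault object identifiers before use (example code)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Public-cloud vault DNS suffix; other clouds use different suffixes (assumption: public cloud only).
VAULT_SUFFIX = ".vault.azure.net"
# Vault names: 3-24 alphanumerics or hyphens. Also rejects dotted hosts such as evil.example.vault.azure.net.
VAULT_RE = re.compile(r"^[A-Za-z0-9-]{3,24}$")
OBJECT_TYPES = {"secrets", "keys", "certificates"}
# Object names: 1-127 alphanumerics or hyphens.
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
# Versions as issued by the service are 32 lowercase hex characters (assumption based on observed identifiers).
VERSION_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class KeyVaultId:
    vault: str
    object_type: str
    name: str
    version: Optional[str]  # None means "current version"


def parse_id(identifier: str, expected_vault: Optional[str] = None) -> KeyVaultId:
    """Parse https://{vault}.vault.azure.net/{secrets|keys|certificates}/{name}[/{version}].

    Raises ValueError for anything that is not a well-formed identifier, or that
    points at a vault other than expected_vault when one is given.
    """
    parts = urlsplit(identifier)
    if parts.scheme != "https":
        raise ValueError("Key Vault identifiers must use https")
    if parts.username is not None or parts.port not in (None, 443):
        raise ValueError("unexpected userinfo or port in identifier")
    host = parts.hostname or ""  # urlsplit lower-cases the host for us
    if not host.endswith(VAULT_SUFFIX):
        raise ValueError(f"not a Key Vault host: {host!r}")
    vault = host[: -len(VAULT_SUFFIX)]
    if not VAULT_RE.match(vault):
        raise ValueError(f"invalid vault name: {vault!r}")
    if expected_vault is not None and vault != expected_vault.lower():
        raise ValueError(f"identifier points at vault {vault!r}, expected {expected_vault!r}")

    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3):
        raise ValueError(f"unexpected path: {parts.path!r}")
    object_type, name = segments[0], segments[1]
    version = segments[2] if len(segments) == 3 else None
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {object_type!r}")
    if not NAME_RE.match(name):
        raise ValueError(f"invalid object name: {name!r}")
    if version is not None and not VERSION_RE.match(version):
        raise ValueError(f"invalid version: {version!r}")
    return KeyVaultId(vault, object_type, name, version)


def is_valid_id(identifier: str, expected_vault: Optional[str] = None) -> bool:
    """Boolean wrapper around parse_id for callers that only need accept/reject."""
    try:
        parse_id(identifier, expected_vault)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    pinned = parse_id("https://contoso.vault.azure.net/secrets/db-conn/0123456789abcdef0123456789abcdef")
    current = parse_id("https://contoso.vault.azure.net/secrets/db-conn", expected_vault="contoso")
    print(pinned)   # version pinned to one value
    print(current)  # version=None, i.e. whatever is current in the vault
```

Pin a version in the identifier when a rotation must not change the value an application sees until it is redeployed; omit it when the application should pick up rotated secrets automatically. Either way, pass `expected_vault` so a configuration change alone cannot redirect the application to a different vault.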

Securely store secrets and keys

Secrets and keys are safeguarded by Azure using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs used are validated to Federal Information Processing Standards (FIPS) 140-2 Level 2.

Access to a key vault requires proper authentication and authorization before a caller (a user or an application) can get access. Authentication establishes the identity of the caller; authorization determines the operations that caller is allowed to perform.

Authentication is done via Azure Active Directory. Authorization may be done via role-based access control (RBAC) or a Key Vault access policy. RBAC governs management of the vault itself (the management plane), while the access policy governs access to the keys, secrets, and certificates stored in it (the data plane). The two planes are not independent: a principal allowed to manage the vault can edit its access policies and thereby grant itself access to the data, so management-plane roles such as Contributor must be assigned as carefully as data-plane permissions.

Azure key vaults may be either software-protected or HSM-protected. Where you require added assurance, you can import or generate keys in hardware security modules (HSMs) so that the key material never leaves the HSM boundary. Microsoft uses nCipher hardware security modules, and you can use nCipher tools to move a key from your own HSM into Azure Key Vault.

Finally, Azure Key Vault is designed so that Microsoft does not see or extract your data.

Monitor access and use

Once you have created a couple of key vaults, you will want to monitor how and when your keys and secrets are being accessed. You can monitor activity by enabling logging for your vaults. You can configure Azure Key Vault to:

  • Archive logs to a storage account.
  • Stream logs to an event hub.
  • Send logs to Azure Monitor logs.

You have control over your logs: you can secure them by restricting access, and you can delete logs you no longer need. The logs record who performed which operation on which object and whether it succeeded; they do not contain the secret values themselves.
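Once the logs land in a storage account, an event hub or Azure Monitor, the questions worth asking are who is being refused, who is reading secrets from an unexpected network, and who is changing the vault's configuration or purging objects. The following triage routine is an added example, not code from the article or from Azure; the log records are constructed for this example, with field names following the Key Vault AuditEvent schema (`operationName`, `resultType`, `callerIpAddress`, `identity.claim`, `properties.id`). The set of privileged operation names is an assumption about how those operations appear in the `operationName` field.

```python
"""Triage Azure Key Vault AuditEvent log lines for suspicious access (example code, constructed samples)."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Operations that change who can reach the vault or that destroy objects.
# Assumption: these are the names as they appear in the operationName field.
PRIVILEGED_OPS = {"VaultPut", "VaultPatch", "VaultDelete", "SecretPurge", "KeyPurge", "CertificatePurge"}


def _record(time: str, op: str, result: str, status: int, ip: str, claims: dict, obj: str) -> str:
    """Build one constructed AuditEvent record as the JSON line a diagnostic export would carry."""
    return json.dumps({
        "time": time, "category": "AuditEvent", "operationName": op,
        "resultType": result, "callerIpAddress": ip,
        "identity": {"claim": claims},
        "properties": {"id": obj, "httpStatusCode": status},
    })


# Constructed identities and sample log; the values are made up for this example.
APP_A = {"appid": "11111111-1111-1111-1111-111111111111"}
APP_B = {"appid": "22222222-2222-2222-2222-222222222222"}
ADMIN = {UPN_CLAIM: "admin@contoso.example"}
VAULT = "https://contoso.vault.azure.net"

SAMPLE_LOG = [
    _record("2019-06-01T10:00:01Z", "SecretGet", "Success", 200, "10.0.0.4", APP_A, f"{VAULT}/secrets/db-conn"),
    _record("2019-06-01T10:00:05Z", "SecretGet", "Forbidden", 403, "10.0.0.9", APP_B, f"{VAULT}/secrets/db-conn"),
    _record("2019-06-01T10:00:06Z", "SecretGet", "Forbidden", 403, "10.0.0.9", APP_B, f"{VAULT}/secrets/api-key"),
    _record("2019-06-01T10:00:07Z", "SecretList", "Forbidden", 403, "10.0.0.9", APP_B, f"{VAULT}/secrets"),
    _record("2019-06-01T10:01:00Z", "SecretGet", "Success", 200, "203.0.113.77", APP_A, f"{VAULT}/secrets/db-conn"),
    _record("2019-06-01T10:02:00Z", "VaultPatch", "Success", 200, "10.0.0.4", ADMIN, VAULT),
    _record("2019-06-01T10:03:00Z", "SecretPurge", "Success", 204, "10.0.0.4", ADMIN, f"{VAULT}/secrets/old-token"),
]


def caller_of(record: dict) -> str:
    """Prefer a user principal name, fall back to the application id, else 'unknown'."""
    claims = record.get("identity", {}).get("claim", {})
    return claims.get(UPN_CLAIM) or claims.get("appid") or "unknown"


def triage(lines: Iterable[str], allowed_nets: List[str], failure_threshold: int = 3) -> Dict[str, list]:
    """Return three finding lists: callers with repeated failures, calls from outside
    allowed_nets, and privileged operations (each with caller and target object)."""
    nets = [ip_network(n) for n in allowed_nets]
    failures: Counter = Counter()
    findings: Dict[str, list] = {"repeated_failures": [], "unexpected_source": [], "privileged_ops": []}
    for raw in lines:
        rec = json.loads(raw)
        if rec.get("category") != "AuditEvent":
            continue
        caller, op, ip = caller_of(rec), rec.get("operationName", ""), rec.get("callerIpAddress", "")
        if rec.get("resultType") != "Success":
            failures[caller] += 1  # an identity probing for objects it may not read
        if not any(ip_address(ip) in net for net in nets):
            findings["unexpected_source"].append((ip, caller, op))
        if op in PRIVILEGED_OPS:
            findings["privileged_ops"].append((op, caller, rec["properties"]["id"]))
    findings["repeated_failures"] = [(c, n) for c, n in failures.items() if n >= failure_threshold]
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, ["10.0.0.0/8"]), indent=2))
```

Run against the constructed log with `10.0.0.0/8` as the only allowed network, the routine reports the second application for three refusals in a row, the first application's successful read from `203.0.113.77`, and the administrator's `VaultPatch` and `SecretPurge`. The same shape of query is what you would express in Log Analytics once the diagnostic setting is streaming there; the point is that a refused call is at least as interesting as a successful one.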

Simplified administration of application secrets

When storing valuable data, you must take several steps: security information must be secured, it must follow a life cycle, and it must be highly available. Azure Key Vault simplifies the process of meeting these requirements by:

  • Removing the need for in-house knowledge of hardware security modules.
  • Scaling up on short notice to meet your organization's usage spikes.
  • Replicating the contents of your key vault within a region and to a secondary region. Replication ensures high availability and removes the need for any administrator action to trigger a failover.
  • Providing standard Azure administration options via the portal, Azure CLI, and PowerShell.
  • Automating certain tasks on certificates that you purchase from public CAs, such as enrollment and renewal.

In addition, Azure Key Vault lets you segregate application secrets. An application may access only the vaults it has been granted access to, and it can be limited to performing only specific operations. You can create one key vault per application and restrict the secrets stored in it to that application and its team of developers, so a compromise of one application exposes only that application's secrets.

Integrate with other Azure services

As a secure store in Azure, Key Vault has been used to simplify scenarios like:

Key Vault itself can integrate with storage accounts, event hubs, and Log Analytics.

Next steps