Azure Data Encryption-at-Rest

Microsoft Azure includes tools to safeguard data according to your company's security and compliance needs. This paper focuses on:

  • How data is protected at rest across Microsoft Azure
  • The various components taking part in the data protection implementation
  • The pros and cons of the different key management protection approaches

Encryption at Rest is a common security requirement. In Azure, organizations can encrypt data at rest without the risk or cost of a custom key management solution. Organizations have the option of letting Azure completely manage Encryption at Rest. Additionally, organizations have various options to closely manage encryption or encryption keys.

What is encryption at rest?

Encryption at Rest is the encoding (encryption) of data when it is persisted. The Encryption at Rest designs in Azure use symmetric encryption to encrypt and decrypt large amounts of data quickly, according to a simple conceptual model:

  • A symmetric encryption key is used to encrypt data as it is written to storage.
  • The same encryption key is used to decrypt that data as it is readied for use in memory.
  • Data may be partitioned, and different keys may be used for each partition.
  • Keys must be stored in a secure location with identity-based access control and audit policies. Data encryption keys are often encrypted with asymmetric encryption to further limit access.

In practice, key management and control scenarios, as well as scale and availability assurances, require additional constructs. Microsoft Azure Encryption at Rest concepts and components are described below.

The purpose of encryption at rest

Encryption at rest provides data protection for stored data (at rest). Attacks against data at rest include attempts to obtain physical access to the hardware on which the data is stored, and then compromise the contained data. In such an attack, a server's hard drive may have been mishandled during maintenance, allowing an attacker to remove the hard drive. Later the attacker would put the hard drive into a computer under their control to attempt to access the data.

Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource consuming than accessing unencrypted data on a hard drive. For this reason, encryption at rest is highly recommended and is a high priority requirement for many organizations.

Encryption at rest may also be required by an organization's need for data governance and compliance efforts. Industry and government regulations such as HIPAA, PCI, and FedRAMP lay out specific safeguards regarding data protection and encryption requirements. Encryption at rest is a mandatory measure required for compliance with some of those regulations.

In addition to satisfying compliance and regulatory requirements, encryption at rest provides defense-in-depth protection. Microsoft Azure provides a compliant platform for services, applications, and data. It also provides comprehensive facility and physical security, data access control, and auditing. However, it's important to provide additional "overlapping" security measures in case one of the other security measures fails, and encryption at rest provides such a security measure.

Microsoft is committed to encryption at rest options across cloud services and to giving customers control of encryption keys and logs of key use. Additionally, Microsoft is working towards encrypting all customer data at rest by default.

Azure Encryption at Rest Components

As described previously, the goal of encryption at rest is that data persisted on disk is encrypted with a secret encryption key. To achieve that goal, secure key creation, storage, access control, and management of the encryption keys must be provided. Though details may vary, Azure services' Encryption at Rest implementations can be described in the terms illustrated in the following diagram.

[Diagram: Components]

Azure Key Vault

The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. The keys need to be highly secured but manageable by specified users and available to specific services. For Azure services, Azure Key Vault is the recommended key storage solution and provides a common management experience across services. Keys are stored and managed in key vaults, and access to a key vault can be given to users or services. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios.

Azure Active Directory

Permissions to use the keys stored in Azure Key Vault, either to manage them or to access them for Encryption at Rest encryption and decryption, can be given to Azure Active Directory accounts.

Key Hierarchy

More than one encryption key is used in an encryption at rest implementation. Asymmetric encryption is useful for establishing the trust and authentication needed for key access and management. Symmetric encryption is more efficient for bulk encryption and decryption, allowing for stronger encryption and better performance. Limiting the use of a single encryption key decreases the risk that the key will be compromised and the cost of re-encryption when a key must be replaced. Azure encryption at rest models use a key hierarchy made up of the following types of keys:

  • Data Encryption Key (DEK) – A symmetric AES256 key used to encrypt a partition or block of data. A single resource may have many partitions and many Data Encryption Keys. Encrypting each block of data with a different key makes cryptanalysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key.
  • Key Encryption Key (KEK) – An asymmetric encryption key used to encrypt the Data Encryption Keys. Use of a Key Encryption Key allows the data encryption keys themselves to be encrypted and controlled. The entity that has access to the KEK may be different from the entity that requires the DEK. An entity may broker access to the DEK to limit the access of each DEK to a specific partition. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point of control: deleting the KEK effectively deletes every DEK encrypted under it.

The Data Encryption Keys, encrypted with the Key Encryption Keys, are stored separately, and only an entity with access to the Key Encryption Key can get any Data Encryption Keys encrypted with that key. Different models of key storage are supported. Each model is discussed in more detail in the next section.
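The DEK/KEK hierarchy described above, as an added worked example in Go that is not code from this page or from Azure: an asymmetric RSA KEK that only wraps per-partition AES-256-GCM DEKs, rotation of one DEK that re-encrypts only its own partition, and deletion of the KEK's private half that makes every wrapped DEK unrecoverable. The keyStore type, its method names and the sample data are assumptions for illustration; Azure Key Vault's real API is different.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// record is what a resource provider persists per partition: ciphertext plus that partition's KEK-wrapped DEK.
type record struct {
	WrappedDEK []byte // AES-256 DEK, RSA-OAEP encrypted under the KEK
	Nonce      []byte
	Ciphertext []byte
}

// keyStore stands in for Azure Key Vault in the page's model (hypothetical helper, not an Azure API).
type keyStore struct {
	pub  rsa.PublicKey   // wrapping a DEK needs only the public half of the KEK
	priv *rsa.PrivateKey // unwrapping needs the private half; nil once deleted
}

func newKeyStore() (*keyStore, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &keyStore{pub: kek.PublicKey, priv: kek}, nil
}

// deleteKEK models the single point of control: every DEK wrapped under the KEK becomes unrecoverable.
func (s *keyStore) deleteKEK() { s.priv = nil }

func (s *keyStore) unwrap(wrapped []byte) ([]byte, error) {
	if s.priv == nil {
		return nil, fmt.Errorf("KEK deleted: wrapped DEK is unrecoverable")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPartition creates a fresh AES-256 DEK for this partition, seals the data with it, and keeps only the wrapped DEK.
func encryptPartition(ks *keyStore, plaintext []byte) (*record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &ks.pub, dek, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &record{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

func decryptPartition(ks *keyStore, r *record) ([]byte, error) { // KEK access is needed to unwrap the DEK first
	dek, err := ks.unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

func rotateDEK(ks *keyStore, r *record) (*record, error) { // only this partition is re-encrypted
	pt, err := decryptPartition(ks, r)
	if err != nil {
		return nil, err
	}
	return encryptPartition(ks, pt)
}

func main() {
	ks, _ := newKeyStore()
	r, _ := encryptPartition(ks, []byte("partition 1 rows")) // constructed sample data
	r, _ = rotateDEK(ks, r)
	ks.deleteKEK()
	_, err := decryptPartition(ks, r)
	fmt.Println("after KEK deletion:", err)
}
```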

Data Encryption Models

An understanding of the various encryption models and their pros and cons is essential for understanding how the various resource providers in Azure implement encryption at rest. These definitions are shared across all resource providers in Azure to ensure a common language and taxonomy.

There are three scenarios for server-side encryption:

  • Server-side encryption using service-managed keys

    • Azure Resource Providers perform the encryption and decryption operations
    • Microsoft manages the keys
    • Full cloud functionality
  • Server-side encryption using customer-managed keys in Azure Key Vault

    • Azure Resource Providers perform the encryption and decryption operations
    • Customer controls keys via Azure Key Vault
    • Full cloud functionality
  • Server-side encryption using customer-managed keys on customer-controlled hardware

    • Azure Resource Providers perform the encryption and decryption operations
    • Customer controls keys on customer-controlled hardware
    • Full cloud functionality

For client-side encryption, consider the following:

  • Azure services cannot see decrypted data
  • Customers manage and store keys on-premises (or in other secure stores). Keys are not available to Azure services
  • Reduced cloud functionality

The supported encryption models in Azure split into two main groups, as mentioned previously: "Client Encryption" and "Server-side Encryption". Independent of the encryption at rest model used, Azure services always recommend the use of a secure transport such as TLS or HTTPS. Therefore, encryption in transport should be addressed by the transport protocol and should not be a major factor in determining which encryption at rest model to use.

Client encryption model

The Client Encryption model refers to encryption that is performed outside of the Resource Provider or Azure by the service or calling application. The encryption can be performed by the service application in Azure, or by an application running in the customer data center. In either case, when leveraging this encryption model, the Azure Resource Provider receives an encrypted blob of data without the ability to decrypt the data in any way or to access the encryption keys. In this model, the key management is done by the calling service/application and is opaque to the Azure service.

[Diagram: Client]

Server-side encryption model

Server-side Encryption models refer to encryption that is performed by the Azure service. In that model, the Resource Provider performs the encrypt and decrypt operations. For example, Azure Storage may receive data in plain text operations and will perform the encryption and decryption internally. The Resource Provider might use encryption keys that are managed by Microsoft or by the customer, depending on the provided configuration.

[Diagram: Server]

Server-side encryption key management models

Each of the server-side encryption at rest models implies distinctive characteristics of key management. This includes where and how encryption keys are created and stored, as well as the access models and the key rotation procedures.

Server-side encryption using service-managed keys

For many customers, the essential requirement is to ensure that the data is encrypted whenever it is at rest. Server-side encryption using service-managed keys enables this model by allowing customers to mark the specific resource (Storage Account, SQL DB, etc.) for encryption and leaving all key management aspects such as key issuance, rotation, and backup to Microsoft. Most Azure services that support encryption at rest typically support this model of offloading the management of the encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management.

[Diagram: Managed]

Server-side encryption using service-managed keys therefore quickly addresses the need to have encryption at rest with low overhead to the customer. When available, a customer typically opens the Azure portal for the target subscription and resource provider and checks a box indicating they would like the data to be encrypted. In some Resource Managers, server-side encryption with service-managed keys is on by default.

Server-side encryption with Microsoft-managed keys does imply that the service has full access to store and manage the keys. While some customers may want to manage the keys because they feel they gain greater security, the cost and risk associated with a custom key storage solution should be considered when evaluating this model. In many cases, an organization may determine that the resource constraints or risks of an on-premises solution are greater than the risk of cloud management of the encryption at rest keys. However, this model might not be sufficient for organizations that have requirements to control the creation or lifecycle of the encryption keys, or to have different personnel manage a service's encryption keys than those managing the service (that is, segregation of key management from the overall management model for the service).

Key access

When server-side encryption with service-managed keys is used, the key creation, storage, and service access are all managed by the service. Typically, the foundational Azure resource providers will store the Data Encryption Keys in a store that is close to the data and quickly available and accessible, while the Key Encryption Keys are stored in a secure internal store.

Advantages

  • Simple setup
  • Microsoft manages key rotation, backup, and redundancy
  • Customer does not have the cost associated with implementation or the risk of a custom key management scheme.

Disadvantages

  • No customer control over the encryption keys (key specification, lifecycle, revocation, etc.)
  • No ability to segregate key management from the overall management model for the service

Server-side encryption using customer-managed keys in Azure Key Vault

For scenarios where the requirement is to encrypt the data at rest and control the encryption keys, customers can use server-side encryption using customer-managed keys in Key Vault. Some services may store only the root Key Encryption Key in Azure Key Vault and store the encrypted Data Encryption Key in an internal location closer to the data. In that scenario, customers can bring their own keys to Key Vault (BYOK – Bring Your Own Key), or generate new ones, and use them to encrypt the desired resources. While the Resource Provider performs the encryption and decryption operations, it uses the configured key as the root key for all encryption operations.

Key Access

The server-side encryption model with customer-managed keys in Azure Key Vault involves the service accessing the keys to encrypt and decrypt as needed. Encryption at rest keys are made accessible to a service through an access control policy. This policy grants the service identity access to receive the key. An Azure service running on behalf of an associated subscription can be configured with an identity in that subscription. The service can perform Azure Active Directory authentication and receive an authentication token identifying itself as that service acting on behalf of the subscription. That token can then be presented to Key Vault to obtain a key it has been given access to.

For operations using encryption keys, a service identity can be granted access to any of the following operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, and restore.

To obtain a key for use in encrypting or decrypting data at rest, the service identity that the Resource Manager service instance will run as must have UnwrapKey (to get the key for decryption) and WrapKey (to insert a key into Key Vault when creating a new key).

Note

For more detail on Key Vault authorization, see the "Secure your key vault" page in the Azure Key Vault documentation.

Advantages

  • Full control over the keys used – encryption keys are managed in the customer's Key Vault under the customer's control.
  • Ability to encrypt multiple services under one master key
  • Can segregate key management from the overall management model for the service
  • Can define service and key location across regions

Disadvantages

  • Customer has full responsibility for key access management
  • Customer has full responsibility for key lifecycle management
  • Additional setup and configuration overhead

Server-side encryption using service-managed keys in customer-controlled hardware

Some Azure services enable the Host Your Own Key (HYOK) key management model. This management mode is useful in scenarios where there is a need to encrypt the data at rest and manage the keys in a proprietary repository outside of Microsoft's control. In this model, the service must retrieve the key from an external site. Performance and availability guarantees are impacted, and configuration is more complex. Additionally, since the service does have access to the DEK during the encryption and decryption operations, the overall security guarantees of this model are similar to when the keys are customer-managed in Azure Key Vault. As a result, this model is not appropriate for most organizations unless they have specific key management requirements. Due to these limitations, most Azure services do not support server-side encryption using service-managed keys in customer-controlled hardware.

Key Access

When server-side encryption using service-managed keys in customer-controlled hardware is used, the keys are maintained on a system configured by the customer. Azure services that support this model provide a means of establishing a secure connection to a customer-supplied key store.

Advantages

  • Full control over the root key used – encryption keys are managed by a customer-provided store
  • Ability to encrypt multiple services under one master key
  • Can segregate key management from the overall management model for the service
  • Can define service and key location across regions

Disadvantages

  • Full responsibility for key storage, security, performance, and availability
  • Full responsibility for key access management
  • Full responsibility for key lifecycle management
  • Significant setup, configuration, and ongoing maintenance costs
  • Increased dependency on network availability between the customer datacenter and Azure datacenters.

Encryption at rest in Microsoft cloud services

Microsoft Cloud services are used in all three cloud models: IaaS, PaaS, SaaS. Below are examples of how they fit each model:

  • Software services, referred to as Software as a Service or SaaS, which have applications provided by the cloud, such as Office 365.
  • Platform services, with which customers leverage the cloud in their applications, using the cloud for things like storage, analytics, and service bus functionality.
  • Infrastructure services, or Infrastructure as a Service (IaaS), in which the customer deploys operating systems and applications that are hosted in the cloud and possibly leverage other cloud services.

Encryption at rest for SaaS customers

Software as a Service (SaaS) customers typically have encryption at rest enabled or available in each service. Office 365 has several options for customers to verify or enable encryption at rest. For information about Office 365 services, see Encryption in Office 365.

Encryption at rest for PaaS customers

Platform as a Service (PaaS) customers' data typically resides in a storage service such as Blob Storage, but may also be cached or stored in the application execution environment, such as a virtual machine. To see the encryption at rest options available to you, examine the table below for the storage and application platforms that you use.

Encryption at rest for IaaS customers

Infrastructure as a Service (IaaS) customers can have a variety of services and applications in use. IaaS services can enable encryption at rest in their Azure-hosted virtual machines and VHDs using Azure Disk Encryption.

Encrypted storage

Like PaaS, IaaS solutions can leverage other Azure services that store data encrypted at rest. In these cases, you can enable the Encryption at Rest support as provided by each consumed Azure service. The table below enumerates the major storage, services, and application platforms and the model of Encryption at Rest supported.

Encrypted compute

All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption with a service-managed key. A more complete Encryption at Rest solution ensures that the data is never persisted in unencrypted form. While a virtual machine is processing data, that data can be persisted to the Windows page file or Linux swap file, a crash dump, or an application log. To ensure this data is encrypted at rest, IaaS applications can use Azure Disk Encryption on an Azure IaaS virtual machine (Windows or Linux) and its virtual disks.

Custom encryption at rest

It is recommended that, whenever possible, IaaS applications leverage Azure Disk Encryption and the Encryption at Rest options provided by any consumed Azure services. In some cases, such as irregular encryption requirements or non-Azure based storage, a developer of an IaaS application may need to implement encryption at rest themselves. Developers of IaaS solutions can better integrate with Azure management and customer expectations by leveraging certain Azure components. Specifically, developers should use the Azure Key Vault service to provide secure key storage, as well as to provide their customers with key management options consistent with those of most Azure platform services. Additionally, custom solutions should use Azure Managed Service Identities to enable service accounts to access encryption keys. For developer information on Azure Key Vault and Managed Service Identities, see their respective SDKs.

Azure resource providers encryption model support

Microsoft Azure services each support one or more of the encryption at rest models. For some services, however, one or more of the encryption models may not be applicable. Services that support customer-managed key scenarios may support only a subset of the key types that Azure Key Vault supports for key encryption keys. Additionally, services may release support for these scenarios and key types on different schedules. This section describes the encryption at rest support, at the time of this writing, for each of the major Azure data storage services.

Azure disk encryption

Any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption. For more information on Azure Disk Encryption, see the Azure Disk Encryption documentation.

Azure storage

All Azure Storage services (Blob storage, Queue storage, Table storage, and Azure Files) support server-side encryption at rest; some services additionally support customer-managed keys and client-side encryption.

Azure SQL Database

Azure SQL Database currently supports encryption at rest for Microsoft-managed service-side and client-side encryption scenarios.

Support for server encryption is currently provided through the SQL feature called Transparent Data Encryption. Once an Azure SQL Database customer enables TDE, keys are automatically created and managed for them. Encryption at rest can be enabled at the database and server levels. As of June 2017, Transparent Data Encryption (TDE) is enabled by default on newly created databases. Azure SQL Database supports RSA 2048-bit customer-managed keys in Azure Key Vault. For more information, see Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Data Warehouse.

Client-side encryption of Azure SQL Database data is supported through the Always Encrypted feature. Always Encrypted uses a key that is created and stored by the client. Customers can store the master key in a Windows certificate store, Azure Key Vault, or a local Hardware Security Module. Using SQL Server Management Studio, SQL users choose which key they'd like to use to encrypt which column.

| Encryption Model and Key Management | Server-Side Using Service-Managed Key | Server-Side Using Customer-Managed Key | Client-Side Using Client-Managed Key |
|---|---|---|---|
| AI and Machine Learning | | | |
| Azure Search | Yes | - | - |
| Azure Machine Learning Service | Yes | - | - |
| Azure Machine Learning Studio | Yes | Preview, RSA 2048-bit | - |
| Power BI | Yes | Preview, RSA 2048-bit | - |
| Analytics | | | |
| Azure Stream Analytics | Yes | - | - |
| Event Hubs | Yes | - | - |
| Azure Analysis Services | Yes | - | - |
| Azure Data Catalog | Yes | - | - |
| HDInsight | Yes | Preview for Apache Kafka, All RSA Lengths | - |
| Azure Data Factory | Yes | - | - |
| Azure Data Lake Store | Yes | Yes, RSA 2048-bit | - |
| Containers | | | |
| Azure Kubernetes Service | Yes | - | - |
| Container Registry | Yes | - | - |
| Compute | | | |
| Virtual Machines | Yes | Yes, RSA 2048-bit | - |
| Virtual Machine Scale Set | Yes | Yes, RSA 2048-bit | - |
| SAP HANA | Yes | Yes, RSA 2048-bit | - |
| Databases | | | |
| SQL Server on Virtual Machines | Yes | Yes, RSA 2048-bit | Yes |
| Azure SQL Database | Yes | Yes, RSA 2048-bit | Yes |
| Azure SQL Database for MariaDB | Yes | - | - |
| Azure SQL Database for MySQL | Yes | - | - |
| Azure SQL Database for PostgreSQL | Yes | - | - |
| Azure SQL Data Warehouse | Yes | Yes, RSA 2048-bit | Yes |
| SQL Server Stretch Database | Yes | Yes, RSA 2048-bit | Yes |
| Table Storage | Yes | - | Yes |
| Azure Cosmos DB | Yes | - | - |
| DevOps | | | |
| Azure DevOps | Yes | - | Yes |
| Azure Repos | Yes | - | Yes |
| Identity | | | |
| Azure Active Directory | Yes | - | - |
| Azure Active Directory Domain Services | Yes | Yes, RSA 2048-bit | - |
| Integration | | | |
| Service Bus | Yes | - | Yes |
| Event Grid | Yes | - | - |
| API Management | Yes | - | - |
| IoT Services | | | |
| IoT Hub | - | - | Yes |
| Management and Governance | | | |
| Azure Site Recovery | Yes | Yes, RSA 2048-bit | Yes |
| Media | | | |
| Media Services | Yes | - | Yes |
| Storage | | | |
| Blob Storage | Yes | Yes, RSA 2048-bit | Yes |
| Disk Storage | Yes | - | - |
| Managed Disk Storage | Yes | - | - |
| File Storage | Yes | Yes, RSA 2048-bit | - |
| Queue Storage | Yes | - | Yes |
| Avere vFXT | Yes | - | - |
| Azure NetApp Files | Yes | - | - |
| Archive Storage | Yes | Yes, RSA 2048-bit | - |
| StorSimple | Yes | Yes, RSA 2048-bit | Yes |
| Azure Backup | Yes | - | Yes |
| Data Box | Yes | - | Yes |

Conclusion

Protection of customer data stored within Azure services is of paramount importance to Microsoft. All Azure-hosted services are committed to providing Encryption at Rest options. Foundational services such as Azure Storage, Azure SQL Database, and key analytics and intelligence services already provide Encryption at Rest options. Some of these services support customer-controlled keys and client-side encryption in addition to service-managed keys and encryption. Microsoft Azure services are broadly enhancing Encryption at Rest availability, and new options are planned for preview and general availability in the upcoming months.