
Double encryption

Double encryption is where two or more independent layers of encryption are enabled to protect against the compromise of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. For example:

  • Configuration errors in the data encryption
  • Implementation errors in the encryption algorithm
  • Compromise of a single encryption key

Azure provides double encryption for data at rest and data in transit.

Data at rest

Microsoft's approach to enabling two layers of encryption for data at rest is:

  • Disk encryption using customer-managed keys. You provide your own key for disk encryption. You can bring your own keys to your Key Vault (BYOK, Bring Your Own Key), or generate new keys in Azure Key Vault to encrypt the desired resources.
  • Infrastructure encryption using platform-managed keys. By default, disks are automatically encrypted at rest using platform-managed encryption keys.
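The two layers above are independent settings, so a resource can easily end up with only one of them. The following added audit helper (not code from this page or from Microsoft) classifies resources by which layers are enabled and flags those that are not double-encrypted. It assumes the input dicts mirror the `encryption` property of a storage account (`keySource`, `requireInfrastructureEncryption`) and the `encryptionType` of a disk encryption set as the Azure CLI returns them; the sample inventory is constructed.

```python
from dataclasses import dataclass

# Assumed Azure property values (not from the page): key source meaning a
# customer-managed key, and the disk encryption set types that use one.
CMK_KEY_SOURCE = "Microsoft.Keyvault"
DES_CMK_TYPES = {"EncryptionAtRestWithCustomerKey",
                 "EncryptionAtRestWithPlatformAndCustomerKeys"}
DES_DOUBLE_TYPE = "EncryptionAtRestWithPlatformAndCustomerKeys"


@dataclass(frozen=True)
class Layers:
    customer_key: bool    # layer 1: encryption with a customer-managed key (BYOK)
    infrastructure: bool  # layer 2: infrastructure encryption with a platform-managed key

    @property
    def double(self) -> bool:
        return self.customer_key and self.infrastructure


def storage_layers(encryption: dict) -> Layers:
    """Layers enabled on a storage account, from its `encryption` property."""
    return Layers(
        customer_key=encryption.get("keySource") == CMK_KEY_SOURCE,
        # A missing field is treated as 'off': the conservative reading.
        infrastructure=bool(encryption.get("requireInfrastructureEncryption", False)),
    )


def disk_encryption_set_layers(des: dict) -> Layers:
    """Layers implied by a disk encryption set's `encryptionType`."""
    et = des.get("encryptionType", "")
    return Layers(customer_key=et in DES_CMK_TYPES, infrastructure=et == DES_DOUBLE_TYPE)


def find_single_layer(resources: dict) -> dict:
    """Return {name: Layers} for every resource that is not double-encrypted."""
    findings = {}
    for name, res in resources.items():
        if res["kind"] == "storage":
            layers = storage_layers(res["encryption"])
        else:
            layers = disk_encryption_set_layers(res)
        if not layers.double:
            findings[name] = layers
    return findings


# Constructed sample inventory, shaped like `az ... show` output fragments.
SAMPLE = {
    "stplatformonly": {"kind": "storage", "encryption": {"keySource": "Microsoft.Storage"}},
    "stcmkonly": {"kind": "storage", "encryption": {"keySource": "Microsoft.Keyvault"}},
    "stdouble": {"kind": "storage", "encryption": {"keySource": "Microsoft.Keyvault",
                                                   "requireInfrastructureEncryption": True}},
    "des-single": {"kind": "des", "encryptionType": "EncryptionAtRestWithCustomerKey"},
    "des-double": {"kind": "des", "encryptionType": DES_DOUBLE_TYPE},
}
```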

Data in transit

Microsoft's approach to enabling two layers of encryption for data in transit is:

  • Transit encryption using Transport Layer Security (TLS) 1.2 to protect data when it is traveling between the cloud services and you. All traffic leaving a datacenter is encrypted in transit, even if the traffic destination is another domain controller in the same region. TLS 1.2 is the default security protocol used. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.
  • An additional layer of encryption provided at the infrastructure layer. A data-link layer encryption method using the IEEE 802.1AE MAC Security standard (also known as MACsec) is applied point-to-point across the underlying network hardware. Whenever Azure customer traffic moves between datacenters, outside physical boundaries not controlled by Microsoft (or on behalf of Microsoft), the packets are encrypted and decrypted on the devices before being sent, preventing physical "man-in-the-middle" or snooping/wiretapping attacks. Because this technology is integrated in the network hardware itself, it provides line-rate encryption on the network hardware with no measurable increase in link latency. This MACsec encryption is on by default for all Azure traffic traveling within a region or between regions, and no action is required on customers' part to enable it.

Next steps

Learn how encryption is used in Azure.