
Azure encryption overview

This article provides an overview of how encryption is used in Microsoft Azure. It covers the major areas of encryption, including encryption at rest, encryption in flight, and key management with Azure Key Vault. Each section includes links to more detailed information.

Encryption of data at rest

Data at rest includes information that resides in persistent storage on physical media, in any digital format. The media can include files on magnetic or optical media, archived data, and data backups. Microsoft Azure offers a variety of data storage solutions to meet different needs, including file, disk, blob, and table storage. Microsoft also provides encryption to protect Azure SQL Database, Azure Cosmos DB, and Azure Data Lake.

Data encryption at rest is available for services across the software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) cloud models. This article summarizes and provides resources to help you use the Azure encryption options.

For a more detailed discussion of how data at rest is encrypted in Azure, see Azure Data Encryption-at-Rest.

Azure encryption models

Azure supports various encryption models, including server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, you can manage and store keys on-premises or in another secure location.

Client-side encryption

Client-side encryption is performed outside of Azure. It includes:

  • Data encrypted by an application that's running in the customer's datacenter or by a service application.
  • Data that is already encrypted when it is received by Azure.

With client-side encryption, cloud service providers don't have access to the encryption keys and cannot decrypt this data. You maintain complete control of the keys.

Server-side encryption

The three server-side encryption models offer different key management characteristics, which you can choose according to your requirements:

  • Service-managed keys: Provides a combination of control and convenience with low overhead.

  • Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.

  • Service-managed keys in customer-controlled hardware: Enables you to manage keys in your proprietary repository, outside of Microsoft control. This characteristic is called Host Your Own Key (HYOK). However, configuration is complex, and most Azure services don't support this model.

Azure disk encryption

You can protect Windows and Linux virtual machines by using Azure disk encryption, which uses Windows BitLocker technology and Linux DM-Crypt to protect both operating system disks and data disks with full volume encryption.

Encryption keys and secrets are safeguarded in your Azure Key Vault subscription. By using the Azure Backup service, you can back up and restore encrypted virtual machines (VMs) that use Key Encryption Key (KEK) configuration.

Azure Storage Service Encryption

Data at rest in Azure Blob storage and Azure file shares can be encrypted in both server-side and client-side scenarios.

Azure Storage Service Encryption (SSE) automatically encrypts data before it is stored and automatically decrypts it when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses 256-bit Advanced Encryption Standard (AES) encryption, one of the strongest block ciphers available, and handles encryption, decryption, and key management transparently.

Client-side encryption of Azure blobs

You can perform client-side encryption of Azure blobs in various ways.

You can use the Azure Storage Client Library for .NET NuGet package to encrypt data within your client applications prior to uploading it to your Azure storage.

To learn more about and download the Azure Storage Client Library for .NET NuGet package, see Windows Azure Storage 8.3.0.

When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is encrypted using a Key Encryption Key (KEK), which can be either a symmetric key or an asymmetric key pair. You can manage the KEK locally or store it in Key Vault. The encrypted data is then uploaded to Azure Storage.
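The CEK/KEK scheme described above, as an added Go example that is not the Azure Storage client SDK's code: a fresh random CEK encrypts the blob body with AES-256-GCM, and only the CEK is wrapped with an asymmetric KEK (RSA-OAEP). The KEK is generated locally here as a stand-in for a Key Vault key, and the Envelope type is a constructed container, not the SDK's blob metadata layout.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed container for one encrypted blob. It is not the
// metadata layout the Azure Storage client SDK writes; it only carries the
// three pieces the scheme needs: the KEK-wrapped CEK, the nonce and the ciphertext.
type Envelope struct {
	WrappedCEK []byte // CEK encrypted with the KEK (RSA-OAEP here)
	Nonce      []byte // AES-GCM nonce, unique per encryption
	Ciphertext []byte // AES-GCM output, including the authentication tag
}

// EncryptBlob generates a one-time CEK, encrypts the blob body with it
// (AES-256-GCM) and wraps only the CEK with the asymmetric KEK. The KEK's
// private half never touches the data path, which is what lets it live in
// Key Vault while the client does the bulk encryption.
func EncryptBlob(kek *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	cek := make([]byte, 32) // 256-bit key, used for this blob only
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, cek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedCEK: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptBlob unwraps the CEK with the KEK private key, then authenticates
// and decrypts the body. Any modification of the ciphertext, nonce or tag is
// rejected by GCM before a single plaintext byte is returned.
func DecryptBlob(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedCEK, nil)
	if err != nil {
		return nil, errors.New("CEK unwrap failed: wrong KEK or corrupted wrapped key")
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: blob was modified after encryption")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// The KEK would normally be an RSA key held in Key Vault; generated here for the demo.
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	body := []byte("constructed blob contents")
	env, err := EncryptBlob(&kek.PublicKey, body)
	if err != nil {
		panic(err)
	}
	got, err := DecryptBlob(kek, env)
	fmt.Printf("round trip ok: %v, err: %v\n", bytes.Equal(got, body), err)

	// Flip one ciphertext bit: decryption must fail rather than return garbage.
	env.Ciphertext[0] ^= 0x01
	_, err = DecryptBlob(kek, env)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because each blob gets its own CEK, rotating or revoking the KEK only requires re-wrapping the small CEKs, never re-encrypting the blob bodies; and because the KEK private key is only needed in DecryptBlob, the upload path can run with the public half alone.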

To learn more about client-side encryption with Key Vault and get started with how-to instructions, see Tutorial: Encrypt and decrypt blobs in Azure Storage by using Key Vault.

Finally, you can also use the Azure Storage Client Library for Java to perform client-side encryption before you upload data to Azure Storage, and to decrypt the data when you download it to the client. This library also supports integration with Key Vault for storage account key management.

Encryption of data at rest with Azure SQL Database

Azure SQL Database is a general-purpose relational database service in Azure that supports structures such as relational data, JSON, spatial, and XML. SQL Database supports both server-side encryption via the Transparent Data Encryption (TDE) feature and client-side encryption via the Always Encrypted feature.

Transparent Data Encryption

TDE is used to encrypt SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files in real time, using a Database Encryption Key (DEK), which is stored in the database boot record for availability during recovery.

TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption algorithms. Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and are decrypted when they're read into memory. TDE is now enabled by default on newly created Azure SQL databases.

Always Encrypted feature

With the Always Encrypted feature in Azure SQL, you can encrypt data within client applications prior to storing it in Azure SQL Database. You can also delegate on-premises database administration to third parties while maintaining separation between those who own and can view the data and those who manage it but should not have access to it.

Cell-level or column-level encryption

With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called cell-level encryption or column-level encryption (CLE), because you can use it to encrypt specific columns or even specific cells of data with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages.

CLE has built-in functions that you can use to encrypt data by using either symmetric or asymmetric keys, the public key of a certificate, or a passphrase using 3DES.

Cosmos DB database encryption

Azure Cosmos DB is Microsoft's globally distributed, multi-model database. User data that's stored in Cosmos DB in non-volatile storage (solid-state drives) is encrypted by default. There are no controls to turn it on or off. Encryption at rest is implemented by using a number of security technologies, including secure key storage systems, encrypted networks, and cryptographic APIs. Encryption keys are managed by Microsoft and are rotated per Microsoft internal guidelines.

At-rest encryption in Data Lake

Azure Data Lake is an enterprise-wide repository of every type of data collected in a single place prior to any formal definition of requirements or schema. Data Lake Store supports "on by default," transparent encryption of data at rest, which is set up during the creation of your account. By default, Azure Data Lake Store manages the keys for you, but you have the option to manage them yourself.

Three types of keys are used in encrypting and decrypting data: the Master Encryption Key (MEK), Data Encryption Key (DEK), and Block Encryption Key (BEK). The MEK is used to encrypt the DEK, which is stored on persistent media, and the BEK is derived from the DEK and the data block. If you are managing your own keys, you can rotate the MEK.

Encryption of data in transit

Azure offers many mechanisms for keeping data private as it moves from one location to another.

TLS/SSL encryption in Azure

Microsoft uses the Transport Layer Security (TLS) protocol to protect data when it's traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

Perfect Forward Secrecy (PFS) protects connections between customers' client systems and Microsoft cloud services by using unique session keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination makes it difficult for someone to intercept and access data that is in transit.
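What the PFS and protocol-version guarantees above look like from the client side, as an added Go example that is not Microsoft's code: it performs a TLS handshake over a loopback socket against a constructed self-signed 2,048-bit RSA certificate for the hypothetical name example.invalid, enforces TLS 1.2 as the client's floor, and checks that the negotiated cipher suite uses an ephemeral key exchange. The Handshake and HasForwardSecrecy functions are this example's own; a real Azure endpoint is simply substituted for the in-process server.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// HasForwardSecrecy reports whether a negotiated connection used an ephemeral
// key exchange. Every TLS 1.3 suite does; in TLS 1.2 only the ECDHE suites do,
// while the static-RSA suites (TLS_RSA_WITH_...) let a leaked server key
// decrypt recorded traffic.
func HasForwardSecrecy(cs tls.ConnectionState) bool {
	if cs.Version >= tls.VersionTLS13 {
		return true
	}
	return strings.HasPrefix(tls.CipherSuiteName(cs.CipherSuite), "TLS_ECDHE_")
}

// selfSignedRSA makes a throwaway 2,048-bit RSA certificate for the constructed
// name "example.invalid", standing in for the certificate a real endpoint presents.
func selfSignedRSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.invalid"},
		DNSNames:              []string{"example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Handshake runs a server and a client over a loopback TCP socket. clientMin is
// the lowest protocol version the client accepts; serverMax caps what the server
// offers (0 means the library default). It returns the client's view of the
// negotiated connection, or the error that stopped the handshake.
func Handshake(clientMin, serverMax uint16) (tls.ConnectionState, error) {
	cert, pool, err := selfSignedRSA()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()

	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{cert},
			MaxVersion:   serverMax,
		})
		serverErr <- srv.Handshake()
	}()

	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: "example.invalid",
		RootCAs:    pool,      // trust only the constructed certificate
		MinVersion: clientMin, // refuse anything older than this
	})
	if err != nil {
		<-serverErr
		return tls.ConnectionState{}, err
	}
	defer client.Close()
	if err := <-serverErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

func main() {
	cs, err := Handshake(tls.VersionTLS12, 0)
	if err != nil {
		panic(err)
	}
	fmt.Printf("negotiated version 0x%04x with %s, forward secrecy: %v\n",
		cs.Version, tls.CipherSuiteName(cs.CipherSuite), HasForwardSecrecy(cs))

	// A server that only speaks TLS 1.0 must be refused by a client with a 1.2 floor.
	_, err = Handshake(tls.VersionTLS12, tls.VersionTLS10)
	fmt.Println("legacy-only server rejected:", err != nil)
}
```

The two checks are deliberately separate: MinVersion is enforced by the library before any data flows, while HasForwardSecrecy is a post-handshake audit of the ConnectionState that a client can log or alert on when a TLS 1.2 peer picks a static-RSA suite.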

Azure Storage transactions

When you interact with Azure Storage through the Azure portal, all transactions take place over HTTPS. You can also use the Storage REST API over HTTPS to interact with Azure Storage. You can enforce the use of HTTPS when you call the REST APIs to access objects in storage accounts by enabling the "Secure transfer required" setting on the storage account.

Shared Access Signatures (SAS), which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used when the signature is presented. This approach ensures that anybody who sends links with SAS tokens uses the proper protocol.
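An added Go example (not Azure's code) that audits SAS links for the HTTPS-only option before they are shared. It relies on the fact that the signed protocol of a SAS token is carried in the spr query parameter, which is covered by the signature and so cannot be changed after the fact; anything other than spr=https, or a link that is not itself https, is reported as a finding. The account name, container and sig values in the samples are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// CheckSASHTTPSOnly audits a full SAS link or a bare SAS token string.
// Two independent things must hold: the link itself must point at https, and
// the signed token must carry spr=https. A missing spr means the token was
// issued with the service default "https,http" and is usable over plain HTTP.
func CheckSASHTTPSOnly(link string) error {
	query := link
	if strings.Contains(link, "://") {
		u, err := url.Parse(link)
		if err != nil {
			return err
		}
		if !strings.EqualFold(u.Scheme, "https") {
			return fmt.Errorf("link uses %q, not https", u.Scheme)
		}
		query = u.RawQuery
	}
	// Bare tokens handed out by tooling often start with "?"; accept that form too.
	params, err := url.ParseQuery(strings.TrimPrefix(query, "?"))
	if err != nil {
		return err
	}
	if params.Get("sig") == "" {
		return errors.New("no SAS signature (sig) present")
	}
	switch spr := params.Get("spr"); spr {
	case "https":
		return nil
	case "":
		return errors.New("spr missing: token is valid over both https and http")
	default:
		return fmt.Errorf("spr=%q permits plain http", spr)
	}
}

// AuditLinks returns the links that fail the policy, keyed by link, with the reason.
func AuditLinks(links []string) map[string]string {
	findings := map[string]string{}
	for _, l := range links {
		if err := CheckSASHTTPSOnly(l); err != nil {
			findings[l] = err.Error()
		}
	}
	return findings
}

func main() {
	// Constructed sample links; account, container and signature are placeholders.
	samples := []string{
		"https://exampleacct.blob.core.windows.net/data/report.csv?sv=2020-08-04&sr=b&spr=https&sig=PLACEHOLDER",
		"https://exampleacct.blob.core.windows.net/data/report.csv?sv=2020-08-04&sr=b&spr=https,http&sig=PLACEHOLDER",
		"http://exampleacct.blob.core.windows.net/data/report.csv?sv=2020-08-04&sr=b&spr=https&sig=PLACEHOLDER",
		"?sv=2020-08-04&sr=b&sig=PLACEHOLDER",
	}
	for link, reason := range AuditLinks(samples) {
		fmt.Printf("REJECT %s\n       %s\n", link, reason)
	}
}
```

Checking the link scheme alone is not enough: a token issued with spr=https,http stays valid over HTTP even if the first link someone shares uses https, so the audit looks at the signed field rather than at how the link happens to be written.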

SMB 3.0, which is used to access Azure Files shares, supports encryption, and it's available in Windows Server 2012 R2, Windows 8, Windows 8.1, and Windows 10. It allows cross-region access and even access on the desktop.

Client-side encryption encrypts the data before it's sent to your Azure Storage instance, so that it's encrypted as it travels across the network.

SMB encryption over Azure virtual networks

By using SMB 3.0 in VMs that are running Windows Server 2012 or later, you can make data transfers secure by encrypting data in transit over Azure Virtual Networks. By encrypting data, you help protect against tampering and eavesdropping attacks. Administrators can enable SMB encryption for the entire server, or just for specific shares.

By default, after SMB encryption is turned on for a share or server, only SMB 3.0 clients are allowed to access the encrypted shares.

In-transit encryption in VMs

Data in transit to, from, and between VMs that are running Windows is encrypted in a number of ways, depending on the nature of the connection.

RDP sessions

You can connect and sign in to a VM by using the Remote Desktop Protocol (RDP) from a Windows client computer, or from a Mac with an RDP client installed. Data in transit over the network in RDP sessions can be protected by TLS.

You can also use Remote Desktop to connect to a Linux VM in Azure.

Secure access to Linux VMs with SSH

For remote management, you can use Secure Shell (SSH) to connect to Linux VMs running in Azure. SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. It is the default connection protocol for Linux VMs hosted in Azure. By using SSH keys for authentication, you eliminate the need for passwords to sign in. SSH uses a public/private key pair (asymmetric encryption) for authentication.

Azure VPN encryption

You can connect to Azure through a virtual private network that creates a secure tunnel to protect the privacy of the data being sent across the network.

Azure VPN gateways

You can use an Azure VPN gateway to send encrypted traffic between your virtual network and your on-premises location across a public connection, or to send traffic between virtual networks.

Site-to-site VPNs use IPsec for transport encryption. Azure VPN gateways use a set of default proposals. You can configure Azure VPN gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.

Point-to-site VPNs

Point-to-site VPNs allow individual client computers access to an Azure virtual network. The Secure Socket Tunneling Protocol (SSTP) is used to create the VPN tunnel. It can traverse firewalls (the tunnel appears as an HTTPS connection). You can use your own internal public key infrastructure (PKI) root certificate authority (CA) for point-to-site connectivity.

You can configure a point-to-site VPN connection to a virtual network with certificate authentication by using the Azure portal or PowerShell.

To learn more about point-to-site VPN connections to Azure virtual networks, see:

Configure a point-to-site connection to a virtual network by using certificate authentication: Azure portal

Configure a point-to-site connection to a virtual network by using certificate authentication: PowerShell

Site-to-site VPNs

You can use a site-to-site VPN gateway connection to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires an on-premises VPN device that has an external-facing public IP address assigned to it.

You can configure a site-to-site VPN connection to a virtual network by using the Azure portal, PowerShell, or Azure CLI.

For more information, see:

Create a site-to-site connection in the Azure portal

Create a site-to-site connection in PowerShell

Create a virtual network with a site-to-site VPN connection by using CLI

In-transit encryption in Data Lake

Data in transit (also known as data in motion) is also always encrypted in Data Lake Store. In addition to encrypting data prior to storing it in persistent media, the data is also always secured in transit by using HTTPS. HTTPS is the only protocol that is supported for the Data Lake Store REST interfaces.

To learn more about encryption of data in transit in Data Lake, see Encryption of data in Data Lake Store.

Key management with Key Vault

Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.

Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications don't have direct access to them. You can also import or generate keys in HSMs.

Next steps