
Azure Storage encryption for data at rest

Azure Storage automatically encrypts your data when persisting it to the cloud. Encryption protects your data and helps you meet your organizational security and compliance commitments. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.

Encryption does not affect Azure Storage performance. There is no additional cost for Azure Storage encryption.

For more information about the cryptographic modules underlying Azure Storage encryption, see Cryptography API: Next Generation.

Key management

You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys, together with Azure Key Vault.

Microsoft-managed keys

By default, your storage account uses Microsoft-managed encryption keys. You can see the encryption settings for your storage account in the Encryption section of the Azure portal, as shown in the following image.

(Screenshot: encryption settings of an account encrypted with Microsoft-managed keys)

Customer-managed keys

You can manage Azure Storage encryption with customer-managed keys. Customer-managed keys give you more flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

Use Azure Key Vault to manage your keys and audit your key usage. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Key Vault, see What is Azure Key Vault?

To revoke access to customer-managed keys, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, because the encryption key is no longer accessible to Azure Storage.
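The following Az PowerShell script is an added example, not code from the original article, that walks through the customer-managed-key setup described above and the revocation step: it gives the storage account a managed identity, creates a key vault in the same region, grants that identity only the key permissions it needs, generates a key, binds the account to it, verifies the result, and finally cuts off access. Resource names, the region, and the assumption that the vault uses the access-policy permission model are placeholders chosen for the example; it requires the Az.Accounts, Az.Storage and Az.KeyVault modules and a prior Connect-AzAccount.

```powershell
# Added example (not from the original article): enable customer-managed keys for
# Azure Storage encryption with Az PowerShell, verify the binding, then revoke access.
# Assumptions: Az.Accounts, Az.Storage, Az.KeyVault installed; Connect-AzAccount already run;
# the names below are placeholders; the vault uses the access-policy permission model.

$ResourceGroup = 'rg-storage-cmk'
$Location      = 'eastus'            # vault and storage account must share a region
$StorageName   = 'stcmkdemo0001'     # placeholder: 3-24 lowercase alphanumerics, globally unique
$VaultName     = 'kv-cmk-demo-0001'  # placeholder
$KeyName       = 'storage-cmk'

# 1. Give the storage account a system-assigned managed identity. Azure Storage uses this
#    identity, not your user account, to wrap and unwrap its data-encryption key in Key Vault.
$account     = Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageName -AssignIdentity
$principalId = $account.Identity.PrincipalId

# 2. Create the vault with purge protection so the key cannot be permanently deleted while
#    data still depends on it (soft delete is on by default in current Az.KeyVault; older
#    module versions also needed -EnableSoftDelete).
$vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
    -EnablePurgeProtection

# 3. Least privilege: the storage identity gets get/wrapKey/unwrapKey only, never delete or purge.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId `
    -PermissionsToKeys get, wrapkey, unwrapkey

# 4. Generate the key inside the vault (use -Destination 'HSM' on a premium vault for an
#    HSM-protected key).
$key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination 'Software'

# 5. Bind the storage account to that key version.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageName `
    -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $vault.VaultUri

# 6. Verify. KeySource is 'Microsoft.Keyvault' for customer-managed keys and
#    'Microsoft.Storage' for Microsoft-managed keys.
$enc = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageName).Encryption
"KeySource: $($enc.KeySource)"
$enc.KeyVaultProperties

# Confirm the vault still has a policy for the account's identity. After a subscription move
# between Azure AD directories the identity can be orphaned and this check is what fails.
$policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId }
if (-not $policy) {
    Write-Warning "No Key Vault access policy for identity $principalId; reads and writes will fail."
}

# 7. Revoke. Either removing the policy or disabling the key makes every object in the
#    account unreadable until access is restored; Azure Storage cannot unwrap its data key.
Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId
# Alternative that keeps the policy but blocks the key itself:
# Update-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Enable $false

# To return to Microsoft-managed keys later, restore vault access first, then:
# Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageName -StorageEncryption
```

Revocation is deliberately reversible: re-adding the access policy (or re-enabling the key) restores access without touching the data. Purge protection matters for the same reason; if the key were purged, nothing in the account could ever be decrypted again.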

To learn how to use customer-managed keys with Azure Storage, see one of these articles:

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you transfer a subscription from one Azure AD directory to another, managed identities are not updated and customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories in FAQs and known issues with managed identities for Azure resources.

Note

Customer-managed keys are not supported for Azure managed disks.

Azure Storage encryption versus disk encryption

With Azure Storage encryption, all Azure Storage accounts and the resources they contain are encrypted, including the page blobs that back Azure virtual machine disks. Additionally, Azure virtual machine disks may be encrypted with Azure Disk Encryption. Azure Disk Encryption uses industry-standard BitLocker on Windows and DM-Crypt on Linux to provide operating system-based encryption solutions that are integrated with Azure Key Vault. The two are complementary: Storage encryption is applied by the storage service and is transparent to anyone authorized to read the account, whereas Disk Encryption is applied inside the guest operating system, so the VHD held in the storage account is ciphertext even to a holder of the storage account keys.

Next steps