Server-side encryption of Azure Disk Storage

Server-side encryption (SSE) protects your data and helps you meet your organizational security and compliance commitments. SSE automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud.

Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.

Server-side encryption does not impact the performance of managed disks, and there is no additional cost.

Note

Temporary disks are not managed disks and are not encrypted by SSE unless you enable encryption at host.

About encryption key management

You can rely on platform-managed keys for the encryption of your managed disks, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

The following sections describe each of the options for key management in greater detail.

Platform-managed keys

By default, managed disks use platform-managed encryption keys. All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted at rest with platform-managed keys.

Customer-managed keys

You can choose to manage encryption at the level of each managed disk with your own keys. Server-side encryption for managed disks with customer-managed keys offers an integrated experience with Azure Key Vault. You can either import your RSA keys into your Key Vault or generate new RSA keys in Azure Key Vault.

Azure managed disks handle encryption and decryption in a fully transparent fashion using envelope encryption. Data is encrypted with an AES-256 data encryption key (DEK), which is in turn protected using your keys. The Storage service generates the data encryption keys and encrypts them with your customer-managed keys using RSA encryption. Envelope encryption allows you to rotate (change) your keys periodically, as your compliance policies require, without impacting your VMs. When you rotate your keys, the Storage service re-encrypts only the data encryption keys with the new customer-managed keys.

Full control of your keys

You must grant managed disks access to your Key Vault so that your keys can be used to encrypt and decrypt the DEK. This gives you full control of your data and keys. You can disable your keys or revoke access for managed disks at any time. You can also audit encryption key usage with Azure Key Vault monitoring to ensure that only managed disks or other trusted Azure services are accessing your keys.

When you disable or delete your key, any VMs with disks using that key will automatically shut down. After this, the VMs will not be usable unless the key is enabled again or you assign a new key.

For premium SSDs, standard SSDs, and standard HDDs: when you disable or delete your key, any VMs with disks using that key will automatically shut down. After this, the VMs will not be usable unless the key is enabled again or you assign a new key.

For ultra disks: when you disable or delete a key, any VMs with ultra disks using the key won't automatically shut down. Once you deallocate and restart the VMs, the disks will stop using the key, and the VMs won't come back online. To bring the VMs back online, you must assign a new key or enable the existing key.
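The envelope scheme and the key-disable behaviour described above, as an added example that is not Azure's own code and not part of this page: a random AES-256 DEK protects the data, the DEK is wrapped under an RSA customer-managed key (the KEK), rotation re-wraps only the DEK, and a disabled or deleted KEK makes the DEK, and therefore the data, unrecoverable. AES-GCM, RSA-OAEP with SHA-256, the 2048-bit key size and the NewKEK helper are assumptions of this example, not details stated on the page.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what the Storage service would persist for one disk: the data ciphertext plus the DEK wrapped under the current customer-managed key (KEK).
type Envelope struct{ Nonce, Ciphertext, WrappedDEK []byte }
// must panics on errors that cannot occur with the fixed sizes used here (illustration only).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// NewKEK makes a 2048-bit RSA key standing in for one generated in, or imported into, Key Vault (constructed helper).
func NewKEK() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
// aead builds AES-256-GCM from the DEK; the page says only "AES 256", so GCM is this example's assumption.
func aead(dek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(dek)))) }
// unwrapDEK models the Key Vault unwrap call; a nil key stands for a key that was disabled or deleted, or whose access was revoked.
func unwrapDEK(kek *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	if kek == nil { return nil, errors.New("customer-managed key unavailable") }
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, wrapped, nil)
}

// Encrypt seals data under a fresh random 256-bit DEK and wraps the DEK with RSA-OAEP/SHA-256 (padding scheme assumed).
func Encrypt(kek *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	g := aead(dek)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	if err != nil { return nil, err }
	return &Envelope{nonce, g.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Decrypt unwraps the DEK and opens the data; it fails closed when the KEK is gone.
func Decrypt(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := unwrapDEK(kek, env.WrappedDEK)
	if err != nil { return nil, err }
	return aead(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Rotate re-wraps the same DEK under a new KEK; the disk ciphertext is never touched.
func Rotate(oldKEK *rsa.PrivateKey, newKEK *rsa.PublicKey, env *Envelope) error {
	dek, err := unwrapDEK(oldKEK, env.WrappedDEK)
	if err != nil { return err }
	env.WrappedDEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, newKEK, dek, nil)
	return err
}
```

In the Azure design the wrap and unwrap calls go to Key Vault through the disk encryption set's managed identity; here they are local functions so the flow can be run offline.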

The following diagram shows how managed disks use Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

Diagram: managed disks and customer-managed keys workflow. An administrator creates an Azure Key Vault, then creates and sets up a disk encryption set. The set is associated with a VM, which allows the disk to authenticate with Azure AD.

The following list explains the diagram in more detail:

  1. An Azure Key Vault administrator creates key vault resources.
  2. The key vault admin either imports their RSA keys into Key Vault or generates new RSA keys in Key Vault.
  3. That administrator creates an instance of the Disk Encryption Set resource, specifying an Azure Key Vault ID and a key URL. Disk Encryption Set is a new resource introduced to simplify key management for managed disks.
  4. When a disk encryption set is created, a system-assigned managed identity is created in Azure Active Directory (AD) and associated with the disk encryption set.
  5. The Azure Key Vault administrator then grants the managed identity permission to perform operations in the key vault.
  6. A VM user creates disks by associating them with the disk encryption set. The VM user can also enable server-side encryption with customer-managed keys for existing resources by associating them with the disk encryption set.
  7. Managed disks use the managed identity to send requests to Azure Key Vault.
  8. For reading or writing data, managed disks send requests to Azure Key Vault to encrypt (wrap) and decrypt (unwrap) the data encryption key in order to perform encryption and decryption of the data.

To revoke access to customer-managed keys, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, as the encryption key is inaccessible to Azure Storage.

Restrictions

For now, customer-managed keys have the following restrictions:

  • If this feature is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data, using either the Azure PowerShell module or the Azure CLI, to an entirely different managed disk that isn't using customer-managed keys.
  • Only software and HSM RSA keys of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported; no other keys or sizes.
    • HSM keys require the premium tier of Azure Key Vault.
  • Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.
  • Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
  • Disks, snapshots, and images encrypted with customer-managed keys cannot be moved to another resource group or subscription.
  • Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
  • You can create at most 50 disk encryption sets per region per subscription.
  • For information about using customer-managed keys with shared image galleries, see Preview: Use customer-managed keys for encrypting images.

Supported regions

Customer-managed keys are available in all regions where managed disks are available.

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks isn't transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.

Encryption at host - End-to-end encryption for your VM data

When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches is stored on that VM host. After enabling encryption at host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at host encrypts your data end to end. Encryption at host does not use your VM's CPU and doesn't impact your VM's performance.

Temporary disks and ephemeral OS disks are encrypted at rest with platform-managed keys when you enable end-to-end encryption. The OS and data disk caches are encrypted at rest with either customer-managed or platform-managed keys, depending on the selected disk encryption type. For example, if a disk is encrypted with customer-managed keys, then the cache for the disk is encrypted with customer-managed keys, and if a disk is encrypted with platform-managed keys, then the cache for the disk is encrypted with platform-managed keys.

Restrictions

  • Does not support ultra disks.
  • Cannot be enabled if Azure Disk Encryption (guest-VM encryption using BitLocker/DM-Crypt) is enabled on your VMs/virtual machine scale sets.
  • Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.
  • The encryption can be enabled on an existing virtual machine scale set. However, only new VMs created after enabling the encryption are automatically encrypted.
  • Existing VMs must be deallocated and reallocated in order to be encrypted.

Supported regions

Currently available only in the following regions:

  • West US
  • West US 2
  • East US
  • East US 2
  • South Central US
  • Central Canada
  • East Canada
  • Central France
  • West Europe
  • North Europe
  • East Japan
  • West Japan
  • US Gov Virginia
  • US Gov Arizona

Supported VM sizes

All the latest generation VM sizes support encryption at host:

| Type | Not supported | Supported |
|---|---|---|
| General purpose | Dv3, Dav4, Dv2, Av2 | B, DSv2, Dsv3, DC, DCv2, Dasv4 |
| Compute optimized | | Fsv2 |
| Memory optimized | Ev3, Eav4 | DSv2, Esv3, M, Mv2, Easv4 |
| Storage optimized | | Ls, Lsv2 (NVMe disks not encrypted) |
| GPU | NC, NV | NCv2, NCv3, ND, NVv3, NVv4, NDv2 (preview) |
| High performance compute | H | HB, HC, HBv2 |
| Previous generations | F, A, D, L, G | DS, GS, Fs, NVv2 |

Upgrading the VM size will trigger validation to check whether the new VM size supports the EncryptionAtHost feature.

Double encryption at rest

Customers with high security sensitivity who are concerned about the risk of any particular encryption algorithm, implementation, or key being compromised can now opt for an additional layer of encryption at the infrastructure layer, using a different encryption algorithm/mode with platform-managed encryption keys. This new layer can be applied to persisted OS and data disks, snapshots, and images, all of which will then be encrypted at rest with double encryption.

Supported regions

Double encryption is available in all regions where managed disks are available.

Server-side encryption versus Azure Disk Encryption

Azure Disk Encryption (ADE) leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs, since it encrypts the data in the Storage service.

Next steps