Encryption Hierarchy

APPLIES TO: SQL Server (yes), Azure SQL Database (yes), Azure SQL Data Warehouse (no), Parallel Data Warehouse (no)

SQL Server encrypts data with a hierarchical encryption and key management infrastructure. Each layer encrypts the layer below it by using a combination of certificates, asymmetric keys, and symmetric keys. Asymmetric keys and symmetric keys can be stored outside of SQL Server in an Extensible Key Management (EKM) module.

The following illustration shows that each layer of the encryption hierarchy encrypts the layer beneath it, and displays the most common encryption configurations. Access to the start of the hierarchy is usually protected by a password.

[Illustration: some encryption combinations displayed as a stack]

Keep in mind the following concepts:

  • For best performance, encrypt data using symmetric keys instead of certificates or asymmetric keys.

  • Database master keys are protected by the Service Master Key. The Service Master Key is created by SQL Server setup and is encrypted with the Windows Data Protection API (DPAPI).

  • Other encryption hierarchies stacking additional layers are possible.

  • An Extensible Key Management (EKM) module holds symmetric or asymmetric keys outside of SQL Server.

  • Transparent Data Encryption (TDE) must use a symmetric key called the database encryption key, which is protected either by a certificate protected by the database master key of the master database, or by an asymmetric key stored in an EKM.

  • The Service Master Key and all Database Master Keys are symmetric keys.
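The hierarchy described above, built out in Transact-SQL as an added example (this is not code from the original page): a database master key protected by a password and, by default, by the Service Master Key; a certificate under that master key; an AES symmetric key under the certificate; and table data encrypted with the symmetric key. The database name, object names, passwords and sample card numbers are all constructed for the example.

```sql
-- Added example: one common path through the encryption hierarchy.
-- Names, passwords and sample data are constructed for this example.
CREATE DATABASE EncryptionDemo;
GO
USE EncryptionDemo;
GO

-- 1. Database master key (a symmetric key). It is encrypted by the password given
--    here and, by default, also by the Service Master Key, so the instance can open
--    it automatically. The Service Master Key itself is protected by DPAPI.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Example-DMK-Passw0rd!';
GO

-- 2. Certificate whose private key is protected by the database master key.
CREATE CERTIFICATE ExampleCert WITH SUBJECT = 'Protects the example data key';
GO

-- 3. Symmetric key for the actual data (fast bulk encryption), protected by the certificate.
CREATE SYMMETRIC KEY ExampleDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE ExampleCert;
GO

-- 4. Data encrypted with the symmetric key. The authenticator (here the row's primary key)
--    binds each ciphertext to its row, so a ciphertext copied from another row does not decrypt.
CREATE TABLE dbo.Customer (
    CustomerId    int IDENTITY(1,1) PRIMARY KEY,
    CardNumber    varchar(20)   NULL,   -- plaintext, cleared once encrypted
    CardNumberEnc varbinary(256) NULL   -- output of ENCRYPTBYKEY
);
INSERT dbo.Customer (CardNumber) VALUES ('4111111111111111'), ('5500000000000004');

OPEN SYMMETRIC KEY ExampleDataKey DECRYPTION BY CERTIFICATE ExampleCert;
UPDATE dbo.Customer
   SET CardNumberEnc = ENCRYPTBYKEY(KEY_GUID('ExampleDataKey'), CardNumber,
                                    1, CONVERT(sysname, CustomerId)),
       CardNumber    = NULL;
CLOSE SYMMETRIC KEY ExampleDataKey;

-- Decrypt without an explicit OPEN: DECRYPTBYKEYAUTOCERT opens the symmetric key through
-- the certificate for the duration of the statement. The NULL means the certificate's
-- private key is protected by the database master key rather than by a password.
SELECT CustomerId,
       CONVERT(varchar(20),
               DECRYPTBYKEYAUTOCERT(CERT_ID('ExampleCert'), NULL, CardNumberEnc,
                                    1, CONVERT(sysname, CustomerId))) AS CardNumber
FROM dbo.Customer;

-- 5. Inspect the chain from the catalog views.
SELECT name, algorithm_desc, key_length
FROM sys.symmetric_keys;                     -- lists ##MS_DatabaseMasterKey## and ExampleDataKey

SELECT name, subject, pvt_key_encryption_type_desc, start_date, expiry_date
FROM sys.certificates;                       -- ExampleCert, private key ENCRYPTED_BY_MASTER_KEY

SELECT sk.name AS symmetric_key, c.name AS protecting_certificate
FROM sys.key_encryptions AS ke
JOIN sys.symmetric_keys  AS sk ON sk.symmetric_key_id = ke.key_id
JOIN sys.certificates    AS c  ON c.thumbprint = ke.thumbprint;   -- ExampleDataKey <- ExampleCert
```

Run the batches in order; each CREATE depends on the layer above it. The catalog queries at the end show the same chain the illustration draws: sys.symmetric_keys lists the database master key itself as ##MS_DatabaseMasterKey##, and sys.key_encryptions records which certificate protects the data key.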

The following illustration shows the same information in an alternative manner.

[Illustration: some encryption combinations displayed as a wheel]

This diagram illustrates the following additional concepts:

  • In this illustration, arrows indicate common encryption hierarchies.

  • Symmetric and asymmetric keys in the EKM can protect access to the symmetric and asymmetric keys stored in SQL Server. The dotted line associated with EKM indicates that keys in the EKM could replace the symmetric and asymmetric keys stored in SQL Server.

Encryption Mechanisms

SQL Server provides the following mechanisms for encryption:

  • Transact-SQL functions

  • Asymmetric keys

  • Symmetric keys

  • Certificates

  • Transparent Data Encryption

Transact-SQL Functions

Individual items can be encrypted as they are inserted or updated using Transact-SQL functions. For more information, see ENCRYPTBYPASSPHRASE (Transact-SQL) and DECRYPTBYPASSPHRASE (Transact-SQL).
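Item-level encryption with the passphrase functions named above, as an added example that is not part of the original page. It shows the authenticator argument, which binds a ciphertext to its row, and the failure mode a caller has to handle: a wrong passphrase or a mismatched authenticator returns NULL rather than raising an error. The passphrase, plaintext, row ids and temporary table are constructed for the example.

```sql
-- Added example: column-level encryption with a caller-supplied passphrase.
-- Passphrase, plaintext and row ids are constructed for this example.
DECLARE @Passphrase nvarchar(128) = N'Example passphrase - supplied by the application, not stored in scripts';
DECLARE @Plain      nvarchar(50)  = N'4111111111111111';
DECLARE @RowId      int           = 42;
DECLARE @Cipher     varbinary(256);

-- Encrypt. The last two arguments add an authenticator derived from the row id, so the
-- ciphertext is tied to row 42 and cannot be moved into another row unnoticed.
SET @Cipher = ENCRYPTBYPASSPHRASE(@Passphrase, @Plain, 1, CONVERT(sysname, @RowId));

-- Correct passphrase and authenticator: the plaintext comes back.
SELECT CONVERT(nvarchar(50),
               DECRYPTBYPASSPHRASE(@Passphrase, @Cipher, 1, CONVERT(sysname, @RowId))) AS decrypted;

-- Same ciphertext presented with another row's authenticator: NULL, not an error.
SELECT DECRYPTBYPASSPHRASE(@Passphrase, @Cipher, 1, CONVERT(sysname, 43)) AS swapped_row;

-- Wrong passphrase: also NULL, so callers must treat NULL as a failure, not as "no data".
SELECT DECRYPTBYPASSPHRASE(N'wrong passphrase', @Cipher, 1, CONVERT(sysname, @RowId)) AS wrong_passphrase;

-- Typical column usage: encrypt on INSERT, decrypt on read, authenticator taken from the row key.
CREATE TABLE #Secret (RowId int PRIMARY KEY, Enc varbinary(256) NOT NULL);
INSERT #Secret (RowId, Enc)
VALUES (@RowId, ENCRYPTBYPASSPHRASE(@Passphrase, @Plain, 1, CONVERT(sysname, @RowId)));

SELECT RowId,
       CONVERT(nvarchar(50), DECRYPTBYPASSPHRASE(@Passphrase, Enc, 1, CONVERT(sysname, RowId))) AS plain
FROM #Secret;
DROP TABLE #Secret;
```

The passphrase does not participate in the key hierarchy: SQL Server stores nothing that can recover the data, so the passphrase must be supplied by the caller on every use and kept out of stored scripts and jobs. The algorithm used by these functions is chosen by the server, not by the caller.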

Certificates

A public key certificate, usually just called a certificate, is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. Certificates are issued and signed by a certification authority (CA). The entity that receives a certificate from a CA is the subject of that certificate. Typically, certificates contain the following information.

  • The public key of the subject.

  • The identifier information of the subject, such as the name and e-mail address.

  • The validity period. This is the length of time that the certificate is considered valid.

    A certificate is valid only for the period of time specified within it; every certificate contains Valid From and Valid To dates. These dates set the boundaries of the validity period. When the validity period for a certificate has passed, a new certificate must be requested by the subject of the now-expired certificate.

  • Issuer identifier information.

  • The digital signature of the issuer.

    This signature attests to the validity of the binding between the public key and the identifier information of the subject. (The process of digitally signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature.)

A primary benefit of certificates is that they relieve hosts of the need to maintain a set of passwords for individual subjects. Instead, the host merely establishes trust in a certificate issuer, which may then sign an unlimited number of certificates.

When a host, such as a secure Web server, designates an issuer as a trusted root authority, the host implicitly trusts the policies that the issuer has used to establish the bindings of certificates it issues. In effect, the host trusts that the issuer has verified the identity of the certificate subject. A host designates an issuer as a trusted root authority by putting the self-signed certificate of the issuer, which contains the public key of the issuer, into the trusted root certification authority certificate store of the host computer. Intermediate or subordinate certification authorities are trusted only if they have a valid certification path from a trusted root certification authority.

The issuer can revoke a certificate before it expires. Revocation cancels the binding of a public key to an identity that is asserted in the certificate. Each issuer maintains a certificate revocation list that can be used by programs when they are checking the validity of any given certificate.

The self-signed certificates created by SQL Server follow the X.509 standard and support the X.509 v1 fields.
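The validity-period and renewal points above, applied to SQL Server's own self-signed certificates, as an added example that is not part of the original page. It creates a certificate with explicit Valid From and Valid To dates, reports validity and private-key backup state from sys.certificates, and then renews the protector of a symmetric key by adding the new certificate before dropping the old one, so the key stays openable throughout. The database, object names, dates and password are constructed for the example.

```sql
-- Added example: certificate validity period, reporting, and renewal of a key protector.
-- Names, dates and the password are constructed for this example.
CREATE DATABASE CertDemo;
GO
USE CertDemo;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Example-DMK-Passw0rd!';
GO

-- A certificate with an explicit one-year validity window.
CREATE CERTIFICATE ExampleCert2024
    WITH SUBJECT     = 'Example protector with a one-year validity period',
         START_DATE  = '20240101',
         EXPIRY_DATE = '20250101';
GO
-- A symmetric key that this certificate protects.
CREATE SYMMETRIC KEY ExampleDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE ExampleCert2024;
GO

-- Validity and private-key report for every user certificate in the database.
SELECT c.name,
       c.start_date,
       c.expiry_date,
       CASE WHEN SYSUTCDATETIME() < c.start_date  THEN 'not yet valid'
            WHEN SYSUTCDATETIME() > c.expiry_date THEN 'expired'
            WHEN DATEDIFF(day, SYSUTCDATETIME(), c.expiry_date) <= 90 THEN 'expires within 90 days'
            ELSE 'valid' END                AS validity,
       c.pvt_key_encryption_type_desc,      -- ENCRYPTED_BY_MASTER_KEY for the certificates above
       c.pvt_key_last_backup_date,          -- NULL: the private key has never been backed up
       c.thumbprint
FROM sys.certificates AS c
WHERE c.name NOT LIKE '##%'                 -- skip system certificates
ORDER BY c.expiry_date;
GO

-- Renewal: once the old certificate's window has passed, a new one replaces it. For a
-- certificate that protects a symmetric key, add the new protector first and drop the
-- old one second; the key must be open for either change.
CREATE CERTIFICATE ExampleCert2025
    WITH SUBJECT     = 'Renewed protector',
         START_DATE  = '20250101',
         EXPIRY_DATE = '20260101';
GO
OPEN SYMMETRIC KEY ExampleDataKey DECRYPTION BY CERTIFICATE ExampleCert2024;
ALTER SYMMETRIC KEY ExampleDataKey ADD  ENCRYPTION BY CERTIFICATE ExampleCert2025;
ALTER SYMMETRIC KEY ExampleDataKey DROP ENCRYPTION BY CERTIFICATE ExampleCert2024;
CLOSE SYMMETRIC KEY ExampleDataKey;
GO
-- The key is now openable only through the renewed certificate.
SELECT sk.name AS symmetric_key, c.name AS protecting_certificate
FROM sys.key_encryptions AS ke
JOIN sys.symmetric_keys  AS sk ON sk.symmetric_key_id = ke.key_id
JOIN sys.certificates    AS c  ON c.thumbprint = ke.thumbprint;   -- ExampleDataKey <- ExampleCert2025
```

The report is the piece to schedule: the validity dates live only in sys.certificates, so checking them explicitly is how an operator learns that a protector is approaching its Valid To date and that renewal and re-protection need to be planned.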

Asymmetric Keys

An asymmetric key is made up of a private key and the corresponding public key. Each key can decrypt data encrypted by the other. Asymmetric encryption and decryption are relatively resource-intensive, but they provide a higher level of security than symmetric encryption. An asymmetric key can be used to encrypt a symmetric key for storage in a database.

Symmetric Keys

A symmetric key is one key that is used for both encryption and decryption. Encryption and decryption by using a symmetric key is fast, and suitable for routine use with sensitive data in the database.
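The trade-off drawn in the two sections above, as one added example that is not part of the original page: an RSA key used directly on a short secret, then the same RSA key used the way the page recommends, protecting an AES symmetric key that does the bulk encryption. The database, object names, password and payload are constructed for the example.

```sql
-- Added example: direct asymmetric encryption versus an asymmetric key that protects
-- a symmetric key. Names, the password and the payload are constructed for this example.
CREATE DATABASE AsymDemo;
GO
USE AsymDemo;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Example-DMK-Passw0rd!';
GO
-- The private half of the pair is protected by the database master key.
CREATE ASYMMETRIC KEY ExampleAsymKey WITH ALGORITHM = RSA_2048;
GO

-- (a) Direct asymmetric use: acceptable for a short secret; slow, and the input is
--     limited to well under one key length, so it does not scale to column data.
DECLARE @SmallCipher varbinary(512) =
    ENCRYPTBYASYMKEY(ASYMKEY_ID('ExampleAsymKey'), N'short secret');
SELECT DATALENGTH(@SmallCipher) AS ciphertext_bytes,   -- 256 bytes for RSA_2048, whatever the input
       CONVERT(nvarchar(50),
               DECRYPTBYASYMKEY(ASYMKEY_ID('ExampleAsymKey'), @SmallCipher)) AS decrypted;
GO

-- (b) Recommended: the asymmetric key protects a symmetric key that does the bulk work.
CREATE SYMMETRIC KEY ExampleBulkKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY ExampleAsymKey;
GO
CREATE TABLE dbo.Note (
    NoteId  int IDENTITY(1,1) PRIMARY KEY,
    BodyEnc varbinary(MAX) NOT NULL
);
GO
OPEN SYMMETRIC KEY ExampleBulkKey DECRYPTION BY ASYMMETRIC KEY ExampleAsymKey;
-- A 2000-character payload (4000 bytes): far more than one RSA block carries, routine for AES.
INSERT dbo.Note (BodyEnc)
VALUES (ENCRYPTBYKEY(KEY_GUID('ExampleBulkKey'), REPLICATE(N'x', 2000)));
CLOSE SYMMETRIC KEY ExampleBulkKey;
GO

-- Decrypt in one statement: DECRYPTBYKEYAUTOASYMKEY opens the symmetric key through the
-- asymmetric key for the duration of the statement (NULL = private key protected by the DMK).
SELECT NoteId,
       LEN(CONVERT(nvarchar(MAX),
                   DECRYPTBYKEYAUTOASYMKEY(ASYMKEY_ID('ExampleAsymKey'), NULL, BodyEnc))) AS body_chars  -- 2000
FROM dbo.Note;
GO

-- Catalog view of the arrangement: one symmetric key, protected by one asymmetric key.
SELECT sk.name AS symmetric_key, ak.name AS protecting_asymmetric_key
FROM sys.key_encryptions AS ke
JOIN sys.symmetric_keys  AS sk ON sk.symmetric_key_id = ke.key_id
JOIN sys.asymmetric_keys AS ak ON ak.thumbprint = ke.thumbprint;
```

Part (a) is the expensive operation the page warns about and is only ever applied to a few bytes; part (b) pays that cost once, to unwrap the AES key, and then encrypts and decrypts the data itself at symmetric speed.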

Transparent Data Encryption

Transparent Data Encryption (TDE) is a special case of encryption using a symmetric key. TDE encrypts an entire database using a symmetric key called the database encryption key. The database encryption key is protected by other keys or certificates, which are in turn protected either by the database master key or by an asymmetric key stored in an EKM module. For more information, see Transparent Data Encryption (TDE).
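The certificate-protected TDE path described above, as an added example that is not part of the original page: the database master key and certificate live in master, the certificate and its private key are backed up before anything depends on them, the database encryption key is created under that certificate, encryption is switched on, and the result is verified from the DMV. The database name, certificate name, passwords and backup file paths are constructed for the example.

```sql
-- Added example: enable TDE with a certificate in master and verify the result.
-- Database name, certificate name, passwords and file paths are constructed for this example.
CREATE DATABASE TdeDemo;
GO
USE master;
GO
-- The database master key of master protects the TDE certificate's private key
-- (and is itself protected by the Service Master Key).
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Example-master-DMK-Passw0rd!';
GO
CREATE CERTIFICATE ExampleTdeCert WITH SUBJECT = 'TDE protector for TdeDemo';
GO
-- Back up the certificate with its private key before any database depends on it:
-- an encrypted database, and every backup taken of it, is unusable anywhere this
-- certificate cannot be restored.
BACKUP CERTIFICATE ExampleTdeCert
    TO FILE = 'C:\keys\ExampleTdeCert.cer'                 -- constructed path
    WITH PRIVATE KEY (FILE = 'C:\keys\ExampleTdeCert.pvk',  -- constructed path
                      ENCRYPTION BY PASSWORD = 'Example-backup-Passw0rd!');
GO

-- The database encryption key is a symmetric key inside the user database,
-- protected by the server certificate in master.
USE TdeDemo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE ExampleTdeCert;
GO
ALTER DATABASE TdeDemo SET ENCRYPTION ON;
GO

-- Verify. encryption_state: 2 = encryption in progress, 3 = encrypted.
-- tempdb appears here too: it is encrypted as soon as any database on the instance is.
SELECT DB_NAME(dek.database_id)  AS database_name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       c.name                     AS protecting_certificate,
       c.pvt_key_last_backup_date AS certificate_backed_up_on   -- NULL would mean never backed up
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint;
```

The DMV query is the check worth keeping as a monitoring query: it shows which databases are encrypted, whether a scan is still running, and which certificate in master each database encryption key depends on, with the backup date beside it.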

See Also

  • Securing SQL Server

  • Security Functions (Transact-SQL)

  • Permissions Hierarchy (Database Engine)

  • Securables