Extensible Key Management Using Azure Key Vault (SQL Server)

APPLIES TO: SQL Server (yes); Azure SQL Database (no); Azure Synapse Analytics (SQL DW) (no); Parallel Data Warehouse (no)

The SQL Server Connector for Microsoft Azure Key Vault enables SQL Server encryption to use the Azure Key Vault service as an Extensible Key Management (EKM) provider to protect SQL Server encryption keys.

This topic describes the SQL Server Connector. Additional information is available in Setup Steps for Extensible Key Management Using the Azure Key Vault, Use SQL Server Connector with SQL Encryption Features, and SQL Server Connector Maintenance & Troubleshooting.

What is Extensible Key Management (EKM) and Why Use It?

SQL Server provides several types of encryption that help protect sensitive data, including Transparent Data Encryption (TDE), Column Level Encryption (CLE), and Backup Encryption. In all of these cases, in the traditional key hierarchy, the data is encrypted using a symmetric data encryption key (DEK). The DEK is in turn protected by encrypting it with a hierarchy of keys stored in SQL Server itself. The alternative to this model is the EKM Provider Model. The EKM provider architecture lets SQL Server protect the data encryption keys with an asymmetric key stored outside of SQL Server in an external cryptographic provider. This model adds an additional layer of security and separates the management of keys from the management of data.

The following image compares the traditional service-managed key hierarchy with the Azure Key Vault system.

[Image: ekm-key-hierarchy-traditional]

The SQL Server Connector serves as a bridge between SQL Server and Azure Key Vault, so SQL Server can take advantage of the scalability, high performance, and high availability of the Azure Key Vault service. The following image shows how the key hierarchy works in the EKM provider architecture with Azure Key Vault and the SQL Server Connector.
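The key hierarchy described above can be built with plain T-SQL once the connector is installed. The script below is an added example and is not code from the original page or from the connector's own documentation; the DLL path, vault name `ContosoKeyVault`, key name `ContosoRSAKey0`, login and database names, and the client ID/secret are placeholder values you must replace with your own. What it shows is the division of trust the text describes: the DEK stays in the database, but the RSA key that wraps it never leaves Key Vault (or its HSM), and SQL Server reaches it only through a credential bound to the cryptographic provider.

```sql
-- Added example (not from the original page): build the EKM key hierarchy
-- on a SQL Server instance using the SQL Server Connector for Azure Key Vault.
-- Placeholders: DLL path, vault name, client ID/secret, key, login and
-- database names are hypothetical values; substitute your own.

-- 1. Allow EKM providers to be registered on this instance (off by default).
sp_configure 'show advanced options', 1;
RECONFIGURE;
GO
sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the connector DLL as a cryptographic provider.
--    The path is the connector's default install location (assumption).
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
GO

-- 3. Credential the connector uses to authenticate to the vault.
--    IDENTITY = the Key Vault name; SECRET = the Azure AD application's
--    client ID with hyphens removed, immediately followed by its client
--    secret (placeholders below). Never commit the real secret to source.
CREATE CREDENTIAL sysadmin_ekm_cred
    WITH IDENTITY = 'ContosoKeyVault',
         SECRET   = '<client-id-without-hyphens><client-secret>'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO

-- Map the credential to the login that will create the server-level key.
ALTER LOGIN [DOMAIN\dbadmin] ADD CREDENTIAL sysadmin_ekm_cred;
GO

-- 4. Expose an RSA key that already exists in the vault as a server
--    asymmetric key. Only the public half is visible to SQL Server; the
--    private key stays in Key Vault and is used there to wrap/unwrap the DEK.
CREATE ASYMMETRIC KEY ContosoRSAKey_EKM
FROM PROVIDER AzureKeyVault_EKM_Prov
WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0',
     CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. A login backed by that key, with its own credential, so the Database
--    Engine can reach the vault unattended when it opens the DEK at startup.
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY ContosoRSAKey_EKM;
GO
CREATE CREDENTIAL Azure_EKM_TDE_cred
    WITH IDENTITY = 'ContosoKeyVault',
         SECRET   = '<client-id-without-hyphens><client-secret>'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO
ALTER LOGIN TDE_Login ADD CREDENTIAL Azure_EKM_TDE_cred;
GO

-- 6. The DEK itself lives in the database, protected by the vault key
--    instead of by a certificate in master (the traditional hierarchy).
USE ContosoDB;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY ContosoRSAKey_EKM;
GO
ALTER DATABASE ContosoDB SET ENCRYPTION ON;
GO

-- 7. Verify: encryption_state 3 means encrypted, and encryptor_type should
--    report the asymmetric (EKM) key rather than a certificate.
SELECT DB_NAME(database_id) AS db,
       encryption_state,
       encryptor_type,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

Two points worth checking after running this: the DEK opens only while the vault is reachable with that credential, so losing or rotating the Azure AD client secret without updating the credentials is an availability incident for every TDE database on the instance; and because the wrapping key never leaves Key Vault, access to it is logged and revocable in Azure independently of anyone holding sysadmin on the SQL Server.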

Azure Key Vault can be used with SQL Server installations on Microsoft Azure Virtual Machines and with on-premises servers. The Key Vault service also offers the option of using tightly controlled and monitored Hardware Security Modules (HSMs) for a higher level of protection of the asymmetric encryption keys. For more information about the key vault, see Azure Key Vault.

The following image summarizes the process flow of EKM using the key vault. (The process step numbers in the image are not meant to match the setup step numbers that follow the image.)

[Image: SQL Server EKM using the Azure Key Vault]

Note

Versions 1.0.0.440 and older have been replaced and are no longer supported in production environments. Upgrade to version 1.0.1.0 or later by visiting the Microsoft Download Center and following the instructions on the SQL Server Connector Maintenance & Troubleshooting page under "Upgrade of SQL Server Connector."

For the next step, see Setup Steps for Extensible Key Management Using the Azure Key Vault.

For usage scenarios, see Use SQL Server Connector with SQL Encryption Features.

See Also

SQL Server Connector Maintenance & Troubleshooting