Data at rest encryption in Azure Stack Hub

Azure Stack Hub protects user and infrastructure data at the storage subsystem level using encryption at rest. By default, Azure Stack Hub's storage subsystem is encrypted using BitLocker with 128-bit AES encryption. BitLocker keys are persisted in an internal secret store. At deployment time, it is also possible to configure BitLocker to use 256-bit AES encryption.

Data at rest encryption is a common requirement for many of the major compliance standards (for example, PCI-DSS, FedRAMP, HIPAA). Azure Stack Hub enables you to meet those requirements with no extra work or configuration required. For more information on how Azure Stack Hub helps you meet compliance standards, see the Microsoft Service Trust Portal.

Note

Data at rest encryption protects your data against being accessed by someone who physically stole one or more hard drives. Data at rest encryption doesn't protect against data being intercepted over the network (data in transit), data currently being used (data in memory), or, more generally, data being exfiltrated while the system is up and running.

Retrieving BitLocker recovery keys

Azure Stack Hub BitLocker keys for data at rest are internally managed. You aren't required to provide them for regular operations or during system startup. However, support scenarios may require BitLocker recovery keys to bring the system online.

Warning

Retrieve your BitLocker recovery keys and store them in a secure location outside of Azure Stack Hub. Not having the recovery keys during certain support scenarios may result in data loss and require a system restore from a backup image.

Retrieving the BitLocker recovery keys requires access to the privileged endpoint (PEP). From a PEP session, run the Get-AzsRecoveryKeys cmdlet.

# This cmdlet retrieves the recovery keys for all the volumes that are encrypted with BitLocker.
Get-AzsRecoveryKeys -raw

Parameters for the Get-AzsRecoveryKeys cmdlet:

| Parameter | Description | Type | Required |
|-----------|-------------|------|----------|
| raw | Returns the data mapping between recovery key, computer name, and password ID(s) of each encrypted volume. | Switch | No, but recommended |
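The following PowerShell sequence is an added example, not part of the original page or of the Azure Stack Hub product code: it opens a PEP session, runs Get-AzsRecoveryKeys -raw, and writes the result to storage outside Azure Stack Hub, as the warning above recommends. The PEP address, the CloudAdmin account name and the output path are placeholders that depend on your deployment.

```powershell
# Added example (not from the original page). Placeholders below must be
# replaced with values from your own deployment.
$pepAddress = "<PEP-IP-or-FQDN>"                     # address of one privileged endpoint VM
$cloudAdmin = Get-Credential -UserName "<AzureStackDomain>\CloudAdmin" -Message "CloudAdmin credential"
$outFile    = "\\<backup-host>\<secure-share>\AzsRecoveryKeys-$(Get-Date -Format yyyyMMdd-HHmm).xml"

# The PEP exposes a constrained PowerShell configuration named PrivilegedEndpoint.
$pep = New-PSSession -ComputerName $pepAddress `
                     -ConfigurationName PrivilegedEndpoint `
                     -Credential $cloudAdmin

try {
    # -raw returns the mapping between recovery key, computer name and
    # password ID for every BitLocker-encrypted volume.
    $keys = Invoke-Command -Session $pep -ScriptBlock { Get-AzsRecoveryKeys -raw }

    if (-not $keys) {
        throw "Get-AzsRecoveryKeys returned no data; do not treat this run as a key backup."
    }

    # Persist the returned objects unchanged (no reshaping, so no field is dropped)
    # on storage that does not live inside Azure Stack Hub.
    $keys | Export-Clixml -Path $outFile
    Write-Host "Recovery keys written to $outFile. Restrict access to this file exactly as you would to the keys themselves."
}
finally {
    # Close the PEP session cleanly; PEP sessions are a limited resource.
    Invoke-Command -Session $pep -ScriptBlock { Close-PrivilegedEndpoint }
    Remove-PSSession -Session $pep
}
```

Verify afterwards that the file can be read back with Import-Clixml from a host other than the one that wrote it, since a backup that only exists on the stamp being recovered is of no use in the support scenarios described on this page.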

Troubleshoot issues

In extreme circumstances, a BitLocker unlock request could fail, leaving a specific volume unable to come online. Depending on the availability of some of the components of the architecture, this failure could result in downtime and potential data loss if you don't have your BitLocker recovery keys.

Warning

Retrieve your BitLocker recovery keys and store them in a secure location outside of Azure Stack Hub. Not having the recovery keys during certain support scenarios may result in data loss and require a system restore from a backup image.

If you suspect your system is experiencing issues with BitLocker, such as Azure Stack Hub failing to start, contact support. Support requires your BitLocker recovery keys. The majority of BitLocker-related issues can be resolved with a FRU operation for that specific VM, host, or volume. For the other cases, a manual unlocking procedure using the BitLocker recovery keys can be performed. If the BitLocker recovery keys aren't available, the only option is to restore from a backup image. Depending on when the last backup was taken, you may experience data loss.

Next steps