Bring your own key (BYOK) details for Azure Information Protection

*Applies to: Azure Information Protection, Office 365*

*Relevant for: AIP unified labeling client and classic client*

Organizations with an Azure Information Protection subscription can choose to configure their tenant with their own key, instead of the default key generated by Microsoft. This configuration is often referred to as Bring Your Own Key (BYOK).

BYOK and usage logging work seamlessly with applications that integrate with the Azure Rights Management service used by Azure Information Protection.

Supported applications include:

  • Cloud services, such as Microsoft SharePoint or Microsoft 365

  • On-premises services running Exchange and SharePoint applications that use the Azure Rights Management service via the RMS connector

  • Client applications, such as Office 2019, Office 2016, and Office 2013

Tip

If needed, apply additional security to specific documents using an additional on-premises key. For more information, see Double Key Encryption (DKE) protection (unified labeling client only).

If you have the classic client and need additional, on-premises protection, implement Hold Your Own Key (HYOK) protection instead.

Azure Key Vault key storage

Customer-generated keys must be stored in Azure Key Vault for BYOK protection.

Note

Using HSM-protected keys in Azure Key Vault requires the Azure Key Vault Premium service tier, which incurs an additional monthly subscription fee.

Sharing key vaults and subscriptions

We recommend using a dedicated key vault for your tenant key. A dedicated key vault helps ensure that calls by other services do not cause service limits to be exceeded. Exceeding service limits on the key vault where your tenant key is stored may cause response-time throttling for the Azure Rights Management service.

As different services have varying key management requirements, Microsoft also recommends using a dedicated Azure subscription for your key vault. Dedicated Azure subscriptions:

  • Help safeguard against misconfigurations

  • Are more secure when different services have different administrators

If you do share an Azure subscription with other services that use Azure Key Vault, make sure that the subscription shares a common set of administrators. When every administrator who uses the subscription has a solid understanding of each key they can access, they are less likely to misconfigure your keys.

Example: use a shared Azure subscription when the administrators for your Azure Information Protection tenant key are the same individuals who administer your keys for Office 365 Customer Key and CRM Online. If the key administrators for these services are different, we recommend using dedicated subscriptions.

Benefits of using Azure Key Vault

Azure Key Vault provides a centralized and consistent key management solution for many cloud-based and on-premises services that use encryption.

In addition to managing keys, Azure Key Vault gives your security administrators the same management experience to store, access, and manage certificates and secrets (such as passwords) for other services and applications that use encryption.

Storing your tenant key in Azure Key Vault provides the following advantages:

Built-in interfaces. Azure Key Vault supports a number of built-in interfaces for key management, including PowerShell, CLI, REST APIs, and the Azure portal. Other services and tools have integrated with Key Vault to provide optimized capabilities for specific tasks, such as monitoring. For example, you can analyze your key usage logs with Operations Management Suite Log Analytics, set alerts when specified criteria are met, and so on.

Role separation. Azure Key Vault provides role separation, a recognized security best practice. Role separation ensures that Azure Information Protection administrators can focus on their highest priorities, including managing data classification and protection, as well as encryption keys and policies for specific security or compliance requirements.

Master key location. Azure Key Vault is available in a variety of locations, and supports organizations with restrictions on where master keys can live. For more information, see the Products available by region page on the Azure site.

Separated security domains. Azure Key Vault uses separate security domains for its data centers in regions such as North America, EMEA (Europe, Middle East and Africa), and Asia. Azure Key Vault also uses different instances of Azure, such as Microsoft Azure Germany and Azure Government.

Unified experience. Azure Key Vault also enables security administrators to store, access, and manage certificates and secrets, such as passwords, for other services that use encryption. Using Azure Key Vault for your tenant keys provides a seamless experience for administrators who manage all of these elements.

For the latest updates, and to learn how other services use Azure Key Vault, visit the Azure Key Vault team blog.

Usage logging for BYOK

Usage logs are generated by every application that makes requests to the Azure Rights Management service.

Although usage logging is optional, we recommend using the near real-time usage logs from Azure Information Protection to see exactly how and when your tenant key is being used.

For more information about key usage logging for BYOK, see Logging and analyzing the protection usage from Azure Information Protection.

Tip

For additional assurance, Azure Information Protection usage logging can be cross-referenced with Azure Key Vault logging. Key Vault logs provide a reliable way to independently monitor that your key is used only by the Azure Rights Management service.

If necessary, immediately revoke access to your key by removing permissions on the key vault.

Options for creating and storing your key

Note

Azure Information Protection support for Azure Key Vault Managed HSM, for use with non-production tenants only, is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

For more information about the Managed HSM offering, and how to set up a vault and a key, see the Azure Key Vault documentation.

Additional instructions on granting key authorization are described below.

BYOK supports keys that are created either in Azure Key Vault or on-premises.

If you create your key on-premises, you must then transfer or import it into your key vault and configure Azure Information Protection to use the key. Perform any additional key management from within Azure Key Vault.

Options to create and store your own key:

  • Created in Azure Key Vault. Create and store your key in Azure Key Vault as an HSM-protected key or a software-protected key.

  • Created on-premises. Create your key on-premises and transfer it to Azure Key Vault using one of the following options:

    • HSM-protected key, transferred as an HSM-protected key. The most typical method chosen.

      While this method has the most administrative overhead, it may be required for your organization to follow specific regulations. The HSMs used by Azure Key Vault are FIPS 140-2 Level 2 validated.

    • Software-protected key that is converted and transferred to Azure Key Vault as an HSM-protected key. This method is supported only when migrating from Active Directory Rights Management Services (AD RMS).

    • Created on-premises as a software-protected key and transferred to Azure Key Vault as a software-protected key. This method requires a .PFX certificate file.

For example, do the following to use a key created on-premises:

  1. Generate your tenant key on-premises, in line with your organization's IT and security policies. This key is the master copy. It remains on-premises, and you are responsible for backing it up.

  2. Create a copy of the master key, and securely transfer it from your HSM to Azure Key Vault. Throughout this process, the master copy of the key never leaves the hardware protection boundary.

Once transferred, the copy of the key is protected by Azure Key Vault.

Exporting your trusted publishing domain

If you ever decide to stop using Azure Information Protection, you'll need a trusted publishing domain (TPD) to decrypt content that was protected by Azure Information Protection.

However, exporting your TPD isn't supported if you're using BYOK for your Azure Information Protection key.

To prepare for this scenario, make sure to create a suitable TPD ahead of time. For more information, see How to prepare an Azure Information Protection "Cloud Exit" plan.

Implementing BYOK for your Azure Information Protection tenant key

Use the following steps to implement BYOK:

  1. Review BYOK prerequisites
  2. Choose a Key Vault location
  3. Create and configure your key

Prerequisites for BYOK

BYOK prerequisites vary, depending on your system configuration. Verify that your system complies with the following prerequisites as needed:

Azure subscription. Required for all configurations. For more information, see Verifying that you have a BYOK-compatible Azure subscription.

AIPService PowerShell module for Azure Information Protection. Required for all configurations. For more information, see Installing the AIPService PowerShell module.

Azure Key Vault prerequisites for BYOK. If you are using an HSM-protected key that was created on-premises, ensure that you also comply with the prerequisites for BYOK listed in the Azure Key Vault documentation.

Thales firmware version 11.62. You must have Thales firmware version 11.62 if you are migrating from AD RMS to Azure Information Protection by converting a software key to a hardware key and are using a Thales HSM.

Firewall bypass for trusted Microsoft services. If the key vault that contains your tenant key uses Virtual Network Service Endpoints for Azure Key Vault, you must allow trusted Microsoft services to bypass this firewall. For more information, see Virtual Network Service Endpoints for Azure Key Vault.

Verifying that you have a BYOK-compatible Azure subscription

Your Azure Information Protection tenant must have an Azure subscription. If you don't have one yet, you can sign up for a free account. However, to use an HSM-protected key, you must have the Azure Key Vault Premium service tier.

The free Azure subscription that provides access to Azure Active Directory configuration and Azure Rights Management custom template configuration is not sufficient for using Azure Key Vault.

To confirm whether you have an Azure subscription that is compatible with BYOK, verify it using Azure PowerShell cmdlets as follows:

  1. Start an Azure PowerShell session as an administrator.

  2. Sign in as a global admin for your Azure Information Protection tenant using Connect-AzAccount.

  3. Copy the token displayed to your clipboard. Then, in a browser, go to https://microsoft.com/devicelogin and enter the copied token.

    For more information, see Sign in with Azure PowerShell.

  4. In your PowerShell session, enter Get-AzSubscription, and confirm that the following values are displayed:

    • Your subscription name and ID
    • Your Azure Information Protection tenant ID
    • Confirmation that the state is Enabled

    If no values are displayed and you are returned to the prompt, you do not have an Azure subscription that can be used for BYOK.

Choosing your key vault location

When you create a key vault to contain the key to be used as your tenant key for Azure Information Protection, you must specify a location. This location is an Azure region or Azure instance.

Make your choice first for compliance, and then to minimize network latency:

  • If you have chosen the BYOK key method for compliance reasons, those compliance requirements might also mandate which Azure region or instance can be used to store your Azure Information Protection tenant key.

  • All cryptographic calls in the protection chain go to your Azure Information Protection key. Therefore, you may want to minimize the network latency these calls require by creating your key vault in the same Azure region or instance as your Azure Information Protection tenant.

To identify the location of your Azure Information Protection tenant, use the Get-AipServiceConfiguration PowerShell cmdlet and identify the region from the URLs. For example:

LicensingIntranetDistributionPointUrl : https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com/_wmcs/licensing

The region is identifiable from rms.na.aadrm.com, which for this example is North America.

The following table lists recommended Azure regions and instances for minimizing network latency:

Azure region or instance: recommended location for your key vault
rms.na.aadrm.com: North Central US or East US
rms.eu.aadrm.com: North Europe or West Europe
rms.ap.aadrm.com: East Asia or Southeast Asia
rms.sa.aadrm.com: West US or East US
rms.govus.aadrm.com: Central US or East US 2
rms.aadrm.us: US Gov Virginia or US Gov Arizona
rms.aadrm.cn: China East 2 or China North 2
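The following PowerShell script is an added example and is not part of the original page. It reads the tenant's licensing URL with Get-AipServiceConfiguration, strips the tenant ID label from the host to get the RMS endpoint (for example rms.na.aadrm.com), and checks whether an existing key vault sits in one of the locations the table above recommends for that endpoint. It assumes the AIPService and Az.KeyVault modules are installed, that Connect-AipService and Connect-AzAccount have already been run, and that 'contosorms-kv' (the page's sample vault name) exists in the current subscription.

```powershell
# Added example (not the page's own code): check that a key vault is in a recommended
# location for the tenant's Azure Rights Management region.
# Assumes Connect-AipService and Connect-AzAccount have already been run.

# Recommended vault locations per RMS endpoint host, taken from the table above and
# written as Azure location codes (display name lowercased, spaces removed).
$RecommendedLocations = @{
    'rms.na.aadrm.com'    = @('northcentralus', 'eastus')
    'rms.eu.aadrm.com'    = @('northeurope', 'westeurope')
    'rms.ap.aadrm.com'    = @('eastasia', 'southeastasia')
    'rms.sa.aadrm.com'    = @('westus', 'eastus')
    'rms.govus.aadrm.com' = @('centralus', 'eastus2')
    'rms.aadrm.us'        = @('usgovvirginia', 'usgovarizona')
    'rms.aadrm.cn'        = @('chinaeast2', 'chinanorth2')
}

function Get-AipRmsHost {
    # Strips the leading tenant-ID label from the licensing URL host,
    # e.g. '5c6bb73b-....rms.na.aadrm.com' -> 'rms.na.aadrm.com'.
    param([Parameter(Mandatory)][string]$LicensingUrl)
    $hostName = ([System.Uri]$LicensingUrl).Host
    return $hostName.Substring($hostName.IndexOf('.') + 1)
}

function Test-KeyVaultLocationForAip {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$LicensingUrl
    )
    $rmsHost = Get-AipRmsHost -LicensingUrl $LicensingUrl
    if (-not $RecommendedLocations.ContainsKey($rmsHost)) {
        throw "Unrecognized RMS endpoint '$rmsHost'; check the tenant's licensing URL."
    }

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Key vault '$VaultName' was not found in the current subscription." }

    # Get-AzKeyVault reports a location code such as 'eastus'; normalize defensively.
    $location = ($vault.Location -replace '\s', '').ToLowerInvariant()
    [pscustomobject]@{
        RmsHost       = $rmsHost
        VaultLocation = $location
        Recommended   = ($RecommendedLocations[$rmsHost] -join ', ')
        InRecommended = ($RecommendedLocations[$rmsHost] -contains $location)
    }
}

# LicensingIntranetDistributionPointUrl is the property shown in the page's sample output.
$config = Get-AipServiceConfiguration
$result = Test-KeyVaultLocationForAip -VaultName 'contosorms-kv' `
    -LicensingUrl $config.LicensingIntranetDistributionPointUrl
$result | Format-List

if (-not $result.InRecommended) {
    Write-Warning ("Vault is in '{0}'; for '{1}' the recommended locations are {2}. " +
        "Confirm compliance requirements before relocating it.") -f `
        $result.VaultLocation, $result.RmsHost, $result.Recommended
}
```

Compliance requirements take precedence over latency, so a vault outside the recommended list is reported as a warning rather than an error.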

Create and configure your key

Important

For information specific to Managed HSMs, see Enabling key authorization for Managed HSM keys via Azure CLI.

Create an Azure key vault and the key you want to use for Azure Information Protection. For more information, see the Azure Key Vault documentation.

Note the following when configuring your Azure key vault and key for BYOK:

Key length requirements

When creating your key, make sure that the key length is either 2048 bits (recommended) or 1024 bits. Other key lengths are not supported by Azure Information Protection.

Note

1024-bit keys are not considered to offer an adequate level of protection for active tenant keys.

Microsoft doesn't endorse the use of lower key lengths, such as 1024-bit RSA keys, or the associated use of protocols that offer inadequate levels of protection, such as SHA-1.

Creating an HSM-protected key on-premises and transferring it to your key vault

To create an HSM-protected key on-premises and transfer it to your key vault as an HSM-protected key, follow the procedures in the Azure Key Vault documentation: How to generate and transfer HSM-protected keys for Azure Key Vault.

For Azure Information Protection to use the transferred key, all Key Vault operations must be permitted for the key, including:

  • encrypt
  • decrypt
  • wrapKey
  • unwrapKey
  • sign
  • verify

By default, all Key Vault operations are permitted.

To check the permitted operations for a specific key, run the following PowerShell command:

(Get-AzKeyVaultKey -VaultName <key vault name> -Name <key name>).Attributes.KeyOps

If necessary, add permitted operations by using Update-AzKeyVaultKey with the KeyOps parameter.
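The following script is an added example, not code from the original page. It turns the check above into a function that compares a key's key_ops list against the operations listed above, reports what is missing, and optionally repairs the list with Update-AzKeyVaultKey. It assumes the Az.KeyVault module is installed, Connect-AzAccount has been run by a Key Vault administrator with get and update permissions on keys, and uses the page's sample names 'contosorms-kv' and 'contosorms-byok'.

```powershell
# Added example (not the page's own code): verify that a BYOK key permits every operation
# the Azure Rights Management service needs, and add any that are missing.
# Assumes Connect-AzAccount has already been run.

# The operations the page lists as required for the transferred key.
$RequiredKeyOps = @('encrypt', 'decrypt', 'wrapKey', 'unwrapKey', 'sign', 'verify')

function Confirm-AipKeyOperations {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$KeyName,
        [switch]$Fix   # add the missing operations instead of only reporting them
    )

    $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
    if (-not $key) { throw "Key '$KeyName' not found in vault '$VaultName'." }

    # Kty is 'RSA' for a software-protected key and 'RSA-HSM' for an HSM-protected one;
    # a key transferred from an on-premises HSM should show 'RSA-HSM'.
    Write-Host "Key $($key.Id) type: $($key.Key.Kty), enabled: $($key.Enabled)"

    $currentOps = @($key.Attributes.KeyOps)
    # -notcontains is case-insensitive, so 'wrapKey' and 'wrapkey' compare equal.
    $missing = @($RequiredKeyOps | Where-Object { $currentOps -notcontains $_ })

    if ($missing.Count -eq 0) {
        Write-Host 'All operations required by Azure Rights Management are permitted.'
        return $true
    }

    Write-Warning "Missing key operations: $($missing -join ', ')"
    if ($Fix) {
        # -KeyOps replaces the whole key_ops list, so pass the union, not only the missing ones.
        Update-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
            -KeyOps ($currentOps + $missing) | Out-Null
        Write-Host 'Added the missing operations.'
        return $true
    }
    return $false
}

# Report only; add -Fix to repair the key_ops list.
Confirm-AipKeyOperations -VaultName 'contosorms-kv' -KeyName 'contosorms-byok'
```

Run it without -Fix first and review the warning, because key_ops is also the place where a deliberately restricted key (for example one that must never wrap or sign) would be widened by mistake.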

Configuring Azure Information Protection with your key ID

Keys stored in Azure Key Vault each have a key ID.

The key ID is a URL that contains the name of the key vault, the keys container, the name of the key, and the key version. For example:

https://contosorms-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333

Configure Azure Information Protection to use your key by specifying this key vault URL.

Authorizing the Azure Rights Management service to use your key

The Azure Rights Management service must be authorized to use your key. Azure Key Vault administrators can enable this authorization using the Azure portal or Azure PowerShell.

Enabling key authorization using the Azure portal

  1. Sign in to the Azure portal, and go to Key vaults > <your key vault name> > Access policies > Add new.

  2. In the Add access policy pane, from the Configure from template (optional) list box, select Azure Information Protection BYOK, and then click OK.

    The selected template has the following configuration:

    • The Select principal value is set to Microsoft Rights Management Services.
    • Selected key permissions include Get, Decrypt, and Sign.

Enabling key authorization using PowerShell

Run the Key Vault PowerShell cmdlet Set-AzKeyVaultAccessPolicy, and grant permissions to the Azure Rights Management service principal using the GUID 00000012-0000-0000-c000-000000000000.

For example:

Set-AzKeyVaultAccessPolicy -VaultName 'ContosoRMS-kv' -ResourceGroupName 'ContosoRMS-byok-rg' -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,sign,get

Enabling key authorization for Managed HSM keys via Azure CLI

To grant the Azure Rights Management service principal permissions as a Managed HSM Crypto User, run the following command:

az keyvault role assignment create --hsm-name "ContosoMHSM" --role "Managed HSM Crypto User" --assignee 00000012-0000-0000-c000-000000000000 --scope /keys/contosomhsmkey

Where:

  • 00000012-0000-0000-c000-000000000000 is the GUID to use in this command
  • ContosoMHSM is a sample HSM name. When running this command, replace this value with your own HSM name.

The Managed HSM Crypto User role grants the decrypt, sign, and get permissions on the key, all of which are required for the Managed HSM functionality.

Note

While Managed HSM is in public preview, granting the Managed HSM Crypto User role is supported only via Azure CLI.

Configure Azure Information Protection to use your key

Once you've completed all of the steps above, you're ready to configure Azure Information Protection to use this key as your organization's tenant key.

Using the Azure RMS cmdlets, run the following commands:

  1. Connect to the Azure Rights Management service and sign in:

    Connect-AipService
    
  2. Run the Use-AipServiceKeyVaultKey cmdlet, specifying the key URL. For example:

    Use-AipServiceKeyVaultKey -KeyVaultKeyUrl "https://contosorms-kv.vault.azure.net/keys/contosorms-byok/<key-version>"
    

    Important

    In this example, <key-version> is the version of the key you want to use. If you do not specify the version, the current version of the key is used by default, and the command may appear to work. However, if your key is later updated or renewed, the Azure Rights Management service will stop working for your tenant, even if you run the Use-AipServiceKeyVaultKey command again.

    Use the Get-AzKeyVaultKey command as needed to get the version number of the current key.

    For example: Get-AzKeyVaultKey -VaultName 'contosorms-kv' -Name 'contosorms-byok'

    To confirm that the key URL is set correctly for Azure Information Protection, run the Get-AzKeyVaultKey command against the Azure key vault to display the key URL and compare it with the one you specified.

  3. If the Azure Rights Management service is already activated, run Set-AipServiceKeyProperties to tell Azure Information Protection to use this key as the active tenant key for the Azure Rights Management service.

Azure Information Protection is now configured to use your key instead of the default Microsoft-created key that was automatically generated for your tenant.
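The script below is an added example that ties the authorization and configuration steps above together; it is not the page's own code. It grants the Azure Rights Management service principal the three key permissions from the page's template, resolves the current key version explicitly so that the URL passed to Use-AipServiceKeyVaultKey is always versioned, and then activates and verifies the tenant key. It assumes the Az.KeyVault and AIPService modules are installed, that Connect-AzAccount (as a Key Vault administrator) and Connect-AipService (as a global admin) have already been run, and uses the page's sample vault, resource group and key names. The parameter names of Set-AipServiceKeyProperties and the property names of the objects returned by Get-AipServiceKeys are assumptions; confirm them with Get-Help for your module version.

```powershell
# Added example (not the page's own code): authorize, pin, activate and verify a BYOK key.
# Assumes Connect-AzAccount and Connect-AipService have already been run.

$VaultName     = 'contosorms-kv'          # page's sample vault name
$ResourceGroup = 'ContosoRMS-byok-rg'     # page's sample resource group
$KeyName       = 'contosorms-byok'        # page's sample key name
# Application ID of the Azure Rights Management service principal, as given on the page.
$RmsServicePrincipal = '00000012-0000-0000-c000-000000000000'

# 1. Grant the service principal only the key permissions the page's template grants.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -ServicePrincipalName $RmsServicePrincipal -PermissionsToKeys decrypt,sign,get

# 2. Resolve the current version explicitly. Without -Version, Get-AzKeyVaultKey returns
#    the current version and .Id is its versioned URL (this also keeps the correct DNS
#    suffix for sovereign clouds). Refusing to continue without a version avoids the
#    failure mode described above, where an unversioned URL breaks after key rotation.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if (-not $key -or -not $key.Version) {
    throw "Could not resolve a versioned key for '$KeyName' in '$VaultName'."
}
$keyUrl = $key.Id
if (-not $keyUrl.TrimEnd('/').EndsWith("/$($key.Version)")) {
    throw "Key ID '$keyUrl' does not end with version '$($key.Version)'."
}
Write-Host "Registering key version $($key.Version): $keyUrl"

# 3. Register the versioned key with Azure Information Protection.
Use-AipServiceKeyVaultKey -KeyVaultKeyUrl $keyUrl

# 4. Locate the registered key in the tenant's key list and make it the active tenant key
#    (needed when the Azure Rights Management service is already activated).
#    KeyVaultKeyUrl, KeyIdentifier and Status are assumed property names.
$tenantKey = Get-AipServiceKeys | Where-Object { $_.KeyVaultKeyUrl -eq $keyUrl }
if (-not $tenantKey) { throw "Key URL '$keyUrl' is not listed by Get-AipServiceKeys." }
Set-AipServiceKeyProperties -KeyIdentifier $tenantKey.KeyIdentifier -Active $true   # assumed parameter names

# 5. Verify: exactly one active key, and it is the BYOK key just registered.
$active = @(Get-AipServiceKeys | Where-Object { $_.Status -eq 'Active' })
if ($active.Count -ne 1 -or $active[0].KeyVaultKeyUrl -ne $keyUrl) {
    throw "Active tenant key is not the expected BYOK key:`n$($active | Out-String)"
}
Write-Host "Tenant is now using BYOK key $keyUrl"
```

Because Azure Information Protection is pinned to a key version, rotating the key in Key Vault (manually or by rotation policy) requires rerunning steps 2 to 5 for the new version; cross-check the Key Vault logs afterwards to confirm that only the Azure Rights Management service principal is using the key.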

Next steps

Once you've configured BYOK protection, continue to Getting started with your tenant root key for more information about using and managing your key.