Step 2: HSM-protected key to HSM-protected key migration

*Applies to: Active Directory Rights Management Services, Azure Information Protection*

*Relevant for: AIP unified labeling client and classic client*

These instructions are part of the migration path from AD RMS to Azure Information Protection, and apply only if your AD RMS key is HSM-protected and you want to migrate to Azure Information Protection with an HSM-protected tenant key in Azure Key Vault.

If this is not your chosen configuration scenario, go back to Step 4. Export configuration data from AD RMS and import it to Azure RMS and choose a different configuration.

These instructions assume your AD RMS key is module-protected, which is the most typical case. If the key is protected by an Operator Card Set (OCS) instead, the nCipher transfer steps differ and are not covered here; confirm the protection type before you start.

It's a two-part procedure to import your HSM key and AD RMS configuration into Azure Information Protection, resulting in an Azure Information Protection tenant key that is managed by you (BYOK).

Because your Azure Information Protection tenant key will be stored and managed by Azure Key Vault, this part of the migration requires administration in Azure Key Vault in addition to Azure Information Protection. If Azure Key Vault is managed by a different administrator in your organization, you must coordinate with that administrator to complete these procedures.

Before you begin, make sure that your organization has a key vault in Azure Key Vault that supports HSM-protected keys (the Premium tier). Although it's not required, we recommend a dedicated key vault for Azure Information Protection: this key vault will be configured to allow the Azure Rights Management service to access it, so it should hold only the Azure Information Protection keys and nothing else.

If you are doing the configuration steps for Azure Key Vault and you are not familiar with this Azure service, you might find it useful to first review Get started with Azure Key Vault.

Part 1: Transfer your HSM key to Azure Key Vault

These procedures are done by the administrator for Azure Key Vault.

  1. For each exported SLC key that you want to store in Azure Key Vault, follow the instructions from the Azure Key Vault documentation, Implementing bring your own key (BYOK) for Azure Key Vault, with the following exception:

    • Do not do the steps for Generate your tenant key, because you already have the equivalent from your AD RMS deployment. Instead, identify the keys used by your AD RMS server from the nCipher installation, prepare these keys for transfer, and then transfer them to Azure Key Vault.

      Encrypted key files for nCipher are named key_<keyAppName>_<keyIdentifier> locally on the server. For example: C:\Users\All Users\nCipher\Key Management Data\local\key_mscapi_f829e3d888f6908521fe3d91de51c25d27116a54. You will need the mscapi value as the keyAppName, and your own value for the key identifier, when you run the KeyTransferRemote command to create a copy of the key with reduced permissions.

      When the key uploads to Azure Key Vault, the properties of the key are displayed, including the key ID. It will look similar to https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333. Make a note of this URL, because the Azure Information Protection administrator needs it to tell the Azure Rights Management service to use this key as its tenant key.

  2. On the internet-connected workstation, in a PowerShell session, use the Set-AzKeyVaultAccessPolicy cmdlet to authorize the Azure Rights Management service principal to access the key vault that will store the Azure Information Protection tenant key. The key permissions the service needs are get, decrypt, and sign, which is exactly what the command below grants. Don't grant anything broader (in particular none of the key-management permissions such as import, delete, or purge): this access policy is the only thing standing between the service principal and your tenant key. If the vault uses the Azure RBAC permission model instead of access policies, Set-AzKeyVaultAccessPolicy has no effect and you must grant the equivalent with a role assignment on the key instead.

    For example, if the key vault that you have created for Azure Information Protection is named contoso-byok-kv, and your resource group is named contoso-byok-rg, run the following command:

    Set-AzKeyVaultAccessPolicy -VaultName "contoso-byok-kv" -ResourceGroupName "contoso-byok-rg" -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,sign,get
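The authorization step above, as an added example script that is not part of the original page: it runs the same Set-AzKeyVaultAccessPolicy call, but first checks that the vault is Premium and uses access policies rather than Azure RBAC, confirms the transferred key is HSM-backed and captures its key URL for the Azure Information Protection administrator, and afterwards reads the policy back to make sure nothing beyond get, decrypt, and sign was granted. The vault and resource group names are the page's examples; the key name contosorms-byok is an assumption (whatever name you gave the key when you transferred it).

```powershell
# Added example, not from the original page. Run in a PowerShell session with the Az module
# (Az.KeyVault, Az.Resources) where Connect-AzAccount has already been completed.
# Assumed names: the page's example vault and resource group, and a key named contosorms-byok.
$vaultName = "contoso-byok-kv"
$rgName    = "contoso-byok-rg"
$keyName   = "contosorms-byok"
# Application ID of the Azure Rights Management service principal (from the page's command).
$rmsAppId  = "00000012-0000-0000-c000-000000000000"
# The only key permissions the service needs; anything more is excess privilege on the tenant key.
$expectedPerms = @("get", "decrypt", "sign")

# 1. Preconditions on the vault itself.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName
if (-not $vault) { throw "Key vault $vaultName not found in resource group $rgName." }
if ($vault.Sku -ne "Premium") {
    throw "$vaultName is tier '$($vault.Sku)'; HSM-protected keys require the Premium tier."
}
if ($vault.EnableRbacAuthorization) {
    throw "$vaultName uses the Azure RBAC permission model; Set-AzKeyVaultAccessPolicy will not apply. Assign a role on the key instead."
}

# 2. Confirm the transferred key is HSM-backed and capture the URL the AIP administrator needs.
$key = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName
if (-not $key) { throw "Key $keyName has not been transferred into $vaultName yet." }
if ($key.Key.Kty -ne "RSA-HSM") {
    throw "Key $keyName is of type '$($key.Key.Kty)', not RSA-HSM; it is not HSM-protected."
}
$keyUrl = $key.Id   # e.g. https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/<version>
Write-Output "Key URL for the Azure Information Protection administrator: $keyUrl"

# 3. Grant the Azure Rights Management service principal exactly get, decrypt, sign.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
    -ServicePrincipalName $rmsAppId -PermissionsToKeys $expectedPerms

# 4. Read the policy back and fail if it is missing or broader than intended.
$spObjectId = (Get-AzADServicePrincipal -ApplicationId $rmsAppId).Id
$policy = (Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $spObjectId }
if (-not $policy) { throw "No access policy found for service principal $rmsAppId." }
$granted = @($policy.PermissionsToKeys | ForEach-Object { $_.ToLower() })
$extra   = $granted | Where-Object { $expectedPerms -notcontains $_ }
$missing = $expectedPerms | Where-Object { $granted -notcontains $_ }
if ($extra)   { throw "Policy grants more than needed on the tenant key: $($extra -join ', ')" }
if ($missing) { throw "Policy is missing required permissions: $($missing -join ', ')" }
Write-Output "Access policy for the Azure Rights Management service verified: $($granted -join ', ')"
```

The read-back in step 4 matters because Set-AzKeyVaultAccessPolicy merges into any policy that already exists for the same principal: if someone previously granted the service principal a wider set, the wide grant stays unless you remove it, and this check is what catches that.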

Now that you've prepared your HSM key in Azure Key Vault for the Azure Rights Management service from Azure Information Protection, you're ready to import your AD RMS configuration data.

Part 2: Import the configuration data to Azure Information Protection

These procedures are done by the administrator for Azure Information Protection.

  1. On the internet-connected workstation, in the PowerShell session, connect to the Azure Rights Management service by using the Connect-AipService cmdlet.

    Then upload each trusted publishing domain (.xml) file by using the Import-AipServiceTpd cmdlet. You should have at least one additional file to import if you upgraded your AD RMS cluster for Cryptographic Mode 2, because that upgrade generated a new SLC key alongside the original one.

    To run this cmdlet, you need the password that you specified earlier for each configuration data file, and the URL for the key that was identified in the previous step.

    For example, using a configuration data file of C:\contoso-tpd1.xml and the key URL value from the previous step, first run the following to store the password:

    $TPD_Password = Read-Host -AsSecureString

    Enter the password that you specified when you exported the configuration data file. Then run the following command and confirm that you want to perform this action:

    Import-AipServiceTpd -TpdFile "C:\contoso-tpd1.xml" -ProtectionPassword $TPD_Password -KeyVaultKeyUrl https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333 -Verbose

    As part of this import, the SLC key is imported and automatically set as archived.

  2. When you have uploaded each file, run Set-AipServiceKeyProperties to specify which imported key matches the currently active SLC key in your AD RMS cluster. This key becomes the active tenant key for your Azure Rights Management service. Check the result with Get-AipServiceKeys before you move on: exactly one key should show as active, and it should be the one that matches your cluster's active SLC, because new content will be protected with whichever key is active.

  3. Use the Disconnect-AipService cmdlet to disconnect from the Azure Rights Management service.
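Part 2 as a whole, as an added example script that is not part of the original page: it connects, imports every TPD file in a folder (prompting for each file's password, since each was exported with its own), activates the key that matches your cluster's active SLC, verifies with Get-AipServiceKeys that exactly that key is active, and disconnects. The folder C:\tpd, the file name pattern contoso-tpd*.xml, the key URL, and $activeKeyId (the KeyIdentifier, as listed by Get-AipServiceKeys after import, of the key that matches your currently active SLC) are assumptions you replace with your own values.

```powershell
# Added example, not from the original page. Requires the AIPService PowerShell module.
# Assumed inputs: a folder of exported TPD files and the key URL handed over by the Key Vault administrator.
$tpdFolder   = "C:\tpd"   # assumed location of the exported .xml files
$keyUrl      = "https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333"
# KeyIdentifier (as shown by Get-AipServiceKeys after import) of the key that matches the
# currently active SLC in the AD RMS cluster. Placeholder; replace with your own value.
$activeKeyId = "<KeyIdentifier of the active SLC key>"

Connect-AipService

$tpdFiles = @(Get-ChildItem -Path $tpdFolder -Filter "contoso-tpd*.xml")
if ($tpdFiles.Count -eq 0) { throw "No TPD files found in $tpdFolder." }

# Import every TPD. Each file was exported with its own password, so prompt per file.
# Every imported SLC key lands in the archived state; the cmdlet asks for confirmation.
foreach ($tpd in $tpdFiles) {
    $pw = Read-Host -Prompt "Password for $($tpd.Name)" -AsSecureString
    Import-AipServiceTpd -TpdFile $tpd.FullName -ProtectionPassword $pw -KeyVaultKeyUrl $keyUrl -Verbose
}

# The key we intend to activate must be among the imported keys.
$keys = @(Get-AipServiceKeys)
if (-not ($keys | Where-Object { $_.KeyIdentifier -eq $activeKeyId })) {
    throw "Key $activeKeyId was not imported; compare against the KeyIdentifier values from Get-AipServiceKeys."
}

# Promote the key that matches the active SLC; all other imported keys stay archived.
Set-AipServiceKeyProperties -KeyIdentifier $activeKeyId -Active $true

# Verify: exactly one active key, and it is the one we intended.
$active = @(Get-AipServiceKeys | Where-Object { $_.Status -eq "Active" })
if ($active.Count -ne 1 -or $active[0].KeyIdentifier -ne $activeKeyId) {
    $ids = ($active | ForEach-Object { $_.KeyIdentifier }) -join ', '
    throw "Unexpected active key set after Set-AipServiceKeyProperties: $ids"
}
Write-Output "Active tenant key is now $activeKeyId"

Disconnect-AipService
```

Keep the passwords out of the script itself: Read-Host -AsSecureString returns a SecureString, which is what -ProtectionPassword expects, so nothing has to be stored in plain text or in shell history.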


If you later need to confirm which key in Azure Key Vault your Azure Information Protection tenant key is using, run the Get-AipServiceKeys cmdlet.

You're now ready to go to Step 5. Activate the Azure Rights Management service.