Step 2: Software-protected key to HSM-protected key migration

*Applies to: Active Directory Rights Management Services, Azure Information Protection*

*Relevant for: AIP unified labeling client and classic client*

These instructions are part of the migration path from AD RMS to Azure Information Protection, and are applicable only if your AD RMS key is software-protected and you want to migrate to Azure Information Protection with an HSM-protected tenant key in Azure Key Vault.

If this is not your chosen configuration scenario, go back to Step 4. Export configuration data from AD RMS and import it to Azure RMS and choose a different configuration.

It’s a four-part procedure to import the AD RMS configuration to Azure Information Protection, to result in your Azure Information Protection tenant key that is managed by you (BYOK) in Azure Key Vault.

You must first extract your server licensor certificate (SLC) key from the AD RMS configuration data and transfer the key to an on-premises nCipher HSM, next package and transfer your HSM key to Azure Key Vault, then authorize the Azure Rights Management service from Azure Information Protection to access your key vault, and then import the configuration data.

Because your Azure Information Protection tenant key will be stored and managed by Azure Key Vault, this part of the migration requires administration in Azure Key Vault, in addition to Azure Information Protection. If Azure Key Vault is managed by a different administrator than you for your organization, you must coordinate and work with that administrator to complete these procedures.

Before you begin, make sure that your organization has a key vault that has been created in Azure Key Vault, and that it supports HSM-protected keys. Although it's not required, we recommend that you have a dedicated key vault for Azure Information Protection. This key vault will be configured to allow the Azure Rights Management service from Azure Information Protection to access it, so the keys that this key vault stores should be limited to Azure Information Protection keys only.

Tip

If you are doing the configuration steps for Azure Key Vault and you are not familiar with this Azure service, you might find it useful to first review Get started with Azure Key Vault.

Part 1: Extract your SLC key from the configuration data and import the key to your on-premises HSM

  1. Azure Key Vault administrator: For each exported SLC key that you want to store in Azure Key Vault, use the following steps in the Implementing bring your own key (BYOK) for Azure Key Vault section of the Azure Key Vault documentation:

    Do not follow the steps to generate your tenant key, because you already have the equivalent in the exported configuration data (.xml) file. Instead, you will run a tool to extract this key from the file and import it to your on-premises HSM. The tool creates two files when you run it:

    • A new configuration data file without the key, which is then ready to be imported to your Azure Information Protection tenant.

    • A PEM file (key container) with the key, which is then ready to be imported to your on-premises HSM.

  2. Azure Information Protection administrator or Azure Key Vault administrator: On the disconnected workstation, run the TpdUtil tool from the Azure RMS migration toolkit. For example, if the tool is installed on your E drive where you copy your configuration data file named ContosoTPD.xml:

    E:\TpdUtil.exe /tpd:ContosoTPD.xml /otpd:ContosoTPD.xml /opem:ContosoTPD.pem
    

    If you have more than one RMS configuration data file, run this tool for each of the remaining files.

    To see Help for this tool, which includes a description, usage, and examples, run TpdUtil.exe with no parameters.

    Additional information for this command:

    • /tpd: specifies the full path and name of the exported AD RMS configuration data file. The full parameter name is TpdFilePath.

    • /otpd: specifies the output file name for the configuration data file without the key. The full parameter name is OutPfxFile. If you do not specify this parameter, the output file defaults to the original file name with the suffix _keyless, and it is stored in the current folder.

    • /opem: specifies the output file name for the PEM file, which contains the extracted key. The full parameter name is OutPemFile. If you do not specify this parameter, the output file defaults to the original file name with the suffix _key, and it is stored in the current folder.

    • If you don't specify the password when you run this command (by using the TpdPassword full parameter name or the pwd short parameter name), you are prompted to specify it.

  3. On the same disconnected workstation, attach and configure your nCipher HSM, according to your nCipher documentation. You can now import your key into your attached nCipher HSM by using the following command, where you need to substitute your own file name for ContosoTPD.pem:

    generatekey --import simple pemreadfile=e:\ContosoTPD.pem plainname=ContosoBYOK protect=module ident=contosobyok type=RSA
    

    Note

    If you have more than one file, choose the file that corresponds to the HSM key you want to use in Azure RMS to protect content after the migration.

    This generates an output display similar to the following:

    key generation parameters:
     operation        Operation to perform                    import
     application      Application                             simple
     verify           Verify security of configuration key    yes
     type             Key type                                RSA
     pemreadfile      PEM file containing RSA key             e:\ContosoTPD.pem
     ident            Key identifier                          contosobyok
     plainname        Key name                                ContosoBYOK
    Key successfully imported.
    Path to key: C:\ProgramData\nCipher\Key Management Data\local\key_simple_contosobyok
    

This output confirms that the private key is now migrated to your on-premises nCipher HSM device, with an encrypted copy saved to a key (in our example, "key_simple_contosobyok").

Now that your SLC key has been extracted and imported to your on-premises HSM, you’re ready to package the HSM-protected key and transfer it to Azure Key Vault.

Important

When you have completed this step, securely erase these PEM files from the disconnected workstation to ensure that they cannot be accessed by unauthorized people. For example, run "cipher /w:E:\" to securely overwrite the free space on the E: drive after deleting the files.
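The following PowerShell is an added example for Part 1 and is not code from the page or from the Azure RMS migration toolkit. It runs TpdUtil.exe over every exported configuration data file on the disconnected workstation, checks that both output files were produced, and then, once the PEM files have been imported into the HSM, deletes them and wipes the drive's free space with cipher. It assumes TpdUtil.exe and the .xml files live on the E: drive, that the /tpd, /otpd and /opem switches behave as described above, and that the tool prompts for the password when none is given on the command line; the function names are the example's own.

```powershell
# Added example (not from the page or the migration toolkit).
# Assumptions: TpdUtil.exe and the exported .xml files are on E:\ of the
# disconnected workstation; switches /tpd, /otpd, /opem as documented above;
# TpdUtil prompts for the TPD password when it is not supplied.

function Export-SlcKeyFromTpd {
    param(
        [Parameter(Mandatory)] [string] $TpdFolder,          # e.g. 'E:\'
        [string] $TpdUtilPath = 'E:\TpdUtil.exe'
    )
    $results = @()
    # Skip *_keyless.xml so a re-run does not feed its own output back in.
    $inputs = Get-ChildItem -Path $TpdFolder -Filter '*.xml' -File |
              Where-Object { $_.Name -notlike '*_keyless.xml' }
    foreach ($tpd in $inputs) {
        $base    = [IO.Path]::GetFileNameWithoutExtension($tpd.Name)
        $keyless = Join-Path $TpdFolder "${base}_keyless.xml"
        $pem     = Join-Path $TpdFolder "$base.pem"

        # The password is typed at the tool's own prompt, so it never lands in
        # the process command line or in the PowerShell history file.
        & $TpdUtilPath "/tpd:$($tpd.FullName)" "/otpd:$keyless" "/opem:$pem"
        if ($LASTEXITCODE -ne 0) {
            throw "TpdUtil failed on $($tpd.Name) with exit code $LASTEXITCODE"
        }
        if (-not (Test-Path $keyless) -or -not (Test-Path $pem)) {
            throw "Expected output files for $($tpd.Name) were not written"
        }
        $results += [pscustomobject]@{ Source = $tpd.FullName; Keyless = $keyless; Pem = $pem }
    }
    return $results
}

# Run this only after every PEM file has been imported into the nCipher HSM.
# cipher /w overwrites free space only, so the PEM files are deleted first and
# the wipe then covers the blocks they occupied.
function Remove-PemSecurely {
    param([Parameter(Mandatory)] [string] $TpdFolder)
    Get-ChildItem -Path $TpdFolder -Filter '*.pem' -File | Remove-Item -Force
    $drive = [IO.Path]::GetPathRoot((Resolve-Path $TpdFolder).Path)   # e.g. 'E:\'
    cipher.exe "/w:$drive"
    if ($LASTEXITCODE -ne 0) { throw "cipher /w failed with exit code $LASTEXITCODE" }
}

# Usage on the disconnected workstation:
#   $extracted = Export-SlcKeyFromTpd -TpdFolder 'E:\'
#   # import each $extracted.Pem into the HSM with generatekey --import, then:
#   Remove-PemSecurely -TpdFolder 'E:\'
```

Copy the keyless files to removable media before calling Remove-PemSecurely; the wipe runs over the whole drive's free space, and the keyless files are the ones Part 3 needs on the internet-connected workstation.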

Part 2: Package and transfer your HSM key to Azure Key Vault

Azure Key Vault administrator: For each exported SLC key that you want to store in Azure Key Vault, use the following steps from the Implementing bring your own key (BYOK) for Azure Key Vault section of the Azure Key Vault documentation:

Do not follow the steps to generate your key pair, because you already have the key. Instead, you will run a command to transfer this key (in our example, our KeyIdentifier parameter uses "contosobyok") from your on-premises HSM.

Before you transfer your key to Azure Key Vault, make sure that the KeyTransferRemote.exe utility returns Result: SUCCESS when you create a copy of your key with reduced permissions (step 4.1) and when you encrypt your key (step 4.3).

When the key uploads to Azure Key Vault, you see the properties of the key displayed, which include the key ID. It will look similar to https://contosorms-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333. Make a note of this URL because the Azure Information Protection administrator will need it to tell the Azure Rights Management service from Azure Information Protection to use this key for its tenant key.

Then use the Set-AzKeyVaultAccessPolicy cmdlet to authorize the Azure Rights Management service principal to access the key vault. The permissions required are decrypt, encrypt, unwrapkey, wrapkey, verify, and sign.

For example, if the key vault that you have created for Azure Information Protection is named contosorms-byok-kv, and your resource group is named contosorms-byok-rg, run the following command:

    Set-AzKeyVaultAccessPolicy -VaultName "contosorms-byok-kv" -ResourceGroupName "contosorms-byok-rg" -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get
    
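As an added check (not code from the page or from Microsoft), the function below verifies the result of this part from the Key Vault administrator's side: that the uploaded key is HSM-protected, that the Azure Rights Management service principal has exactly the key permissions granted above and nothing more, and that the vault holds no unexpected keys, in line with the page's recommendation of a dedicated vault. It assumes the Az.KeyVault and Az.Resources modules are installed and Connect-AzAccount has been run, that the vault uses access policies rather than Azure RBAC, and that the service principal application ID is the one used on this page; the function name is the example's own.

```powershell
# Added example (not from the page). Assumptions: Az.KeyVault and Az.Resources
# installed, Connect-AzAccount already run, vault uses access policies.
function Test-AipByokVault {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $KeyName,
        [string] $RmsAppId = '00000012-0000-0000-c000-000000000000'   # Azure RMS service principal, as on this page
    )
    # The permissions the page lists, plus 'get' as granted by its example command.
    $required = @('decrypt', 'encrypt', 'unwrapkey', 'wrapkey', 'verify', 'sign', 'get')
    $findings = @()

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault $VaultName was not found in the current subscription" }
    if ($vault.EnableRbacAuthorization) {
        $findings += 'Vault uses Azure RBAC: Set-AzKeyVaultAccessPolicy has no effect here; assign a Key Vault role instead'
    }

    # A BYOK tenant key must be HSM-backed: key type RSA-HSM, not software RSA.
    $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
    if (-not $key) {
        $findings += "Key $KeyName does not exist in $VaultName"
    } elseif ($key.Key.Kty -ne 'RSA-HSM') {
        $findings += "Key $KeyName has type $($key.Key.Kty), expected RSA-HSM"
    }

    # Resolve the service principal to its object ID and find its policy entry.
    $sp     = Get-AzADServicePrincipal -ApplicationId $RmsAppId
    $policy = $vault.AccessPolicies | Where-Object { $sp -and $_.ObjectId -eq $sp.Id }
    if (-not $policy) {
        $findings += "No access policy for the Azure RMS service principal ($RmsAppId)"
    } else {
        $granted = @($policy.PermissionsToKeys | ForEach-Object { $_.ToLowerInvariant() })
        $missing = @($required | Where-Object { $granted -notcontains $_ })
        $extra   = @($granted  | Where-Object { $required -notcontains $_ })
        if ($missing) { $findings += "Missing key permissions: $($missing -join ', ')" }
        if ($extra)   { $findings += "Excess key permissions beyond least privilege: $($extra -join ', ')" }
    }

    # The page recommends a dedicated vault; surface any other keys for review.
    $otherKeys = @(Get-AzKeyVaultKey -VaultName $VaultName | Where-Object { $_.Name -ne $KeyName })
    if ($otherKeys) {
        $findings += "Vault also holds other keys; confirm they are all AIP keys: $($otherKeys.Name -join ', ')"
    }

    if ($findings.Count -eq 0) { return 'OK: vault, key type and access policy match the BYOK requirements' }
    return $findings
}

# Usage, with the names used on this page:
#   Test-AipByokVault -VaultName 'contosorms-byok-kv' -KeyName 'contosorms-byok'
```

The excess-permission check matters because the access policy is the only thing standing between the Azure RMS service principal and every key in the vault; a policy that also grants create, delete or purge would let a compromise of that principal destroy or replace the tenant key rather than merely use it.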

Now that you’ve transferred your HSM key to Azure Key Vault, you’re ready to import your AD RMS configuration data.

Part 3: Import the configuration data to Azure Information Protection

  1. Azure Information Protection administrator: On the internet-connected workstation and in the PowerShell session, copy over your new configuration data files (.xml) that have the SLC key removed after running the TpdUtil tool.

  2. Upload each .xml file by using the Import-AipServiceTpd cmdlet. For example, you should have at least one additional file to import if you upgraded your AD RMS cluster for Cryptographic Mode 2.

    To run this cmdlet, you need the password that you specified earlier for the configuration data file, and the URL for the key that was identified in the previous step.

    For example, using a configuration data file of C:\contoso_keyless.xml and our key URL value from the previous step, first run the following to store the password:

    $TPD_Password = Read-Host -AsSecureString
    

    Enter the password that you specified to export the configuration data file. Then, run the following command and confirm that you want to perform this action:

    Import-AipServiceTpd -TpdFile "C:\contoso_keyless.xml" -ProtectionPassword $TPD_Password -KeyVaultStringUrl https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333 -Verbose
    

    As part of this import, the SLC key is imported and automatically set as archived.

  3. When you have uploaded each file, run Set-AipServiceKeyProperties to specify which imported key matches the currently active SLC key in your AD RMS cluster.

  4. Use the Disconnect-AipServiceService cmdlet to disconnect from the Azure Rights Management service:

    Disconnect-AipServiceService
    
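Part 3 as a single script, added here as an example and not code from the page or from the AIPService module's documentation. It imports each keyless configuration data file against the key vault key URL noted for it in Part 2, lists the imported keys so the operator can pick the one that matches the currently active SLC, and activates that key with Set-AipServiceKeyProperties before disconnecting. It assumes the AIPService module is installed, that Import-AipServiceTpd accepts -TpdFile, -ProtectionPassword and -KeyVaultStringUrl as shown above, that Set-AipServiceKeyProperties takes -KeyIdentifier and -Active, and that the objects returned by Get-AipServiceKeys expose KeyIdentifier and Status properties (an assumption); the function names are the example's own.

```powershell
# Added example (not from the page). Assumptions: AIPService module installed;
# cmdlet parameters as used on this page; Get-AipServiceKeys objects expose
# KeyIdentifier and Status (assumed property names).

function Import-KeylessTpdFiles {
    param(
        # One entry per keyless file: @{ File = 'C:\tpd\contoso_keyless.xml'; KeyUrl = 'https://...' }
        [Parameter(Mandatory)] [hashtable[]] $Imports,
        [Parameter(Mandatory)] [securestring] $TpdPassword
    )
    Connect-AipService
    try {
        foreach ($entry in $Imports) {
            if (-not (Test-Path $entry.File)) { throw "Configuration data file not found: $($entry.File)" }
            # Each imported SLC key lands as archived; nothing becomes active yet.
            Import-AipServiceTpd -TpdFile $entry.File -ProtectionPassword $TpdPassword `
                -KeyVaultStringUrl $entry.KeyUrl -Verbose
        }
        # Return the key list so the operator can identify the key that matches
        # the currently active SLC in the AD RMS cluster.
        return Get-AipServiceKeys
    }
    finally {
        Disconnect-AipServiceService
    }
}

function Set-ActiveTenantKey {
    param([Parameter(Mandatory)] [string] $KeyIdentifier)
    Connect-AipService
    try {
        Set-AipServiceKeyProperties -KeyIdentifier $KeyIdentifier -Active $true
        # Exactly one key should now report Status 'Active'; return it for confirmation.
        $active = @(Get-AipServiceKeys | Where-Object { $_.Status -eq 'Active' })
        if ($active.Count -ne 1) { throw "Expected one active key, found $($active.Count)" }
        return $active[0]
    }
    finally {
        Disconnect-AipServiceService
    }
}

# Usage (values as on this page; the second file and its URL are placeholders):
#   $tpdPassword = Read-Host -AsSecureString -Prompt 'Configuration data password'
#   $imports = @(
#       @{ File = 'C:\contoso_keyless.xml'
#          KeyUrl = 'https://contoso-byok-kv.vault.azure.net/keys/contosorms-byok/aaaabbbbcccc111122223333' }
#   )
#   Import-KeylessTpdFiles -Imports $imports -TpdPassword $tpdPassword
#   Set-ActiveTenantKey -KeyIdentifier '<KeyIdentifier of the key matching the active AD RMS SLC>'
```

Keeping the import and the activation in separate functions mirrors the page's step 2 and step 3: the list returned by the first call is what you compare against the AD RMS cluster before committing to an active key, and the second call refuses to finish if more than one key ends up active.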

If you later need to confirm which key your Azure Information Protection tenant key is using in Azure Key Vault, use the Get-AipServiceKeys Azure RMS cmdlet.

You’re now ready to go to Step 5. Activate the Azure Rights Management service.