Planning and implementing your Azure Information Protection tenant key

*Applies to: Azure Information Protection*

*Relevant for: AIP unified labeling client and classic client*

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

The Azure Information Protection tenant key is the root key for your organization. Other keys, including user keys, computer keys, and document encryption keys, are derived from this root key. Whenever Azure Information Protection uses these keys for your organization, they chain cryptographically back to your Azure Information Protection root tenant key.
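The derivation chain described above can be illustrated with a small key hierarchy. This is an added example, not Microsoft's AIP implementation: it uses HKDF (RFC 5869, implemented here with the Python standard library) to derive a user key from a constructed tenant root key and a document key from that user key. The salt, labels and key values are assumptions for the demo. It shows that every leaf key is deterministic given the root, that different users and documents receive different keys, and that a different root yields an unrelated hierarchy, which is why how the root key is generated and protected (the choice the rest of this article is about) matters for every document.

```python
"""Illustrative key hierarchy rooted in a tenant root key.

Added example, not Microsoft's AIP code: HKDF over SHA-256 derives
per-user and per-document keys from one root secret, so every leaf key
is cryptographically bound to the root. All key material is constructed.
"""
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(parent: bytes, label: str) -> bytes:
    """Derive a 32-byte child key bound to `parent` and a purpose label (demo salt)."""
    prk = hkdf_extract(salt=b"aip-demo-hierarchy", ikm=parent)
    return hkdf_expand(prk, label.encode("utf-8"))


def document_key(root: bytes, user: str, doc_id: str) -> bytes:
    """root -> user key -> document key; each hop is one HKDF derivation."""
    user_key = derive_key(root, f"user:{user}")
    return derive_key(user_key, f"doc:{doc_id}")


if __name__ == "__main__":
    # Constructed root for the demo; the real root lives in the service or an HSM.
    tenant_root = secrets.token_bytes(32)
    k1 = document_key(tenant_root, "alice@contoso.example", "doc-001")
    k2 = document_key(tenant_root, "alice@contoso.example", "doc-002")
    other_root = secrets.token_bytes(32)
    k3 = document_key(other_root, "alice@contoso.example", "doc-001")
    print("same root, doc-001:", k1.hex())
    print("same root, doc-002:", k2.hex())
    print("other root, doc-001:", k3.hex())
```

Because each hop is a one-way function, holding a document key does not reveal the user key or the root, but anyone holding the root can regenerate every key beneath it; that asymmetry is the reason the rest of this article is about where the root is generated and who holds it.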

In addition to your tenant root key, your organization may require on-premises security for specific documents. On-premises key protection is typically required for only a small amount of content, and is therefore configured alongside a tenant root key.

Azure Information Protection key types

Your tenant root key can be either:

  • Generated by Microsoft (the default)
  • Created by your organization and transferred to Azure Key Vault, known as Bring Your Own Key (BYOK)

If you have highly sensitive content that requires additional, on-premises protection, we recommend using Double Key Encryption (DKE).

Tip

If you are using the classic client and need additional, on-premises protection, use Hold Your Own Key (HYOK) instead.

Tenant root keys generated by Microsoft

The default key is generated automatically by Microsoft and is used exclusively by Azure Information Protection, which manages most aspects of your tenant key life cycle for you.

Continue using the default Microsoft key when you want to deploy Azure Information Protection quickly and without special hardware, software, or an Azure subscription. Examples include testing environments, or organizations without regulatory requirements for key management.

For the default key, no further steps are required, and you can go directly to Getting started with your tenant root key.

Note

The default key generated by Microsoft is the simplest option, with the lowest administrative overhead.

In most cases, you may not even be aware that you have a tenant key: you sign up for Azure Information Protection, and the rest of the key management process is handled by Microsoft.

Bring Your Own Key (BYOK) protection

BYOK protection uses keys that are created by the customer, either in Azure Key Vault or on-premises in the customer's organization. These keys are then transferred to Azure Key Vault for further management.

Use BYOK when your organization has compliance regulations for key generation, including control over all life-cycle operations, for example when your key must be protected by a hardware security module (HSM).

For more information, see Configure BYOK protection.

Once configured, continue to Getting started with your tenant root key for more information about using and managing your key.

Double Key Encryption (DKE)

*Relevant for: AIP unified labeling client only*

DKE protection provides additional security for your content by using two keys: one created and held by Microsoft in Azure, and another created and held on-premises by the customer.

DKE requires both keys to access protected content, ensuring that Microsoft and other third parties never have access to protected data on their own.

DKE can be deployed either in the cloud or on-premises, providing full flexibility for storage locations.

Use DKE when your organization:

  • Wants to ensure that only it can ever decrypt protected content, under all circumstances.
  • Does not want Microsoft to have access to protected data on its own.
  • Has regulatory requirements to hold keys within a geographical boundary. With DKE, customer-held keys are maintained within the customer's data center.
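The two-key requirement described in this section, as an added example that is not Microsoft's DKE code: a random content key encrypts the document, that content key is wrapped with the customer-held key, and the wrapped result is wrapped again with the Microsoft-held key, so the content key (and the document) can be recovered only when both holders unwrap their own layer. The cipher is a toy SHA-256 keystream with an HMAC tag so the script runs on the standard library alone; the real DKE service holds the customer key as an asymmetric key pair and the outer layer is AIP's own protection, and every key value below is constructed for the demo.

```python
"""Illustrative two-key ("double key") protection.

Added example, not Microsoft's DKE implementation. It models the property
the article describes: content is encrypted with a random content key, the
content key is wrapped with the customer-held key, and the result is wrapped
again with the Microsoft-held key. Recovering the content therefore needs
both holders. The cipher is a toy (SHA-256 keystream + HMAC tag) used only
so the example runs offline with the standard library; key values are constructed.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or modified data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def protect(content: bytes, customer_key: bytes, microsoft_key: bytes) -> dict:
    """Encrypt content, then wrap the content key with the customer key and Microsoft's key."""
    content_key = secrets.token_bytes(32)
    inner = seal(customer_key, content_key)   # only the customer can undo this layer
    outer = seal(microsoft_key, inner)        # only Microsoft can undo this layer
    return {"ciphertext": seal(content_key, content), "wrapped_key": outer}


def unprotect(package: dict, customer_key: bytes, microsoft_key: bytes) -> bytes:
    """Unwrap in reverse order: Microsoft's layer first, then the customer's layer."""
    inner = open_(microsoft_key, package["wrapped_key"])
    content_key = open_(customer_key, inner)
    return open_(content_key, package["ciphertext"])


def needs_both_keys(package: dict, customer_key: bytes, microsoft_key: bytes) -> bool:
    """True when each key on its own (paired with a wrong key) fails to recover the content."""
    wrong = secrets.token_bytes(32)
    for ck, mk in ((customer_key, wrong), (wrong, microsoft_key)):
        try:
            unprotect(package, ck, mk)
            return False
        except ValueError:
            pass
    return True


if __name__ == "__main__":
    customer = secrets.token_bytes(32)   # constructed: stands in for the on-premises key
    microsoft = secrets.token_bytes(32)  # constructed: stands in for the Azure-held key
    pkg = protect(b"Top Secret memo", customer, microsoft)
    print("recovered:", unprotect(pkg, customer, microsoft))
    print("both keys required:", needs_both_keys(pkg, customer, microsoft))
```

The order of the layers is what gives the page's guarantee: Microsoft can strip only its own outer layer and is left with a blob it cannot read, while the customer's unwrap is useless without Microsoft first removing the outer layer, so neither party can decrypt alone and the customer-held key never has to leave its data center.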

Note

DKE is similar to a safety deposit box that requires both a bank key and a customer key to open. DKE protection requires both the Microsoft-held key and the customer-held key to decrypt protected content.

For more information, see Double Key Encryption in the Microsoft 365 documentation.

Hold Your Own Key (HYOK)

*Relevant for: AIP classic client only*

HYOK protection uses a key that is created and held by the customer, in a location isolated from the cloud. Because HYOK protection enables access to data only for on-premises applications and services, customers that use HYOK also have a cloud-based key for cloud documents.

Use HYOK for documents that are:

  • Restricted to just a few people
  • Not shared outside the organization
  • Consumed only on the internal network

These documents typically have the highest classification in your organization, such as "Top Secret".

Content can be encrypted using HYOK protection only if you have the classic client. However, if you have HYOK-protected content, it can be viewed in both the classic and unified labeling clients.

For more information, see Hold Your Own Key (HYOK) details.