How to generate and transfer HSM-protected keys for Azure Key Vault

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. The HSMs are FIPS 140-2 Level 2 validated. Azure Key Vault uses the nCipher nShield family of HSMs to protect your keys.

Use the information in this topic to help you plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.

This functionality is not available for Azure China.

Note

For more information about Azure Key Vault, see What is Azure Key Vault?
For a getting started tutorial, which includes creating a key vault for HSM-protected keys, see What is Azure Key Vault?

More information about generating and transferring an HSM-protected key over the Internet:

  • You generate the key from an offline workstation, which reduces the attack surface.
  • The key is encrypted with a Key Exchange Key (KEK) and stays encrypted until it is transferred to the Azure Key Vault HSMs. Only the encrypted version of your key leaves the original workstation.
  • The toolset sets properties on your tenant key that bind your key to the Azure Key Vault security world. So after the Azure Key Vault HSMs receive and decrypt your key, only these HSMs can use it. Your key cannot be exported. This binding is enforced by the nCipher HSMs.
  • The Key Exchange Key (KEK) that is used to encrypt your key is generated inside the Azure Key Vault HSMs and is not exportable. The HSMs enforce that there can be no clear version of the KEK outside the HSMs. In addition, the toolset includes attestation from nCipher that the KEK is not exportable and was generated inside a genuine HSM that was manufactured by nCipher.
  • The toolset includes attestation from nCipher that the Azure Key Vault security world was also generated on a genuine HSM manufactured by nCipher. This attestation proves to you that Microsoft is using genuine hardware.
  • Microsoft uses separate KEKs and separate Security Worlds in each geographical region. This separation ensures that your key can be used only in data centers in the region in which you encrypted it. For example, a key from a European customer cannot be used in data centers in North America or Asia.

More information about nCipher HSMs and Microsoft services

nCipher Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government, and technology sectors. With a 40-year track record of protecting corporate and government information, nCipher Security cryptographic solutions are used by four of the five largest energy and aerospace companies. Their solutions are also used by 22 NATO countries, and secure more than 80 per cent of worldwide payment transactions.

Microsoft has collaborated with nCipher Security to enhance the state of the art for HSMs. These enhancements enable you to get the typical benefits of hosted services without relinquishing control over your keys. Specifically, these enhancements let Microsoft manage the HSMs so that you do not have to. As a cloud service, Azure Key Vault scales up at short notice to meet your organization's usage spikes. At the same time, your key is protected inside Microsoft's HSMs: you retain control over the key lifecycle because you generate the key and transfer it to Microsoft's HSMs.

Implementing bring your own key (BYOK) for Azure Key Vault

Use the following information and procedures if you will generate your own HSM-protected key and then transfer it to Azure Key Vault, the bring your own key (BYOK) scenario.

Prerequisites for BYOK

See the following table for a list of prerequisites for bring your own key (BYOK) for Azure Key Vault.

Requirement: A subscription to Azure
  To create an Azure Key Vault, you need an Azure subscription: Sign up for free trial.

Requirement: The Azure Key Vault Premium service tier to support HSM-protected keys
  For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website.

Requirement: nCipher nShield HSMs, smartcards, and support software
  You must have access to an nCipher Hardware Security Module and basic operational knowledge of nCipher nShield HSMs. See nCipher nShield Hardware Security Module for the list of compatible models, or to purchase an HSM if you do not have one.

Requirement: The following hardware and software:
  1. An offline x64 workstation with a minimum Windows operating system of Windows 7 and nCipher nShield software that is at least version 11.50.

     If this workstation runs Windows 7, you must install Microsoft .NET Framework 4.5.
  2. A workstation that is connected to the Internet and has a minimum Windows operating system of Windows 7 and Azure PowerShell minimum version 1.1.0 installed.
  3. A USB drive or other portable storage device that has at least 16 MB free space.

  For security reasons, we recommend that the first workstation is not connected to a network. However, this recommendation is not programmatically enforced.

  In the instructions that follow, this workstation is referred to as the disconnected workstation.

  In addition, if your tenant key is for a production network, we recommend that you use a second, separate workstation to download the toolset and upload the tenant key. But for testing purposes, you can use the same workstation as the first one.

  In the instructions that follow, this second workstation is referred to as the Internet-connected workstation.


Generate and transfer your key to Azure Key Vault HSM

You will use the following five steps to generate and transfer your key to an Azure Key Vault HSM:

Step 1: Prepare your Internet-connected workstation

For this first step, do the following procedures on your workstation that is connected to the Internet.

Step 1.1: Install Azure PowerShell

From the Internet-connected workstation, download and install the Azure PowerShell module that includes the cmdlets to manage Azure Key Vault. For installation instructions, see How to install and configure Azure PowerShell.

Step 1.2: Get your Azure subscription ID

Start an Azure PowerShell session and sign in to your Azure account by using the following command:

   Connect-AzAccount

In the pop-up browser window, enter your Azure account user name and password. Then, use the Get-AzSubscription command:

   Get-AzSubscription

From the output, locate the ID for the subscription you will use for Azure Key Vault. You will need this subscription ID later.

Do not close the Azure PowerShell window.

Step 1.3: Download the BYOK toolset for Azure Key Vault

Go to the Microsoft Download Center and download the Azure Key Vault BYOK toolset for your geographic region or instance of Azure. Use the following information to identify the package name to download and its corresponding SHA-256 package hash:


  • United States: KeyVault-BYOK-Tools-UnitedStates.zip
    SHA-256: 2E8C00320400430106366A4E8C67B79015524E4EC24A2D3A6DC513CA1823B0D4

  • Europe: KeyVault-BYOK-Tools-Europe.zip
    SHA-256: 9AAA63E2E7F20CF9BB62485868754203721D2F88D300910634A32DFA1FB19E4A

  • Asia: KeyVault-BYOK-Tools-AsiaPacific.zip
    SHA-256: 4BC14059BF0FEC562CA927AF621DF665328F8A13616F44C977388EC7121EF6B5

  • Latin America: KeyVault-BYOK-Tools-LatinAmerica.zip
    SHA-256: E7DFAFF579AFE1B9732C30D6FD80C4D03756642F25A538922DD1B01A4FACB619

  • Japan: KeyVault-BYOK-Tools-Japan.zip
    SHA-256: 3933C13CC6DC06651295ADC482B027AF923A76F1F6BF98B4D4B8E94632DEC7DF

  • Korea: KeyVault-BYOK-Tools-Korea.zip
    SHA-256: 71AB6BCFE06950097C8C18D532A9184BEF52A74BB944B8610DDDA05344ED136F

  • South Africa: KeyVault-BYOK-Tools-SouthAfrica.zip
    SHA-256: C41060C5C0170AAAAD896DA732E31433D14CB9FC83AC3C67766F46D98620784A

  • UAE: KeyVault-BYOK-Tools-UAE.zip
    SHA-256: FADE80210B06962AA0913EA411DAB977929248C65F365FD953BB9F241D5FC0D3

  • Australia: KeyVault-BYOK-Tools-Australia.zip
    SHA-256: CD0FB7365053DEF8C35116D7C92D203C64A3D3EE2452A025223EEB166901C40A

  • Azure Government: KeyVault-BYOK-Tools-USGovCloud.zip
    SHA-256: F8DB2FC914A7360650922391D9AA79FF030FD3048B5795EC83ADC59DB018621A

  • US Government DOD: KeyVault-BYOK-Tools-USGovernmentDoD.zip
    SHA-256: A79DD8C6DFFF1B00B91D1812280207A205442B3DDF861B79B8B991BB55C35263

  • Canada: KeyVault-BYOK-Tools-Canada.zip
    SHA-256: 61BE1A1F80AC79912A42DEBBCC42CF87C88C2CE249E271934630885799717C7B

  • Germany: KeyVault-BYOK-Tools-Germany.zip
    SHA-256: 5385E615880AAFC02AFD9841F7BADD025D7EE819894AA29ED3C71C3F844C45D6

  • Germany Public: KeyVault-BYOK-Tools-Germany-Public.zip
    SHA-256: 54534936D0A0C99C8117DB724C34A5E50FD204CFCBD75C78972B785865364A29

  • India: KeyVault-BYOK-Tools-India.zip
    SHA-256: 49EDCEB3091CF1DF7B156D5B495A4ADE1CFBA77641134F61B0E0940121C436C8

  • France: KeyVault-BYOK-Tools-France.zip
    SHA-256: 5C9D1F3E4125B0C09E9F60897C9AE3A8B4CB0E7D13A14F3EDBD280128F8FE7DF

  • United Kingdom: KeyVault-BYOK-Tools-UnitedKingdom.zip
    SHA-256: 432746BD0D3176B708672CCFF19D6144FCAA9E5EB29BB056489D3782B3B80849

  • Switzerland: KeyVault-BYOK-Tools-Switzerland.zip
    SHA-256: 88CF8D39899E26D456D4E0BC57E5C94913ABF1D73A89013FCE3BBD9599AD2FE9


To validate the integrity of your downloaded BYOK toolset, from your Azure PowerShell session, use the Get-FileHash cmdlet and compare its output with the hash listed above for your package.

Get-FileHash KeyVault-BYOK-Tools-*.zip

The toolset includes:

  • A Key Exchange Key (KEK) package that has a name beginning with BYOK-KEK-pkg-.
  • A Security World package that has a name beginning with BYOK-SecurityWorld-pkg-.
  • A Python script named verifykeypackage.py.
  • A command-line executable file named KeyTransferRemote.exe and associated DLLs.
  • A Visual C++ Redistributable Package, named vcredist_x64.exe.
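As an added example (not part of the Microsoft BYOK toolset or of this article's own commands), the following PowerShell function wraps the Get-FileHash check so that it fails closed on a mismatch, and then confirms that the archive actually carries the components listed above before you copy it to the disconnected workstation. The function name, the -ToolsetPath and -ExpectedHash parameters, and the usage line are assumptions; the expected hash is the one published for your package in Step 1.3.

```powershell
# Added example, not part of the BYOK toolset: verify a downloaded toolset zip
# before it goes onto the USB drive for the disconnected workstation.
# Assumed inputs: -ToolsetPath is the downloaded zip; -ExpectedHash is the SHA-256
# published for that package in Step 1.3.
function Test-ByokToolsetIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
        [string] $ToolsetPath,

        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9A-Fa-f]{64}$')]
        [string] $ExpectedHash
    )

    $name = Split-Path -Path $ToolsetPath -Leaf

    # 1. Integrity: the same Get-FileHash call the article uses, but compared
    #    explicitly and failing closed. PowerShell string comparison is
    #    case-insensitive, so the published upper-case hash matches either way.
    $actual = (Get-FileHash -Path $ToolsetPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedHash) {
        throw "SHA-256 mismatch for $name.`n  expected: $ExpectedHash`n  actual:   $actual`nDo not copy this package to the disconnected workstation."
    }

    # 2. Contents: the toolset components listed in Step 1.3 must all be present.
    #    Entry names are compared without their folder prefix, so a zip that
    #    wraps everything in a top-level directory is handled too.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ToolsetPath)
    try {
        $entries = @($zip.Entries | ForEach-Object { $_.Name })
    }
    finally {
        $zip.Dispose()
    }

    $required = @(
        'BYOK-KEK-pkg-*',            # Key Exchange Key package
        'BYOK-SecurityWorld-pkg-*',  # Security World package
        'verifykeypackage.py',
        'KeyTransferRemote.exe',
        'vcredist_x64.exe'
    )
    $missing = $required | Where-Object {
        $pattern = $_
        -not ($entries | Where-Object { $_ -like $pattern })
    }
    if ($missing) {
        throw "$name has the expected hash but is missing: $($missing -join ', ')"
    }

    [pscustomobject]@{
        Package = $name
        Sha256  = $actual
        Entries = $entries.Count
        Status  = 'OK'
    }
}

# Usage (assumed file location; take the hash from the list above for your region):
# Test-ByokToolsetIntegrity -ToolsetPath .\KeyVault-BYOK-Tools-Europe.zip `
#     -ExpectedHash 9AAA63E2E7F20CF9BB62485868754203721D2F88D300910634A32DFA1FB19E4A
```

A throw rather than a warning is deliberate: a package whose hash does not match the published value, or that lacks a component, should never reach the disconnected workstation.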

Copy the package to a USB drive or other portable storage.

Step 2: Prepare your disconnected workstation

For this second step, do the following procedures on the workstation that is not connected to a network (either the Internet or your internal network).

Step 2.1: Prepare the disconnected workstation with nCipher nShield HSM

Install the nCipher support software on a Windows computer, and then attach an nCipher nShield HSM to that computer.

Ensure that the nCipher tools are in your path (%nfast_home%\bin). For example, type the following:

set PATH=%PATH%;"%nfast_home%\bin"

For more information, see the user guide included with the nShield HSM.

Step 2.2: Install the BYOK toolset on the disconnected workstation

Copy the BYOK toolset package from the USB drive or other portable storage, and then do the following:

  1. Extract the files from the downloaded package into any folder.
  2. From that folder, run vcredist_x64.exe.
  3. Follow the instructions to install the Visual C++ runtime components for Visual Studio 2013.

Step 3: Generate your key

For this third step, do the following procedures on the disconnected workstation. To complete this step, your HSM must be in initialization mode.

Step 3.1: Change the HSM mode to 'I'

If you are using nCipher nShield Edge, to change the mode:

  1. Use the Mode button to highlight the required mode.
  2. Within a few seconds, press and hold the Clear button for a couple of seconds. If the mode changes, the new mode's LED stops flashing and remains lit. The Status LED might flash irregularly for a few seconds and then flashes regularly when the device is ready. Otherwise, the device remains in the current mode, with the appropriate mode LED lit.

Step 3.2: Create a security world

Start a command prompt and run the nCipher new-world program.

 new-world.exe --initialize --cipher-suite=DLf3072s256mRijndael --module=1 --acs-quorum=2/3

This program creates a Security World file at %NFAST_KMDATA%\local\world, which corresponds to the C:\ProgramData\nCipher\Key Management Data\local folder. You can use different values for the quorum, but in our example you are prompted to enter three blank cards and a PIN for each one. Then, any two cards give full access to the security world. These cards become the Administrator Card Set for the new security world.

Note

If your HSM does not support the newer cipher suite DLf3072s256mRijndael, you can replace --cipher-suite=DLf3072s256mRijndael with --cipher-suite=DLf1024s160mRijndael.

Then do the following:

  • Back up the world file. Secure and protect the world file, the Administrator Cards, and their PINs, and make sure that no single person has access to more than one card.

Step 3.3: Change the HSM mode to 'O'

If you are using nCipher nShield Edge, to change the mode:

  1. Use the Mode button to highlight the required mode.
  2. Within a few seconds, press and hold the Clear button for a couple of seconds. If the mode changes, the new mode's LED stops flashing and remains lit. The Status LED might flash irregularly for a few seconds and then flashes regularly when the device is ready. Otherwise, the device remains in the current mode, with the appropriate mode LED lit.

Step 3.4: Validate the downloaded package

This step is optional but recommended so that you can validate the following:

  • The Key Exchange Key that is included in the toolset has been generated from a genuine nCipher nShield HSM.
  • The hash of the Security World that is included in the toolset has been generated in a genuine nCipher nShield HSM.
  • The Key Exchange Key is non-exportable.

Note

To validate the downloaded package, the HSM must be connected, powered on, and must have a security world on it (such as the one you have just created).

To validate the downloaded package:

  1. Run the verifykeypackage.py script by typing one of the following, depending on your geographic region or instance of Azure:

    • For North America:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-NA-1 -w BYOK-SecurityWorld-pkg-NA-1

    • For Europe:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-EU-1 -w BYOK-SecurityWorld-pkg-EU-1

    • For Asia:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-AP-1 -w BYOK-SecurityWorld-pkg-AP-1

    • For Latin America:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-LATAM-1 -w BYOK-SecurityWorld-pkg-LATAM-1

    • For Japan:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-JPN-1 -w BYOK-SecurityWorld-pkg-JPN-1

    • For Korea:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-KOREA-1 -w BYOK-SecurityWorld-pkg-KOREA-1

    • For South Africa:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-SA-1 -w BYOK-SecurityWorld-pkg-SA-1

    • For UAE:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-UAE-1 -w BYOK-SecurityWorld-pkg-UAE-1

    • For Australia:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-AUS-1 -w BYOK-SecurityWorld-pkg-AUS-1

    • For Azure Government, which uses the US government instance of Azure:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-USGOV-1 -w BYOK-SecurityWorld-pkg-USGOV-1

    • For US Government DOD:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-USDOD-1 -w BYOK-SecurityWorld-pkg-USDOD-1

    • For Canada:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-CANADA-1 -w BYOK-SecurityWorld-pkg-CANADA-1

    • For Germany:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-GERMANY-1 -w BYOK-SecurityWorld-pkg-GERMANY-1

    • For Germany Public:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-GERMANY-1 -w BYOK-SecurityWorld-pkg-GERMANY-1

    • For India:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-INDIA-1 -w BYOK-SecurityWorld-pkg-INDIA-1

    • For France:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-FRANCE-1 -w BYOK-SecurityWorld-pkg-FRANCE-1

    • For United Kingdom:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-UK-1 -w BYOK-SecurityWorld-pkg-UK-1

    • For Switzerland:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-SUI-1 -w BYOK-SecurityWorld-pkg-SUI-1

      Tip

      The nCipher nShield software includes Python at %NFAST_HOME%\python\bin.

  2. Confirm that you see the following, which indicates successful validation: Result: SUCCESS

This script validates the signer chain up to the nShield root key. The hash of this root key is embedded in the script and its value should be 59178a47 de508c3f 291277ee 184f46c4 f1d9c639. You can also confirm this value separately by visiting the nCipher website.

You are now ready to create a new key.

Step 3.5: Create a new key

Generate a key by using the nCipher nShield generatekey program.

Run the following command to generate the key:

generatekey --generate simple type=RSA size=2048 protect=module ident=contosokey plainname=contosokey nvram=no pubexp=

When you run this command, use these instructions:

  • The parameter protect must be set to the value module, as shown. This creates a module-protected key. The BYOK toolset does not support OCS-protected keys.
  • Replace the value contosokey for the ident and plainname with any string value. To minimize administrative overheads and reduce the risk of errors, we recommend that you use the same value for both. The ident value must contain only numbers, dashes, and lower case letters.
  • The pubexp is left blank (default) in this example, but you can specify specific values. For more information, see the nCipher documentation.

This command creates a Tokenized Key file in your %NFAST_KMDATA%\local folder with a name starting with key_simple_, followed by the ident that was specified in the command. For example: key_simple_contosokey. This file contains an encrypted key.

Back up this Tokenized Key File in a safe location.

Important

When you later transfer your key to Azure Key Vault, Microsoft cannot export this key back to you, so it becomes extremely important that you back up your key and security world safely. Contact nCipher for guidance and best practices for backing up your key.

You are now ready to transfer your key to Azure Key Vault.

Step 4: Prepare your key for transfer

For this fourth step, do the following procedures on the disconnected workstation.

Step 4.1: Create a copy of your key with reduced permissions

Open a new command prompt and change the current directory to the location where you unzipped the BYOK zip file. To reduce the permissions on your key, from a command prompt, run one of the following, depending on your geographic region or instance of Azure:

  • For North America:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-NA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-NA-1

  • For Europe:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-EU-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-EU-1

  • For Asia:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AP-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AP-1

  • For Latin America:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-LATAM-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-LATAM-1

  • For Japan:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-JPN-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-JPN-1

  • For Korea:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-KOREA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-KOREA-1

  • For South Africa:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-SA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-SA-1

  • For UAE:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-UAE-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-UAE-1

  • For Australia:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AUS-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AUS-1

  • For Azure Government, which uses the US government instance of Azure:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USGOV-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USGOV-1

  • For US Government DOD:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USDOD-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USDOD-1

  • For Canada:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-CANADA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-CANADA-1

  • For Germany:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-GERMANY-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-GERMANY-1

  • For Germany Public:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-GERMANY-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-GERMANY-1

  • For India:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-INDIA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-INDIA-1

  • For France:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-FRANCE-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-FRANCE-1

  • For United Kingdom:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-UK-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-UK-1

  • For Switzerland:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-SUI-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-SUI-1


When you run this command, replace contosokey with the same value you specified in Step 3.5: Create a new key, from the Generate your key step.

You are asked to plug in your security world admin cards.

When the command completes, you see Result: SUCCESS and the copy of your key with reduced permissions is in the file named key_xferacld_<contosokey>.

You can inspect the ACLs by using the following commands with the nCipher nShield utilities:

  • aclprint.py:

      "%nfast_home%\bin\preload.exe" -m 1 -A xferacld -K contosokey "%nfast_home%\python\bin\python" "%nfast_home%\python\examples\aclprint.py"

  • kmfile-dump.exe:

      "%nfast_home%\bin\kmfile-dump.exe" "%NFAST_KMDATA%\local\key_xferacld_contosokey"

    When you run these commands, replace contosokey with the same value you specified in Step 3.5: Create a new key, from the Generate your key step.

Step 4.2: Encrypt your key by using Microsoft's Key Exchange Key

Run one of the following commands, depending on your geographic region or instance of Azure:

  • For North America:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-NA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-NA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Europe:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-EU-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-EU-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Asia:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AP-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AP-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Latin America:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-LATAM-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-LATAM-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Japan:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-JPN-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-JPN-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Korea:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-KOREA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-KOREA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For South Africa:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-SA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-SA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For UAE:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-UAE-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-UAE-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Australia:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AUS-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AUS-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Azure Government, which uses the US government instance of Azure:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USGOV-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USGOV-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For US Government DOD:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USDOD-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USDOD-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Canada:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-CANADA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-CANADA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Germany:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-GERMANY-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-GERMANY-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Germany Public:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-GERMANY-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-GERMANY-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For India:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-INDIA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-INDIA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For France:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-France-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-France-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For United Kingdom:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-UK-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-UK-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Switzerland:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-SUI-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-SUI-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    

When you run this command, use these instructions:

  • Replace contosokey with the identifier that you used to generate the key in Step 3.5: Create a new key from the Generate your key step.
  • Replace SubscriptionID with the ID of the Azure subscription that contains your key vault. You retrieved this value previously, in Step 1.2: Get your Azure subscription ID from the Prepare your Internet-connected workstation step.
  • Replace ContosoFirstHSMkey with a label that is used for your output file name.

When this completes successfully, it displays Result: SUCCESS, and there is a new file in the current folder with the name KeyTransferPackage-ContosoFirstHSMkey.byok.

Step 4.3: Copy your key transfer package to the Internet-connected workstation

Use a USB drive or other portable storage to copy the output file from the previous step (KeyTransferPackage-ContosoFirstHSMkey.byok) to your Internet-connected workstation.

Step 5: Transfer your key to Azure Key Vault

For this final step, on the Internet-connected workstation, use the Add-AzKeyVaultKey cmdlet to upload the key transfer package that you copied from the disconnected workstation to the Azure Key Vault HSM:

     Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -Name 'ContosoFirstHSMkey' -KeyFilePath 'c:\KeyTransferPackage-ContosoFirstHSMkey.byok' -Destination 'HSM'

If the upload is successful, the properties of the key that you just added are displayed.
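A PowerShell wrapper for Steps 4.2 and 5, added here as an example that is not part of the article or of the BYOK toolset: it derives the package names from a region name, hands over the .byok file only if the tool reported Result: SUCCESS and actually wrote it, and after the upload confirms that Key Vault created an HSM-backed key rather than a software key. It assumes KeyTransferRemote.exe is on the PATH of the offline workstation, the Az.KeyVault module is loaded on the online one, and that the returned key object exposes the JWK key type as $key.Key.Kty.

```powershell
# Added example, not the article's or toolset's own code. Assumes KeyTransferRemote.exe
# on PATH (offline host), Az.KeyVault loaded (online host), key type at $key.Key.Kty.
# Package-name suffixes taken from the Step 4.2 list (Germany Public shares GERMANY).
$RegionPackageSuffix = @{
    NorthAmerica = 'NA'; Europe = 'EU'; Asia = 'AP'; LatinAmerica = 'LATAM'; Japan = 'JPN'
    Korea = 'KOREA'; SouthAfrica = 'SA'; UAE = 'UAE'; Australia = 'AUS'; USGov = 'USGOV'
    USGovDoD = 'USDOD'; Canada = 'CANADA'; Germany = 'GERMANY'; India = 'INDIA'
    France = 'France'; UnitedKingdom = 'UK'; Switzerland = 'SUI'
}

# Step 4.2 (offline workstation): run the packaging command for one region and return
# the .byok path only if the tool reported success and the file exists.
function New-ByokPackage {
    param(
        [Parameter(Mandatory)][string]$Region,
        [Parameter(Mandatory)][string]$KeyIdentifier,    # the contosokey value from Step 3.5
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$KeyFriendlyName
    )
    if (-not $RegionPackageSuffix.ContainsKey($Region)) {
        throw "Unknown region '$Region'. Known: $($RegionPackageSuffix.Keys -join ', ')"
    }
    $suffix = $RegionPackageSuffix[$Region]
    $output = & KeyTransferRemote.exe -Package -KeyIdentifier $KeyIdentifier `
        -ExchangeKeyPackage "BYOK-KEK-pkg-$suffix-1" -NewSecurityWorldPackage "BYOK-SecurityWorld-pkg-$suffix-1" `
        -SubscriptionId $SubscriptionId -KeyFriendlyName $KeyFriendlyName 2>&1
    $package = Join-Path (Get-Location) "KeyTransferPackage-$KeyFriendlyName.byok"
    # Anything other than the documented "Result: SUCCESS" plus the output file is a failure.
    if (-not ($output -match 'Result:\s*SUCCESS') -or -not (Test-Path $package)) {
        throw "Packaging failed for '$KeyIdentifier':`n$($output | Out-String)"
    }
    return $package
}

# Step 5 (online workstation): upload the package and refuse to treat the key as
# imported unless the vault reports an HSM-backed key type (for example RSA-HSM).
function Import-ByokKey {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$PackagePath
    )
    if (-not (Test-Path $PackagePath) -or [IO.Path]::GetExtension($PackagePath) -ne '.byok') {
        throw "Expected an existing .byok transfer package, got '$PackagePath'"
    }
    $key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -KeyFilePath $PackagePath -Destination 'HSM'
    if ($key.Key.Kty -notlike '*-HSM') {
        throw "Key '$KeyName' was created as '$($key.Key.Kty)', not as an HSM-protected key"
    }
    return $key
}
```

Run New-ByokPackage on the disconnected workstation and Import-ByokKey on the connected one after copying the .byok file across, as in Step 4.3.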

Next steps

You can now use this HSM-protected key in your key vault. For more information, see this price and feature comparison.