什麼是 Azure 金鑰保存庫?What is Azure Key Vault?

Azure Key Vault 可協助您解決下列問題:Azure Key Vault helps solve the following problems:

  • 祕密管理 - Azure Key Vault 可用來安全地儲存權杖、密碼、憑證、API 金鑰和其他祕密,並嚴密控制其存取Secrets Management - Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets
  • 金鑰管理 - Azure Key Vault 也可作為金鑰管理解決方案。Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key Vault 可讓您輕鬆地建立和控制用來加密資料的加密金鑰。Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
  • 憑證管理 - Azure Key Vault 也是一項服務,可讓您輕鬆地佈建、管理及部署 Azure 和您內部連線的資源所使用的公用和私人安全通訊端層/傳輸層安全性 (SSL/TLS) 憑證。Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
  • 儲存受到硬體安全性模型支援的祕密 - 祕密和金鑰可受到軟體的保護,或由通過 FIPS 140-2 Level 2 驗證的 HSM 保護Store secrets backed by Hardware Security Modules - The secrets and keys can be protected either by software or FIPS 140-2 Level 2 validates HSMs

為何使用 Azure Key Vault?Why use Azure Key Vault?

集中儲存應用程式祕密Centralize application secrets

在 Azure Key Vault 中集中儲存應用程式祕密,可讓您控制其散發。Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault 可大幅降低不小心洩露祕密的風險。Key Vault greatly reduces the chances that secrets may be accidentally leaked. 使用 Key Vault 時,應用程式開發人員不再需要在其應用程式中儲存安全性資訊。When using Key Vault, application developers no longer need to store security information in their application. 不需將安全性資訊儲存在應用程式中,就不需要讓此資訊成為程式碼的一部分。Not having to store security information in applications eliminates the need to make this information part of the code. 例如,應用程式可能需要連線到資料庫。For example, an application may need to connect to a database. 您可以在 Key Vault 中妥善儲存連接字串,而不用在應用程式程式碼中儲存連接字串。Instead of storing the connection string in the app's code, you can store it securely in Key Vault.

您的應用程式可以使用 URI 安全地存取其所需的資訊。Your applications can securely access the information they need by using URIs. 這些 URI 可讓應用程式擷取特定版本的祕密。These URIs allow the applications to retrieve specific versions of a secret. 您不需要撰寫自訂程式碼來保護任何儲存在 Key Vault 中的祕密資訊。There is no need to write custom code to protect any of the secret information stored in Key Vault.

安全地儲存秘密和金鑰Securely store secrets and keys

Azure 使用會業界標準演算法、金鑰長度和硬體安全性模組 (HSM) 來保護秘密和金鑰。Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). 使用的 HSM 經過美國聯邦資訊處理標準 (FIPS) 140-2 Level 2 驗證。The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.

金鑰保存庫的存取權需要先經過適當的驗證和授權,呼叫者 (使用者或應用程式) 才能取得存取權。Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. 驗證會建立呼叫者的身分識別,授權則會判斷呼叫者可以執行的作業。Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.

驗證會透過 Azure Active Directory 進行。Authentication is done via Azure Active Directory. 授權可以透過角色型存取控制 (RBAC) 或 Key Vault 存取原則進行。Authorization may be done via role-based access control (RBAC) or Key Vault access policy. 在處理保存庫的管理時會使用 RBAC,而在嘗試存取保存庫中儲存的資料時會使用金鑰保存庫存取原則。RBAC is used when dealing with the management of the vaults and key vault access policy is used when attempting to access data stored in a vault.

Azure Key Vault 可能受軟體或硬體 HSM 保護。Azure Key Vaults may be either software- or hardware-HSM protected. 在您需要加強保證的情況下,您可以在硬體安全模組 (HSM) 中匯入或產生無需離開 HSM 界限的金鑰。For situations where you require added assurance you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. Microsoft 使用 nCipher 硬體安全性模型。Microsoft uses nCipher hardware security modules. 您可以使用 nCipher 工具將金鑰從您的 HSM 移至 Azure Key Vault。You can use nCipher tools to move a key from your HSM to Azure Key Vault.

最後,Azure Key Vault 依設計會使 Microsoft 無法看見或擷取您的資料。Finally, Azure Key Vault is designed so that Microsoft does not see or extract your data.

監視存取和使用Monitor access and use

在您建立一些 Key Vault 之後,您會想要監視存取金鑰和祕密的方式和時機。Once you have created a couple of Key Vaults, you will want to monitor how and when your keys and secrets are being accessed. 您可以藉由啟用保存庫的記錄來監視活動。You can monitor activity by enabling logging for your vaults. 您可以如下設定 Azure Key Vault:You can configure Azure Key Vault to:

  • 封存至儲存體帳戶。Archive to a storage account.
  • 串流至事件中樞。Stream to an event hub.
  • 將記錄傳送至 Azure 監視器記錄。Send the logs to Azure Monitor logs.

您可以控制您的記錄,藉由限制存取權來保護它們,也可以刪除您不再需要的記錄。You have control over your logs and you may secure them by restricting access and you may also delete logs that you no longer need.

簡化應用程式祕密的管理Simplified administration of application secrets

在儲存珍貴資料時,您必須採取幾個步驟。When storing valuable data, you must take several steps. 安全性資訊必須受到保護,它必須遵循生命週期,同時必須保持高可用性。Security information must be secured, it must follow a life cycle, it must be highly available. Azure Key Vault 可藉由下列功能,簡化符合這些需求的程序:Azure Key Vault simplifies the process of meeting these requirements by:

  • 無須具備硬體安全性模組的內部知識Removing the need for in-house knowledge of Hardware Security Modules
  • 在短時間內相應增加,以符合組織的使用尖峰。Scaling up on short notice to meet your organization’s usage spikes.
  • 將區域內的 Key Vault 內容複寫到次要區域。Replicating the contents of your Key Vault within a region and to a secondary region. 資料複寫可確保高可用性,並可讓管理員無須執行任何動作來觸發容錯移轉。Data replication ensures high availability and takes away the need of any action from the administrator to trigger the failover.
  • 透過入口網站、Azure CLI 和 PowerShell 提供標準 Azure 系統管理選項。Providing standard Azure administration options via the portal, Azure CLI and PowerShell.
  • 自動對向公開 CA 購買的憑證執行一些作業,例如註冊或續約。Automating certain tasks on certificates that you purchase from Public CAs, such as enrollment and renewal.

此外,Azure Key Vault 可讓您隔離應用程式祕密。In addition, Azure Key Vaults allow you to segregate application secrets. 應用程式只能存取其有權存取的保存庫,且可能限定為只能執行特定作業。Applications may access only the vault that they are allowed to access, and they can be limited to only perform specific operations. 您可以為每個應用程式建立 Azure Key Vault,並將 Key Vault 中儲存的祕密限制於特定應用程式和開發人員小組。You can create an Azure Key Vault per application and restrict the secrets stored in a Key Vault to a specific application and team of developers.

與其他 Azure 服務整合Integrate with other Azure services

Key Vault 是 Azure 中的安全存放區,常用來簡化如下的案例:As a secure store in Azure, Key Vault has been used to simplify scenarios like:

Key Vault 本身可與儲存體帳戶、事件中樞和記錄分析整合。Key Vault itself can integrate with storage accounts, event hubs, and log analytics.

後續步驟Next steps