About Azure Key Vault secrets

Key Vault provides secure storage of generic secrets, such as passwords and database connection strings.

From a developer's perspective, Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each. The Key Vault service doesn't provide semantics for secrets. It merely accepts the data, encrypts it, stores it, and returns a secret identifier ("id"). The identifier can be used to retrieve the secret at a later time.

For highly sensitive data, clients should consider additional layers of protection. Encrypting the data with a separate protection key before storing it in Key Vault is one example.

Key Vault also supports a contentType field for secrets. Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved. The maximum length of this field is 255 characters. There are no predefined values; the suggested usage is as a hint for interpreting the secret data. For instance, an implementation may store both passwords and certificates as secrets, then use this field to differentiate them.

Encryption

All secrets in your Key Vault are stored encrypted. This encryption is transparent and requires no action from the user. The Azure Key Vault service encrypts your secrets when you add them and decrypts them automatically when you read them. The encryption key is unique to each key vault.

Secret attributes

In addition to the secret data, the following attributes may be specified:

  • exp: IntDate, optional, default is forever. The exp (expiration time) attribute identifies the expiration time on or after which the secret data SHOULD NOT be retrieved, except in particular situations. This field is for informational purposes only, as it informs users of the key vault service that a particular secret may not be used. Its value MUST be a number containing an IntDate value.
  • nbf: IntDate, optional, default is now. The nbf (not before) attribute identifies the time before which the secret data SHOULD NOT be retrieved, except in particular situations. This field is for informational purposes only. Its value MUST be a number containing an IntDate value.
  • enabled: boolean, optional, default is true. This attribute specifies whether the secret data can be retrieved. The enabled attribute is used in conjunction with nbf and exp: when an operation occurs between nbf and exp, it will only be permitted if enabled is set to true. Operations outside the nbf and exp window are automatically disallowed, except in particular situations.

Additional read-only attributes are included in any response that includes secret attributes:

  • created: IntDate, optional. The created attribute indicates when this version of the secret was created. This value is null for secrets created prior to the addition of this attribute. Its value must be a number containing an IntDate value.
  • updated: IntDate, optional. The updated attribute indicates when this version of the secret was updated. This value is null for secrets that were last updated prior to the addition of this attribute. Its value must be a number containing an IntDate value.

For information on common attributes for each key vault object type, see Azure Key Vault keys, secrets and certificates overview.

Date-time controlled operations

A secret's get operation works for not-yet-valid and expired secrets, that is, outside the nbf / exp window. Calling get on a not-yet-valid secret can be used for test purposes. Retrieving (getting) an expired secret can be used for recovery operations.
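Because the nbf, exp and enabled attributes are informational and get still returns the value outside the window, the caller has to enforce them. The following Python is an added example (not from the page or the Azure SDK): it parses the attributes object of a secret bundle in the REST response shape described above and applies the nbf/exp/enabled rule client-side. The bundle, vault name, version string and value are constructed placeholders.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SecretAttributes:
    enabled: bool = True        # default is true
    nbf: Optional[int] = None   # IntDate (seconds since the Unix epoch); None means now
    exp: Optional[int] = None   # IntDate; None means forever
    created: Optional[int] = None
    updated: Optional[int] = None

def parse_attributes(bundle_json: str) -> SecretAttributes:
    """Parse the 'attributes' object of a secret bundle (REST response shape assumed)."""
    attrs = json.loads(bundle_json).get("attributes", {})
    for field in ("nbf", "exp", "created", "updated"):
        value = attrs.get(field)
        # IntDate values must be numbers; reject strings such as ISO-8601 dates.
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            raise ValueError(f"{field} MUST be a number containing an IntDate value")
    return SecretAttributes(enabled=bool(attrs.get("enabled", True)),
                            nbf=attrs.get("nbf"), exp=attrs.get("exp"),
                            created=attrs.get("created"), updated=attrs.get("updated"))

def usable(attrs: SecretAttributes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Client-side decision: may the secret value be used at time 'now'?
    get returns the value outside the window (test/recovery), so the caller enforces this."""
    now = int(time.time()) if now is None else now
    if not attrs.enabled:
        return False, "enabled is false"
    if attrs.nbf is not None and now < attrs.nbf:
        return False, "not yet valid (before nbf)"
    if attrs.exp is not None and now >= attrs.exp:
        return False, "expired (on or after exp)"
    return True, "enabled and within the nbf/exp window"

# Constructed sample bundle; vault name, version and value are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "value": "PLACEHOLDER-NOT-A-REAL-SECRET",
    "id": "https://example-vault.vault.azure.net/secrets/db-conn/EXAMPLE-VERSION",
    "contentType": "text/plain",
    "attributes": {"enabled": True, "nbf": 1700000000, "exp": 1800000000,
                   "created": 1699999000, "updated": 1699999000},
})

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_BUNDLE)
    print(usable(attrs, now=1750000000))  # (True, 'enabled and within the nbf/exp window')
```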

Secret access control

Access control for secrets managed in Key Vault is provided at the level of the Key Vault that contains those secrets. The access control policy for secrets is distinct from the access control policy for keys in the same Key Vault. Users may create one or more vaults to hold secrets, and are required to maintain scenario-appropriate segmentation and management of secrets.

The following permissions can be used, on a per-principal basis, in the secrets access control entry on a vault, and closely mirror the operations allowed on a secret object:

  • Permissions for secret management operations

    • get: Read a secret
    • list: List the secrets or versions of a secret stored in a Key Vault
    • set: Create a secret
    • delete: Delete a secret
    • recover: Recover a deleted secret
    • backup: Back up a secret in a key vault
    • restore: Restore a backed-up secret to a key vault
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted secret

For more information on working with secrets, see Secret operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

How-to guides to control access in Key Vault:

Secret tags

You can specify additional application-specific metadata in the form of tags. Key Vault supports up to 15 tags, each of which can have a 256-character name and a 256-character value.

Note

Tags are readable by a caller if they have the list or get permission.

Azure Storage account key management

Key Vault can manage Azure storage account keys:

  • Internally, Key Vault can list (sync) keys with an Azure storage account.
  • Key Vault regenerates (rotates) the keys periodically.
  • Key values are never returned in response to the caller.
  • Key Vault manages keys of both storage accounts and classic storage accounts.

For more information, see:

Storage account access control

The following permissions can be used when authorizing a user or application principal to perform operations on a managed storage account:

  • Permissions for managed storage account and SAS-definition operations

    • get: Get information about a storage account
    • list: List storage accounts managed by a Key Vault
    • update: Update a storage account
    • delete: Delete a storage account
    • recover: Recover a deleted storage account
    • backup: Back up a storage account
    • restore: Restore a backed-up storage account to a Key Vault
    • set: Create or update a storage account
    • regeneratekey: Regenerate a specified key value for a storage account
    • getsas: Get information about a SAS definition for a storage account
    • listsas: List storage SAS definitions for a storage account
    • deletesas: Delete a SAS definition from a storage account
    • setsas: Create or update a new SAS definition/attributes for a storage account
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a managed storage account

For more information, see the Storage account operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.
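The permission lists above for secrets and for managed storage accounts can be used to audit a vault's access policies for privileged grants such as purge and regeneratekey, and for principals able to read secret values or tags. The following Python is an added example, not the project's own code; it assumes the ARM vault body shape (properties.accessPolicies[].objectId with permissions.secrets and permissions.storage) used by the Vaults - Create or Update API referenced above, and the object IDs in the sample are constructed placeholders.

```python
import json
from typing import Dict, List

# Permission names for the two object types, as listed on this page.
SECRET_PERMS = {"get", "list", "set", "delete", "recover", "backup", "restore", "purge"}
STORAGE_PERMS = {"get", "list", "update", "delete", "recover", "backup", "restore", "set",
                 "regeneratekey", "getsas", "listsas", "deletesas", "setsas", "purge"}
PRIVILEGED = {"purge"}  # the page's "privileged operations" group for both types

def _expand(granted, known):
    """Lower-case a grant list; 'all' (an ARM enum value, assumption not on this page)
    stands for every permission of that object type."""
    g = {s.lower() for s in granted}
    return set(known) if "all" in g else g

def audit_access_policies(vault_json: str) -> List[Dict[str, object]]:
    """One finding per access-policy entry of a vault resource body.
    Assumed ARM shape: properties.accessPolicies[].objectId / .permissions.{secrets,storage}."""
    findings = []
    for p in json.loads(vault_json)["properties"]["accessPolicies"]:
        perms = p.get("permissions", {})
        secrets = _expand(perms.get("secrets", []), SECRET_PERMS)
        storage = _expand(perms.get("storage", []), STORAGE_PERMS)
        findings.append({
            "objectId": p["objectId"],
            # Names the page does not list (typos, or a permission granted on the wrong type)
            "not_on_page": sorted((secrets - SECRET_PERMS) | (storage - STORAGE_PERMS)),
            "reads_secret_values": "get" in secrets,        # get reads the secret itself
            "reads_tags": bool(secrets & {"get", "list"}),  # tags are visible with list or get
            "privileged": sorted((secrets | storage) & PRIVILEGED),
            "regenerates_storage_keys": "regeneratekey" in storage,
        })
    return findings

# Constructed sample vault body; object IDs are placeholders, not real principals.
SAMPLE_VAULT = json.dumps({"properties": {"accessPolicies": [
    {"objectId": "00000000-0000-0000-0000-000000000001",
     "permissions": {"secrets": ["Get", "List"], "storage": []}},
    {"objectId": "00000000-0000-0000-0000-000000000002",
     "permissions": {"secrets": ["list", "set", "delete", "purge"], "storage": ["all"]}},
]}})

if __name__ == "__main__":
    for finding in audit_access_policies(SAMPLE_VAULT):
        print(finding)
```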

How-to guides to control access in Key Vault:

Next steps