Azure Data Encryption-at-Rest

Microsoft Azure includes tools to safeguard data according to your company's security and compliance needs. This paper focuses on:

  • How data is protected at rest across Microsoft Azure
  • The various components taking part in the data protection implementation
  • The pros and cons of the different key management protection approaches

Encryption at Rest is a common security requirement. In Azure, organizations can encrypt data at rest without the risk or cost of a custom key management solution. Organizations have the option of letting Azure completely manage Encryption at Rest. Additionally, organizations have various options to closely manage encryption or encryption keys.

What is encryption at rest?

Encryption at Rest is the encoding (encryption) of data when it is persisted. The Encryption at Rest designs in Azure use symmetric encryption to encrypt and decrypt large amounts of data quickly, according to a simple conceptual model:

  • A symmetric encryption key is used to encrypt data as it is written to storage.
  • The same encryption key is used to decrypt that data as it is readied for use in memory.
  • Data may be partitioned, and different keys may be used for each partition.
  • Keys must be stored in a secure location with identity-based access control and audit policies. Data encryption keys are often encrypted with asymmetric encryption to further limit access.

In practice, key management and control scenarios, as well as scale and availability assurances, require additional constructs. Microsoft Azure Encryption at Rest concepts and components are described below.

The purpose of encryption at rest

Encryption at rest provides data protection for stored data (at rest). Attacks against data at rest include attempts to obtain physical access to the hardware on which the data is stored, and then compromise the contained data. In such an attack, a server's hard drive may have been mishandled during maintenance, allowing an attacker to remove the hard drive. Later, the attacker would put the hard drive into a computer under their control to attempt to access the data.

Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource consuming than accessing unencrypted data on a hard drive. For this reason, encryption at rest is highly recommended and is a high priority requirement for many organizations.

Encryption at rest may also be required by an organization's need for data governance and compliance efforts. Industry and government regulations such as HIPAA, PCI, and FedRAMP lay out specific safeguards regarding data protection and encryption requirements. Encryption at rest is a mandatory measure required for compliance with some of those regulations.

In addition to satisfying compliance and regulatory requirements, encryption at rest provides defense-in-depth protection. Microsoft Azure provides a compliant platform for services, applications, and data. It also provides comprehensive facility and physical security, data access control, and auditing. However, it's important to provide additional "overlapping" security measures in case one of the other security measures fails, and encryption at rest provides such a security measure.

Microsoft is committed to encryption at rest options across cloud services and to giving customers control of encryption keys and logs of key use. Additionally, Microsoft is working towards encrypting all customer data at rest by default.

Azure Encryption at Rest Components

As described previously, the goal of encryption at rest is that data that is persisted on disk is encrypted with a secret encryption key. To achieve that goal, secure key creation, storage, access control, and management of the encryption keys must be provided. Though details may vary, the Encryption at Rest implementations of Azure services can be described in the terms illustrated in the following diagram.

[Diagram: Encryption at Rest components]

Azure Key Vault

The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. The keys need to be highly secured but manageable by specified users and available to specific services. For Azure services, Azure Key Vault is the recommended key storage solution and provides a common management experience across services. Keys are stored and managed in key vaults, and access to a key vault can be given to users or services. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios.

Azure Active Directory

Permissions to use the keys stored in Azure Key Vault, either to manage them or to access them for Encryption at Rest encryption and decryption, can be given to Azure Active Directory accounts.

Key Hierarchy

More than one encryption key is used in an encryption at rest implementation. Asymmetric encryption is useful for establishing the trust and authentication needed for key access and management. Symmetric encryption is more efficient for bulk encryption and decryption, allowing for stronger encryption and better performance. Limiting the use of a single encryption key decreases the risk that the key will be compromised and the cost of re-encryption when a key must be replaced. Azure encryption at rest models use a key hierarchy made up of the following types of keys:

  • Data Encryption Key (DEK) – A symmetric AES256 key used to encrypt a partition or block of data. A single resource may have many partitions and many Data Encryption Keys. Encrypting each block of data with a different key makes cryptanalysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key.
  • Key Encryption Key (KEK) – An asymmetric encryption key used to encrypt the Data Encryption Keys. Use of a Key Encryption Key allows the data encryption keys themselves to be encrypted and controlled. The entity that has access to the KEK may be different from the entity that requires the DEK. An entity may broker access to the DEK to limit the access of each DEK to a specific partition. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point through which all of its DEKs can be deleted, by deleting the KEK.

The Data Encryption Keys, encrypted with the Key Encryption Keys, are stored separately, and only an entity with access to the Key Encryption Key can get any Data Encryption Keys encrypted with that key. Different models of key storage are supported. Each model is discussed in more detail in the next section.

Data Encryption Models

An understanding of the various encryption models and their pros and cons is essential for understanding how the various resource providers in Azure implement encryption at rest. These definitions are shared across all resource providers in Azure to ensure a common language and taxonomy.

There are three scenarios for server-side encryption:

  • Server-side encryption using service-managed keys

    • Azure Resource Providers perform the encryption and decryption operations
    • Microsoft manages the keys
    • Full cloud functionality
  • Server-side encryption using customer-managed keys in Azure Key Vault

    • Azure Resource Providers perform the encryption and decryption operations
    • Customer controls keys via Azure Key Vault
    • Full cloud functionality
  • Server-side encryption using customer-managed keys on customer-controlled hardware

    • Azure Resource Providers perform the encryption and decryption operations
    • Customer controls keys on customer-controlled hardware
    • Full cloud functionality

For client-side encryption, consider the following:

  • Azure services cannot see decrypted data
  • Customers manage and store keys on-premises (or in other secure stores). Keys are not available to Azure services
  • Reduced cloud functionality

The supported encryption models in Azure split into two main groups: "Client Encryption" and "Server-side Encryption", as mentioned previously. Independent of the encryption at rest model used, Azure services always recommend the use of a secure transport such as TLS or HTTPS. Therefore, encryption in transit should be addressed by the transport protocol and should not be a major factor in determining which encryption at rest model to use.

Client encryption model

The Client Encryption model refers to encryption that is performed outside of the Resource Provider or Azure by the service or calling application. The encryption can be performed by the service application in Azure, or by an application running in the customer data center. In either case, when leveraging this encryption model, the Azure Resource Provider receives an encrypted blob of data without the ability to decrypt the data in any way or to access the encryption keys. In this model, the key management is done by the calling service/application and is opaque to the Azure service.

[Diagram: client encryption model]

Server-side encryption model

Server-side Encryption models refer to encryption that is performed by the Azure service. In that model, the Resource Provider performs the encrypt and decrypt operations. For example, Azure Storage may receive data in plain text operations and will perform the encryption and decryption internally. The Resource Provider might use encryption keys that are managed by Microsoft or by the customer, depending on the provided configuration.

[Diagram: server-side encryption model]

Server-side encryption key management models

Each of the server-side encryption at rest models implies distinctive characteristics of key management. This includes where and how encryption keys are created and stored, as well as the access models and the key rotation procedures.

Server-side encryption using service-managed keys

For many customers, the essential requirement is to ensure that the data is encrypted whenever it is at rest. Server-side encryption using service-managed keys enables this model by allowing customers to mark the specific resource (Storage Account, SQL DB, etc.) for encryption and leaving all key management aspects such as key issuance, rotation, and backup to Microsoft. Most Azure services that support encryption at rest typically support this model of offloading the management of the encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management.

[Diagram: server-side encryption with service-managed keys]

Server-side encryption using service-managed keys therefore quickly addresses the need to have encryption at rest with low overhead to the customer. When available, a customer typically opens the Azure portal for the target subscription and resource provider and checks a box indicating they would like the data to be encrypted. In some Resource Managers, server-side encryption with service-managed keys is on by default.

Server-side encryption with Microsoft-managed keys does imply the service has full access to store and manage the keys. While some customers may want to manage the keys because they feel they gain greater security, the cost and risk associated with a custom key storage solution should be considered when evaluating this model. In many cases, an organization may determine that resource constraints or risks of an on-premises solution may be greater than the risk of cloud management of the encryption at rest keys. However, this model might not be sufficient for organizations that have requirements to control the creation or lifecycle of the encryption keys, or to have different personnel manage a service's encryption keys than those managing the service (that is, segregation of key management from the overall management model for the service).

Key access

When server-side encryption with service-managed keys is used, the key creation, storage, and service access are all managed by the service. Typically, the foundational Azure resource providers will store the Data Encryption Keys in a store that is close to the data and quickly available and accessible, while the Key Encryption Keys are stored in a secure internal store.

Advantages

  • Simple setup
  • Microsoft manages key rotation, backup, and redundancy
  • Customer does not have the cost associated with implementation or the risk of a custom key management scheme.

Disadvantages

  • No customer control over the encryption keys (key specification, lifecycle, revocation, etc.)
  • No ability to segregate key management from the overall management model for the service

Server-side encryption using customer-managed keys in Azure Key Vault

For scenarios where the requirement is to encrypt the data at rest and control the encryption keys, customers can use server-side encryption using customer-managed keys in Key Vault. Some services may store only the root Key Encryption Key in Azure Key Vault and store the encrypted Data Encryption Key in an internal location closer to the data. In that scenario, customers can bring their own keys to Key Vault (BYOK – Bring Your Own Key), or generate new ones, and use them to encrypt the desired resources. While the Resource Provider performs the encryption and decryption operations, it uses the configured key as the root key for all encryption operations.

Key Access

The server-side encryption model with customer-managed keys in Azure Key Vault involves the service accessing the keys to encrypt and decrypt as needed. Encryption at rest keys are made accessible to a service through an access control policy. This policy grants the service identity access to receive the key. An Azure service running on behalf of an associated subscription can be configured with an identity in that subscription. The service can perform Azure Active Directory authentication and receive an authentication token identifying itself as that service acting on behalf of the subscription. That token can then be presented to Key Vault to obtain a key it has been given access to.

For operations using encryption keys, a service identity can be granted access to any of the following operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, and restore.

To obtain a key for use in encrypting or decrypting data at rest, the service identity that the Resource Manager service instance will run as must have UnwrapKey (to get the key for decryption) and WrapKey (to insert a key into Key Vault when creating a new key).
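The DEK/KEK hierarchy and the wrapKey/unwrapKey permissions described above, as an added Go example (not Azure or Key Vault code): an in-memory stand-in for Key Vault keeps an RSA 2048-bit KEK behind a per-identity access policy, and a resource provider encrypts each partition under its own AES-256 DEK that is stored only in wrapped form, so the KEK private key never leaves the vault and deleting the KEK makes every DEK unrecoverable. The vault type, policy entries, identity names and sample data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Vault stands in for Azure Key Vault: the asymmetric KEK plus a per-identity access policy.
type Vault struct {
	kek    *rsa.PrivateKey
	policy map[string]map[string]bool // identity -> key operations it may call
}

func NewVault(policy map[string]map[string]bool) (*Vault, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048) // RSA 2048-bit, the KEK size the page lists
	if err != nil {
		return nil, err
	}
	return &Vault{kek: kek, policy: policy}, nil
}

func (v *Vault) authorize(identity, op string) error {
	if v.kek == nil {
		return fmt.Errorf("KEK has been deleted")
	}
	if !v.policy[identity][op] {
		return fmt.Errorf("identity %q is not granted %q", identity, op)
	}
	return nil
}

// WrapKey encrypts a DEK under the KEK with RSA-OAEP; needs the wrapKey permission.
func (v *Vault) WrapKey(identity string, dek []byte) ([]byte, error) {
	if err := v.authorize(identity, "wrapKey"); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &v.kek.PublicKey, dek, nil)
}

// UnwrapKey recovers a DEK; needs unwrapKey. The KEK private key never leaves the vault.
func (v *Vault) UnwrapKey(identity string, wrapped []byte) ([]byte, error) {
	if err := v.authorize(identity, "unwrapKey"); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, v.kek, wrapped, nil)
}

// DeleteKEK removes the root key; every DEK wrapped under it is now unrecoverable.
func (v *Vault) DeleteKEK() { v.kek = nil }

// Partition is one block of data stored beside its own DEK, which exists only in wrapped form.
type Partition struct {
	WrappedDEK, Nonce, Ciphertext []byte
}

func aeadFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the resource provider's write path: a fresh AES-256 DEK per partition, AES-GCM over
// the data, the DEK wrapped by the vault, and the plaintext DEK dropped on return.
func Encrypt(v *Vault, identity string, plaintext []byte) (*Partition, error) {
	dek, nonce := make([]byte, 32), make([]byte, 12) // 12 bytes is the standard GCM nonce size
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := v.WrapKey(identity, dek)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(dek)
	if err != nil {
		return nil, err
	}
	return &Partition{wrapped, nonce, aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is the read path: unwrap this partition's DEK through the vault, then open the block.
func Decrypt(v *Vault, identity string, p *Partition) ([]byte, error) {
	dek, err := v.UnwrapKey(identity, p.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, nil)
}
```

An identity granted only list cannot wrap or unwrap, so it can read wrapped DEKs from storage but never the plaintext they protect.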

Note

For more detail on Key Vault authorization, see the "Secure your key vault" page in the Azure Key Vault documentation.

Advantages

  • Full control over the keys used – encryption keys are managed in the customer's Key Vault under the customer's control.
  • Ability to encrypt multiple services to one master
  • Can segregate key management from the overall management model for the service
  • Can define service and key location across regions

Disadvantages

  • Customer has full responsibility for key access management
  • Customer has full responsibility for key lifecycle management
  • Additional setup and configuration overhead

Server-side encryption using service-managed keys in customer-controlled hardware

Some Azure services enable the Host Your Own Key (HYOK) key management model. This management mode is useful in scenarios where there is a need to encrypt the data at rest and manage the keys in a proprietary repository outside of Microsoft's control. In this model, the service must retrieve the key from an external site. Performance and availability guarantees are impacted, and configuration is more complex. Additionally, since the service does have access to the DEK during the encryption and decryption operations, the overall security guarantees of this model are similar to when the keys are customer-managed in Azure Key Vault. As a result, this model is not appropriate for most organizations unless they have specific key management requirements. Due to these limitations, most Azure services do not support server-side encryption using server-managed keys in customer-controlled hardware.

Key Access

When server-side encryption using service-managed keys in customer-controlled hardware is used, the keys are maintained on a system configured by the customer. Azure services that support this model provide a means of establishing a secure connection to a customer-supplied key store.

Advantages

  • Full control over the root key used – encryption keys are managed by a customer-provided store
  • Ability to encrypt multiple services to one master
  • Can segregate key management from the overall management model for the service
  • Can define service and key location across regions

Disadvantages

  • Full responsibility for key storage, security, performance, and availability
  • Full responsibility for key access management
  • Full responsibility for key lifecycle management
  • Significant setup, configuration, and ongoing maintenance costs
  • Increased dependency on network availability between the customer datacenter and Azure datacenters.

Encryption at rest in Microsoft cloud services

Microsoft Cloud services are used in all three cloud models: IaaS, PaaS, SaaS. Below are examples of how they fit in each model:

  • Software services, referred to as Software as a Service or SaaS, which have applications provided by the cloud, such as Office 365.
  • Platform services, in which customers leverage the cloud in their applications, using the cloud for things like storage, analytics, and service bus functionality.
  • Infrastructure services, or Infrastructure as a Service (IaaS), in which the customer deploys operating systems and applications that are hosted in the cloud and possibly leverage other cloud services.

Encryption at rest for SaaS customers

Software as a Service (SaaS) customers typically have encryption at rest enabled or available in each service. Office 365 has several options for customers to verify or enable encryption at rest. For information about Office 365 services, see Encryption in Office 365.

Encryption at rest for PaaS customers

Platform as a Service (PaaS) customers' data typically resides in an application execution environment and any Azure Resource Providers used to store customer data. To see the encryption at rest options available to you, examine the table below for the storage and application platforms that you use. Where supported, links to instructions on enabling Encryption at Rest are provided for each resource provider.

Encryption at rest for IaaS customers

Infrastructure as a Service (IaaS) customers can have a variety of services and applications in use. IaaS services can enable encryption at rest in their Azure-hosted virtual machines and VHDs using Azure Disk Encryption.

Encrypted storage

Like PaaS, IaaS solutions can leverage other Azure services that store data encrypted at rest. In these cases, you can enable the Encryption at Rest support as provided by each consumed Azure service. The table below enumerates the major storage, services, and application platforms and the model of Encryption at Rest supported. Where supported, links are provided to instructions on enabling Encryption at Rest.

Encrypted compute

A complete Encryption at Rest solution requires that the data is never persisted in unencrypted form. While in use, on a server loading the data in memory, data can be persisted locally in various ways, including the Windows page file, a crash dump, and any logging the application may perform. To ensure this data is encrypted at rest, IaaS applications can use Azure Disk Encryption on an Azure IaaS virtual machine (Windows or Linux) and virtual disk.

Custom encryption at rest

It is recommended that, whenever possible, IaaS applications leverage Azure Disk Encryption and the Encryption at Rest options provided by any consumed Azure services. In some cases, such as irregular encryption requirements or non-Azure-based storage, a developer of an IaaS application may need to implement encryption at rest themselves. Developers of IaaS solutions can better integrate with Azure management and customer expectations by leveraging certain Azure components. Specifically, developers should use the Azure Key Vault service to provide secure key storage as well as to provide their customers with key management options consistent with those of most Azure platform services. Additionally, custom solutions should use Azure Managed Service Identities to enable service accounts to access encryption keys. For developer information on Azure Key Vault and Managed Service Identities, see their respective SDKs.

Azure resource providers encryption model support

Microsoft Azure services each support one or more of the encryption at rest models. For some services, however, one or more of the encryption models may not be applicable. Services that support customer-managed key scenarios may support only a subset of the key types that Azure Key Vault supports for key encryption keys. Additionally, services may release support for these scenarios and key types on different schedules. This section describes the encryption at rest support at the time of this writing for each of the major Azure data storage services.

Azure disk encryption

Any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption. For more information on Azure Disk Encryption, see the Azure Disk Encryption documentation.

Azure storage

All Azure Storage services (Blob storage, Queue storage, Table storage, and Azure Files) support server-side encryption at rest, with some services supporting customer-managed keys and client-side encryption.

Azure SQL Database

Azure SQL Database currently supports encryption at rest for Microsoft-managed service-side and client-side encryption scenarios.

Support for server encryption is currently provided through the SQL feature called Transparent Data Encryption. Once an Azure SQL Database customer enables TDE, keys are automatically created and managed for them. Encryption at rest can be enabled at the database and server levels. As of June 2017, Transparent Data Encryption (TDE) is enabled by default on newly created databases. Azure SQL Database supports RSA 2048-bit customer-managed keys in Azure Key Vault. For more information, see Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Data Warehouse.

Client-side encryption of Azure SQL Database data is supported through the Always Encrypted feature. Always Encrypted uses a key that is created and stored by the client. Customers can store the master key in a Windows certificate store, Azure Key Vault, or a local Hardware Security Module. Using SQL Server Management Studio, SQL users choose which key they'd like to use to encrypt which column.

Encryption Model and Key Management

| Service | Server-side using service-managed key | Server-side using customer-managed key in Key Vault | Client-side using client-managed key |
|---|---|---|---|
| AI and Machine Learning | | | |
| Azure Search | Yes | - | - |
| Azure Machine Learning Service | Yes | - | - |
| Azure Machine Learning Studio | Yes | Preview, RSA 2048-bit | - |
| Power BI | Yes | - | - |
| Analytics | | | |
| Azure Stream Analytics | Yes | - | - |
| Event Hubs | Yes | - | - |
| Azure Analysis Services | Yes | - | - |
| Azure Data Catalog | Yes | - | - |
| HDInsight | Yes | Preview for Apache Kafka, all RSA lengths | - |
| Azure Data Factory | Yes | - | - |
| Azure Data Lake Store | Yes | Yes, RSA 2048-bit | - |
| Compute | | | |
| Virtual Machines | - | Yes, RSA 2048-bit | - |
| Virtual Machine Scale Set | - | Yes, RSA 2048-bit | - |
| Databases | | | |
| SQL Server on Virtual Machines | Yes | Yes, RSA 2048-bit | Yes |
| Azure SQL Database | Yes | Yes, RSA 2048-bit | Yes |
| Azure SQL Data Warehouse | Yes | Yes, RSA 2048-bit | Yes |
| SQL Server Stretch Database | Yes | Yes, RSA 2048-bit | Yes |
| Table Storage | Yes | - | Yes |
| Azure Cosmos DB | Yes | - | - |
| DevOps | | | |
| Azure DevOps | Yes | - | Yes |
| Azure Repos | Yes | - | Yes |
| Identity | | | |
| Azure Active Directory | Yes | - | - |
| Azure Active Directory Domain Services | Yes | Yes, RSA 2048-bit | - |
| Integration | | | |
| Service Bus | Yes | - | Yes |
| Event Grid | Yes | - | - |
| API Management | Yes | - | - |
| IoT Services | | | |
| IoT Hub | - | - | Yes |
| Management and Governance | | | |
| Azure Site Recovery | Yes | Yes, RSA 2048-bit | Yes |
| Media | | | |
| Media Services | Yes | - | Yes |
| Storage | | | |
| Blob Storage | Yes | Yes, RSA 2048-bit | Yes |
| Disk Storage | Yes | - | - |
| Managed Disk Storage | Yes | - | - |
| File Storage | Yes | Yes, RSA 2048-bit | - |
| Queue Storage | Yes | - | Yes |
| Avere vFXT | Yes | - | - |
| Archive Storage | Yes | Yes, RSA 2048-bit | - |
| StorSimple | Yes | - | Yes |
| Azure Backup | Yes | - | Yes |
| Data Box | Yes | - | Yes |

Conclusion

Protection of customer data stored within Azure services is of paramount importance to Microsoft. All Azure-hosted services are committed to providing Encryption at Rest options. Foundational services such as Azure Storage, Azure SQL Database, and key analytics and intelligence services already provide Encryption at Rest options. Some of these services support customer-controlled keys and client-side encryption as well as service-managed keys and encryption. Microsoft Azure services are broadly enhancing Encryption at Rest availability, and new options are planned for preview and general availability in the upcoming months.