Azure encryption overview

This article provides an overview of how encryption is used in Microsoft Azure. It covers the major areas of encryption, including encryption at rest, encryption in flight, and key management with Azure Key Vault. Each section includes links to more detailed information.

Encryption of data at rest

Data at rest includes information that resides in persistent storage on physical media, in any digital format. The media can include files on magnetic or optical media, archived data, and data backups. Microsoft Azure offers a variety of data storage solutions to meet different needs, including file, disk, blob, and table storage. Microsoft also provides encryption to protect Azure SQL Database, Azure Cosmos DB, and Azure Data Lake.

Data encryption at rest is available for services across the software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) cloud models. This article summarizes and provides resources to help you use the Azure encryption options.

For a more detailed discussion of how data at rest is encrypted in Azure, see Azure Data Encryption-at-Rest.

Azure encryption models

Azure supports various encryption models, including server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, you can manage and store keys on-premises or in another secure location.

Client-side encryption

Client-side encryption is performed outside of Azure. It includes:

  • Data encrypted by an application that's running in the customer's datacenter or by a service application.
  • Data that is already encrypted when it is received by Azure.

With client-side encryption, cloud service providers don't have access to the encryption keys and cannot decrypt this data. You maintain complete control of the keys.

Server-side encryption

The three server-side encryption models offer different key management characteristics, which you can choose according to your requirements:

  • Service-managed keys: Provides a combination of control and convenience with low overhead.

  • Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.

  • Service-managed keys in customer-controlled hardware: Enables you to manage keys in your proprietary repository, outside of Microsoft control. This characteristic is called Host Your Own Key (HYOK). However, configuration is complex, and most Azure services don't support this model.

Azure disk encryption

You can protect Windows and Linux virtual machines by using Azure disk encryption, which uses Windows BitLocker technology and Linux DM-Crypt to protect both operating system disks and data disks with full volume encryption.

Encryption keys and secrets are safeguarded in your Azure Key Vault subscription. By using the Azure Backup service, you can back up and restore encrypted virtual machines (VMs) that use a Key Encryption Key (KEK) configuration.

Azure Storage Service Encryption

Data at rest in Azure Blob storage and Azure file shares can be encrypted in both server-side and client-side scenarios.

Azure Storage Service Encryption (SSE) can automatically encrypt data before it is stored, and it automatically decrypts the data when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses 256-bit Advanced Encryption Standard (AES) encryption, which is one of the strongest block ciphers available. AES handles encryption, decryption, and key management transparently.

Client-side encryption of Azure blobs

You can perform client-side encryption of Azure blobs in various ways.

You can use the Azure Storage Client Library for .NET NuGet package to encrypt data within your client applications prior to uploading it to your Azure storage.

To learn more about and download the Azure Storage Client Library for .NET NuGet package, see Windows Azure Storage 8.3.0.

When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is encrypted using a Key Encryption Key (KEK), which can be either a symmetric key or an asymmetric key pair. You can manage the KEK locally or store it in Key Vault. The encrypted data is then uploaded to Azure Storage.

To learn more about client-side encryption with Key Vault and get started with how-to instructions, see Tutorial: Encrypt and decrypt blobs in Azure Storage by using Key Vault.

Finally, you can also use the Azure Storage Client Library for Java to perform client-side encryption before you upload data to Azure Storage, and to decrypt the data when you download it to the client. This library also supports integration with Key Vault for storage account key management.

Encryption of data at rest with Azure SQL Database

Azure SQL Database is a general-purpose relational database service in Azure that supports structures such as relational data, JSON, spatial, and XML. SQL Database supports both server-side encryption via the Transparent Data Encryption (TDE) feature and client-side encryption via the Always Encrypted feature.

Transparent Data Encryption

TDE is used to encrypt SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files in real time, using a Database Encryption Key (DEK), which is stored in the database boot record for availability during recovery.

TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption algorithms. Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and are decrypted when they're read into memory. TDE is now enabled by default on newly created Azure SQL databases.

Always Encrypted feature

With the Always Encrypted feature in Azure SQL, you can encrypt data within client applications prior to storing it in Azure SQL Database. You can also enable delegation of on-premises database administration to third parties and maintain separation between those who own and can view the data and those who manage it but should not have access to it.

Cell-level or column-level encryption

With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called cell-level encryption or column-level encryption (CLE), because you can use it to encrypt specific columns or even specific cells of data with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages.

CLE has built-in functions that you can use to encrypt data by using either symmetric or asymmetric keys, the public key of a certificate, or a passphrase using 3DES.

Cosmos DB database encryption

Azure Cosmos DB is Microsoft's globally distributed, multi-model database. User data that's stored in Cosmos DB in non-volatile storage (solid-state drives) is encrypted by default. There are no controls to turn it on or off. Encryption at rest is implemented by using a number of security technologies, including secure key storage systems, encrypted networks, and cryptographic APIs. Encryption keys are managed by Microsoft and are rotated per Microsoft internal guidelines.

At-rest encryption in Data Lake

Azure Data Lake is an enterprise-wide repository of every type of data collected in a single place prior to any formal definition of requirements or schema. Data Lake Store supports "on by default," transparent encryption of data at rest, which is set up during the creation of your account. By default, Azure Data Lake Store manages the keys for you, but you have the option to manage them yourself.

Three types of keys are used in encrypting and decrypting data: the Master Encryption Key (MEK), Data Encryption Key (DEK), and Block Encryption Key (BEK). The MEK is used to encrypt the DEK, which is stored on persistent media, and the BEK is derived from the DEK and the data block. If you are managing your own keys, you can rotate the MEK.
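The CEK/KEK scheme used by Storage client-side encryption (above, under "Client-side encryption of Azure blobs") and the MEK/DEK hierarchy in Data Lake Store rest on the same envelope pattern: the data is encrypted under a per-object key, and only that key is wrapped under the master key, so rotating the master key re-wraps a few bytes instead of re-encrypting the data. The Go program below is an added example, not Azure SDK or Data Lake code. It uses AES-256-GCM for the data and, as an assumption, also as a stand-in for the wrap operation that Key Vault would normally perform with an RSA or HSM-backed key; the type and function names are hypothetical and the sample blob contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the stored form: data encrypted under a one-time CEK, plus the CEK
// wrapped under the KEK (or MEK, in Data Lake terms). Rotating the KEK only
// touches WrappedCEK; Ciphertext is never rewritten.
type Envelope struct {
	Ciphertext []byte // AES-256-GCM under the CEK, nonce prepended
	WrappedCEK []byte // AES-256-GCM under the KEK, nonce prepended (assumed wrap scheme)
}

// NewKey returns 32 random bytes for use as an AES-256 key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-GCM under key and prepends the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; a wrong key or a tampered blob fails authentication.
func gcmOpen(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Seal generates a fresh CEK, encrypts plaintext with it, and wraps the CEK under kek.
func Seal(kek, plaintext []byte) (Envelope, error) {
	cek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(cek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, cek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedCEK: wrapped}, nil
}

// Open unwraps the CEK with kek and then decrypts the data.
func Open(kek []byte, env Envelope) ([]byte, error) {
	cek, err := gcmOpen(kek, env.WrappedCEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap CEK: %w", err)
	}
	return gcmOpen(cek, env.Ciphertext)
}

// Rewrap rotates the master key: unwrap the CEK with the old KEK and wrap it again
// under the new one. The data ciphertext is carried over unchanged.
func Rewrap(oldKEK, newKEK []byte, env Envelope) (Envelope, error) {
	cek, err := gcmOpen(oldKEK, env.WrappedCEK)
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap CEK: %w", err)
	}
	wrapped, err := gcmSeal(newKEK, cek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: env.Ciphertext, WrappedCEK: wrapped}, nil
}

func main() {
	kek1, _ := NewKey() // stands in for the KEK held in Key Vault (assumption)
	kek2, _ := NewKey() // the KEK after rotation
	env, _ := Seal(kek1, []byte("constructed sample blob contents"))
	rotated, _ := Rewrap(kek1, kek2, env)
	pt, err := Open(kek2, rotated)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
	_, err = Open(kek1, rotated)
	fmt.Println("old KEK against rotated envelope:", err)
}
```

The point to take from running it: after Rewrap the Ciphertext bytes are identical, the new KEK opens the envelope, and the old KEK fails the GCM authentication check rather than returning garbage, which is the behaviour a key-rotation runbook should verify.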

Encryption of data in transit

Azure offers many mechanisms for keeping data private as it moves from one location to another.

TLS/SSL encryption in Azure

Microsoft uses the Transport Layer Security (TLS) protocol to protect data when it's traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

Perfect Forward Secrecy (PFS) protects connections between customers' client systems and Microsoft cloud services by using unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination makes it difficult for someone to intercept and access data that is in transit.
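PFS is a property of the key exchange, not of the certificate: a TLS 1.2 connection only has it when an ephemeral (ECDHE) suite is negotiated, while every TLS 1.3 suite has it. The Go program below is an added example, not Microsoft or Azure code, showing the client-side policy a practitioner can enforce and audit: pin TLS 1.2 or later, offer only ECDHE suites for TLS 1.2, and check the negotiated state after the handshake. The main function runs a loopback handshake against a throwaway self-signed certificate constructed for the demo; the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"math/big"
	"net"
	"strings"
	"time"
)

// ClientTLSConfig pins TLS 1.2 or later and, for TLS 1.2, only ECDHE suites, so every
// connection uses an ephemeral key exchange. TLS 1.3 suites are not configurable in Go
// and all provide forward secrecy.
func ClientTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// ForwardSecret reports whether a negotiated (version, suite) pair used an ephemeral
// key exchange: all TLS 1.3 suites do; in TLS 1.2 only the ECDHE suites do, and static
// RSA key transport (TLS_RSA_*) does not.
func ForwardSecret(version, suite uint16) bool {
	if version >= tls.VersionTLS13 {
		return true
	}
	return strings.HasPrefix(tls.CipherSuiteName(suite), "TLS_ECDHE_")
}

// AuditConnection rejects a completed handshake that fell below the policy above.
func AuditConnection(state tls.ConnectionState) error {
	if state.Version < tls.VersionTLS12 {
		return fmt.Errorf("TLS version %#x is below 1.2", state.Version)
	}
	if !ForwardSecret(state.Version, state.CipherSuite) {
		return fmt.Errorf("cipher suite %s lacks forward secrecy", tls.CipherSuiteName(state.CipherSuite))
	}
	return nil
}

// main performs a loopback handshake with a self-signed certificate constructed for the
// demo (not for production use) and audits the negotiated parameters.
func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		log.Fatal(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		log.Fatal(err)
	}
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cfg := ClientTLSConfig()
	cfg.RootCAs = x509.NewCertPool()
	cfg.RootCAs.AddCert(leaf)
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()
	st := conn.ConnectionState()
	fmt.Printf("TLS %#x %s audit=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), AuditConnection(st))
}
```

AuditConnection is the piece to keep around: it can be run over any tls.ConnectionState (for example from an http.Response.TLS) to confirm that what a service actually negotiated matches what the configuration was meant to enforce.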

Azure Storage transactions

When you interact with Azure Storage through the Azure portal, all transactions take place over HTTPS. You can also use the Storage REST API over HTTPS to interact with Azure Storage. You can enforce the use of HTTPS when you call the REST APIs to access objects in storage accounts by enabling the "Secure transfer required" setting for the storage account.

Shared Access Signatures (SAS), which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used when you use Shared Access Signatures. This approach ensures that anybody who sends links with SAS tokens uses the proper protocol.
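The HTTPS-only option is carried in the SAS token itself as the spr (signed protocol) query parameter, alongside se (expiry) and sp (permissions). The Go program below is an added example, not Azure SDK code: a defender-side check that a SAS link about to be issued or accepted is restricted to HTTPS, carries a signature, expires soon enough, and grants no more than the permissions a policy allows. It cannot verify the signature (that needs the account key), so sig is only checked for presence. The sample link, account name and signature are constructed placeholders, and the function and type names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// SASPolicy is the bar a SAS link must meet. MaxLifetime must be set; a zero value
// rejects every token that has not already expired.
type SASPolicy struct {
	MaxLifetime        time.Duration // longest acceptable time until the se (expiry) value
	AllowedPermissions string        // e.g. "r"; empty means any sp value is accepted
}

// parseSASTime accepts the UTC layouts used by the se and st parameters.
func parseSASTime(s string) (time.Time, error) {
	for _, layout := range []string{time.RFC3339, "2006-01-02T15:04Z", "2006-01-02"} {
		if t, err := time.Parse(layout, s); err == nil {
			return t, nil
		}
	}
	return time.Time{}, fmt.Errorf("unrecognised SAS time %q", s)
}

// ValidateSASURL checks scheme, signed protocol, signature presence, expiry and
// permissions on a SAS link; a nil return means the link meets the policy.
func ValidateSASURL(rawURL string, now time.Time, policy SASPolicy) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q: SAS links must use https", u.Scheme)
	}
	q := u.Query()
	// spr must be exactly "https": "https,http" or an absent spr both permit plaintext HTTP.
	if spr := q.Get("spr"); spr != "https" {
		return fmt.Errorf("spr=%q: token must be restricted to HTTPS", spr)
	}
	if q.Get("sig") == "" {
		return errors.New("missing sig parameter")
	}
	se, err := parseSASTime(q.Get("se"))
	if err != nil {
		return err
	}
	if !se.After(now) {
		return fmt.Errorf("token expired at %s", se.UTC().Format(time.RFC3339))
	}
	if se.Sub(now) > policy.MaxLifetime {
		return fmt.Errorf("token lifetime %s exceeds policy maximum %s", se.Sub(now), policy.MaxLifetime)
	}
	if policy.AllowedPermissions != "" {
		for _, p := range q.Get("sp") {
			if !strings.ContainsRune(policy.AllowedPermissions, p) {
				return fmt.Errorf("permission %q in sp is not allowed by policy", p)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample link: placeholder account, container, blob and signature.
	sample := "https://examplestorage.blob.core.windows.net/container/report.csv" +
		"?sv=2020-08-04&sr=b&sp=r&spr=https&se=2024-06-01T12:00:00Z&sig=PLACEHOLDER"
	now := time.Date(2024, 6, 1, 10, 0, 0, 0, time.UTC)
	policy := SASPolicy{MaxLifetime: 4 * time.Hour, AllowedPermissions: "r"}
	fmt.Println("sample link:", ValidateSASURL(sample, now, policy))
	weak := strings.Replace(sample, "spr=https", "spr=https,http", 1)
	fmt.Println("https,http link:", ValidateSASURL(weak, now, policy))
}
```

Such a check belongs wherever SAS links are minted or logged; a link that fails it should be treated as a finding, not silently rewritten, because the signature covers spr and se and cannot be changed without re-signing.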

SMB 3.0, which is used to access Azure Files shares, supports encryption, and it's available in Windows Server 2012 R2, Windows 8, Windows 8.1, and Windows 10. It allows cross-region access and even access on the desktop.

Client-side encryption encrypts the data before it's sent to your Azure Storage instance, so that it's encrypted as it travels across the network.

SMB encryption over Azure virtual networks

By using SMB 3.0 in VMs that are running Windows Server 2012 or later, you can make data transfers secure by encrypting data in transit over Azure Virtual Networks. By encrypting data, you help protect against tampering and eavesdropping attacks. Administrators can enable SMB encryption for the entire server, or just for specific shares.

By default, after SMB encryption is turned on for a share or server, only SMB 3.0 clients are allowed to access the encrypted shares.

In-transit encryption in VMs

Data in transit to, from, and between VMs that are running Windows is encrypted in a number of ways, depending on the nature of the connection.

RDP sessions

You can connect and sign in to a VM by using the Remote Desktop Protocol (RDP) from a Windows client computer, or from a Mac with an RDP client installed. Data in transit over the network in RDP sessions can be protected by TLS.

You can also use Remote Desktop to connect to a Linux VM in Azure.

Secure access to Linux VMs with SSH

For remote management, you can use Secure Shell (SSH) to connect to Linux VMs running in Azure. SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. It is the default connection protocol for Linux VMs hosted in Azure. By using SSH keys for authentication, you eliminate the need for passwords to sign in. SSH uses a public/private key pair (asymmetric encryption) for authentication.

Azure VPN encryption

You can connect to Azure through a virtual private network that creates a secure tunnel to protect the privacy of the data being sent across the network.

Azure VPN gateways

You can use an Azure VPN gateway to send encrypted traffic between your virtual network and your on-premises location across a public connection, or to send traffic between virtual networks.

Site-to-site VPNs use IPsec for transport encryption. Azure VPN gateways use a set of default proposals. You can configure Azure VPN gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.

Point-to-site VPNs

Point-to-site VPNs allow individual client computers access to an Azure virtual network. The Secure Socket Tunneling Protocol (SSTP) is used to create the VPN tunnel. It can traverse firewalls (the tunnel appears as an HTTPS connection). You can use your own internal public key infrastructure (PKI) root certificate authority (CA) for point-to-site connectivity.

You can configure a point-to-site VPN connection to a virtual network by using the Azure portal (with certificate authentication) or PowerShell.

To learn more about point-to-site VPN connections to Azure virtual networks, see:

Configure a point-to-site connection to a virtual network by using certificate authentication: Azure portal

Configure a point-to-site connection to a virtual network by using certificate authentication: PowerShell

Site-to-site VPNs

You can use a site-to-site VPN gateway connection to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires an on-premises VPN device that has an external-facing public IP address assigned to it.

You can configure a site-to-site VPN connection to a virtual network by using the Azure portal, PowerShell, or Azure CLI.

For more information, see:

Create a site-to-site connection in the Azure portal

Create a site-to-site connection in PowerShell

Create a virtual network with a site-to-site VPN connection by using CLI

In-transit encryption in Data Lake

Data in transit (also known as data in motion) is also always encrypted in Data Lake Store. In addition to encrypting data prior to storing it in persistent media, the data is also always secured in transit by using HTTPS. HTTPS is the only protocol that is supported for the Data Lake Store REST interfaces.

To learn more about encryption of data in transit in Data Lake, see Encryption of data in Data Lake Store.

Key management with Key Vault

Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.

Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications don't have direct access to them. You can also import or generate keys in HSMs.

Next steps