Configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM (preview)

Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can manage your own keys. Customer-managed keys must be stored in Azure Key Vault or Key Vault Managed Hardware Security Module (HSM) (preview). An Azure Key Vault Managed HSM is a FIPS 140-2 Level 3 validated HSM.

This article shows how to configure encryption with customer-managed keys stored in a managed HSM by using Azure CLI. To learn how to configure encryption with customer-managed keys stored in a key vault, see Configure encryption with customer-managed keys stored in Azure Key Vault.

Important

Encryption with customer-managed keys stored in Azure Key Vault Managed HSM is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Azure Key Vault and Azure Key Vault Managed HSM support the same APIs and management interfaces for configuration.

Assign an identity to the storage account

First, assign a system-assigned managed identity to the storage account. You'll use this managed identity to grant the storage account permissions to access the managed HSM. For more information about system-assigned managed identities, see What are managed identities for Azure resources?

To assign a managed identity using Azure CLI, call az storage account update. Remember to replace the placeholder values in brackets with your own values:

# Enable a system-assigned managed identity on the storage account
az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --assign-identity

Assign a role to the storage account for access to the managed HSM

Next, assign the Managed HSM Crypto Service Encryption role to the storage account's managed identity so that the storage account has permissions to the managed HSM. Microsoft recommends that you scope the role assignment to the level of the individual key in order to grant the fewest possible privileges to the managed identity.

To create the role assignment for the storage account, call az keyvault role assignment create. Remember to replace the placeholder values in brackets with your own values.

# Look up the principal ID of the storage account's managed identity
# (no spaces around "=" in a shell assignment)
storage_account_principal=$(az storage account show \
    --name <storage-account> \
    --resource-group <resource-group> \
    --query identity.principalId \
    --output tsv)

# Grant the identity the role, scoped to the single key rather than the whole HSM
az keyvault role assignment create \
    --hsm-name <hsm-name> \
    --role "Managed HSM Crypto Service Encryption" \
    --assignee "$storage_account_principal" \
    --scope /keys/<key-name>

Configure encryption with a key in the managed HSM

Finally, configure Azure Storage encryption with customer-managed keys to use a key stored in the managed HSM. Supported key types include RSA-HSM keys of sizes 2048, 3072, and 4096. To learn how to create a key in a managed HSM, see Create an HSM key.

Install Azure CLI 2.12.0 or later to configure encryption to use a customer-managed key in a managed HSM. For more information, see Install the Azure CLI.

To automatically update the key version for a customer-managed key, omit the key version when you configure encryption with customer-managed keys for the storage account. Call az storage account update to update the storage account's encryption settings, as shown in the following example. Include the --encryption-key-source parameter and set it to Microsoft.Keyvault to enable customer-managed keys for the account. Remember to replace the placeholder values in brackets with your own values.

# Query the managed HSM URI (no spaces around "=" in a shell assignment)
hsmurl=$(az keyvault show \
    --hsm-name <hsm-name> \
    --query properties.hsmUri \
    --output tsv)

# No --encryption-key-version: the account follows new key versions automatically
az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --encryption-key-name <key> \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$hsmurl"

To manually update the version for a customer-managed key, include the key version when you configure encryption for the storage account:

# $key_version holds the version identifier obtained from
# az keyvault key list-versions; $hsmurl is the HSM URI queried above
az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --encryption-key-name <key> \
    --encryption-key-version "$key_version" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$hsmurl"

When you manually update the key version, you'll need to update the storage account's encryption settings to use the new version. First, query for the key vault URI by calling az keyvault show, and for the key version by calling az keyvault key list-versions. Then call az storage account update to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.
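The three steps of this article (assign the identity, assign the key-scoped role, point the account at the HSM key) collected into one dry-run-by-default script, followed by checks you can run against the account's encryption settings afterwards. This is an added example and not code from the Microsoft article. It assumes Azure CLI 2.12.0 or later is installed and logged in, that the placeholder names in angle brackets are replaced with your own, and that the JSON field names used by the checks (keySource, keyVaultProperties.keyVaultUri, keyVersion) match the camelCase output of az storage account show --query encryption --output json; the two JSON samples are constructed, not captured from a real account.

```shell
#!/bin/sh
# Added example (not from the Microsoft page): the article's three steps in a
# dry-run-by-default script, plus post-configuration checks on the encryption
# block of "az storage account show". Assumed: az CLI 2.12.0+, logged in.
set -eu
DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=0 actually executes the az commands

# Print the command instead of running it when DRY_RUN=1, so the exact az
# invocation can be reviewed before it changes a production account.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Only the RSA-HSM sizes the article lists are accepted for the CMK.
supported_rsa_hsm_size() {
  case "$1" in
    2048|3072|4096) return 0 ;;
    *) return 1 ;;
  esac
}

# Point the storage account at the HSM key. An empty $5 omits
# --encryption-key-version, which turns on automatic version updates; a
# non-empty $5 pins the account to that version (manual updates required).
# $1 account, $2 resource group, $3 key name, $4 HSM URI, $5 key version or "".
cmk_update() {
  if [ -n "$5" ]; then
    run az storage account update --name "$1" --resource-group "$2" \
        --encryption-key-name "$3" --encryption-key-source Microsoft.Keyvault \
        --encryption-key-vault "$4" --encryption-key-version "$5"
  else
    run az storage account update --name "$1" --resource-group "$2" \
        --encryption-key-name "$3" --encryption-key-source Microsoft.Keyvault \
        --encryption-key-vault "$4"
  fi
}

# Full procedure: identity -> key-scoped role assignment -> encryption settings.
# $1 account, $2 resource group, $3 HSM name, $4 key name, $5 key version or "".
configure_storage_cmk() {
  run az storage account update --name "$1" --resource-group "$2" --assign-identity
  if [ "$DRY_RUN" = "1" ]; then
    principal='<principal-id>'; hsmurl='<hsm-uri>'   # placeholders: no az call in dry run
  else
    principal=$(az storage account show --name "$1" --resource-group "$2" \
                  --query identity.principalId --output tsv)
    hsmurl=$(az keyvault show --hsm-name "$3" --query properties.hsmUri --output tsv)
  fi
  # Scope is the single key, not the whole HSM (least privilege, as the article recommends)
  run az keyvault role assignment create --hsm-name "$3" \
      --role "Managed HSM Crypto Service Encryption" \
      --assignee "$principal" --scope "/keys/$4"
  cmk_update "$1" "$2" "$4" "$hsmurl" "$5"
}

# Checks on the encryption JSON from "az storage account show --query encryption".
# Plain grep/sed, so no jq dependency. $1 = JSON text, $2 = expected HSM URI.
encryption_uses_hsm() {
  printf '%s' "$1" | grep -q '"keySource": *"Microsoft.Keyvault"' || return 1
  uri=$(printf '%s' "$1" | sed -n 's/.*"keyVaultUri": *"\([^"]*\)".*/\1/p')
  [ "$uri" = "$2" ]
}

# 0 when no specific key version is pinned (automatic version updates in effect).
encryption_auto_rotates() {
  if printf '%s' "$1" | grep -q '"keyVersion": *"[^"]\{1,\}"'; then
    return 1
  fi
  return 0
}

# Constructed sample outputs (not captured from a real account).
SAMPLE_ENCRYPTION_JSON='{
  "keySource": "Microsoft.Keyvault",
  "keyVaultProperties": { "keyName": "storage-cmk",
    "keyVaultUri": "https://example-hsm.managedhsm.azure.net/", "keyVersion": null }
}'
SAMPLE_PINNED_JSON='{
  "keySource": "Microsoft.Keyvault",
  "keyVaultProperties": { "keyName": "storage-cmk",
    "keyVaultUri": "https://example-hsm.managedhsm.azure.net/",
    "keyVersion": "0123456789abcdef0123456789abcdef" }
}'

if [ "${1:-}" = "--demo" ]; then
  configure_storage_cmk '<storage-account>' '<resource-group>' '<hsm-name>' '<key-name>' ""
  encryption_uses_hsm "$SAMPLE_ENCRYPTION_JSON" "https://example-hsm.managedhsm.azure.net/" \
    && encryption_auto_rotates "$SAMPLE_ENCRYPTION_JSON" && echo "sample config OK"
fi
```

Run it with `sh script.sh --demo` to see the az commands it would issue; set `DRY_RUN=0` to execute them. After a real run, feed the output of `az storage account show --query encryption --output json` to `encryption_uses_hsm` and `encryption_auto_rotates` to confirm the account is using the HSM URI you expect and whether it is pinned to a version or following new versions automatically.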

Next steps