Service encryption with Customer Key

Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 also offers an added layer of encryption at the application layer for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files. This added layer of encryption is called service encryption.

How service encryption, BitLocker, and Customer Key work together

Service encryption ensures that content at rest is encrypted at the service layer. Your data is always encrypted at rest in the Microsoft 365 service with BitLocker and DKM. For more information, see "Security, Privacy, and Compliance Information" and How Exchange Online secures your email secrets. Customer Key provides additional protection against viewing of data by unauthorized systems or personnel, and complements BitLocker disk encryption in Microsoft datacenters. Service encryption is not meant to prevent Microsoft personnel from accessing customer data. Its primary purpose is to assist customers in meeting regulatory or compliance obligations for controlling root keys. Customers explicitly authorize O365 services to use their encryption keys to provide value-added cloud services, such as eDiscovery, anti-malware, anti-spam, search indexing, and so on.

Customer Key is built on service encryption and lets you provide and control encryption keys. Microsoft 365 then uses these keys to encrypt your data at rest as described in the Online Services Terms (OST). Customer Key helps you meet compliance obligations because you control the encryption keys that Microsoft 365 uses to encrypt and decrypt data.

Customer Key enhances your organization's ability to meet compliance requirements that specify key arrangements with the cloud service provider. With Customer Key, you provide and control the root encryption keys for your Microsoft 365 data at rest at the application level. As a result, you exercise control over your organization's keys. If you decide to exit the service, you revoke access to your organization's root keys. For all Microsoft 365 services, revoking access to the keys is the first step on the path towards data deletion. Once access to the keys is revoked, the data is unreadable to the service.

Customer Key encrypts data at rest in Office 365

Using keys you provide, Customer Key at the application level encrypts:

  • SharePoint Online, OneDrive for Business, and Teams files.
  • Files uploaded to OneDrive for Business.
  • Exchange Online mailbox content, including email body content, calendar entries, and the content within email attachments.
  • Text conversations from Skype for Business.

We don't currently offer customer control of the encryption keys for Skype Meeting Broadcast and Skype Meeting content uploads. Instead, this content is encrypted along with all other content in Office 365.

Customer Key with hybrid deployments

Customer Key only encrypts data at rest in the cloud. Customer Key does not protect your on-premises mailboxes and files. You can encrypt your on-premises data using another method, such as BitLocker.

About the data encryption policy (DEP)

A data encryption policy defines the encryption hierarchy used to encrypt data with each of the keys you provide as well as the availability key protected by Microsoft. You create DEPs using PowerShell cmdlets, which are different for each service, and assign those DEPs to encrypt application data. For example:

Exchange Online and Skype for Business: You can create up to 50 DEPs per tenant. You associate DEPs with your Customer Keys in Azure Key Vault and then assign DEPs to individual mailboxes. When you assign a DEP to a mailbox:

  • The mailbox is marked for a mailbox move, based on priorities in Microsoft 365 as described in Move requests in the Microsoft 365 service.

  • The encryption takes place while the mailbox is moved. Allow 72 hours for the mailbox to become encrypted with the new DEP. If the mailbox isn't encrypted after waiting 72 hours from the time you assigned the DEP, contact Microsoft.

Later, you can either refresh the DEP or assign a different DEP to the mailbox as described in Manage Customer Key for Office 365. Each mailbox must have appropriate licenses in order to be assigned a DEP. For more information about licensing, see Before you set up Customer Key.

Note

The DEP can be applied to a shared mailbox, public folder mailbox, and Microsoft 365 group mailbox for tenants that meet the licensing requirement for user mailboxes, even though some of these mailbox types can't be assigned a license (public folder mailbox and Microsoft 365 group mailbox) or need a license only for increased storage (shared mailbox).

SharePoint Online, OneDrive for Business, and Teams files: If you're using the multi-geo feature, you can create up to one DEP per geo for your organization. You can use different Customer Keys for each geo. If you're not using the multi-geo feature, you can only create one DEP per tenant. When you assign the DEP, encryption begins automatically but can take some time to complete. Refer to the details in Set up Customer Key.
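The Exchange Online DEP lifecycle described above (create a DEP that references your Customer Keys, assign it to a mailbox, then confirm encryption after the 72-hour window), shown as an added PowerShell example. This is not code from the original page or from Microsoft's documentation; it assumes an active Exchange Online PowerShell session with a Customer Key administrator role, and the Key Vault key URIs, policy name and mailbox address are placeholders to replace with your own values. The DataEncryptionPolicy property used to filter mailboxes is an assumption about the Get-Mailbox output in your tenant.

```powershell
# Added example (not from the page). Placeholders below must be replaced with your own values.
$KeyIds = @(
    "https://<vault-1>.vault.azure.net/keys/<key-name-1>",   # placeholder: first Customer Key
    "https://<vault-2>.vault.azure.net/keys/<key-name-2>"    # placeholder: second Customer Key
)
$DepName = "US Mailboxes"                                    # placeholder: DEP name

# 1. Create the DEP. A DEP references the Customer Keys in Azure Key Vault that form the
#    top of the encryption hierarchy for the mailboxes it is assigned to.
New-DataEncryptionPolicy -Name $DepName `
    -Description "Root keys for mailboxes that must use customer-controlled keys" `
    -AzureKeyIDs $KeyIds

# 2. Assign the DEP to a mailbox. This marks the mailbox for a move; encryption with the
#    DEP happens while the mailbox is moved.
Set-Mailbox -Identity "alice@contoso.example" -DataEncryptionPolicy $DepName   # placeholder mailbox

# 3. Verification helper: IsEncrypted from Get-MailboxStatistics reports whether the
#    mailbox content is encrypted with the assigned DEP.
function Test-MailboxDepEncryption {
    param([Parameter(Mandatory)][string]$Identity)
    $stats = Get-MailboxStatistics -Identity $Identity
    [pscustomobject]@{
        Identity    = $Identity
        IsEncrypted = [bool]$stats.IsEncrypted
    }
}

# 4. After the 72-hour window, list mailboxes assigned this DEP that are still not encrypted.
#    Any mailbox that remains here after 72 hours is the case the page says to raise with Microsoft.
#    (Filtering on DataEncryptionPolicy is an assumption about the Get-Mailbox output.)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.DataEncryptionPolicy)" -like "*$DepName*" } |
    ForEach-Object { Test-MailboxDepEncryption -Identity $_.UserPrincipalName } |
    Where-Object { -not $_.IsEncrypted }
```

Run step 4 only after the 72-hour window has elapsed; an unencrypted result before then is expected while the mailbox move is still queued. Refreshing the DEP or assigning a different DEP later follows the same Set-Mailbox pattern in step 2.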

Leaving the service

Customer Key assists you in meeting compliance obligations by allowing you to revoke your keys when you leave the Microsoft 365 service. When you revoke your keys as part of leaving the service, the availability key is deleted, resulting in cryptographic deletion of your data. Cryptographic deletion mitigates the risk of data remanence, which is important for meeting both security and compliance obligations. For information about the data purge process and key revocation, see Revoke your keys and start the data purge path process.

Encryption ciphers used by Customer Key

Customer Key uses a variety of encryption ciphers to encrypt keys, as shown in the following figures.

Encryption ciphers used to encrypt keys for Exchange Online and Skype for Business

Figure: Encryption ciphers for Exchange Online Customer Key

Encryption ciphers used to encrypt keys for SharePoint Online, OneDrive for Business, and Teams files

Figure: Encryption ciphers for SharePoint Online Customer Key