BitLocker and Distributed Key Manager (DKM) for Encryption

Microsoft servers use BitLocker to encrypt the disk drives containing customer data at rest at the volume level. BitLocker encryption is a data protection feature that is built into Windows. BitLocker is one of the technologies used to safeguard against threats in case there are lapses in other processes or controls (e.g., access control or recycling of hardware) that could lead to someone gaining physical access to disks containing customer data. In this case, BitLocker eliminates the potential for data theft or exposure because of lost, stolen, or inappropriately decommissioned computers and disks.

BitLocker is deployed with Advanced Encryption Standard (AES) 256-bit encryption on disks containing customer data in Exchange Online, SharePoint Online, and Skype for Business. Disk sectors are encrypted with a Full Volume Encryption Key (FVEK), which is encrypted with the Volume Master Key (VMK), which in turn is bound to the Trusted Platform Module (TPM) in the server. The VMK directly protects the FVEK, and therefore protecting the VMK becomes critical. The following figure illustrates an example of the BitLocker key protection chain for a given server (in this case, using an Exchange Online server).

The following table describes the BitLocker key protection chain for a given server (in this case, an Exchange Online server).

| KEY PROTECTOR | GRANULARITY | HOW GENERATED? | WHERE IS IT STORED? | PROTECTION |
|---|---|---|---|---|
| AES 256-bit External Key | Per Server | BitLocker APIs | TPM or Secret Safe | Lockbox / Access Control |
| | | | Mailbox Server Registry | TPM encrypted |
| 48-digit Numerical Password | Per Disk | BitLocker APIs | Active Directory | Lockbox / Access Control |
| X.509 Certificate as Data Recovery Agent (DRA), also called Public Key Protector | Environment (e.g., Exchange Online multitenant) | Microsoft CA | Build System | No one user has the full password to the private key. The password is under physical protection. |
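As an added example (not tooling from the Microsoft 365 documentation), the following PowerShell audits the key protectors on each local BitLocker volume against the protector types in the table above. The baseline it checks (AES-256 cipher, a TPM protector, a recovery password, a DRA certificate) is an assumed operator policy modelled on this page, and the `KeyProtectorType` names are those reported by the Windows BitLocker module.

```powershell
# Added example: audit local BitLocker volumes against the protector chain described above.
# Requires the BitLocker PowerShell module on Windows, run from an elevated session.
# Assumption: the expected baseline below is the operator's policy; adjust it to yours.

$expectedCipher = 'XtsAes256', 'Aes256'   # AES 256-bit, as Microsoft 365 deploys it
$required       = 'Tpm', 'RecoveryPassword' # VMK bound to the TPM + 48-digit recovery password
$draType        = 'Certificate'             # assumed enum name for the DRA / public key protector

function Test-BitLockerBaseline {
    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector type names present on this volume.
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($vol.VolumeStatus)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # Protection Off means the VMK is stored in the clear (suspended BitLocker).
            $findings += "protection is $($vol.ProtectionStatus)"
        }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and
            $expectedCipher -notcontains $vol.EncryptionMethod.ToString()) {
            $findings += "cipher is $($vol.EncryptionMethod), expected AES-256"
        }
        foreach ($r in $required) {
            if ($types -notcontains $r) { $findings += "missing $r protector" }
        }
        if ($types -contains 'ExternalKey') {
            # An external key is legitimate (per-server key in the table), but its storage matters.
            $findings += 'ExternalKey protector present; confirm where the key material is held'
        }
        if ($types -notcontains $draType) {
            $findings += 'no DRA (public key) protector'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Cipher     = $vol.EncryptionMethod
            Protectors = ($types -join ', ')
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-BitLockerBaseline | Format-Table -AutoSize
```

Volumes that report anything other than OK are candidates for review of the protector chain rather than evidence of compromise; a decrypted or suspended volume is the finding that matters most.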

BitLocker key management involves the management of recovery keys that are used to unlock/recover encrypted disks in a Microsoft datacenter. Microsoft 365 stores the master keys in a secured share, only accessible by individuals who have been screened and approved. The credentials for the keys are stored in a secured repository for access control data (what we call a "secret store"), which requires a high level of elevation and management approvals to access using a just-in-time access elevation tool.

BitLocker supports keys which fall into two management categories:

  • BitLocker-managed keys, which are generally short-lived and tied to the lifetime of an operating system instance installed on a server or to a given disk. These keys are deleted and reset during server reinstallation or disk formatting.

  • BitLocker recovery keys, which are managed outside of BitLocker but used for disk decryption. BitLocker uses recovery keys for the scenario in which an operating system is reinstalled and encrypted data disks already exist. Recovery keys are also used by Managed Availability monitoring probes in Exchange Online, where a responder may need to unlock a disk.

BitLocker-protected volumes are encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. BitLocker uses FIPS-compliant algorithms to ensure that encryption keys are never stored or sent over the wire in the clear. The Microsoft 365 implementation of customer data-at-rest protection does not deviate from the default BitLocker implementation.