What is the difference between customer-managed keys and customer-provided keys in Azure Storage encryption?

I am learning about Azure Blob Storage from the Microsoft documentation. When I got to this page

https://docs.microsoft.com/en-us/learn/modules/explore-azure-blob-storage/4-blob-storage-security

I found that there are 3 types of key management for encryption:

  1. Microsoft-managed keys
  2. Customer-managed keys
  3. Customer-provided keys

I can't understand the difference between the last two. In the case of customer-managed keys, is the key provided by Microsoft?

Please help.

Thanks in advance.

Please consider reading these two articles from the Azure documentation. The first one describes in depth how customer-managed keys work, whereas the second does the same for customer-provided keys.

In short, when you use customer-managed keys, you are pointing to a key stored in Azure Key Vault that you want to use to encrypt/decrypt the data in your storage account.

Behind the scenes, this key is used to encrypt/decrypt another key, which in turn is the one actually used to encrypt/decrypt the data in your storage account.

This process is performed transparently every time you interact with your storage account.

It is described well in the first article I referenced:

  1. An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the storage account.
  2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
  3. Azure Storage uses the managed identity that's associated with the storage account to authenticate access to Azure Key Vault via Azure Active Directory.
  4. Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault.
  5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

Conversely, when using customer-provided keys, you need to supply the encryption key itself, among certain metadata, that you want to use for encrypting/decrypting the data when reading or writing your blob data, at the time you perform your request.

Again, now quoting from the second article I referenced:

When a client application provides an encryption key on the request, Azure Storage performs encryption and decryption transparently while reading and writing blob data. Azure Storage writes an SHA-256 hash of the encryption key alongside the blob's contents. The hash is used to verify that all subsequent operations against the blob use the same encryption key.

When a client creates or updates a blob using a customer-provided key on the request, then subsequent read and write requests for that blob must also provide the key.

To send the encryption key as part of the request, a client must establish a secure connection to Azure Storage using HTTPS.

This article is also helpful.
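The customer-provided-key flow quoted above (the key travels with each request, the service stores a SHA-256 hash of it next to the blob, later operations must present the same key, and HTTPS is mandatory) can be made concrete with a small simulation. The following is an added example, not code from the question, the answer, or Microsoft; the three header names are the documented Azure Blob REST API headers for customer-provided keys, while `FakeBlobService`, its URLs and its accept/reject decisions are a constructed stand-in for the service-side bookkeeping and perform no real AES encryption.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlparse

# Documented Azure Blob REST API request headers for customer-provided keys (CPK).
HDR_KEY = "x-ms-encryption-key"
HDR_KEY_SHA256 = "x-ms-encryption-key-sha256"
HDR_ALGORITHM = "x-ms-encryption-algorithm"


def new_cpk() -> bytes:
    """Generate a fresh 256-bit key to use as a customer-provided key."""
    return secrets.token_bytes(32)


def cpk_headers(key: bytes) -> dict:
    """Build the headers a client sends with a CPK request.

    The key is base64-encoded and accompanied by the base64 SHA-256 of the raw key,
    which is what the service records alongside the blob and checks on later operations.
    """
    if len(key) != 32:
        raise ValueError("customer-provided key must be 256 bits (32 bytes)")
    return {
        HDR_KEY: base64.b64encode(key).decode("ascii"),
        HDR_KEY_SHA256: base64.b64encode(hashlib.sha256(key).digest()).decode("ascii"),
        HDR_ALGORITHM: "AES256",
    }


def key_from_headers(headers: dict) -> bytes:
    """Recover the raw key bytes from a CPK header set (used for round-trip checks)."""
    return base64.b64decode(headers[HDR_KEY])


class FakeBlobService:
    """Constructed simulation of the service-side CPK rules quoted in the answer.

    It keeps, per blob, the SHA-256 hash of the key the blob was created with and
    rejects any later read/write whose key (or absence of key) does not match.
    """

    def __init__(self):
        self._key_hash_by_blob = {}  # blob path -> base64 SHA-256 of its CPK

    def handle(self, method: str, url: str, headers: dict) -> tuple:
        """Return (accepted, reason) for one simulated request."""
        parts = urlparse(url)
        if parts.scheme != "https":
            # Keys only travel over TLS; the service refuses plain HTTP.
            return False, "customer-provided keys require HTTPS"
        blob = parts.path
        stored_hash = self._key_hash_by_blob.get(blob)
        key_b64 = headers.get(HDR_KEY)

        if key_b64 is None:
            if stored_hash is None:
                return True, "ok (no CPK involved)"
            return False, "blob was created with a customer-provided key; key required"

        if headers.get(HDR_ALGORITHM) != "AES256":
            return False, "unsupported encryption algorithm"

        # Recompute the hash from the key itself; never trust the client's hash header alone.
        actual_hash = base64.b64encode(
            hashlib.sha256(base64.b64decode(key_b64)).digest()
        ).decode("ascii")
        if actual_hash != headers.get(HDR_KEY_SHA256):
            return False, "key hash header does not match the supplied key"

        if stored_hash is None:
            if method == "PUT":
                self._key_hash_by_blob[blob] = actual_hash  # hash stored with the blob
                return True, "created with customer-provided key"
            return False, "blob not found"
        if stored_hash != actual_hash:
            return False, "wrong customer-provided key for this blob"
        return True, "ok"


def demo() -> list:
    """Walk through the scenario from the answer; returns the accept/reject decisions."""
    svc = FakeBlobService()
    url = "https://constructed.blob.core.windows.net/container/blob.txt"  # constructed URL
    key = new_cpk()
    hdrs = cpk_headers(key)
    return [
        svc.handle("PUT", url.replace("https", "http"), hdrs)[0],  # plain HTTP: rejected
        svc.handle("PUT", url, hdrs)[0],                           # create with CPK: ok
        svc.handle("GET", url, hdrs)[0],                           # same key: ok
        svc.handle("GET", url, {})[0],                             # no key: rejected
        svc.handle("GET", url, cpk_headers(new_cpk()))[0],         # different key: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one the answer draws: with customer-provided keys the service never holds the key, only its hash, so a caller that loses the key loses the blob, and every reader of that blob must be given the key out of band. With customer-managed keys the client sends nothing of the sort; the storage account's managed identity unwraps the account key in Key Vault on the service's behalf, which is why that model is invisible to request code.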