Azure密钥保险库与存储加密 [英] Azure Key vault vs Storage encryption

问题描述

我有一个高级存储帐户，在创建此帐户后立即启用了加密功能，并且找到了此链接

I have premium storage account for which I enabled Encryption just after creating this and I found this link https://docs.microsoft.com/en-us/azure/storage/storage-service-encryption to check whether blob are encrypted or not.

现在，如果我使用Azure密钥保管库加密OS磁盘和数据磁盘，该密钥库还用于保护静态数据，但是加密的存储帐户也可以执行相同的操作.谁能解释这两者之间的区别.我知道密钥，机密等信息，所以我不需要这种差异.

Now if I encrypt OS disk and data disk using Azure key vault which is also used to protect data at rest but encrypted storage account also does same thing. Could any one explain what difference among these two. I know about keys, secrets etc. so I don't want this diff.

推荐答案

它们是不同级别的服务.您可以将加密用于 传输中的数据或使用SSE写入Azure存储的数据. 您可以将敏感的存储访问密钥保留在Azure Key Vault中.

They are different levels of service. You can use encryption for the data in transit or for the data written to Azure Storage using SSE. You can keep your sensitive storage access keys in Azure Key Vault.

Azure Key Vault是一项Azure服务，可帮助您加密和保留密钥和秘密，包括存储帐户密钥，数据加密密钥，.PXF文件等.在几分钟之内为这些键授予权限.

Azure Key Vault is an Azure service to help you encrypt and keep keys and secrets, including storage account keys, data encryption keys, .PXF files, etc. It’s a great way to maintain keys and grant permissions to these keys in minutes.

从Azure存储安全性的角度来看，您可以将存储帐户密钥放入Azure Key Vault中，并从此处将其提供给客户端和应用程序.这将帮助您的应用程序直接从保险柜中检索访问密钥.在Vault中重新生成主存储密钥或辅助存储密钥时，应用程序将检索更新的密钥，而无需重新部署它们.请参考什么是Azure Key Vault?.

From an Azure Storage Security perspective, you can put your storage account keys into Azure Key Vault and service them from here to your clients and applications. That will help your applications retrieve access keys directly from Vault. When you regenerate your primary or secondary storage key in Vault, applications will retrieve updated keys without redeploying them. Please refer to What is Azure Key Vault?.

存储服务加密(SSE)允许您请求将存储服务写入数据到Azure存储时自动对数据进行加密.从Azure存储读取数据时，存储服务加密将被解密.退回之前的存储服务.这使您无需修改​​代码或将代码添加到任何应用程序即可保护数据安全. 现在，密钥由Microsoft管理，您无法使用密钥和管理密钥.SSE仅支持ARM模式存储帐户.您可以查看Azure存储安全性指南

Storage Service Encryption (SSE) allows you to request that the storage service automatically encrypt the data when writing it to Azure Storage. When you read the data from Azure Storage, it will be decrypted by the storage service before being returned. This enables you to secure your data without having to modify code or add code to any applications. Now, keys are managed by Microsoft, you could not use your keys and manage keys.SSE only supports ARM mode storage account. You can check Azure storage security guide here. Many encryption technology is optional, make appropriate choice based on your organizations compliance needs.

这篇关于Azure密钥保险库与存储加密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！