在Windows Azure中的密钥管理 [英] Key Management in Windows Azure
问题描述
我有点困惑如何键(数据加密)存储在Windows Azure中。
I'm a bit confused about how to store keys (for data encryption) in Windows Azure.
根据以下两个链接(#1 时,<一href=\"http://blogs.msdn.com/b/usisvde/archive/2012/03/15/windows-azure-security-best-practices-part-7-tips-tools-coding-best-practices.aspx\">#2),建议存储密钥/在Windows Azure存储密钥库:
According to the following two links (#1, #2), it is recommended to store the keys/key library in the Windows Azure Storage:
在Windows Azure存储服务中存储自己的密钥库是坚持一些秘密信息,因为你可以依靠这些数据是在多租户环境中的安全,并通过自己的存储密钥保护的好方法。
Storing your own key library within the Windows Azure Storage services is a good way to persist some secret information since you can rely on this data being secure in the multi-tenant environment and secured by your own storage keys.
但安全最佳实践开发Windows Azure应用程序(<一href=\"http://download.microsoft.com/download/7/3/e/73e4ee93-559f-4d0f-a6fc-7fec5f1542d1/securitybestpracticeswindowsazureapps.docx\">#3)建议不要对任何关键材料的相关存储在Windows Azure中:
But the "Security Best Practices For Developing Windows Azure Applications" (#3) recommends NOT to store any key related material in Windows Azure:
此外,开发人员不应该上传
键或任一密钥材料到Windows Azure存储,无论他们是关于隐藏它是如何小心。如果
任何计算机或存储服务被破坏,就可能导致被暴露的加密密钥。
Also, developers should not upload the key or any keying material to Windows Azure Storage, regardless of how careful they are about hiding it. If any computer or storage services were compromised, it could lead to encryption keys being exposed.
什么是Windows Azure的存储密钥的最佳方法进行加密?
What is the best approach to store keys for encryption in Windows Azure?
推荐答案
您会从我在我与您的问题同意,第一个链接的评论看。 :)
You'll see from my comment in that first link that I agree with your concerns. :)
Azure的存储有比它自己的证书存储其它键没有安全的方式。这是一篇关于使用此方法:
Azure has no secure way of storing keys other than it's own Certificate Storage. Here is an article on using this method:
<一个href=\"http://blogs.msdn.com/b/windowsazure/archive/2011/09/07/field-note-using-certificate-based-encryption-in-windows-azure-applications.aspx\"相对=nofollow>字段注意:在Windows Azure应用程序使用基于证书加密
您会注意到我还评论该文章的缺点也链接到这个问题:
You'll notice I've also commented on that article's shortcomings too, linking to this question:
<一个href=\"http://stackoverflow.com/questions/11288233/read-azure-serviceconfiguration-files-certificate-section-using-c-sharp\">Read蔚蓝ServiceConfiguration文件的证书部分使用C#
使用的一个例子Azure中的内置存储证书来加密AES密钥(避免对加密数据长度的RSA的限制,同时保持AES密钥的安全),可以在这个项目中找到:
An example of using Azure's built in certificate storage to encrypt AES keys (avoiding the RSA restrictions on encrypted data length, while keeping the AES key secure) can be found in this project:
在EncryptDecrypt项目中的 SymmetricKeyHelper 类是特别感兴趣的。
The SymmetricKeyHelper class in the EncryptDecrypt project is of particular interest.
荣誉给@breischl的提到它,以及他对这个项目的贡献。
Kudos to @breischl for mentioning it, and for his contributions to the project.
这篇关于在Windows Azure中的密钥管理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
