你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn

使用 Azure CLI 为 Azure Database for MySQL 灵活服务器设置数据加密

适用于 Azure Database for MySQL 灵活服务器

本教程介绍如何使用 Azure CLI 为 Azure Database for MySQL 灵活服务器设置和管理数据加密。

本教程介绍如何执行下列操作:

  • 使用数据加密来创建 Azure Database for MySQL 灵活服务器实例
  • 使用数据加密更新现有的 Azure Database for MySQL 灵活服务器实例
  • 使用 Azure 资源管理器模板启用数据加密

先决条件

az login
  • 如果你有多个订阅,请使用 az account set 命令选择要在其中创建服务器的相应订阅:
az account set --subscription \<subscription id\>
  • 在 Azure Key Vault 中,创建密钥保管库或托管 HSM 和密钥。 该密钥保管库或托管 HSM 必须具有以下属性才能用作客户托管的密钥:

软删除

az resource update --id $(az keyvault show --name \ \<key\_vault\_name\> -o tsv | awk '{print $1}') --set \ properties.enableSoftDelete=true

清除保护

az keyvault update --name \<key\_vault\_name\> --resource-group \<resource\_group\_name\> --enable-purge-protection true

保留天数设置为 90 天:

az keyvault update --name \<key\_vault\_name\> --resource-group \<resource\_group\_name\> --retention-days 90

该密钥必须具有以下属性才能用作客户管理的密钥:

  • 无过期日期
  • 未禁用
  • 执行“列出”、“获取”、“包装”、“解包”操作
  • recoverylevel 属性设置为 Recoverable(这需要启用软删除,并将保留期设置为 90 天)
  • 已启用清除保护

可以使用以下命令来验证密钥的上述属性:

az keyvault key show --vault-name \<key\_vault\_name\> -n \<key\_name\>

使用数据加密更新现有的 Azure Database for MySQL 灵活服务器实例

设置或更改用于数据加密的密钥和标识:

az mysql flexible-server update --resource-group testGroup --name testserver \\ --key \<key identifier of newKey\> --identity newIdentity

禁用 Azure Database for MySQL 灵活服务器的数据加密:

az mysql flexible-server update --resource-group testGroup --name testserver --disable-data-encryption

创建启用了异地冗余备份和数据加密的 Azure Database for MySQL 灵活服务器实例

az mysql flexible-server create -g testGroup -n testServer --location testLocation \\
--geo-redundant-backup Enabled \\
--key <key identifier of testKey> --identity testIdentity \\
--backup-key <key identifier of testBackupKey> --backup-identity testBackupIdentity

使用异地冗余备份设置或更改用于数据加密的密钥、标识、备份密钥和备份标识:

az mysql flexible-server update --resource-group testGroup --name testserver \\ --key \<key identifier of newKey\> --identity newIdentity \\  --backup-key \<key identifier of newBackupKey\> --backup-identity newBackupIdentity

使用 Azure 资源管理器模板启用数据加密

参数 identityUri 和 primaryKeyUri 分别是用户托管标识和用户托管密钥的资源 ID。

    "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "administratorLogin": {
            "type": "string"
        },
        "administratorLoginPassword": {
            "type": "securestring"
        },
        "location": {
            "type": "string"
        },
        "serverName": {
            "type": "string"
        },
        "serverEdition": {
            "type": "string"
        },
        "vCores": {
            "type": "int",
            "defaultValue": 4
        },
        "storageSizeGB": {
            "type": "int"
        },
        "haEnabled": {
            "type": "string",
            "defaultValue": "Disabled"
        },
        "availabilityZone": {
            "type": "string"
        },
        "standbyAvailabilityZone": {
            "type": "string"
        },
        "version": {
            "type": "string"
        },
        "tags": {
            "type": "object",
            "defaultValue": {}
        },
        "backupRetentionDays": {
            "type": "int"
        },
        "geoRedundantBackup": {
            "type": "string"
        },
        "vmName": {
            "type": "string",
            "defaultValue": "Standard_B1ms"
        },
        "storageIops": {
            "type": "int"
        },
        "storageAutogrow": {
            "type": "string",
            "defaultValue": "Enabled"
        },
        "autoIoScaling": {
            "type": "string",
            "defaultValue": "Disabled"
        },
        "vnetData": {
            "type": "object",
            "metadata": {
                "description": "Vnet data is an object which contains all parameters pertaining to vnet and subnet"
            },
            "defaultValue": {
                "virtualNetworkName": "testVnet",
                "subnetName": "testSubnet",
                "virtualNetworkAddressPrefix": "10.0.0.0/16",
                "virtualNetworkResourceGroupName": "[resourceGroup().name]",
                "location": "eastus2",
                "subscriptionId": "[subscription().subscriptionId]",
                "subnetProperties": {},
                "isNewVnet": false,
                "subnetNeedsUpdate": false,
                "Network": {}
            }
        },
        "identityUri": {
            "type": "string",
            "metadata": {
                "description": "The resource ID of the identity used for data encryption"
            }
        },
        "primaryKeyUri": {
            "type": "string",
            "metadata": {
                "description": "The resource ID of the key used for data encryption"
            }
        }
    },
    "variables": {
        "api": "2021-05-01",
        "identityData": "[if(empty(parameters('identityUri')), json('null'), createObject('type', 'UserAssigned', 'UserAssignedIdentities', createObject(parameters('identityUri'), createObject())))]",
        "dataEncryptionData": "[if(or(empty(parameters('identityUri')), empty(parameters('primaryKeyUri'))), json('null'), createObject('type', 'AzureKeyVault', 'primaryUserAssignedIdentityId', parameters('identityUri'), 'primaryKeyUri', parameters('primaryKeyUri')))]"
    },
    "resources": [
        {
            "apiVersion": "[variables('api')]",
            "location": "[parameters('location')]",
            "name": "[parameters('serverName')]",
            "identity": "[variables('identityData')]",
            "properties": {
                "version": "[parameters('version')]",
                "administratorLogin": "[parameters('administratorLogin')]",
                "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
                "Network": "[if(empty(parameters('vnetData').Network), json('null'), parameters('vnetData').Network)]",
                "Storage": {
                    "StorageSizeGB": "[parameters('storageSizeGB')]",
                    "Iops": "[parameters('storageIops')]",
                    "Autogrow": "[parameters('storageAutogrow')]",
                    "AutoIoScaling": "[parameters('autoIoScaling')]"
                },
                "Backup": {
                    "backupRetentionDays": "[parameters('backupRetentionDays')]",
                    "geoRedundantBackup": "[parameters('geoRedundantBackup')]"
                },
                "availabilityZone": "[parameters('availabilityZone')]",
                "highAvailability": {
                    "mode": "[parameters('haEnabled')]",
                    "standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]"
                },
                "dataEncryption": "[variables('dataEncryptionData')]"
            },
            "sku": {
                "name": "[parameters('vmName')]",
                "tier": "[parameters('serverEdition')]",
                "capacity": "[parameters('vCores')]"
            },
            "tags": "[parameters('tags')]",
            "type": "Microsoft.DBforMySQL/flexibleServers"
        }
    ]
}

后续步骤