简体繁体 English

使用 Azure CosmosDB 与存储进行端到端加密

[英]End-to-end encryption with Azure CosmosDB vs Storage

原文 2019-03-13 09:22:44 4 3 azure/ security/ encryption/ azure-storage/ azure-cosmosdb

We develop a cloud based SaaS solution suitable for multiple tenants.我们开发了适用于多个租户的基于云的 SaaS 解决方案。 For very sensitive data, we need to isolate tenants and provide end-to-end encryption for users assigned to this tenant.对于非常敏感的数据，我们需要隔离租户，并为分配给该租户的用户提供端到端加密。 Not even the operators of the SaaS solution provider should be able to decrypt the data.即使是 SaaS 解决方案提供商的运营商也不应该能够解密数据。

Azure Storage Azure 存储

I see that i could use the client-side encryption feature along with Azure Key Value for Azure Storage to accomplish this, allowing every tenant to provide a separate Azure KeyVault account which manages the encryption keys.我发现我可以使用客户端加密功能和 Azure 存储的 Azure 密钥值来实现这一点，允许每个租户提供一个单独的 Azure KeyVault 帐户来管理加密密钥。

Azure Cosmos DB Azure Cosmos 数据库

As Azure Cosmos DB provides superior features regarding scalability, we would like to use Cosmos over Azure Storage.由于 Azure Cosmos DB 提供了有关可伸缩性的卓越功能，我们希望在 Azure 存储上使用 Cosmos。 However, i didn't find a comparable feature for Cosmos DB providing end-to-end encryption capabilitys.但是，我没有找到 Cosmos DB 提供端到端加密功能的类似功能。 The only Cosmos DB encryption feature i found is encryption at rest .我发现的唯一 Cosmos DB 加密功能是静态加密。

So my question is:所以我的问题是：

Is there a comparable feature for Azure Cosmos DB i could use to achieve the same goal (end-to-end encryption)?我可以使用 Azure Cosmos DB 的类似功能来实现相同的目标（端到端加密）吗？

3 个解决方案

I've got an answer from the Azure Cosmos DB Team on Twitter我在 Twitter 上从 Azure Cosmos DB 团队那里得到了答案

Cosmos DB currently only supports encryption at rest and in transit. Cosmos DB 目前仅支持静态和传输中的加密。 BYOK scenarios are on their roadmap . BYOK 方案在他们的路线图上。

Update: The Feature is now generally available .更新：该功能现已正式发布。

In May 2020, Microsoft have made customer-managed-keys feature GA which means you can choose to add a second layer of encryption with keys you manage (customer-managed keys). 2020 年 5 月，Microsoft 使客户管理的密钥功能成为 GA，这意味着您可以选择使用您管理的密钥（客户管理的密钥）添加第二层加密。

Note: This feature can be enabled only for New Azure Cosmos Accounts.注意：只能为新 Azure Cosmos 帐户启用此功能。 Can't enable for existing accounts.无法为现有帐户启用。

https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk

Is there a comparable feature for Azure Cosmos DB i could use to achieve the same goal (end-to-end encryption)?我可以使用 Azure Cosmos DB 的类似功能来实现相同的目标（端到端加密）吗？

Based on the encryption at rest , all user data stored in Cosmos DB is encrypted at rest and in transport, you don't have to take any action.基于静态加密，存储在 Cosmos DB 中的所有用户数据都是静态和传输加密的，您无需采取任何操作。 But it is transparent for multi-tenants.但它对多租户是透明的。 So,if you want to implement end-to-end encryption which is similar to the Client-Side Encryption in Blob storage , you need to encapsulate your own encryption methods before the operations to your cosmos db data.因此，如果要实现类似于Blob 存储中的客户端加密的端到端加密，则需要在对 Cosmos db 数据进行操作之前封装自己的加密方法。

Moreover,if your data is formatted as files,I suggest you using Blob Storage because the cost of cosmos db is maybe a little higher.此外，如果您的数据被格式化为文件，我建议您使用 Blob Storage，因为 cosmos db 的成本可能会高一点。