Restore Key Vault key and secret for encrypted VMs using Azure Backup

This article describes how to use Azure VM Backup to restore encrypted Azure VMs when the key and secret no longer exist in the key vault. The same steps apply if you want to keep a separate copy of the key (Key Encryption Key, KEK) and secret (BitLocker Encryption Key, BEK) for the restored VM.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

  • Back up encrypted VMs - The encrypted Azure VMs have been backed up using Azure Backup. Refer to the article Manage backup and restore of Azure VMs using PowerShell for details on how to back up encrypted Azure VMs.
  • Configure Azure Key Vault - Ensure that the key vault to which the keys and secrets need to be restored already exists. Refer to the article Get Started with Azure Key Vault for details on key vault management.
  • Restore disk - Ensure that you have triggered the restore job that restores the disks of the encrypted VM using the PowerShell steps. That job generates a JSON file in your storage account containing the keys and secrets of the encrypted VM to be restored.

Get key and secret from Azure Backup

Note

Once the disk has been restored for the encrypted VM, ensure that:

Query the properties of the restored disk for the job details.

# Read the location of the encryption configuration blob from the restore job details
$properties = $details.properties
$storageAccountName = $properties["Target Storage Account Name"]
$containerName = $properties["Config Blob Container Name"]
$encryptedBlobName = $properties["Encryption Info Blob Name"]

Set the Azure storage context and download the JSON configuration file that contains the key and secret details for the encrypted VM.

# Use the storage account that the restore job wrote the configuration blob to
Set-AzCurrentStorageAccount -Name $storageAccountName -ResourceGroupName '<rg-name>'
$destination_path = 'C:\vmencryption_config.json'
Get-AzStorageBlobContent -Blob $encryptedBlobName -Container $containerName -Destination $destination_path
# -Raw hands the whole file to ConvertFrom-Json as one string
$encryptionObject = Get-Content -Path $destination_path -Raw | ConvertFrom-Json

Restore key

Once the JSON file has been generated in the destination path above, write the key blob file from the JSON and feed it to the restore key cmdlet to put the key (KEK) back in the key vault.

# The key backup is stored base64-encoded in the JSON; write it back out as the binary blob the cmdlet expects
$keyDestination = 'C:\keyDetails.blob'
[io.file]::WriteAllBytes($keyDestination, [System.Convert]::FromBase64String($encryptionObject.OsDiskKeyAndSecretDetails.KeyBackupData))
# Az module cmdlet (Restore-AzureKeyVaultKey in the AzureRM module)
Restore-AzKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile $keyDestination

Restore secret

Use the JSON file generated above to get the secret name and value and feed them to the set secret cmdlet to put the secret (BEK) back in the key vault. Use these cmdlets if your VM is encrypted using BEK and KEK.

Use these cmdlets if your Windows VM is encrypted using BEK and KEK.

$secretdata = $encryptionObject.OsDiskKeyAndSecretDetails.SecretData
$Secret = ConvertTo-SecureString -String $secretdata -AsPlainText -Force
# Secret name is the segment after "secrets/" in OsDiskKeyAndSecretDetails.SecretUrl (see the note below)
$secretname = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'
# Tags that Azure Disk Encryption expects on a wrapped BEK secret for a Windows VM
$Tags = @{
    'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP'
    'DiskEncryptionKeyFileName'            = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.BEK'
    'DiskEncryptionKeyEncryptionKeyURL'    = $encryptionObject.OsDiskKeyAndSecretDetails.KeyUrl
    'MachineName'                          = 'vm-name'
}
# Az module cmdlet (Set-AzureKeyVaultSecret in the AzureRM module)
Set-AzKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $Secret -ContentType 'Wrapped BEK' -Tag $Tags

Use these cmdlets if your Linux VM is encrypted using BEK and KEK.

$secretdata = $encryptionObject.OsDiskKeyAndSecretDetails.SecretData
$Secret = ConvertTo-SecureString -String $secretdata -AsPlainText -Force
# Secret name is the segment after "secrets/" in OsDiskKeyAndSecretDetails.SecretUrl (see the note below)
$secretname = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'
# Tags that Azure Disk Encryption expects on a wrapped BEK secret for a Linux VM;
# replace the placeholder with the URL of the key you restored in the previous step
$Tags = @{
    'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP'
    'DiskEncryptionKeyFileName'            = 'LinuxPassPhraseFileName'
    'DiskEncryptionKeyEncryptionKeyURL'    = '<Key_url_of_newly_restored_key>'
    'MachineName'                          = 'vm-name'
}
# Az module cmdlet (Set-AzureKeyVaultSecret in the AzureRM module)
Set-AzKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $Secret -ContentType 'Wrapped BEK' -Tag $Tags

Use the JSON file generated above to get the secret name and value and feed them to the restore secret cmdlet to put the secret (BEK) back in the key vault. Use these cmdlets if your VM is encrypted using BEK only.

# The secret backup blob already carries the secret's name, value, content type and tags
$secretDestination = 'C:\secret.blob'
[io.file]::WriteAllBytes($secretDestination, [System.Convert]::FromBase64String($encryptionObject.OsDiskKeyAndSecretDetails.KeyVaultSecretBackupData))
# Az module cmdlet (Restore-AzureKeyVaultSecret in the AzureRM module)
Restore-AzKeyVaultSecret -VaultName '<target_key_vault_name>' -InputFile $secretDestination -Verbose

Note

  • The value for $secretname can be obtained from the output of $encryptionObject.OsDiskKeyAndSecretDetails.SecretUrl by taking the text after secrets/. For example, if the output secret URL is https://keyvaultname.vault.azure.cn/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163, the secret name is B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.
  • The value of the tag DiskEncryptionKeyFileName is the same as the secret name.
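The steps in this section can be driven entirely from the JSON configuration file rather than by copying names by hand. The following script is an added example, not code from the original article: it derives the secret and key names from the URLs in the file (the same rule the note above gives for the text after secrets/), restores the KEK only when a key of that name is not already present (Restore-AzKeyVaultKey rejects a restore that would overwrite an existing key), looks up the restored key by the version recorded in KeyUrl to build the DiskEncryptionKeyEncryptionKeyURL tag, and falls back to the BEK-only path when the file carries no key. It assumes $encryptionObject was loaded as shown above and that the property names under OsDiskKeyAndSecretDetails are as used in this article; $targetVault, $machineName and $vmOsType are placeholders, and Get-KeyVaultObjectRef is this example's own helper.

```powershell
# Added example (not from the original article). Assumes $encryptionObject was produced by the
# Get-AzStorageBlobContent / ConvertFrom-Json steps above and uses the OsDiskKeyAndSecretDetails
# property names shown in this article. Placeholder values are marked as such.
$targetVault = '<target_key_vault_name>'   # placeholder: vault to restore the key and secret into
$machineName = 'vm-name'                   # placeholder: name of the VM that will be created
$vmOsType    = 'Windows'                   # placeholder: 'Windows' or 'Linux'; decides the file-name tag
$details     = $encryptionObject.OsDiskKeyAndSecretDetails

# Key Vault object URLs look like https://<vault>/<type>/<name>/<version>.
# Hypothetical helper: returns the name and version segments after validating the type.
function Get-KeyVaultObjectRef {
    param([string]$Url, [ValidateSet('keys', 'secrets')][string]$Type)
    $segments = ([uri]$Url).AbsolutePath.Trim('/') -split '/'
    if ($segments.Count -lt 2 -or $segments[0] -ne $Type) {
        throw "Unexpected Key Vault $Type URL: $Url"
    }
    [pscustomobject]@{
        Name    = $segments[1]
        Version = if ($segments.Count -ge 3) { $segments[2] } else { $null }
    }
}

$secretRef = Get-KeyVaultObjectRef -Url $details.SecretUrl -Type 'secrets'

if ($details.KeyUrl) {
    # BEK + KEK: restore the KEK first, then write the wrapped BEK secret that points at it.
    $keyRef = Get-KeyVaultObjectRef -Url $details.KeyUrl -Type 'keys'
    if (Get-AzKeyVaultKey -VaultName $targetVault -Name $keyRef.Name -ErrorAction SilentlyContinue) {
        # Restoring over an existing key fails, and silently reusing a key of the same name risks
        # a KEK that cannot unwrap this BEK, so stop and let the operator decide.
        throw "Key '$($keyRef.Name)' already exists in vault '$targetVault'; restore into an empty name or another vault."
    }
    $keyBlob = Join-Path $env:TEMP "$($keyRef.Name).blob"
    [IO.File]::WriteAllBytes($keyBlob, [Convert]::FromBase64String($details.KeyBackupData))
    try {
        Restore-AzKeyVaultKey -VaultName $targetVault -InputFile $keyBlob | Out-Null
    } finally {
        # The blob is a backup of key material; do not leave it on disk after the restore.
        Remove-Item $keyBlob -Force -ErrorAction SilentlyContinue
    }

    # Reference the same key version that wrapped the BEK, now living in the target vault.
    $restoredKey = if ($keyRef.Version) {
        Get-AzKeyVaultKey -VaultName $targetVault -Name $keyRef.Name -Version $keyRef.Version
    } else {
        Get-AzKeyVaultKey -VaultName $targetVault -Name $keyRef.Name
    }
    if (-not $restoredKey) { throw "Key '$($keyRef.Name)' was not found in '$targetVault' after restore." }

    # Windows uses "<secret name>.BEK"; Linux uses the fixed file name shown in this article.
    $fileName = if ($vmOsType -eq 'Linux') { 'LinuxPassPhraseFileName' } else { "$($secretRef.Name).BEK" }
    $tags = @{
        'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP'
        'DiskEncryptionKeyFileName'            = $fileName
        'DiskEncryptionKeyEncryptionKeyURL'    = $restoredKey.Id   # versioned URL of the restored KEK
        'MachineName'                          = $machineName
    }
    $secretValue = ConvertTo-SecureString -String $details.SecretData -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $targetVault -Name $secretRef.Name -SecretValue $secretValue `
        -ContentType 'Wrapped BEK' -Tag $tags | Out-Null
    "Restored KEK '$($keyRef.Name)' and wrapped BEK secret '$($secretRef.Name)' into '$targetVault'."
} else {
    # BEK only: the secret backup blob already carries name, value, content type and tags.
    $secretBlob = Join-Path $env:TEMP "$($secretRef.Name).blob"
    [IO.File]::WriteAllBytes($secretBlob, [Convert]::FromBase64String($details.KeyVaultSecretBackupData))
    try {
        Restore-AzKeyVaultSecret -VaultName $targetVault -InputFile $secretBlob | Out-Null
    } finally {
        Remove-Item $secretBlob -Force -ErrorAction SilentlyContinue
    }
    "Restored BEK secret '$($secretRef.Name)' into '$targetVault'."
}
```

Run it in the same session as the steps above, after Connect-AzAccount and after $encryptionObject has been loaded. Writing the key and secret blobs to $env:TEMP and deleting them in a finally block keeps the exported key material off disk once the cmdlets have consumed it; if you prefer the fixed C:\ paths used in the article, keep the Remove-Item calls.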

Create virtual machine from restored disk

If you backed up the encrypted VM using Azure VM Backup, the PowerShell cmdlets above restore the key and secret to the key vault. After restoring them, refer to the article Manage backup and restore of Azure VMs using PowerShell to create encrypted VMs from the restored disk, key, and secret.

Legacy approach

The approach above works for all recovery points. However, for VMs encrypted using BEK and KEK, the older approach of getting the key and secret information from the recovery point remains valid for recovery points older than July 11, 2017. Once the restore disk job for the encrypted VM has completed using the PowerShell steps, ensure that $rp is populated with a valid value.

Restore key (legacy approach)

Use the following cmdlets to get the key (KEK) information from the recovery point and feed it to the restore key cmdlet to put it back in the key vault.

# Fetch the recovery point again, downloading its key backup file into the given folder
$rp1 = Get-AzRecoveryServicesBackupRecoveryPoint -RecoveryPointId $rp[0].RecoveryPointId -Item $backupItem -KeyFileDownloadLocation 'C:\Users\downloads'
# Az module cmdlet (Restore-AzureKeyVaultKey in the AzureRM module); -InputFile takes the key backup file
# that was downloaded into the location above
Restore-AzKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile 'C:\Users\downloads'

Restore secret (legacy approach)

Use the following cmdlets to get the secret (BEK) information from the recovery point and feed it to the set secret cmdlet to put it back in the key vault.

# Secret name is the segment after "secrets/" in $rp1.KeyAndSecretDetails.SecretUrl (see the note below)
$secretname = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'
$secretdata = $rp1.KeyAndSecretDetails.SecretData
$Secret = ConvertTo-SecureString -String $secretdata -AsPlainText -Force
# DiskEncryptionKeyEncryptionKeyURL is the URL of the key restored in the previous step (see the note below)
$Tags = @{
    'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP'
    'DiskEncryptionKeyFileName'            = 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.BEK'
    'DiskEncryptionKeyEncryptionKeyURL'    = 'https://mykeyvault.vault.azure.cn:443/keys/KeyName/84daaac999949999030bf99aaa5a9f9'
    'MachineName'                          = 'vm-name'
}
# Az module cmdlet (Set-AzureKeyVaultSecret in the AzureRM module); -SecretValue is passed once
Set-AzKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $Secret -Tag $Tags -ContentType 'Wrapped BEK'

Note

  • The value for $secretname can be obtained from the output of $rp1.KeyAndSecretDetails.SecretUrl by taking the text after secrets/. For example, if the output secret URL is https://keyvaultname.vault.azure.cn/secrets/B3284AAA-DAAA-4AAA-B393-60CAA848AAAA/xx000000xx0849999f3xx30000003163, the secret name is B3284AAA-DAAA-4AAA-B393-60CAA848AAAA.
  • The value of the tag DiskEncryptionKeyFileName is the same as the secret name.
  • The value for DiskEncryptionKeyEncryptionKeyURL can be obtained from the key vault after restoring the key, using the Get-AzKeyVaultKey cmdlet (Get-AzureKeyVaultKey in the AzureRM module).
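Whichever path was used, it is worth confirming that the objects now in the target vault fit together before creating the VM from the restored disk: the secret must carry the 'Wrapped BEK' content type and the four tags, the file-name tag must match the secret name, and the KEK URL in the tags must resolve to an enabled key in the same vault. The function below is an added example, not code from the original article; Test-RestoredDiskEncryptionObjects is this example's own name, and the vault and secret names in the usage line are placeholders.

```powershell
# Added example (not from the original article): consistency check for a restored KEK/BEK pair.
# Returns a list of problems; an empty list means the objects look usable.
function Test-RestoredDiskEncryptionObjects {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName
    )
    $problems = @()

    # Az module cmdlet; returns nothing when the secret does not exist
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction SilentlyContinue
    if (-not $secret) { return @("Secret '$SecretName' not found in vault '$VaultName'") }

    if ($secret.ContentType -ne 'Wrapped BEK') {
        $problems += "Secret content type is '$($secret.ContentType)', expected 'Wrapped BEK'"
    }

    # All four tags from the Set-AzKeyVaultSecret steps must be present
    $requiredTags = 'DiskEncryptionKeyEncryptionAlgorithm', 'DiskEncryptionKeyFileName',
                    'DiskEncryptionKeyEncryptionKeyURL', 'MachineName'
    foreach ($tag in $requiredTags) {
        if (-not $secret.Tags -or -not $secret.Tags.ContainsKey($tag)) { $problems += "Missing tag '$tag'" }
    }
    if ($problems) { return $problems }

    if ($secret.Tags['DiskEncryptionKeyEncryptionAlgorithm'] -ne 'RSA-OAEP') {
        $problems += "Unexpected wrap algorithm '$($secret.Tags['DiskEncryptionKeyEncryptionAlgorithm'])'"
    }

    # Windows: "<secret name>.BEK" (the article's note also allows the bare name); Linux: fixed name
    $fileName = $secret.Tags['DiskEncryptionKeyFileName']
    $allowed  = @("$SecretName.BEK", $SecretName, 'LinuxPassPhraseFileName')
    if ($allowed -notcontains $fileName) {
        $problems += "DiskEncryptionKeyFileName '$fileName' does not match secret name '$SecretName'"
    }

    # The KEK URL must parse as https://<vault>/keys/<name>/<version> and resolve in this vault
    $kekUrl = $secret.Tags['DiskEncryptionKeyEncryptionKeyURL']
    $uri = $null
    if (-not [uri]::TryCreate($kekUrl, [UriKind]::Absolute, [ref]$uri)) {
        $problems += "DiskEncryptionKeyEncryptionKeyURL '$kekUrl' is not an absolute URL"
        return $problems
    }
    $segments = $uri.AbsolutePath.Trim('/') -split '/'
    if ($segments.Count -lt 3 -or $segments[0] -ne 'keys') {
        $problems += "DiskEncryptionKeyEncryptionKeyURL '$kekUrl' is not a versioned key URL"
        return $problems
    }
    $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $segments[1] -Version $segments[2] -ErrorAction SilentlyContinue
    if (-not $key) {
        $problems += "KEK '$($segments[1])' version '$($segments[2])' not found in vault '$VaultName'"
    } elseif (-not $key.Enabled) {
        $problems += "KEK '$($segments[1])' version '$($segments[2])' is disabled"
    } elseif ($uri.Host -ne ([uri]$key.Id).Host) {
        # Tag still points at the source vault's hostname; the VM would look for the KEK there
        $problems += "DiskEncryptionKeyEncryptionKeyURL host '$($uri.Host)' differs from vault '$VaultName'"
    }
    return $problems
}

# Usage (placeholders): run after either restore path, before creating the VM
$issues = Test-RestoredDiskEncryptionObjects -VaultName '<target_key_vault_name>' -SecretName 'B3284AAA-DAAA-4AAA-B393-60CAA848AAAA'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Restored key and secret are consistent.' }
```

The host comparison is the check most often needed when restoring into a different vault than the original: the article's Windows example reuses the KeyUrl from the backup JSON, which still names the source vault, so the tag has to be replaced with the restored key's URL when the target vault differs.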

Next steps

After restoring the key and secret to the key vault, refer to the article Manage backup and restore of Azure VMs using PowerShell to create encrypted VMs from the restored disk, key, and secret.