Back up and restore encrypted Azure VMs

This article describes how to back up and restore Windows or Linux Azure virtual machines (VMs) with encrypted disks using the Azure Backup service.

If you want to learn more about how Azure Backup interacts with Azure VMs before you begin, review these resources:

  • Review the Azure VM backup architecture.
  • Learn about Azure VM backup and the Azure Backup extension.

Encryption support

Azure Backup supports backup of Azure VMs that have their OS/data disks encrypted with Azure Disk Encryption (ADE). ADE uses BitLocker for encryption of Windows VMs, and the dm-crypt feature for Linux VMs. ADE integrates with Azure Key Vault to manage disk-encryption keys and secrets. Key Vault Key Encryption Keys (KEKs) can be used to add an additional layer of security by encrypting the disk-encryption secrets (the BEKs) before they are written to Key Vault.

Azure Backup can back up and restore Azure VMs using ADE with and without the Azure AD app, as summarized in the following table.

  VM disk type   ADE (BEK/dm-crypt)   ADE and KEK
  Unmanaged      Yes                  Yes
  Managed        Yes                  Yes

Limitations

  • You can back up and restore encrypted VMs only within the same subscription and region as the Recovery Services vault.
  • Azure Backup supports VMs encrypted using standalone keys. Any key that is part of a certificate used to encrypt a VM isn't currently supported.
  • Encrypted VMs can't be recovered at the file/folder level. You need to recover the entire VM to restore files and folders.
  • When restoring a VM, you can't use the Replace existing VM option for encrypted VMs. This option is only supported for unencrypted managed disks.

Before you start

Before you start, do the following:

  1. Create a Recovery Services vault if you don't have one.
  2. If you enable encryption for VMs that are already enabled for backup, you only need to give Azure Backup permission to access the Key Vault so that backups continue without disruption. Learn more about assigning these permissions.

In addition, there are a couple of things that you might need to do in some circumstances:

  • Install the VM agent on the VM: Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent running on the machine. If your VM was created from an Azure Marketplace image, the agent is installed and running. If you create a custom VM or migrate an on-premises machine, you might need to install the agent manually.

Configure a backup policy

  1. If you haven't yet created a Recovery Services vault, follow these instructions.

  2. Open the vault in the portal, and select Backup in the Getting Started section.


  3. In Backup goal > Where is your workload running?, select Azure.

  4. In What do you want to back up?, select Virtual machine > OK.


  5. In Backup policy > Choose backup policy, select the policy that you want to associate with the vault. Then click OK.

    • A backup policy specifies when backups are taken, and how long they are stored.
    • The details of the default policy are listed under the drop-down menu.


  6. If you don't want to use the default policy, select Create New, and create a custom policy.

  7. Choose the encrypted VMs you want to back up using the selected policy, and select OK.


  8. If you're using Azure Key Vault, the vault page shows a message stating that Azure Backup needs read-only access to the keys and secrets in the Key Vault.

    • If the message confirms that access is already in place, no action is required.
    • If the message is an access warning, you need to set permissions as described in Provide permissions below.

  9. Click Enable Backup to deploy the backup policy in the vault, and enable backup for the selected VMs.

Trigger a backup job

The initial backup runs according to the schedule, but you can run it immediately as follows:

  1. In the vault menu, click Backup items.
  2. In Backup Items, click Azure Virtual Machine.
  3. In the Backup Items list, click the ellipsis (...).
  4. Click Backup now.
  5. In Backup Now, use the calendar control to select the last day that the recovery point should be retained. Then click OK.
  6. Monitor the portal notifications. You can monitor the job progress in the vault dashboard > Backup Jobs > In progress. Depending on the size of your VM, creating the initial backup may take a while.

Provide permissions

Azure Backup needs read-only access to the keys and secrets in the Key Vault, along with access to the associated VMs, in order to back up encrypted VMs.

  • Your Key Vault is associated with the Azure AD tenant of the Azure subscription. If you're a Member user, Azure Backup acquires access to the Key Vault without further action.
  • If you're a Guest user, you must provide permissions for Azure Backup to access the Key Vault.

To set permissions:

  1. In the Azure portal, select All services, and search for Key vaults.

  2. Select the Key Vault associated with the encrypted VM you're backing up.

  3. Select Access policies > Add new.

  4. Select Select principal, and then type Backup Management.

  5. Select Backup Management Service > Select.

  6. In Add access policy > Configure from template (optional), select Azure Backup.

    • The required permissions are prefilled for Key permissions and Secret permissions.
    • If your VM is encrypted using a BEK only, clear the selection for Key permissions, since only secret permissions are needed.

  7. Click OK. Backup Management Service is added to Access policies.

  8. Click Save to provide Azure Backup with the permissions.
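The same grant scripted with the Az PowerShell module, as an added example (not code from this page or from Microsoft): it resolves the Backup Management Service principal by display name rather than hard-coding an application ID, applies the Get/List/Backup key and secret permissions that the Azure Backup template uses, drops the key permissions for BEK-only VMs, and reads the policy back to confirm nothing broader than that was granted. The vault and resource group names are placeholders; the script assumes an authenticated Az session (Connect-AzAccount) and a Key Vault that uses the access-policy permission model, which is what the portal steps above configure.

```powershell
# Added example: grant Azure Backup read/backup access to the Key Vault holding the ADE
# secrets (and KEK, if used). Requires Az.Accounts, Az.Resources and Az.KeyVault.
function Grant-BackupKeyVaultAccess {
    param(
        [Parameter(Mandatory)] [string] $VaultName,          # placeholder, e.g. 'kv-ade-prod'
        [Parameter(Mandatory)] [string] $ResourceGroupName,  # resource group of the Key Vault
        # Set when the VM is encrypted with a BEK only: the service then needs secret
        # permissions but no key permissions (least privilege, as the portal step notes).
        [switch] $BekOnly
    )
    $ErrorActionPreference = 'Stop'

    # Resolve the first-party principal in this tenant by display name. A Guest user
    # without directory read permission may get nothing back here; that is the case the
    # page's "Guest user" note is about, and the lookup fails closed rather than guessing.
    $sp = @(Get-AzADServicePrincipal -DisplayName 'Backup Management Service')
    if ($sp.Count -eq 0) { throw "Backup Management Service principal not found in this tenant." }
    if ($sp.Count -gt 1) { throw "More than one principal matched; refine the lookup." }
    $sp = $sp[0]

    # Permissions used by the 'Azure Backup' access-policy template: Get, List, Backup.
    $template    = @('Get', 'List', 'Backup')
    $secretPerms = $template
    $keyPerms    = if ($BekOnly) { @() } else { $template }

    $splat = @{
        VaultName            = $VaultName
        ResourceGroupName    = $ResourceGroupName
        ObjectId             = $sp.Id
        PermissionsToSecrets = $secretPerms
    }
    if ($keyPerms.Count -gt 0) { $splat['PermissionsToKeys'] = $keyPerms }
    Set-AzKeyVaultAccessPolicy @splat

    # Verify by reading the policy back: the grant must exist and must not exceed the
    # read-only template (no Delete, Purge, Set, Decrypt, ... for a backup service).
    $vault  = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) { throw "Access policy for Backup Management Service was not written." }
    $granted   = @($policy.PermissionsToKeys) + @($policy.PermissionsToSecrets)
    $overbroad = @($granted | Where-Object { $_ -and ($_ -notin $template) })

    [pscustomobject]@{
        Principal   = $sp.DisplayName
        ObjectId    = $sp.Id
        KeyPerms    = ($policy.PermissionsToKeys -join ',')
        SecretPerms = ($policy.PermissionsToSecrets -join ',')
        Overbroad   = $overbroad   # empty when only Get/List/Backup are present
    }
}

# Example invocation with placeholder names (BEK-only VM, so key permissions are skipped):
# Grant-BackupKeyVaultAccess -VaultName 'kv-ade-prod' -ResourceGroupName 'rg-keys' -BekOnly
```

If the Overbroad field comes back non-empty, the principal already held wider permissions from an earlier manual grant; trim them in the portal or with Remove-AzKeyVaultAccessPolicy followed by a fresh run, since a backup service that can Delete or Decrypt is far more than "read-only access to the keys and secrets".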

Restore an encrypted VM

Restore encrypted VMs as follows:

  1. Restore the VM disks.
  2. Recreate the virtual machine instance by doing one of the following:
    1. Use the template that's generated during the restore operation to customize VM settings, and trigger VM deployment. Learn more.
    2. Create a new VM from the restored disks using PowerShell. Learn more.
  3. For Linux VMs, reinstall the ADE extension so the data disks are opened and mounted.
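Steps 1 and 2b above, scripted with the Az PowerShell module for a VM with managed disks, as an added example (not code from this page or from Microsoft): it restores the disks from the newest recovery point in the last few days, downloads the VM configuration that the restore job writes to the staging storage account, and recreates the VM with the ADE secret URL (and KEK URL, when one was used) taken from that configuration, so the restored OS disk can be unlocked at boot. All names passed in are placeholders and the network interface must already exist. The `properties.storageProfile` and `properties.hardwareProfile` property names in the generated config, and the `Config Blob ...` / `Target Storage Account Name` job-detail keys, are what the restore job and Az.RecoveryServices expose; the `EncryptionEnabled` check on the recovery point object is an assumption about that module and is only a warning.

```powershell
# Added example: restore an ADE-encrypted, managed-disk VM from Azure Backup and rebuild it.
# Requires Az.Accounts, Az.RecoveryServices, Az.Storage and Az.Compute; authenticate first.
function Restore-EncryptedVm {
    param(
        [Parameter(Mandatory)] [string] $RsVaultName,                 # Recovery Services vault
        [Parameter(Mandatory)] [string] $RsVaultResourceGroup,
        [Parameter(Mandatory)] [string] $SourceVmName,                # protected VM's name
        [Parameter(Mandatory)] [string] $StagingStorageAccount,       # receives VMConfig.json
        [Parameter(Mandatory)] [string] $StagingStorageResourceGroup,
        [Parameter(Mandatory)] [string] $TargetResourceGroup,         # restored disks + new VM
        [Parameter(Mandatory)] [string] $NewVmName,
        [Parameter(Mandatory)] [string] $NicId,                       # existing NIC resource ID
        [int] $LookbackDays = 7
    )
    $ErrorActionPreference = 'Stop'

    # 1. Restore the disks. Encrypted VMs restore as disks only: no "Replace existing",
    #    no file-level recovery, and only into the vault's own subscription and region.
    $vault     = Get-AzRecoveryServicesVault -ResourceGroupName $RsVaultResourceGroup -Name $RsVaultName
    $container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $SourceVmName -VaultId $vault.ID
    if (-not $container) { throw "VM '$SourceVmName' is not protected in vault '$RsVaultName'." }
    $item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID
    $now  = (Get-Date).ToUniversalTime()   # the recovery-point window must be given in UTC
    $rp   = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID `
                -StartDate $now.AddDays(-$LookbackDays) -EndDate $now |
            Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
    if (-not $rp) { throw "No recovery point for '$SourceVmName' in the last $LookbackDays days." }
    if (-not $rp.EncryptionEnabled) { Write-Warning "Recovery point is not flagged as encrypted." }

    $job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp -VaultId $vault.ID `
               -StorageAccountName $StagingStorageAccount `
               -StorageAccountResourceGroupName $StagingStorageResourceGroup `
               -TargetResourceGroupName $TargetResourceGroup
    $job = Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID -Timeout 43200
    if ($job.Status -ne 'Completed') { throw "Restore job $($job.JobId) ended with status '$($job.Status)'." }

    # 2. Fetch the generated VM configuration; it names the restored disks and carries the
    #    ADE key/secret URLs that the new VM's OS disk must reference.
    $props = (Get-AzRecoveryServicesBackupJobDetail -Job $job -VaultId $vault.ID).Properties
    $sa    = Get-AzStorageAccount -ResourceGroupName $StagingStorageResourceGroup -Name $props['Target Storage Account Name']
    $local = Join-Path ([IO.Path]::GetTempPath()) $props['Config Blob Name']
    Get-AzStorageBlobContent -Container $props['Config Blob Container Name'] -Blob $props['Config Blob Name'] `
        -Destination $local -Context $sa.Context -Force | Out-Null
    $cfg = Get-Content -Raw $local | ConvertFrom-Json
    Remove-Item $local -Force   # contains Key Vault URLs and disk names; don't leave it on disk

    $osDiskCfg = $cfg.'properties.storageProfile'.osDisk
    $enc       = $osDiskCfg.encryptionSettings
    if (-not $enc.diskEncryptionKey.secretUrl) { throw "No ADE secret URL in the config; was the source VM encrypted?" }
    $osDisk    = Get-AzDisk -ResourceGroupName $TargetResourceGroup -DiskName $osDiskCfg.name

    $vm = New-AzVMConfig -VMName $NewVmName -VMSize $cfg.'properties.hardwareProfile'.vmSize
    $osArgs = @{
        VM = $vm; Name = $osDisk.Name; ManagedDiskId = $osDisk.Id; CreateOption = 'Attach'
        DiskEncryptionKeyUrl     = $enc.diskEncryptionKey.secretUrl        # BEK secret
        DiskEncryptionKeyVaultId = $enc.diskEncryptionKey.sourceVault.id
    }
    if ($enc.keyEncryptionKey) {   # present only when a KEK wraps the BEK
        $osArgs.KeyEncryptionKeyUrl     = $enc.keyEncryptionKey.keyUrl
        $osArgs.KeyEncryptionKeyVaultId = $enc.keyEncryptionKey.sourceVault.id
    }
    if ($osDiskCfg.osType -eq 'Windows') { $osArgs.Windows = $true } else { $osArgs.Linux = $true }
    $vm = Set-AzVMOSDisk @osArgs

    foreach ($d in @($cfg.'properties.storageProfile'.dataDisks)) {
        $disk = Get-AzDisk -ResourceGroupName $TargetResourceGroup -DiskName $d.name
        $vm   = Add-AzVMDataDisk -VM $vm -Name $disk.Name -ManagedDiskId $disk.Id -Lun $d.lun -CreateOption Attach
    }
    $vm = Add-AzVMNetworkInterface -VM $vm -Id $NicId
    New-AzVM -ResourceGroupName $TargetResourceGroup -Location $vault.Location -VM $vm | Out-Null

    [pscustomobject]@{
        RestoredFrom = $rp.RecoveryPointTime
        NewVm        = $NewVmName
        OsType       = $osDiskCfg.osType
        UsesKek      = [bool]$enc.keyEncryptionKey
        DataDisks    = @($cfg.'properties.storageProfile'.dataDisks).Count
    }
}
```

Step 3 is deliberately not in the block: for a Linux VM with encrypted data disks you still have to re-enable the ADE extension on the new VM (Set-AzVMDiskEncryptionExtension against $NewVmName) so dm-crypt opens and mounts them, and the right volume type, key vault URL and sequence version depend on how the source VM was encrypted. Check the returned OsType and DataDisks fields to decide whether that step applies; a Windows VM or a Linux VM with no data disks does not need it.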

Next steps

If you run into any issues, review