Azure Disk Encryption for Windows and Linux IaaS VMs

Microsoft Azure is strongly committed to your data privacy and data sovereignty, and it lets you control your Azure-hosted data through a range of technologies for encrypting data, controlling and managing the encryption keys, and controlling and auditing access to the data. This gives Azure customers the flexibility to choose the solution that best meets their business needs. This article introduces Azure Disk Encryption for Windows and Linux IaaS VMs, a capability that helps you protect your data and meet your organization's security and compliance commitments. It provides detailed guidance on using the Azure Disk Encryption features, including the supported scenarios and the user experience.

Note

Certain recommendations might increase data, network, or compute resource usage, resulting in additional license or subscription costs.

Overview

Azure Disk Encryption is a capability that helps you encrypt the disks of Windows and Linux IaaS virtual machines. It uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault so that you control and manage the disk-encryption keys and secrets in your own key vault subscription, and it ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.

Azure Disk Encryption for Windows and Linux IaaS VMs is generally available in all Azure public regions and Azure Government regions, for Standard VMs and for VMs with Premium Storage.

Encryption scenarios

The Azure Disk Encryption solution supports the following customer scenarios:

  • Enable encryption on new IaaS VMs created from a pre-encrypted VHD and its encryption keys
  • Enable encryption on new IaaS VMs created from Azure Gallery images
  • Enable encryption on existing IaaS VMs running in Azure
  • Disable encryption on Windows IaaS VMs
  • Disable encryption on the data drives of Linux IaaS VMs
  • Enable encryption on managed disk VMs
  • Update the encryption settings of an existing encrypted non-Premium Storage VM
  • Back up and restore encrypted VMs that were encrypted with a key encryption key (KEK)

The solution supports the following scenarios for IaaS VMs when they are enabled in Microsoft Azure:

  • Integration with Azure Key Vault
  • Standard tier VMs: A, D, DS, G, GS, F, and similar series IaaS VMs
  • Enable encryption on Windows and Linux IaaS VMs and managed disk VMs
  • Disable encryption on the OS and data drives of Windows IaaS VMs and managed disk VMs
  • Disable encryption on the data drives of Linux IaaS VMs and managed disk VMs
  • Enable encryption on IaaS VMs running a Windows client OS
  • Enable encryption on volumes with mount paths
  • Enable encryption on Linux VMs configured with disk striping (RAID) using mdadm
  • Enable encryption on Linux VMs that use LVM for data disks
  • Enable encryption on Windows VMs configured with Storage Spaces
  • Update the encryption settings of an existing encrypted non-Premium Storage VM
  • All Azure public and Azure Government regions are supported

The solution does not support the following scenarios, features, and technologies:

  • Basic tier IaaS VMs
  • Disabling encryption on the OS drive of Linux IaaS VMs
  • IaaS VMs created by using the classic VM creation method
  • Integration with your on-premises Key Management Service
  • Azure Files (shared file system), Network File System (NFS), dynamic volumes, and Windows VMs configured with software-based RAID
  • Backup and restore of encrypted VMs that were encrypted without a key encryption key
  • Updating the encryption settings of an existing encrypted Premium Storage VM

Note

Backup and restore of encrypted VMs is supported only for VMs that are encrypted with the KEK configuration; it is not supported for VMs encrypted without a KEK. The KEK is an optional parameter when you enable VM encryption, and support for backing up VMs encrypted without one is coming soon. Updating the encryption settings of an existing encrypted Premium Storage VM is not supported either; that support is also coming soon.

Encryption features

When you enable and deploy Azure Disk Encryption for Azure IaaS VMs, the following capabilities are enabled, depending on the configuration you provide:

  • Encryption of the OS volume, to protect the boot volume at rest in your storage
  • Encryption of data volumes, to protect the data volumes at rest in your storage
  • Disabling encryption on the OS and data drives of Windows IaaS VMs
  • Disabling encryption on the data drives of Linux IaaS VMs
  • Safeguarding the encryption keys and secrets in your key vault subscription
  • Reporting the encryption status of an encrypted IaaS VM
  • Removal of the disk-encryption configuration settings from the IaaS virtual machine
  • Backup and restore of encrypted VMs by using the Azure Backup service

Note

Backup and restore of encrypted VMs is supported only for VMs that are encrypted with the KEK configuration; it is not supported for VMs encrypted without a KEK. The KEK is an optional parameter when you enable VM encryption.

The Azure Disk Encryption solution for Windows and Linux IaaS VMs includes:

  • The disk-encryption extension for Windows.
  • The disk-encryption extension for Linux.
  • The disk-encryption PowerShell cmdlets.
  • The disk-encryption Azure command-line interface (CLI) commands.
  • The disk-encryption Azure Resource Manager templates.

The Azure Disk Encryption solution is supported on IaaS VMs running a Windows or Linux OS. For the supported operating systems, see the "Prerequisites" section.

Note

There is no additional charge for encrypting VM disks with Azure Disk Encryption.

Value proposition

When you apply the Azure Disk Encryption management solution, you can satisfy the following business needs:

  • IaaS VMs are secured at rest, because you use industry-standard encryption technology to address organizational security and compliance requirements.
  • IaaS VMs boot under customer-controlled keys and policies, and you can audit how those keys and policies are used in your key vault.

Encryption workflow

To enable disk encryption for Windows and Linux VMs, do the following:

  1. Choose an encryption scenario from the preceding encryption scenarios.

  2. Opt in to enabling disk encryption via the Azure Disk Encryption Resource Manager template, the PowerShell cmdlets, or the CLI command, and specify the encryption configuration.

    • For the customer-encrypted VHD scenario, upload the encrypted VHD to your storage account and the encryption key material to your key vault. Then provide the encryption configuration to enable encryption on a new IaaS VM.
    • For new VMs created from the Marketplace and for existing VMs already running in Azure, provide the encryption configuration to enable encryption on the IaaS VM.

  3. Grant the Azure platform access to read the encryption key material (the BitLocker encryption keys for Windows, the passphrase for Linux) from your key vault, so that it can enable encryption on the IaaS VM.

  4. Provide the Azure Active Directory (Azure AD) application identity that writes the encryption key material to your key vault. This enables encryption on the IaaS VM for the scenarios mentioned in step 2.

  5. Azure updates the VM service model with the encryption and key vault configuration, and sets up your encrypted VM.
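The workflow above, carried through end to end with the AzureRM PowerShell modules, as an added example that is not part of the original article. It creates the Azure AD application (step 4), creates the key vault and grants the platform and the application the access they need (step 3), adds an optional KEK, and enables encryption on an existing VM (steps 2 and 5). Every resource name, the secret, and the VM are hypothetical placeholders; the session is assumed to be signed in with Login-AzureRmAccount.

```powershell
# Added example (not from the original article): enable Azure Disk Encryption on an existing VM.
# All names below are hypothetical placeholders.
$rgName       = 'ade-demo-rg'     # assumption: existing resource group
$location     = 'westus'          # vault and VM must share region and subscription
$vmName       = 'ade-demo-vm'     # assumption: existing Windows or Linux VM in $rgName
$keyVaultName = 'ade-demo-kv'
$kekName      = 'ade-demo-kek'
$aadAppName   = 'ade-demo-app'

# Step 4: the identity the extension uses to write the BEK (Windows) or passphrase (Linux) to the vault.
# A fresh random secret is generated here rather than typed into the script; store it in the vault or
# a secret manager, not in source control.
$aadClientSecret = [guid]::NewGuid().ToString()
$app = New-AzureRmADApplication -DisplayName $aadAppName -HomePage "https://$aadAppName.example.invalid" `
           -IdentifierUris "https://$aadAppName.example.invalid" -Password $aadClientSecret
$null = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
$aadClientID = $app.ApplicationId.ToString()
# Note: newer AzureRM.Resources releases take -Password as a SecureString; the string form above
# matches the cmdlet usage shown elsewhere on this page.

# Step 3: a vault the Azure platform itself may read at boot (EnabledForDiskEncryption), plus the
# minimal rights the application needs: wrap keys and set secrets, nothing more.
$vault = New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName -Location $location
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName -EnabledForDiskEncryption
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName `
    -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set'

# Optional KEK (RSA 2048). Software-protected here; use -Destination HSM on a Premium vault.
# A KEK is required if the VM is to be protected by Azure Backup. Key.Kid is the versioned URL
# that Azure Disk Encryption insists on.
$kek = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $kekName -Destination 'Software'

# Steps 2 and 5: enable encryption. Managed-disk VMs must pass -SkipVmBackup or the step fails.
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
$isManaged = $null -ne $vm.StorageProfile.OsDisk.ManagedDisk
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType 'All' -SkipVmBackup:$isManaged -Force

# Report what the platform believes: OsVolumeEncrypted and DataVolumesEncrypted should read Encrypted.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
```

The access policy is deliberately narrow: WrapKey is what the extension needs to wrap the BEK or passphrase with the KEK, and Set is what it needs to write the wrapped secret. Neither Get nor Decrypt is granted to the application, so a leaked client secret cannot by itself recover the disk keys.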


Decryption workflow

To disable disk encryption for IaaS VMs, complete the following high-level steps:

  1. Choose to disable encryption (decrypt) on a running IaaS VM in Azure via the Azure Disk Encryption Resource Manager template or the PowerShell cmdlets, and specify the decryption configuration.

     This step disables encryption of the OS volume, the data volumes, or both on a running Windows IaaS VM. As noted in the previous section, disabling OS disk encryption on Linux is not supported; on Linux VMs the decryption step is allowed only for data drives.

  2. Azure updates the VM service model, and the IaaS VM is marked as decrypted. The contents of the VM are no longer encrypted at rest.

Note

The disable-encryption operation does not delete your key vault or the encryption key material (the BitLocker encryption keys for Windows, the passphrase for Linux). Disabling OS disk encryption on Linux is not supported; on Linux VMs the decryption step is allowed only for data drives.
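The decryption workflow as a PowerShell function, added here as an example that is not part of the original article. It reads the VM's OS type and refuses the unsupported Linux OS-volume case before calling the platform, and optionally removes the extension configuration afterwards, which is the "removal of disk-encryption configuration settings" capability listed earlier. The resource group and VM names are hypothetical.

```powershell
# Added example (not from the original article): disable Azure Disk Encryption on a VM while
# enforcing the Linux restriction described above. Resource names are hypothetical placeholders.
function Disable-AdeVolumeEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [ValidateSet('OS', 'Data', 'All')] [string] $VolumeType = 'Data',
        [switch] $RemoveExtension   # also strip the extension settings from the VM model afterwards
    )

    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $osType = $vm.StorageProfile.OsDisk.OsType   # 'Windows' or 'Linux'

    # Decrypting the OS volume is supported only on Windows; refuse early rather than letting
    # the extension fail part-way through.
    if ($osType -eq 'Linux' -and $VolumeType -ne 'Data') {
        throw "Disabling OS disk encryption is not supported on Linux VMs; use -VolumeType Data."
    }

    $before = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    Write-Verbose ("Before: OS={0} Data={1}" -f $before.OsVolumeEncrypted, $before.DataVolumesEncrypted)

    Disable-AzureRmVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -VolumeType $VolumeType -Force

    if ($RemoveExtension) {
        # Removes the extension and its settings from the VM model. The key vault and the
        # BEK/passphrase secrets it holds are deliberately left in place, as the note above says.
        Remove-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Force
    }

    # Return the platform's view so the caller can confirm the volumes now read NotEncrypted.
    Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
}

Disable-AdeVolumeEncryption -ResourceGroupName 'ade-demo-rg' -VMName 'ade-demo-vm' -VolumeType 'Data' -Verbose
```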

Prerequisites

Before you enable Azure Disk Encryption on Azure IaaS VMs for the supported scenarios discussed in the "Overview" section, review the following prerequisites:

  • You must have a valid, active Azure subscription to create resources in Azure in the supported regions.
  • Azure Disk Encryption is supported on the following Windows Server versions: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
  • Azure Disk Encryption is supported on the following Windows client versions: Windows 8 client and Windows 10 client.

Note

For Windows Server 2008 R2, you must have .NET Framework 4.5 installed before you enable encryption in Azure. You can install it from Windows Update as the optional update "Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based systems" (KB2901983).

  • Azure Disk Encryption is supported on the following Linux server distributions and versions:

    Linux Distribution   Version             Volume Type Supported for Encryption
    Ubuntu               16.04-DAILY-LTS     OS and data disk
    Ubuntu               14.04.5-DAILY-LTS   OS and data disk
    Ubuntu               12.10               Data disk
    Ubuntu               12.04               Data disk
    RHEL                 7.3                 OS and data disk
    RHEL                 7.2                 OS and data disk
    RHEL                 6.8                 OS and data disk
    RHEL                 6.7                 Data disk
    CentOS               7.3                 OS and data disk
    CentOS               7.2n                OS and data disk
    CentOS               6.8                 OS and data disk
    CentOS               7.1                 Data disk
    CentOS               7.0                 Data disk
    CentOS               6.7                 Data disk
    CentOS               6.6                 Data disk
    CentOS               6.5                 Data disk
    openSUSE             13.2                Data disk
    SLES                 12 SP1              Data disk
    SLES                 12-SP1 (Premium)    Data disk
    SLES                 HPC 12              Data disk
    SLES                 11-SP4 (Premium)    Data disk
    SLES                 11 SP4              Data disk

  • Azure Disk Encryption requires that your key vault and your VMs reside in the same Azure region and subscription.

Note

Configuring the resources in separate regions causes the Azure Disk Encryption enable step to fail.

  • To set up and configure your key vault for Azure Disk Encryption, see "Set up and configure your key vault for Azure Disk Encryption" in the Prerequisites section of this article.

  • To set up and configure the Azure AD application in Azure Active Directory for Azure Disk Encryption, see "Set up the Azure AD application in Azure Active Directory" in the Prerequisites section of this article.

  • To set up and configure the key vault access policy for the Azure AD application, see "Set up the key vault access policy for the Azure AD application" in the Prerequisites section of this article.

  • To prepare a pre-encrypted Windows VHD, see "Prepare a pre-encrypted Windows VHD" in the Appendix.

  • To prepare a pre-encrypted Linux VHD, see "Prepare a pre-encrypted Linux VHD" in the Appendix.

  • The Azure platform needs access to the encryption keys or secrets in your key vault so that it can make them available to the virtual machine when it boots and decrypts the OS volume. To grant the platform this permission, set the EnabledForDiskEncryption property on the key vault. For more information, see "Set up and configure your key vault for Azure Disk Encryption" in the Appendix.

  • Your key vault secret and KEK URLs must be versioned. Azure enforces this restriction; an unversioned URL is rejected when you enable encryption.

  • Azure Disk Encryption does not support specifying a port number as part of the key vault secret or KEK URL.
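A pre-flight check for the two URL rules above, added here as an example that is not part of the original article. It validates that a secret or KEK URL uses https, carries no explicit port, and ends in the version segment Key Vault assigns to every object. The vault and key names are constructed for the demonstration; the URL shape (https://<vault>.vault.azure.net/<keys|secrets>/<name>/<version>) is the standard Key Vault identifier format.

```powershell
# Added example (not from the original article): validate key vault secret and KEK URLs before
# passing them to Set-AzureRmVMDiskEncryptionExtension. Vault and key names are constructed.
function Test-AdeKeyVaultUrl {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [ValidateSet('secrets', 'keys')] [string] $Kind = 'keys'   # 'keys' for a KEK, 'secrets' for a BEK/passphrase
    )

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Valid = $false; Reason = 'not an absolute URL' }
    }

    $reason = $null
    if ($uri.Scheme -ne 'https') {
        $reason = 'scheme must be https'
    } elseif ($Url -match '^https://[^/]+:\d+(/|$)') {
        # Checked on the raw string: System.Uri silently drops an explicit default port (443),
        # but Azure Disk Encryption rejects any explicit port.
        $reason = 'explicit port numbers are not supported'
    } else {
        # Expect exactly /<kind>/<name>/<version>, where the version is the 32 hex characters
        # Key Vault assigns to each object version.
        $segments = $uri.AbsolutePath.Trim('/') -split '/'
        if ($segments.Count -ne 3 -or $segments[0] -ne $Kind) {
            $reason = "path must be /$Kind/<name>/<version>"
        } elseif ($segments[2] -notmatch '^[0-9a-f]{32}$') {
            $reason = 'URL is not versioned; use the object''s versioned identifier'
        }
    }
    [pscustomobject]@{ Url = $Url; Valid = ($null -eq $reason); Reason = $reason }
}

# Constructed sample inputs (no real vault behind them).
$vault = 'https://contoso-ade-kv.vault.azure.net'
@(
    "$vault/keys/ade-kek/0123456789abcdef0123456789abcdef",                        # valid, versioned KEK
    "$vault/keys/ade-kek",                                                          # unversioned: rejected
    "https://contoso-ade-kv.vault.azure.net:443/keys/ade-kek/0123456789abcdef0123456789abcdef",  # explicit port: rejected
    "$vault/secrets/ade-kek/0123456789abcdef0123456789abcdef"                      # a secret URL offered as a KEK: rejected
) | ForEach-Object { Test-AdeKeyVaultUrl -Url $_ -Kind keys } | Format-Table -AutoSize
```

The versioned identifier is what Add-AzureKeyVaultKey returns in Key.Kid and what Get-AzureKeyVaultSecret returns in Id; use those values directly rather than building URLs by hand.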

  • To enable the Azure Disk Encryption feature, the IaaS VMs must meet the following network endpoint configuration requirements:

    • To obtain a token for connecting to your key vault, the IaaS VM must be able to reach the Azure Active Directory endpoint, login.windows.net.
    • To write the encryption keys to your key vault, the IaaS VM must be able to reach the key vault endpoint.
    • The IaaS VM must be able to reach the Azure Storage endpoint that hosts the Azure extension repository and the Azure Storage account that hosts its VHD files.

    Note

    If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URIs and configure specific rules that allow outbound connectivity to those IPs.

    To configure and access Azure Key Vault behind a firewall, see https://docs.microsoft.com/en-us/azure/key-vault/key-vault-access-behind-firewall

  • Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest Azure PowerShell release.

Note

Azure Disk Encryption is not supported on Azure PowerShell SDK version 1.1.0. If you receive an error related to using Azure PowerShell 1.1.0, see "Azure Disk Encryption Error Related to Azure PowerShell 1.1.0".

  • To run any Azure CLI command and associate it with your Azure subscription, you must first install the Azure CLI.

  • You must use the -SkipVmBackup parameter when you use the Azure Disk Encryption PowerShell cmdlet Set-AzureRmVMDiskEncryptionExtension or the equivalent CLI command to enable encryption on an Azure Managed Disk VM.

Note

If you do not specify the -SkipVmBackup parameter on a Managed Disk VM, the enable-encryption step fails.

  • The Azure Disk Encryption solution uses the BitLocker external key protector for Windows IaaS VMs. For domain-joined VMs, do NOT push any group policies that enforce TPM protectors. For information about the "Allow BitLocker without a compatible TPM" group policy, see the BitLocker Group Policy Reference.
  • To create an Azure AD application, create a key vault, or set up an existing key vault and enable encryption, see the Azure Disk Encryption prerequisite PowerShell script.
  • To configure the disk-encryption prerequisites using the Azure CLI, see this Bash script.
  • To use the Azure Backup service to back up and restore encrypted VMs, encrypt your VMs with the KEK configuration when you enable encryption with Azure Disk Encryption. The Backup service supports only VMs that are encrypted with a KEK. See "How to back up and restore encrypted virtual machines with Azure Backup".

Note

Backup and restore of encrypted VMs is supported only for VMs that are encrypted with the KEK configuration; it is not supported for VMs encrypted without a KEK. The KEK is an optional parameter when you enable VM encryption.
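A guest-side check for the BitLocker protector requirement stated above, added here as an example that is not part of the original article. Run it inside a domain-joined Windows VM before enabling Azure Disk Encryption to catch a group policy that demands a TPM protector, and afterwards to confirm the volumes carry only the external-key protector the extension installs. It assumes the policy is applied through the standard FVE policy registry key and that the BitLocker PowerShell module is present on the guest.

```powershell
# Added example (not from the original article): verify that group policy and the volumes' key
# protectors are compatible with the external-key protector Azure Disk Encryption uses.
function Test-AdeBitLockerPolicy {
    param([string[]] $MountPoint = @('C:'))

    $issues = @()

    # "Require additional authentication at startup" is stored under this policy key (assumption:
    # policy delivered the standard way). UseTPM = 1 means "require"; EnableBDEWithNoTPM = 0 means
    # BitLocker may not run without a compatible TPM. Either setting breaks the ADE enable step.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (Test-Path $fve) {
        $pol = Get-ItemProperty -Path $fve
        if ($pol.PSObject.Properties['UseTPM'] -and $pol.UseTPM -eq 1) {
            $issues += 'Group policy requires a TPM protector for OS drives (UseTPM=1)'
        }
        if ($pol.PSObject.Properties['EnableBDEWithNoTPM'] -and $pol.EnableBDEWithNoTPM -eq 0) {
            $issues += 'Group policy does not allow BitLocker without a compatible TPM (EnableBDEWithNoTPM=0)'
        }
    }

    # Protectors actually present on the volumes. ADE adds ExternalKey; Tpm should not appear.
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $vol) { $issues += "$mp is not a BitLocker-capable volume"; continue }
        $types = @($vol.KeyProtector | ForEach-Object -MemberName KeyProtectorType)
        if ($types -contains 'Tpm') {
            $issues += "$mp has a TPM protector; Azure Disk Encryption expects ExternalKey only"
        }
        [pscustomobject]@{
            MountPoint       = $mp
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
        }
    }

    if ($issues) { Write-Warning ($issues -join "`n") }
}

Test-AdeBitLockerPolicy -MountPoint 'C:', 'F:'
```

Before encryption the volumes are expected to show no protectors and VolumeStatus FullyDecrypted; after a successful enable, the OS and data volumes should list ExternalKey and report FullyEncrypted, with no warnings emitted.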

Set up the Azure AD application in Azure Active Directory

When encryption needs to be enabled on a running VM in Azure, Azure Disk Encryption generates the encryption keys and writes them to your key vault. Managing encryption keys in your key vault requires Azure AD authentication.

For this purpose, create an Azure AD application. You can find detailed steps for registering an application in the "Get an Identity for the Application" section of the blog post "Azure Key Vault - Step by Step". That post also contains a number of helpful examples for setting up and configuring your key vault. For authentication, you can use either client secret-based or client certificate-based Azure AD authentication.

Client secret-based authentication for Azure AD

The sections that follow help you configure client secret-based authentication for Azure AD.

Create an Azure AD application by using Azure PowerShell

Use the following PowerShell cmdlets to create an Azure AD application:

# The client secret the VM extension will later present to Azure AD; choose a strong, random value.
$aadClientSecret = "yourSecret"
# Register the application; the display name, home page and identifier URI are placeholders.
$azureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -Password $aadClientSecret
# Create the service principal so the application can be granted a key vault access policy.
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

Note

$azureAdApplication.ApplicationId is the Azure AD client ID and $aadClientSecret is the client secret; you use both later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately.

Setting up the Azure AD client ID and secret from the Azure classic portal

You can also set up your Azure AD client ID and secret by using the Azure classic portal. To perform this task, do the following:

  1. Click the Active Directory tab.

  2. Click Add Application, and then type the application name.

  3. Click the arrow button, and then configure the application properties.

  4. Click the check mark in the lower left corner to finish. The application configuration page appears, and the Azure AD client ID is displayed at the bottom of the page.

  5. Save the Azure AD client secret by clicking the Save button. Note the Azure AD client secret shown in the keys text box, and safeguard it appropriately.

Note

The preceding flow is not supported on the Azure classic portal.

Use an existing application

To execute the following commands, obtain and use the Azure AD PowerShell module.

Note

The following commands must be executed from a new PowerShell window. Do not use the Azure PowerShell or Azure Resource Manager window to execute them, because these cmdlets live in the MSOnline module (Azure AD PowerShell).

# Add a password credential to an existing application so it can authenticate with a client secret.
$clientSecret = '<yourAadClientSecret>'
$aadClientID = '<Client ID of your Azure AD application>'
Connect-MsolService
New-MsolServicePrincipalCredential -AppPrincipalId $aadClientID -Type password -Value $clientSecret

Certificate-based authentication for Azure AD

Note

Azure AD certificate-based authentication is currently not supported on Linux VMs.

The sections that follow show how to configure certificate-based authentication for Azure AD.

Create an Azure AD application

To create an Azure AD application, execute the following PowerShell cmdlets:

Note

Replace the yourpassword string below with your own strong password, and safeguard that password.

# Load the certificate from a PFX file; the path and password are placeholders.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate -ArgumentList "C:\certificates\examplecert.pfx", "yourpassword"
# Azure AD expects the DER-encoded public certificate, base64-encoded.
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
# Register the application with the certificate as its credential.
$azureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $keyValue -KeyType AsymmetricX509Cert
# Create the service principal so the application can be granted a key vault access policy.
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

After you finish this step, upload the PFX file to your key vault and enable the access policy needed to deploy that certificate to a VM.

Use an existing Azure AD application

If you are configuring certificate-based authentication for an existing application, use the PowerShell cmdlets shown here. Be sure to execute them from a new PowerShell window.

# Add the public certificate (.cer) as an asymmetric credential of an existing application.
$certLocalPath = 'C:\certs\myaadapp.cer'
$aadClientID = '<Client ID of your Azure AD application>'
Connect-MsolService
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($certLocalPath)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
# -Usage verify: Azure AD uses the certificate only to verify client assertions signed with its private key.
New-MsolServicePrincipalCredential -AppPrincipalId $aadClientID -Type asymmetric -Value $credValue -Usage verify

After you finish this step, upload the PFX file to your key vault and enable the access policy needed to deploy the certificate to a VM.

Upload a PFX file to your key vault

For a detailed explanation of this process, see the official Azure Key Vault team blog. However, the following PowerShell cmdlets are all you need for the task. Be sure to execute them from the Azure PowerShell console.

Note

Replace the yourpassword string below with your own strong password, and safeguard that password.

$certLocalPath = 'C:\certs\myaadapp.pfx'
$certPassword = "yourpassword"
$resourceGroupName = 'yourResourceGroup'
$keyVaultName = 'yourKeyVaultName'
$keyVaultSecretName = 'yourAadCertSecretName'

# Read the PFX as raw bytes and base64-encode it.
$fileContentBytes = Get-Content $certLocalPath -Encoding Byte
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)

# The VM agent expects the secret to be a base64-encoded JSON envelope that names the data type
# and carries the PFX password, so the certificate can be installed with its private key.
$jsonObject = @"
{
"data": "$fileContentEncoded",
"dataType" :"pfx",
"password": "$certPassword"
}
"@

$jsonObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
$jsonEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)

# Store the envelope as a key vault secret. (Switch-AzureMode is no longer needed or available
# with the AzureRM modules this article requires.)
$secret = ConvertTo-SecureString -String $jsonEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName -SecretValue $secret
# Allow the Azure compute service to retrieve certificates from this vault when deploying to VMs.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDeployment
Deploy a certificate in your key vault to an existing VM

After you finish uploading the PFX, deploy the certificate from the key vault to an existing VM with the following:

$resourceGroupName = 'yourResourceGroup'
$keyVaultName = 'yourKeyVaultName'
$keyVaultSecretName = 'yourAadCertSecretName'
$vmName = 'yourVMName'
# Versioned URL of the secret that holds the PFX envelope, and the vault's resource ID.
$certUrl = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName).Id
$sourceVaultId = (Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName).ResourceId
$vm = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName
# Attach the secret to the VM model; the agent installs it into the local machine "My" store.
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $sourceVaultId -CertificateStore "My" -CertificateUrl $certUrl
Update-AzureRmVM -VM $vm -ResourceGroupName $resourceGroupName

Set up the key vault access policy for the Azure AD application

Your Azure AD application needs rights to access the keys or secrets in the vault. Use the Set-AzureRmKeyVaultAccessPolicy cmdlet to grant permissions to the application, passing the client ID (generated when the application was registered) as the -ServicePrincipalName parameter value. To learn more, see the blog post "Azure Key Vault - Step by Step". Here is an example of how to perform this task via PowerShell:

$keyVaultName = '<yourKeyVaultName>'
$aadClientID = '<yourAadAppClientID>'
$rgname = '<yourResourceGroup>'
# Least privilege: the extension only wraps keys with the KEK and writes the wrapped secret.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $rgname

Note

Azure Disk Encryption requires the following access policy permissions for your Azure AD client application: WrapKey on keys and Set on secrets.

Terminology

To understand some of the common terms used by this technology, use the following terminology table:

Term              Definition
Azure AD          Azure Active Directory. An Azure AD account is a prerequisite for authenticating to, and storing and retrieving secrets from, a key vault.
Azure Key Vault   A cryptographic key management service based on Federal Information Processing Standards (FIPS)-validated hardware security modules, which helps safeguard your cryptographic keys and sensitive secrets. For more information, see the Key Vault documentation.
ARM               Azure Resource Manager.
BitLocker         An industry-recognized Windows volume encryption technology, used to enable disk encryption on Windows IaaS VMs.
BEK               BitLocker encryption key, used to encrypt the OS boot volume and data volumes. BitLocker keys are safeguarded in a key vault as secrets.
CLI               See Azure command-line interface.
DM-Crypt          The Linux transparent disk-encryption subsystem, used to enable disk encryption on Linux IaaS VMs.
KEK               Key encryption key: the asymmetric key (RSA 2048) that you can use to protect or wrap the secret. You can provide a hardware security module (HSM)-protected key or a software-protected key. For more details, see the Azure Key Vault documentation.
PS cmdlets        See Azure PowerShell cmdlets.

Set up and configure your key vault for Azure Disk Encryption

Azure Disk Encryption helps safeguard the disk-encryption keys and secrets in your key vault. To set up your key vault for Azure Disk Encryption, complete the steps in each of the following sections.

Create a key vault

To create a key vault, use one of the following options:

Note

If you have already set up a key vault for your subscription, skip to the next section.


Set up a key encryption key (optional)

If you want to use a KEK for an additional layer of security for the BitLocker encryption keys, add a KEK to your key vault. Use the Add-AzureKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM. For more details, see the Key Vault documentation.

Add-AzureKeyVaultKey [-VaultName] <string> [-Name] <string> -Destination <string> {HSM | Software}

You can add the KEK by going to Azure Resource Manager or by using your key vault interface.


Set key vault permissions

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. To grant permissions to the Azure platform, set the EnabledForDiskEncryption property on the key vault by using the key vault PowerShell cmdlet:

Set-AzureRmKeyVaultAccessPolicy -VaultName <yourVaultName> -ResourceGroupName <yourResourceGroup> -EnabledForDiskEncryption

You can also set the EnabledForDiskEncryption property by visiting the Azure Resource Explorer.

As mentioned earlier, you must set the EnabledForDiskEncryption property on your key vault. Otherwise, the deployment will fail.

You can set up access policies for your Azure AD application from the key vault interface, as shown here:


On the Advanced access policies tab, make sure that your key vault is enabled for Azure Disk Encryption:

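Putting this section's steps together, the following added example (not code from the original article) creates an optional KEK, grants the Azure AD application only the WrapKey and Set permissions, enables the vault for disk encryption, and reads the vault back to check the result. The vault, resource group and application ID are placeholders; the KEK name and the list of permissions treated as broader than Azure Disk Encryption needs are assumptions.

```powershell
# Added example, not from the original article: prepare a key vault for Azure Disk
# Encryption with the AzureRM cmdlets used in this section, then verify the result.
# All <...> values are placeholders; 'adeKek' is an assumed KEK name.
$keyVaultName = '<yourKeyVaultName>'
$rgName       = '<yourResourceGroup>'
$aadClientID  = '<yourAadAppClientID>'   # client ID of the registered Azure AD app
$kekName      = 'adeKek'

# 1. Optional KEK. Destination 'Software' works on any vault; use 'HSM' on a Premium
#    vault if the KEK must never leave the HSM boundary.
$kek = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $kekName -Destination Software
Write-Host "KEK URL (use as keyEncryptionKeyURL): $($kek.Id)"

# 2. Least privilege for the Azure AD app: it wraps the generated BitLocker key or
#    passphrase with the KEK and stores the wrapped value as a secret, so WrapKey on
#    keys and Set on secrets is all it needs.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName `
    -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set'

# 3. Allow the Azure platform to retrieve the keys and secrets at VM boot.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName `
    -EnabledForDiskEncryption

# 4. Verify. Returns a list of findings; an empty list means the vault is ready.
function Test-AdeKeyVault {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $vault    = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    $findings = @()

    if (-not $vault.EnabledForDiskEncryption) {
        $findings += 'EnabledForDiskEncryption is not set; the VM deployment will fail.'
    }

    # At least one access policy must carry WrapKey on keys and Set on secrets
    # (-contains is case-insensitive, so 'wrapKey' matches 'WrapKey').
    $adePolicies = $vault.AccessPolicies | Where-Object {
        ($_.PermissionsToKeys    -contains 'wrapKey' -or $_.PermissionsToKeys    -contains 'all') -and
        ($_.PermissionsToSecrets -contains 'set'     -or $_.PermissionsToSecrets -contains 'all')
    }
    if (-not $adePolicies) {
        $findings += 'No access policy grants both WrapKey (keys) and Set (secrets).'
    }

    # Assumed review rule: a principal that can also unwrap keys or read secrets can
    # recover the volume keys, so such policies are reported for a human to confirm.
    foreach ($p in $vault.AccessPolicies) {
        $broadKeys    = $p.PermissionsToKeys    | Where-Object { $_ -in 'all', 'unwrapKey', 'decrypt' }
        $broadSecrets = $p.PermissionsToSecrets | Where-Object { $_ -in 'all', 'get' }
        if ($broadKeys -or $broadSecrets) {
            $findings += "Object $($p.ObjectId) has broad rights: keys=$($p.PermissionsToKeys -join ',') secrets=$($p.PermissionsToSecrets -join ',')"
        }
    }
    return $findings
}

$issues = Test-AdeKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Key vault is ready for Azure Disk Encryption.'
}
```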

Disk-encryption deployment scenarios and user experiences

You can enable many disk-encryption scenarios, and the steps may vary according to the scenario. The following sections cover the scenarios in greater detail.

Enable encryption on new IaaS VMs that are created from the Marketplace

You can enable disk encryption on a new IaaS Windows VM from the Marketplace in Azure by using the Resource Manager template.

  1. On the Azure quick-start template, click Deploy to Azure, enter the encryption configuration on the Parameters blade, and then click OK.

  2. Select the subscription, resource group, resource group location, legal terms, and agreement, and then click Create to enable encryption on a new IaaS VM.

Note

This template creates a new encrypted Windows VM that uses the Windows Server 2012 gallery image.

You can enable disk encryption on a new IaaS RedHat Linux 7.2 VM with a 200-GB RAID-0 array by using this Resource Manager template. After you deploy the template, verify the VM encryption status by using the Get-AzureRmVmDiskEncryptionStatus cmdlet, as described in Encrypting OS drive on a running Linux VM. When the machine returns a status of VMRestartPending, restart the VM.

The following table lists the Resource Manager template parameters for new VMs in the Marketplace scenario that use an Azure AD client ID:

adminUserName: Admin user name for the virtual machine.
adminPassword: Admin user password for the virtual machine.
newStorageAccountName: Name of the storage account to store OS and data VHDs.
vmSize: Size of the VM. Currently, only Standard A, D, and G series are supported.
virtualNetworkName: Name of the VNet that the VM NIC should belong to.
subnetName: Name of the subnet in the VNet that the VM NIC should belong to.
AADClientID: Client ID of the Azure AD application that has permissions to write secrets to your key vault.
AADClientSecret: Client secret of the Azure AD application that has permissions to write secrets to your key vault.
keyVaultURL: URL of the key vault that the BitLocker key should be uploaded to. You can get it by using the cmdlet (Get-AzureRmKeyVault -VaultName <yourKeyVaultName> -ResourceGroupName <yourResourceGroupName>).VaultUri.
keyEncryptionKeyURL: URL of the key encryption key that is used to encrypt the generated BitLocker key (optional).
keyVaultResourceGroup: Resource group of the key vault.
vmName: Name of the VM that the encryption operation is to be performed on.

Note

KeyEncryptionKeyURL is an optional parameter. You can bring your own KEK to further safeguard the data encryption key (passphrase secret) in your key vault.

Enable encryption on new IaaS VMs that are created from customer-encrypted VHDs and encryption keys

In this scenario, you can enable encryption by using the Resource Manager template, PowerShell cmdlets, or CLI commands. The following sections explain the Resource Manager template and CLI commands in greater detail.

Follow the instructions in one of these sections to prepare pre-encrypted images that can be used in Azure. After the image is created, you can use the steps in the next section to create an encrypted Azure VM.

Using the Resource Manager template

You can enable disk encryption on your encrypted VHD by using the Resource Manager template.

  1. On the Azure quick-start template, click Deploy to Azure, enter the encryption configuration on the Parameters blade, and then click OK.

  2. Select the subscription, resource group, resource group location, legal terms, and agreement, and then click Create to enable encryption on the new IaaS VM.

The following table lists the Resource Manager template parameters for your encrypted VHD:

newStorageAccountName: Name of the storage account to store the encrypted OS VHD. This storage account should already have been created in the same resource group and location as the VM.
osVhdUri: URI of the OS VHD in the storage account.
osType: OS product type (Windows/Linux).
virtualNetworkName: Name of the VNet that the VM NIC should belong to. The VNet should already have been created in the same resource group and location as the VM.
subnetName: Name of the subnet in the VNet that the VM NIC should belong to.
vmSize: Size of the VM. Currently, only Standard A, D, and G series are supported.
keyVaultResourceID: The resource ID that identifies the key vault resource in Azure Resource Manager. You can get it by using the PowerShell cmdlet (Get-AzureRmKeyVault -VaultName <yourKeyVaultName> -ResourceGroupName <yourResourceGroupName>).ResourceId.
keyVaultSecretUrl: URL of the disk-encryption key that is set up in the key vault.
keyVaultKekUrl: URL of the key encryption key for encrypting the generated disk-encryption key.
vmName: Name of the IaaS VM.

Using PowerShell cmdlets

You can enable disk encryption on your encrypted VHD by using the PowerShell cmdlet Set-AzureRmVMOSDisk.

Using CLI commands

To enable disk encryption for this scenario by using CLI commands, do the following:

  1. Set access policies in your key vault:

    • Set the EnabledForDiskEncryption flag:

    azure keyvault set-policy --vault-name <keyVaultName> --enabled-for-disk-encryption true

    • Set permissions for the Azure AD application to write secrets to your key vault:

    azure keyvault set-policy --vault-name <keyVaultName> --spn <aadClientID> --perms-to-keys '["wrapKey"]' --perms-to-secrets '["set"]'

  2. To enable encryption on an existing or running VM, type:

    azure vm enable-disk-encryption --resource-group <resourceGroupName> --name <vmName> --aad-client-id <aadClientId> --aad-client-secret <aadClientSecret> --disk-encryption-key-vault-url <keyVaultURL> --disk-encryption-key-vault-id <keyVaultResourceId> --volume-type [All|OS|Data]

  3. Get the encryption status:

    azure vm show-disk-encryption-status --resource-group <resourceGroupName> --name <vmName> --json

  4. To enable encryption on a new VM from your encrypted VHD, use the following parameters with the azure vm create command:

    * disk-encryption-key-vault-id <disk-encryption-key-vault-id>
    * disk-encryption-key-url <disk-encryption-key-url>
    * key-encryption-key-vault-id <key-encryption-key-vault-id>
    * key-encryption-key-url <key-encryption-key-url>

Enable encryption on an existing or running IaaS Windows VM in Azure

In this scenario, you can enable encryption by using the Resource Manager template, PowerShell cmdlets, or CLI commands. The following sections explain in greater detail how to enable it by using the Resource Manager template and CLI commands.

Using the Resource Manager template

You can enable disk encryption on existing or running IaaS Windows VMs in Azure by using the Resource Manager template.

  1. On the Azure quick-start template, click Deploy to Azure, enter the encryption configuration on the Parameters blade, and then click OK.

  2. Select the subscription, resource group, resource group location, legal terms, and agreement, and then click Create to enable encryption on the existing or running IaaS VM.

The following table lists the Resource Manager template parameters for existing or running VMs that use an Azure AD client ID:

AADClientID: Client ID of the Azure AD application that has permissions to write secrets to the key vault.
AADClientSecret: Client secret of the Azure AD application that has permissions to write secrets to the key vault.
keyVaultName: Name of the key vault that the BitLocker key should be uploaded to. You can get it by using the cmdlet (Get-AzureRmKeyVault -ResourceGroupName <yourResourceGroupName>).VaultName.
keyEncryptionKeyURL: URL of the key encryption key that is used to encrypt the generated BitLocker key. This parameter is optional if you select nokek in the UseExistingKek drop-down list. If you select kek in the UseExistingKek drop-down list, you must enter the keyEncryptionKeyURL value.
volumeType: Type of volume that the encryption operation is performed on. Valid values are OS, Data, and All.
sequenceVersion: Sequence version of the BitLocker operation. Increment this version number every time a disk-encryption operation is performed on the same VM.
vmName: Name of the VM that the encryption operation is to be performed on.

Note

KeyEncryptionKeyURL is an optional parameter. You can bring your own KEK to further safeguard the data encryption key (BitLocker encryption secret) in the key vault.

Using PowerShell cmdlets

For information about enabling encryption with Azure Disk Encryption by using PowerShell cmdlets, see the blog posts Explore Azure Disk Encryption with Azure PowerShell - Part 1 and Explore Azure Disk Encryption with Azure PowerShell - Part 2.

Using CLI commands

To enable encryption on an existing or running IaaS Windows VM in Azure by using CLI commands, do the following:

  1. Set access policies in the key vault:

    • Set the EnabledForDiskEncryption flag:

    azure keyvault set-policy --vault-name <keyVaultName> --enabled-for-disk-encryption true

    • Set permissions for the Azure AD application to write secrets to your key vault:

    azure keyvault set-policy --vault-name <keyVaultName> --spn <aadClientID> --perms-to-keys '["wrapKey"]' --perms-to-secrets '["set"]'

  2. Enable encryption on the existing or running VM:

    azure vm enable-disk-encryption --resource-group <resourceGroupName> --name <vmName> --aad-client-id <aadClientId> --aad-client-secret <aadClientSecret> --disk-encryption-key-vault-url <keyVaultURL> --disk-encryption-key-vault-id <keyVaultResourceId> --volume-type [All|OS|Data]

  3. Get the encryption status:

    azure vm show-disk-encryption-status --resource-group <resourceGroupName> --name <vmName> --json

  4. To enable encryption on a new VM from your encrypted VHD, use the following parameters with the azure vm create command:

    * disk-encryption-key-vault-id <disk-encryption-key-vault-id>
    * disk-encryption-key-url <disk-encryption-key-url>
    * key-encryption-key-vault-id <key-encryption-key-vault-id>
    * key-encryption-key-url <key-encryption-key-url>

Enable encryption on an existing or running IaaS Linux VM in Azure

You can enable disk encryption on an existing or running IaaS Linux VM in Azure by using the Resource Manager template.

  1. On the Azure quick-start template, click Deploy to Azure, enter the encryption configuration on the Parameters blade, and then click OK.

  2. Select the subscription, resource group, resource group location, legal terms, and agreement, and then click Create to enable encryption on the existing or running IaaS VM.

The following table lists the Resource Manager template parameters for existing or running VMs that use an Azure AD client ID:

AADClientID: Client ID of the Azure AD application that has permissions to write secrets to the key vault.
AADClientSecret: Client secret of the Azure AD application that has permissions to write secrets to your key vault.
keyVaultName: Name of the key vault that the BitLocker key should be uploaded to. You can get it by using the cmdlet (Get-AzureRmKeyVault -ResourceGroupName <yourResourceGroupName>).VaultName.
keyEncryptionKeyURL: URL of the key encryption key that is used to encrypt the generated BitLocker key. This parameter is optional if you select nokek in the UseExistingKek drop-down list. If you select kek in the UseExistingKek drop-down list, you must enter the keyEncryptionKeyURL value.
volumeType: Type of volume that the encryption operation is performed on. Valid supported values are OS or All (for RHEL 7.2, CentOS 7.2, and Ubuntu 16.04), and Data (for all other distributions).
sequenceVersion: Sequence version of the BitLocker operation. Increment this version number every time a disk-encryption operation is performed on the same VM.
vmName: Name of the VM that the encryption operation is to be performed on.
passPhrase: Type a strong passphrase as the data encryption key.

Note

KeyEncryptionKeyURL is an optional parameter. You can bring your own KEK to further safeguard the data encryption key (passphrase secret) in your key vault.

CLI commands

You can enable disk encryption on your encrypted VHD by installing and using the CLI. To enable encryption on existing or running IaaS Linux VMs in Azure by using CLI commands, do the following:

  1. Set access policies in the key vault:

    • Set the EnabledForDiskEncryption flag:

    azure keyvault set-policy --vault-name <keyVaultName> --enabled-for-disk-encryption true

    • Set permissions for the Azure AD application to write secrets to your key vault:

    azure keyvault set-policy --vault-name <keyVaultName> --spn <aadClientID> --perms-to-keys '["wrapKey"]' --perms-to-secrets '["set"]'

  2. Enable encryption on the existing or running VM:

    azure vm enable-disk-encryption --resource-group <resourceGroupName> --name <vmName> --aad-client-id <aadClientId> --aad-client-secret <aadClientSecret> --disk-encryption-key-vault-url <keyVaultURL> --disk-encryption-key-vault-id <keyVaultResourceId> --volume-type [All|OS|Data]

  3. Get the encryption status:

    azure vm show-disk-encryption-status --resource-group <resourceGroupName> --name <vmName> --json

  4. To enable encryption on a new VM from your encrypted VHD, use the following parameters with the azure vm create command:

    * disk-encryption-key-vault-id <disk-encryption-key-vault-id>
    * disk-encryption-key-url <disk-encryption-key-url>
    * key-encryption-key-vault-id <key-encryption-key-vault-id>
    * key-encryption-key-url <key-encryption-key-url>

Get the encryption status of an encrypted IaaS VM

You can get the encryption status by using Azure Resource Manager, PowerShell cmdlets, or CLI commands. The following sections explain how to use the Azure classic portal and CLI commands to get the encryption status.

Get the encryption status of an encrypted Windows VM by using Azure Resource Manager

You can get the encryption status of the IaaS VM from Azure Resource Manager by doing the following:

  1. Sign in to the Azure classic portal, and then click Virtual machines in the left pane to see a summary view of the virtual machines in your subscription. You can filter the virtual machines view by selecting the subscription name in the Subscription drop-down list.

  2. At the top of the Virtual machines page, click Columns.

  3. On the Choose column blade, select Disk Encryption, and then click Update. You should see the disk-encryption column showing the encryption state Enabled or Not Enabled for each VM, as shown in the following figure:


Get the encryption status of an encrypted (Windows/Linux) IaaS VM by using the disk-encryption PowerShell cmdlet

You can get the encryption status of the IaaS VM from the disk-encryption PowerShell cmdlet Get-AzureRmVMDiskEncryptionStatus. To get the encryption settings for your VM, enter the following:

C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName -ExtensionName $ExtensionName

OsVolumeEncrypted          : NotEncrypted
DataVolumesEncrypted       : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : https://rheltest1keyvault.vault.azure.net/secrets/bdb6bfb1-5431-4c28-af46-b18d0025ef2a/abebacb83d864a5fa729508315020f8a

You can inspect the output of Get-AzureRmVMDiskEncryptionStatus for the encryption key URLs.

C:\> $status = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName -ExtensionName $ExtensionName
C:\> $status.OsVolumeEncryptionSettings

DiskEncryptionKey                                                 KeyEncryptionKey                                               Enabled
-----------------                                                 ----------------                                               -------
Microsoft.Azure.Management.Compute.Models.KeyVaultSecretReference Microsoft.Azure.Management.Compute.Models.KeyVaultKeyReference    True


C:\> $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl
https://rheltest1keyvault.vault.azure.net/secrets/bdb6bfb1-5431-4c28-af46-b18d0025ef2a/abebacb83d864a5fa729508315020f8a
C:\> $status.OsVolumeEncryptionSettings.DiskEncryptionKey

SecretUrl                                                                                                               SourceVault
---------                                                                                                               -----------
https://rheltest1keyvault.vault.azure.net/secrets/bdb6bfb1-5431-4c28-af46-b18d0025ef2a/abebacb83d864a5fa729508315020f8a Microsoft.Azure.Management....

When the OsVolumeEncrypted and DataVolumesEncrypted values are both set to Encrypted, both volumes are encrypted using Azure Disk Encryption. For information about enabling encryption with Azure Disk Encryption by using PowerShell cmdlets, see the blog posts Explore Azure Disk Encryption with Azure PowerShell - Part 1 and Explore Azure Disk Encryption with Azure PowerShell - Part 2.

Note

On Linux VMs, it takes three to four minutes for the Get-AzureRmVMDiskEncryptionStatus cmdlet to report the encryption status.

Get the encryption status of the IaaS VM from the disk-encryption CLI command

You can get the encryption status of the IaaS VM by using the disk-encryption CLI command azure vm show-disk-encryption-status. To get the encryption settings for your VM, enter the following in your Azure CLI session:

azure vm show-disk-encryption-status --resource-group <yourResourceGroupName> --name <yourVMName> --json  
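As an added example (not from the original article), this function runs Get-AzureRmVMDiskEncryptionStatus over every VM in a resource group and reports which VMs are not fully encrypted, which are waiting on a restart, and whether each BEK secret lives in the expected vault. The resource group and vault host are placeholders; the compliance rule, the handling of VMs without data disks, and the way VMRestartPending is detected are assumptions.

```powershell
# Added example, not from the original article: report the encryption state of every
# VM in a resource group using the Get-AzureRmVMDiskEncryptionStatus cmdlet shown above.
function Get-AdeStatusReport {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string[]]$ExpectedVaultHosts = @()   # assumed option: vault hostnames the BEK secrets must live in
    )
    foreach ($vm in Get-AzureRmVM -ResourceGroupName $ResourceGroupName) {
        $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $vm.Name
        $os     = $status.OsVolumeEncryptionSettings
        $secretUrl = if ($os -and $os.DiskEncryptionKey) { $os.DiskEncryptionKey.SecretUrl } else { $null }
        $kekUrl    = if ($os -and $os.KeyEncryptionKey)  { $os.KeyEncryptionKey.KeyUrl }    else { $null }
        $osState   = "$($status.OsVolumeEncrypted)"
        $dataState = "$($status.DataVolumesEncrypted)"

        # Assumption: VMRestartPending may surface as the volume state or in
        # ProgressMessage, so both are checked.
        $restartPending = ($osState -eq 'VMRestartPending') -or
                          ("$($status.ProgressMessage)" -match 'VMRestartPending')

        # A secret stored in an unexpected vault means the key material is controlled
        # by a vault (and its access policies) you did not intend.
        $vaultOk = $true
        if ($ExpectedVaultHosts.Count -gt 0 -and $secretUrl) {
            $vaultOk = ([uri]$secretUrl).Host -in $ExpectedVaultHosts
        }

        # Assumed compliance rule: OS volume encrypted, data volumes encrypted unless
        # the VM has no data disks attached, and the secret in an expected vault.
        $noDataDisks = ($vm.StorageProfile.DataDisks.Count -eq 0)
        $compliant = ($osState -eq 'Encrypted') -and
                     (($dataState -eq 'Encrypted') -or $noDataDisks) -and $vaultOk

        [pscustomobject]@{
            VM             = $vm.Name
            OsVolume       = $osState
            DataVolumes    = $dataState
            KekInUse       = [bool]$kekUrl
            SecretUrl      = $secretUrl
            KekUrl         = $kekUrl
            VaultOk        = $vaultOk
            RestartPending = $restartPending
            Compliant      = $compliant
        }
    }
}

# Example run against placeholder names: list VMs that need attention, then restart
# the ones the status reports as VMRestartPending, as the article instructs.
$rg     = '<yourResourceGroup>'
$report = Get-AdeStatusReport -ResourceGroupName $rg -ExpectedVaultHosts @('<yourKeyVaultName>.vault.azure.net')
$report | Format-Table VM, OsVolume, DataVolumes, KekInUse, VaultOk, RestartPending, Compliant -AutoSize

foreach ($row in $report | Where-Object RestartPending) {
    # On Linux VMs the status can lag three to four minutes behind the operation.
    Restart-AzureRmVM -ResourceGroupName $rg -Name $row.VM
}
```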

Disable encryption on a running Windows IaaS VM

You can disable encryption on a running Windows or Linux IaaS VM via the Azure Disk Encryption Resource Manager template or PowerShell cmdlets and specify the decryption configuration.

Windows VM

The disable-encryption step disables encryption of the OS volume, the data volume, or both on the running Windows IaaS VM. You cannot disable encryption on the OS volume and leave the data volume encrypted. When the disable-encryption step is performed, the Azure classic deployment model updates the VM service model, and the Windows IaaS VM is marked as decrypted. The contents of the VM are no longer encrypted at rest. The decryption does not delete your key vault or the encryption key material (BitLocker encryption keys for Windows, passphrase for Linux).

Linux VM

The disable-encryption step disables encryption of the data volume on the running Linux IaaS VM.

Note

Disabling encryption on the OS disk is not allowed on Linux VMs.

Disable encryption on an existing or running IaaS VM

You can disable disk encryption on running Windows IaaS VMs by using the Resource Manager template.

  1. On the Azure quick-start template, click Deploy to Azure, enter the decryption configuration on the Parameters blade, and then click OK.

  2. Select the subscription, resource group, resource group location, legal terms, and agreement, and then click Create to enable encryption on a new IaaS VM.

For Linux VMs, you can disable encryption by using the Disable encryption on a running Linux VM template.

The following table lists the Resource Manager template parameters for disabling encryption on a running IaaS VM:

vmName: Name of the VM that the encryption operation is to be performed on.
volumeType: Type of volume that the decryption operation is performed on. Valid values are OS, Data, and All. You cannot disable encryption on the OS/boot volume of a running Windows IaaS VM without also disabling encryption on the Data volume. Also note that disabling encryption on the OS disk is not allowed on Linux VMs.
sequenceVersion: Sequence version of the BitLocker operation. Increment this version number every time a disk decryption operation is performed on the same VM.

Disable encryption on an existing or running IaaS VM

To disable encryption on an existing or running IaaS VM by using the PowerShell cmdlet, see Disable-AzureRmVMDiskEncryption. This cmdlet supports both Windows and Linux VMs. To disable encryption, it installs an extension on the virtual machine. If the Name parameter is not specified, an extension with the default name AzureDiskEncryption is created for Windows VMs.

On Linux VMs, the AzureDiskEncryptionForLinux extension is used.

Note

This cmdlet reboots the virtual machine.

Enable encryption on a pre-encrypted IaaS VM with Azure Managed Disk

Use the Azure Managed Disk ARM template to create an encrypted VM from a pre-encrypted VHD; the template is at Create a new encrypted managed disk from a pre-encrypted VHD/storage blob (https://github.com/Azure/azure-quickstart-templates/tree/master/201-create-encrypted-managed-disk).

Enable encryption on a new Linux IaaS VM with Azure Managed Disk

Use the Azure Managed Disk ARM template to create a new encrypted Linux IaaS VM; the template is at Deployment of RHEL 7.2 with full disk encryption (https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-full-disk-encrypted-rhel).

Enable encryption on a new Windows IaaS VM with Azure Managed Disk

Use the Azure Managed Disk ARM template to create a new encrypted Windows IaaS VM; the template is at Create a new encrypted Windows IaaS Managed Disk VM from gallery image (https://github.com/Azure/azure-quickstart-templates/tree/master/201-encrypt-create-new-vm-gallery-image-managed-disks).

Note

使用 Azure 磁盘加密 PS cmdlet Set-AzureRmVMDiskEncryptionExtension 或 CLI 命令在 Azure 托管磁盘 VM 上启用加密时,必须使用 -skipVmBackup 参数。You must use -skipVmBackup parameter when using Azure disk encryption PS cmdlet Set-AzureRmVMDiskEncryptionExtension or CLI command to enable encryption on Azure Managed Disk VM.

最好先备份运行中的 VM 实例,然后再在 Linux 托管磁盘 VM 上使用 PS cmdlet Set-AzureRmVMDiskEncryptionExtension 启用加密。It is advisable to backup your running VM instance before you enable encryption using the PS cmdlet Set-AzureRmVMDiskEncryptionExtension on your Linux Managed Disk VM.

更新现有加密的非高级 VM 的加密设置Update encryption settings of an existing encrypted non-premium VM

针对运行中的 VM 使用现有 Azure 磁盘加密支持的接口 [PS cmdlet、CLI 或 ARM 模板],来更新加密设置,如 AAD 客户端 ID/密钥、密钥加密密钥 [KEK]、用于 Windows VM 的 BitLocker 加密密钥或用于 Linux VM 的密码等。只有非高级存储支持的 VM 才支持更新加密设置。Use the existing Azure disk encryption supported interfaces for running VM [PS cmdlets, CLI or ARM templates] to update the encryption settings like AAD client ID/secret, Key encryption key [KEK], BitLocker encryption key for Windows VM or Passphrase for Linux VM etc. The update encryption setting is supported only for VMs backed by non-premium storage. 高级存储支持的 VM 不支持更新加密设置。It is NNOT supported for VMs backed by premium storage.

Appendix

Connect to your subscription

Before you proceed, review the Prerequisites section in this article. After you ensure that all prerequisites have been met, connect to your subscription by doing the following:

  1. Start an Azure PowerShell session, and sign in to your Azure account with the following command:

    Login-AzureRmAccount

  2. If you have multiple subscriptions and want to specify one to use, type the following to see the subscriptions for your account:

    Get-AzureRmSubscription

  3. To specify the subscription you want to use, type:

    Select-AzureRmSubscription -SubscriptionName <Yoursubscriptionname>

  4. To verify that the subscription configured is correct, type:

    Get-AzureRmSubscription

  5. To confirm that the Azure Disk Encryption cmdlets are installed, type:

    Get-Command *diskencryption*

  6. The following output confirms the Azure Disk Encryption PowerShell installation:

    PS C:\Windows\System32\WindowsPowerShell\v1.0> get-command *diskencryption*
    CommandType  Name                                         Source
    Cmdlet       Get-AzureRmVMDiskEncryptionStatus            AzureRM.Compute
    Cmdlet       Disable-AzureRmVMDiskEncryption              AzureRM.Compute
    Cmdlet       Set-AzureRmVMDiskEncryptionExtension         AzureRM.Compute

Prepare a pre-encrypted Windows VHD

The sections that follow are necessary to prepare a pre-encrypted Windows VHD for deployment as an encrypted VHD in Azure IaaS. Use the information to prepare and boot a fresh Windows VM (VHD) on Azure Site Recovery or Azure.

Update group policy to allow non-TPM for OS protection

Configure the BitLocker Group Policy setting BitLocker Drive Encryption, which you'll find under Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components. Change this setting to Operating System Drives > Require additional authentication at startup > Allow BitLocker without a compatible TPM, as shown in the following figure:

[Figure: BitLocker Group Policy setting "Allow BitLocker without a compatible TPM"]

Install BitLocker feature components

For Windows Server 2012 and later, use the following command:

dism /online /Enable-Feature /all /FeatureName:BitLocker /quiet /norestart

For Windows Server 2008 R2, use the following command:

ServerManagerCmd -install BitLocker

Prepare the OS volume for BitLocker by using bdehdcfg

To shrink the OS partition and prepare the machine for BitLocker, execute the following command:

bdehdcfg -target c: shrink -quiet

Protect the OS volume by using BitLocker

Use the manage-bde command to enable encryption on the boot volume using an external key protector. Also place the external key (.bek file) on the external drive or volume. Encryption is enabled on the system/boot volume after the next reboot.

manage-bde -on %systemdrive% -sk [ExternalDriveOrVolume]
reboot

Note

Prepare the VM with a separate data/resource VHD for getting the external key by using BitLocker.

Encrypting an OS drive on a running Linux VM

Encryption of an OS drive on a running Linux VM is supported on the following distributions:

  • RHEL 7.2
  • CentOS 7.2
  • Ubuntu 16.04

Prerequisites for OS disk encryption

  • The VM must be created from the Marketplace image in Azure Resource Manager.
  • Azure VM with at least 4 GB of RAM (recommended size is 7 GB).
  • (For RHEL and CentOS) Disable SELinux. To disable SELinux, see "4.4.2. Disabling SELinux" in the SELinux User's and Administrator's Guide on the VM.
  • After you disable SELinux, reboot the VM at least once.

Steps

  1. Create a VM by using one of the distributions specified previously.

For CentOS 7.2, OS disk encryption is supported via a special image. To use this image, specify "7.2n" as the SKU when you create the VM:

    Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "OpenLogic" -Offer "CentOS" -Skus "7.2n" -Version "latest"

  2. Configure the VM according to your needs. If you are going to encrypt all the (OS + data) drives, the data drives need to be specified and mountable from /etc/fstab.

Note

Use UUID=... to specify data drives in /etc/fstab instead of specifying the block device name (for example, /dev/sdb1). During encryption, the order of drives changes on the VM. If your VM relies on a specific order of block devices, it will fail to mount them after encryption.

  3. Sign out of the SSH sessions.

  4. To encrypt the OS, specify volumeType as All or OS when you enable encryption.

Note

All user-space processes that are not running as systemd services should be killed with a SIGKILL. Reboot the VM. When you enable OS disk encryption on a running VM, plan on VM downtime.

  5. Periodically monitor the progress of encryption by using the instructions in the next section.

  6. After Get-AzureRmVmDiskEncryptionStatus shows "VMRestartPending," restart your VM either by signing in to it or by using the portal, PowerShell, or CLI.

    C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName -ExtensionName $ExtensionName

    OsVolumeEncrypted          : VMRestartPending
    DataVolumesEncrypted       : NotMounted
    OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
    ProgressMessage            : OS disk successfully encrypted, reboot the VM

Before you reboot, we recommend that you save the boot diagnostics of the VM.
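The note in step 2 above requires data drives to be listed in /etc/fstab by UUID, because the block-device order changes during encryption. The following checker, an added example that is not part of the Azure documentation or the ADE extension, parses an fstab, flags entries that are mounted by an order-dependent device name, and rewrites them once you have collected the UUIDs with blkid; the fstab content and UUIDs are constructed for the example.

```python
"""Flag /etc/fstab entries that will break when device order changes.

Added example, not part of the Azure documentation. The sample fstab and
the UUIDs are constructed; on a real VM read /etc/fstab and collect the
UUID of each data disk with `blkid` before you enable encryption.
"""
import re

# Constructed sample /etc/fstab; device names and UUIDs are made up.
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information
UUID=3a1f2c4d-0000-4000-8000-000000000001 /      xfs  defaults 0 0
UUID=3a1f2c4d-0000-4000-8000-000000000002 /boot  xfs  defaults 0 0
/dev/sdc1    /data    ext4   defaults        0 0
/dev/sdd1    /logs    ext4   defaults,nofail 0 0
LABEL=backup /backup  ext4   defaults,nofail 0 0
tmpfs        /tmp     tmpfs  defaults        0 0
"""

# Identifiers that survive a change in device enumeration order.
STABLE_PREFIXES = ("UUID=", "PARTUUID=", "LABEL=", "PARTLABEL=")
# Kernel device names assigned by probe order; these can move.
ORDER_DEPENDENT = re.compile(
    r"^/dev/(sd[a-z]+\d*|vd[a-z]+\d*|xvd[a-z]+\d*|nvme\d+n\d+(p\d+)?)$")


def parse_fstab(text):
    """Yield (spec, mountpoint, fstype, options) for each real entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; mount would ignore it as well
        options = fields[3].split(",") if len(fields) > 3 else []
        yield fields[0], fields[1], fields[2], options


def fragile_entries(text):
    """Return (spec, mountpoint) pairs whose mount depends on device order."""
    fragile = []
    for spec, mountpoint, _fstype, _opts in parse_fstab(text):
        if spec.startswith(STABLE_PREFIXES):
            continue
        if ORDER_DEPENDENT.match(spec) or spec.startswith("/dev/disk/by-path/"):
            fragile.append((spec, mountpoint))
    return fragile


def rewrite_with_uuid(text, uuid_by_device):
    """Return fstab text with mapped device names replaced by UUID=<uuid>.

    uuid_by_device maps a device such as /dev/sdc1 to the UUID that blkid
    reports for it. Comments, blank lines and unmapped entries are kept.
    """
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and not raw.lstrip().startswith("#") and fields[0] in uuid_by_device:
            fields[0] = "UUID=" + uuid_by_device[fields[0]]
            raw = "  ".join(fields)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for spec, mnt in fragile_entries(SAMPLE_FSTAB):
        print(f"{mnt} is mounted by device name {spec}; use UUID= instead")
```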

Monitoring OS encryption progress

You can monitor OS encryption progress in three ways:

  • Use the Get-AzureRmVmDiskEncryptionStatus cmdlet and inspect the ProgressMessage field:

    OsVolumeEncrypted          : EncryptionInProgress
    DataVolumesEncrypted       : NotMounted
    OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
    ProgressMessage            : OS disk encryption started

After the VM reaches "OS disk encryption started," it takes about 40 to 50 minutes on a Premium-storage backed VM.

Because of issue #388 in WALinuxAgent, OsVolumeEncrypted and DataVolumesEncrypted show up as Unknown in some distributions. With WALinuxAgent version 2.1.5 and later, this issue is fixed automatically. If you see Unknown in the output, you can verify the disk-encryption status by using the Azure Resource Explorer.

Go to Azure Resource Explorer, and then expand this hierarchy in the selection panel on the left:

|-- subscriptions
    |-- [Your subscription]
         |-- resourceGroups
              |-- [Your resource group]
                   |-- providers
                        |-- Microsoft.Compute
                             |-- virtualMachines
                                  |-- [Your virtual machine]
                                       |-- InstanceView

In the InstanceView, scroll down to see the encryption status of your drives.

[Figure: VM instance view]

  • Look at boot diagnostics. Messages from the ADE extension should be prefixed with [AzureDiskEncryption].

  • Sign in to the VM via SSH, and get the extension log from:

    /var/log/azure/Microsoft.Azure.Security.AzureDiskEncryptionForLinux

We recommend that you do not sign in to the VM while OS encryption is in progress. Copy the logs only when the other two methods have failed.

Prepare a pre-encrypted Linux VHD

Ubuntu 16

Configure encryption during the distribution installation by doing the following:

  1. Select Configure encrypted volumes when you partition the disks.

[Figure: Ubuntu 16.04 installation]

  2. Create a separate boot drive, which must not be encrypted. Encrypt your root drive.

[Figure: Ubuntu 16.04 installation]

  3. Provide a passphrase. This is the passphrase that you upload to the key vault.

[Figure: Ubuntu 16.04 installation]

  4. Finish partitioning.

[Figure: Ubuntu 16.04 installation]

  5. When you boot the VM and are asked for a passphrase, use the passphrase you provided in step 3.

[Figure: Ubuntu 16.04 installation]

  6. Prepare the VM for uploading into Azure using these instructions. Do not run the last step (deprovisioning the VM) yet.

Configure encryption to work with Azure by doing the following:

  1. Create a file under /usr/local/sbin/azure_crypt_key.sh with the content of the following script. Pay attention to KeyFileName, because it is the passphrase file name used by Azure.

    #!/bin/sh
    # Key script run from the initramfs: it looks for the passphrase file that
    # Azure places on a small vfat/ntfs key disk and prints it for cryptsetup.
    MountPoint=/tmp-keydisk-mount
    KeyFileName=LinuxPassPhraseFileName
    echo "Trying to get the key from disks ..." >&2
    mkdir -p $MountPoint
    modprobe vfat >/dev/null 2>&1
    modprobe ntfs >/dev/null 2>&1
    sleep 2
    OPENED=0
    cd /sys/block
    for DEV in sd*; do
        echo "> Trying device: $DEV ..." >&2
        # Try the first partition of each disk as vfat, then as ntfs
        mount -t vfat -r /dev/${DEV}1 $MountPoint >/dev/null ||
        mount -t ntfs -r /dev/${DEV}1 $MountPoint >/dev/null
        if [ -f $MountPoint/$KeyFileName ]; then
            # The file content is the passphrase; it goes to stdout for cryptsetup
            cat $MountPoint/$KeyFileName
            umount $MountPoint 2>/dev/null
            OPENED=1
            break
        fi
        umount $MountPoint 2>/dev/null
    done

    if [ $OPENED -eq 0 ]; then
        # No key disk found: fall back to asking on the console
        echo "FAILED to find suitable passphrase file ..." >&2
        echo -n "Try to enter your password: " >&2
        read -s -r A </dev/console
        echo -n "$A"
    else
        echo "Success loading keyfile!" >&2
    fi


  2. Change the crypt config in /etc/crypttab. It should look like this:

    xxx_crypt uuid=xxxxxxxxxxxxxxxxxxxxx none luks,discard,keyscript=/usr/local/sbin/azure_crypt_key.sh

  3. If you are editing azure_crypt_key.sh in Windows and you copied it to Linux, run dos2unix /usr/local/sbin/azure_crypt_key.sh.

  4. Add executable permissions to the script:

    chmod +x /usr/local/sbin/azure_crypt_key.sh

  5. Edit /etc/initramfs-tools/modules by appending these lines:

    vfat
    ntfs
    nls_cp437
    nls_utf8
    nls_iso8859-1

  6. Run update-initramfs -u -k all to update the initramfs so that the keyscript takes effect.

  7. Now you can deprovision the VM.

[Figure: Ubuntu 16.04 installation]

  8. Continue to the next step and upload your VHD into Azure.

openSUSE 13.2

To configure encryption during the distribution installation, do the following:

  1. When you partition the disks, select Encrypt Volume Group, and then enter a password. This is the password that you will upload to your key vault.

[Figure: openSUSE 13.2 installation]

  2. Boot the VM using your password.

[Figure: openSUSE 13.2 installation]

  3. Prepare the VM for uploading to Azure by following the instructions in Prepare a SLES or openSUSE virtual machine for Azure. Do not run the last step (deprovisioning the VM) yet.

To configure encryption to work with Azure, do the following:

  1. Edit /etc/dracut.conf, and add the following line:

    add_drivers+=" vfat ntfs nls_cp437 nls_iso8859-1"

  2. Comment out these lines at the end of the file /usr/lib/dracut/modules.d/90crypt/module-setup.sh:

    #        inst_multiple -o \
    #        $systemdutildir/system-generators/systemd-cryptsetup-generator \
    #        $systemdutildir/systemd-cryptsetup \
    #        $systemdsystemunitdir/systemd-ask-password-console.path \
    #        $systemdsystemunitdir/systemd-ask-password-console.service \
    #        $systemdsystemunitdir/cryptsetup.target \
    #        $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
    #        systemd-ask-password systemd-tty-ask-password-agent
    #        inst_script "$moddir"/crypt-run-generator.sh /sbin/crypt-run-generator

  3. Append the following line at the beginning of the file /usr/lib/dracut/modules.d/90crypt/parse-crypt.sh:

    DRACUT_SYSTEMD=0

  And change all occurrences of:

    if [ -z "$DRACUT_SYSTEMD" ]; then

  to:

    if [ 1 ]; then

  4. Edit /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh and append the following after "# Open LUKS device":

    # Look for the Azure key disk; if the passphrase file is found, copy it
    # out and point the LUKS open step at the copy through $luksfile
    MountPoint=/tmp-keydisk-mount
    KeyFileName=LinuxPassPhraseFileName
    echo "Trying to get the key from disks ..." >&2
    mkdir -p $MountPoint >&2
    modprobe vfat >/dev/null >&2
    modprobe ntfs >/dev/null >&2
    for SFS in /dev/sd*; do
        echo "> Trying device:$SFS..." >&2
        mount ${SFS}1 $MountPoint -t vfat -r >&2 ||
        mount ${SFS}1 $MountPoint -t ntfs -r >&2
        if [ -f $MountPoint/$KeyFileName ]; then
            echo "> keyfile got..." >&2
            cp $MountPoint/$KeyFileName /tmp-keyfile >&2
            luksfile=/tmp-keyfile
            umount $MountPoint >&2
            break
        fi
    done

  5. Run /usr/sbin/dracut -f -v to update the initrd.

  6. Now you can deprovision the VM and upload your VHD into Azure.

CentOS 7

To configure encryption during the distribution installation, do the following:

  1. Select Encrypt my data when you partition disks.

[Figure: CentOS 7 installation]

  2. Make sure Encrypt is selected for the root partition.

[Figure: CentOS 7 installation]

  3. Provide a passphrase. This is the passphrase that you will upload to your key vault.

[Figure: CentOS 7 installation]

  4. When you boot the VM and are asked for a passphrase, use the passphrase you provided in step 3.

[Figure: CentOS 7 installation]

  5. Prepare the VM for uploading into Azure by using the "CentOS 7.0+" instructions in Prepare a CentOS-based virtual machine for Azure. Do not run the last step (deprovisioning the VM) yet.

  6. Now you can deprovision the VM and upload your VHD into Azure.

To configure encryption to work with Azure, do the following:

  1. Edit /etc/dracut.conf, and add the following line:

    add_drivers+=" vfat ntfs nls_cp437 nls_iso8859-1"

  2. Comment out these lines at the end of the file /usr/lib/dracut/modules.d/90crypt/module-setup.sh:

    #        inst_multiple -o \
    #        $systemdutildir/system-generators/systemd-cryptsetup-generator \
    #        $systemdutildir/systemd-cryptsetup \
    #        $systemdsystemunitdir/systemd-ask-password-console.path \
    #        $systemdsystemunitdir/systemd-ask-password-console.service \
    #        $systemdsystemunitdir/cryptsetup.target \
    #        $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
    #        systemd-ask-password systemd-tty-ask-password-agent
    #        inst_script "$moddir"/crypt-run-generator.sh /sbin/crypt-run-generator

  3. Append the following line at the beginning of the file /usr/lib/dracut/modules.d/90crypt/parse-crypt.sh:

    DRACUT_SYSTEMD=0

  And change all occurrences of:

    if [ -z "$DRACUT_SYSTEMD" ]; then

  to:

    if [ 1 ]; then

  4. Edit /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh and append the following after "# Open LUKS device":

    # Look for the Azure key disk; if the passphrase file is found, copy it
    # out and point the LUKS open step at the copy through $luksfile
    MountPoint=/tmp-keydisk-mount
    KeyFileName=LinuxPassPhraseFileName
    echo "Trying to get the key from disks ..." >&2
    mkdir -p $MountPoint >&2
    modprobe vfat >/dev/null >&2
    modprobe ntfs >/dev/null >&2
    for SFS in /dev/sd*; do
        echo "> Trying device:$SFS..." >&2
        mount ${SFS}1 $MountPoint -t vfat -r >&2 ||
        mount ${SFS}1 $MountPoint -t ntfs -r >&2
        if [ -f $MountPoint/$KeyFileName ]; then
            echo "> keyfile got..." >&2
            cp $MountPoint/$KeyFileName /tmp-keyfile >&2
            luksfile=/tmp-keyfile
            umount $MountPoint >&2
            break
        fi
    done

  5. Run /usr/sbin/dracut -f -v to update the initrd.

[Figure: CentOS 7 installation]

Upload encrypted VHD to an Azure storage account

After BitLocker encryption or DM-Crypt encryption is enabled, the local encrypted VHD needs to be uploaded to your storage account.

Add-AzureRmVhd [-Destination] <Uri> [-LocalFilePath] <FileInfo> [[-NumberOfUploaderThreads] <Int32> ] [[-BaseImageUriToPatch] <Uri> ] [[-OverWrite]] [ <CommonParameters>]

Upload the disk-encryption secret for the pre-encrypted VM to your key vault

The disk-encryption secret that you obtained previously must be uploaded as a secret in your key vault. The key vault needs to have disk encryption enabled and permissions granted to your Azure AD client.

$AadClientId = "YourAADClientId"
$AadClientSecret = "YourAADClientSecret"
# Placeholder names for the key vault, resource group and region used below
$KeyVaultName = "YourKeyVaultName"
$ResourceGroupName = "YourResourceGroupName"
$Location = "YourAzureRegion"

$KeyVault = New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $Location

Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -ServicePrincipalName $AadClientId -PermissionsToKeys all -PermissionsToSecrets all
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -EnabledForDiskEncryption

Disk encryption secret not encrypted with a KEK

To set up the secret in your key vault, use Set-AzureKeyVaultSecret. If you have a Windows virtual machine, the bek file is encoded as a base64 string and then uploaded to your key vault using the Set-AzureKeyVaultSecret cmdlet. For Linux, the passphrase is encoded as a base64 string and then uploaded to the key vault. In addition, make sure that the following tags are set when you create the secret in the key vault.

# This is the passphrase that was provided for encryption during the distribution installation
$passphrase = "contoso-password"

$tags = @{"DiskEncryptionKeyEncryptionAlgorithm" = "RSA-OAEP"; "DiskEncryptionKeyFileName" = "LinuxPassPhraseFileName"}
$secretName = [guid]::NewGuid().ToString()
$secretValue = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($passphrase))
$secureSecretValue = ConvertTo-SecureString $secretValue -AsPlainText -Force

$secret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $secretName -SecretValue $secureSecretValue -tags $tags
$secretUrl = $secret.Id

Use $secretUrl in the next step for attaching the OS disk without using a KEK.

Disk encryption secret encrypted with a KEK

Before you upload the secret to the key vault, you can optionally encrypt it by using a key encryption key. Use the wrap API to first encrypt the secret using the key encryption key; the script below does this through the key's /encrypt endpoint with the RSA-OAEP algorithm. The output of this wrap operation is a base64 URL encoded string, which you can then upload as a secret by using the Set-AzureKeyVaultSecret cmdlet.

# This is the passphrase that was provided for encryption during the distribution installation
$passphrase = "contoso-password"

Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name "keyencryptionkey" -Destination Software
$KeyEncryptionKey = Get-AzureKeyVaultKey -VaultName $KeyVault.OriginalVault.Name -Name "keyencryptionkey"

$apiversion = "2015-06-01"

##############################
# Get Auth URI
##############################

$uri = $KeyVault.VaultUri + "/keys"
$headers = @{}

$response = try { Invoke-RestMethod -Method GET -Uri $uri -Headers $headers } catch { $_.Exception.Response }

$authHeader = $response.Headers["www-authenticate"]
$authUri = [regex]::match($authHeader, 'authorization="(.*?)"').Groups[1].Value

Write-Host "Got Auth URI successfully"

##############################
# Get Auth Token
##############################

$uri = $authUri + "/oauth2/token"
$body = "grant_type=client_credentials"
$body += "&client_id=" + $AadClientId
$body += "&client_secret=" + [Uri]::EscapeDataString($AadClientSecret)
$body += "&resource=" + [Uri]::EscapeDataString("https://vault.azure.net")
$headers = @{}

$response = Invoke-RestMethod -Method POST -Uri $uri -Headers $headers -Body $body

$access_token = $response.access_token

Write-Host "Got Auth Token successfully"

##############################
# Get KEK info
##############################

$uri = $KeyEncryptionKey.Id + "?api-version=" + $apiversion
$headers = @{"Authorization" = "Bearer " + $access_token}

$response = Invoke-RestMethod -Method GET -Uri $uri -Headers $headers

$keyid = $response.key.kid

Write-Host "Got KEK info successfully"

##############################
# Encrypt passphrase using KEK
##############################

$passphraseB64 = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($Passphrase))
$uri = $keyid + "/encrypt?api-version=" + $apiversion
$headers = @{"Authorization" = "Bearer " + $access_token; "Content-Type" = "application/json"}
$bodyObj = @{"alg" = "RSA-OAEP"; "value" = $passphraseB64}
$body = $bodyObj | ConvertTo-Json

$response = Invoke-RestMethod -Method POST -Uri $uri -Headers $headers -Body $body

$wrappedSecret = $response.value

Write-Host "Encrypted passphrase successfully"

##############################
# Store secret
##############################

$secretName = [guid]::NewGuid().ToString()
$uri = $KeyVault.VaultUri + "/secrets/" + $secretName + "?api-version=" + $apiversion
$secretAttributes = @{"enabled" = $true}
$secretTags = @{"DiskEncryptionKeyEncryptionAlgorithm" = "RSA-OAEP"; "DiskEncryptionKeyFileName" = "LinuxPassPhraseFileName"}
$headers = @{"Authorization" = "Bearer " + $access_token; "Content-Type" = "application/json"}
$bodyObj = @{"value" = $wrappedSecret; "attributes" = $secretAttributes; "tags" = $secretTags}
$body = $bodyObj | ConvertTo-Json

$response = Invoke-RestMethod -Method PUT -Uri $uri -Headers $headers -Body $body

Write-Host "Stored secret successfully"

$secretUrl = $response.id
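Both secret-upload flows above (the plain secret and the KEK-wrapped one) depend on a few encoding rules that are easy to get wrong: the passphrase is base64-encoded before upload, the value returned by the key's /encrypt call is unpadded base64url, the stored secret must carry the DiskEncryptionKeyEncryptionAlgorithm and DiskEncryptionKeyFileName tags, and the token request percent-escapes the client secret and resource. The following Python, an added example that is neither the page's PowerShell nor Azure SDK code, builds those request bodies offline and validates a stored secret; the challenge header and the wrapped bytes are constructed sample values, and no network calls are made.

```python
"""Build and check the Key Vault messages behind the two secret-upload flows.

Added example, not the page's PowerShell and not Azure SDK code. The
challenge header and the "wrapped" bytes used in the demo are constructed.
"""
import base64
import json
import re
from urllib.parse import quote

# Tags the page sets on the secret in both flows.
REQUIRED_TAGS = {
    "DiskEncryptionKeyEncryptionAlgorithm": "RSA-OAEP",
    "DiskEncryptionKeyFileName": "LinuxPassPhraseFileName",
}


def encode_passphrase(passphrase):
    """Base64 of the ASCII passphrase, matching [Convert]::ToBase64String."""
    return base64.b64encode(passphrase.encode("ascii")).decode("ascii")


def parse_bearer_challenge(www_authenticate):
    """Return (authorization URI, resource) from a Key Vault 401 challenge."""
    auth = re.search(r'authorization="(.*?)"', www_authenticate)
    if auth is None:
        raise ValueError("challenge has no authorization parameter")
    res = re.search(r'resource="(.*?)"', www_authenticate)
    return auth.group(1), (res.group(1) if res else "https://vault.azure.net")


def token_request_body(client_id, client_secret, resource):
    """client_credentials body; the secret and resource are percent-escaped."""
    return ("grant_type=client_credentials"
            f"&client_id={client_id}"
            f"&client_secret={quote(client_secret, safe='')}"
            f"&resource={quote(resource, safe='')}")


def encrypt_request_body(passphrase):
    """Body for POST {kid}/encrypt: RSA-OAEP over the base64 passphrase."""
    return {"alg": "RSA-OAEP", "value": encode_passphrase(passphrase)}


def b64url_encode(raw):
    """Encode bytes the way Key Vault returns them: base64url, no padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(value):
    """Decode standard or URL-safe base64, with or without padding."""
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def secret_put_body(value, key_file_name="LinuxPassPhraseFileName"):
    """Body for PUT /secrets/{name}: the value plus the tags ADE reads."""
    tags = dict(REQUIRED_TAGS, DiskEncryptionKeyFileName=key_file_name)
    return {"value": value, "attributes": {"enabled": True}, "tags": tags}


def validate_secret(secret):
    """Return problems with a stored secret object (as returned by GET)."""
    problems = []
    tags = secret.get("tags") or {}
    for name, expected in REQUIRED_TAGS.items():
        if tags.get(name) != expected:
            problems.append(f"tag {name} is {tags.get(name)!r}, expected {expected!r}")
    if not (secret.get("attributes") or {}).get("enabled", False):
        problems.append("secret is not enabled")
    try:
        if not b64url_decode(secret.get("value") or ""):
            problems.append("value is empty")
    except ValueError:  # binascii.Error is a ValueError
        problems.append("value is not valid base64 or base64url")
    return problems


if __name__ == "__main__":
    # Constructed wrapped bytes standing in for the /encrypt response value.
    wrapped = b64url_encode(b"\x01\x02\xff\xfb")
    print(json.dumps(encrypt_request_body("contoso-password")))
    print(json.dumps(secret_put_body(wrapped)))
    print(validate_secret(secret_put_body(wrapped)))
```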

Use $KeyEncryptionKey and $secretUrl in the next step for attaching the OS disk using a KEK.

Specify a secret URL when you attach an OS disk

Without using a KEK

While you are attaching the OS disk, you need to pass $secretUrl. The URL was generated in the "Disk encryption secret not encrypted with a KEK" section.

Set-AzureRmVMOSDisk `
        -VM $VirtualMachine `
        -Name $OSDiskName `
        -SourceImageUri $VhdUri `
        -VhdUri $OSDiskUri `
        -Linux `
        -CreateOption FromImage `
        -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
        -DiskEncryptionKeyUrl $SecretUrl

Using a KEK

When you attach the OS disk, pass $KeyEncryptionKey and $secretUrl. The URL was generated in the "Disk encryption secret encrypted with a KEK" section.

Set-AzureRmVMOSDisk `
        -VM $VirtualMachine `
        -Name $OSDiskName `
        -SourceImageUri $CopiedTemplateBlobUri `
        -VhdUri $OSDiskUri `
        -Linux `
        -CreateOption FromImage `
        -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
        -DiskEncryptionKeyUrl $SecretUrl `
        -KeyEncryptionKeyVaultId $KeyVault.ResourceId `
        -KeyEncryptionKeyURL $KeyEncryptionKey.Id

Download this guide

You can download this guide from the TechNet Gallery.

For more information

Explore Azure Disk Encryption with Azure PowerShell - Part 1
Explore Azure Disk Encryption with Azure PowerShell - Part 2