Encrypt OS and attached data disks in a virtual machine scale set with the Azure CLI

The Azure CLI is used to create and manage Azure resources from the command line or in scripts. This quickstart shows you how to use the Azure CLI to create and encrypt a virtual machine scale set. For more information on applying Azure Disk Encryption to a virtual machine scale set, see Azure Disk Encryption for Virtual Machine Scale Sets.

If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version 2.0.31 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create a scale set

Before you can create a scale set, create a resource group with az group create. The following example creates a resource group named myResourceGroup in the chinanorth location:

az group create --name myResourceGroup --location chinanorth

Now create a virtual machine scale set with az vmss create. The following example creates a scale set named myScaleSet that is set to automatically update as changes are applied, and generates SSH keys if they do not exist in ~/.ssh/id_rsa. A 32 GB data disk is attached to each VM instance, and the Azure Custom Script Extension is used to prepare the data disks with az vmss extension set:

# Create a scale set with attached data disk
az vmss create \
  --resource-group myResourceGroup \
  --name myScaleSet \
  --image UbuntuLTS \
  --upgrade-policy-mode automatic \
  --admin-username azureuser \
  --generate-ssh-keys \
  --data-disk-sizes-gb 32

# Prepare the data disk for use with the Custom Script Extension
az vmss extension set \
  --publisher Microsoft.Azure.Extensions \
  --version 2.0 \
  --name CustomScript \
  --resource-group myResourceGroup \
  --vmss-name myScaleSet \
  --settings '{"fileUris":["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/prepare_vm_disks.sh"],"commandToExecute":"./prepare_vm_disks.sh"}'

It takes a few minutes to create and configure all the scale set resources and VMs.

Create an Azure Key Vault enabled for disk encryption

Azure Key Vault can store keys, secrets, or passwords that allow you to securely implement them in your applications and services. Cryptographic keys are stored in Azure Key Vault using software protection. These cryptographic keys are used to encrypt and decrypt the virtual disks attached to your VMs. You retain control of these cryptographic keys and can audit their use.

Define your own unique keyvault_name. Then, create a Key Vault with az keyvault create in the same subscription and region as the scale set, and set the --enabled-for-disk-encryption access policy.

# Provide your own unique Key Vault name
keyvault_name=myuniquekeyvaultname

# Create Key Vault
az keyvault create --resource-group myResourceGroup --name $keyvault_name --enabled-for-disk-encryption

Use an existing Key Vault

This step is only required if you have an existing Key Vault that you wish to use with disk encryption. Skip this step if you created a Key Vault in the previous section.

Define your own unique keyvault_name. Then, update your Key Vault with az keyvault update and set the --enabled-for-disk-encryption access policy.

# Provide your own unique Key Vault name
keyvault_name=myuniquekeyvaultname

# Enable the existing Key Vault for disk encryption
az keyvault update --name $keyvault_name --enabled-for-disk-encryption

Enable encryption

To encrypt VM instances in a scale set, first get the Key Vault resource ID with az keyvault show. This value is then used to start the encryption process with az vmss encryption enable:

# Get the resource ID of the Key Vault
vaultResourceId=$(az keyvault show --resource-group myResourceGroup --name $keyvault_name --query id -o tsv)

# Enable encryption of the data disks in a scale set
az vmss encryption enable \
    --resource-group myResourceGroup \
    --name myScaleSet \
    --disk-encryption-keyvault $vaultResourceId \
    --volume-type DATA

It may take a minute or two for the encryption process to start.

As the upgrade policy on the scale set created in an earlier step is set to automatic, the VM instances automatically start the encryption process. On scale sets where the upgrade policy is set to manual, start the encryption policy on the VM instances with az vmss update-instances.

Enable encryption using a KEK to wrap the key

You can also use a Key Encryption Key (KEK) for added security when encrypting the virtual machine scale set.

# Get the resource ID of the Key Vault
vaultResourceId=$(az keyvault show --resource-group myResourceGroup --name $keyvault_name --query id -o tsv)

# Enable encryption of the data disks in a scale set
az vmss encryption enable \
    --resource-group myResourceGroup \
    --name myScaleSet \
    --disk-encryption-keyvault $vaultResourceId \
    --key-encryption-key myKEK \
    --key-encryption-keyvault $vaultResourceId \
    --volume-type DATA

Note

The syntax for the value of the disk-encryption-keyvault parameter is the full resource identifier string:
/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]

The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in:
https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]
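A mistyped identifier in either of these parameters is only rejected once the request reaches Azure, so it is worth checking the shape of both values locally before running az vmss encryption enable. The script below is an added example and is not part of the original page or of the Azure CLI: the function names, the constructed sample values and the `vault.azure.cn` DNS suffix (the Azure China suffix used in the note above) are assumptions, and it treats the KEK version segment as a 32-character hexadecimal id, which is the format Key Vault uses for key versions.

```shell
#!/bin/sh
# Added example (not from the original page): validate the two identifier
# formats from the note before handing them to `az vmss encryption enable`,
# so a pasted vault name or a truncated KEK URI fails fast and locally.

GUID='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
# Key Vault names are 3-24 characters of letters, digits and hyphens.
VAULT_NAME='[A-Za-z0-9-]{3,24}'

# Succeed when $1 is a full Key Vault resource ID:
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
is_keyvault_resource_id() {
  printf '%s\n' "$1" | grep -Eq \
    "^/subscriptions/${GUID}/resourceGroups/[-A-Za-z0-9_.()]+/providers/Microsoft\.KeyVault/vaults/${VAULT_NAME}\$"
}

# Succeed when $1 is a full KEK URI:
# https://<vault>.vault.azure.cn/keys/<kekname>/<32-hex version id>
# (assumption: Azure China DNS suffix as used on this page, lowercase hex version)
is_kek_uri() {
  printf '%s\n' "$1" | grep -Eq \
    "^https://${VAULT_NAME}\.vault\.azure\.cn/keys/[A-Za-z0-9-]+/[0-9a-f]{32}\$"
}

# Validate both identifiers, then run the same command the page shows with a
# KEK. Returns 2 without calling az if either value is malformed.
# Usage: enable_encryption_with_kek <resource-group> <vmss-name> <vault-resource-id> <kek-uri>
enable_encryption_with_kek() {
  rg=$1; vmss=$2; vault_id=$3; kek_uri=$4
  if ! is_keyvault_resource_id "$vault_id"; then
    echo "not a Key Vault resource ID (expected /subscriptions/.../vaults/<name>): $vault_id" >&2
    return 2
  fi
  if ! is_kek_uri "$kek_uri"; then
    echo "not a KEK URI (expected https://<vault>.vault.azure.cn/keys/<kek>/<version>): $kek_uri" >&2
    return 2
  fi
  az vmss encryption enable \
    --resource-group "$rg" \
    --name "$vmss" \
    --disk-encryption-keyvault "$vault_id" \
    --key-encryption-key "$kek_uri" \
    --key-encryption-keyvault "$vault_id" \
    --volume-type DATA
}

# Constructed sample values (all-zero GUID and version id, not real resources).
SAMPLE_VAULT_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myuniquekeyvaultname'
SAMPLE_KEK_URI='https://myuniquekeyvaultname.vault.azure.cn/keys/myKEK/0123456789abcdef0123456789abcdef'

# Run for real only when all four arguments are supplied, e.g.:
#   sh enable_kek.sh myResourceGroup myScaleSet "$vaultResourceId" "$kekUri"
if [ "$#" -ge 4 ]; then
  enable_encryption_with_kek "$@"
fi
```

The checks are deliberately strict about shape rather than content: they cannot tell you whether the vault or key exists, only that the value is not, for example, a bare vault name where the full resource ID is required.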

Check encryption progress

To check on the status of disk encryption, use az vmss encryption show:

az vmss encryption show --resource-group myResourceGroup --name myScaleSet

When VM instances are encrypted, the status code reports EncryptionState/encrypted, as shown in the following example output:

[
  {
    "disks": [
      {
        "encryptionSettings": null,
        "name": "myScaleSet_myScaleSet_0_disk2_3f39c2019b174218b98b3dfae3424e69",
        "statuses": [
          {
            "additionalProperties": {},
            "code": "EncryptionState/encrypted",
            "displayStatus": "Encryption is enabled on disk",
            "level": "Info",
            "message": null,
            "time": null
          }
        ]
      }
    ],
    "id": "/subscriptions/guid/resourceGroups/MYRESOURCEGROUP/providers/Microsoft.Compute/virtualMachineScaleSets/myScaleSet/virtualMachines/0",
    "resourceGroup": "MYRESOURCEGROUP"
  }
]
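In a script you usually want to wait for that status rather than read it by eye, and a scale set with several instances reports one entry per VM, so the check has to look at every disk. The following is an added example, not code from the original page or from the Azure CLI: it parses the JSON shape shown above with plain grep (no jq), treats the set as done only when at least one status is present and every status is EncryptionState/encrypted, and polls az vmss encryption show until then. The function names are assumptions, and the sample JSON is constructed to mirror the page's output, with a second, not-yet-encrypted instance added for the test.

```shell
#!/bin/sh
# Added example (not from the original page): decide from the output of
# `az vmss encryption show` whether every disk in the scale set is encrypted,
# and poll until it is. Only wait_for_encryption calls the Azure CLI; the
# parsing functions work on plain text so they run offline.

# Print one EncryptionState/<state> code per line, taken from the "code"
# fields of the statuses arrays. POSIX shell plus grep -o, no jq needed.
status_codes() {
  printf '%s\n' "$1" \
    | grep -oE '"code": *"EncryptionState/[A-Za-z]+"' \
    | grep -oE 'EncryptionState/[A-Za-z]+'
}

# Print the number of disk statuses that are not yet "encrypted".
count_unencrypted() {
  status_codes "$1" | grep -vc '^EncryptionState/encrypted$' || true
}

# Succeed (exit 0) only when at least one status is present and all of them
# report EncryptionState/encrypted. Empty output must not look like success.
all_encrypted() {
  total=$(status_codes "$1" | grep -c . || true)
  pending=$(count_unencrypted "$1")
  [ "$total" -gt 0 ] && [ "$pending" -eq 0 ]
}

# Poll the real scale set every 30 seconds until every disk is encrypted or
# the attempt limit is reached.
# Usage: wait_for_encryption <resource-group> <vmss-name> [max_attempts]
wait_for_encryption() {
  rg=$1; vmss=$2; attempts=${3:-60}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    json=$(az vmss encryption show --resource-group "$rg" --name "$vmss" -o json)
    if all_encrypted "$json"; then
      echo "all disks in $vmss report EncryptionState/encrypted"
      return 0
    fi
    echo "$(count_unencrypted "$json") disk(s) still pending; retrying in 30s"
    i=$((i + 1))
    sleep 30
  done
  echo "timed out waiting for $vmss to finish encrypting" >&2
  return 1
}

# Constructed samples modelled on the page's example output. Disk names and
# the in-progress status code are made up for illustration.
SAMPLE_ENCRYPTED='[
  {"disks":[{"name":"myScaleSet_0_disk2","statuses":[{"code":"EncryptionState/encrypted"}]}]},
  {"disks":[{"name":"myScaleSet_1_disk2","statuses":[{"code":"EncryptionState/encrypted"}]}]}
]'
SAMPLE_MIXED='[
  {"disks":[{"name":"myScaleSet_0_disk2","statuses":[{"code":"EncryptionState/encrypted"}]}]},
  {"disks":[{"name":"myScaleSet_1_disk2","statuses":[{"code":"EncryptionState/notEncrypted"}]}]}
]'

# Run for real only when a resource group and scale set name are supplied:
#   sh check_encryption.sh myResourceGroup myScaleSet
if [ "$#" -ge 2 ]; then
  wait_for_encryption "$1" "$2"
fi
```

Because the check is per disk rather than per scale set, a single instance that was rebooted or added mid-rollout and has not finished encrypting keeps the script waiting instead of reporting success early.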

Disable encryption

If you no longer wish to use encrypted VM instance disks, you can disable encryption with az vmss encryption disable as follows:

az vmss encryption disable --resource-group myResourceGroup --name myScaleSet

Next steps