Encrypt OS and attached data disks in a virtual machine scale set with Azure PowerShell

The Azure PowerShell module is used to create and manage Azure resources from the PowerShell command line or in scripts. This article shows you how to use Azure PowerShell to create a virtual machine scale set and encrypt the OS and data disks of its VM instances with Azure Disk Encryption. For more information on applying Azure Disk Encryption to a virtual machine scale set, see Azure Disk Encryption for Virtual Machine Scale Sets.

Create an Azure Key Vault enabled for disk encryption

Azure Key Vault can store keys, secrets, or passwords that allow you to securely implement them in your applications and services. In this article, the cryptographic keys are stored in Azure Key Vault using software protection. These keys are used to encrypt and decrypt the virtual disks attached to your VM instances. You retain control of these keys and can audit their use.

Create a Key Vault with New-AzKeyVault. To allow the Key Vault to be used for disk encryption, set the EnabledForDiskEncryption switch; this permits Azure Disk Encryption to retrieve the disk encryption secrets from the vault and unwrap keys. The following example also defines variables for the resource group name, Key Vault name, and location. Key Vault names are globally unique, so provide your own:

$rgName = "myResourceGroup"
$vaultName = "myuniquekeyvault"   # must be globally unique
$location = "ChinaNorth"

New-AzResourceGroup -Name $rgName -Location $location
# -EnabledForDiskEncryption lets Azure Disk Encryption read secrets from this vault
New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $location -EnabledForDiskEncryption

Use an existing Key Vault

This step is only required if you have an existing Key Vault that you wish to use with disk encryption. Skip this step if you created a Key Vault in the previous section.

You can enable an existing Key Vault for disk encryption with Set-AzKeyVaultAccessPolicy. The vault must be in the same subscription and region as the scale set. Define the name of your existing Key Vault in the $vaultName variable as follows:

$vaultName="myexistingkeyvault"
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDiskEncryption
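Whether the vault was just created or already existed, it is worth verifying the two preconditions above before pointing a scale set at it, because a vault in the wrong region or without the disk-encryption flag fails only later, when the extension tries to write its secrets. The following function is an added example and is not code from the original article; it assumes the Az.KeyVault module is installed and that Connect-AzAccount has been run in the subscription that will hold the scale set. It reads only properties that Get-AzKeyVault returns (Location, EnabledForDiskEncryption, VaultUri, ResourceId).

```powershell
# Added example (not from the original article). Assumes Az.KeyVault is installed and
# Connect-AzAccount has run in the subscription that will hold the scale set.
function Test-DiskEncryptionKeyVault {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,   # resource group of the Key Vault
        [Parameter(Mandatory)] [string] $VaultName,           # Key Vault to check
        [Parameter(Mandatory)] [string] $ScaleSetLocation     # region the scale set will use, e.g. "ChinaNorth"
    )

    $vault = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $VaultName -ErrorAction SilentlyContinue
    if (-not $vault) {
        throw "Key Vault '$VaultName' was not found in resource group '$ResourceGroupName' (current subscription)."
    }

    $problems = @()

    # Azure Disk Encryption requires the vault and the VMs it protects to be in the same region.
    # Strip spaces so "China North" and "chinanorth" compare equal (-ne is case-insensitive).
    if (($vault.Location -replace '\s', '') -ne ($ScaleSetLocation -replace '\s', '')) {
        $problems += "Vault is in '$($vault.Location)' but the scale set is in '$ScaleSetLocation'."
    }

    # Without this flag the platform cannot read the disk encryption secrets from the vault.
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += "EnabledForDiskEncryption is not set; run: Set-AzKeyVaultAccessPolicy -VaultName '$VaultName' -EnabledForDiskEncryption"
    }

    if ($problems.Count -gt 0) {
        throw ("Key Vault '$VaultName' is not ready for disk encryption:`n - " + ($problems -join "`n - "))
    }

    # Return exactly the two values Set-AzVmssDiskEncryptionExtension needs.
    [pscustomobject]@{
        VaultName                 = $vault.VaultName
        DiskEncryptionKeyVaultUrl = $vault.VaultUri
        DiskEncryptionKeyVaultId  = $vault.ResourceId
    }
}

# Usage:
# $kv = Test-DiskEncryptionKeyVault -ResourceGroupName $rgName -VaultName $vaultName -ScaleSetLocation $location
# $kv.DiskEncryptionKeyVaultUrl
# $kv.DiskEncryptionKeyVaultId
```

The function throws rather than printing a warning so that a deployment script stops before it creates the scale set against a vault that cannot serve it.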

Create a scale set

First, set an administrator username and password for the VM instances with Get-Credential:

$cred = Get-Credential

Now create a virtual machine scale set with New-AzVmss. To distribute traffic to the individual VM instances, a load balancer is also created. The load balancer includes rules to distribute traffic on TCP port 80, as well as NAT rules that allow remote desktop traffic on TCP port 3389 and PowerShell remoting on TCP port 5985. These management ports are reachable through the load balancer's public IP address, so outside of a test deployment restrict them to trusted source ranges with a network security group or remove the NAT rules:

$vmssName="myScaleSet"

New-AzVmss `
    -ResourceGroupName $rgName `
    -VMScaleSetName $vmssName `
    -Location $location `
    -VirtualNetworkName "myVnet" `
    -SubnetName "mySubnet" `
    -PublicIpAddressName "myPublicIPAddress" `
    -LoadBalancerName "myLoadBalancer" `
    -UpgradePolicy "Automatic" `
    -Credential $cred

Enable encryption

To encrypt VM instances in a scale set, first get the Key Vault URI and resource ID with Get-AzKeyVault. These values are passed to Set-AzVmssDiskEncryptionExtension, which adds the Azure Disk Encryption extension to the scale set model and starts the encryption process. Because the scale set was created with -UpgradePolicy "Automatic", the updated model is rolled out to all instances immediately; with a manual upgrade policy you would have to apply it to each instance with Update-AzVmssInstance:

$diskEncryptionKeyVaultUrl=(Get-AzKeyVault -ResourceGroupName $rgName -Name $vaultName).VaultUri
$keyVaultResourceId=(Get-AzKeyVault -ResourceGroupName $rgName -Name $vaultName).ResourceId

Set-AzVmssDiskEncryptionExtension -ResourceGroupName $rgName -VMScaleSetName $vmssName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -VolumeType "All"

When prompted, type y to continue the disk encryption process on the scale set VM instances.

Enable encryption using a KEK to wrap the key

You can also use a Key Encryption Key (KEK) for added security when encrypting the virtual machine scale set. With a KEK, the disk encryption key generated on each instance is wrapped (encrypted) with an RSA key that you hold in Key Vault before it is written to the vault as a secret. The stored secret is then unusable without access to the KEK, and you can audit and control access to that single key independently of the per-instance secrets. The KEK must already exist in the same vault before you start encryption:

$diskEncryptionKeyVaultUrl = (Get-AzKeyVault -ResourceGroupName $rgName -Name $vaultName).VaultUri
$keyVaultResourceId = (Get-AzKeyVault -ResourceGroupName $rgName -Name $vaultName).ResourceId

# The KEK is an RSA key in the same vault; "myKEK" is an example name.
# Create it (software-protected) only if no key with that name exists yet.
$keyEncryptionKeyName = "myKEK"
if (-not (Get-AzKeyVaultKey -VaultName $vaultName -Name $keyEncryptionKeyName)) {
    Add-AzKeyVaultKey -VaultName $vaultName -Name $keyEncryptionKeyName -Destination Software
}
# .Key.kid is the versioned key URI, which is what KeyEncryptionKeyUrl expects
$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $vaultName -Name $keyEncryptionKeyName).Key.kid

Set-AzVmssDiskEncryptionExtension -ResourceGroupName $rgName -VMScaleSetName $vmssName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -VolumeType "All"

Note

The value of the DiskEncryptionKeyVaultId parameter (and of KeyEncryptionKeyVaultId) is the full resource ID of the Key Vault:
/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]

The value of the KeyEncryptionKeyUrl parameter is the full, versioned URI of the KEK, as in:
https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]

Check encryption progress

To check on the status of disk encryption, use Get-AzVmssDiskEncryption:

Get-AzVmssDiskEncryption -ResourceGroupName $rgName -VMScaleSetName $vmssName

When all VM instances are encrypted, the EncryptionSummary code reports ProvisioningState/succeeded with a Count equal to the number of instances, as shown in the following example output:

ResourceGroupName            : myResourceGroup
VmScaleSetName               : myScaleSet
EncryptionSettings           :
  KeyVaultURL                : https://myuniquekeyvault.vault.azure.cn/
  KeyEncryptionKeyURL        :
  KeyVaultResourceId         : /subscriptions/guid/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myuniquekeyvault
  KekVaultResourceId         :
  KeyEncryptionAlgorithm     :
  VolumeType                 : All
  EncryptionOperation        : EnableEncryption
EncryptionSummary[0]         :
  Code                       : ProvisioningState/succeeded
  Count                      : 2
EncryptionEnabled            : True
EncryptionExtensionInstalled : True
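Encryption of a scale set runs for some time, and a script that continues as soon as Set-AzVmssDiskEncryptionExtension returns will see instances that are still in progress. The following function is an added example, not code from the original article: it polls Get-AzVmssDiskEncryption and returns only once every instance counted in EncryptionSummary reports ProvisioningState/succeeded. It reads only the properties shown in the output above. The assumption that a failed instance surfaces as a summary code containing "failed" is mine, as are the default timeout and polling interval.

```powershell
# Added example (not from the original article). Assumes Az.Compute is installed,
# Connect-AzAccount has run, and Set-AzVmssDiskEncryptionExtension has already been called.
function Wait-VmssDiskEncryption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMScaleSetName,
        [int] $TimeoutMinutes = 60,   # arbitrary default; large scale sets may need longer
        [int] $PollSeconds = 60
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    do {
        $status = Get-AzVmssDiskEncryption -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName

        # EncryptionSummary is a list of {Code, Count} entries, one per distinct per-instance state.
        $summary   = @($status.EncryptionSummary)
        $total     = [int]($summary | Measure-Object -Property Count -Sum).Sum
        $succeeded = [int]($summary |
            Where-Object { $_.Code -eq 'ProvisioningState/succeeded' } |
            Measure-Object -Property Count -Sum).Sum

        # Assumption: a failed instance is reported with a code containing "failed" (-like is case-insensitive).
        $failed = $summary | Where-Object { $_.Code -like '*failed*' }
        if ($failed) {
            $detail = ($failed | ForEach-Object { "$($_.Code) x$($_.Count)" }) -join ', '
            throw "Disk encryption failed on ${VMScaleSetName}: $detail"
        }

        if ($total -gt 0 -and $succeeded -eq $total -and $status.EncryptionEnabled) {
            Write-Verbose "All $total instance(s) of $VMScaleSetName report ProvisioningState/succeeded."
            return $status
        }

        Write-Verbose "$succeeded of $total instance(s) encrypted; waiting $PollSeconds s before the next check."
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    throw "Timed out after $TimeoutMinutes minute(s) waiting for disk encryption on $VMScaleSetName."
}

# Usage:
# Wait-VmssDiskEncryption -ResourceGroupName $rgName -VMScaleSetName $vmssName -Verbose
```

Returning the final status object rather than a boolean lets the caller record KeyVaultURL, KeyEncryptionKeyURL and the instance counts alongside the deployment, which is the evidence an auditor will ask for.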

Disable encryption

If you no longer wish to use encrypted VM instance disks, you can disable encryption with Disable-AzVmssDiskEncryption as follows. This removes encryption from the instance disks, so treat it as a deliberate change and not as a troubleshooting step:

Disable-AzVmssDiskEncryption -ResourceGroupName $rgName -VMScaleSetName $vmssName

Next steps