Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks

Azure Disk Storage allows you to manage your own keys when using server-side encryption (SSE) for managed disks, if you choose. For conceptual information on SSE with customer-managed keys, as well as other managed disk encryption types, see the Customer-managed keys section of our disk encryption article.

Restrictions

For now, customer-managed keys have the following restrictions:

  • If this feature is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data to an entirely different managed disk that isn't using customer-managed keys.

  • Only software keys of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported; no other key types or sizes.

  • Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.

  • Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.

  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.

  • Disks, snapshots, and images encrypted with customer-managed keys cannot be moved to another resource group or subscription.

  • Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.

  • You can create at most 1,000 disk encryption sets per region per subscription.

The following sections cover how to enable and use customer-managed keys for managed disks.

If you are doing this for the first time, setting up customer-managed keys for your disks requires you to create resources in a particular order. First, you need to create and set up an Azure Key Vault.

Set up your Azure Key Vault

  1. Sign in to the Azure portal.

  2. Search for and select Key Vaults.

    Screenshot of searching for Key Vaults in the Azure portal (server-side-encryption-key-vault-portal-search.png).

    Important

    Your Azure Key Vault, disk encryption set, VM, disks, and snapshots must all be in the same region and subscription for deployment to succeed.

  3. Select +Add to create a new Key Vault.

  4. Create a new resource group.

  5. Enter a key vault name, select a region, and select a pricing tier.

    Note

    When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 days by default). Purge protection ensures that a deleted key cannot be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.

  6. Select Review + Create, verify your choices, then select Create.

    Screenshot of the Azure Key Vault creation experience, showing the specific values being created.

  7. Once your key vault finishes deploying, select it.

  8. Select Keys under Settings.

  9. Select Generate/Import.

    Screenshot of the Key Vault resource settings pane, showing the Generate/Import button under Settings.

  10. Leave both Key Type set to RSA and RSA Key Size set to 2048.

  11. Fill in the remaining selections as you like and then select Create.

    Screenshot of the Create a key blade that appears after selecting the Generate/Import button.

Set up your disk encryption set

  1. Search for Disk Encryption Sets and select it.

  2. On the Disk Encryption Sets blade, select +Add.

    Screenshot of the disk encryption portal main screen, highlighting the Add button.

  3. Select your resource group, name your encryption set, and select the same region as your key vault.

  4. For Encryption type, select Encryption at-rest with a customer-managed key.

    Note

    Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.

  5. Select Click to select a key.

  6. Select the key vault and key you created previously, as well as the version.

  7. Press Select.

  8. Select Review + Create and then Create.

    Screenshot of the disk encryption creation blade, showing subscription, resource group, disk encryption set name, region, and the key vault + key selector.

  9. Open the disk encryption set once it finishes creating and select the alert that pops up.

    Screenshot of the alert pop-up: "To associate a disk, image, or snapshot with a disk encryption set, you must grant permissions to the key vault". Select this alert to continue.

    Two notifications should pop up and succeed. This allows you to use the disk encryption set with your key vault.

    Screenshot of the successful permission and role assignment for the key vault.

Deploy a VM

Now that you've created and set up your key vault and the disk encryption set, you can deploy a VM using the encryption. The VM deployment process is similar to the standard deployment process; the only differences are that you need to deploy the VM in the same region as your other resources and you opt to use a customer-managed key.

  1. Search for Virtual Machines and select + Add to create a VM.

  2. On the Basics blade, select the same region as your disk encryption set and Azure Key Vault.

  3. Fill in the other values on the Basics blade as you like.

    Screenshot of the VM creation experience, with the region value highlighted.

  4. On the Disks blade, select Encryption at rest with a customer-managed key.

  5. Select your disk encryption set in the Disk encryption set drop-down.

  6. Make the remaining selections as you like.

    Screenshot of the VM creation experience (Disks blade), with the Disk encryption set drop-down highlighted.

Enable on an existing disk

Caution

Enabling disk encryption on any disks attached to a VM requires that you stop the VM.

  1. Navigate to a VM that is in the same region as one of your disk encryption sets.

  2. Open the VM and select Stop.

    Screenshot of the main overview of the example VM, with the Stop button highlighted.

  3. After the VM has finished stopping, select Disks and then select the disk you want to encrypt.

    Screenshot of the example VM with the Disks blade open. The OS disk is highlighted as the example disk to select.

  4. Select Encryption, select Encryption at rest with a customer-managed key, and then select your disk encryption set in the drop-down list.

  5. Select Save.

    Screenshot of the example OS disk. The Encryption blade is open, Encryption at rest with a customer-managed key is selected, along with the example Azure Key Vault. After these selections, the Save button is selected.

  6. Repeat this process for any other disks attached to the VM you'd like to encrypt.

  7. When your disks finish switching over to customer-managed keys, and there are no other attached disks you'd like to encrypt, you may start your VM.
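The whole portal flow above (Key Vault with soft delete and purge protection, RSA key, disk encryption set and its key vault permission grant, VM deployment, and switching an existing disk), together with the restrictions listed at the top of the article, as an added Azure CLI example. This script is not part of this article and is not Microsoft's code; the resource names, region and image alias are placeholder assumptions, the vault is assumed to use the access-policy permission model (not RBAC) so that the policy grant mirrors what the portal's alert does, and `AZ=echo` is a dry-run switch that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the article): the portal walkthrough as an Azure CLI script,
# with the article's restrictions checked up front. All resource names are placeholders.
# AZ defaults to the real CLI; set AZ=echo to dry-run the commands without an Azure login.
set -eu

AZ="${AZ:-az}"
RG="${RG:-cmk-demo-rg}"                 # placeholder resource group
LOCATION="${LOCATION:-westus2}"          # one region for vault, DES, VM and disks
KV_NAME="${KV_NAME:-cmkdemokv}"          # placeholder vault name (must be globally unique)
KEY_NAME="${KEY_NAME:-cmk-disk-key}"
KEY_SIZE="${KEY_SIZE:-2048}"
DES_NAME="${DES_NAME:-cmk-demo-des}"
VM_NAME="${VM_NAME:-cmk-demo-vm}"
IMAGE="${IMAGE:-Ubuntu2204}"             # assumed CLI image alias; any marketplace URN works
DISK="${DISK:-}"                         # optional: name of an existing disk to switch over

# Restriction: only RSA software keys of 2048, 3072 or 4096 bits are accepted.
check_key_size() {
  case "$1" in
    2048|3072|4096) return 0 ;;
    *) echo "unsupported RSA key size: $1 (use 2048, 3072 or 4096)" >&2; return 1 ;;
  esac
}

# Restriction: vault, disk encryption set, VM, disks and snapshots share one region.
# $1 is the reference region; every further argument must equal it.
check_same_region() {
  expected="$1"; shift
  for r in "$@"; do
    [ "$r" = "$expected" ] || { echo "region mismatch: $r != $expected" >&2; return 1; }
  done
  return 0
}

# Step 1: the vault. Purge protection is mandatory for managed-disk CMK; soft delete is
# enabled by default for new vaults in current CLI versions. Access policies are used so
# that the set-policy call below matches the permission grant the portal performs.
create_key_vault() {
  $AZ keyvault create --name "$KV_NAME" --resource-group "$RG" --location "$LOCATION" \
    --enable-purge-protection true --enable-rbac-authorization false
}

# Step 2: the RSA software key. Prints the versioned key URL the encryption set references.
create_key() {
  check_key_size "$KEY_SIZE"
  $AZ keyvault key create --vault-name "$KV_NAME" --name "$KEY_NAME" \
    --protection software --kty RSA --size "$KEY_SIZE" --query key.kid -o tsv
}

# Step 3: the disk encryption set bound to that key, then wrapKey/unwrapKey/get for its
# system-assigned identity on the vault (what selecting the portal's alert in step 9 does).
create_des() {
  key_url="$1"
  $AZ disk-encryption-set create --name "$DES_NAME" --resource-group "$RG" \
    --location "$LOCATION" --source-vault "$KV_NAME" --key-url "$key_url"
  principal=$($AZ disk-encryption-set show --name "$DES_NAME" --resource-group "$RG" \
    --query identity.principalId -o tsv)
  $AZ keyvault set-policy --name "$KV_NAME" --object-id "$principal" \
    --key-permissions wrapkey unwrapkey get
}

# Step 4: a new VM whose OS disk is encrypted at rest with the disk encryption set.
create_vm() {
  $AZ vm create --name "$VM_NAME" --resource-group "$RG" --location "$LOCATION" \
    --image "$IMAGE" --admin-username azureuser --generate-ssh-keys \
    --os-disk-encryption-set "$DES_NAME"
}

# Step 5: move an existing attached disk to the customer-managed key. The VM must be
# deallocated first, and the disk must sit in the same region as the encryption set.
encrypt_existing_disk() {
  disk="$1"
  disk_region=$($AZ disk show --name "$disk" --resource-group "$RG" --query location -o tsv)
  des_region=$($AZ disk-encryption-set show --name "$DES_NAME" --resource-group "$RG" \
    --query location -o tsv)
  check_same_region "$des_region" "$disk_region"
  $AZ vm deallocate --name "$VM_NAME" --resource-group "$RG"
  $AZ disk update --name "$disk" --resource-group "$RG" --disk-encryption-set "$DES_NAME"
  $AZ vm start --name "$VM_NAME" --resource-group "$RG"
}

main() {
  create_key_vault
  key_url=$(create_key)
  create_des "$key_url"
  create_vm
  if [ -n "$DISK" ]; then encrypt_existing_disk "$DISK"; fi
}

# Run only when explicitly asked, so the functions can be sourced or dry-run safely.
if [ "${CMK_RUN:-0}" = 1 ]; then main; fi
```

Run `CMK_RUN=1 AZ=echo sh cmk-setup.sh` to see the creation path's commands without touching a subscription; the existing-disk path needs real `az` output for the region comparison. Keep the vault's purge protection on: once a disk encryption set points at a key, losing that key makes every disk encrypted with it unreadable, which is exactly the scenario the Note about soft delete and purge protection guards against.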

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.

Next steps