Azure Disk Encryption for Linux (Microsoft.Azure.Security.AzureDiskEncryptionForLinux)

Overview

Azure Disk Encryption leverages the dm-crypt subsystem in Linux to provide full disk encryption on select Azure Linux distributions. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets.

Prerequisites

For a full list of prerequisites, see Azure Disk Encryption for Linux VMs, specifically the following sections:

Extension Schema

There are two versions of the extension schema for Azure Disk Encryption (ADE):

  • v1.1 - A newer, recommended schema that does not use Azure Active Directory (AAD) properties.
  • v0.1 - An older schema that requires Azure Active Directory (AAD) properties.

To select a target schema, set the typeHandlerVersion property to the version of the schema you want to use.

The v1.1 schema is recommended and does not require Azure Active Directory (AAD) properties.

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "AzureDiskEncryptionForLinux",
        "typeHandlerVersion": "1.1",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "DiskFormatQuery": "[diskFormatQuery]",
          "EncryptionOperation": "[encryptionOperation]",
          "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
          "KeyVaultURL": "[keyVaultURL]",
          "KeyVaultResourceId": "[KeyVaultResourceId]",
          "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
          "KekVaultResourceId": "[KekVaultResourceId]",
          "SequenceVersion": "[sequenceVersion]",
          "VolumeType": "[volumeType]"
        }
  }
}

Schema v0.1: with AAD

The 0.1 schema requires AADClientID and either AADClientSecret or AADClientCertificate.

Using AADClientSecret:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientSecret": "[aadClientSecret]",
      "Passphrase": "[passphrase]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "0.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "DiskFormatQuery": "[diskFormatQuery]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultURL": "[keyVaultURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Using AADClientCertificate:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientCertificate": "[aadClientCertificate]",
      "Passphrase": "[passphrase]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "0.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "DiskFormatQuery": "[diskFormatQuery]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultURL": "[keyVaultURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Property values

| Name | Value / Example | Data Type |
|---|---|---|
| apiVersion | 2019-07-01 | date |
| publisher | Microsoft.Azure.Security | string |
| type | AzureDiskEncryptionForLinux | string |
| typeHandlerVersion | 1.1, 0.1 | int |
| (0.1 schema) AADClientID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | guid |
| (0.1 schema) AADClientSecret | password | string |
| (0.1 schema) AADClientCertificate | thumbprint | string |
| (optional) (0.1 schema) Passphrase | password | string |
| DiskFormatQuery | {"dev_path":"","name":"","file_system":""} | JSON dictionary |
| EncryptionOperation | EnableEncryption, EnableEncryptionFormatAll | string |
| (optional - default RSA-OAEP) KeyEncryptionAlgorithm | 'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5' | string |
| KeyVaultURL | url | string |
| KeyVaultResourceId | url | string |
| (optional) KeyEncryptionKeyURL | url | string |
| (optional) KekVaultResourceId | url | string |
| (optional) SequenceVersion | uniqueidentifier | string |
| VolumeType | OS, Data, All | string |

Template deployment

For an example of template deployment based on schema v1.1, see the Azure Quickstart Template 201-encrypt-running-linux-vm-without-aad.

For an example of template deployment based on schema v0.1, see the Azure Quickstart Template 201-encrypt-running-linux-vm.
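Before deploying either template, it is worth checking the extension resource against the rules this page states: v1.1 must carry no AAD properties, v0.1 needs AADClientID plus a secret or certificate, secrets go in protectedSettings rather than settings, and the enumerated values must match the property table. The following validator is an added example written from those rules, not Microsoft's tooling; the SAMPLE_V11 resource is constructed with this page's placeholder values.

```python
# Added pre-deployment check for an AzureDiskEncryptionForLinux extension resource, written from
# the v1.1 / v0.1 schema rules and the property table on this page; it is not Microsoft tooling.
VOLUME_TYPES = {"OS", "Data", "All"}
OPERATIONS = {"EnableEncryption", "EnableEncryptionFormatAll"}
KEK_ALGORITHMS = {"RSA-OAEP", "RSA-OAEP-256", "RSA1_5"}
SECRET_KEYS = {"AADClientSecret", "AADClientCertificate", "Passphrase"}
AAD_KEYS = {"AADClientID", "AADClientSecret", "AADClientCertificate"}

def validate_ade_extension(resource: dict) -> list:
    """Return the schema problems found; an empty list means the resource passes."""
    problems = []
    props = resource.get("properties", {})
    settings = props.get("settings", {})
    protected = props.get("protectedSettings", {})
    version = str(props.get("typeHandlerVersion", ""))
    if (props.get("publisher"), props.get("type")) != ("Microsoft.Azure.Security", "AzureDiskEncryptionForLinux"):
        problems.append("publisher/type must be Microsoft.Azure.Security/AzureDiskEncryptionForLinux")
    # Settings both sample schemas on this page carry, plus the value lists from the property table.
    for key in ("EncryptionOperation", "KeyVaultURL", "VolumeType"):
        if key not in settings:
            problems.append(f"settings.{key} is required")
    if settings.get("EncryptionOperation", "EnableEncryption") not in OPERATIONS:
        problems.append("EncryptionOperation must be EnableEncryption or EnableEncryptionFormatAll")
    if settings.get("VolumeType", "All") not in VOLUME_TYPES:
        problems.append("VolumeType must be OS, Data or All")
    if settings.get("KeyEncryptionAlgorithm", "RSA-OAEP") not in KEK_ALGORITHMS:  # default is RSA-OAEP
        problems.append("KeyEncryptionAlgorithm must be RSA-OAEP, RSA-OAEP-256 or RSA1_5")
    # Secrets belong in protectedSettings, which ARM does not return on read; plain settings are returned.
    for key in sorted(SECRET_KEYS & set(settings)):
        problems.append(f"{key} must be in protectedSettings, not settings")
    if version == "1.1":
        if "KeyVaultResourceId" not in settings:
            problems.append("v1.1 requires settings.KeyVaultResourceId")
        if "KeyEncryptionKeyURL" in settings and "KekVaultResourceId" not in settings:
            problems.append("v1.1 requires KekVaultResourceId alongside KeyEncryptionKeyURL")
        for key in sorted(AAD_KEYS & (set(settings) | set(protected))):
            problems.append(f"v1.1 schema does not use AAD property {key}")
    elif version == "0.1":
        if "AADClientID" not in settings:
            problems.append("v0.1 requires settings.AADClientID")
        if not {"AADClientSecret", "AADClientCertificate"} & set(protected):
            problems.append("v0.1 requires AADClientSecret or AADClientCertificate in protectedSettings")
    else:
        problems.append("typeHandlerVersion must be 1.1 or 0.1")
    return problems

SAMPLE_V11 = {"type": "extensions", "properties": {  # constructed; placeholder values as on this page
    "publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "1.1", "settings": {"EncryptionOperation": "EnableEncryption",
    "KeyVaultURL": "[keyVaultURL]", "KeyVaultResourceId": "[KeyVaultResourceId]", "VolumeType": "All"}}}
```

Run `validate_ade_extension` over the extension object from your template (after parameter substitution) and treat any returned string as a blocker; the checks for secrets in plain settings and for stray AAD properties in a v1.1 resource are the two that most often slip through review.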

Warning

  • If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue to use this option to encrypt your VM.
  • When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend avoiding SSH logins while encryption is in progress, to avoid problems with open files that must be accessed during the encryption process. To check progress, use the Get-AzVMDiskEncryptionStatus PowerShell cmdlet or the vm encryption show CLI command. This process can be expected to take a few hours for a 30GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time will be proportional to the size and quantity of the data volumes unless the encrypt format all option is used.
  • Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted.

Note

Also, if the VolumeType parameter is set to All, data disks will be encrypted only if they are properly mounted.

Troubleshoot and support

Troubleshoot

For troubleshooting, refer to the Azure Disk Encryption troubleshooting guide.

Support

If you need more help at any point in this article, you can contact the Azure experts on Azure support.

Alternatively, you can file an Azure support incident. Go to [Azure support](https://www.azure.cn/support/contact/). For information about using Azure Support, read the Azure Support FAQ.

Next steps