Azure Disk Encryption for Linux (Microsoft.Azure.Security.AzureDiskEncryptionForLinux)

Overview

Azure Disk Encryption leverages the dm-crypt subsystem in Linux to provide full disk encryption on select Azure Linux distributions. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets.

Prerequisites

For a full list of prerequisites, see Azure Disk Encryption for Linux VMs, specifically the following sections:

Extension schemata

There are two schemata for Azure Disk Encryption: v1.1, a newer, recommended schema that does not use Azure Active Directory (AAD) properties, and v0.1, an older schema that requires AAD properties. You must use the schema version corresponding to the extension you are using: schema v1.1 for the AzureDiskEncryptionForLinux extension version 1.1, schema v0.1 for the AzureDiskEncryptionForLinux extension version 0.1.

The v1.1 schema is recommended and does not require Azure Active Directory properties.

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2015-06-15",
  "location": "[location]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "settings": {
      "DiskFormatQuery": "[diskFormatQuery]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultURL": "[keyVaultURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    },
    "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "[extensionVersion]"
  }
}

Schema v0.1: with AAD

The 0.1 schema requires aadClientID and either aadClientSecret or AADClientCertificate.

Using aadClientSecret:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2015-06-15",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientSecret": "[aadClientSecret]",
      "Passphrase": "[passphrase]"
    },
    "publisher": "Microsoft.Azure.Security",
    "settings": {
      "AADClientID": "[aadClientID]",
      "DiskFormatQuery": "[diskFormatQuery]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultURL": "[keyVaultURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    },
    "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "[extensionVersion]"
  }
}

Using AADClientCertificate:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2015-06-15",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientCertificate": "[aadClientCertificate]",
      "Passphrase": "[passphrase]"
    },
    "publisher": "Microsoft.Azure.Security",
    "settings": {
      "AADClientID": "[aadClientID]",
      "DiskFormatQuery": "[diskFormatQuery]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultURL": "[keyVaultURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    },
    "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "[extensionVersion]"
  }
}

Property values

Name                                 Value / Example                                  Data Type
apiVersion                           2015-06-15                                       date
publisher                            Microsoft.Azure.Security                         string
type                                 AzureDiskEncryptionForLinux                      string
typeHandlerVersion                   0.1, 1.1                                         int
(0.1 schema) AADClientID             xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx             guid
(0.1 schema) AADClientSecret         password                                         string
(0.1 schema) AADClientCertificate    thumbprint                                       string
DiskFormatQuery                      {"dev_path":"","name":"","file_system":""}       JSON dictionary
EncryptionOperation                  EnableEncryption, EnableEncryptionFormatAll      string
KeyEncryptionAlgorithm               'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'             string
KeyEncryptionKeyURL                  url                                              string
(optional) KeyVaultURL               url                                              string
Passphrase                           password                                         string
SequenceVersion                      uniqueidentifier                                 string
VolumeType                           OS, Data, All                                    string
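As an added example (not code from the Azure documentation or from the extension itself), the following Python pre-deployment check applies the schema rules described above to an extension resource: v1.1 must carry no AAD properties, v0.1 needs AADClientID plus AADClientSecret or AADClientCertificate, secrets stay in protectedSettings rather than plain settings, and the enumerated settings must take the values listed in the property table. The sample resource, its placeholder URLs and the rule set are this example's own constructions.

```python
ALLOWED = {
    "EncryptionOperation": {"EnableEncryption", "EnableEncryptionFormatAll"},
    "KeyEncryptionAlgorithm": {"RSA-OAEP", "RSA-OAEP-256", "RSA1_5"},
    "VolumeType": {"OS", "Data", "All"},
}
AAD_KEYS = {"AADClientID", "AADClientSecret", "AADClientCertificate"}


def check_ade_extension(resource):
    """Return a list of problems; an empty list means the resource fits the schema rules."""
    props = resource.get("properties", {})
    settings = props.get("settings", {})
    protected = props.get("protectedSettings", {})
    version = str(props.get("typeHandlerVersion", ""))
    problems = []
    if props.get("publisher") != "Microsoft.Azure.Security" or \
            props.get("type") != "AzureDiskEncryptionForLinux":
        problems.append("publisher/type must be Microsoft.Azure.Security/AzureDiskEncryptionForLinux")
    for key, allowed in ALLOWED.items():
        if settings.get(key) not in allowed:
            problems.append(f"{key} must be one of {sorted(allowed)}")
    for key in ("KeyEncryptionKeyURL", "SequenceVersion"):
        if not settings.get(key):
            problems.append(f"{key} is missing from settings")
    # Secrets belong in protectedSettings; plain settings are readable from the deployment.
    for key in ("AADClientSecret", "AADClientCertificate", "Passphrase"):
        if key in settings:
            problems.append(f"{key} must be in protectedSettings, not settings")
    if version == "1.1":
        # v1.1 (recommended) carries no AAD properties at all.
        if AAD_KEYS & (set(settings) | set(protected)):
            problems.append("schema v1.1 must not contain AAD properties")
    elif version == "0.1":
        # v0.1 needs AADClientID plus AADClientSecret or AADClientCertificate.
        if "AADClientID" not in settings:
            problems.append("schema v0.1 requires AADClientID in settings")
        if not {"AADClientSecret", "AADClientCertificate"} & set(protected):
            problems.append("schema v0.1 requires AADClientSecret or AADClientCertificate")
    else:
        problems.append("typeHandlerVersion must be 0.1 or 1.1")
    return problems


# Constructed sample resource (placeholder URLs) using schema v1.1.
SAMPLE_V11 = {"apiVersion": "2015-06-15", "properties": {
    "publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "1.1", "settings": {
        "EncryptionOperation": "EnableEncryption", "KeyEncryptionAlgorithm": "RSA-OAEP",
        "KeyEncryptionKeyURL": "https://example-kv.vault.example/keys/kek/v1",
        "SequenceVersion": "1", "VolumeType": "All"}}}
```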

Template deployment

For an example of template deployment, see Enable Encryption on a running Linux VM.

Note

Templates downloaded or referenced from the GitHub repo "azure-quickstart-templates" must be modified to fit the Azure China Cloud environment. For example, replace some endpoints ("blob.core.windows.net" with "blob.core.chinacloudapi.cn", "cloudapp.azure.com" with "chinacloudapp.cn"), and change unsupported VM images, VM sizes, SKUs and resource-provider API versions where necessary.

Azure CLI deployment

Instructions can be found in the latest Azure CLI documentation.

Troubleshoot and support

Support

If you need more help at any point in this article, you can contact the Azure experts on Azure support. Alternatively, you can file an Azure support incident: go to the Azure support site and submit your request. For information about using Azure support, read the Azure support FAQ.

Next steps

For more information about VM extensions, see Virtual machine extensions and features for Linux.