Azure Disk Encryption for Windows (Microsoft.Azure.Security.AzureDiskEncryption)

Overview

Azure Disk Encryption leverages BitLocker to provide full disk encryption on Azure virtual machines running Windows. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets in your key vault subscription.

Prerequisites

For a full list of prerequisites, see Azure Disk Encryption for Windows VMs, specifically the following sections:

Extension Schema

There are two versions of the extension schema for Azure Disk Encryption (ADE):

  • v2.2 - A newer, recommended schema that does not use Azure Active Directory (AAD) properties.
  • v1.1 - An older schema that requires Azure Active Directory (AAD) properties.

To select a target schema, set the typeHandlerVersion property to the version of the schema you want to use.

The v2.2 schema is recommended for all new VMs and does not require Azure Active Directory properties.

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "2.2",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyVaultURL": "[keyVaultURL]",
      "KekVaultResourceId": "[keyVaultResourceID]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultResourceId": "[keyVaultResourceID]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Schema v1.1: with AAD

The 1.1 schema requires AADClientID and either AADClientSecret or AADClientCertificate, and is not recommended for new VMs.

Using AADClientSecret:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientSecret": "[aadClientSecret]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "1.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyVaultURL": "[keyVaultURL]",
      "KeyVaultResourceId": "[keyVaultResourceID]",
      "KekVaultResourceId": "[keyVaultResourceID]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Using AADClientCertificate:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientCertificate": "[aadClientCertificate]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "1.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyVaultURL": "[keyVaultURL]",
      "KeyVaultResourceId": "[keyVaultResourceID]",
      "KekVaultResourceId": "[keyVaultResourceID]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Property values

| Name                                                   | Value / Example                              | Data Type |
|--------------------------------------------------------|----------------------------------------------|-----------|
| apiVersion                                             | 2019-07-01                                   | date      |
| publisher                                              | Microsoft.Azure.Security                     | string    |
| type                                                   | AzureDiskEncryption                          | string    |
| typeHandlerVersion                                     | 2.2, 1.1                                     | string    |
| (1.1 schema) AADClientID                               | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx         | guid      |
| (1.1 schema) AADClientSecret                           | password                                     | string    |
| (1.1 schema) AADClientCertificate                      | thumbprint                                   | string    |
| EncryptionOperation                                    | EnableEncryption, EnableEncryptionFormatAll  | string    |
| (optional - default RSA-OAEP) KeyEncryptionAlgorithm   | 'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'         | string    |
| KeyVaultURL                                            | url                                          | string    |
| KeyVaultResourceId                                     | url                                          | string    |
| (optional) KeyEncryptionKeyURL                         | url                                          | string    |
| (optional) KekVaultResourceId                          | url                                          | string    |
| (optional) SequenceVersion                             | uniqueidentifier                             | string    |
| VolumeType                                             | OS, Data, All                                | string    |
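The schema section and the property table above together define what a well-formed extension block looks like: typeHandlerVersion selects v2.2 (no AAD properties) or v1.1 (AADClientID plus exactly one credential in protectedSettings), and each setting has a documented set of allowed values. The following validator is an added example, not Microsoft's code, that applies those rules to an extension resource before it is deployed. It also catches placeholders left over from the template and a credential placed in settings instead of protectedSettings. The sample vault name, resource id and key URL are constructed; the rule that KeyEncryptionKeyURL and KekVaultResourceId must be set together is an assumption not stated in the table.

```python
"""Static checks for an Azure Disk Encryption (ADE) extension resource block.

Added example written against the schema and property table above; it is not
Microsoft's code. Sample ids, vault names and secrets below are constructed.
"""
import copy
import re

ALLOWED_OPERATIONS = {"EnableEncryption", "EnableEncryptionFormatAll"}
ALLOWED_ALGORITHMS = {"RSA-OAEP", "RSA-OAEP-256", "RSA1_5"}
ALLOWED_VOLUME_TYPES = {"OS", "Data", "All"}
AAD_SETTING_KEYS = {"AADClientID"}
AAD_PROTECTED_KEYS = {"AADClientSecret", "AADClientCertificate"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_ade_extension(resource: dict) -> list:
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    props = resource.get("properties", {})
    settings = props.get("settings", {})
    protected = props.get("protectedSettings", {})

    if props.get("publisher") != "Microsoft.Azure.Security":
        problems.append("publisher must be Microsoft.Azure.Security")
    if props.get("type") != "AzureDiskEncryption":
        problems.append("type must be AzureDiskEncryption")

    version = props.get("typeHandlerVersion")
    if version == "2.2":
        # v2.2 does not use AAD properties; their presence usually means the template
        # was copied from a 1.1 deployment and a credential is being shipped for nothing.
        leaked = AAD_SETTING_KEYS.intersection(settings) | AAD_PROTECTED_KEYS.intersection(protected)
        for key in sorted(leaked):
            problems.append(f"{key} is an AAD property and is not used by schema v2.2")
    elif version == "1.1":
        if not GUID_RE.match(settings.get("AADClientID", "")):
            problems.append("schema v1.1 requires AADClientID to be a GUID")
        if len(AAD_PROTECTED_KEYS.intersection(protected)) != 1:
            problems.append("schema v1.1 requires exactly one of AADClientSecret or "
                            "AADClientCertificate in protectedSettings")
        # settings is stored and returned in plain text; credentials belong in protectedSettings
        for key in sorted(AAD_PROTECTED_KEYS.intersection(settings)):
            problems.append(f"{key} must be in protectedSettings, not settings")
    else:
        problems.append(f"typeHandlerVersion must be '2.2' or '1.1', got {version!r}")

    if settings.get("EncryptionOperation") not in ALLOWED_OPERATIONS:
        problems.append("EncryptionOperation must be EnableEncryption or EnableEncryptionFormatAll")
    # KeyEncryptionAlgorithm is optional; the table documents RSA-OAEP as the default
    algorithm = settings.get("KeyEncryptionAlgorithm", "RSA-OAEP")
    if algorithm not in ALLOWED_ALGORITHMS:
        problems.append(f"KeyEncryptionAlgorithm {algorithm!r} is not one of {sorted(ALLOWED_ALGORITHMS)}")
    if settings.get("VolumeType") not in ALLOWED_VOLUME_TYPES:
        problems.append("VolumeType must be OS, Data or All")
    for key in ("KeyVaultURL", "KeyVaultResourceId"):
        if not settings.get(key):
            problems.append(f"{key} is required")
    # Assumption (not stated in the table): a key encryption key is identified by both
    # its URL and the resource id of the vault holding it, so the two must be set together.
    if bool(settings.get("KeyEncryptionKeyURL")) != bool(settings.get("KekVaultResourceId")):
        problems.append("KeyEncryptionKeyURL and KekVaultResourceId must be set together")
    # A placeholder left over from the template must never reach deployment
    for key, value in list(settings.items()) + list(protected.items()):
        if isinstance(value, str) and ("[" in value or "]" in value):
            problems.append(f"{key} still contains a template placeholder: {value}")
    return problems


def with_setting(resource: dict, key: str, value: str, protected: bool = False) -> dict:
    """Return a deep copy of resource with one setting (or protectedSetting) added."""
    clone = copy.deepcopy(resource)
    bucket = "protectedSettings" if protected else "settings"
    clone["properties"].setdefault(bucket, {})[key] = value
    return clone


# Constructed sample: the v2.2 block above with its placeholders filled in (fake ids)
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ade-rg"
            "/providers/Microsoft.KeyVault/vaults/example-ade-kv")
SAMPLE_V22 = {
    "type": "extensions",
    "name": "AzureDiskEncryption",
    "apiVersion": "2019-07-01",
    "location": "eastus",
    "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "AzureDiskEncryption",
        "typeHandlerVersion": "2.2",
        "autoUpgradeMinorVersion": True,
        "settings": {
            "EncryptionOperation": "EnableEncryption",
            "KeyEncryptionAlgorithm": "RSA-OAEP",
            "KeyVaultURL": "https://example-ade-kv.vault.azure.net/",
            "KeyVaultResourceId": VAULT_ID,
            "KeyEncryptionKeyURL": "https://example-ade-kv.vault.azure.net/keys/ade-kek/0123456789abcdef",
            "KekVaultResourceId": VAULT_ID,
            "VolumeType": "All",
        },
    },
}

if __name__ == "__main__":
    for label, block in [("v2.2", SAMPLE_V22),
                         ("v2.2 + stray AADClientID", with_setting(SAMPLE_V22, "AADClientID", "x"))]:
        print(label, validate_ade_extension(block) or "OK")
```

Run it against the resource object parsed from your template (for example, with json.load) before submitting the deployment; the v1.1 checks are the ones most worth keeping, since a client secret that lands in settings rather than protectedSettings is readable by anyone who can read the VM's extension properties.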

Template deployment

For an example of template deployment based on schema v2.2, see Azure QuickStart Template 201-encrypt-running-windows-vm-without-aad.

For an example of template deployment based on schema v1.1, see Azure QuickStart Template 201-encrypt-running-windows-vm.

Note

Also, if the VolumeType parameter is set to All, data disks will be encrypted only if they are properly formatted.

Troubleshoot and support

Troubleshoot

For troubleshooting, refer to the Azure Disk Encryption troubleshooting guide.

Support

If you need more help at any point in this article, you can contact the Azure experts through Azure support.

Alternatively, you can file an Azure support incident. Go to the Azure support site and submit your request. For information about using Azure Support, read the Azure support FAQ.

Next steps