Server-side encryption of Azure managed disks

Azure managed disks automatically encrypt your data by default when persisting it to the cloud. Server-side encryption (SSE) protects your data and helps you meet your organizational security and compliance commitments.

Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.

Encryption does not impact the performance of managed disks, and there is no additional cost for the encryption.

Note

Temporary disks are not managed disks and are not encrypted by SSE; for more information on temporary disks, see Managed disks overview: disk roles.

About encryption key management

You can rely on platform-managed keys for the encryption of your managed disk, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

The following sections describe each of the options for key management in greater detail.

Platform-managed keys

By default, managed disks use platform-managed encryption keys. As of June 10, 2017, all new managed disks, snapshots, images, and new data written to existing managed disks are automatically encrypted at rest with platform-managed keys.

Customer-managed keys

You can choose to manage encryption at the level of each managed disk, with your own keys. Server-side encryption for managed disks with customer-managed keys offers an integrated experience with Azure Key Vault.

Azure managed disks handle the encryption and decryption in a fully transparent fashion using envelope encryption. The service encrypts data using an AES-256 based data encryption key (DEK), which is, in turn, protected using your keys. The Storage service generates the data encryption keys and encrypts them with your customer-managed keys using RSA encryption. Envelope encryption allows you to rotate (change) your keys periodically, as your compliance policies require, without impacting your VMs: when you rotate your keys, the Storage service re-encrypts only the data encryption keys with the new customer-managed key, and the disk data itself is not re-encrypted.
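To make the envelope-encryption properties described above concrete, here is an added illustration (not Azure's code, and not using Azure's cryptographic modules): a stand-in vault that only wraps and unwraps a per-disk DEK, a stand-in disk that stores ciphertext plus the wrapped DEK, and a rotation step that re-wraps the DEK without touching the ciphertext. The `KeyVault` and `ManagedDisk` classes are hypothetical, and the SHA-256 keystream cipher used for both the data and the wrap is a standard-library stand-in for the AES-256 and RSA operations the page names, so that the block runs without third-party packages.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES-256 in a counter mode (SHA-256 keystream XOR).
    It exists only so the block runs with the standard library; it is not AES."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyVault:
    """Hypothetical stand-in for Azure Key Vault: holds the customer-managed keys
    (KEKs) and exposes only wrap/unwrap, never the key bytes (mirrors the
    wrapkey/unwrapkey permissions the page grants to the DiskEncryptionSet)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._enabled: dict[str, bool] = {}

    def create_key(self, name: str) -> str:
        self._keys[name] = secrets.token_bytes(32)
        self._enabled[name] = True
        return name

    def disable_key(self, name: str) -> None:
        self._enabled[name] = False

    def wrap(self, name: str, dek: bytes) -> bytes:
        self._check(name)
        nonce = secrets.token_bytes(16)
        body = _keystream_xor(self._keys[name], nonce, dek)
        tag = hmac.new(self._keys[name], nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unwrap(self, name: str, blob: bytes) -> bytes:
        self._check(name)
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._keys[name], nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped DEK failed its integrity check")
        return _keystream_xor(self._keys[name], nonce, body)

    def _check(self, name: str) -> None:
        # A disabled or missing key refuses every wrap/unwrap, which is what
        # makes the disk unreadable after the key is disabled.
        if name not in self._keys or not self._enabled[name]:
            raise PermissionError(f"key {name!r} is disabled or missing")


class ManagedDisk:
    """Hypothetical stand-in for the Storage service side of a managed disk:
    data is encrypted with a per-disk DEK, and only the wrapped DEK is stored."""

    def __init__(self, vault: KeyVault, key_name: str) -> None:
        self.vault = vault
        self.key_name = key_name
        self.nonce = b""
        self.ciphertext = b""
        dek = secrets.token_bytes(32)  # DEK generated by the service, never by the user
        self.wrapped_dek = vault.wrap(key_name, dek)

    def write(self, plaintext: bytes) -> None:
        dek = self.vault.unwrap(self.key_name, self.wrapped_dek)
        self.nonce = secrets.token_bytes(16)  # fresh nonce per write
        self.ciphertext = _keystream_xor(dek, self.nonce, plaintext)

    def read(self) -> bytes:
        dek = self.vault.unwrap(self.key_name, self.wrapped_dek)
        return _keystream_xor(dek, self.nonce, self.ciphertext)

    def rotate_key(self, new_key_name: str) -> None:
        """Key rotation as the page describes it: only the DEK is re-wrapped
        under the new customer-managed key; the disk ciphertext is untouched."""
        dek = self.vault.unwrap(self.key_name, self.wrapped_dek)
        self.wrapped_dek = self.vault.wrap(new_key_name, dek)
        self.key_name = new_key_name


def demo() -> dict:
    """Walk through write, rotate, and disable; returns the observed properties."""
    vault = KeyVault()
    disk = ManagedDisk(vault, vault.create_key("cmk-v1"))
    disk.write(b"constructed disk contents")
    ciphertext_before = disk.ciphertext
    disk.rotate_key(vault.create_key("cmk-v2"))
    readable_after_rotation = disk.read() == b"constructed disk contents"
    vault.disable_key("cmk-v2")
    try:
        disk.read()
        readable_after_disable = True
    except PermissionError:
        readable_after_disable = False
    return {
        "ciphertext_unchanged_by_rotation": disk.ciphertext == ciphertext_before,
        "readable_after_rotation": readable_after_rotation,
        "readable_after_key_disabled": readable_after_disable,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is the shape of the trust relationship, not the toy primitives: rotation is cheap because only 32 bytes are re-wrapped, and disabling the key in the vault is an immediate kill switch for the disk because the service never holds the DEK in the clear beyond the unwrap call.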

You have to grant managed disks access to your Key Vault to use your keys for encrypting and decrypting the DEK. This gives you full control of your data and keys. You can disable your keys or revoke managed disks' access to them at any time. You can also audit the encryption key usage with Azure Key Vault monitoring to ensure that only managed disks or other trusted Azure services are accessing your keys.

For premium SSDs, standard SSDs, and standard HDDs: when you disable or delete your key, any VMs with disks using that key will automatically shut down. After this, the VMs will not be usable unless the key is enabled again or you assign a new key.

The following diagram shows how managed disks use Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

Diagram: managed disks and customer-managed keys workflow.

The following list explains the diagram in more detail:

  1. An Azure Key Vault administrator creates key vault resources.
  2. The key vault administrator either imports their RSA keys to Key Vault or generates new RSA keys in Key Vault.
  3. That administrator creates an instance of the Disk Encryption Set resource, specifying an Azure Key Vault ID and a key URL. Disk Encryption Set is a new resource introduced to simplify key management for managed disks.
  4. When a disk encryption set is created, a system-assigned managed identity is created in Azure Active Directory (AD) and associated with the disk encryption set.
  5. The Azure Key Vault administrator then grants the managed identity permission to perform operations in the key vault.
  6. A VM user creates disks by associating them with the disk encryption set. The VM user can also enable server-side encryption with customer-managed keys for existing resources by associating them with the disk encryption set.
  7. Managed disks use the managed identity to send requests to Azure Key Vault.
  8. For reading or writing data, managed disks send requests to Azure Key Vault to encrypt (wrap) and decrypt (unwrap) the data encryption key in order to perform encryption and decryption of the data.

To revoke access to customer-managed keys, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, as the encryption key is inaccessible to Azure Storage.

Supported regions

For premium SSDs, standard SSDs, and standard HDDs, only the following regions currently support customer-managed keys:

  • Available as a GA offering in Azure China cloud regions.

Restrictions

For now, customer-managed keys have the following restrictions:

  • If this feature is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data to an entirely different managed disk that isn't using customer-managed keys.

  • Only software keys of size 2048 are supported; no other key types or sizes.

  • Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.

  • Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.

  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.

  • Disks, snapshots, and images encrypted with customer-managed keys cannot be moved to another subscription.

  • Managed disks encrypted using customer-managed keys cannot also be encrypted with Azure Disk Encryption.

CLI

Setting up your Azure Key Vault and DiskEncryptionSet

  1. Make sure that you have installed the latest Azure CLI and logged in to an Azure account with az login.

  2. Create an instance of Azure Key Vault and an encryption key.

    When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 days by default). Purge protection ensures that a deleted key cannot be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion, and they are mandatory when using a Key Vault for encrypting managed disks.

    Important

    Do not camel case the region; if you do, you may experience problems when assigning additional disks to the resource in the Azure portal.

    subscriptionId=yourSubscriptionID
    rgName=yourResourceGroupName
    location=chinaeast
    keyVaultName=yourKeyVaultName
    keyName=yourKeyName
    diskEncryptionSetName=yourDiskEncryptionSetName
    diskName=yourDiskName
    
    az account set --subscription $subscriptionId
    
    az keyvault create -n $keyVaultName -g $rgName -l $location --enable-purge-protection true --enable-soft-delete true
    
    az keyvault key create --vault-name $keyVaultName -n $keyName --protection software
    
  3. Create an instance of a DiskEncryptionSet.

    keyVaultId=$(az keyvault show --name $keyVaultName --query [id] -o tsv)
    
    keyVaultKeyUrl=$(az keyvault key show --vault-name $keyVaultName --name $keyName --query [key.kid] -o tsv)
    
    az disk-encryption-set create -n $diskEncryptionSetName -l $location -g $rgName --source-vault $keyVaultId --key-url $keyVaultKeyUrl
    
  4. Grant the DiskEncryptionSet resource access to the key vault.

    Note

    It may take a few minutes for Azure to create the identity of your DiskEncryptionSet in your Azure Active Directory. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again.

    desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
    
    az keyvault set-policy -n $keyVaultName -g $rgName --object-id $desIdentity --key-permissions wrapkey unwrapkey get
    

Create a VM using a Marketplace image, encrypting the OS and data disks with customer-managed keys

rgName=yourResourceGroupName
vmName=yourVMName
location=chinaeast
vmSize=Standard_DS3_V2
image=UbuntuLTS
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az vm create -g $rgName -n $vmName -l $location --image $image --size $vmSize --generate-ssh-keys --os-disk-encryption-set $diskEncryptionSetId --data-disk-sizes-gb 128 128 --data-disk-encryption-sets $diskEncryptionSetId $diskEncryptionSetId

Encrypt existing managed disks

Your existing disks must not be attached to a running VM in order for you to encrypt them using the following script:

rgName=yourResourceGroupName
diskName=yourDiskName
diskEncryptionSetName=yourDiskEncryptionSetName

az disk update -n $diskName -g $rgName --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetName

Create a virtual machine scale set using a Marketplace image, encrypting the OS and data disks with customer-managed keys

rgName=yourResourceGroupName
vmssName=yourVMSSName
location=chinaeast
vmSize=Standard_DS3_V2
image=UbuntuLTS
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az vmss create -g $rgName -n $vmssName -l $location --image $image --vm-sku $vmSize --upgrade-policy automatic --admin-username azureuser --generate-ssh-keys --os-disk-encryption-set $diskEncryptionSetId --data-disk-sizes-gb 64 128 --data-disk-encryption-sets $diskEncryptionSetId $diskEncryptionSetId

Create an empty disk encrypted using server-side encryption with customer-managed keys and attach it to a VM

vmName=yourVMName
rgName=yourResourceGroupName
diskName=yourDiskName
diskSkuName=Premium_LRS
diskSizeinGiB=30
location=chinaeast
diskLUN=2
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az disk create -n $diskName -g $rgName -l $location --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetId --size-gb $diskSizeinGiB --sku $diskSkuName

diskId=$(az disk show -n $diskName -g $rgName --query [id] -o tsv)

az vm disk attach --vm-name $vmName --lun $diskLUN --ids $diskId

Change the key of a DiskEncryptionSet to rotate the key for all the resources referencing the DiskEncryptionSet

rgName=yourResourceGroupName
keyVaultName=yourKeyVaultName
keyName=yourKeyName
diskEncryptionSetName=yourDiskEncryptionSetName

keyVaultId=$(az keyvault show --name $keyVaultName --query [id] -o tsv)

keyVaultKeyUrl=$(az keyvault key show --vault-name $keyVaultName --name $keyName --query [key.kid] -o tsv)

az disk-encryption-set update -n $diskEncryptionSetName -g $rgName --key-url $keyVaultKeyUrl --source-vault $keyVaultId

Find the status of server-side encryption of a disk

az disk show -g yourResourceGroupName -n yourDiskName --query [encryption.type] -o tsv
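Checking one disk at a time with `az disk show` does not scale to a resource group, and the Key Vault prerequisites from the setup steps (soft delete and purge protection) are just as easy to drift on. The following added audit helper is not part of this page or of the Azure CLI: it takes the JSON that `az disk list -o json` and `az keyvault show -o json` print and reports every disk that is not protected by the expected DiskEncryptionSet, plus any missing vault protection. The sample JSON is constructed and trimmed to the fields read here; the field names (`encryption.type`, `encryption.diskEncryptionSetId`, `properties.enableSoftDelete`, `properties.enablePurgeProtection`) follow the Disk and Key Vault REST resources, and the expected DiskEncryptionSet ID is a placeholder you would replace with your own.

```python
import json

# Constructed sample of `az disk list -g <resourceGroup> -o json`, trimmed to the
# fields this check reads. The subscription GUID below is a placeholder.
SAMPLE_DISKS_JSON = """
[
  {"name": "web-os",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Compute/diskEncryptionSets/prodDES"}},
  {"name": "web-data0",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "legacy-data",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Compute/diskEncryptionSets/oldDES"}}
]
"""

# Constructed sample of `az keyvault show -n <vault> -o json`, trimmed likewise.
SAMPLE_VAULT_JSON = """
{"name": "yourKeyVaultName",
 "properties": {"enableSoftDelete": true, "enablePurgeProtection": false}}
"""

# Placeholder for the DiskEncryptionSet every disk in the group is expected to use.
EXPECTED_DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                   "prod-rg/providers/Microsoft.Compute/diskEncryptionSets/prodDES")


def disks_not_on_expected_des(disks_json: str, expected_des_id: str) -> list[tuple[str, str]]:
    """Return (disk name, reason) for every disk that is not encrypted with
    customer-managed keys through the expected DiskEncryptionSet.
    ARM resource IDs are case-insensitive, so both sides are lowercased."""
    findings = []
    for disk in json.loads(disks_json):
        enc = disk.get("encryption") or {}
        enc_type = enc.get("type")
        if enc_type != "EncryptionAtRestWithCustomerKey":
            findings.append((disk["name"], f"encryption type is {enc_type}"))
            continue
        des_id = enc.get("diskEncryptionSetId") or ""
        if des_id.lower() != expected_des_id.lower():
            findings.append((disk["name"], f"uses a different DiskEncryptionSet: {des_id}"))
    return findings


def missing_vault_protections(vault_json: str) -> list[str]:
    """Return which of the two settings the page makes mandatory for a vault that
    protects managed disks (soft delete, purge protection) are not enabled."""
    props = json.loads(vault_json).get("properties") or {}
    missing = []
    if props.get("enableSoftDelete") is not True:
        missing.append("enableSoftDelete")
    if props.get("enablePurgeProtection") is not True:
        missing.append("enablePurgeProtection")
    return missing


if __name__ == "__main__":
    for name, reason in disks_not_on_expected_des(SAMPLE_DISKS_JSON, EXPECTED_DES_ID):
        print(f"disk {name}: {reason}")
    for setting in missing_vault_protections(SAMPLE_VAULT_JSON):
        print(f"key vault: {setting} is not enabled")
```

In practice you would pipe real output into these functions (for example `az disk list -g yourResourceGroupName -o json` read from stdin) and schedule the check, since a disk created without `--disk-encryption-set` silently falls back to platform-managed keys and nothing on the disk itself flags the difference.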

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.

Server-side encryption versus Azure Disk Encryption

Azure Disk Encryption (ADE) for virtual machines and virtual machine scale sets uses the DM-Crypt feature of Linux to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by encrypting data in the Storage service instead of in the guest, which lets you use any OS type and image for your VMs.

Next steps