Azure Disk Encryption for Linux virtual machines FAQ

This article answers frequently asked questions (FAQ) about Azure Disk Encryption for Linux virtual machines (VMs). For more information about the service, see the Azure Disk Encryption overview.

What is Azure Disk Encryption for Linux VMs?

Azure Disk Encryption for Linux VMs uses the dm-crypt feature of Linux to provide full disk encryption of the OS disk and data disks (OS-disk support depends on the distribution; see the supported VMs and operating systems list). It also encrypts the temporary disk when the EncryptFormatAll feature is used. Data leaves the VM already encrypted and is stored encrypted in the Storage backend, which gives end-to-end encryption under a customer-managed key.

See Supported VMs and operating systems.

What user experiences are available with Azure Disk Encryption?

Azure Disk Encryption GA supports Azure Resource Manager templates, Azure PowerShell, and Azure CLI, so you have three options for enabling disk encryption on your VMs. For step-by-step guidance on each, see Azure Disk Encryption scenarios for Linux.

How much does Azure Disk Encryption cost?

There's no charge for encrypting VM disks with Azure Disk Encryption, but there are charges for the Azure Key Vault that holds the secrets and keys. For details, see the Key Vault pricing page.

How can I start using Azure Disk Encryption?

To get started, read the Azure Disk Encryption overview.

What VM sizes and operating systems support Azure Disk Encryption?

The Azure Disk Encryption overview article lists the VM sizes and VM operating systems that support Azure Disk Encryption.

Can I encrypt both boot and data volumes with Azure Disk Encryption?

Yes. You can encrypt both boot and data volumes, or encrypt the data volumes without encrypting the OS volume first.

Once the OS volume has been encrypted, disabling encryption on it isn't supported. For Linux VMs in a scale set, only the data volume can be encrypted.

Can I encrypt an unmounted volume with Azure Disk Encryption?

No. Azure Disk Encryption only encrypts mounted volumes, so mount a data disk before enabling encryption on it.

What is Storage server-side encryption?

Storage server-side encryption encrypts Azure managed disks at rest in Azure Storage. Since June 10, 2017, managed disks are encrypted by default with server-side encryption using a platform-managed key. To control the encryption of managed disks with your own keys, specify a customer-managed key instead. For more information, see Server-side encryption of Azure managed disks.

How do I rotate secrets or encryption keys?

To rotate the secret, call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption key.

Warning

  • If you previously encrypted this VM with the Azure Disk Encryption with Azure AD app option (specifying Azure AD credentials), you must continue to use that option for this VM. Moving an already encrypted VM away from the AAD application option to Azure Disk Encryption without an AAD app isn't a supported scenario.

How do I add or remove a key encryption key if I didn't originally use one?

To add a key encryption key, call the enable command again, passing the key encryption key parameter. To remove a key encryption key, call the enable command again without the key encryption key parameter.

Does Azure Disk Encryption allow you to bring your own key (BYOK)?

Yes, you can supply your own key encryption keys. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For the supported key encryption key scenarios, see Creating and configuring a key vault for Azure Disk Encryption.

Can I use an Azure-created key encryption key?

Yes, you can use Azure Key Vault to generate a key encryption key for Azure Disk Encryption to use. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption key, see Creating and configuring a key vault for Azure Disk Encryption.

Can I use an on-premises key management service to safeguard the encryption keys?

No. An on-premises key management service can't be used to safeguard the encryption keys with Azure Disk Encryption; only the Azure Key Vault service can. For the supported key encryption key scenarios, see Creating and configuring a key vault for Azure Disk Encryption.

What are the prerequisites to configure Azure Disk Encryption?

There are prerequisites for Azure Disk Encryption. See Creating and configuring a key vault for Azure Disk Encryption to create a new key vault, or to set up an existing key vault for disk encryption access, so that encryption can be enabled and the secrets and keys safeguarded. The same article describes the supported key encryption key scenarios.

What are the prerequisites to configure Azure Disk Encryption with an Azure AD app (previous release)?

There are prerequisites for Azure Disk Encryption. See the Azure Disk Encryption with Azure AD content to create an Azure Active Directory application and to create a new key vault, or to set up an existing key vault for disk encryption access, so that encryption can be enabled and the secrets and keys safeguarded. For the supported key encryption key scenarios, see Creating and configuring a key vault for Azure Disk Encryption with Azure AD.

Is Azure Disk Encryption using an Azure AD app (previous release) still supported?

Yes. Disk encryption using an Azure AD app is still supported. However, when encrypting new VMs, use the new method rather than encrypting with an Azure AD app.

Can I migrate VMs that were encrypted with an Azure AD app to encryption without an Azure AD app?

Currently there is no direct migration path for machines that were encrypted with an Azure AD app to encryption without an Azure AD app, and no direct path in the other direction, from encryption without an Azure AD app to encryption with one.

What version of Azure PowerShell does Azure Disk Encryption support?

Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version of Azure PowerShell. Azure Disk Encryption is not supported by Azure SDK version 1.1.0.

Note

The Linux Azure Disk Encryption preview extension "Microsoft.OSTCExtension.AzureDiskEncryptionForLinux" is deprecated. It was published for the Azure Disk Encryption preview release and should not be used in testing or production deployments.

For deployment scenarios such as Azure Resource Manager (ARM) templates, where you deploy the Azure Disk Encryption extension yourself to enable encryption on a Linux IaaS VM, use the production-supported extension "Microsoft.Azure.Security.AzureDiskEncryptionForLinux".

Can I apply Azure Disk Encryption on my custom Linux image?

No. Only the gallery Linux images for the supported distributions called out previously are supported; custom Linux images aren't currently supported.

Can I apply updates to a Linux Red Hat VM that uses yum update?

Yes, you can perform a yum update on a Red Hat Linux VM. For more information, see Azure Disk Encryption on an isolated network.

The following workflow is recommended for the best results on Linux:

  • Start from the unmodified stock gallery image for the OS distribution and version you need.
  • Back up any mounted drives that will be encrypted. The backup allows recovery if something fails, for example if the VM is rebooted before encryption has completed.
  • Encrypt. This can take several hours or even days, depending on the VM characteristics and the size of any attached data disks.
  • Customize the image and add software as needed.

If this workflow isn't possible, relying on Storage Service Encryption (SSE) at the platform storage account layer may be an alternative to full disk encryption using dm-crypt.
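The rotation, add/remove-KEK, prerequisite and workflow answers above all reduce to re-running one enable command with different parameters. The script below is an added example written for this FAQ, not Microsoft's code or the ADE extension's, showing that sequence with the Azure CLI: vault and KEK creation, a snapshot backup of the disks before encryption, the initial enable, and then the same enable command reused to rotate the KEK, to remove it, and to rotate the BEK secret into a different vault. The resource names (ade-demo-rg, ade-demo-vm, ade-demo-kv, ade-kek, the placeholder disk IDs) and the region are assumptions. By default it prints each az command instead of executing it; set ADE_APPLY=1 on a logged-in CLI to apply the plan.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs or the ADE extension): the ADE lifecycle on a
# Linux VM with the Azure CLI. Resource names are placeholders; override them via the
# environment. ADE_APPLY=0 (default) prints every az command instead of running it so the
# plan can be reviewed; ADE_APPLY=1 runs them against a logged-in Azure CLI.
set -eu

RG="${RG:-ade-demo-rg}"            # placeholder resource group
VM="${VM:-ade-demo-vm}"            # placeholder VM (supported gallery image, already backed up)
LOCATION="${LOCATION:-westus2}"    # the vault must be in the VM's region and subscription
KV="${KV:-ade-demo-kv}"            # vault that receives the BEK secret
KEK="${KEK:-ade-kek}"              # key encryption key name (optional BYOK wrap of the BEK)
ADE_APPLY="${ADE_APPLY:-0}"

run_az() {
  if [ "$ADE_APPLY" = "1" ]; then az "$@"; else printf 'az %s\n' "$*"; fi
}

# Prerequisite: a vault the platform is allowed to write BEK secrets to.
create_vault() {
  run_az keyvault create --name "$1" --resource-group "$RG" --location "$LOCATION" \
    --enabled-for-disk-encryption true
}

# Optional KEK generated inside Key Vault (--protection hsm needs a premium vault).
create_kek() { run_az keyvault key create --vault-name "$1" --name "$2" --protection software; }

# Workflow step: snapshot the disks (resource IDs passed as arguments) before encrypting,
# so a run interrupted by a reboot can be rolled back.
snapshot_disks() {
  for disk_id in "$@"; do
    run_az snapshot create --resource-group "$RG" --name "pre-ade-$(basename "$disk_id")" \
      --source "$disk_id"
  done
}

# The enable command is also the rotate/add/remove command:
#   $1 vault for the BEK secret (a different vault rotates the secret)
#   $2 volume type: OS, Data or All
#   $3 KEK name, or "" for no KEK (a new name rotates the KEK; "" removes it)
#   $4 extra flags, e.g. --encrypt-format-all (reformats unencrypted data disks,
#      wiping them; required for XFS data disks)
enable_cmd() {
  vault="$1"; vol="$2"; kek="${3:-}"; extra="${4:-}"
  set -- vm encryption enable --resource-group "$RG" --name "$VM" \
    --disk-encryption-keyvault "$vault" --volume-type "$vol"
  if [ -n "$kek" ]; then
    set -- "$@" --key-encryption-keyvault "$vault" --key-encryption-key "$kek"
  fi
  if [ -n "$extra" ]; then
    set -- "$@" $extra   # word-split on purpose: several flags may be passed
  fi
  run_az "$@"
}

show_status() { run_az vm encryption show --resource-group "$RG" --name "$VM"; }

# Plan: prerequisites, backup, initial encryption, then the three key-management operations.
create_vault "$KV"
create_kek "$KV" "$KEK"
if [ "$ADE_APPLY" = "1" ]; then
  disks="$(az vm show --resource-group "$RG" --name "$VM" -o tsv \
    --query "[storageProfile.osDisk.managedDisk.id, storageProfile.dataDisks[].managedDisk.id][]")"
else
  disks="os-disk-id data-disk-id"   # placeholder IDs for the dry run
fi
snapshot_disks $disks
enable_cmd "$KV" All "$KEK"          # initial encryption (can take hours; poll with show_status)
show_status
create_kek "$KV" "$KEK-v2"
enable_cmd "$KV" All "$KEK-v2"       # rotate the KEK: same command, new key
enable_cmd "$KV" All ""              # remove the KEK: same command, no key parameter
create_vault "$KV-new"
enable_cmd "$KV-new" All ""          # rotate the secret: same command, different vault
```

The dry run is worth keeping even once the flow is trusted: the only difference between "encrypt", "rotate" and "remove the KEK" is the argument list, so reviewing the printed commands is the cheapest way to catch a missing --key-encryption-key before it silently unwraps the BEK on a production VM.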

What is the disk "Bek Volume" or "/mnt/azure_bek_disk"?

The "Bek volume" is a local data volume that securely stores the encryption keys for encrypted Azure VMs.

Note

Do not delete or edit any contents of this disk, and do not unmount it: the encryption key must be present for any encryption operation on the IaaS VM.

What encryption method does Azure Disk Encryption use?

Azure Disk Encryption uses dm-crypt with its default cipher, aes-xts-plain64, and a 256-bit volume master key.
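As an added example (not from the FAQ or the ADE extension), the script below audits, from inside the VM, the facts the last few answers state: dm-crypt mappings use aes-xts-plain64, the BEK volume is mounted at /mnt/azure_bek_disk, and anything still mounted straight from a plain partition is unencrypted (the FAQ notes that unmounted volumes are skipped and that the temporary disk is only encrypted with EncryptFormatAll). It parses `lsblk -P` and `cryptsetup status` output; the embedded sample output, including its device and mapping names, is constructed, and treating /boot as expected plaintext is an assumption. Run it with --live as root on the VM to audit real output.

```shell
#!/usr/bin/env bash
# Added example, not part of the Azure docs: an in-VM audit of what ADE promises.
# With --live it runs lsblk and cryptsetup (as root on the VM); otherwise it runs
# over the constructed sample output below so the logic can be exercised anywhere.
set -eu

EXPECTED_CIPHER="aes-xts-plain64"     # stated in the FAQ
BEK_MOUNT="/mnt/azure_bek_disk"       # stated in the FAQ

# Input: `lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT` output. Prints "<mountpoint> <device>"
# for every mounted filesystem that is NOT a dm-crypt mapping. /boot and the BEK volume
# are expected plaintext (assumption); anything else printed is a gap, e.g. a data disk
# that was unmounted when encryption ran, or the temp disk without EncryptFormatAll.
plaintext_mounts() {
  awk -v bek="$BEK_MOUNT" '
    {
      name = ""; type = ""; mp = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        val = kv[2]; gsub(/"/, "", val)
        if (kv[1] == "NAME") name = val
        else if (kv[1] == "TYPE") type = val
        else if (kv[1] == "MOUNTPOINT") mp = val
      }
      if (mp != "" && type != "crypt" && mp != "/boot" && mp != bek) print mp, name
    }'
}

# Input: the same lsblk output. Exit 0 when something is mounted at the BEK path.
bek_mounted() {
  awk -v bek="$BEK_MOUNT" 'index($0, "MOUNTPOINT=\"" bek "\"") { ok = 1 }
    END { if (ok) exit 0; exit 1 }'
}

# Input: the same lsblk output. Prints the first dm-crypt mapping name.
first_crypt_name() {
  awk '/TYPE="crypt"/ { match($0, /NAME="[^"]*"/); print substr($0, RSTART + 6, RLENGTH - 7); exit }'
}

# Input: `cryptsetup status <mapping>` output. Exit 0 only if the cipher line is present
# and matches EXPECTED_CIPHER.
cipher_ok() {
  awk -v want="$EXPECTED_CIPHER" '
    $1 == "cipher:" { found = 1; if ($2 != want) bad = 1 }
    END { if (found && !bad) exit 0; exit 1 }'
}

# $1 = lsblk -P text, $2 = cryptsetup status text. Returns 0 when all three checks pass.
audit() {
  rc=0
  gaps="$(printf '%s\n' "$1" | plaintext_mounts)"
  if [ -n "$gaps" ]; then printf 'plaintext mounts:\n%s\n' "$gaps"; rc=1; fi
  printf '%s\n' "$1" | bek_mounted || { echo "BEK volume not mounted at $BEK_MOUNT"; rc=1; }
  printf '%s\n' "$2" | cipher_ok || { echo "cipher is not $EXPECTED_CIPHER"; rc=1; }
  return $rc
}

# Constructed sample: encrypted root, plaintext /boot, BEK volume, a temp disk and a
# data disk that were never encrypted. Device and mapping names are made up.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="rootcrypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt/resource"
NAME="sdc" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdc1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/mnt/azure_bek_disk"
NAME="sdd" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdd1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/data"'

# Constructed `cryptsetup status` output for the sample root mapping.
SAMPLE_STATUS='/dev/mapper/rootcrypt is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sda1
  mode:    read/write'

if [ "${1:-}" = "--live" ]; then
  lsblk_out="$(lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT)"
  mapping="$(printf '%s\n' "$lsblk_out" | first_crypt_name)"
  audit "$lsblk_out" "$(cryptsetup status "$mapping")"
else
  audit "$SAMPLE_LSBLK" "$SAMPLE_STATUS" || echo "sample audit found gaps (expected)"
fi
```

On the sample the audit reports /mnt/resource and /data as plaintext: exactly the two cases the FAQ warns about, a temporary disk encrypted only under EncryptFormatAll and a data disk that was not mounted (or was XFS without EncryptFormatAll) when encryption ran. The live mode only inspects the first mapping; extend it to loop over every TYPE="crypt" entry if you have several encrypted data disks.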

If I use EncryptFormatAll and specify all volume types, will it erase the data on the data drives that we already encrypted?

No. Data won't be erased from data drives that are already encrypted with Azure Disk Encryption. Just as EncryptFormatAll doesn't re-encrypt the OS drive, it won't re-encrypt an already encrypted data drive. For more information, see the EncryptFormatAll criteria.

Is the XFS filesystem supported?

Encryption of XFS OS disks is supported.

Encryption of XFS data disks is supported only when the EncryptFormatAll parameter is used. This reformats the volume, erasing any data previously on it, so back up the data first. For more information, see the EncryptFormatAll criteria.

Can I back up and restore an encrypted VM?

Azure Backup provides a mechanism to back up and restore encrypted VMs within the same subscription and region. For instructions, see Back up and restore encrypted virtual machines with Azure Backup. Restoring an encrypted VM to a different region is not currently supported.

Where can I go to ask questions or provide feedback?

You can ask questions or provide feedback on the Azure Disk Encryption forum.

Next steps

In this document, you learned more about the most frequent questions related to Azure Disk Encryption. For more information about this service, see the following articles: