Azure Disk Encryption scenarios on Linux VMs

Azure Disk Encryption for Linux virtual machines (VMs) uses the DM-Crypt feature of Linux to provide full disk encryption of the OS disk and data disks. Additionally, it provides encryption of the temporary disk when using the EncryptFormatAll feature.

Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. For an overview of the service, see Azure Disk Encryption for Linux VMs.

You can only apply disk encryption to virtual machines of supported VM sizes and operating systems. You must also meet the following prerequisites:

In all cases, you should take a snapshot and/or create a backup before disks are encrypted. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. Once a backup is made, you can use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see the Azure Backup article.

Warning

  • If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue to use this option to encrypt your VM. See Azure Disk Encryption with Azure AD (previous release) for details.

  • When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend avoiding SSH logins while the encryption is in progress, to avoid issues blocking any open files that will need to be accessed during the encryption process. To check progress, use the Get-AzVMDiskEncryptionStatus PowerShell cmdlet or the vm encryption show CLI command. This process can be expected to take a few hours for a 30 GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time will be proportional to the size and quantity of the data volumes unless the encrypt format all option is used.

  • Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted.

Install tools and connect to Azure

Azure Disk Encryption can be enabled and managed through the Azure CLI and Azure PowerShell. To do so, you must install the tools locally and connect to your Azure subscription.

Azure CLI

The Azure CLI 2.0 is a command-line tool for managing Azure resources. The CLI is designed to flexibly query data, support long-running operations as non-blocking processes, and make scripting easy. You can install it locally by following the steps in Install the Azure CLI.

To sign in to your Azure account with the Azure CLI, use the az login command.

az login

If you would like to select a tenant to sign in under, use:

az login --tenant <tenant>

If you have multiple subscriptions and want to specify a specific one, get your subscription list with az account list and specify with az account set.

az account list
az account set --subscription "<subscription name or ID>"

For more information, see Get started with Azure CLI 2.0.

Azure PowerShell

The Azure PowerShell Az module provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources. You can install it on your local machine using the instructions in Install the Azure PowerShell module.

If you already have it installed locally, make sure you use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version of the Azure PowerShell release.

To sign in to your Azure account with Azure PowerShell, use the Connect-AzAccount cmdlet.

Connect-AzAccount -Environment AzureChinaCloud

If you have multiple subscriptions and want to specify one, use the Get-AzSubscription cmdlet to list them, followed by the Set-AzContext cmdlet:

Set-AzContext -Subscription <SubscriptionId>

Running the Get-AzContext cmdlet will verify that the correct subscription has been selected.

To confirm the Azure Disk Encryption cmdlets are installed, use the Get-Command cmdlet:

Get-command *diskencryption*

For more information, see Getting started with Azure PowerShell.

Enable encryption on an existing or running Linux VM

In this scenario, you can enable encryption by using the Resource Manager template, PowerShell cmdlets, or CLI commands. If you need schema information for the virtual machine extension, see the Azure Disk Encryption for Linux extension article.

Important

It is mandatory to snapshot and/or back up a managed disk based VM instance outside of, and prior to, enabling Azure Disk Encryption. A snapshot of the managed disk can be taken from the portal, or through Azure Backup. Backups ensure that a recovery option is possible in the case of any unexpected failure during encryption. Once a backup is made, the Set-AzVMDiskEncryptionExtension cmdlet can be used to encrypt managed disks by specifying the -skipVmBackup parameter. The Set-AzVMDiskEncryptionExtension command will fail against managed disk based VMs until a backup has been made and this parameter has been specified.

Encrypting or disabling encryption may cause the VM to reboot.

Enable encryption on an existing or running Linux VM using Azure CLI

You can enable disk encryption on your encrypted VHD by installing and using the Azure CLI command-line tool. You can install it on your local machine and use it in any PowerShell session. To enable encryption on existing or running Linux VMs in Azure, use the following CLI commands:

Use the az vm encryption enable command to enable encryption on a running virtual machine in Azure.

  • Encrypt a running VM:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type [All|OS|Data]
    
  • Encrypt a running VM using KEK:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type [All|OS|Data]
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]
    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]

  • Verify the disks are encrypted: To check on the encryption status of a VM, use the az vm encryption show command.

    az vm encryption show --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup"
    
  • Disable encryption: To disable encryption, use the az vm encryption disable command. Disabling encryption is only allowed on data volumes for Linux VMs.

    az vm encryption disable --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup" --volume-type "data"
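As an added pre-flight check (example code, not part of the Azure documentation or of the az CLI), the script below validates the two parameter shapes described in the note above before assembling the az vm encryption enable command line. The regular expressions encode assumed naming rules that the page does not state (vault names of 3 to 24 letters, digits or hyphens; key names of letters, digits or hyphens; a 32-character hex key version) and accept both the vault.azure.cn and vault.azure.net DNS suffixes; the DRY_RUN variable and the function names are this example's own. A value that is only a vault name, or a secret URL where a key URL is expected, is rejected before anything reaches the VM.

```bash
#!/usr/bin/env bash
# Added pre-flight helper for 'az vm encryption enable' (not from the Azure docs).
# Validates parameter shapes, then prints (DRY_RUN=1, the default) or runs
# (DRY_RUN=0) the command. Requires the az CLI only when DRY_RUN=0.
set -euo pipefail

# Assumed formats: a 36-character GUID subscription id, any resource group name
# without '/', a 3-24 character vault name, a hyphen/alphanumeric key name and a
# 32-hex-digit key version. Both China and global Key Vault DNS suffixes accepted.
KV_ID_RE='^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[A-Za-z0-9-]{3,24}$'
KEK_URI_RE='^https://[A-Za-z0-9-]{3,24}\.vault\.azure\.(cn|net)/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$'

# Full Key Vault resource ID, as the note requires (a bare vault name is rejected).
is_keyvault_id() { [[ "$1" =~ $KV_ID_RE ]]; }

# Full KEK URI under /keys/ (a /secrets/ URL is a different object and is rejected).
is_kek_uri() { [[ "$1" =~ $KEK_URI_RE ]]; }

# Volume type accepted case-insensitively, as the page uses both "data" and "Data".
is_volume_type() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    ALL|OS|DATA) return 0 ;;
    *) return 1 ;;
  esac
}

# encrypt_enable <resource-group> <vm-name> <vault-resource-id> <volume-type> [<kek-uri> <kek-vault-resource-id>]
encrypt_enable() {
  local rg=$1 vm=$2 kv_id=$3 vol=$4 kek_uri=${5:-} kek_kv_id=${6:-}
  is_keyvault_id "$kv_id" || { echo "refusing: --disk-encryption-keyvault must be the full vault resource ID, got '$kv_id'" >&2; return 1; }
  is_volume_type "$vol"   || { echo "refusing: --volume-type must be All, OS or Data, got '$vol'" >&2; return 1; }
  local -a args=(vm encryption enable --resource-group "$rg" --name "$vm" --disk-encryption-keyvault "$kv_id" --volume-type "$vol")
  if [ -n "$kek_uri" ]; then
    is_kek_uri "$kek_uri"       || { echo "refusing: --key-encryption-key must be the full KEK URI (.../keys/<name>/<version>), got '$kek_uri'" >&2; return 1; }
    is_keyvault_id "$kek_kv_id" || { echo "refusing: --key-encryption-keyvault must be the full vault resource ID, got '$kek_kv_id'" >&2; return 1; }
    args+=(--key-encryption-key "$kek_uri" --key-encryption-keyvault "$kek_kv_id")
  fi
  if [ "${DRY_RUN:-1}" = "1" ]; then
    # Arguments are passed as an array, never through eval, so no value is re-parsed by the shell.
    printf '%s\n' "az ${args[*]}"
  else
    az "${args[@]}"
  fi
}

# Demo with constructed values (no VM is touched; the command is only printed).
encrypt_enable "MyVirtualMachineResourceGroup" "MySecureVM" \
  "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyKeyVaultResourceGroup/providers/Microsoft.KeyVault/vaults/MySecureVault" \
  "Data"
```

Run it with DRY_RUN=0 once the printed command reads as intended; the KEK variant needs both the KEK URI and the ID of the vault that holds the KEK, which may differ from the vault that receives the disk encryption secret.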
    

Enable encryption on an existing or running Linux VM using PowerShell

Use the Set-AzVMDiskEncryptionExtension cmdlet to enable encryption on a running virtual machine in Azure. Take a snapshot and/or back up the VM with Azure Backup before disks are encrypted. The -skipVmBackup parameter is already specified in the PowerShell scripts to encrypt a running Linux VM.

  • Encrypt a running VM: The script below initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, and key vault were created as prerequisites. Replace MyVirtualMachineResourceGroup, MySecureVM, and MySecureVault with your values. Modify the -VolumeType parameter to specify which disks you're encrypting.

     $KVRGname = 'MyKeyVaultResourceGroup';
     $VMRGName = 'MyVirtualMachineResourceGroup';
     $vmName = 'MySecureVM';
     $KeyVaultName = 'MySecureVault';
     $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
     $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
     $KeyVaultResourceId = $KeyVault.ResourceId;
     $sequenceVersion = [Guid]::NewGuid();  
    
     Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType '[All|OS|Data]' -SequenceVersion $sequenceVersion -skipVmBackup;
    
  • Encrypt a running VM using KEK: You may need to add the -VolumeType parameter if you're encrypting data disks and not the OS disk.

     $KVRGname = 'MyKeyVaultResourceGroup';
     $VMRGName = 'MyVirtualMachineResourceGroup';
     $vmName = 'MyExtraSecureVM';
     $KeyVaultName = 'MySecureVault';
     $keyEncryptionKeyName = 'MyKeyEncryptionKey';
     $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
     $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
     $KeyVaultResourceId = $KeyVault.ResourceId;
     $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
     $sequenceVersion = [Guid]::NewGuid();  
    
     Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType '[All|OS|Data]' -SequenceVersion $sequenceVersion -skipVmBackup;
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]
    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]

  • Verify the disks are encrypted: To check on the encryption status of a VM, use the Get-AzVmDiskEncryptionStatus cmdlet.

    Get-AzVmDiskEncryptionStatus -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM'
    
  • Disable disk encryption: To disable the encryption, use the Disable-AzVMDiskEncryption cmdlet. Disabling encryption is only allowed on data volumes for Linux VMs.

    Disable-AzVMDiskEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM'
    

Enable encryption on an existing or running Linux VM with a template

You can enable disk encryption on an existing or running Linux VM in Azure by using the Resource Manager template.

  1. Click Deploy to Azure on the Azure quickstart template.

  2. Select the subscription, resource group, resource group location, parameters, legal terms, and agreement. Click Create to enable encryption on the existing or running VM.

The following table lists the Resource Manager template parameters for existing or running VMs:

Parameter              Description
vmName                 Name of the VM to run the encryption operation on.
keyVaultName           Name of the key vault that the encryption key should be uploaded to. You can get it by using the cmdlet (Get-AzKeyVault -ResourceGroupName <MyKeyVaultResourceGroupName>).VaultName or the Azure CLI command az keyvault list --resource-group "MyKeyVaultResourceGroupName".
keyVaultResourceGroup  Name of the resource group that contains the key vault.
keyEncryptionKeyURL    URL of the key encryption key that's used to encrypt the encryption key. This parameter is optional if you select nokek in the UseExistingKek drop-down list. If you select kek in the UseExistingKek drop-down list, you must enter the keyEncryptionKeyURL value.
volumeType             Type of volume that the encryption operation is performed on. Valid values are OS, Data, and All.
forceUpdateTag         Pass in a unique value like a GUID every time the operation needs to be force run.
location               Location for all resources.

For more information about configuring the Linux VM disk encryption template, see Azure Disk Encryption for Linux.

Use the EncryptFormatAll feature for data disks on Linux VMs

The EncryptFormatAll parameter reduces the time for Linux data disks to be encrypted. Partitions meeting certain criteria will be formatted, along with their current file systems, then remounted back to where they were before command execution. If you wish to exclude a data disk that meets the criteria, you can unmount it before running the command.

After running this command, any drives that were mounted previously will be formatted, and the encryption layer will be started on top of the now empty drive. When this option is selected, the temporary disk attached to the VM will also be encrypted. If the temporary disk is reset, it will be reformatted and re-encrypted for the VM by the Azure Disk Encryption solution at the next opportunity. Once the resource disk gets encrypted, the Azure Linux Agent will not be able to manage the resource disk and enable the swap file, but you may manually configure the swap file.

Warning

EncryptFormatAll shouldn't be used when there is needed data on a VM's data volumes. You may exclude disks from encryption by unmounting them. You should first try out EncryptFormatAll on a test VM and understand the feature parameter and its implications before trying it on a production VM. The EncryptFormatAll option formats the data disk and all the data on it will be lost. Before proceeding, verify that disks you wish to exclude are properly unmounted.

If you're setting this parameter while updating encryption settings, it might lead to a reboot before the actual encryption. In this case, you will also want to remove the disks you don't want formatted from the fstab file. Similarly, you should add the partitions you want encrypt-formatted to the fstab file before initiating the encryption operation.

EncryptFormatAll criteria

The parameter goes through all partitions and encrypts them as long as they meet all of the criteria below:

  • Is not a root/OS/boot partition
  • Is not already encrypted
  • Is not a BEK volume
  • Is not a RAID volume
  • Is not an LVM volume
  • Is mounted

Encrypt the disks that compose the RAID or LVM volume rather than the RAID or LVM volume itself.
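To see which partitions the criteria above would select before running with EncryptFormatAll, the added script below (example code, not part of the Azure documentation or of the extension) parses lsblk -P output and applies each criterion. It assumes that RAID, LVM and already-encrypted volumes appear as raid, lvm and crypt device types, or as linux_raid_member, LVM2_member and crypto_LUKS file system types; that root/OS/boot means / and anything under /boot; and that the BEK volume carries the file system label BEK VOLUME. The sample lsblk output is constructed, not captured from a VM.

```bash
#!/usr/bin/env bash
# Added dry-run helper (not from the Azure docs): list the mounted partitions that
# EncryptFormatAll would format and encrypt, so the mount list can be reviewed
# before data is lost. Assumptions are noted inline.
# Usage on a VM: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,LABEL | encrypt_format_all_candidates
set -euo pipefail

# Extract one KEY="value" field from an 'lsblk -P' line (empty if the key is absent).
lsblk_field() {
  local line=" $1" pat=" $2=\"" rest
  rest=${line#*"$pat"}
  if [ "$rest" = "$line" ]; then
    printf ''
  else
    printf '%s' "${rest%%\"*}"
  fi
}

# Read 'lsblk -P' lines on stdin; print "NAME MOUNTPOINT" for each candidate.
encrypt_format_all_candidates() {
  local line name type fstype mnt label
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    name=$(lsblk_field "$line" NAME)
    type=$(lsblk_field "$line" TYPE)
    fstype=$(lsblk_field "$line" FSTYPE)
    mnt=$(lsblk_field "$line" MOUNTPOINT)
    label=$(lsblk_field "$line" LABEL)
    # Criterion: is mounted (unmounting is how a disk is excluded).
    [ -n "$mnt" ] || continue
    # Criterion: not a root/OS/boot partition (assumed: / and anything under /boot).
    case "$mnt" in /|/boot|/boot/*) continue ;; esac
    # Criteria: not RAID, LVM or already encrypted. Those are mounted through
    # mapper nodes (TYPE raid*/lvm/crypt), so only plain disks/partitions qualify.
    case "$type" in disk|part) ;; *) continue ;; esac
    case "$fstype" in crypto_LUKS|LVM2_member|linux_raid_member) continue ;; esac
    # Criterion: not the BEK volume (assumed to carry the label "BEK VOLUME").
    if [ "$label" = "BEK VOLUME" ]; then continue; fi
    printf '%s %s\n' "$name" "$mnt"
  done
}

# Constructed sample of 'lsblk -P' output (not captured from a real VM).
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" LABEL=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" LABEL="cloudimg-rootfs"
NAME="sda15" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" LABEL="UEFI"
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt/resource" LABEL=""
NAME="sdc1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt/data1" LABEL=""
NAME="sdd1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="" LABEL=""
NAME="sde1" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT="" LABEL=""
NAME="vg0-lv0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/mnt/lvm" LABEL=""
NAME="sdf1" TYPE="part" FSTYPE="linux_raid_member" MOUNTPOINT="" LABEL=""
NAME="md0" TYPE="raid1" FSTYPE="ext4" MOUNTPOINT="/mnt/raid" LABEL=""
NAME="sdg1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" LABEL=""
NAME="sdg1-crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/mnt/secret" LABEL=""
NAME="sdh1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/mnt/azure_bek_disk" LABEL="BEK VOLUME"'

demo_candidates() { printf '%s\n' "$SAMPLE_LSBLK" | encrypt_format_all_candidates; }

demo_candidates
```

In the sample, only sdb1 (the temporary disk at /mnt/resource, which the text above says is also encrypted) and sdc1 are listed; sdd1 is skipped because it is unmounted, and the LVM, RAID, LUKS and BEK entries are skipped by the remaining criteria. Anything listed that must keep its data should be unmounted before the command runs.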

Use the EncryptFormatAll parameter with Azure CLI

Use the az vm encryption enable command to enable encryption on a running virtual machine in Azure.

  • Encrypt a running VM using EncryptFormatAll:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "data" --encrypt-format-all
    

Use the EncryptFormatAll parameter with a PowerShell cmdlet

Use the Set-AzVMDiskEncryptionExtension cmdlet with the EncryptFormatAll parameter.

Encrypt a running VM using EncryptFormatAll: As an example, the script below initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet with the EncryptFormatAll parameter. The resource group, VM, and key vault were created as prerequisites. Replace MyVirtualMachineResourceGroup, MySecureVM, and MySecureVault with your values.

$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;

Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType "data" -EncryptFormatAll

Use the EncryptFormatAll parameter with Logical Volume Manager (LVM)

We recommend an LVM-on-crypt setup. For all the following examples, replace the device path and mount points with whatever suits your use case. This setup can be done as follows:

  1. Add the data disks that will compose the VM.

  2. Format, mount, and add these disks to the fstab file.

  3. Choose a partition standard, create a partition that spans the entire drive, and then format the partition. We use symlinks generated by Azure here. Using symlinks avoids problems related to device names changing. For more information, see the Troubleshoot Device Names problems article.

    parted /dev/disk/azure/scsi1/lun0 mklabel gpt
    parted -a opt /dev/disk/azure/scsi1/lun0 mkpart primary ext4 0% 100%
    
    mkfs -t ext4 /dev/disk/azure/scsi1/lun0-part1
    
  4. Mount the disks:

    mount /dev/disk/azure/scsi1/lun0-part1 /mnt/mountpoint
    

    Add to the fstab file:

    echo "/dev/disk/azure/scsi1/lun0-part1 /mnt/mountpoint ext4 defaults,nofail 0 2" >> /etc/fstab
    
  5. Run the Azure PowerShell Set-AzVMDiskEncryptionExtension cmdlet with -EncryptFormatAll to encrypt these disks.

    $KeyVault = Get-AzKeyVault -VaultName "MySecureVault" -ResourceGroupName "MySecureGroup"
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName "MySecureGroup" -VMName "MySecureVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -EncryptFormatAll -SkipVmBackup -VolumeType Data
    

    If you wish to use a key encryption key (KEK), pass the URI of your KEK and the ResourceID of your key vault to the -KeyEncryptionKeyUrl and -KeyEncryptionKeyVaultId parameters, respectively:

    $KeyVault = Get-AzKeyVault -VaultName "MySecureVault" -ResourceGroupName "MySecureGroup"
    $KEKKeyVault = Get-AzKeyVault -VaultName "MyKEKVault" -ResourceGroupName "MySecureGroup"
    $KEK = Get-AzKeyVaultKey -VaultName "MyKEKVault" -Name "myKEKName"
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName "MySecureGroup" -VMName "MySecureVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -EncryptFormatAll -SkipVmBackup -VolumeType Data -KeyEncryptionKeyUrl $KEK.Id -KeyEncryptionKeyVaultId $KEKKeyVault.ResourceId
    
  6. Set up LVM on top of these new disks. Note that the encrypted drives are unlocked after the VM has finished booting, so the LVM mounting will also have to be subsequently delayed.
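Steps 3 and 4 above, combined into one re-runnable script as an added example (not from the Azure documentation): it partitions and formats the LUN only when its -part1 symlink does not exist yet, mounts it, and adds the fstab entry only if no entry for that device or mount point is already present, so re-running it does not append duplicate lines the way a bare echo >> /etc/fstab would. DRY_RUN, the function names and the lun0 sample are this example's own; the fstab path is a parameter so the script can be tried against a scratch file.

```bash
#!/usr/bin/env bash
# Added helper (not from the Azure docs): prepare one Azure data LUN for
# EncryptFormatAll using the stable /dev/disk/azure/scsi1/lunN symlink.
# DRY_RUN=1 prints the privileged commands instead of running them.
set -euo pipefail

# Run a command, or print it with a '+ ' prefix when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Return 0 if the fstab file already has a non-comment entry for the device or mount point.
fstab_has_entry() {
  local fstab=$1 device=$2 mountpoint=$3
  awk -v d="$device" -v m="$mountpoint" \
    '$1 !~ /^#/ && ($1 == d || $2 == m) { found = 1 } END { exit !found }' "$fstab"
}

# Append the fstab line for a data partition unless an entry already exists.
# 'nofail' keeps the VM booting when the disk (or its crypt layer) is not present yet.
add_fstab_entry() {
  local fstab=$1 device=$2 mountpoint=$3 fstype=${4:-ext4}
  if fstab_has_entry "$fstab" "$device" "$mountpoint"; then
    echo "fstab: entry for $device or $mountpoint already present, not adding" >&2
    return 0
  fi
  printf '%s %s %s defaults,nofail 0 2\n' "$device" "$mountpoint" "$fstype" >> "$fstab"
}

# prepare_data_disk <lun-number> <mountpoint> [<fstab-path>]
# Partitioning and mkfs run only when lunN-part1 is absent (assumed to mean "not yet
# prepared"), so an already formatted partition is never wiped by a re-run.
prepare_data_disk() {
  local lun=$1 mountpoint=$2 fstab=${3:-/etc/fstab}
  local disk="/dev/disk/azure/scsi1/lun$lun" part="/dev/disk/azure/scsi1/lun$lun-part1"
  if [ -e "$part" ]; then
    echo "$part already exists, skipping partitioning and formatting" >&2
  else
    run parted "$disk" mklabel gpt
    run parted -a opt "$disk" mkpart primary ext4 0% 100%
    run mkfs -t ext4 "$part"
  fi
  run mkdir -p "$mountpoint"
  run mount "$part" "$mountpoint"
  add_fstab_entry "$fstab" "$part" "$mountpoint"
}

# Stand-alone demo: dry run against a scratch fstab so nothing on this host changes.
demo_fstab=$(mktemp)
DRY_RUN=1 prepare_data_disk 0 /mnt/mountpoint "$demo_fstab"
DRY_RUN=1 prepare_data_disk 0 /mnt/mountpoint "$demo_fstab"   # second run adds no duplicate
cat "$demo_fstab"
rm -f "$demo_fstab"
```

On a VM the script runs as root with DRY_RUN unset and the default /etc/fstab; the fstab entry deliberately uses the lunN-part1 symlink rather than /dev/sdX, which the text above notes can change between boots.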

New VMs created from customer-encrypted VHD and encryption keys

In this scenario, you can enable encryption by using PowerShell cmdlets or CLI commands.

Use the instructions in the Azure Disk Encryption sample scripts for preparing pre-encrypted images that can be used in Azure. After the image is created, you can use the steps in the next section to create an encrypted Azure VM.

Important

It is mandatory to snapshot and/or back up a managed disk based VM instance outside of, and prior to, enabling Azure Disk Encryption. A snapshot of the managed disk can be taken from the portal, or Azure Backup can be used. Backups ensure that a recovery option is possible in the case of any unexpected failure during encryption. Once a backup is made, the Set-AzVMDiskEncryptionExtension cmdlet can be used to encrypt managed disks by specifying the -skipVmBackup parameter. The Set-AzVMDiskEncryptionExtension command will fail against managed disk based VMs until a backup has been made and this parameter has been specified.

Encrypting or disabling encryption may cause the VM to reboot.

Use Azure PowerShell to encrypt VMs with pre-encrypted VHDs

You can enable disk encryption on your encrypted VHD by using the PowerShell cmdlet Set-AzVMOSDisk. The example below gives you some common parameters.

$VirtualMachine = New-AzVMConfig -VMName "MySecureVM" -VMSize "Standard_A1"
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -Name "SecureOSDisk" -VhdUri "os.vhd" -Caching ReadWrite -Linux -CreateOption "Attach" -DiskEncryptionKeyUrl "https://mytestvault.vault.azure.cn/secrets/Test1/514ceb769c984379a7e0230bddaaaaaa" -DiskEncryptionKeyVaultId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mytestvault"
New-AzVM -VM $VirtualMachine -ResourceGroupName "MyVirtualMachineResourceGroup"

Enable encryption on a newly added data disk

You can add a new data disk using az vm disk attach, or through the Azure portal. Before you can encrypt, you need to mount the newly attached data disk first. You must request encryption of the data drive, since the drive will be unusable while encryption is in progress.

Enable encryption on a newly added disk with Azure CLI

If the VM was previously encrypted with "All", then the --volume-type parameter should remain "All". All includes both OS and data disks. If the VM was previously encrypted with a volume type of "OS", then the --volume-type parameter should be changed to "All" so that both the OS and the new data disk will be included. If the VM was encrypted with only the volume type of "Data", then it can remain "Data" as demonstrated below. Adding and attaching a new data disk to a VM is not sufficient preparation for encryption. The newly attached disk must also be formatted and properly mounted within the VM prior to enabling encryption. On Linux the disk must be mounted in /etc/fstab with a persistent block device name.

In contrast to the PowerShell syntax, the CLI does not require the user to provide a unique sequence version when enabling encryption. The CLI automatically generates and uses its own unique sequence version value.

  • Encrypt data volumes of a running VM:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"
    
  • Encrypt data volumes of a running VM using KEK:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type "Data"
    

Enable encryption on a newly added disk with Azure PowerShell

When using PowerShell to encrypt a new disk for Linux, a new sequence version needs to be specified. The sequence version has to be unique. The script below generates a GUID for the sequence version. Take a snapshot and/or back up the VM with Azure Backup before disks are encrypted. The -skipVmBackup parameter is already specified in the PowerShell scripts to encrypt a newly added data disk.

  • Encrypt data volumes of a running VM: The script below initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, and key vault should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MySecureVM, and MySecureVault with your values. Acceptable values for the -VolumeType parameter are All, OS, and Data. If the VM was previously encrypted with a volume type of "OS" or "All", then the -VolumeType parameter should be changed to "All" so that both the OS and the new data disk will be included.

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MySecureVM';
    $KeyVaultName = 'MySecureVault';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $sequenceVersion = [Guid]::NewGuid();
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType 'data' -SequenceVersion $sequenceVersion -skipVmBackup;
    
  • Encrypt data volumes of a running VM using KEK: Acceptable values for the -VolumeType parameter are All, OS, and Data. If the VM was previously encrypted with a volume type of "OS" or "All", then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included.

    # The key vault and the VM may live in different resource groups
    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MyExtraSecureVM';
    $KeyVaultName = 'MySecureVault';
    # Name of the key-encryption key (KEK) that wraps the disk encryption secret
    $keyEncryptionKeyName = 'MyKeyEncryptionKey';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    # .Key.kid is the versioned key URI, which is what -KeyEncryptionKeyUrl expects
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
    $sequenceVersion = [Guid]::NewGuid();

    # The KEK lives in the same vault here, so the same resource id is passed for -KeyEncryptionKeyVaultId
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType 'data' -SequenceVersion $sequenceVersion -skipVmBackup;


    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[KVresource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]
    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]
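A pre-flight check for the two identifier formats in the note above, added here as an example rather than code from the Azure documentation: it parses a Key Vault resource id and a versioned KEK URI and confirms the KEK belongs to the vault named by the id. The sample values are constructed placeholders, and the accepted DNS suffixes (vault.azure.cn as on this page, vault.azure.net for global Azure) are assumed.

```python
import re
from urllib.parse import urlparse

# Constructed sample values in the note's format; the GUID and key version are placeholders.
EXAMPLE_KEYVAULT_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/MyKeyVaultResourceGroup"
    "/providers/Microsoft.KeyVault/vaults/MySecureVault"
)
EXAMPLE_KEK_URL = (
    "https://MySecureVault.vault.azure.cn/keys/MyKeyEncryptionKey"
    "/0123456789abcdef0123456789abcdef"
)

_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_KEYVAULT_ID_RE = re.compile(
    "^/subscriptions/(?P<subscription>" + _GUID + ")"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$",
    re.IGNORECASE,
)
# Assumed Key Vault DNS suffixes: China cloud (used on this page) and global Azure.
_VAULT_SUFFIXES = (".vault.azure.cn", ".vault.azure.net")


def parse_keyvault_id(resource_id):
    """Return (subscription, resource_group, vault) or raise ValueError."""
    m = _KEYVAULT_ID_RE.match(resource_id)
    if not m:
        raise ValueError("not a Key Vault resource id: %r" % resource_id)
    return m.group("subscription"), m.group("resource_group"), m.group("vault")


def parse_kek_url(url):
    """Return (vault, key_name, key_version) for a full KEK URI or raise ValueError."""
    u = urlparse(url)
    host = u.netloc.lower()
    if u.scheme != "https" or not host.endswith(_VAULT_SUFFIXES):
        raise ValueError("KEK URL must be https on a Key Vault host: %r" % url)
    parts = u.path.strip("/").split("/")
    # The note requires the versioned form /keys/[kekname]/[kek-unique-id]; reject anything else.
    if len(parts) != 3 or parts[0] != "keys" or not parts[1] or not parts[2]:
        raise ValueError("KEK URL must be .../keys/[kekname]/[kek-unique-id]: %r" % url)
    return host.split(".", 1)[0], parts[1], parts[2]


def check_kek_matches_vault(keyvault_id, kek_url):
    """True when the KEK URI points into the vault named by the resource id."""
    _, _, vault_from_id = parse_keyvault_id(keyvault_id)
    vault_from_url, _, _ = parse_kek_url(kek_url)
    return vault_from_id.lower() == vault_from_url
```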

Disable encryption for Linux VMs

You can disable encryption using Azure PowerShell, the Azure CLI, or with a Resource Manager template.

Important

Disabling encryption with Azure Disk Encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted.

  • Disable disk encryption with Azure PowerShell: To disable the encryption, use the Disable-AzVMDiskEncryption cmdlet.

    Disable-AzVMDiskEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM' [-VolumeType DATA]
    
  • Disable encryption with the Azure CLI: To disable encryption, use the az vm encryption disable command.

    az vm encryption disable --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup" --volume-type DATA
    
  • Disable encryption with a Resource Manager template: Use the Disable encryption on a running Linux VM template to disable encryption.

    1. Click Deploy to Azure.
    2. Select the subscription, resource group, location, VM, legal terms, and agreement.
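The two rules stated above (pass -VolumeType All when the OS disk was already encrypted, and never disable once the OS volume is encrypted) as a pre-check, added here as an example and not part of the Azure documentation. The status shape is assumed to mirror the OsVolumeEncrypted and DataVolumesEncrypted fields of Get-AzVMDiskEncryptionStatus with the values "Encrypted" and "NotEncrypted"; the inputs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptionStatus:
    # Assumed shape: the two volume fields reported by Get-AzVMDiskEncryptionStatus.
    os_volume: str      # "Encrypted" or "NotEncrypted"
    data_volumes: str   # "Encrypted" or "NotEncrypted"


def volume_type_for_new_data_disk(status):
    """-VolumeType to pass when encrypting a newly attached data disk.

    If the VM was previously encrypted with OS or All, the OS volume shows as
    encrypted and All must be used so both OS and the new data disk are covered.
    """
    return "All" if status.os_volume == "Encrypted" else "Data"


def can_disable_encryption(status, volume_type):
    """Return (allowed, reason) for a Disable-AzVMDiskEncryption request.

    Disabling is only supported for data volumes, and not at all (data or OS)
    once the OS volume has been encrypted.
    """
    if status.os_volume == "Encrypted":
        return False, "OS volume is encrypted: disabling is unsupported for OS and data volumes"
    if volume_type.upper() != "DATA":
        return False, "only -VolumeType DATA can be disabled on a Linux VM"
    if status.data_volumes != "Encrypted":
        return False, "data volumes are not encrypted: nothing to disable"
    return True, "data volume encryption can be disabled"


def plan_disable_command(status, resource_group, vm_name, volume_type="DATA"):
    """Build the cmdlet line only when the pre-check passes; raise otherwise."""
    allowed, reason = can_disable_encryption(status, volume_type)
    if not allowed:
        raise RuntimeError(reason)
    return "Disable-AzVMDiskEncryption -ResourceGroupName '%s' -VMName '%s' -VolumeType %s" % (
        resource_group, vm_name, volume_type.upper())
```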

Unsupported scenarios

Azure Disk Encryption does not work for the following Linux scenarios, features, and technologies:

  • Encrypting basic tier VMs or VMs created through the classic VM creation method.
  • Disabling encryption on an OS drive or data drive of a Linux VM when the OS drive is encrypted.
  • Encrypting the OS drive for Linux virtual machine scale sets.
  • Encrypting custom images on Linux VMs.
  • Integration with an on-premises key management system.
  • Azure Files (shared file system).
  • Network File System (NFS).
  • Dynamic volumes.
  • Ephemeral OS disks.
  • Encryption of shared/distributed file systems such as (but not limited to) DFS, GFS, DRBD, and CephFS.
  • Moving an encrypted VM to another subscription or region.
  • Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs.
  • Kernel Crash Dump (kdump).
  • Oracle ACFS (ASM Cluster File System).
  • Gen2 VMs (see: Support for generation 2 VMs on Azure).
  • A VM with "nested mount points"; that is, multiple mount points in a single path (such as "/1stmountpoint/data/2stmountpoint").
  • A VM with a data drive mounted on top of an OS folder.
  • M-series VMs with Write Accelerator disks.
  • Applying ADE to a VM that has disks encrypted with server-side encryption with customer-managed keys (SSE + CMK). Applying SSE + CMK to a data disk on a VM encrypted with ADE is an unsupported scenario as well.
  • Migrating a VM that is encrypted with ADE, or has ever been encrypted with ADE, to server-side encryption with customer-managed keys.

Next steps