Enable Azure Disk Encryption with Azure AD on Linux VMs (previous release)

The new release of Azure Disk Encryption eliminates the requirement to provide an Azure Active Directory (Azure AD) application parameter to enable VM disk encryption. With the new release, you're no longer required to provide Azure AD credentials during the enable-encryption step. All new VMs must be encrypted without the Azure AD application parameters by using the new release. For instructions on how to enable VM disk encryption by using the new release, see Azure Disk Encryption for Linux VMs. VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the Azure AD syntax.

You can enable many disk-encryption scenarios, and the steps might vary according to the scenario. The following sections cover the scenarios in greater detail for Linux infrastructure as a service (IaaS) VMs. You can apply disk encryption only to virtual machines of supported VM sizes and operating systems. You must also meet the following prerequisites:

Take a snapshot, make a backup, or both before you encrypt the disks. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. After a backup is made, you can use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see Azure Backup.

Warning

  • If you previously used Azure Disk Encryption with the Azure AD app to encrypt this VM, you must continue to use this option to encrypt your VM. You can't use the new release of Azure Disk Encryption on this encrypted VM, because that isn't a supported scenario: switching away from the Azure AD application for an already encrypted VM isn't supported yet.
  • To make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the key vault and the VMs to be co-located in the same region. Create and use a key vault that's in the same region as the VM to be encrypted.
  • When you encrypt Linux OS volumes, the process can take a few hours. It's normal for Linux OS volumes to take longer than data volumes to encrypt.
  • When you encrypt Linux OS volumes, the VM should be considered unavailable. We strongly recommend that you avoid SSH logins while the encryption is in progress, to avoid blocking any open files that need to be accessed during the encryption process. To check progress, use the Get-AzVMDiskEncryptionStatus cmdlet or the az vm encryption show command. You can expect this process to take a few hours for a 30-GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time is proportional to the size and quantity of the data volumes unless the EncryptFormatAll option is used.
  • Disabling encryption on Linux VMs is only supported for data volumes. It's not supported on data or OS volumes if the OS volume has been encrypted.

Enable encryption on an existing or running IaaS Linux VM

In this scenario, you can enable encryption by using an Azure Resource Manager template, PowerShell cmdlets, or Azure CLI commands.

Important

It's mandatory to take a snapshot or back up a managed-disk-based VM instance outside of, and prior to, enabling Azure Disk Encryption. You can take a snapshot of the managed disk from the Azure portal, or you can use Azure Backup. Backups ensure that a recovery option is possible in the case of any unexpected failure during encryption. After a backup is made, use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. The Set-AzVMDiskEncryptionExtension command fails against managed-disk-based VMs until a backup is made and this parameter is specified.

Encrypting or disabling encryption might cause the VM to reboot.

Enable encryption on an existing or running Linux VM by using the Azure CLI

You can enable disk encryption on your VHD by installing and using the Azure CLI 2.0 command-line tool. You can install it on your local machine and use it in any PowerShell session. To enable encryption on existing or running IaaS Linux VMs in Azure, use the following CLI commands:

Use the az vm encryption enable command to enable encryption on a running IaaS virtual machine in Azure.

  • Encrypt a running VM by using a client secret:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI/my Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault "MySecureVault" --volume-type [All|OS|Data]
    
  • Encrypt a running VM by using a KEK to wrap the client secret:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI which is the Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type [All|OS|Data]
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name].

    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id].

  • Verify that the disks are encrypted: To check on the encryption status of an IaaS VM, use the az vm encryption show command.

    az vm encryption show --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup"
    
  • Disable encryption: To disable encryption, use the az vm encryption disable command. Disabling encryption is only allowed on data volumes for Linux VMs.

    az vm encryption disable --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup" --volume-type DATA
    

Enable encryption on an existing or running Linux VM by using PowerShell

Use the Set-AzVMDiskEncryptionExtension cmdlet to enable encryption on a running IaaS virtual machine in Azure. Take a snapshot or make a backup of the VM with Azure Backup before the disks are encrypted. The -skipVmBackup parameter is already specified in the PowerShell scripts that encrypt a running Linux VM.

  • Encrypt a running VM by using a client secret: The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. Modify the -VolumeType parameter to specify which disks you're encrypting.

    $VMRGName = 'MyVirtualMachineResourceGroup';
    $KVRGname = 'MyKeyVaultResourceGroup';
    $vmName = 'MySecureVM';
    $aadClientID = 'My-AAD-client-ID';
    $aadClientSecret = 'My-AAD-client-secret';
    $KeyVaultName = 'MySecureVault';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $sequenceVersion = [Guid]::NewGuid();
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType '[All|OS|Data]' -SequenceVersion $sequenceVersion -skipVmBackup;
    
  • Encrypt a running VM by using a KEK to wrap the client secret: Azure Disk Encryption lets you specify an existing key in your key vault to wrap the disk encryption secrets that were generated while enabling encryption. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing them to the key vault. Modify the -VolumeType parameter to specify which disks you're encrypting.

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MySecureVM';
    $aadClientID = 'My-AAD-client-ID';
    $aadClientSecret = 'My-AAD-client-secret';
    $KeyVaultName = 'MySecureVault';
    $keyEncryptionKeyName = 'MyKeyEncryptionKey';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    # The KEK URL must be the versioned key identifier (the .Key.kid property).
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
    $sequenceVersion = [Guid]::NewGuid();
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType '[All|OS|Data]' -SequenceVersion $sequenceVersion -skipVmBackup;
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[KVresource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name].

    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id].

  • Verify that the disks are encrypted: To check on the encryption status of an IaaS VM, use the Get-AzVmDiskEncryptionStatus cmdlet.

    Get-AzVmDiskEncryptionStatus -ResourceGroupName MyVirtualMachineResourceGroup -VMName MySecureVM
    
  • Disable disk encryption: To disable encryption, use the Disable-AzVMDiskEncryption cmdlet. Disabling encryption is only allowed on data volumes for Linux VMs.

    Disable-AzVMDiskEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM'
    

Enable encryption on an existing or running IaaS Linux VM with a template

You can enable disk encryption on an existing or running IaaS Linux VM in Azure by using a Resource Manager template.

  1. Select Deploy to Azure on the Azure quickstart template.

  2. Select the subscription, resource group, resource group location, parameters, legal terms, and agreement. Select Create to enable encryption on the existing or running IaaS VM.

The following table lists the Resource Manager template parameters for existing or running VMs that use an Azure AD client ID:

Parameter             Description
AADClientID           Client ID of the Azure AD application that has permissions to write secrets to the key vault.
AADClientSecret       Client secret of the Azure AD application that has permissions to write secrets to your key vault.
keyVaultName          Name of the key vault that the key should be uploaded to. You can get it by using the Azure CLI command az keyvault show --name "MySecureVault" --query KVresourceGroup.
keyEncryptionKeyURL   URL of the key encryption key that's used to encrypt the generated key. This parameter is optional if you select nokek in the UseExistingKek drop-down list. If you select kek in the UseExistingKek drop-down list, you must enter the keyEncryptionKeyURL value.
volumeType            Type of volume that the encryption operation is performed on. Valid supported values are OS or All. (See the supported Linux distributions and their versions for OS and data disks in the prerequisites section earlier.)
sequenceVersion       Sequence version of the BitLocker operation. Increment this version number every time a disk-encryption operation is performed on the same VM.
vmName                Name of the VM that the encryption operation is to be performed on.
passphrase            Type a strong passphrase as the data encryption key.

Use the EncryptFormatAll feature for data disks on Linux IaaS VMs

The EncryptFormatAll parameter reduces the time for Linux data disks to be encrypted. Partitions that meet certain criteria are formatted (with their current file system). Then they're remounted back to where they were before command execution. If you want to exclude a data disk that meets the criteria, you can unmount it before you run the command.

After you run this command, any drives that were mounted previously are formatted. Then the encryption layer starts on top of the now-empty drive. When this option is selected, the temporary disk attached to the VM is also encrypted. If the ephemeral drive is reset, it's reformatted and re-encrypted for the VM by the Azure Disk Encryption solution at the next opportunity.

Warning

EncryptFormatAll shouldn't be used when there's needed data on a VM's data volumes. You can exclude disks from encryption by unmounting them. Try out the EncryptFormatAll parameter on a test VM first to understand the feature parameter and its implications before you try it on a production VM. The EncryptFormatAll option formats the data disk, so all the data on it will be lost. Before you proceed, verify that any disks you want to exclude are properly unmounted.

If you set this parameter while you update encryption settings, it might lead to a reboot before the actual encryption. In this case, you also want to remove the disks you don't want formatted from the fstab file. Similarly, you should add the partitions you want encrypt-formatted to the fstab file before you initiate the encryption operation.

EncryptFormatAll criteria

The parameter goes through all partitions and encrypts them as long as they meet all of the following criteria:

  • Is not a root/OS/boot partition
  • Is not already encrypted
  • Is not a BEK volume
  • Is not a RAID volume
  • Is not an LVM volume
  • Is mounted

Encrypt the disks that compose the RAID or LVM volume rather than the RAID or LVM volume itself.
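Because EncryptFormatAll formats every partition that matches the criteria above, it is worth listing those partitions before the command is run. The following bash preflight script is an added example; it is not part of this article or of the Azure Disk Encryption extension. It reads the output of `lsblk -P -o NAME,TYPE,FSTYPE,LABEL,MOUNTPOINT` and prints the partitions that would be encrypt-formatted, so any disk still holding needed data can be unmounted first. The sample `lsblk` output is constructed for the example; the "already encrypted", RAID and LVM checks rely on the FSTYPE values `crypto_LUKS`, `linux_raid_member` and `LVM2_member`, and the BEK volume is assumed to carry the label `BEK VOLUME`.

```shell
#!/usr/bin/env bash
# Added example: preflight for EncryptFormatAll. Lists the mounted partitions that
# match the article's criteria and would therefore be formatted. Not part of the
# Azure Disk Encryption extension.

# Reads `lsblk -P -o NAME,TYPE,FSTYPE,LABEL,MOUNTPOINT` output on stdin and prints
# one candidate device name per line.
encrypt_format_all_candidates() {
  awk '
  {
    split("", f)                      # reset the KEY="value" map for this line
    line = $0
    while (match(line, /[A-Z]+="[^"]*"/)) {
      kv = substr(line, RSTART, RLENGTH)
      eq = index(kv, "=")
      f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
      line = substr(line, RSTART + RLENGTH)
    }
    if (f["TYPE"] != "part") next                     # only partitions are considered
    mp = f["MOUNTPOINT"]
    if (mp == "") next                                # criterion: is mounted
    if (mp == "/" || mp == "/boot" || mp == "/boot/efi") next  # criterion: not root/OS/boot
    fs = f["FSTYPE"]
    if (fs == "crypto_LUKS") next                     # criterion: not already encrypted
    if (fs == "linux_raid_member") next               # criterion: not a RAID volume
    if (fs == "LVM2_member") next                     # criterion: not an LVM volume
    if (f["LABEL"] == "BEK VOLUME") next              # criterion: not the BEK volume (assumed label)
    print f["NAME"]
  }'
}

# Constructed sample output (not captured from a real VM). sdb1 is the temporary
# disk at /mnt/resource, which the article says is also encrypted by this option;
# sdd1 is attached but unmounted, so it is excluded.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" LABEL="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="ext4" LABEL="" MOUNTPOINT="/"
NAME="sda15" TYPE="part" FSTYPE="vfat" LABEL="UEFI" MOUNTPOINT="/boot/efi"
NAME="sdb1" TYPE="part" FSTYPE="ext4" LABEL="" MOUNTPOINT="/mnt/resource"
NAME="sdc1" TYPE="part" FSTYPE="ext4" LABEL="" MOUNTPOINT="/mnt/data1"
NAME="sdd1" TYPE="part" FSTYPE="ext4" LABEL="" MOUNTPOINT=""
NAME="sde1" TYPE="part" FSTYPE="crypto_LUKS" LABEL="" MOUNTPOINT="/mnt/already"
NAME="sdf1" TYPE="part" FSTYPE="LVM2_member" LABEL="" MOUNTPOINT=""
NAME="sdg1" TYPE="part" FSTYPE="linux_raid_member" LABEL="" MOUNTPOINT=""
NAME="sdh1" TYPE="part" FSTYPE="vfat" LABEL="BEK VOLUME" MOUNTPOINT="/mnt/azure_bek_disk"'

# Stand-alone run. On a real VM, pipe the live lsblk output instead:
#   lsblk -P -o NAME,TYPE,FSTYPE,LABEL,MOUNTPOINT | encrypt_format_all_candidates
printf '%s\n' "$SAMPLE_LSBLK" | encrypt_format_all_candidates
```

On the constructed sample the script prints `sdb1` and `sdc1`: the mounted temporary disk and the mounted data disk. Everything it prints will be formatted, so the check is only useful if it is run after the exclusions (unmounts and fstab edits) described above have been made.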

Use the EncryptFormatAll parameter with a template

To use the EncryptFormatAll option, use any preexisting Azure Resource Manager template that encrypts a Linux VM, and change the EncryptionOperation field for the AzureDiskEncryption resource.

  1. As an example, use the Resource Manager template to encrypt a running Linux IaaS VM.
  2. Select Deploy to Azure on the Azure quickstart template.
  3. Change the EncryptionOperation field from EnableEncryption to EnableEncryptionFormatAll.
  4. Select the subscription, resource group, resource group location, other parameters, legal terms, and agreement. Select Create to enable encryption on the existing or running IaaS VM.

Use the EncryptFormatAll parameter with a PowerShell cmdlet

Use the Set-AzVMDiskEncryptionExtension cmdlet with the EncryptFormatAll parameter.

Encrypt a running VM by using a client secret and EncryptFormatAll: As an example, the following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet with the EncryptFormatAll parameter. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyKeyVaultResourceGroup, MyVirtualMachineResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values.

$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$aadClientID = 'My-AAD-client-ID';
$aadClientSecret = 'My-AAD-client-secret';
$KeyVaultName = 'MySecureVault';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;

# -EncryptFormatAll formats and re-encrypts every mounted data partition that meets the criteria above.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -EncryptFormatAll

Use the EncryptFormatAll parameter with Logical Volume Manager (LVM)

We recommend an LVM-on-crypt setup. For all the following examples, replace the device path and mount points with whatever suits your use case. This setup can be done as follows:

  • Add the data disks that will compose the VM.

  • Format, mount, and add these disks to the fstab file.

    1. Format the newly added disk. We use the symlinks generated by Azure here. Using symlinks avoids problems related to device names changing. For more information, see Troubleshoot device name problems.

      mkfs -t ext4 /dev/disk/azure/scsi1/lun0

    2. Mount the disks.

      mount /dev/disk/azure/scsi1/lun0 /mnt/mountpoint

    3. Add to fstab.

      echo "/dev/disk/azure/scsi1/lun0 /mnt/mountpoint ext4 defaults,nofail 1 2" >> /etc/fstab

    4. Run the Set-AzVMDiskEncryptionExtension PowerShell cmdlet with -EncryptFormatAll to encrypt these disks.

      # -DiskEncryptionKeyVaultId is required; replace the placeholder with the vault's full resource ID (syntax in the note earlier on this page).
      Set-AzVMDiskEncryptionExtension -ResourceGroupName "MySecureGroup" -VMName "MySecureVM" -DiskEncryptionKeyVaultUrl "https://mykeyvault.vault.azure.cn/" -DiskEncryptionKeyVaultId "<key-vault-resource-id>" -EncryptFormatAll
      
    5. Set up LVM on top of these new disks. Note that the encrypted drives are unlocked only after the VM has finished booting, so the LVM mounting will also have to be delayed accordingly.

New IaaS VMs created from customer-encrypted VHD and encryption keys

In this scenario, you can enable encryption by using a Resource Manager template, PowerShell cmdlets, or CLI commands. The following sections explain the Resource Manager template and CLI commands in greater detail.

Use the instructions in the appendix to prepare pre-encrypted images that can be used in Azure. After the image is created, you can use the steps in the next section to create an encrypted Azure VM.

Important

It's mandatory to take a snapshot or back up a managed-disk-based VM instance outside of, and prior to, enabling Azure Disk Encryption. You can take a snapshot of the managed disk from the portal, or you can use Azure Backup. Backups ensure that a recovery option is possible in the case of any unexpected failure during encryption. After a backup is made, use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. The Set-AzVMDiskEncryptionExtension command fails against managed-disk-based VMs until a backup is made and this parameter is specified.

Encrypting or disabling encryption might cause the VM to reboot.

Use Azure PowerShell to encrypt IaaS VMs with pre-encrypted VHDs

You can enable disk encryption on your encrypted VHD by using the PowerShell cmdlet Set-AzVMOSDisk. The following example shows some common parameters.

$VirtualMachine = New-AzVMConfig -VMName "MySecureVM" -VMSize "Standard_A1"
# Attach the pre-encrypted OS disk. -Linux marks the OS type for this Linux VM; the two
# -DiskEncryptionKey* parameters point at the Key Vault secret that holds the disk encryption key.
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -Name "SecureOSDisk" -VhdUri "os.vhd" -Caching ReadWrite -Linux -CreateOption "Attach" -DiskEncryptionKeyUrl "https://mytestvault.vault.azure.cn/secrets/Test1/514ceb769c984379a7e0230bddaaaaaa" -DiskEncryptionKeyVaultId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mytestvault"
New-AzVM -VM $VirtualMachine -ResourceGroupName "MyVirtualMachineResourceGroup"

Enable encryption on a newly added data disk

You can add a new data disk by using az vm disk attach or through the Azure portal. Before you can encrypt, you need to mount the newly attached data disk first. You must request encryption of the data drive, because the drive will be unusable while encryption is in progress.

Enable encryption on a newly added disk with the Azure CLI

If the VM was previously encrypted with "All", then the --volume-type parameter should remain All. All includes both OS and data disks. If the VM was previously encrypted with a volume type of "OS", then the --volume-type parameter should be changed to All so that both the OS and the new data disk will be included. If the VM was encrypted with only the volume type of "Data", then it can remain "Data", as demonstrated here. Adding and attaching a new data disk to a VM is not sufficient preparation for encryption. The newly attached disk must also be formatted and properly mounted within the VM before you enable encryption. On Linux, the disk must be mounted in /etc/fstab with a persistent block device name.
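The persistent-name requirement just stated, and the `nofail` option used in the fstab line of the LVM procedure earlier on this page, can both be checked before encryption is enabled. The following bash function is an added example; it is not from this article or from Azure. It reads an /etc/fstab and reports data-disk entries that use a kernel-enumerated name such as /dev/sdX (which can change across reboots and attach/detach operations) and entries without `nofail` (which can hold up boot if the disk is still locked or absent when fstab is processed). The sample fstab is constructed; which name forms count as persistent (UUID=, LABEL=, PARTUUID=, /dev/disk/..., /dev/mapper/...) is the example's own choice.

```shell
#!/usr/bin/env bash
# Added example: fstab preflight for Azure Disk Encryption on Linux. Not Azure's own tooling.

# Reads fstab text on stdin and prints "<device> <mountpoint> <finding>" per problem found.
fstab_findings() {
  awk '
  NF == 0 || $1 ~ /^#/ { next }               # skip blank lines and comments
  {
    dev = $1; mp = $2; opts = $4
    # Kernel-enumerated names are not stable across reboots; ADE needs a persistent name
    # (UUID=, LABEL=, PARTUUID=, /dev/disk/... symlinks, or /dev/mapper/... LVM names).
    if (dev ~ /^\/dev\/(sd|hd|vd|xvd|nvme)/)
      print dev, mp, "non-persistent-device-name"
    # Data disks without nofail stall boot if the disk is locked or absent when fstab runs.
    if (mp != "/" && mp !~ /^\/boot/ && mp != "none" && mp != "swap" && opts !~ /(^|,)nofail(,|$)/)
      print dev, mp, "missing-nofail"
  }'
}

# Constructed sample fstab (not copied from a real VM). The /dev/sdc1 line is the one
# a newly attached, hand-edited data disk typically ends up with.
SAMPLE_FSTAB='# /etc/fstab
UUID=0000aaaa-1111-2222-3333-444455556666 / ext4 defaults 0 1
UUID=AAAA-BBBB /boot/efi vfat umask=0077 0 1
/dev/disk/cloud/azure_resource-part1 /mnt/resource auto defaults,nofail,x-systemd.requires=cloud-init.service,comment=cloudconfig 0 2
/dev/disk/azure/scsi1/lun0 /mnt/mountpoint ext4 defaults,nofail 1 2
/dev/sdc1 /mnt/data1 ext4 defaults 0 2
/dev/mapper/datavg-datalv /mnt/lvmdata ext4 defaults,nofail 0 2'

# Stand-alone run. On a VM use:  fstab_findings < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | fstab_findings
```

On the sample, only the `/dev/sdc1` entry is reported, once for each problem. The fix for both findings is the form the LVM procedure above uses: the `/dev/disk/azure/scsi1/lunN` symlink (or `UUID=`) as the device and `defaults,nofail` as the options.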

In contrast to the PowerShell syntax, the CLI doesn't require you to provide a unique sequence version when you enable encryption. The CLI automatically generates and uses its own unique sequence version value.

  • Encrypt a running VM by using a client secret:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI/my Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"
    
  • Encrypt a running VM by using a KEK to wrap the client secret:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI which is the Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type "Data"
    

Enable encryption on a newly added disk with Azure PowerShell

When you use PowerShell to encrypt a new disk for Linux, a new sequence version needs to be specified. The sequence version has to be unique. The following script generates a GUID for the sequence version.

  • Encrypt a running VM by using a client secret: The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. The -VolumeType parameter is set to data disks and not the OS disk. If the VM was previously encrypted with a volume type of "OS" or "All", then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included.

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup'; 
    $vmName = 'MySecureVM';
    $aadClientID = 'My-AAD-client-ID';
    $aadClientSecret = 'My-AAD-client-secret';
    $KeyVaultName = 'MySecureVault';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $sequenceVersion = [Guid]::NewGuid();
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType 'data' -SequenceVersion $sequenceVersion;
    
  • Encrypt a running VM by using a KEK to wrap the client secret: Azure Disk Encryption lets you specify an existing key in your key vault to wrap the disk encryption secrets that were generated while enabling encryption. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing them to Key Vault. The -VolumeType parameter is set to data disks and not the OS disk. If the VM was previously encrypted with a volume type of "OS" or "All", then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included.

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MyExtraSecureVM';
    $aadClientID = 'My-AAD-client-ID';
    $aadClientSecret = 'My-AAD-client-secret';
    $KeyVaultName = 'MySecureVault';
    $keyEncryptionKeyName = 'MyKeyEncryptionKey';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
    $sequenceVersion = [Guid]::NewGuid();
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType 'data' -SequenceVersion $sequenceVersion;
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name].

    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id].
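The same two syntax rules appear in each of the notes on this page, and the CLI examples above pass a bare vault name where the note asks for the full identifier, which is an easy mistake to make in a script. The following bash functions are an added example, not part of the Azure CLI or of this article: they check that a `--disk-encryption-keyvault` or `--key-encryption-keyvault` value has the full resource-ID form, that a `--key-encryption-key` value is a full versioned KEK URI, and that the KEK URI actually points into the vault named by the resource ID. The sample values are constructed (the subscription GUID is a placeholder); the 3-24 character alphanumeric/hyphen vault-name rule is Key Vault's, and the assumption that the KEK version segment is 32 hex digits is the example's own.

```shell
#!/usr/bin/env bash
# Added example: validate Key Vault identifiers before calling `az vm encryption enable`.
# Not part of the Azure CLI; the patterns encode the syntax described in the note above.

# Full resource ID of a key vault, as required for --disk-encryption-keyvault and
# --key-encryption-keyvault: /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
is_keyvault_resource_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[A-Za-z0-9-]{3,24}$'
}

# Full versioned URI of the KEK, as required for --key-encryption-key. The note uses the
# vault.azure.cn suffix; the 32-hex-digit version segment is an assumption of this example.
is_kek_url() {
  printf '%s\n' "$1" | grep -Eq \
    '^https://[A-Za-z0-9-]{3,24}\.vault\.azure\.cn/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

# The KEK must live in the vault named by --key-encryption-keyvault: compare the vault
# name at the end of the resource ID with the host label of the KEK URI (case-insensitive).
kek_matches_vault() {
  id_vault=$(printf '%s' "${1##*/}" | tr 'A-Z' 'a-z')
  host=${2#https://}
  url_vault=$(printf '%s' "${host%%.*}" | tr 'A-Z' 'a-z')
  [ "$id_vault" = "$url_vault" ]
}

# Run all three checks; returns non-zero (and says why on stderr) if any fails.
preflight() {
  is_keyvault_resource_id "$1" || { echo "bad --key-encryption-keyvault: $1" >&2; return 1; }
  is_kek_url "$2"              || { echo "bad --key-encryption-key: $2" >&2; return 1; }
  kek_matches_vault "$1" "$2"  || { echo "KEK URI is not in vault $1" >&2; return 1; }
  echo "identifiers are well-formed; safe to pass to az vm encryption enable"
}

# Constructed sample values (placeholder subscription GUID; MyKekVault is a made-up vault name).
KV_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyKeyVaultResourceGroup/providers/Microsoft.KeyVault/vaults/MyKekVault'
KEK_URL='https://MyKekVault.vault.azure.cn/keys/MyKeyEncryptionKey/0123456789abcdef0123456789abcdef'

# Stand-alone run: stop before invoking the CLI if any identifier is malformed.
preflight "$KV_ID" "$KEK_URL"
```

A bare vault name such as `MySecureVault` fails the first check, and a KEK URI without its version segment fails the second; `az keyvault show --name <vault> --query id` and `az keyvault key show --vault-name <vault> --name <key> --query key.kid` are the usual sources of the full forms.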

Disable encryption for Linux VMs

You can disable encryption by using Azure PowerShell, the Azure CLI, or a Resource Manager template.

Important

Disabling encryption with Azure Disk Encryption on Linux VMs is only supported for data volumes. It's not supported on data or OS volumes if the OS volume has been encrypted.

  • Disable disk encryption with Azure PowerShell: To disable encryption, use the Disable-AzVMDiskEncryption cmdlet.

    Disable-AzVMDiskEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM' [-VolumeType {All|Data|OS}]
    
  • Disable encryption with the Azure CLI: To disable encryption, use the az vm encryption disable command.

    az vm encryption disable --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup" --volume-type [ALL|DATA|OS]
    
  • Disable encryption with a Resource Manager template: To disable encryption, use the Disable encryption on a running Linux VM template.

    1. Select Deploy to Azure.
    2. Select the subscription, resource group, location, VM, legal terms, and agreement.
    3. Select Purchase to disable disk encryption on the running Linux VM.

Next steps