Azure Disk Encryption for Linux VMs

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and it is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

If you use Azure Security Center, you are alerted when you have VMs that are not encrypted. The alerts show as High Severity, and the recommendation is to encrypt these VMs.

Figure: Azure Security Center disk encryption alert

Warning

  • If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue to use this option to encrypt your VM. See Azure Disk Encryption with Azure AD (previous release) for details.
  • Certain recommendations might increase data, network, or compute resource usage, resulting in additional license or subscription costs. You must have a valid, active Azure subscription to create resources in Azure in the supported regions.
  • Currently, Generation 2 VMs do not support Azure Disk Encryption. See Support for Generation 2 VMs on Azure for details.

You can learn the fundamentals of Azure Disk Encryption for Linux in just a few minutes with the Create and encrypt a Linux VM with Azure CLI quickstart or the Create and encrypt a Linux VM with Azure PowerShell quickstart.

Supported VMs and operating systems

Supported VMs

Linux VMs are available in a range of sizes. Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines that do not meet these minimum memory requirements:

| Virtual machine | Minimum memory requirement |
| --- | --- |
| Linux VMs when only encrypting data volumes | 2 GB |
| Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is 4 GB or less | 8 GB |
| Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is greater than 4 GB | Twice the root file system usage. For instance, 16 GB of root file system usage requires at least 32 GB of RAM. |

Once the OS disk encryption process is complete on a Linux virtual machine, the VM can be configured to run with less memory.

Azure Disk Encryption is also available for VMs with premium storage.

Azure Disk Encryption is not available on Generation 2 VMs. For more exceptions, see Azure Disk Encryption: Unsupported scenarios.

Supported operating systems

Azure Disk Encryption is supported on a subset of the Azure-endorsed Linux distributions, which is itself a subset of all possible Linux server distributions.

Figure: Venn diagram of Linux server distributions that support Azure Disk Encryption

Linux server distributions that are not endorsed by Azure do not support Azure Disk Encryption; of those that are endorsed, only the following distributions and versions support Azure Disk Encryption:

| Publisher | Offer | SKU | URN | Volume type supported for encryption |
| --- | --- | --- | --- | --- |
| Canonical | Ubuntu | 18.04-LTS | Canonical:UbuntuServer:18.04-LTS:latest | OS and data disk |
| Canonical | Ubuntu 18.04 | 18.04-DAILY-LTS | Canonical:UbuntuServer:18.04-DAILY-LTS:latest | OS and data disk |
| Canonical | Ubuntu 16.04 | 16.04-DAILY-LTS | Canonical:UbuntuServer:16.04-DAILY-LTS:latest | OS and data disk |
| Canonical | Ubuntu 14.04.5 with Azure tuned kernel updated to 4.15 or later | 14.04.5-LTS | Canonical:UbuntuServer:14.04.5-LTS:latest | OS and data disk |
| Canonical | Ubuntu 14.04.5 with Azure tuned kernel updated to 4.15 or later | 14.04.5-DAILY-LTS | Canonical:UbuntuServer:14.04.5-DAILY-LTS:latest | OS and data disk |
| OpenLogic | CentOS 7.7 | 7.7 | OpenLogic:CentOS:7.7:latest | OS and data disk |
| OpenLogic | CentOS 7.7 | 7-LVM | OpenLogic:CentOS:7-LVM:latest | OS and data disk |
| OpenLogic | CentOS 7.6 | 7.6 | OpenLogic:CentOS:7.6:latest | OS and data disk |
| OpenLogic | CentOS 7.5 | 7.5 | OpenLogic:CentOS:7.5:latest | OS and data disk |
| OpenLogic | CentOS 7.4 | 7.4 | OpenLogic:CentOS:7.4:latest | OS and data disk |
| OpenLogic | CentOS 7.3 | 7.3 | OpenLogic:CentOS:7.3:latest | OS and data disk |
| OpenLogic | CentOS 7.2n | 7.2n | OpenLogic:CentOS:7.2n:latest | OS and data disk |
| OpenLogic | CentOS 7.1 | 7.1 | OpenLogic:CentOS:7.1:latest | Data disk only |
| OpenLogic | CentOS 7.0 | 7.0 | OpenLogic:CentOS:7.0:latest | Data disk only |
| OpenLogic | CentOS 6.8 | 6.8 | OpenLogic:CentOS:6.8:latest | Data disk only |
| SUSE | SLES 12-SP4 | 12-SP4 | SUSE:SLES:12-SP4:latest | Data disk only |
| SUSE | SLES HPC 12-SP3 | 12-SP3 | SUSE:SLES-HPC:12-SP3:latest | Data disk only |

Additional VM requirements

Azure Disk Encryption requires the dm-crypt and vfat modules to be present on the system. Removing or disabling vfat from the default image will prevent the system from reading the key volume and obtaining the key needed to unlock the disks on subsequent reboots. System hardening steps that remove the vfat module from the system, or that split OS mount points or folders out onto data drives, are not compatible with Azure Disk Encryption.

Before enabling encryption, the data disks to be encrypted must be properly listed in /etc/fstab. Use the nofail option when creating entries, and choose a persistent block device name: device names in the /dev/sdX form may not be associated with the same disk across reboots, particularly after encryption. For more detail on this behavior, see Troubleshoot Linux VM device name changes.

Make sure the /etc/fstab settings are configured properly for mounting. To verify them, run the mount -a command, or reboot the VM and trigger the remount that way. Once that is complete, check the output of the lsblk command to confirm that the drive is still mounted.

  • If the /etc/fstab file does not mount the drive properly before encryption is enabled, Azure Disk Encryption will not be able to mount it properly either.
  • As part of the encryption process, Azure Disk Encryption moves the mount information out of /etc/fstab and into its own configuration file. Do not be alarmed to see the entry missing from /etc/fstab after data drive encryption completes.
  • Before starting encryption, be sure to stop all services and processes that could be writing to the mounted data disks, and disable them so that they do not restart automatically after a reboot. Such processes can keep files open on these partitions, which prevents the encryption procedure from remounting them and causes the encryption to fail.
  • After a reboot, it takes time for the Azure Disk Encryption process to mount the newly encrypted disks; they are not immediately available. The process needs time to start, unlock, and then mount the encrypted drives before other processes can access them. Depending on the system characteristics, this can take more than a minute after a reboot.

Here is an example of the commands used to mount the data disks and create the necessary /etc/fstab entries:

# Read the filesystem UUIDs of the two data disks through their persistent Azure device paths
UUID0="$(blkid -s UUID -o value /dev/disk/azure/scsi1/lun0)"
UUID1="$(blkid -s UUID -o value /dev/disk/azure/scsi1/lun1)"
# Create the mount points
mkdir /data0
mkdir /data1
# Add UUID-based entries with the nofail option, so a missing disk does not block boot
echo "UUID=$UUID0 /data0 ext4 defaults,nofail 0 0" >>/etc/fstab
echo "UUID=$UUID1 /data1 ext4 defaults,nofail 0 0" >>/etc/fstab
# Mount everything listed in /etc/fstab; then confirm with lsblk that both disks are mounted
mount -a

Networking requirements

To enable the Azure Disk Encryption feature, the Linux VMs must meet the following network endpoint configuration requirements:

  • To get a token to connect to your key vault, the Linux VM must be able to connect to the Azure Active Directory endpoint login.partner.microsoftonline.cn.
  • To write the encryption keys to your key vault, the Linux VM must be able to connect to the key vault endpoint.
  • The Linux VM must be able to connect to the Azure storage endpoint that hosts the Azure extension repository and to the Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URIs and configure specific rules to allow outbound connectivity to those IPs. For more information, see Azure Key Vault behind a firewall.
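The following script is an added example for this article, not part of the Azure documentation or of the Azure Disk Encryption extension. It turns the requirements above into preflight checks that can be run as root on the VM before enabling encryption: the minimum-memory rule from the supported-VM table, availability of the dm_crypt and vfat kernel modules, /etc/fstab data-disk entries that use a persistent identifier and the nofail option, and outbound reachability of the Azure AD endpoint and the key vault endpoint. The vault hostname myvault.vault.azure.cn, the ADE_PREFLIGHT_RUN variable and the sample fstab lines are assumptions for illustration only; modprobe -n is used to confirm that a module is loadable or built in without loading it, and any HTTPS response (including an HTTP error) counts as the endpoint being reachable.

```shell
#!/bin/sh
# ade_preflight.sh: preflight checks before enabling Azure Disk Encryption on a Linux VM.
# Added example, not part of the ADE extension. Run as root on the VM (vault hostname is assumed):
#   ADE_PREFLIGHT_RUN=1 sh ade_preflight.sh myvault.vault.azure.cn

# Minimum RAM in GB from the supported-VM table: 2 GB for data disks only, 8 GB when the
# OS disk is also encrypted and root usage is <= 4 GB, otherwise twice the root usage.
ade_min_memory_gb() {
  encrypt_os="$1"; root_used_gb="$2"
  if [ "$encrypt_os" != "yes" ]; then echo 2
  elif [ "$root_used_gb" -le 4 ]; then echo 8
  else echo $((root_used_gb * 2))
  fi
}

# Validate one /etc/fstab line for a data disk: a persistent identifier (UUID=, PARTUUID=,
# LABEL= or a /dev/disk/... path) plus the nofail option. Comments, blank lines and the OS
# mounts (/, /boot, /boot/efi, swap) are skipped. Prints the reason to stderr on failure.
ade_check_fstab_line() {
  line="$1"
  case "$line" in ''|'#'*) return 0 ;; esac
  set -- $line
  dev="$1"; mnt="$2"; opts="$4"
  case "$mnt" in /|/boot|/boot/efi|none|swap) return 0 ;; esac
  case "$dev" in
    UUID=*|PARTUUID=*|LABEL=*|/dev/disk/*) ;;
    *) echo "fstab: $mnt uses non-persistent device name $dev" >&2; return 1 ;;
  esac
  case ",$opts," in
    *,nofail,*) ;;
    *) echo "fstab: $mnt is missing the nofail option" >&2; return 1 ;;
  esac
  return 0
}

# Check every line of an fstab file; echo the number of bad lines, exit status 1 if any.
ade_check_fstab_file() {
  bad=0
  while IFS= read -r l || [ -n "$l" ]; do
    ade_check_fstab_line "$l" || bad=$((bad + 1))
  done < "$1"
  echo "$bad"
  [ "$bad" -eq 0 ]
}

# Confirm dm_crypt and vfat are available (loadable or built in) without loading them.
ade_check_modules() {
  ok=0
  for m in dm_crypt vfat; do
    modprobe -n -q "$m" 2>/dev/null || { echo "kernel module not available: $m" >&2; ok=1; }
  done
  return $ok
}

# Confirm each host resolves and completes an HTTPS request on 443; any HTTP status is fine.
ade_check_endpoints() {
  ok=0
  for h in "$@"; do
    getent ahosts "$h" >/dev/null || { echo "cannot resolve $h" >&2; ok=1; continue; }
    curl -sS -o /dev/null --max-time 10 "https://$h/" || { echo "cannot reach $h:443" >&2; ok=1; }
  done
  return $ok
}

# Compare installed RAM with the rule above, using the live root filesystem usage.
ade_check_memory() {
  encrypt_os="$1"
  ram_gb=$(( $(awk '/MemTotal/ {print $2}' /proc/meminfo) / 1024 / 1024 ))
  root_gb=$(( $(df -k --output=used / | tail -1) / 1024 / 1024 ))
  need=$(ade_min_memory_gb "$encrypt_os" "$root_gb")
  [ "$ram_gb" -ge "$need" ] || { echo "RAM ${ram_gb} GB < required ${need} GB (root usage ${root_gb} GB)" >&2; return 1; }
}

# Entry point, guarded so the functions can also be sourced without side effects.
if [ "${ADE_PREFLIGHT_RUN:-0}" = 1 ]; then
  rc=0
  ade_check_memory yes || rc=1
  ade_check_modules || rc=1
  ade_check_fstab_file /etc/fstab >/dev/null || rc=1
  ade_check_endpoints login.partner.microsoftonline.cn "${1:-myvault.vault.azure.cn}" || rc=1
  if [ "$rc" -eq 0 ]; then echo "preflight OK"; else echo "preflight FAILED" >&2; fi
  exit "$rc"
fi
```

A clean run means the VM meets the documented prerequisites; it does not prove that encryption will succeed, and it deliberately does not check the storage endpoints, whose hostnames depend on the storage account and region. Pass "no" to ade_check_memory when only data disks will be encrypted.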

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

For details, see Creating and configuring a key vault for Azure Disk Encryption.

Terminology

The following table defines some of the common terms used in the Azure Disk Encryption documentation:

| Terminology | Definition |
| --- | --- |
| Azure Key Vault | Key Vault is a cryptographic key management service that is based on Federal Information Processing Standards (FIPS) validated hardware security modules. These standards help to safeguard your cryptographic keys and sensitive secrets. For more information, see the Azure Key Vault documentation and Creating and configuring a key vault for Azure Disk Encryption. |
| Azure CLI | The Azure CLI is optimized for managing and administering Azure resources from the command line. |
| DM-Crypt | DM-Crypt is the Linux-based, transparent disk-encryption subsystem that is used to enable disk encryption on Linux VMs. |
| Key encryption key (KEK) | The asymmetric key (RSA 2048) that you can use to protect or wrap the secret. You can provide a software-protected key. For more information, see the Azure Key Vault documentation and Creating and configuring a key vault for Azure Disk Encryption. |
| PowerShell cmdlets | For more information, see Azure PowerShell cmdlets. |

Next steps