Azure Disk Encryption with Azure AD (previous release)

The new release of Azure Disk Encryption eliminates the requirement for providing an Azure Active Directory (Azure AD) application parameter to enable VM disk encryption. With the new release, you're no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters by using the new release. For instructions on how to enable VM disk encryption by using the new release, see Azure Disk Encryption for Linux VMs. VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.

This article supplements Azure Disk Encryption for Linux VMs with the additional requirements and prerequisites for Azure Disk Encryption with Azure AD (previous release).

The information in these sections remains the same:

Networking and Group Policy

To enable the Azure Disk Encryption feature by using the older AAD parameter syntax, the infrastructure as a service (IaaS) VMs must meet the following network endpoint configuration requirements:

  • To get a token to connect to your key vault, the IaaS VM must be able to connect to the Azure AD endpoint login.partner.microsoftonline.cn.

  • To write the encryption keys to your key vault, the IaaS VM must be able to connect to the key vault endpoint.

  • The IaaS VM must be able to connect to the Azure storage endpoint that hosts the Azure extension repository and to the Azure storage account that hosts the VHD files.

  • If your security policy limits access from Azure VMs to the internet, you can resolve the preceding URIs and configure a specific rule to allow outbound connectivity to those IPs. For more information, see Azure Key Vault behind a firewall.

  • On Windows, if TLS 1.0 is explicitly disabled and the .NET version isn't updated to 4.6 or higher, the following registry change enables Azure Disk Encryption to select the more recent TLS version:

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
        "SystemDefaultTlsVersions"=dword:00000001
        "SchUseStrongCrypto"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
        "SystemDefaultTlsVersions"=dword:00000001
        "SchUseStrongCrypto"=dword:00000001
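The network requirements above are easiest to verify before you run the enable-encryption step, and the firewall rule the fourth bullet describes needs the resolved IPs. The following preflight script is an added example for a Linux IaaS VM; it is not Microsoft tooling and not part of the original article. It takes the Azure AD endpoint from the page, and assumes the Azure China DNS suffixes `vault.azure.cn` for Key Vault and `blob.core.chinacloudapi.cn` for Blob storage (neither suffix is stated on the page; the extension repository host is not named there either, so pass any extra FQDNs as additional arguments). Vault and storage account names used in comments are constructed placeholders.

```shell
#!/usr/bin/env bash
# Preflight check for the Azure Disk Encryption (AAD syntax) network requirements.
# Added example, not Microsoft's tooling.
# ASSUMPTIONS (not stated on the page):
#   Key Vault FQDN    -> <vault>.vault.azure.cn
#   Blob storage FQDN -> <account>.blob.core.chinacloudapi.cn

AAD_ENDPOINT="login.partner.microsoftonline.cn"   # Azure AD endpoint named on the page
KV_SUFFIX="vault.azure.cn"                          # assumed Azure China Key Vault suffix
STORAGE_SUFFIX="blob.core.chinacloudapi.cn"         # assumed Azure China Blob suffix

# Print the FQDNs the VM must reach, one per line.
#   $1 = key vault name, $2 = storage account hosting the VHDs,
#   $3.. = any extra FQDNs (e.g. the extension repository host, not named on the page)
ade_required_endpoints() {
    printf '%s\n' "$AAD_ENDPOINT"
    printf '%s.%s\n' "$1" "$KV_SUFFIX"
    printf '%s.%s\n' "$2" "$STORAGE_SUFFIX"
    shift 2
    for extra in "$@"; do printf '%s\n' "$extra"; done
}

# Resolve a hostname to its IPv4 addresses (the values an outbound firewall
# rule would need). getent avoids a dependency on dig or host.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Return 0 if a TCP connection to <host>:443 opens within 5 seconds.
# Uses bash's /dev/tcp so no curl or nc is required on the VM.
tcp_443_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/443" 2>/dev/null
}

# Classify one endpoint and print "<host> ok|unresolved|blocked [ips]".
# Exit status: 0 reachable, 1 name does not resolve, 2 resolves but port 443 blocked.
check_endpoint() {
    host="$1"
    ips=$(resolve_host "$host" | paste -sd, -)
    if [ -z "$ips" ]; then
        printf '%s unresolved\n' "$host"; return 1
    fi
    if tcp_443_open "$host"; then
        printf '%s ok %s\n' "$host" "$ips"; return 0
    fi
    printf '%s blocked %s\n' "$host" "$ips"; return 2
}

# Check every required endpoint; return non-zero if any one is unreachable.
ade_preflight() {
    rc=0
    for host in $(ade_required_endpoints "$@"); do
        check_endpoint "$host" || rc=1
    done
    return $rc
}

# Usage (constructed names): bash ade_preflight.sh examplevault examplestorage
# Runs only when invoked with arguments so the functions can be sourced safely.
if [ "$#" -ge 2 ]; then
    ade_preflight "$@"
fi
```

A `blocked` result with a populated IP list is the case the fourth bullet addresses: the name resolves, but egress to port 443 is being filtered. Note that the resolved IPs are a point-in-time snapshot; Microsoft front-end addresses change, so a firewall rule built from them needs periodic re-resolution rather than a one-off allow list.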
    

Group Policy

  • The Azure Disk Encryption solution uses the BitLocker external key protector for Windows IaaS VMs. For domain-joined VMs, don't push any Group Policies that enforce TPM protectors. For information about the Group Policy for the option Allow BitLocker without a compatible TPM, see BitLocker Group Policy reference.

  • BitLocker policy on domain-joined virtual machines with a custom Group Policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key. Azure Disk Encryption fails when custom Group Policy settings for BitLocker are incompatible. On machines that don't have the correct policy setting, apply the new policy, force the new policy to update (gpupdate.exe /force), and then restart if it's required.

Encryption key storage requirements

Azure Disk Encryption requires Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

For more information, see Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release).

Next steps