Quickstart: Create and encrypt a Linux VM in Azure with Azure PowerShell

The Azure PowerShell module is used to create and manage Azure resources from the PowerShell command line or in scripts. This quickstart shows you how to use the Azure PowerShell module to create a Linux virtual machine (VM), create a Key Vault for the storage of encryption keys, and encrypt the VM. This quickstart uses the Ubuntu 16.04 LTS marketplace image from Canonical and a VM size of Standard_D2S_V3.

If you don't have an Azure subscription, create a Trial account before you begin.

Create a resource group

Create an Azure resource group with New-AzResourceGroup. A resource group is a logical container into which Azure resources are deployed and managed:

New-AzResourceGroup -Name "myResourceGroup" -Location "ChinaEast2"

Create a virtual machine

Create an Azure virtual machine with New-AzVM, passing to it the VM configuration object you created above.

$cred = Get-Credential

New-AzVM -Name MyVm -Credential $cred -ResourceGroupName MyResourceGroup -Image Canonical:UbuntuServer:18.04-LTS:latest -Size Standard_D2S_V3

It will take a few minutes for your VM to be deployed.

Create a Key Vault configured for encryption keys

Azure Disk Encryption stores its encryption key in an Azure Key Vault. Create a Key Vault with New-AzKeyvault. To enable the Key Vault to store encryption keys, use the -EnabledForDiskEncryption parameter.

Important

Every key vault must have a name that is unique across Azure. In the examples below, replace <your-unique-keyvault-name> with the name you choose.

New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location ChinaEast2 -EnabledForDiskEncryption

Encrypt the virtual machine

Encrypt your VM with Set-AzVmDiskEncryptionExtension.

Set-AzVmDiskEncryptionExtension requires some values from your Key Vault object. You can obtain these values by passing the unique name of your key vault to Get-AzKeyvault.

$KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup"

Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -SkipVmBackup -VolumeType All

After a few minutes the process will return the following:

RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
                         True         OK OK

You can verify the encryption process by running Get-AzVmDiskEncryptionStatus.

Get-AzVmDiskEncryptionStatus -VMName MyVM -ResourceGroupName MyResourceGroup

When encryption is enabled, you will see the following in the returned output:

OsVolumeEncrypted          : EncryptionInProgress
DataVolumesEncrypted       : NotMounted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : OS disk encryption started
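The encrypt-then-verify steps above, as an added example that is not part of the original quickstart: it checks that the vault was actually created with -EnabledForDiskEncryption before starting, then polls Get-AzVMDiskEncryptionStatus until the OS volume reports Encrypted instead of stopping at EncryptionInProgress. It assumes the Az module is installed, Connect-AzAccount has been run, and the resource names are the ones used on this page; the $TimeoutMinutes parameter is an assumption of this script.

```powershell
# Added example: encrypt the VM from this quickstart and wait for completion.
# Assumes Az module + Connect-AzAccount; names match the ones used on this page.
param(
    [string]$ResourceGroupName = "MyResourceGroup",
    [string]$VMName            = "MyVM",
    [string]$VaultName         = "<your-unique-keyvault-name>",
    [int]$TimeoutMinutes       = 60   # assumed polling budget, not an Azure setting
)

$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if (-not $KeyVault) { throw "Key vault '$VaultName' not found in '$ResourceGroupName'." }

# Azure Disk Encryption rejects vaults that are not enabled for disk encryption;
# check the flag up front so the failure is explicit rather than buried in the extension log.
if (-not $KeyVault.EnabledForDiskEncryption) {
    throw "Key vault '$VaultName' is not enabled for disk encryption; re-create it with -EnabledForDiskEncryption."
}

# Same call as in the quickstart; -Force suppresses the interactive confirmation prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
    -DiskEncryptionKeyVaultId  $KeyVault.ResourceId `
    -VolumeType All -SkipVmBackup -Force

# Poll the status until the OS volume is Encrypted, a restart is required, or we time out.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    Write-Host ("{0:u}  OS={1}  Data={2}  {3}" -f (Get-Date),
        $status.OsVolumeEncrypted, $status.DataVolumesEncrypted, $status.ProgressMessage)
    if ($status.OsVolumeEncrypted -eq "Encrypted") { break }
    if ($status.OsVolumeEncrypted -eq "VMRestartPending") {
        Write-Warning "Restart the VM to finish OS disk encryption."
        break
    }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if ($status.OsVolumeEncrypted -ne "Encrypted") {
    throw "OS volume not Encrypted after $TimeoutMinutes minutes (state: $($status.OsVolumeEncrypted))."
}
```

Treat a final state other than Encrypted as a failed control: an Encrypted OS volume, not a successful Set-AzVMDiskEncryptionExtension call, is the evidence that the disk is protected.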

Clean up resources

When no longer needed, you can use the Remove-AzResourceGroup cmdlet to remove the resource group, VM, and all related resources:

Remove-AzResourceGroup -Name "myResourceGroup"

Next steps

In this quickstart, you created a virtual machine, created a Key Vault that was enabled for encryption keys, and encrypted the VM. Advance to the next article to learn more about Azure Disk Encryption for Linux VMs.