Use the Azure CLI to enable server-side encryption with customer-managed keys for managed disks

Azure Disk Storage allows you to manage your own keys when using server-side encryption (SSE) for managed disks, if you choose. For conceptual information on SSE with customer-managed keys, as well as other managed disk encryption types, see the Customer-managed keys section of our disk encryption article.

Restrictions

For now, customer-managed keys have the following restrictions:

  • If this feature is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data to an entirely different managed disk that isn't using customer-managed keys.

  • Only software keys of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported; no other keys or sizes.

  • Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.

  • Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.

  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.

  • Disks, snapshots, and images encrypted with customer-managed keys cannot move to another subscription.

  • Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.

  • You can only create up to 50 disk encryption sets per region per subscription.

Set up your Azure Key Vault and DiskEncryptionSet

First, you must set up an Azure Key Vault and a DiskEncryptionSet resource.

  1. Make sure that you have installed the latest Azure CLI and logged in to an Azure account with az login.

  2. Create an instance of Azure Key Vault and an encryption key.

    When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 days by default). Purge protection ensures that a deleted key cannot be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.

    Important

    Do not camel case the region; if you do, you may experience problems when assigning additional disks to the resource in the Azure portal.

    subscriptionId=yourSubscriptionID
    rgName=yourResourceGroupName
    location=chinaeast
    keyVaultName=yourKeyVaultName
    keyName=yourKeyName
    diskEncryptionSetName=yourDiskEncryptionSetName
    diskName=yourDiskName
    
    az account set --subscription $subscriptionId
    
    az keyvault create -n $keyVaultName -g $rgName -l $location --enable-purge-protection true --enable-soft-delete true
    
    az keyvault key create --vault-name $keyVaultName -n $keyName --protection software
    
  3. Create an instance of a DiskEncryptionSet.

    keyVaultId=$(az keyvault show --name $keyVaultName --query [id] -o tsv)
    
    keyVaultKeyUrl=$(az keyvault key show --vault-name $keyVaultName --name $keyName --query [key.kid] -o tsv)
    
    az disk-encryption-set create -n $diskEncryptionSetName -l $location -g $rgName --source-vault $keyVaultId --key-url $keyVaultKeyUrl
    
  4. Grant the DiskEncryptionSet resource access to the key vault.

    Note

    It may take a few minutes for Azure to create the identity of your DiskEncryptionSet in your Azure Active Directory. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again.

    desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
    
    az keyvault set-policy -n $keyVaultName -g $rgName --object-id $desIdentity --key-permissions wrapkey unwrapkey get
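Before creating the DiskEncryptionSet it is worth confirming that the vault and key actually meet the requirements stated above (soft delete and purge protection on, software RSA key of 2048, 3072 or 4096 bits). The following pre-flight script is an added example, not part of the Azure documentation; the function names and the `az` queries it wraps are the author's own choices, and the key size is derived from the JWK modulus that `az keyvault key show` returns.

```shell
#!/bin/sh
# Added pre-flight check (not from the Azure docs): verify that a Key Vault and
# key satisfy the CMK requirements before creating the DiskEncryptionSet.
# The check itself is a pure function; only cmk_preflight_live needs `az`.

# Derive the RSA key size from the base64url-encoded modulus ("n" in the JWK
# returned by `az keyvault key show`): bytes = floor(len * 3 / 4), bits = bytes * 8.
key_bits_from_modulus() {
  n=${1%%=*}                      # strip any base64 padding, if present
  echo $(( ${#n} * 3 / 4 * 8 ))
}

# Args: enableSoftDelete enablePurgeProtection keyType keyBits
# Prints each violated requirement; returns 0 only when all of them hold.
cmk_preflight() {
  sd=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # az tsv prints True/False
  pp=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  kty="$3"; bits="$4"; ok=0
  [ "$sd" = "true" ] || { echo "FAIL: soft delete is not enabled on the vault"; ok=1; }
  [ "$pp" = "true" ] || { echo "FAIL: purge protection is not enabled on the vault"; ok=1; }
  [ "$kty" = "RSA" ] || { echo "FAIL: key type '$kty' is not a software RSA key"; ok=1; }
  case "$bits" in
    2048|3072|4096) ;;
    *) echo "FAIL: key size $bits is not 2048, 3072 or 4096 bits"; ok=1 ;;
  esac
  return $ok
}

# Live wrapper: read the vault and key properties with the Azure CLI.
cmk_preflight_live() {
  vault="$1"; key="$2"
  props=$(az keyvault show -n "$vault" \
          --query "[properties.enableSoftDelete, properties.enablePurgeProtection]" -o tsv)
  jwk=$(az keyvault key show --vault-name "$vault" -n "$key" --query "[key.kty, key.n]" -o tsv)
  set -- $props $jwk            # word-split the two TSV rows into $1..$4
  cmk_preflight "$1" "$2" "$3" "$(key_bits_from_modulus "$4")"
}

# Usage: sh preflight.sh <keyVaultName> <keyName>
if [ "$#" -eq 2 ]; then
  cmk_preflight_live "$1" "$2" && echo "Vault and key satisfy the CMK requirements"
fi
```

Run it against the vault and key from step 2; a non-zero exit lists every requirement that is not met.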
    

Now that you've created and configured these resources, you can use them to secure your managed disks. The following sections contain example scripts, each for a respective scenario, that you can use to secure your managed disks.

Examples

Create a VM using a Marketplace image, encrypting the OS and data disks with customer-managed keys

rgName=yourResourceGroupName
vmName=yourVMName
location=chinanorth2
vmSize=Standard_DS3_V2
image=UbuntuLTS
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az vm create -g $rgName -n $vmName -l $location --image $image --size $vmSize --generate-ssh-keys --os-disk-encryption-set $diskEncryptionSetId --data-disk-sizes-gb 128 128 --data-disk-encryption-sets $diskEncryptionSetId $diskEncryptionSetId

Encrypt existing managed disks

Your existing disks must not be attached to a running VM in order for you to encrypt them using the following script:

rgName=yourResourceGroupName
diskName=yourDiskName
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az disk update -n $diskName -g $rgName --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetId

Create a virtual machine scale set using a Marketplace image, encrypting the OS and data disks with customer-managed keys

rgName=yourResourceGroupName
vmssName=yourVMSSName
location=chinanorth2
vmSize=Standard_DS3_V2
image=UbuntuLTS
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az vmss create -g $rgName -n $vmssName -l $location --image $image --vm-sku $vmSize --upgrade-policy automatic --admin-username azureuser --generate-ssh-keys --os-disk-encryption-set $diskEncryptionSetId --data-disk-sizes-gb 64 128 --data-disk-encryption-sets $diskEncryptionSetId $diskEncryptionSetId

Create an empty disk encrypted using server-side encryption with customer-managed keys and attach it to a VM

vmName=yourVMName
rgName=yourResourceGroupName
diskName=yourDiskName
diskSkuName=Premium_LRS
diskSizeinGiB=30
location=chinanorth2
diskLUN=2
diskEncryptionSetName=yourDiskEncryptionSetName


diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az disk create -n $diskName -g $rgName -l $location --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetId --size-gb $diskSizeinGiB --sku $diskSkuName

diskId=$(az disk show -n $diskName -g $rgName --query [id] -o tsv)

az vm disk attach --vm-name $vmName --lun $diskLUN --ids $diskId 

Change the key of a DiskEncryptionSet to rotate the key for all the resources referencing the DiskEncryptionSet

rgName=yourResourceGroupName
keyVaultName=yourKeyVaultName
keyName=yourKeyName
diskEncryptionSetName=yourDiskEncryptionSetName

keyVaultId=$(az keyvault show --name $keyVaultName --query [id] -o tsv)

keyVaultKeyUrl=$(az keyvault key show --vault-name $keyVaultName --name $keyName --query [key.kid] -o tsv)

az disk-encryption-set update -n $diskEncryptionSetName -g $rgName --key-url $keyVaultKeyUrl --source-vault $keyVaultId

Find the status of server-side encryption of a disk

az disk show -g yourResourceGroupName -n yourDiskName --query [encryption.type] -o tsv
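The single-disk query above scales poorly once a resource group holds many disks, and it does not tell you whether a CMK-encrypted disk is bound to the DiskEncryptionSet you intended. The following audit script is an added example, not part of the Azure documentation; it assumes an `az` session that can read the resource group, and its function names are the author's own.

```shell
#!/bin/sh
# Added audit script (not from the Azure docs): list every managed disk in a
# resource group and flag any that is not encrypted with customer-managed keys
# through the expected DiskEncryptionSet. Classification is a pure function so
# it can be exercised offline; only audit_disks talks to Azure.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Args: diskName encryption.type encryption.diskEncryptionSetId expectedDesId
# Prints a one-line verdict; returns 0 only for a compliant disk.
classify_disk() {
  name="$1"; enc="$2"; des="$3"; expected="$4"
  case "$enc" in
    EncryptionAtRestWithCustomerKey)
      # Azure matches resource IDs case-insensitively, so normalise before comparing.
      if [ "$(lower "$des")" = "$(lower "$expected")" ]; then
        echo "OK       $name: CMK via the expected DiskEncryptionSet"; return 0
      fi
      echo "MISMATCH $name: CMK via a different set: $des"; return 1 ;;
    EncryptionAtRestWithPlatformKey)
      echo "PMK      $name: platform-managed key only"; return 1 ;;
    *)
      echo "UNKNOWN  $name: encryption.type='$enc'"; return 1 ;;
  esac
}

# Live audit: returns non-zero if any disk in the resource group fails the check.
audit_disks() {
  rg="$1"; des_name="$2"; rc=0
  expected=$(az disk-encryption-set show -n "$des_name" -g "$rg" --query id -o tsv)
  rows=$(mktemp)
  # One TSV row per disk: name, encryption type, DiskEncryptionSet id (empty for PMK)
  az disk list -g "$rg" \
    --query "[].[name, encryption.type, encryption.diskEncryptionSetId]" -o tsv > "$rows"
  while IFS="$(printf '\t')" read -r name enc des; do
    classify_disk "$name" "$enc" "$des" "$expected" || rc=1
  done < "$rows"      # redirect, not a pipe, so rc survives the loop
  rm -f "$rows"
  return $rc
}

# Usage: sh audit-disks.sh <resourceGroup> <diskEncryptionSetName>
if [ "$#" -eq 2 ]; then
  audit_disks "$1" "$2" || echo "One or more disks are not protected by the expected key"
fi
```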

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.

Next steps