Use the Azure CLI to enable double encryption at rest for managed disks

Azure Disk Storage supports double encryption at rest for managed disks: the data is encrypted once with a platform-managed key and again with a customer-managed key held in Azure Key Vault. For conceptual information on double encryption at rest, as well as the other managed disk encryption types, see the Double encryption at rest section of the disk encryption article.

Prerequisites

Install the latest Azure CLI and log in to an Azure account with az login.

Getting started

  1. Create an instance of Azure Key Vault and an encryption key.

    When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault retains a deleted key for a given retention period (90 days by default). Purge protection ensures that a soft-deleted key cannot be permanently deleted until the retention period lapses. Together these settings protect you from losing data through accidental deletion: a disk encrypted with a key that has been purged cannot be read. Both settings are mandatory when a Key Vault is used for encrypting managed disks. Note that newer Azure CLI releases enable soft delete on every new vault and report --enable-soft-delete as deprecated, while purge protection still has to be requested explicitly.

    subscriptionId=yourSubscriptionID
    rgName=yourResourceGroupName
    location=chinaeast2
    keyVaultName=yourKeyVaultName
    keyName=yourKeyName
    diskEncryptionSetName=yourDiskEncryptionSetName
    diskName=yourDiskName
    
    az account set --subscription $subscriptionId
    
    az keyvault create -n $keyVaultName -g $rgName -l $location --enable-purge-protection true --enable-soft-delete true
    
    az keyvault key create --vault-name $keyVaultName -n $keyName --protection software
    
  2. Create a DiskEncryptionSet with encryptionType set to EncryptionAtRestWithPlatformAndCustomerKeys. Use API version 2020-05-01 in the Azure Resource Manager (ARM) template. The template needs the resource ID of the vault and the versioned URL of the key created in step 1, so read both back from the vault before deploying.

    # Resource ID of the vault and the versioned URL (key.kid) of the key created in step 1;
    # both are passed to the template below and were not set earlier in this walkthrough.
    keyVaultId=$(az keyvault show --name $keyVaultName --query "[id]" -o tsv)
    keyVaultKeyUrl=$(az keyvault key show --vault-name $keyVaultName --name $keyName --query "[key.kid]" -o tsv)
    
    az deployment group create -g $rgName \
    --template-uri "https://raw.githubusercontent.com/Azure-Samples/managed-disks-powershell-getting-started/master/DoubleEncryption/CreateDiskEncryptionSetForDoubleEncryption.json" \
    --parameters "diskEncryptionSetName=$diskEncryptionSetName" "encryptionType=EncryptionAtRestWithPlatformAndCustomerKeys" "keyVaultId=$keyVaultId" "keyVaultKeyUrl=$keyVaultKeyUrl" "region=$location"
    
  3. Grant the DiskEncryptionSet's managed identity access to the key vault. The DiskEncryptionSet only needs to wrap and unwrap the disk data keys with your key and to read the key's metadata, so grant exactly the get, wrapKey and unwrapKey key permissions and nothing more.

    Note

    It may take a few minutes for Azure to create the identity of your DiskEncryptionSet in Azure Active Directory. If you get an error like "Cannot find the Active Directory object" when running the following commands, wait a few minutes and try again. If the vault was created with --enable-rbac-authorization, access policies are ignored and az keyvault set-policy has no effect; in that case assign the built-in Key Vault Crypto Service Encryption User role to the DiskEncryptionSet identity instead.

    desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
    
    az keyvault set-policy -n $keyVaultName -g $rgName --object-id $desIdentity --key-permissions wrapkey unwrapkey get
    
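Once the three steps have run, it is worth checking the result rather than trusting that each command did what was intended: a vault without purge protection, a DiskEncryptionSet created with the single-key encryptionType, or a missing access policy all leave the disk less protected than the page describes. The script below is an added example, not part of the Azure documentation. It consumes the JSON that `az keyvault show -o json` and `az disk-encryption-set show -o json` return and reports every deviation from steps 1 to 3. The two sample documents embedded in it are constructed to mirror those output shapes; the subscription, object IDs, names and key version in them are placeholders, not real resources.

```python
"""Offline checks for a managed-disk double-encryption setup (added example).

Usage with real output (assumed invocation, not from the page):
  az keyvault show -n $keyVaultName -g $rgName -o json > vault.json
  az disk-encryption-set show -n $diskEncryptionSetName -g $rgName -o json > des.json
  python check_double_encryption.py vault.json des.json
"""
import json
import sys

REQUIRED_ENCRYPTION_TYPE = "EncryptionAtRestWithPlatformAndCustomerKeys"
# Exactly what step 3 grants with --key-permissions wrapkey unwrapkey get.
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}

# Constructed sample of `az keyvault show -o json`, abridged to the fields checked here.
SAMPLE_VAULT = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/yourResourceGroupName/providers/Microsoft.KeyVault/vaults/yourKeyVaultName",
  "name": "yourKeyVaultName",
  "properties": {
    "vaultUri": "https://yourkeyvaultname.vault.azure.cn/",
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"keys": ["get", "wrapKey", "unwrapKey"], "secrets": [], "certificates": []}
      }
    ]
  }
}
""")

# Constructed sample of `az disk-encryption-set show -o json`, abridged. The sourceVault id
# deliberately differs in letter case from the vault id above: ARM resource IDs are case-insensitive.
SAMPLE_DES = json.loads("""
{
  "name": "yourDiskEncryptionSetName",
  "encryptionType": "EncryptionAtRestWithPlatformAndCustomerKeys",
  "identity": {"principalId": "11111111-1111-1111-1111-111111111111", "type": "SystemAssigned"},
  "activeKey": {
    "keyUrl": "https://yourkeyvaultname.vault.azure.cn/keys/yourKeyName/0123456789abcdef0123456789abcdef",
    "sourceVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/yourresourcegroupname/providers/microsoft.keyvault/vaults/yourkeyvaultname"}
  }
}
""")


def key_permissions_for(vault, object_id):
    """Key permissions the vault's access policies grant to object_id, lower-cased.
    Key Vault reports names in camelCase (wrapKey) while the CLI accepts them in lower case."""
    granted = set()
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        if policy.get("objectId", "").lower() == object_id.lower():
            granted |= {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
    return granted


def audit(vault, des):
    """Return a list of findings; an empty list means steps 1 to 3 are reflected in the resources."""
    findings = []
    props = vault.get("properties", {})

    # Step 1: the vault must keep deleted keys and must not allow them to be purged early.
    if props.get("enableSoftDelete") is not True:
        findings.append("vault: soft delete is not enabled")
    if props.get("enablePurgeProtection") is not True:
        findings.append("vault: purge protection is not enabled")

    # Step 2: double encryption is selected solely by the encryptionType of the set.
    enc = des.get("encryptionType")
    if enc != REQUIRED_ENCRYPTION_TYPE:
        findings.append(f"des: encryptionType is {enc!r}, expected {REQUIRED_ENCRYPTION_TYPE!r}")
    active = des.get("activeKey") or {}
    source_id = (active.get("sourceVault") or {}).get("id", "")
    if source_id.lower() != vault.get("id", "").lower():
        findings.append("des: activeKey.sourceVault.id does not refer to this vault")
    if not active.get("keyUrl", "").lower().startswith(props.get("vaultUri", "?").lower()):
        findings.append("des: activeKey.keyUrl is not hosted by this vault")

    # Step 3: the set's identity must exist and hold exactly the wrap/unwrap/get permissions.
    principal = (des.get("identity") or {}).get("principalId")
    if not principal:
        findings.append("des: identity has no principalId yet (creation can lag a few minutes)")
    elif props.get("enableRbacAuthorization"):
        findings.append("vault: RBAC authorization is on, so access policies are ignored; verify the "
                        "Key Vault Crypto Service Encryption User role assignment for the des identity")
    else:
        missing = REQUIRED_KEY_PERMISSIONS - key_permissions_for(vault, principal)
        if missing:
            findings.append("vault: des identity lacks key permissions: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as v, open(sys.argv[2]) as d:
            vault, des = json.load(v), json.load(d)
    else:
        vault, des = SAMPLE_VAULT, SAMPLE_DES
    problems = audit(vault, des)
    print("\n".join(problems) if problems else "double encryption setup looks complete")
    sys.exit(1 if problems else 0)
```

The checks follow the three steps in order, so a non-empty finding list tells you which step to repeat. The RBAC branch is reported rather than verified because role assignments are not part of the `az keyvault show` output; list them with `az role assignment list --scope <vault id>` when that finding appears.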

Next steps

Now that you've created and configured these resources, you can use them to secure your managed disks. The following links contain example scripts, each for a respective scenario, that you can use to secure your managed disks.