Verify encryption status for Linux

This article explains how to validate the encryption status of a virtual machine (VM) by using different methods: the Azure portal, PowerShell, the Azure CLI, or the operating system of the VM.

You can validate the encryption status during or after the encryption by either:

  • Checking the disks attached to a particular VM.
  • Querying the encryption settings on each disk, whether the disk is attached or unattached.

This scenario applies to the Azure Disk Encryption dual-pass and single-pass extensions. Linux distributions are the only environment for this scenario.

Note

We're using variables throughout the article. Replace the values accordingly.

Portal

In the Azure portal, in the Extensions section, select the Azure Disk Encryption extension from the list. The Status message field indicates the current encryption status:

[Screenshot: portal check highlighting Status, Version, and Status message]

In the list of extensions, you'll see the corresponding Azure Disk Encryption extension version. Version 0.x corresponds to Azure Disk Encryption dual pass, and version 1.x corresponds to Azure Disk Encryption single pass.

You can get more details by selecting the extension and then selecting View detailed status. The detailed status of the encryption process appears in JSON format.

[Screenshot: portal check highlighting the View detailed status link]

[Screenshot: detailed status in JSON format]

Another way to validate the encryption status is to look at the Disk settings section.

[Screenshot: encryption status of the OS disk and data disks]

Note

This status means the disks have encryption settings stamped, not that they were actually encrypted at the OS level.

By design, the disks are stamped first and encrypted later. If the encryption process fails, the disks may end up stamped but not encrypted.

To confirm that the disks are truly encrypted, double-check the encryption of each disk at the OS level.

PowerShell

You can validate the general encryption status of an encrypted VM by using the following PowerShell commands:

$VMNAME="VMNAME"
$RGNAME="RGNAME"
Get-AzVmDiskEncryptionStatus -ResourceGroupName ${RGNAME} -VMName ${VMNAME}

[Screenshot: general encryption status in PowerShell]

You can capture the encryption settings from each disk by using the following PowerShell commands.

Single pass

In a single pass, the encryption settings are stamped on each of the disks (OS and data). You can capture the encryption settings for the OS disk in a single pass as follows:

$RGNAME = "RGNAME"
$VMNAME = "VMNAME"

$VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME}
$Sourcedisk = Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName $VM.StorageProfile.OsDisk.Name
Write-Host "============================================================================================================================================================="
Write-Host "Encryption Settings:"
Write-Host "============================================================================================================================================================="
Write-Host "Enabled:" $Sourcedisk.EncryptionSettingsCollection.Enabled
Write-Host "Version:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettingsVersion
Write-Host "Source Vault:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SourceVault.Id
Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl
Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
Write-Host "============================================================================================================================================================="

[Screenshot: encryption settings for the OS disk]

If the disk doesn't have encryption settings stamped, the output is empty:

[Screenshot: empty output]

Use the following commands to capture the encryption settings for data disks:

$RGNAME = "RGNAME"
$VMNAME = "VMNAME"

$VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME}
clear
foreach ($i in $VM.StorageProfile.DataDisks | ForEach-Object { $_.Name })
{
    Write-Host "============================================================================================================================================================="
    Write-Host "Encryption Settings:"
    Write-Host "============================================================================================================================================================="
    Write-Host "Checking Disk:" $i
    # Read the settings from the data disk just queried ($Disk), not from the OS disk variable
    $Disk = (Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName $i)
    Write-Host "Encryption Enable: " $Disk.EncryptionSettingsCollection.Enabled
    Write-Host "Encryption KeyEncryptionKey: " $Disk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
    Write-Host "Encryption DiskEncryptionKey: " $Disk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl
    Write-Host "============================================================================================================================================================="
}

[Screenshot: encryption settings for data disks]

Dual pass

In a dual pass, the encryption settings are stamped in the VM model and not on each individual disk.

To verify that the encryption settings were stamped in a dual pass, use the following commands:

$RGNAME = "RGNAME"
$VMNAME = "VMNAME"

$vm = Get-AzVm -ResourceGroupName ${RGNAME} -Name ${VMNAME};
$Sourcedisk = Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName $VM.StorageProfile.OsDisk.Name
clear
Write-Host "============================================================================================================================================================="
Write-Host "Encryption Settings:"
Write-Host "============================================================================================================================================================="
Write-Host "Enabled:" $Sourcedisk.EncryptionSettingsCollection.Enabled
Write-Host "Version:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettingsVersion
Write-Host "Source Vault:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SourceVault.Id
Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl
Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
Write-Host "============================================================================================================================================================="

[Screenshot: encryption settings in a dual pass]

Unattached disks

Check the encryption settings for disks that aren't attached to a VM.

Managed disks

$RGNAME = "RGNAME"
$TARGETDISKNAME = "DISKNAME"

$Sourcedisk = Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName ${TARGETDISKNAME}
Write-Host "============================================================================================================================================================="
Write-Host "Encryption Settings:"
Write-Host "============================================================================================================================================================="
Write-Host "Enabled:" $Sourcedisk.EncryptionSettingsCollection.Enabled
Write-Host "Version:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettingsVersion
Write-Host "Source Vault:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SourceVault.Id
Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl
Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
Write-Host "============================================================================================================================================================="

Azure CLI

You can validate the general encryption status of an encrypted VM by using the following Azure CLI commands:

VMNAME="VMNAME"
RGNAME="RGNAME"
az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} --query "substatus"

[Screenshot: general encryption status from the Azure CLI]

Single pass

You can validate the encryption settings for each disk by using the following Azure CLI command:

az vm encryption show -g ${RGNAME} -n ${VMNAME} --query "disks[*].[name, statuses[*].displayStatus]"  -o table

[Screenshot: data encryption settings]

Important

If the disk doesn't have encryption settings stamped, you'll see the text Disk is not encrypted.

Use the following commands to get the detailed status and encryption settings.

OS disk:

RGNAME="RGNAME"
VMNAME="VMNAME"

# Every az disk show call uses ${disk}, the OS disk name resolved from the VM
disk=`az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.osDisk.name -o tsv`
for disk in $disk; do \
echo "============================================================================================================================================================="; \
echo -ne "Disk Name: "; az disk show -g ${RGNAME} -n ${disk} --query name -o tsv; \
echo -ne "Encryption Enabled: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.enabled -o tsv; \
echo -ne "Version: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettingsVersion -o tsv; \
echo -ne "Disk Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].diskEncryptionKey.secretUrl -o tsv; \
echo -ne "Key Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].keyEncryptionKey.keyUrl -o tsv; \
echo "============================================================================================================================================================="
done

[Screenshot: detailed status and encryption settings for the OS disk]

Data disks:

RGNAME="RGNAME"
VMNAME="VMNAME"
az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} --query "substatus"

# Loop over the data disk names from the VM model; every az disk show call uses ${disk}
for disk in `az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.dataDisks[].name -o tsv`; do \
echo "============================================================================================================================================================="; \
echo -ne "Disk Name: "; az disk show -g ${RGNAME} -n ${disk} --query name -o tsv; \
echo -ne "Encryption Enabled: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.enabled -o tsv; \
echo -ne "Version: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettingsVersion -o tsv; \
echo -ne "Disk Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].diskEncryptionKey.secretUrl -o tsv; \
echo -ne "Key Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].keyEncryptionKey.keyUrl -o tsv; \
echo "============================================================================================================================================================="
done

[Screenshot: detailed status and encryption settings for data disks]

Dual pass

az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} -o table

[Screenshot: general encryption settings for a dual pass from the Azure CLI]

You can also check the encryption settings on the VM model storage profile of the OS disk:

# Every az disk show call uses ${disk}, the OS disk name resolved from the VM
disk=`az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.osDisk.name -o tsv`
for disk in $disk; do \
echo "============================================================================================================================================================="; \
echo -ne "Disk Name: "; az disk show -g ${RGNAME} -n ${disk} --query name -o tsv; \
echo -ne "Encryption Enabled: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.enabled -o tsv; \
echo -ne "Version: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettingsVersion -o tsv; \
echo -ne "Disk Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].diskEncryptionKey.secretUrl -o tsv; \
echo -ne "Key Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].keyEncryptionKey.keyUrl -o tsv; \
echo "============================================================================================================================================================="
done

[Screenshot: VM profile for a dual pass from the Azure CLI]

Unattached disks

Check the encryption settings for disks that aren't attached to a VM.

Managed disks

RGNAME="RGNAME"
TARGETDISKNAME="DISKNAME"
echo "============================================================================================================================================================="
echo -ne "Disk Name: "; az disk show -g ${RGNAME} -n ${TARGETDISKNAME} --query name -o tsv; \
echo -ne "Encryption Enabled: "; az disk show -g ${RGNAME} -n ${TARGETDISKNAME} --query encryptionSettingsCollection.enabled -o tsv; \
echo -ne "Version: "; az disk show -g ${RGNAME} -n ${TARGETDISKNAME} --query encryptionSettingsCollection.encryptionSettingsVersion -o tsv; \
echo -ne "Disk Encryption Key: "; az disk show -g ${RGNAME} -n ${TARGETDISKNAME} --query encryptionSettingsCollection.encryptionSettings[].diskEncryptionKey.secretUrl -o tsv; \
echo -ne "key Encryption Key: "; az disk show -g ${RGNAME} -n ${TARGETDISKNAME} --query encryptionSettingsCollection.encryptionSettings[].keyEncryptionKey.keyUrl -o tsv; \
echo "============================================================================================================================================================="

Unmanaged disks

Unmanaged disks are VHD files that are stored as page blobs in Azure storage accounts.

To get the details for a specific disk, you need to provide:

  • The ID of the storage account that contains the disk.
  • A connection string for that particular storage account.
  • The name of the container that stores the disk.
  • The disk name.

This command lists the IDs of all your storage accounts:

az storage account list --query [].[id] -o tsv

The storage account IDs are listed in the following form:

/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>

Select the appropriate ID and store it in a variable:

id="/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>"

This command gets the connection string for one particular storage account and stores it in a variable:

ConnectionString=$(az storage account show-connection-string --ids $id --query connectionString -o tsv)

The following command lists all the containers under a storage account:

az storage container list --connection-string $ConnectionString --query [].[name] -o tsv

The container used for disks is normally named "vhds".

Store the container name in a variable:

ContainerName="name of the container"

Use this command to list all the blobs in a particular container:

az storage blob list -c ${ContainerName} --connection-string $ConnectionString --query [].[name] -o tsv

Choose the disk that you want to query and store its name in a variable:

DiskName="diskname.vhd"

Query the disk encryption settings:

az storage blob show -c ${ContainerName} --connection-string ${ConnectionString} -n ${DiskName} --query metadata.DiskEncryptionSettings

Operating system

Validate whether the data disk partitions are encrypted (and the OS disk isn't).

When a partition or disk is encrypted, it's displayed as a crypt type. When it's not encrypted, it's displayed as a part/disk type.

lsblk

[Screenshot: OS crypt layer for partitions]

You can get more details by using the following lsblk variant.

You'll see a crypt type layer that is mounted by the extension. The following example shows logical volumes and normal disks with a crypto_LUKS FSTYPE.

lsblk -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT

[Screenshot: OS crypt layer for logical volumes and normal disks]

As an extra step, you can validate whether the data disk has any keys loaded:

cryptsetup luksDump /dev/VGNAME/LVNAME
cryptsetup luksDump /dev/sdd1

And you can check which dm devices are listed as crypt:

dmsetup ls --target crypt
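The following script is an added example, not part of this article, that turns the lsblk check above into something a compliance job can run: it classifies each partition or logical volume as open (a crypt layer is mapped on top), luks-closed (LUKS header present but not unlocked) or plaintext, which is how a disk that was stamped in the portal but never encrypted at the OS level shows up. The lsblk columns, the constructed sample output and the device names are assumptions.

```shell
# Added example (not from the Azure docs). Classifies devices from
# `lsblk -P` output so a disk that is only stamped with encryption settings
# but never received its dm-crypt layer shows up as plaintext.
#   open        = a TYPE="crypt" device sits on top (the layer ADE mounts)
#   luks-closed = FSTYPE="crypto_LUKS" header present but no crypt mapping
#   plaintext   = no LUKS header and no crypt layer
# Assumes columns NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME (PKNAME = parent device)
# and values without embedded spaces.

# Constructed sample, trimmed to the relevant rows: sdc1 is unlocked and
# mounted, sdd1 has a LUKS header but is not open, sde1 was never encrypted.
SAMPLE_LSBLK='NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
NAME="sdc1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sdc"
NAME="sdc1-crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdc1"
NAME="sdd1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sdd"
NAME="sde1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/data2" PKNAME="sde"'

# stdin: lsblk -P lines. stdout: "<name> <state>" per partition or LVM volume.
classify_block_devices() {
    awk '
    {
        split("", f)                              # KEY="value" pairs -> f[KEY]
        for (i = 1; i <= NF; i++) {
            split($i, kv, "="); gsub(/"/, "", kv[2]); f[kv[1]] = kv[2]
        }
        dtype[f["NAME"]] = f["TYPE"]; fstype[f["NAME"]] = f["FSTYPE"]
        order[++n] = f["NAME"]
        if (f["TYPE"] == "crypt") has_crypt[f["PKNAME"]] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            name = order[i]
            if (dtype[name] != "part" && dtype[name] != "lvm") continue
            if (name in has_crypt)                  state = "open"
            else if (fstype[name] == "crypto_LUKS") state = "luks-closed"
            else                                    state = "plaintext"
            print name, state
        }
    }'
}

# stdin: the classification. Succeeds only if every device in "$@" is open,
# so a stamped-but-unencrypted data disk makes a compliance check fail.
all_open() {
    table=$(cat)
    for name in "$@"; do
        state=$(printf '%s\n' "$table" | awk -v n="$name" '$1 == n { print $2 }')
        [ "$state" = "open" ] || return 1
    done
}

# On the VM: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | classify_block_devices
printf '%s\n' "$SAMPLE_LSBLK" | classify_block_devices
```

Pipe the live classification into `all_open` with the data disk names you expect to be encrypted; a non-zero exit means at least one of them has no crypt layer, whatever the portal reports.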

Next steps