Creating and configuring a key vault for Azure Disk Encryption

Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption keys and secrets. For more information about key vaults, see Get started with Azure Key Vault and Secure your key vault.

Warning

Creating and configuring a key vault for use with Azure Disk Encryption involves three steps:

Note

You must select the option in the Azure Key Vault access policy settings to enable access to Azure Disk Encryption for volume encryption. If you have enabled the firewall on the key vault, you must go to the Networking tab on the key vault and enable access to Azure Trusted Services.

  1. Creating a resource group, if needed.
  2. Creating a key vault.
  3. Setting key vault advanced access policies.

These steps are illustrated in the following quickstarts:

You may also, if you wish, generate or import a key encryption key (KEK).

Install tools and connect to Azure

The steps in this article can be completed with the Azure CLI, the Azure PowerShell Az module, or the Azure portal.

While the portal is accessible through your browser, Azure CLI and Azure PowerShell require local installation; see Azure Disk Encryption for Windows: Install tools for details.

Connect to your Azure account

Before using the Azure CLI or Azure PowerShell, you must first connect to your Azure subscription. You do so by signing in with Azure CLI, signing in with Azure PowerShell, or supplying your credentials to the Azure portal when prompted.

Azure CLI

az cloud set -n AzureChinaCloud
az login

Azure PowerShell

Connect-AzAccount -Environment AzureChinaCloud

Create a resource group

If you already have a resource group, you can skip to Create a key vault.

A resource group is a logical container into which Azure resources are deployed and managed.

Create a resource group using the az group create Azure CLI command, the New-AzResourceGroup Azure PowerShell cmdlet, or from the Azure portal.

Azure CLI

az group create --name "myResourceGroup" --location chinaeast

Azure PowerShell

New-AzResourceGroup -Name "myResourceGroup" -Location "ChinaEast"

Create a key vault

If you already have a key vault, you can skip to Set key vault advanced access policies.

Create a key vault using the az keyvault create Azure CLI command, the New-AzKeyVault Azure PowerShell cmdlet, the Azure portal, or a Resource Manager template.

Warning

Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the key vault and the VMs to be co-located in the same region. Create and use a key vault that is in the same subscription and region as the VMs to be encrypted.

Each key vault must have a unique name. Replace <your-unique-keyvault-name> with the name of your key vault in the following examples.

Azure CLI

When creating a key vault using Azure CLI, add the "--enabled-for-disk-encryption" flag.

az keyvault create --name "<your-unique-keyvault-name>" --resource-group "myResourceGroup" --location "chinaeast" --enabled-for-disk-encryption

Azure PowerShell

When creating a key vault using Azure PowerShell, add the "-EnabledForDiskEncryption" flag.

New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "chinaeast" -EnabledForDiskEncryption

Resource Manager template

You can also create a key vault by using a Resource Manager template.

  1. On the Azure quickstart template, click Deploy to Azure.
  2. Select the subscription, resource group, resource group location, key vault name, Object ID, legal terms, and agreement, and then click Purchase.

Set key vault advanced access policies

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes.

If you did not enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in the previous step), you must update its advanced access policies.

Azure CLI

Use az keyvault update to enable disk encryption for the key vault.

  • Enable the key vault for disk encryption: --enabled-for-disk-encryption is required.

    az keyvault update --name "<your-unique-keyvault-name>" --resource-group "MyResourceGroup" --enabled-for-disk-encryption "true"
    
  • Enable the key vault for deployment, if needed: allows the Microsoft.Compute resource provider to retrieve secrets from this key vault when the vault is referenced in resource creation, for example when creating a virtual machine.

    az keyvault update --name "<your-unique-keyvault-name>" --resource-group "MyResourceGroup" --enabled-for-deployment "true"
    
  • Enable the key vault for template deployment, if needed: allows Resource Manager to retrieve secrets from the vault.

    az keyvault update --name "<your-unique-keyvault-name>" --resource-group "MyResourceGroup" --enabled-for-template-deployment "true"
    

Azure PowerShell

Use the Key Vault PowerShell cmdlet Set-AzKeyVaultAccessPolicy to enable disk encryption for the key vault.

  • Enable the key vault for disk encryption: -EnabledForDiskEncryption is required for Azure Disk Encryption.

    Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForDiskEncryption
    
  • Enable the key vault for deployment, if needed: allows the Microsoft.Compute resource provider to retrieve secrets from this key vault when the vault is referenced in resource creation, for example when creating a virtual machine.

     Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForDeployment
    
  • Enable the key vault for template deployment, if needed: allows Azure Resource Manager to get secrets from this key vault when the vault is referenced in a template deployment.

    Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForTemplateDeployment
    

Azure portal

  1. Select your key vault, go to Access Policies, and click Click to show advanced access policies.

  2. Select the box labeled Enable access to Azure Disk Encryption for volume encryption.

  3. Select Enable access to Azure Virtual Machines for deployment and/or Enable access to Azure Resource Manager for template deployment, if needed.

  4. Click Save.

    [Screenshot: Azure Key Vault advanced access policies]
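Whichever tool you used, it is worth verifying the result before running az vm encryption enable. The following pre-flight script is an added example, not part of the original article: check_ade_vault evaluates the three requirements stated above (disk-encryption access enabled, Azure Trusted Services allowed through an enabled firewall, vault and VM in the same region) and prints the fixing command for each failure, while check_live pulls the live values with az keyvault show and az vm show. It assumes the Azure CLI is installed and signed in; vault, resource group and VM names are placeholders.

```shell
#!/bin/sh
# Added pre-flight check (not from the original page) for the Azure Disk
# Encryption key vault requirements described above. Assumes Azure CLI is
# installed and signed in (az cloud set -n AzureChinaCloud; az login).

# Pure evaluation of the retrieved values, so it can be run offline.
# Arguments: enabledForDiskEncryption, networkAcls.defaultAction,
#            networkAcls.bypass, vault location, VM location.
# Returns 0 when the vault is usable, 1 otherwise, and prints each failure
# together with the command that fixes it.
check_ade_vault() {
  enabled=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # az prints booleans as True/False
  default_action="$2"; bypass="$3"; vault_loc="$4"; vm_loc="$5"
  status=0
  if [ "$enabled" != "true" ]; then
    echo "FAIL: enabledForDiskEncryption=$1; fix: az keyvault update --name <vault> --enabled-for-disk-encryption true"
    status=1
  fi
  # A vault with its firewall on (defaultAction=Deny) must still let
  # Azure Trusted Services through, as the note above requires.
  if [ "$default_action" = "Deny" ] && [ "$bypass" != "AzureServices" ]; then
    echo "FAIL: firewall enabled but bypass=$bypass; fix: az keyvault update --name <vault> --bypass AzureServices"
    status=1
  fi
  # Vault and VM must be co-located; region names compare case-insensitively.
  if [ "$(printf '%s' "$vault_loc" | tr 'A-Z' 'a-z')" != \
       "$(printf '%s' "$vm_loc" | tr 'A-Z' 'a-z')" ]; then
    echo "FAIL: vault is in '$vault_loc' but the VM is in '$vm_loc'"
    status=1
  fi
  return $status
}

# Live wrapper: read the values from Azure and feed them to the check.
# Usage: check_live <vault-name> <resource-group> <vm-name>
check_live() {
  q="az keyvault show --name $1 --resource-group $2 -o tsv --query"
  check_ade_vault \
    "$($q properties.enabledForDiskEncryption)" \
    "$($q properties.networkAcls.defaultAction)" \
    "$($q properties.networkAcls.bypass)" \
    "$($q location)" \
    "$(az vm show --name "$3" --resource-group "$2" --query location -o tsv)"
}
```

A vault without any network rules returns an empty defaultAction, which the check treats as "firewall off", so only the disk-encryption flag and the region are enforced in that case.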

Set up a key encryption key (KEK)

If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing them to Key Vault.

You can generate a new KEK using the Azure CLI az keyvault key create command, the Azure PowerShell Add-AzKeyVaultKey cmdlet, or the Azure portal. You must generate an RSA key type; Azure Disk Encryption does not yet support using Elliptic Curve keys.

Your key vault KEK URLs must be versioned. Azure enforces this versioning restriction. For valid secret and KEK URLs, see the following examples:

Azure Disk Encryption doesn't support specifying port numbers as part of key vault secret and KEK URLs. For examples of non-supported and supported key vault URLs, see the following examples:

Azure CLI

Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.
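The two URL rules above (versioned, no port number) are easy to get wrong when a URL is copied by hand. The following validator is an added example, not part of the original article: check_kv_url accepts a key or secret URL only if it is https, carries no port, and ends in a /keys/ or /secrets/ path with a 32-character hex version; kek_url looks the versioned URL up with az keyvault key show and validates it. The vault.azure.cn host suffix used in the comments is the Azure China Key Vault DNS suffix and is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original page): validates that a key vault key
# or secret URL has the shape Azure Disk Encryption accepts:
#   https://<vault>.vault.azure.cn/{keys|secrets}/<name>/<32-hex-version>
# Returns 0 when acceptable, 1 otherwise, with the reason on stdout.
check_kv_url() {
  url="$1"
  case "$url" in
    https://*) ;;
    *) echo "FAIL: not an https URL: $url"; return 1 ;;
  esac
  host=${url#https://}; host=${host%%/*}
  case "$host" in
    *:*) echo "FAIL: port numbers are not supported in key vault URLs: $url"; return 1 ;;
  esac
  rest=${url#https://*/}       # shortest match strips only the host part
  kind=${rest%%/*}             # keys | secrets
  name_ver=${rest#*/}          # <name>/<version>
  name=${name_ver%%/*}
  version=${name_ver#*/}       # unchanged when there is no slash, i.e. no version
  if [ "$kind" != "keys" ] && [ "$kind" != "secrets" ]; then
    echo "FAIL: path must start with /keys/ or /secrets/: $url"; return 1
  fi
  if [ "$name_ver" = "$name" ] || [ -z "$version" ]; then
    echo "FAIL: URL is not versioned (append /<version>): $url"; return 1
  fi
  case "$version" in
    */*) echo "FAIL: unexpected path after the version: $url"; return 1 ;;
    *[!0-9a-f]*) echo "FAIL: version must be lowercase hex: $url"; return 1 ;;
  esac
  if [ ${#version} -ne 32 ]; then
    echo "FAIL: version length is ${#version}, expected 32: $url"; return 1
  fi
  echo "OK: $url"
}

# Look up the versioned KEK URL (key.kid) and validate it before passing it
# to the encryption command. Assumes Azure CLI is signed in.
# Usage: kek_url <vault-name> <key-name>
kek_url() {
  kid=$(az keyvault key show --vault-name "$1" --name "$2" --query key.kid -o tsv) || return 1
  check_kv_url "$kid" >/dev/null && printf '%s\n' "$kid"
}
```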

az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA

You may instead import a private key using the Azure CLI az keyvault key import command:

In either case, you will supply the name of your KEK to the Azure CLI az vm encryption enable --key-encryption-key parameter.

az vm encryption enable -g "MyResourceGroup" --name "myVM" --disk-encryption-keyvault "<your-unique-keyvault-name>" --key-encryption-key "myKEK"

Azure PowerShell

Use the Azure PowerShell Add-AzKeyVaultKey cmdlet to generate a new KEK and store it in your key vault.

Add-AzKeyVaultKey -Name "myKEK" -VaultName "<your-unique-keyvault-name>" -Destination "Software"

You may instead import an existing private key with the same Add-AzKeyVaultKey cmdlet by supplying its -KeyFilePath parameter (the Azure CLI equivalent is az keyvault key import).

In either case, you will supply the ID of your KEK key vault and the URL of your KEK to the Azure PowerShell Set-AzVMDiskEncryptionExtension -KeyEncryptionKeyVaultId and -KeyEncryptionKeyUrl parameters. Note that this example assumes that you are using the same key vault for both the disk encryption key and the KEK.

# Look up the vault (for its resource ID and URI) and the KEK (for its versioned key URL)
$KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup"
$KEK = Get-AzKeyVaultKey -VaultName "<your-unique-keyvault-name>" -Name "myKEK"

# $KEK.Id is the versioned key URL that -KeyEncryptionKeyUrl requires
Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyUrl $KEK.Id -SkipVmBackup -VolumeType All

Next steps