Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)

The new release of Azure Disk Encryption eliminates the requirement to provide an Azure AD application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Azure AD credentials during the enable-encryption step. All new VMs must be encrypted without the Azure AD application parameters using the new release. For instructions on enabling VM disk encryption with the new release, see Azure Disk Encryption. VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.

Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption keys and secrets. For more information about key vaults, see Get started with Azure Key Vault and Secure your key vault.

Creating and configuring a key vault for use with Azure Disk Encryption with Azure AD (previous release) involves the following steps:

  1. Create a key vault.
  2. Set up an Azure AD application and service principal.
  3. Set the key vault access policy for the Azure AD app.
  4. Set key vault advanced access policies.

You may also, if you wish, generate or import a key encryption key (KEK).

See the main Creating and configuring a key vault for Azure Disk Encryption article for steps on how to install tools and connect to Azure.

Create a key vault

Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. You can create a key vault or use an existing one for Azure Disk Encryption. For more information about key vaults, see Get started with Azure Key Vault and Secure your key vault. You can use a Resource Manager template, Azure PowerShell, or the Azure CLI to create a key vault.

Warning

To make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.

Create a key vault with PowerShell

You can create a key vault with Azure PowerShell using the New-AzKeyVault cmdlet. For additional cmdlets for Key Vault, see Az.KeyVault.

  1. Create a new resource group, if needed, with New-AzResourceGroup. To list data center locations, use Get-AzLocation.

    # Get-AzLocation 
    New-AzResourceGroup -Name 'MyKeyVaultResourceGroup' -Location 'China East'
    
  2. Create a new key vault using New-AzKeyVault.

    New-AzKeyVault -VaultName 'MySecureVault' -ResourceGroupName 'MyKeyVaultResourceGroup' -Location 'China East'
    
  3. Note the Vault Name, Resource Group Name, Resource ID, Vault URI, and the Object ID that are returned, for later use when you encrypt the disks.

Create a key vault with Azure CLI

You can manage your key vault with Azure CLI using the az keyvault commands. To create a key vault, use az keyvault create.

  1. Create a new resource group, if needed, with az group create. To list locations, use az account list-locations.

    # To list locations: az account list-locations --output table
    az group create -n "MyKeyVaultResourceGroup" -l "China East"
    
  2. Create a new key vault using az keyvault create.

    az keyvault create --name "MySecureVault" --resource-group "MyKeyVaultResourceGroup" --location "China East"
    
  3. Note the Vault Name (name), Resource Group Name, Resource ID (ID), Vault URI, and the Object ID that are returned, for use later.

Create a key vault with a Resource Manager template

You can create a key vault by using the Resource Manager template.

  1. On the Azure quickstart template, click Deploy to Azure.
  2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then click Purchase.

Set up an Azure AD app and service principal

When you need encryption to be enabled on a running VM in Azure, Azure Disk Encryption generates the encryption keys and writes them to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication, you can use either client secret-based authentication or client certificate-based Azure AD authentication.

Set up an Azure AD app and service principal with Azure PowerShell

To execute the following commands, get and use the Azure AD PowerShell module.

  1. Use the New-AzADApplication PowerShell cmdlet to create an Azure AD application. MyApplicationHomePage and MyApplicationUri can be any values you wish.

    $aadClientSecret = "My AAD client secret"
    $aadClientSecretSec = ConvertTo-SecureString -String $aadClientSecret -AsPlainText -Force
    $azureAdApplication = New-AzADApplication -DisplayName "My Application Display Name" -HomePage "https://MyApplicationHomePage" -IdentifierUris "https://MyApplicationUri" -Password $aadClientSecretSec
    $servicePrincipal = New-AzADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
    
  2. $azureAdApplication.ApplicationId is the Azure AD ClientID and $aadClientSecret is the client secret that you will use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately. Running $azureAdApplication.ApplicationId will show you the ApplicationID.

Set up an Azure AD app and service principal with Azure CLI

You can manage your service principals with Azure CLI using the az ad sp commands. For more information, see Create an Azure service principal.

  1. Create a new service principal.

    az ad sp create-for-rbac --name "ServicePrincipalName" --password "My-AAD-client-secret" --skip-assignment 
    
  2. The appId returned is the Azure AD ClientID used in other commands. It's also the SPN you'll use for az keyvault set-policy. The password is the client secret that you should use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately.

Set up an Azure AD app and service principal through the Azure portal

Use the steps from the Use portal to create an Azure Active Directory application and service principal that can access resources article to create an Azure AD application. Each step listed below will take you directly to the article section to complete.

  1. Verify required permissions
  2. Create an Azure Active Directory application
    • You can use any name and sign-on URL you would like when creating the application.
  3. Get the application ID and the authentication key.
    • The authentication key is the client secret and is used as the AadClientSecret for Set-AzVMDiskEncryptionExtension.
      • The authentication key is used by the application as a credential to sign in to Azure AD. In the Azure portal, this secret is called keys, but has no relation to key vaults. Secure this secret appropriately.
    • The application ID will be used later as the AadClientId for Set-AzVMDiskEncryptionExtension and as the ServicePrincipalName for Set-AzKeyVaultAccessPolicy.

Set the key vault access policy for the Azure AD app

To write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the Key Vault.

Note

Azure Disk Encryption requires you to configure the following access policies for your Azure AD client application: the WrapKey and Set permissions.

Set the key vault access policy for the Azure AD app with Azure PowerShell

Your Azure AD application needs rights to access the keys or secrets in the vault. Use the Set-AzKeyVaultAccessPolicy cmdlet to grant permissions to the application, using the client ID (which was generated when the application was registered) as the -ServicePrincipalName parameter value. To learn more, see the blog post Azure Key Vault - Step by Step.

  1. Set the key vault access policy for the AD application with PowerShell.

    $keyVaultName = 'MySecureVault'
    $aadClientID = 'MyAadAppClientID'
    $KVRGname = 'MyKeyVaultResourceGroup'
    Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $KVRGname
    

Set the key vault access policy for the Azure AD app with Azure CLI

Use az keyvault set-policy to set the access policy. For more information, see Manage Key Vault using CLI 2.0.

Give the service principal you created via the Azure CLI access to set secrets and wrap keys with the following command:

az keyvault set-policy --name "MySecureVault" --spn "<spn created with CLI/the Azure AD ClientID>" --key-permissions wrapKey --secret-permissions set

Set the key vault access policy for the Azure AD app with the portal

  1. Open the resource group with your key vault.
  2. Select your key vault, go to Access Policies, then click Add new.
  3. Under Select principal, search for the Azure AD application you created and select it.
  4. For Key permissions, check Wrap Key under Cryptographic Operations.
  5. For Secret permissions, check Set under Secret Management Operations.
  6. Click OK to save the access policy.

(Screenshot: Azure Key Vault cryptographic operations - Wrap Key)

(Screenshot: Azure Key Vault secret permissions - Set)

Set key vault advanced access policies

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. Enable disk encryption on the key vault, or deployments will fail.

Set key vault advanced access policies with Azure PowerShell

Use the key vault PowerShell cmdlet Set-AzKeyVaultAccessPolicy to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: EnabledForDiskEncryption is required for Azure Disk Encryption.

    Set-AzKeyVaultAccessPolicy -VaultName 'MySecureVault' -ResourceGroupName 'MyKeyVaultResourceGroup' -EnabledForDiskEncryption
    
  • Enable Key Vault for deployment, if needed: enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when the vault is referenced in resource creation, for example when creating a virtual machine.

    Set-AzKeyVaultAccessPolicy -VaultName 'MySecureVault' -ResourceGroupName 'MyKeyVaultResourceGroup' -EnabledForDeployment
    
  • Enable Key Vault for template deployment, if needed: enables Azure Resource Manager to get secrets from this key vault when the vault is referenced in a template deployment.

    Set-AzKeyVaultAccessPolicy -VaultName 'MySecureVault' -ResourceGroupName 'MyKeyVaultResourceGroup' -EnabledForTemplateDeployment
    

Set key vault advanced access policies using the Azure CLI

Use az keyvault update to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: --enabled-for-disk-encryption is required.

    az keyvault update --name "MySecureVault" --resource-group "MyKeyVaultResourceGroup" --enabled-for-disk-encryption "true"
    
  • Enable Key Vault for deployment, if needed: allows virtual machines to retrieve certificates stored as secrets from the vault.

    az keyvault update --name "MySecureVault" --resource-group "MyKeyVaultResourceGroup" --enabled-for-deployment "true"
    
  • Enable Key Vault for template deployment, if needed: allows Resource Manager to retrieve secrets from the vault.

    az keyvault update --name "MySecureVault" --resource-group "MyKeyVaultResourceGroup" --enabled-for-template-deployment "true"
    

Set key vault advanced access policies through the Azure portal

  1. Select your key vault, go to Access Policies, and click Click to show advanced access policies.
  2. Select the box labeled Enable access to Azure Disk Encryption for volume encryption.
  3. Select Enable access to Azure Virtual Machines for deployment and/or Enable access to Azure Resource Manager for template deployment, if needed.
  4. Click Save.

(Screenshot: Azure Key Vault advanced access policies)
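The three requirements stated so far (the vault and the VM in the same region, EnabledForDiskEncryption set on the vault, and the Azure AD application holding the WrapKey and Set permissions) are the usual reasons an enable-encryption step fails or, in the last case, ends up with a more privileged application than necessary. The following pre-flight script is an added example, not code from the original article: it assumes the vault, application and VM were created as described above, Test-AdeKeyVaultReadiness is a name chosen here, and all names are placeholders to replace with your own values.

```powershell
# Added pre-flight check (example code, not part of the original article).
# Placeholders: replace with the vault, VM and application you created above.
$KeyVaultName = 'MySecureVault'
$KVRGname     = 'MyKeyVaultResourceGroup'
$VMName       = 'MySecureVM'
$VMRGName     = 'MyVirtualMachineResourceGroup'
$aadClientID  = 'MyAadAppClientID'   # Azure AD ClientID (appId) of the application

function Test-AdeKeyVaultReadiness {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$VaultResourceGroup,
        [Parameter(Mandatory)][string]$VmName,
        [Parameter(Mandatory)][string]$VmResourceGroup,
        [Parameter(Mandatory)][string]$AadClientId
    )
    $problems = @()

    $kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup
    $vm = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName

    # 1. Region: the vault and the VM must be co-located, otherwise the encryption
    #    secrets would cross a regional boundary and enabling encryption fails.
    #    Location strings are normalised because one API may return 'China East'
    #    and another 'chinaeast'.
    $kvLoc = ($kv.Location -replace '\s', '').ToLowerInvariant()
    $vmLoc = ($vm.Location -replace '\s', '').ToLowerInvariant()
    if ($kvLoc -ne $vmLoc) {
        $problems += "Key vault is in '$($kv.Location)' but VM '$VmName' is in '$($vm.Location)'."
    }

    # 2. Advanced access policy: EnabledForDiskEncryption is required.
    if (-not $kv.EnabledForDiskEncryption) {
        $problems += "Vault '$VaultName' is not enabled for disk encryption " +
                     "(Set-AzKeyVaultAccessPolicy -EnabledForDiskEncryption)."
    }

    # 3. Access policy for the Azure AD application: WrapKey on keys and Set on
    #    secrets are required; anything beyond that is more than ADE needs.
    #    The vault stores policies by object ID, so resolve the appId first.
    $sp = Get-AzADServicePrincipal -ApplicationId $AadClientId
    $policy = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) {
        $problems += "No access policy for application '$AadClientId' on vault '$VaultName'."
    } else {
        if ($policy.PermissionsToKeys -notcontains 'WrapKey') {
            $problems += "Application '$AadClientId' lacks the 'WrapKey' key permission."
        }
        if ($policy.PermissionsToSecrets -notcontains 'Set') {
            $problems += "Application '$AadClientId' lacks the 'Set' secret permission."
        }
        # Anything beyond WrapKey/Set is excess privilege worth reviewing.
        $extra = @(
            $policy.PermissionsToKeys         | Where-Object { $_ -and $_ -ne 'WrapKey' }
            $policy.PermissionsToSecrets      | Where-Object { $_ -and $_ -ne 'Set' }
            $policy.PermissionsToCertificates | Where-Object { $_ }
        )
        if ($extra.Count -gt 0) {
            $problems += "Application '$AadClientId' holds permissions beyond WrapKey/Set: $($extra -join ', ')."
        }
    }

    return $problems
}

$issues = Test-AdeKeyVaultReadiness -VaultName $KeyVaultName -VaultResourceGroup $KVRGname `
    -VmName $VMName -VmResourceGroup $VMRGName -AadClientId $aadClientID
if ($issues.Count -eq 0) {
    Write-Host "Key vault '$KeyVaultName' is ready for Azure Disk Encryption of '$VMName'."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

The script only reads vault metadata and the VM resource, so it can be run by anyone with reader access before handing the enable step to whoever holds the client secret; the excess-privilege check is the one most worth keeping, since a policy created through the portal can easily pick up Get or List on top of the two permissions the extension actually uses.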

Set up a key encryption key (optional)

If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing them to Key Vault.

Set up a key encryption key with Azure PowerShell

Before using the PowerShell script, you should be familiar with the Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment. This script creates all Azure Disk Encryption prerequisites and encrypts an existing IaaS VM, wrapping the disk encryption key by using a key encryption key.

    # Step 1: Create a new resource group and key vault in the same location.
    # Fill in 'MyLocation', 'MyKeyVaultResourceGroup', and 'MySecureVault' with your values.
    # Use Get-AzLocation to get available locations and use the DisplayName.
    # To use an existing resource group, comment out the line for New-AzResourceGroup.

    $Loc = 'MyLocation'
    $KVRGname = 'MyKeyVaultResourceGroup'
    $KeyVaultName = 'MySecureVault'
    New-AzResourceGroup -Name $KVRGname -Location $Loc
    New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname -Location $Loc
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
    $KeyVaultResourceId = $KeyVault.ResourceId
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri

    # Step 2: Create the AD application and service principal.
    # Fill in 'MyAADClientSecret', "<My Application Display Name>", "<https://MyApplicationHomePage>", and "<https://MyApplicationUri>" with your values.
    # MyApplicationHomePage and MyApplicationUri can be any values you wish.

    $aadClientSecret = 'MyAADClientSecret'
    $aadClientSecretSec = ConvertTo-SecureString -String $aadClientSecret -AsPlainText -Force
    $azureAdApplication = New-AzADApplication -DisplayName "<My Application Display Name>" -HomePage "<https://MyApplicationHomePage>" -IdentifierUris "<https://MyApplicationUri>" -Password $aadClientSecretSec
    $servicePrincipal = New-AzADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
    $aadClientID = $azureAdApplication.ApplicationId

    # Step 3: Enable the vault for disk encryption and set the access policy for the Azure AD application.

    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KVRGname -EnabledForDiskEncryption
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $KVRGname

    # Step 4: Create a new key in the key vault with the Add-AzKeyVaultKey cmdlet.
    # Fill in 'MyKeyEncryptionKey' with your value.

    $keyEncryptionKeyName = 'MyKeyEncryptionKey'
    Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName -Destination 'Software'
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid

    # Step 5: Encrypt the disks of an existing IaaS VM.
    # Fill in 'MySecureVM' and 'MyVirtualMachineResourceGroup' with your values.

    $VMName = 'MySecureVM'
    $VMRGName = 'MyVirtualMachineResourceGroup'
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $VMName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId

Certificate-based authentication (optional)

If you would like to use certificate authentication, you can upload a certificate to your key vault and deploy it to the client. Before using the PowerShell script, you should be familiar with the Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment.


   # Fill in "MyKeyVaultResourceGroup", "MySecureVault", and 'MyLocation' ('MyLocation' only if needed).

   $KVRGname = 'MyKeyVaultResourceGroup'
   $KeyVaultName = 'MySecureVault'

   # Create a key vault and set the enabledForDiskEncryption property on it.
   # Comment out the next three lines if you already have an existing key vault enabled for encryption. No need to set 'MyLocation' in this case.

   $Loc = 'MyLocation'
   New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname -Location $Loc
   Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KVRGname -EnabledForDiskEncryption

   # Set some variables with the key vault information.
   $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
   $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
   $KeyVaultResourceId = $KeyVault.ResourceId

   # Create the Azure AD application and associate the certificate with it.
   # Fill in "C:\certificates\mycert.pfx", "Password", "<My Application Display Name>", "<https://MyApplicationHomePage>", and "<https://MyApplicationUri>" with your values.
   # MyApplicationHomePage and MyApplicationUri can be any values you wish.

   $CertPath = "C:\certificates\mycert.pfx"
   $CertPassword = "Password"
   $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
   # Only the public certificate is registered on the application; the private key stays in the PFX.
   $CertValue = [System.Convert]::ToBase64String($Cert.GetRawCertData())

   $AzureAdApplication = New-AzADApplication -DisplayName "<My Application Display Name>" -HomePage "<https://MyApplicationHomePage>" -IdentifierUris "<https://MyApplicationUri>" -CertValue $CertValue
   $ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

   $AADClientID = $AzureAdApplication.ApplicationId
   $AADClientCertThumbprint = $Cert.Thumbprint

   # Give the application access for setting secrets and wrapping keys.
   Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $AADClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $KVRGname

   # Upload the pfx file to the key vault in the JSON format the VM agent expects.
   # Fill in "MyAADCert".
   # ReadAllBytes works in both Windows PowerShell and PowerShell 7 (Get-Content -Encoding Byte was removed in PowerShell 7).

   $KeyVaultSecretName = "MyAADCert"
   $FileContentBytes = [System.IO.File]::ReadAllBytes($CertPath)
   $FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
   # ConvertTo-Json escapes any quotes or backslashes in the password, which a hand-built JSON string would not.
   $JSONObject = @{
       data     = $FileContentEncoded
       dataType = "pfx"
       password = $CertPassword
   } | ConvertTo-Json -Compress

   $JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
   $JSONEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)

   # Set the secret and set the key vault policy for -EnabledForDeployment.

   $Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
   Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName -SecretValue $Secret
   Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KVRGname -EnabledForDeployment

   # Deploy the certificate to the VM.
   # Fill in 'MySecureVM' and 'MyVirtualMachineResourceGroup' with your values.

   $VMName = 'MySecureVM'
   $VMRGName = 'MyVirtualMachineResourceGroup'
   $CertUrl = (Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName).Id
   $SourceVaultId = $KeyVaultResourceId
   $VM = Get-AzVM -ResourceGroupName $VMRGName -Name $VMName
   $VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
   Update-AzVM -VM $VM -ResourceGroupName $VMRGName

   # Enable encryption on the VM using the Azure AD client ID and the client certificate thumbprint.

   Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId

Certificate-based authentication and a KEK (optional)

If you would like to use certificate authentication and wrap the encryption key with a KEK, you can use the script below as an example. Before using the PowerShell script, you should be familiar with all of the previous Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment.

   # Fill in 'MyKeyVaultResourceGroup', 'MySecureVault', and 'MyLocation' (if needed).

   $KVRGname = 'MyKeyVaultResourceGroup'
   $KeyVaultName = 'MySecureVault'

   # Create a key vault and set the enabledForDiskEncryption property on it.
   # Comment out the next three lines if you already have an existing key vault enabled for encryption.

   $Loc = 'MyLocation'
   New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname -Location $Loc
   Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KVRGname -EnabledForDiskEncryption

   # Create the Azure AD application and associate the certificate with it.
   # Fill in "C:\certificates\mycert.pfx", "Password", "<My Application Display Name>", "<https://MyApplicationHomePage>", and "<https://MyApplicationUri>" with your values.
   # MyApplicationHomePage and MyApplicationUri can be any values you wish.

   $CertPath = "C:\certificates\mycert.pfx"
   $CertPassword = "Password"
   $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
   # Only the public certificate is registered on the application; the private key stays in the PFX.
   $CertValue = [System.Convert]::ToBase64String($Cert.GetRawCertData())

   $AzureAdApplication = New-AzADApplication -DisplayName "<My Application Display Name>" -HomePage "<https://MyApplicationHomePage>" -IdentifierUris "<https://MyApplicationUri>" -CertValue $CertValue
   $ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

   $AADClientID = $AzureAdApplication.ApplicationId
   $AADClientCertThumbprint = $Cert.Thumbprint

   # Give the application access for setting secrets and wrapping keys.
   Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $AADClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $KVRGname

   # Upload the pfx file to the key vault in the JSON format the VM agent expects.
   # Fill in "MyAADCert".
   # ReadAllBytes works in both Windows PowerShell and PowerShell 7 (Get-Content -Encoding Byte was removed in PowerShell 7).

   $KeyVaultSecretName = "MyAADCert"
   $FileContentBytes = [System.IO.File]::ReadAllBytes($CertPath)
   $FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
   # ConvertTo-Json escapes any quotes or backslashes in the password, which a hand-built JSON string would not.
   $JSONObject = @{
       data     = $FileContentEncoded
       dataType = "pfx"
       password = $CertPassword
   } | ConvertTo-Json -Compress

   $JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
   $JSONEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)

   # Set the secret and set the key vault policy for deployment.

   $Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
   Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName -SecretValue $Secret
   Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KVRGname -EnabledForDeployment

   # Set some variables with the key vault information and generate a KEK.
   # Fill in 'KEKName'.

   $KEKName = 'KEKName'
   $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
   $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
   $KeyVaultResourceId = $KeyVault.ResourceId
   $KEK = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $KEKName -Destination "Software"
   $KeyEncryptionKeyUrl = $KEK.Key.kid

   # Deploy the certificate to the VM.
   # Fill in 'MySecureVM' and 'MyVirtualMachineResourceGroup' with your values.

   $VMName = 'MySecureVM'
   $VMRGName = 'MyVirtualMachineResourceGroup'
   $CertUrl = (Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName).Id
   $SourceVaultId = $KeyVaultResourceId
   $VM = Get-AzVM -ResourceGroupName $VMRGName -Name $VMName
   $VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
   Update-AzVM -VM $VM -ResourceGroupName $VMRGName

   # Enable encryption on the VM using the Azure AD client ID and the client certificate thumbprint, wrapping the disk encryption key with the KEK.

   Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId
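Both certificate-based scripts above (with and without a KEK) store the PFX in the vault as a base64-encoded JSON secret, and Add-AzVMSecret delivers exactly what is stored to the VM's certificate store. If the wrong file, the wrong password, or a certificate other than the one registered on the Azure AD application ends up in that secret, the extension fails only at enable time with an unhelpful authentication error. The following check decodes the stored secret and compares it with the thumbprint the application was registered with. It is an added example, not code from the original article; Test-AdeCertificateSecret is a name chosen here, and the vault name, secret name and expected thumbprint are placeholders.

```powershell
# Added verification step (example code, not part of the original article).
# Placeholders: the vault and secret name used in the scripts above, and the
# thumbprint of the certificate registered on the Azure AD application.
$KeyVaultName       = 'MySecureVault'
$KeyVaultSecretName = 'MyAADCert'
$RegisteredThumbprint = '<thumbprint registered on the Azure AD application>'

function Test-AdeCertificateSecret {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Read the secret as a SecureString and unwrap it; this works on Az.KeyVault
    # versions with and without the newer -AsPlainText switch.
    $secret  = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    $encoded = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password

    # Undo the two encodings applied at upload time:
    # base64 -> JSON envelope, then the envelope's base64 "data" -> PFX bytes.
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
    $envelope = $json | ConvertFrom-Json
    if ($envelope.dataType -ne 'pfx') {
        throw "Secret '$SecretName' has dataType '$($envelope.dataType)', expected 'pfx'."
    }
    $pfxBytes = [System.Convert]::FromBase64String($envelope.data)

    # Loading the PFX with the password stored in the envelope proves the VM
    # agent will be able to import it; a wrong password throws here instead.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxBytes, $envelope.password)

    $result = [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        ThumbprintMatches = ($cert.Thumbprint -eq $ExpectedThumbprint)
        HasPrivateKey     = $cert.HasPrivateKey
        DaysUntilExpiry   = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    }
    $cert.Dispose()
    return $result
}

$check = Test-AdeCertificateSecret -VaultName $KeyVaultName -SecretName $KeyVaultSecretName -ExpectedThumbprint $RegisteredThumbprint
$check

if (-not $check.ThumbprintMatches) {
    Write-Warning "Stored certificate ($($check.Thumbprint)) is not the one registered on the application; -AadClientCertThumbprint will not authenticate."
}
if (-not $check.HasPrivateKey) {
    Write-Warning "Stored PFX carries no private key; the VM cannot use it to sign in to Azure AD."
}
if ($check.DaysUntilExpiry -lt 30) {
    Write-Warning "Certificate expires in $($check.DaysUntilExpiry) days; plan rotation of the secret and the application credential."
}
```

Run it with the same identity that uploaded the secret (it needs Get on secrets, which the Azure AD application itself deliberately does not have). The expiry check is worth wiring into whatever already watches the vault, because the VM keeps booting with an expired client certificate until the next operation that has to talk to Azure AD, such as re-enabling or rotating keys, fails.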

Next steps

Enable Azure Disk Encryption with Azure AD on Windows VMs (previous release)