Azure Disk Encryption for Windows VMs

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

If you use Azure Security Center, you're alerted if you have VMs that aren't encrypted. The alerts show as High Severity and the recommendation is to encrypt these VMs.

[Image: Azure Security Center disk encryption alert]

Warning

  • If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue to use this option to encrypt your VM. See Azure Disk Encryption with Azure AD (previous release) for details.
  • Certain recommendations might increase data, network, or compute resource usage, resulting in additional license or subscription costs. You must have a valid active Azure subscription to create resources in Azure in the supported regions.

You can learn the fundamentals of Azure Disk Encryption for Windows in just a few minutes with the Create and encrypt a Windows VM with Azure CLI quickstart or the Create and encrypt a Windows VM with Azure PowerShell quickstart.

Supported VMs and operating systems

Supported VMs

Windows VMs are available in a range of sizes. Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines with less than 2 GB of memory.

Azure Disk Encryption is also available for VMs with premium storage.

Azure Disk Encryption is not available on Generation 2 VMs. For more exceptions, see Azure Disk Encryption: Unsupported scenarios.

Supported operating systems

  • Windows client: Windows 8 and later.
  • Windows Server: Windows Server 2008 R2 and later.

Note

Windows Server 2008 R2 requires the .NET Framework 4.5 to be installed for encryption; install it from Windows Update with the optional update Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based systems (KB2901983).

Windows Server 2012 R2 Core and Windows Server 2016 Core require the bdehdcfg component to be installed on the VM for encryption.

Networking requirements

To enable Azure Disk Encryption, the VMs must meet the following network endpoint configuration requirements:

  • To get a token to connect to your key vault, the Windows VM must be able to connect to an Azure Active Directory endpoint, [login.chinacloudapi.cn].
  • To write the encryption keys to your key vault, the Windows VM must be able to connect to the key vault endpoint.
  • The Windows VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URIs and configure a specific rule to allow outbound connectivity to those IPs. For more information, see Azure Key Vault behind a firewall.

Group Policy requirements

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. For domain-joined VMs, don't push any group policies that enforce TPM protectors. For information about the group policy for "Allow BitLocker without a compatible TPM," see BitLocker Group Policy Reference.

BitLocker policy on domain-joined virtual machines with custom group policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key. Azure Disk Encryption will fail when custom group policy settings for BitLocker are incompatible. On machines that didn't have the correct policy setting, apply the new policy, force the new policy to update (gpupdate.exe /force), and then a restart may be required.

Azure Disk Encryption will fail if domain-level group policy blocks the AES-CBC algorithm, which is used by BitLocker.
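The networking and Group Policy requirements above can be checked on the VM before the encryption extension is enabled. The following PowerShell pre-flight script is an added example, not part of the Azure documentation or the ADE extension; it assumes the BitLocker policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseTPM, EncryptionMethod*, UseRecoveryDrive), the Azure China Key Vault DNS suffix, and a placeholder vault name, and Test-NetConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added pre-flight check for Azure Disk Encryption prerequisites on a Windows VM (example code, not Microsoft's).
# Run in an elevated PowerShell session on the VM. The vault name below is a placeholder.
$vaultHost = '<your-key-vault>.vault.azure.cn'   # placeholder; Azure China Key Vault DNS suffix assumed
$results = [ordered]@{}

# 1. Memory: Azure Disk Encryption is not available below 2 GB.
$memGB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
$results['Memory >= 2 GB'] = ($memGB -ge 2)

# 2. .NET Framework 4.5.2 or later (Release value 379893 = 4.5.2); relevant on Windows Server 2008 R2.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET >= 4.5.2'] = ($ndp.Release -ge 379893)

# 3. bdehdcfg component present (required on Server 2012 R2 Core and Server 2016 Core).
$results['bdehdcfg present'] = Test-Path "$env:SystemRoot\System32\bdehdcfg.exe"

# 4. Outbound HTTPS to the Azure AD token endpoint and the key vault endpoint.
foreach ($h in 'login.chinacloudapi.cn', $vaultHost) {
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $results["TCP 443 to $h"] = $tnc.TcpTestSucceeded
}

# 5. BitLocker group policy as applied on this machine. An absent value means "not configured", which is fine.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
# UseTPM: 0 = do not allow, 1 = allow, 2 = require. ADE uses an external key protector, so TPM must not be required.
$results['TPM protector not required'] = -not ($fve.UseTPM -eq 2)
# EncryptionMethod*: 3/4 = AES-CBC 128/256, 6/7 = XTS-AES 128/256. A policy forcing XTS leaves no AES-CBC option.
$methods = @($fve.EncryptionMethod, $fve.EncryptionMethodWithXtsOs, $fve.EncryptionMethodWithXtsFdv) | Where-Object { $_ }
$results['AES-CBC not blocked'] = -not ($methods | Where-Object { $_ -in 6, 7 })
# UseRecoveryDrive: 0 = do not allow the 256-bit recovery key; it must be allowed (1) or left unconfigured.
$results['256-bit recovery key allowed'] = -not ($fve.UseRecoveryDrive -eq 0)

# Summarise; every line should read OK before enabling the encryption extension.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Policy values that arrive from the domain are only visible here after gpupdate.exe /force has run, so re-run the script after changing group policy.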

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

For details, see Creating and configuring a key vault for Azure Disk Encryption.

Terminology

The following table defines some of the common terms used in Azure Disk Encryption documentation:

Terminology: Definition
Azure Key Vault: Key Vault is a cryptographic key management service that's based on Federal Information Processing Standards (FIPS) validated hardware security modules. These standards help to safeguard your cryptographic keys and sensitive secrets. For more information, see the Azure Key Vault documentation and Creating and configuring a key vault for Azure Disk Encryption.
Azure CLI: The Azure CLI is optimized for managing and administering Azure resources from the command line.
BitLocker: BitLocker is an industry-recognized Windows volume encryption technology that's used to enable disk encryption on Windows VMs.
Key encryption key (KEK): The asymmetric key (RSA 2048) that you can use to protect or wrap the secret. For more information, see the Azure Key Vault documentation and Creating and configuring a key vault for Azure Disk Encryption.
PowerShell cmdlets: For more information, see Azure PowerShell cmdlets.

Next steps