Azure Disk Encryption with Azure AD (previous release)

The new release of Azure Disk Encryption eliminates the requirement to provide an Azure AD application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Azure AD credentials during the enable-encryption step. All new VMs must be encrypted without the Azure AD application parameters using the new release. For instructions on enabling VM disk encryption with the new release, see Azure Disk Encryption for Windows VMs. VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.

This article supplements Azure Disk Encryption for Windows VMs with the additional requirements and prerequisites for Azure Disk Encryption with Azure AD (previous release). The Supported VMs and operating systems section remains the same.

Networking and Group Policy

To enable the Azure Disk Encryption feature using the older AAD parameter syntax, the IaaS VMs must meet the following network endpoint configuration requirements:

  • To get a token to connect to your key vault, the IaaS VM must be able to connect to an Azure Active Directory endpoint, [login.chinacloudapi.cn].
  • To write the encryption keys to your key vault, the IaaS VM must be able to connect to the key vault endpoint.
  • The IaaS VM must be able to connect to the Azure storage endpoint that hosts the Azure extension repository and to the Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URIs and configure specific rules to allow outbound connectivity to those IPs. For more information, see Azure Key Vault behind a firewall.
  • The VM to be encrypted must be configured to use TLS 1.2 as the default protocol. If TLS 1.0 has been explicitly disabled and the .NET version has not been updated to 4.6 or higher, the following registry change enables ADE to select the more recent TLS version:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
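The following PowerShell script is an added example, not part of the original article or of the Azure Disk Encryption extension. It checks the prerequisites listed above from inside the Windows IaaS VM: outbound reachability of the Azure AD endpoint and of the key vault endpoint, the installed .NET Framework 4 release, and the two registry values shown in the registry snippet above in both the 64-bit and the WOW6432Node hives. The key vault name `contoso-ade-kv` is an assumed placeholder; the `vault.azure.cn` DNS suffix is the Key Vault suffix for the Azure China cloud, which is the cloud the `login.chinacloudapi.cn` endpoint in the article belongs to. The `.NET Framework Setup\NDP\v4\Full` release-number check (393295 is the first 4.6 build) is a standard Windows registry convention, not something the article describes. Run it in an elevated session; without `-Remediate` it only reports.

```powershell
# Added example (not from the original article): pre-flight checks for ADE with the
# older AAD parameter syntax on a Windows IaaS VM. Run elevated; -Remediate writes the
# TLS registry values, otherwise the script is read-only.
param(
    [string]$KeyVaultName      = 'contoso-ade-kv', # assumed placeholder, replace with your vault
    [string]$KeyVaultDnsSuffix = 'vault.azure.cn', # Azure China Key Vault DNS suffix (assumption)
    [switch]$Remediate
)

# 1. Outbound connectivity to the endpoints the article requires (HTTPS / TCP 443).
$endpoints = @(
    'login.chinacloudapi.cn',           # Azure AD token endpoint named in the article
    "$KeyVaultName.$KeyVaultDnsSuffix"  # key vault endpoint the keys are written to
)
foreach ($fqdn in $endpoints) {
    $probe = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        Write-Host "[OK]   $fqdn reachable on TCP 443"
    } else {
        Write-Warning "$fqdn is NOT reachable on TCP 443; review NSG / firewall outbound rules"
    }
}

# 2. .NET Framework 4 release. 393295 is the first 4.6 release; at or above it the
#    registry values below are not needed for TLS 1.2 negotiation, but they do no harm.
$ndpPath = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpPath -ErrorAction SilentlyContinue).Release
if ($release -ge 393295) {
    Write-Host "[OK]   .NET Framework 4.6 or later detected (Release=$release)"
} else {
    Write-Warning ".NET Framework release '$release' is below 4.6; TLS registry values are required"
}

# 3. Registry values from the article, checked in both hives so 32-bit and 64-bit
#    .NET processes pick up the system default TLS version.
$regPaths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$requiredValues = @{
    SystemDefaultTlsVersions = 1
    SchUseStrongCrypto       = 1
}
foreach ($path in $regPaths) {
    if (-not (Test-Path -Path $path)) {
        if ($Remediate) {
            New-Item -Path $path -Force | Out-Null
        } else {
            Write-Warning "$path does not exist; rerun with -Remediate to create it"
            continue
        }
    }
    foreach ($name in $requiredValues.Keys) {
        $expected = $requiredValues[$name]
        $current  = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq $expected) {
            Write-Host "[OK]   $path\$name = $current"
        } elseif ($Remediate) {
            Set-ItemProperty -Path $path -Name $name -Value $expected -Type DWord
            Write-Host "[FIX]  $path\$name set to $expected"
        } else {
            Write-Warning "$path\$name is '$current' (expected $expected); rerun with -Remediate"
        }
    }
}
```

The connectivity probe only proves that a TCP session to port 443 can be opened; a proxy or TLS-inspecting firewall can still break the token exchange, so a failure in the actual enable step should be investigated against the Azure Key Vault behind a firewall guidance referenced above. The registry changes take effect for newly started .NET processes, so restart the VM (or at least the Guest Agent) before retrying encryption.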

Group Policy:

  • The Azure Disk Encryption solution uses the BitLocker external key protector for Windows IaaS VMs. For domain-joined VMs, don't push any group policies that enforce TPM protectors. For information about the group policy "Allow BitLocker without a compatible TPM," see the BitLocker Group Policy Reference.

  • BitLocker policy on domain-joined virtual machines with custom group policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key. Azure Disk Encryption fails when custom group policy settings for BitLocker are incompatible. On machines that didn't have the correct policy setting, apply the new policy, force the policy to update (gpupdate.exe /force), and then restart if required.

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

For details, see Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release).

Next steps