Azure Disk Encryption troubleshooting guide

This guide is for IT professionals, information security analysts, and cloud administrators whose organizations use Azure Disk Encryption. It is intended to help with troubleshooting disk-encryption-related problems.

Before taking any of the steps below, first ensure that the VMs you are attempting to encrypt are among the supported VM sizes and operating systems, and that you have met all the prerequisites:

Troubleshooting Azure Disk Encryption behind a firewall

When connectivity is restricted by a firewall, a proxy requirement, or network security group (NSG) settings, the extension's ability to perform its required tasks might be disrupted. This disruption can result in status messages such as "Extension status not available on the VM." In the expected outcome, the encryption fails to finish. The sections that follow describe some common firewall problems that you might investigate.

Network security groups

Any network security group settings that are applied must still allow the endpoint to meet the documented network configuration prerequisites for disk encryption.

Azure Key Vault behind a firewall

When encryption is being enabled with Azure AD credentials, the target VM must allow connectivity to both Azure Active Directory endpoints and Key Vault endpoints. Current Azure Active Directory authentication endpoints are maintained in sections 56 and 59 of the Office 365 URLs and IP address ranges documentation. Key Vault instructions are provided in the documentation on how to access Azure Key Vault behind a firewall.

Azure Instance Metadata Service

The VM must be able to access the Azure Instance Metadata Service endpoint, which uses a well-known non-routable IP address (169.254.169.254) that can be reached only from within the VM. Proxy configurations that alter local HTTP traffic to this address (for example, adding an X-Forwarded-For header) are not supported.
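The three connectivity requirements above (Azure AD and Key Vault endpoints through the NSG/firewall, and direct access to the Instance Metadata Service) can be checked from inside a Windows VM with the following script. It is an added example, not part of this guide or of the Azure Disk Encryption extension; the Key Vault hostname is a placeholder and the IMDS API version is assumed.

```powershell
# Added example: check the network dependencies of the Azure Disk Encryption
# extension from inside the target Windows VM. Run in an elevated PowerShell.
$keyVaultHost = 'mykeyvault.vault.azure.net'   # placeholder: your Key Vault hostname
$aadHost      = 'login.microsoftonline.com'    # Azure AD authentication endpoint
$imdsUri      = 'http://169.254.169.254/metadata/instance?api-version=2021-02-01'  # assumed API version

# 1. Outbound 443/tcp to Azure AD and Key Vault must pass the NSG, firewall and proxy path.
foreach ($h in @($aadHost, $keyVaultHost)) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) {
        Write-Host "OK   443/tcp to $h"
    } else {
        Write-Host "FAIL 443/tcp to $h (check NSG rules, firewall and proxy settings)"
    }
}

# 2. IMDS must be reached directly. A proxy that does not bypass 169.254.169.254
#    rewrites the request (for example by adding X-Forwarded-For) and IMDS rejects it.
$imdsUriObj = [Uri]$imdsUri
$userProxy  = [System.Net.WebRequest]::GetSystemWebProxy()   # WinINET (user) proxy settings
if (-not $userProxy.IsBypassed($imdsUriObj)) {
    Write-Host "WARN user proxy $($userProxy.GetProxy($imdsUriObj)) applies to IMDS; add 169.254.169.254 to the bypass list"
}
Write-Host "Machine-wide WinHTTP proxy (used by services running as SYSTEM):"
netsh winhttp show proxy

try {
    # IMDS requires the Metadata:true header; without it the request is refused.
    $meta = Invoke-RestMethod -Uri $imdsUri -Headers @{ Metadata = 'true' } -Method Get -TimeoutSec 5
    Write-Host "OK   IMDS reachable: VM '$($meta.compute.name)', size $($meta.compute.vmSize)"
} catch {
    Write-Host "FAIL IMDS request: $($_.Exception.Message)"
}
```

If the IMDS call succeeds interactively but the extension still reports "Extension status not available on the VM", compare the WinHTTP proxy output with the user proxy, because the extension does not run under the interactive user's settings.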

Troubleshooting Windows Server 2016 Server Core

On Windows Server 2016 Server Core, the bdehdcfg component isn't available by default. Azure Disk Encryption requires this component. It is used to split the system volume from the OS volume, which is done only once for the lifetime of the VM. These binaries aren't required during later encryption operations.

To work around this issue, copy the following four files from a Windows Server 2016 Datacenter VM to the same location on Server Core:

\windows\system32\bdehdcfg.exe
\windows\system32\bdehdcfglib.dll
\windows\system32\en-US\bdehdcfglib.dll.mui
\windows\system32\en-US\bdehdcfg.exe.mui
  1. Enter the following command:

    bdehdcfg.exe -target default
    
  2. This command creates a 550-MB system partition. Reboot the system.

  3. Use DiskPart to check the volumes, and then proceed.

例如:For example:

DISKPART> list vol

  Volume ### Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C                NTFS   Partition    126 GB  Healthy    Boot
  Volume 1                      NTFS   Partition    550 MB  Healthy    System
  Volume 2     D   Temporary S  NTFS   Partition     13 GB  Healthy    Pagefile

Troubleshooting encryption status

The portal may display a disk as encrypted even after it has been decrypted within the VM. This can occur when low-level commands are used to decrypt the disk directly from within the VM, instead of the higher-level Azure Disk Encryption management commands. The higher-level commands not only decrypt the disk from within the VM; outside of the VM they also update the platform-level encryption settings and extension settings associated with the VM. If these are not kept in alignment, the platform cannot report encryption status or provision the VM properly.

To disable Azure Disk Encryption with PowerShell, use Disable-AzVMDiskEncryption followed by Remove-AzVMDiskEncryptionExtension. Running Remove-AzVMDiskEncryptionExtension before encryption has been disabled will fail.

To disable Azure Disk Encryption with the CLI, use az vm encryption disable.
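The PowerShell sequence described above, with the platform-reported status checked between the two steps so that the extension is only removed once the platform and the VM agree, as an added example that is not part of this guide. It assumes the Az.Compute module is loaded and Connect-AzAccount has been run; the resource group and VM names are placeholders.

```powershell
# Added example: disable Azure Disk Encryption through the management plane and
# verify the platform-level status before removing the extension.
$rg = 'my-resource-group'   # placeholder
$vm = 'my-vm'               # placeholder

function Show-AdeStatus([string]$Label) {
    # Get-AzVMDiskEncryptionStatus reports what the platform believes, which is the
    # view the portal shows; it is this status that low-level in-VM decryption leaves stale.
    $s = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
    Write-Host ("{0}: OS={1} Data={2} Progress='{3}'" -f $Label,
        $s.OsVolumeEncrypted, $s.DataVolumesEncrypted, $s.ProgressMessage)
    return $s
}

$null = Show-AdeStatus 'Before'

# Step 1: disable via the management command. This runs the extension inside the VM
# AND updates the platform encryption settings, so both stay in alignment.
Disable-AzVMDiskEncryption -ResourceGroupName $rg -VMName $vm -VolumeType All -Force

$after = Show-AdeStatus 'After Disable-AzVMDiskEncryption'

# Step 2: remove the extension only once the platform no longer reports encrypted
# volumes; running Remove-AzVMDiskEncryptionExtension first fails.
$osDone   = $after.OsVolumeEncrypted   -eq 'NotEncrypted'
$dataDone = $after.DataVolumesEncrypted -ne 'Encrypted' -and
            $after.DataVolumesEncrypted -ne 'EncryptionInProgress'
if ($osDone -and $dataDone) {
    Remove-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm -Force
    $null = Show-AdeStatus 'After Remove-AzVMDiskEncryptionExtension'
} else {
    # A decrypted OS volume can require a restart before the status settles.
    Write-Warning ("Volumes still report '{0}'/'{1}'; do not remove the extension yet." -f
        $after.OsVolumeEncrypted, $after.DataVolumesEncrypted)
}
```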