Azure Disk Encryption scenarios on Windows VMs

Azure Disk Encryption for Windows virtual machines (VMs) uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disks. Additionally, it encrypts the temporary disk when the VolumeType parameter is All.

Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. For an overview of the service, see Azure Disk Encryption for Windows VMs.

You can only apply disk encryption to virtual machines of supported VM sizes and operating systems. You must also meet the following prerequisites:

Important

  • If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue to use this option to encrypt your VM. See Azure Disk Encryption with Azure AD (previous release) for details.

  • You should take a snapshot and/or create a backup before disks are encrypted. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. Once a backup is made, you can use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see Back up and restore encrypted Azure VM.

  • Encrypting or disabling encryption may cause a VM to reboot.

Install tools and connect to Azure

Azure Disk Encryption can be enabled and managed through the Azure CLI and Azure PowerShell. To do so, you must install the tools locally and connect to your Azure subscription.

Azure CLI

The Azure CLI 2.0 is a command-line tool for managing Azure resources. The CLI is designed to flexibly query data, support long-running operations as non-blocking processes, and make scripting easy. You can install it locally by following the steps in Install the Azure CLI.

To sign in to your Azure account with the Azure CLI, first select the China cloud, then use the az login command.

az cloud set -n AzureChinaCloud
az login

If you would like to select a tenant to sign in under, use:

az login --tenant <tenant>

If you have multiple subscriptions and want to specify a particular one, get your subscription list with az account list and select it with az account set.

az account list
az account set --subscription "<subscription name or ID>"

For more information, see Get started with Azure CLI 2.0.

Azure PowerShell

The Azure PowerShell Az module provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.

If you already have it installed locally, make sure you use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest Azure PowerShell release.

To sign in to your Azure account with Azure PowerShell, use the Connect-AzAccount -Environment AzureChinaCloud cmdlet.

Connect-AzAccount -Environment AzureChinaCloud

If you have multiple subscriptions and want to specify one, use the Get-AzSubscription cmdlet to list them, followed by the Set-AzContext cmdlet:

Set-AzContext -Subscription <SubscriptionId>

Running the Get-AzContext cmdlet will verify that the correct subscription has been selected.

To confirm the Azure Disk Encryption cmdlets are installed, use the Get-Command cmdlet:

Get-command *diskencryption*

For more information, see Getting started with Azure PowerShell.

Enable encryption on an existing or running Windows VM

In this scenario, you can enable encryption by using the Resource Manager template, PowerShell cmdlets, or CLI commands. If you need schema information for the virtual machine extension, see the Azure Disk Encryption for Windows extension article.

Enable encryption on existing or running VMs with Azure PowerShell

Use the Set-AzVMDiskEncryptionExtension cmdlet to enable encryption on a running IaaS virtual machine in Azure.

  • Encrypt a running VM: The script below initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, and key vault should have already been created as prerequisites. Replace MyKeyVaultResourceGroup, MyVirtualMachineResourceGroup, MySecureVM, and MySecureVault with your values.

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MySecureVM';
    $KeyVaultName = 'MySecureVault';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;
    
  • Encrypt a running VM using a KEK:

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MyExtraSecureVM';
    $KeyVaultName = 'MySecureVault';
    $keyEncryptionKeyName = 'MyKeyEncryptionKey';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;
    
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]
    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]

  • Verify the disks are encrypted: To check the encryption status of an IaaS VM, use the Get-AzVmDiskEncryptionStatus cmdlet.

    Get-AzVmDiskEncryptionStatus -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM'
    
  • Disable disk encryption: To disable encryption, use the Disable-AzVMDiskEncryption cmdlet. Disabling data disk encryption on a Windows VM when both OS and data disks have been encrypted doesn't work as expected. Disable encryption on all disks instead.

    Disable-AzVMDiskEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM'
    

Enable encryption on existing or running VMs with the Azure CLI

Use the az vm encryption enable command to enable encryption on a running IaaS virtual machine in Azure.

  • Encrypt a running VM:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type [All|OS|Data]
    
  • Encrypt a running VM using a KEK:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type [All|OS|Data]
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]
    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]

  • Verify the disks are encrypted: To check the encryption status of an IaaS VM, use the az vm encryption show command.

    az vm encryption show --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup"
    
  • Disable encryption: To disable encryption, use the az vm encryption disable command. Disabling data disk encryption on a Windows VM when both OS and data disks have been encrypted doesn't work as expected. Disable encryption on all disks instead.

    az vm encryption disable --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup" --volume-type [ALL, DATA, OS]
    

Using the Resource Manager template

You can enable disk encryption on existing or running IaaS Windows VMs in Azure by using the Resource Manager template to encrypt a running Windows VM.

  1. On the Azure quickstart template, click Deploy to Azure.

    Deploy to Azure

    Note

    Templates you downloaded or referenced from the GitHub repo "azure-quickstart-templates" must be modified to fit the Azure China Cloud environment. For example, replace some endpoints ("blob.core.windows.net" with "blob.core.chinacloudapi.cn", "cloudapp.azure.com" with "chinacloudapp.cn"), and change unsupported VM images, VM sizes, SKUs, and resource-provider API versions when necessary.

  2. Select the subscription, resource group, location, settings, legal terms, and agreement. Click Purchase to enable encryption on the existing or running IaaS VM.

    The following table lists the Resource Manager template parameters for existing or running VMs:

    Parameter              Description
    vmName                 Name of the VM to run the encryption operation on.
    keyVaultName           Name of the key vault that the BitLocker key should be uploaded to. You can get it with the cmdlet (Get-AzKeyVault -ResourceGroupName <MyKeyVaultResourceGroupName>).VaultName or the Azure CLI command az keyvault list --resource-group "MyKeyVaultResourceGroup".
    keyVaultResourceGroup  Name of the resource group that contains the key vault.
    keyEncryptionKeyURL    The URL of the key encryption key, in the format https://<keyvault-name>.vault.azure.cn/key/<key-name>. If you do not wish to use a KEK, leave this field blank.
    volumeType             Type of volume that the encryption operation is performed on. Valid values are OS, Data, and All.
    forceUpdateTag         Pass in a unique value like a GUID every time the operation needs to be force run.
    resizeOSDisk           Whether the OS partition should be resized to occupy the full OS VHD before splitting the system volume.
    location               Location for all resources.
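The template path in script form, as an added example that is not part of the original page: it passes the parameters from the table above to a local copy of the quickstart template and then checks what the extension actually reported. It assumes Connect-AzAccount -Environment AzureChinaCloud has succeeded and that $templateFile points at a copy already edited for Azure China (endpoints, image, API versions); the file path and all resource names are placeholders.

```powershell
# Added example, not from the page. Placeholders: template path, group, VM and vault names.
$templateFile = '.\encrypt-running-windows-vm\azuredeploy.json'   # local copy edited for Azure China
$kvRg   = 'MyKeyVaultResourceGroup'
$vmRg   = 'MyVirtualMachineResourceGroup'
$vmName = 'MySecureVM'
$vault  = Get-AzKeyVault -ResourceGroupName $kvRg -VaultName 'MySecureVault'

# Optional KEK: use the versioned key URL from the vault, or leave '' to encrypt without a KEK
# (the table says keyEncryptionKeyURL may be blank).
$kekName = 'MyKeyEncryptionKey'
$kekUrl  = if ($kekName) { (Get-AzKeyVaultKey -VaultName $vault.VaultName -Name $kekName).Key.kid } else { '' }

$parameters = @{
    vmName                = $vmName
    keyVaultName          = $vault.VaultName
    keyVaultResourceGroup = $kvRg
    keyEncryptionKeyURL   = $kekUrl
    volumeType            = 'All'
    # A fresh GUID on every run makes the extension run again even if nothing else changed.
    forceUpdateTag        = [Guid]::NewGuid().ToString()
    resizeOSDisk          = $false
    location              = (Get-AzResourceGroup -Name $vmRg).Location
}

$deployment = New-AzResourceGroupDeployment -ResourceGroupName $vmRg `
    -TemplateFile $templateFile -TemplateParameterObject $parameters -Verbose
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Template deployment ended in state '$($deployment.ProvisioningState)'."
}

# Confirm the encryption state from the VM itself rather than trusting the deployment result alone.
Get-AzVmDiskEncryptionStatus -ResourceGroupName $vmRg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```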

New IaaS VMs created from customer-encrypted VHD and encryption keys

In this scenario, you can create a new VM from a pre-encrypted VHD and the associated encryption keys using PowerShell cmdlets or CLI commands.

Use the instructions in Prepare a pre-encrypted Windows VHD. After the image is created, you can use the steps in the next section to create an encrypted Azure VM.

Encrypt VMs with pre-encrypted VHDs with Azure PowerShell

You can enable disk encryption on your encrypted VHD by using the PowerShell cmdlet Set-AzVMOSDisk. The example below shows some common parameters.

$VirtualMachine = New-AzVMConfig -VMName "MySecureVM" -VMSize "Standard_A1"
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -Name "SecureOSDisk" -VhdUri "os.vhd" -Caching ReadWrite -Windows -CreateOption "Attach" -DiskEncryptionKeyUrl "https://mytestvault.vault.azure.cn/secrets/Test1/514ceb769c984379a7e0230bddaaaaaa" -DiskEncryptionKeyVaultId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myKVresourcegroup/providers/Microsoft.KeyVault/vaults/mytestvault"
New-AzVM -VM $VirtualMachine -ResourceGroupName "MyVirtualMachineResourceGroup"

Enable encryption on a newly added data disk

You can add a new disk to a Windows VM using PowerShell, or through the Azure portal.

Enable encryption on a newly added disk with Azure PowerShell

When using PowerShell to encrypt a new disk for Windows VMs, a new sequence version should be specified. The sequence version has to be unique. The script below generates a GUID for the sequence version. In some cases, a newly added data disk might be encrypted automatically by the Azure Disk Encryption extension. Auto encryption usually occurs when the VM reboots after the new disk comes online. This is typically caused because "All" was specified for the volume type when disk encryption previously ran on the VM. If auto encryption occurs on a newly added data disk, we recommend running the Set-AzVmDiskEncryptionExtension cmdlet again with a new sequence version. If your new data disk is auto encrypted and you do not wish it to be encrypted, decrypt all drives first, then re-encrypt with a new sequence version specifying OS for the volume type.

  • Encrypt a running VM: The script below initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, and key vault should have already been created as prerequisites. Replace MyKeyVaultResourceGroup, MyVirtualMachineResourceGroup, MySecureVM, and MySecureVault with your values. This example uses "All" for the -VolumeType parameter, which includes both OS and Data volumes. If you only want to encrypt the OS volume, use "OS" for the -VolumeType parameter.

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MySecureVM';
    $KeyVaultName = 'MySecureVault';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $sequenceVersion = [Guid]::NewGuid();
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType "All" -SequenceVersion $sequenceVersion;
    
  • Encrypt a running VM using a KEK: This example uses "All" for the -VolumeType parameter, which includes both OS and Data volumes. If you only want to encrypt the OS volume, use "OS" for the -VolumeType parameter.

    $KVRGname = 'MyKeyVaultResourceGroup';
    $VMRGName = 'MyVirtualMachineResourceGroup';
    $vmName = 'MyExtraSecureVM';
    $KeyVaultName = 'MySecureVault';
    $keyEncryptionKeyName = 'MyKeyEncryptionKey';
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
    $sequenceVersion = [Guid]::NewGuid();
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType "All" -SequenceVersion $sequenceVersion;
    
    

    Note

    The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]
    The syntax for the value of the key-encryption-key parameter is the full URI to the KEK, as in: https://[keyvault-name].vault.azure.cn/keys/[kekname]/[kek-unique-id]
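The PowerShell procedure from "Enable encryption on existing or running VMs with Azure PowerShell" and from this section, folded into one function as an added example (not code from the original page): it checks that the vault is enabled for disk encryption, validates the KEK URI against the format in the note above, always supplies a fresh sequence version so a newly added data disk is picked up, passes -SkipVmBackup only when the caller states a backup exists, and polls Get-AzVmDiskEncryptionStatus until the requested volumes report Encrypted. It assumes the Az module is installed and Connect-AzAccount -Environment AzureChinaCloud has succeeded; the function and parameter names are hypothetical.

```powershell
# Added example, not from the page. Function name and parameters are hypothetical.
function Enable-AdeAndVerify {
    param(
        [Parameter(Mandatory)] [string] $VMResourceGroup,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $KeyVaultResourceGroup,
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [string] $KeyEncryptionKeyName,                              # optional KEK in the same vault
        [ValidateSet('All', 'OS', 'Data')] [string] $VolumeType = 'All',
        [switch] $BackupAlreadyTaken,                                # only then pass -SkipVmBackup
        [int] $TimeoutMinutes = 60
    )

    # The extension writes the BitLocker secret to the vault, so the vault must allow that.
    $kv = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroup
    if (-not $kv.EnabledForDiskEncryption) {
        throw "Key vault $KeyVaultName is not enabled for disk encryption " +
              "(Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption)."
    }

    $extArgs = @{
        ResourceGroupName         = $VMResourceGroup
        VMName                    = $VMName
        DiskEncryptionKeyVaultUrl = $kv.VaultUri
        DiskEncryptionKeyVaultId  = $kv.ResourceId
        VolumeType                = $VolumeType
        # A new, unique sequence version makes the extension run again; that is what a
        # data disk added after the previous run needs.
        SequenceVersion           = [Guid]::NewGuid().ToString()
        Force                     = $true   # suppress the prompt; the VM may reboot
    }
    if ($KeyEncryptionKeyName) {
        $kek = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyEncryptionKeyName
        # Full versioned KEK URI, as in the note: https://<vault>.vault.azure.cn/keys/<kek>/<unique-id>
        if ($kek.Key.kid -notmatch '^https://[^/]+\.vault\.azure\.cn/keys/[^/]+/[0-9a-f]{32}$') {
            throw "Unexpected KEK URI format: $($kek.Key.kid)"
        }
        $extArgs.KeyEncryptionKeyUrl     = $kek.Key.kid
        $extArgs.KeyEncryptionKeyVaultId = $kv.ResourceId
    }
    if ($BackupAlreadyTaken) { $extArgs.SkipVmBackup = $true }

    Set-AzVMDiskEncryptionExtension @extArgs | Out-Null

    # Poll until the volumes the caller asked for report Encrypted (NotMounted is accepted for
    # data volumes when the VM has no data disk), or give up at the deadline.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $status   = Get-AzVmDiskEncryptionStatus -ResourceGroupName $VMResourceGroup -VMName $VMName
        $osDone   = ($VolumeType -eq 'Data') -or ($status.OsVolumeEncrypted -eq 'Encrypted')
        $dataDone = ($VolumeType -eq 'OS') -or ($status.DataVolumesEncrypted -in 'Encrypted', 'NotMounted')
        Write-Verbose "$($status.ProgressMessage)"
    } until (($osDone -and $dataDone) -or ((Get-Date) -gt $deadline))

    if (-not ($osDone -and $dataDone)) {
        throw "Encryption not complete after $TimeoutMinutes minutes: $($status.ProgressMessage)"
    }
    return $status
}

# Usage, for example after Add-AzVMDataDisk / Update-AzVM attached a new data disk:
# Enable-AdeAndVerify -VMResourceGroup 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM' `
#     -KeyVaultResourceGroup 'MyKeyVaultResourceGroup' -KeyVaultName 'MySecureVault' `
#     -KeyEncryptionKeyName 'MyKeyEncryptionKey' -VolumeType 'All' -BackupAlreadyTaken -Verbose
```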

Enable encryption on a newly added disk with the Azure CLI

The Azure CLI command will automatically provide a new sequence version for you when you run the command to enable encryption. The example uses "All" for the volume-type parameter. You may need to change the volume-type parameter to OS if you're only encrypting the OS disk. In contrast to the PowerShell syntax, the CLI does not require the user to provide a unique sequence version when enabling encryption. The CLI automatically generates and uses its own unique sequence version value.

  • Encrypt a running VM:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"
    
  • Encrypt a running VM using a KEK:

    az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type "All"
    

Disable encryption

You can disable encryption using Azure PowerShell, the Azure CLI, or a Resource Manager template. Disabling data disk encryption on a Windows VM when both OS and data disks have been encrypted doesn't work as expected. Disable encryption on all disks instead.

  • Disable disk encryption with Azure PowerShell: To disable encryption, use the Disable-AzVMDiskEncryption cmdlet.

    Disable-AzVMDiskEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM' -VolumeType "all"
    
  • Disable encryption with the Azure CLI: To disable encryption, use the az vm encryption disable command.

    az vm encryption disable --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup" --volume-type "all"
    

Unsupported scenarios

Azure Disk Encryption does not work for the following scenarios, features, and technologies:

  • Encrypting basic tier VMs or VMs created through the classic VM creation method.
  • Encrypting VMs configured with software-based RAID systems.
  • Encrypting VMs configured with Storage Spaces Direct (S2D), or Windows Server versions before 2016 configured with Windows Storage Spaces.
  • Integration with an on-premises key management system.
  • Azure Files (shared file system).
  • Network File System (NFS).
  • Dynamic volumes.
  • Windows Server containers, which create dynamic volumes for each container.
  • Ephemeral OS disks.
  • Encryption of shared/distributed file systems such as (but not limited to) DFS, GFS, DRBD, and CephFS.
  • Moving an encrypted VM to another subscription or region.
  • Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs.
  • Gen2 VMs (see: Support for generation 2 VMs on Azure).
  • M-series VMs with Write Accelerator disks.
  • Applying ADE to a VM that has disks encrypted with server-side encryption with customer-managed keys (SSE + CMK). Applying SSE + CMK to a data disk on a VM encrypted with ADE is an unsupported scenario as well.
  • Migrating a VM that is encrypted with ADE, or has ever been encrypted with ADE, to server-side encryption with customer-managed keys.

Next steps