Create a host key and add it to HGS

Applies to: Windows Server 2019

This topic covers how to prepare Hyper-V hosts to become guarded hosts using host key attestation (Key mode). You'll create a host key pair (or use an existing certificate) and add the public half of the key to HGS.

Create a host key

  1. Install Windows Server 2019 on your Hyper-V host machine.

  2. Install the Hyper-V and Host Guardian Hyper-V Support features:

    Install-WindowsFeature Hyper-V, HostGuardian -IncludeManagementTools -Restart
    
  3. Generate a host key automatically, or select an existing certificate. If you are using a custom certificate, it should have at least a 2048-bit RSA key, the Client Authentication EKU, and the Digital Signature key usage.

    Set-HgsClientHostKey
    

    Alternatively, you can specify a thumbprint if you want to use your own certificate. This is useful if you want to share a certificate across multiple machines, or use a certificate bound to a TPM or an HSM. Here is an example of creating a TPM-bound certificate (which prevents the private key from being stolen and used on another machine, and requires only a TPM 1.2):

    $tpmBoundCert = New-SelfSignedCertificate -Subject "Host Key Attestation ($env:computername)" -Provider "Microsoft Platform Crypto Provider"
    Set-HgsClientHostKey -Thumbprint $tpmBoundCert.Thumbprint
    
  4. Get the public half of the key to provide to the HGS server. You can use the following cmdlet or, if you have the certificate stored elsewhere, provide a .cer containing the public half of the key. Note that we only store and validate the public key on HGS; we do not keep any certificate information, nor do we validate the certificate chain or expiration date.

    # $env:hostname is not a standard environment variable; $env:computername (as used above) gives the host name
    Get-HgsClientHostKey -Path "C:\temp\$env:computername-HostKey.cer"
    
  5. Copy the .cer file to your HGS server.
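Because HGS stores only the public key and performs no certificate validation of its own (step 4), the host is the place to confirm that a custom certificate meets the step 3 requirements before pointing Set-HgsClientHostKey -Thumbprint at it. The following check is an added example, not code from the original page or from the HGS feature; it assumes the candidate certificate is in the local machine "My" store, and the function name Test-HgsHostKeyCandidate is a name chosen here.

```powershell
function Test-HgsHostKeyCandidate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Assumption: the certificate lives in Cert:\LocalMachine\My (the store Set-HgsClientHostKey reads from).
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()

    # Requirement: an RSA key of at least 2048 bits. GetRSAPublicKey returns $null for non-RSA keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) {
        $problems += "Public key is not RSA (OID $($cert.PublicKey.Oid.Value))."
    } elseif ($rsa.KeySize -lt 2048) {
        $problems += "RSA key is only $($rsa.KeySize) bits; at least 2048 is required."
    }

    # Requirement: Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { $hasClientAuth = $true }
    }
    if (-not $hasClientAuth) { $problems += "Client Authentication EKU (1.3.6.1.5.5.7.3.2) is missing." }

    # Requirement: Digital Signature key usage.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if ($null -eq $ku -or -not $ku.KeyUsages.HasFlag($digSig)) {
        $problems += "Digital Signature key usage is missing."
    }

    # The host signs attestation requests with this key, so the private half must be present on this machine.
    if (-not $cert.HasPrivateKey) { $problems += "No private key for this certificate is available on this host." }

    if ($problems.Count -eq 0) {
        Write-Output "Certificate $Thumbprint meets the host key requirements; run: Set-HgsClientHostKey -Thumbprint $Thumbprint"
        return $true
    }
    Write-Warning "Certificate $Thumbprint is not suitable as an HGS host key:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
    return $false
}

# Usage (thumbprint is a placeholder; substitute the one from your own store):
# Test-HgsHostKeyCandidate -Thumbprint '<THUMBPRINT-OF-CANDIDATE-CERT>'
```

The function returns $true only when every requirement is met, so it can gate the Set-HgsClientHostKey call in a provisioning script.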

Add the host key to the attestation service

This step is done on the HGS server and allows the host to run shielded VMs. It is recommended that you set the name to the FQDN or resource identifier of the host machine, so you can easily refer to which host the key is installed on.

Add-HgsAttestationHostKey -Name MyHost01 -Path "C:\temp\MyHost01-HostKey.cer"
