Azure Disk Encryption with Azure Active Directory (AD) (previous release)

The new release of Azure Disk Encryption eliminates the requirement for providing an Azure Active Directory (Azure AD) application parameter to enable VM disk encryption. With the new release, you're no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters by using the new release. For instructions on how to enable VM disk encryption by using the new release, see Azure Disk Encryption for Linux VMs. VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.

This article supplements Azure Disk Encryption for Linux VMs with the additional requirements and prerequisites for Azure Disk Encryption with Azure AD (previous release).

The information in these sections remains the same:

Networking and Group Policy

To enable the Azure Disk Encryption feature by using the older AAD parameter syntax, the infrastructure as a service (IaaS) VMs must meet the following network endpoint configuration requirements:

  • To get a token to connect to your key vault, the IaaS VM must be able to connect to the Azure AD endpoint, login.microsoftonline.com.
  • To write the encryption keys to your key vault, the IaaS VM must be able to connect to the key vault endpoint.
  • The IaaS VM must be able to connect to the Azure storage endpoint that hosts the Azure extension repository and to the Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the internet, you can resolve the preceding URIs and configure specific rules to allow outbound connectivity to those IPs. For more information, see Azure Key Vault behind a firewall.
  • On Windows, if TLS 1.0 is explicitly disabled and the .NET Framework version isn't updated to 4.6 or higher, the following registry change enables Azure Disk Encryption to select the more recent TLS version:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
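The following PowerShell is an added example, not part of the original article: it audits and, where needed, applies the two registry values above on both the 64-bit and WOW6432Node .NET Framework hives, and first reports whether the installed .NET Framework is already 4.6 or later by reading the documented Release value under the NET Framework Setup key (that check is not mentioned in the article; 393295 is the documented minimum Release for 4.6).

```powershell
# Added example (not from the article): audit/apply the TLS registry settings
# that let Azure Disk Encryption use a newer TLS version on Windows IaaS VMs.
# Run from an elevated PowerShell session on the VM.
$settings = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

$paths = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit .NET processes on a 64-bit OS read the WOW6432Node hive.
    $paths += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
}

# .NET Framework 4.6+ already follows the OS default TLS versions, so the
# change is only needed on older runtimes. Release >= 393295 means 4.6 or later.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
if ($release -ge 393295) {
    Write-Output "Installed .NET Framework is 4.6 or later (Release=$release); registry change not required."
} else {
    Write-Output "Installed .NET Framework is older than 4.6 (Release=$release); applying registry change."
}

foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) {
        Write-Output "Key missing, creating: $path"
        New-Item -Path $path -Force | Out-Null
    }
    foreach ($name in $settings.Keys) {
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq $settings[$name]) {
            Write-Output "OK   $path\$name = $current"
        } else {
            # Write the DWORD value exactly as the article's .reg fragment specifies.
            Set-ItemProperty -Path $path -Name $name -Value $settings[$name] -Type DWord
            Write-Output "SET  $path\$name : $current -> $($settings[$name])"
        }
    }
}
```

Re-running the script is safe: values that already match are reported as OK and left untouched.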

Group Policy

  • The Azure Disk Encryption solution uses the BitLocker external key protector for Windows IaaS VMs. For domain-joined VMs, don't push any Group Policies that enforce TPM protectors. For information about the Group Policy for the option Allow BitLocker without a compatible TPM, see BitLocker Group Policy reference.

  • BitLocker policy on domain-joined virtual machines with a custom Group Policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key. Azure Disk Encryption fails when custom Group Policy settings for BitLocker are incompatible. On machines that don't have the correct policy setting, apply the new policy, force the new policy to update (gpupdate.exe /force), and then restart if required.

Encryption key storage requirements

Azure Disk Encryption requires Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

For more information, see Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release).

Next steps