

Azure Disk Encryption for Linux (Microsoft.Azure.Security.AzureDiskEncryptionForLinux)

Overview

Azure Disk Encryption leverages the dm-crypt subsystem in Linux to provide full disk encryption on select Azure Linux distributions. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets.

Prerequisites

For a full list of prerequisites, see Azure Disk Encryption for Linux VMs, specifically the following sections:

Extension schema

There are two versions of the extension schema for Azure Disk Encryption (ADE):

  • v1.1 - A newer recommended schema that does not use Microsoft Entra properties.
  • v0.1 - An older schema that requires Microsoft Entra properties.

To select a target schema, the typeHandlerVersion property must be set to the version of the schema that you want to use.

The v1.1 schema is recommended and does not require Microsoft Entra properties.

Note

The DiskFormatQuery parameter is deprecated. Its functionality has been replaced by the EncryptFormatAll option, which is the recommended way to format data disks at the time of encryption.

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "AzureDiskEncryptionForLinux",
        "typeHandlerVersion": "1.1",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "DiskFormatQuery": "[diskFormatQuery]",
          "EncryptionOperation": "[encryptionOperation]",
          "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
          "KeyVaultURL": "[keyVaultURL]",
          "KeyVaultResourceId": "[KeyVaultResourceId]",
          "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
          "KekVaultResourceId": "[KekVaultResourceId]",
          "SequenceVersion": "[sequenceVersion]",
          "VolumeType": "[volumeType]"
        }
  }
}

Schema v0.1: with Microsoft Entra ID

The 0.1 schema requires AADClientID and either AADClientSecret or AADClientCertificate.

Using AADClientSecret:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientSecret": "[aadClientSecret]",
      "Passphrase": "[passphrase]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "0.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "DiskFormatQuery": "[diskFormatQuery]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultURL": "[keyVaultURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Using AADClientCertificate:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientCertificate": "[aadClientCertificate]",
      "Passphrase": "[passphrase]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "0.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "DiskFormatQuery": "[diskFormatQuery]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KeyVaultURL": "[keyVaultURL]",
      "SequenceVersion": "[sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Property values

Note: All property values are case sensitive.

Name                                                   | Value / Example                             | Data type
-------------------------------------------------------|---------------------------------------------|----------------
apiVersion                                             | 2019-07-01                                  | date
publisher                                              | Microsoft.Azure.Security                    | string
type                                                   | AzureDiskEncryptionForLinux                 | string
typeHandlerVersion                                     | 1.1, 0.1                                    | int
(0.1 schema) AADClientID                               | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx        | guid
(0.1 schema) AADClientSecret                           | password                                    | string
(0.1 schema) AADClientCertificate                      | thumbprint                                  | string
(optional) (0.1 schema) Passphrase                     | password                                    | string
DiskFormatQuery                                        | {"dev_path":"","name":"","file_system":""}  | JSON dictionary
EncryptionOperation                                    | EnableEncryption, EnableEncryptionFormatAll | string
(optional - default RSA-OAEP) KeyEncryptionAlgorithm   | 'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'        | string
KeyVaultURL                                            | url                                         | string
KeyVaultResourceId                                     | url                                         | string
(optional) KeyEncryptionKeyURL                         | url                                         | string
(optional) KekVaultResourceId                          | url                                         | string
(optional) SequenceVersion                             | unique identifier                           | string
VolumeType                                             | OS, Data, All                               | string
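As an added check that is not part of the original article or of the extension itself, the following Python function validates an ADE extension resource against the v1.1 and v0.1 schema rules and the property table above (v1.1 must carry no Microsoft Entra properties, v0.1 needs AADClientID plus one of AADClientSecret/AADClientCertificate, allowed values are case sensitive, DiskFormatQuery is deprecated). The sample resource, its name and its vault values are constructed placeholders.

```python
# Allowed values taken from the property table; comparisons are deliberately
# case sensitive because the article states that all property values are.
OPERATIONS = {"EnableEncryption", "EnableEncryptionFormatAll"}
ALGORITHMS = {"RSA-OAEP", "RSA-OAEP-256", "RSA1_5"}
VOLUME_TYPES = {"OS", "Data", "All"}
AAD_PROTECTED = {"AADClientSecret", "AADClientCertificate"}

def validate_ade_extension(resource: dict) -> list:
    """Return the problems found in an ADE for Linux extension resource (empty list = consistent)."""
    problems = []
    props = resource.get("properties", {})
    settings = props.get("settings", {})
    protected = props.get("protectedSettings", {})
    if (props.get("publisher"), props.get("type")) != ("Microsoft.Azure.Security", "AzureDiskEncryptionForLinux"):
        problems.append("publisher/type must be Microsoft.Azure.Security/AzureDiskEncryptionForLinux")
    version = props.get("typeHandlerVersion")
    if version == "1.1":
        # v1.1: no Microsoft Entra properties; KeyVaultResourceId is listed as required.
        entra = ({"AADClientID"} & set(settings)) | (AAD_PROTECTED & set(protected))
        if entra:
            problems.append(f"v1.1 schema does not use Microsoft Entra properties: {sorted(entra)}")
        if "KeyVaultResourceId" not in settings:
            problems.append("v1.1 schema requires KeyVaultResourceId")
    elif version == "0.1":
        # v0.1: AADClientID plus exactly one of secret/certificate in protectedSettings.
        if "AADClientID" not in settings:
            problems.append("v0.1 schema requires AADClientID in settings")
        if len(AAD_PROTECTED & set(protected)) != 1:
            problems.append("v0.1 schema requires either AADClientSecret or AADClientCertificate")
    else:
        problems.append(f"typeHandlerVersion must be '1.1' or '0.1', got {version!r}")
    if "KeyVaultURL" not in settings:
        problems.append("KeyVaultURL is required")
    if settings.get("EncryptionOperation") not in OPERATIONS:
        problems.append("EncryptionOperation must be EnableEncryption or EnableEncryptionFormatAll")
    if settings.get("KeyEncryptionAlgorithm", "RSA-OAEP") not in ALGORITHMS:  # default is RSA-OAEP
        problems.append("KeyEncryptionAlgorithm must be RSA-OAEP, RSA-OAEP-256 or RSA1_5")
    if settings.get("VolumeType") not in VOLUME_TYPES:
        problems.append("VolumeType must be OS, Data or All")
    if "DiskFormatQuery" in settings:
        problems.append("DiskFormatQuery is deprecated; use EncryptionOperation EnableEncryptionFormatAll")
    return problems

# Constructed sample v1.1 resource; the vault URL and resource id are placeholders, not real values.
SAMPLE_V11 = {"type": "extensions", "name": "ade-example", "apiVersion": "2019-07-01", "properties": {
    "publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryptionForLinux",
    "typeHandlerVersion": "1.1", "autoUpgradeMinorVersion": True, "settings": {
        "EncryptionOperation": "EnableEncryption", "VolumeType": "All",
        "KeyVaultURL": "https://example-vault.vault.azure.net/",
        "KeyVaultResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/example-vault"}}}
```

Run `validate_ade_extension` over each extension resource in a template before deployment; a non-empty list means the resource would be rejected or, worse, silently use the wrong schema.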

Template deployment

For an example of template deployment based on schema v1.1, see the Azure Quickstart Template encrypt-running-linux-vm-without-aad.

For an example of template deployment based on schema v0.1, see the Azure Quickstart Template encrypt-running-linux-vm.

Warning

  • If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue to use this option to encrypt your VM.
  • When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend avoiding SSH logins while encryption is in progress, to avoid issues with open files that need to be accessed during the encryption process. To check progress, use the Get-AzVMDiskEncryptionStatus PowerShell cmdlet or the vm encryption CLI command. This process can be expected to take a few hours for a 30 GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time is proportional to the size and number of the data volumes; the encrypt format all option is faster than in-place encryption, but results in the loss of all data on the disks.
  • Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted.

Note

Also, if the VolumeType parameter is set to All, data disks are encrypted only if they are properly mounted.

Troubleshooting and support

Troubleshoot

For troubleshooting information, see the Azure Disk Encryption troubleshooting guide.

Support

If you need more help at any point in this article, you can contact the Azure experts on the MSDN Azure and Stack Overflow forums.

You can also file an Azure support incident. Go to Azure support and select Get support. For information about using Azure support, see the Microsoft Azure support FAQ.

Next steps