Set-AzVMDiskEncryptionExtension

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-EncryptionIdentity <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-AadClientID] <String>
    [-AadClientSecret] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-AadClientID] <String>
    [-AadClientCertThumbprint] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-Migrate]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-MigrationRecovery]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Cmdleten Set-AzVMDiskEncryptionExtension möjliggör kryptering på en virtuell IaaS-dator (infrastruktur som en tjänst) som körs i Azure. Det möjliggör kryptering genom att installera diskkrypteringstillägget på den virtuella datorn.

Den här cmdleten kräver bekräftelse från användarna eftersom ett av stegen för att aktivera kryptering kräver en omstart av den virtuella datorn.

Vi rekommenderar att du sparar ditt arbete på den virtuella datorn innan du kör den här cmdleten.

Linux: VolumeType-parametern krävs vid kryptering av virtuella Linux-datorer och måste anges till ett värde ("Os", "Data" eller "Alla") som stöds av Linux-distributionen.

Windows: Parametern VolumeType kan utelämnas, i vilket fall åtgärden är standard för Alla. Om parametern VolumeType finns för en virtuell Windows-dator måste den vara inställd på alla eller operativsystem.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Det här exemplet aktiverar kryptering på en virtuell dator utan att ange AD-autentiseringsuppgifter.

$params = New-Object PSObject -Property @{
    ResourceGroupName = "[resource-group-name]"
    VMName = "[vm-name]"
    DiskEncryptionKeyVaultId = "/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]"
    DiskEncryptionKeyVaultUrl = "https://[keyvault-name].vault.azure.net"
    KeyEncryptionKeyVaultId = "/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]"
    KeyEncryptionKeyUrl = "https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]"
    VolumeType = "All"
}

$params | Set-AzVMDiskEncryptionExtension

Det här exemplet skickar parametrar med pipelineindata för att aktivera kryptering på en virtuell dator, utan att ange AD-autentiseringsuppgifter.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

I det här exemplet används Microsoft Entra-klient-ID och klienthemlighet för att aktivera kryptering på en virtuell dator.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"

# create Azure AD application and associate the certificate
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
$ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

$AADClientID = $AzureAdApplication.ApplicationId
$aadClientCertThumbprint= $cert.Thumbprint

#Upload pfx to KeyVault
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$JSONObject = @"
    {
        "data" : "$filecontentencoded",
        "dataType" : "pfx",
        "password" : "$CertPassword"
    }
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
$JSONEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)

$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment

#deploy cert to VM
$CertUrl = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzVM -VM $VM -ResourceGroupName $RGName

#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Det här exemplet använder Microsoft Entra-klient-ID och tumavtryck för klientcertifiering för att aktivera kryptering på en virtuell dator.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"

$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"

$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"

$KEKName = "MyKeyEncryptionKey"
$KEK = Add-AzKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid

Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Det här exemplet använder Microsoft Entra-klient-ID och klienthemlighet för att aktivera kryptering på en virtuell dator och omsluter diskkrypteringsnyckeln med hjälp av en nyckelkrypteringsnyckel.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$KEKName = "MyKeyEncryptionKey"
$KEK = Add-AzKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid
$VolumeType = "All"

# create Azure AD application and associate the certificate
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
$ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

$AADClientID = $AzureAdApplication.ApplicationId
$AADClientCertThumbprint= $Cert.Thumbprint

#Upload pfx to KeyVault
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
$JSONObject = @"
    {
        "data" : "$filecontentencoded",
        "dataType" : "pfx",
        "password" : "$CertPassword"
    }
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
$JsonEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)
$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName-Name $KeyVaultSecretName -SecretValue $Secret
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment

#deploy cert to VM
$CertUrl = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzVM -VM $VM -ResourceGroupName $RGName

#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Det här exemplet använder Microsoft Entra-klient-ID och tumavtryck för klientcertifikat för att aktivera kryptering på en virtuell dator och omsluter diskkrypteringsnyckeln med hjälp av en nyckelkrypteringsnyckel.

Den här cmdleten stöder vanliga parametrar: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction och -WarningVariable. Mer information finns i about_CommonParameters.