KEK Not Working but BEK Does!!! HEELLPP!!!
Question
So I run the following script for KEK encryption and it errors out. The dreaded: Provisioning fails file 0.Status not found.
The same script works if I remove the KEK and let it run as a BEK encryption.
The interesting thing is the extension versions are different between BEK and KEK.
BEK succeeded
Microsoft.Azure.Security.AzureDiskEncryptionForLinux 1.1.0.22 Succeeded
KEK failed
Here is the KEK script that I am running:
#Input Area
$subscriptionName = 'Subscription'
$aadSvcPrinAppDisplayName = 'VMEncryptionSvcPrinDev'
$aadSvcPrinAppHomePage = 'http://FakeURLBecauseItsNotReallyNeededForThisPurpose'
$aadSvcPrinAppIdentifierUri = 'https://DomainName.com/VMEncryptionSvcPrinDev'
$aadSvcPrinAppPassword = ConvertTo-SecureString 'SuperStrongPassword' -AsPlainText -Force
#--Create Service Principal App to Use For Encryption of VMs
$aadSvcPrinApplication = New-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName -HomePage $aadSvcPrinAppHomePage -IdentifierUris $aadSvcPrinAppIdentifierUri -Password $aadSvcPrinAppPassword
New-AzureRmADServicePrincipal -ApplicationId $aadSvcPrinApplication.ApplicationId
$sequenceVersion = [Guid]::NewGuid();
$vmName = 'centos74';
$resourceGroupName = 'test'
$keyVaultName = 'KeyVault-Dev'
$keyVaultLocation = 'Canada Central'
#--Premium SKU; the KEK could be HSM-backed by changing -Destination below to 'HSM'
New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Location $keyVaultLocation -Sku 'Premium'
$aadSvcPrinAppDisplayName = 'VMEncryptionSvcPrinDev'
$keyName = 'VMEncryption-KEK'
$keyType = 'Software'
$backupserviceid = '262044b1-e2ce-469f-a196-69ab7ada62d3'
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName $backupserviceid
$aadSvcPrinApplication = Get-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName
#--The encryption service principal only needs wrapKey on keys and set on secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadSvcPrinApplication.ApplicationId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $resourceGroupName
#--Lets the Azure platform read the wrapped BEK from the vault at VM boot
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption
#--- Add yourself as a KeyVault Admin with full privileges - Manual
Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyName -Destination $keyType
$keyVault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName;
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
$keyVaultResourceId = $keyVault.ResourceId;
$keyEncryptionKeyUrl = Get-AzureKeyVaultKey -VaultName $keyVaultName -KeyName $keyName;
$aadSvcPrinApplication = Get-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName;
#--Single statement: a line break before -DiskEncryptionKeyVaultId's value would end the command early; Key.Kid is the versioned KEK URL
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadSvcPrinApplication.ApplicationId -AadClientSecret $aadSvcPrinAppPassword -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl.Key.Kid -KeyEncryptionKeyVaultId $keyVaultResourceId -VolumeType 'Data' -SequenceVersion $sequenceVersion;
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName
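An added preflight check for the KEK path (my code, not the poster's script and not Microsoft's): it uses the same AzureRM cmdlets and values as the script above to confirm, before Set-AzureRmVMDiskEncryptionExtension is called, that the vault and VM share a region, the vault is EnabledForDiskEncryption, the KEK exists and is enabled, and the service principal holds exactly wrapKey on keys and set on secrets. The function name Test-AdeKekPrerequisites is assumed.

```powershell
function Test-AdeKekPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$KeyVaultName,
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$AadClientId   # ApplicationId of the encryption SP
    )
    $problems = @()
    $vm    = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName

    # ADE requires the vault and the VM to be in the same region and subscription.
    if ($vault.Location -ne $vm.Location) {
        $problems += "Vault is in '$($vault.Location)' but the VM is in '$($vm.Location)'"
    }
    # Without this flag the platform cannot read the wrapped BEK at boot.
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += 'Vault is not EnabledForDiskEncryption'
    }
    # The KEK must exist and be enabled; the extension wraps the BEK with it.
    $kek = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyName -ErrorAction SilentlyContinue
    if (-not $kek) {
        $problems += "Key '$KeyName' not found in vault '$KeyVaultName'"
    } elseif (-not $kek.Attributes.Enabled) {
        $problems += "Key '$KeyName' exists but is disabled"
    }
    # Least privilege: the SP needs wrapKey on keys and set on secrets, nothing more.
    $sp     = Get-AzureRmADServicePrincipal -ServicePrincipalName $AadClientId
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) {
        $problems += "No access policy for service principal $AadClientId"
    } else {
        if ($policy.PermissionsToKeys    -notcontains 'wrapKey') { $problems += 'SP lacks wrapKey on keys' }
        if ($policy.PermissionsToSecrets -notcontains 'set')     { $problems += 'SP lacks set on secrets' }
    }
    # Key.Kid is the versioned key URL that -KeyEncryptionKeyUrl expects.
    $kekUrl = $null
    if ($kek) { $kekUrl = $kek.Key.Kid }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); KekUrl = $kekUrl; Issues = $problems }
}

# Call with the values from the script above; stop before encrypting if anything is flagged.
$check = Test-AdeKekPrerequisites -ResourceGroupName 'test' -VMName 'centos74' -KeyVaultName 'KeyVault-Dev' `
    -KeyName 'VMEncryption-KEK' -AadClientId (Get-AzureRmADApplication -DisplayName 'VMEncryptionSvcPrinDev').ApplicationId
if (-not $check.Ready) { $check.Issues | ForEach-Object { Write-Warning $_ } }
```

Running this against a Get-AzureRmVMDiskEncryptionStatus failure narrows the cause to either the vault setup (an Issues entry) or the VM side, which the answer below asks about.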
Accepted answer
Could you please provide the configuration of the Azure VM (OS, memory, disks, etc.)?
Meanwhile, you can take a look at the demo PowerShell script of how to set up the necessary Key Vault prerequisites:
Recommended workflow: this issue may occur because of insufficient memory; if available memory is low, even where total memory is high because of other active memory use, this issue can still be triggered during the OS encryption phase.
Troubleshooting guide:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-tsg