Security Center "Apply Disk Encryption" high priority warning


Problem description


I'm trying to better understand this warning in Security Center:

"Apply Disk Encryption"


The VM's are using "managed disks", and based on the explanation when I click this high priority item in Security Center, managed disks are by default encrypted at rest:

"By default, managed disks are encrypted at rest using Azure Storage Service Encryption (using keys managed by Azure)."

Here is the whole paragraph:


Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and compliance commitments in customer Azure key vault. Managed Disks are encrypted at rest by default using Azure Storage Service Encryption using keys managed by Azure. If you are using Managed Disks, we recommend you to use ADE if you want to encrypt disks and safeguard your encryption keys in Azure key vault including encryption of the ephemeral (temp) disks. You can completely control and manage your disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest.


What would be the reason to use ADE additionally on managed disks, so we control the encryption key instead of Azure managing it?


Also wanted to know if anything special is needed for a VM to boot up once ADE is enabled on it, or if it can boot automatically by getting what it needs from Azure key vault.

Recommended answer

There are three Azure features that provide encryption at rest. Azure Disk Encryption is used to encrypt the OS and data disks in IaaS Virtual Machines. Client-side Encryption and SSE are both used to encrypt data in Azure Storage.


While you can use Client-side Encryption to encrypt the data in transit (which is also stored in its encrypted form in Storage), you may prefer to use HTTPS during the transfer, and have some way for the data to be automatically encrypted when it is stored. There are two ways to do this -- Azure Disk Encryption and SSE. One is used to directly encrypt the data on OS and data disks used by VMs, and the other is used to encrypt data written to Azure Blob Storage.


For more information refer:

Comparison of Azure Disk Encryption, SSE, and Client-Side Encryption

https://blogs.msdn.microsoft.com/premier_developer/2018/04/30/azure-storage-encryption-and-azure-disk-encryption-demystified/
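As an added example (not part of the question or the answer above), the following PowerShell check shows the two layers the answer distinguishes on a managed-disk VM: the Storage Service Encryption key type recorded on each disk, and whether Azure Disk Encryption is active inside the guest, which is what the Security Center item looks for. It assumes the Az module and an existing login; the resource group, VM and Key Vault names are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has run
# and that the placeholder names below are replaced with real ones.
$rg     = 'RG-PLACEHOLDER'
$vmName = 'VM-PLACEHOLDER'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Layer 1: Storage Service Encryption on the managed disks themselves.
# Encryption.Type reports whether a platform-managed or customer-managed key is used;
# this is always on, so it does not by itself clear the Security Center item.
$diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
           @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
foreach ($id in $diskIds) {
    # A disk may live in a different resource group than the VM, so take both from its ID.
    if ($id -match '/resourceGroups/([^/]+)/.*/disks/([^/]+)$') {
        $disk = Get-AzDisk -ResourceGroupName $Matches[1] -DiskName $Matches[2]
        Write-Host ("SSE  {0,-40} {1}" -f $disk.Name, $disk.Encryption.Type)
    }
}

# Layer 2: Azure Disk Encryption (BitLocker on Windows, dm-crypt on Linux) in the guest.
# OsVolumeEncrypted / DataVolumesEncrypted are what the recommendation checks.
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
Write-Host ("ADE  OS volume    : {0}" -f $ade.OsVolumeEncrypted)
Write-Host ("ADE  Data volumes : {0}" -f $ade.DataVolumesEncrypted)

# To apply ADE with keys held in your own Key Vault (the vault must be in the same
# region as the VM and have EnabledForDiskEncryption set), uncomment:
#   $kv = Get-AzKeyVault -VaultName 'KV-PLACEHOLDER' -ResourceGroupName $rg
#   Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
#       -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
#       -VolumeType All
```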

