Set-AzVMDiskEncryptionExtension

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-EncryptionIdentity <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-AadClientID] <String>
    [-AadClientSecret] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-AadClientID] <String>
    [-AadClientCertThumbprint] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-Migrate]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-MigrationRecovery]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

O cmdlet Set-AzVMDiskEncryptionExtension habilita a criptografia em uma máquina virtual IaaS (infraestrutura como serviço) em execução no Azure. Ele permite a criptografia instalando a extensão de criptografia de disco na máquina virtual.

Esse cmdlet requer a confirmação dos usuários, pois uma das etapas para habilitar a criptografia requer uma reinicialização da máquina virtual.

É aconselhável que você salve seu trabalho na máquina virtual antes de executar este cmdlet.

Linux: O parâmetro VolumeType é necessário ao criptografar máquinas virtuais Linux e deve ser definido como um valor ("Os", "Data" ou "All") suportado pela distribuição Linux.

Windows: O parâmetro VolumeType pode ser omitido, caso em que a operação assume como padrão All; se o parâmetro VolumeType estiver presente para uma máquina virtual do Windows, ele deverá ser definido como All ou OS.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Este exemplo habilita a criptografia em uma VM sem especificar as credenciais do AD.

$params = New-Object PSObject -Property @{
    ResourceGroupName = "[resource-group-name]"
    VMName = "[vm-name]"
    DiskEncryptionKeyVaultId = "/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]"
    DiskEncryptionKeyVaultUrl = "https://[keyvault-name].vault.azure.net"
    KeyEncryptionKeyVaultId = "/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]"
    KeyEncryptionKeyUrl = "https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]"
    VolumeType = "All"
}

$params | Set-AzVMDiskEncryptionExtension

Este exemplo envia parâmetros usando entrada em pipeline para habilitar a criptografia em uma VM, sem especificar credenciais do AD.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Este exemplo usa a ID do cliente Microsoft Entra e o segredo do cliente para habilitar a criptografia em uma VM.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"

# create Azure AD application and associate the certificate
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
$ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

$AADClientID = $AzureAdApplication.ApplicationId
$aadClientCertThumbprint= $cert.Thumbprint

#Upload pfx to KeyVault
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$JSONObject = @"
    {
        "data" : "$filecontentencoded",
        "dataType" : "pfx",
        "password" : "$CertPassword"
    }
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
$JSONEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)

$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment

#deploy cert to VM
$CertUrl = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzVM -VM $VM -ResourceGroupName $RGName

#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Este exemplo usa a ID do cliente Microsoft Entra e impressões digitais de certificação do cliente para habilitar a criptografia em uma VM.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"

$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"

$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"

$KEKName = "MyKeyEncryptionKey"
$KEK = Add-AzKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid

Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Este exemplo usa a ID do cliente Microsoft Entra e o segredo do cliente para habilitar a criptografia em uma VM e encapsula a chave de criptografia de disco usando uma chave de criptografia de chave.

$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$KEKName = "MyKeyEncryptionKey"
$KEK = Add-AzKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid
$VolumeType = "All"

# create Azure AD application and associate the certificate
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
$ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

$AADClientID = $AzureAdApplication.ApplicationId
$AADClientCertThumbprint= $Cert.Thumbprint

#Upload pfx to KeyVault
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
$JSONObject = @"
    {
        "data" : "$filecontentencoded",
        "dataType" : "pfx",
        "password" : "$CertPassword"
    }
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
$JsonEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)
$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName-Name $KeyVaultSecretName -SecretValue $Secret
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment

#deploy cert to VM
$CertUrl = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzVM -VM $VM -ResourceGroupName $RGName

#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

Este exemplo usa a ID do cliente Microsoft Entra e a impressão digital do certificado do cliente para habilitar a criptografia em uma VM e encapsula a chave de criptografia de disco usando uma chave de criptografia de chave.

Este cmdlet suporta os parâmetros comuns: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction e -WarningVariable. Para obter mais informações, consulte about_CommonParameters.