如何使用存储在托管 HSM 中的客户托管密钥为托管磁盘启用服务器端加密?
How to enable the server-side encryption with customer-managed keys stored in Managed HSM for managed disks?
我已经使用以下 terraform 脚本创建并激活了托管 HSM:
main.tf
data "azurerm_client_config" "current" {}
## Create a Resource Group
resource "azurerm_resource_group" "resource_group" {
name = var.resource_group_name
location = var.location
}
## Create a Key Vault Managed Hardware Security Module
resource "azurerm_key_vault_managed_hardware_security_module" "kv_hsm" {
name = var.kv_hsm_name
resource_group_name = azurerm_resource_group.resource_group.name
location = azurerm_resource_group.resource_group.location
sku_name = var.sku_name
purge_protection_enabled = true
soft_delete_retention_days = 90
tenant_id = data.azurerm_client_config.current.tenant_id
admin_object_ids = [data.azurerm_client_config.current.object_id]
tags = var.tags
depends_on = [
azurerm_resource_group.resource_group
]
}
## Use openssl to generate 3 self signed certificate
resource "null_resource" "OPENSSLCERT" {
count = 3
provisioner "local-exec" {
command = <<EOT
cd "C:\Program Files\Git\usr\bin"
./openssl.exe req -newkey rsa:2048 -nodes -keyout ${var.KeyName[count.index]} -x509 -days 365 -out ${var.CertName[count.index]} -subj "/C=IN/ST=XX/L=XX/O=abc ltd/OU=Stack/CN=abc.com"
EOT
interpreter = [
"PowerShell", "-Command"
]
}
}
## Use the az keyvault security-domain download command to download the security domain and activate your managed HSM.
resource "null_resource" "securityDomain" {
provisioner "local-exec" {
command = <<EOT
az keyvault security-domain download --hsm-name ${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name} --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file ${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name}-SD.json
EOT
interpreter = [
"PowerShell", "-Command"
]
}
depends_on = [
null_resource.OPENSSLCERT,
azurerm_key_vault_managed_hardware_security_module.kv_hsm
]
}
我已按照 this 文档使用存储在托管 HSM 中的客户托管密钥为托管磁盘启用加密。但是在创建磁盘加密集时,我看不到最近创建的托管 HSM。
如何使用存储在托管 HSM 中的客户管理密钥为使用 CLI/PowerShell/Portal 的托管磁盘启用服务器端加密?
如评论中所述,您无法在 Portal 中找到 HSM Key Vault,因此您必须 使用Azure Keyvault Powershell Module or Azure Keyvault CLI Module .
作为解决方案,您可以在 Terraform 脚本中添加以下内容以使用托管 HSM创建磁盘加密集:
resource "null_resource" "diskencryptionset" {
provisioner "local-exec" {
command = <<EOT
$rgName='${azurerm_resource_group.example.name}'
$location='${azurerm_resource_group.example.location}'
$keyVaultName='${azurerm_key_vault_managed_hardware_security_module.example.name}'
$keyName='diskencrytptionkey'
$diskEncryptionSetName='ansumandiskset'
az keyvault role assignment create --hsm-name $KeyvaultName --role "Managed HSM Crypto User" --assignee ${data.azurerm_client_config.current.object_id} --scope /
az keyvault key create --hsm-name $keyVaultName --name $keyName --protection software
$keyVaultKeyUrl=$(az keyvault key show --hsm-name $keyVaultName --name $keyName --query [key.kid] -o tsv)
az disk-encryption-set create -n $diskEncryptionSetName -l $location -g $rgName --source-vault $keyVaultName --key-url $keyVaultKeyUrl --enable-auto-key-rotation false
$desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
az keyvault role assignment create --hsm-name $keyVaultName --role "Managed HSM Crypto Service Encryption User" --assignee $desIdentity --scope /keys
EOT
interpreter = [
"PowerShell","-Command"
]
}
depends_on = [
null_resource.securityDomain
]
}
输出:
我已经使用以下 terraform 脚本创建并激活了托管 HSM:
main.tf
data "azurerm_client_config" "current" {}
## Create a Resource Group
resource "azurerm_resource_group" "resource_group" {
name = var.resource_group_name
location = var.location
}
## Create a Key Vault Managed Hardware Security Module
resource "azurerm_key_vault_managed_hardware_security_module" "kv_hsm" {
name = var.kv_hsm_name
resource_group_name = azurerm_resource_group.resource_group.name
location = azurerm_resource_group.resource_group.location
sku_name = var.sku_name
purge_protection_enabled = true
soft_delete_retention_days = 90
tenant_id = data.azurerm_client_config.current.tenant_id
admin_object_ids = [data.azurerm_client_config.current.object_id]
tags = var.tags
depends_on = [
azurerm_resource_group.resource_group
]
}
## Use openssl to generate 3 self signed certificate
resource "null_resource" "OPENSSLCERT" {
count = 3
provisioner "local-exec" {
command = <<EOT
cd "C:\Program Files\Git\usr\bin"
./openssl.exe req -newkey rsa:2048 -nodes -keyout ${var.KeyName[count.index]} -x509 -days 365 -out ${var.CertName[count.index]} -subj "/C=IN/ST=XX/L=XX/O=abc ltd/OU=Stack/CN=abc.com"
EOT
interpreter = [
"PowerShell", "-Command"
]
}
}
## Use the az keyvault security-domain download command to download the security domain and activate your managed HSM.
resource "null_resource" "securityDomain" {
provisioner "local-exec" {
command = <<EOT
az keyvault security-domain download --hsm-name ${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name} --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file ${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name}-SD.json
EOT
interpreter = [
"PowerShell", "-Command"
]
}
depends_on = [
null_resource.OPENSSLCERT,
azurerm_key_vault_managed_hardware_security_module.kv_hsm
]
}
我已按照 this 文档使用存储在托管 HSM 中的客户托管密钥为托管磁盘启用加密。但是在创建磁盘加密集时,我看不到最近创建的托管 HSM。
如何使用存储在托管 HSM 中的客户管理密钥为使用 CLI/PowerShell/Portal 的托管磁盘启用服务器端加密?
如评论中所述,您无法在 Portal 中找到 HSM Key Vault,因此您必须 使用Azure Keyvault Powershell Module or Azure Keyvault CLI Module .
作为解决方案,您可以在 Terraform 脚本中添加以下内容以使用托管 HSM创建磁盘加密集:
resource "null_resource" "diskencryptionset" {
provisioner "local-exec" {
command = <<EOT
$rgName='${azurerm_resource_group.example.name}'
$location='${azurerm_resource_group.example.location}'
$keyVaultName='${azurerm_key_vault_managed_hardware_security_module.example.name}'
$keyName='diskencrytptionkey'
$diskEncryptionSetName='ansumandiskset'
az keyvault role assignment create --hsm-name $KeyvaultName --role "Managed HSM Crypto User" --assignee ${data.azurerm_client_config.current.object_id} --scope /
az keyvault key create --hsm-name $keyVaultName --name $keyName --protection software
$keyVaultKeyUrl=$(az keyvault key show --hsm-name $keyVaultName --name $keyName --query [key.kid] -o tsv)
az disk-encryption-set create -n $diskEncryptionSetName -l $location -g $rgName --source-vault $keyVaultName --key-url $keyVaultKeyUrl --enable-auto-key-rotation false
$desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
az keyvault role assignment create --hsm-name $keyVaultName --role "Managed HSM Crypto Service Encryption User" --assignee $desIdentity --scope /keys
EOT
interpreter = [
"PowerShell","-Command"
]
}
depends_on = [
null_resource.securityDomain
]
}
输出: