KEK doesn't work, but BEK does!!! HEELLPP!

Problem description

So I run the following script for KEK encryption and it errors out. The dreaded: "Provisioning fails file 0. Status not found." The same script works if I remove the KEK and let it run as a BEK encryption. The interesting thing is the extension versions are different between BEK and KEK.

BEK succeeded: Microsoft.Azure.Security.AzureDiskEncryptionForLinux 1.1.0.22 Succeeded
KEK failed

Here is the KEK script that I am running:

#Input Area
$subscriptionName = 'Subscription'
$aadSvcPrinAppDisplayName = 'VMEncryptionSvcPrinDev'
$aadSvcPrinAppHomePage = 'http://FakeURLBecauseItsNotReallyNeededForThisPurpose'
$aadSvcPrinAppIdentifierUri = 'https://DomainName.com/VMEncryptionSvcPrinDev'
$aadSvcPrinAppPassword = ConvertTo-SecureString 'SuperStrongPassword' -AsPlainText -Force

#--Create Service Principal App to Use For Encryption of VMs
$aadSvcPrinApplication = New-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName -HomePage $aadSvcPrinAppHomePage -IdentifierUris $aadSvcPrinAppIdentifierUri -Password $aadSvcPrinAppPassword
New-AzureRmADServicePrincipal -ApplicationId $aadSvcPrinApplication.ApplicationId

$sequenceVersion = [Guid]::NewGuid();
$vmName = 'centos74';
$resourceGroupName = 'test'
$keyVaultName = 'KeyVault-Dev'
$keyVaultLocation = 'Canada Central'

# Premium SKU so the vault can hold HSM-backed keys if needed
New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Location $keyVaultLocation -Sku 'Premium'

$aadSvcPrinAppDisplayName = 'VMEncryptionSvcPrinDev'
$keyName = 'VMEncryption-KEK'
$keyType = 'Software'
$backupserviceid = '262044b1-e2ce-469f-a196-69ab7ada62d3'

# Access policy for the Azure Backup service principal (backup/get/list on keys, get/list on secrets)
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName $backupserviceid

# Access policy for the encryption app: wrapKey on keys (wrap the BEK with the KEK), set on secrets (store the wrapped BEK)
$aadSvcPrinApplication = Get-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadSvcPrinApplication.ApplicationId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $resourceGroupName
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption

#--- Add yourself as a KeyVault Admin with full privileges - Manual

# Create the software-protected key encryption key (KEK)
Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyName -Destination $keyType

$keyVault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$keyVaultResourceId = $KeyVault.ResourceId;
$keyEncryptionKeyUrl = Get-AzureKeyVaultKey -VaultName $keyVaultName -KeyName $keyName;
$aadSvcPrinApplication = Get-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName;

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadSvcPrinApplication.ApplicationId -AadClientSecret $aadSvcPrinAppPassword -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl.key.kid -KeyEncryptionKeyVaultId $keyVaultResourceId -VolumeType 'Data' -SequenceVersion $sequenceVersion;

Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName

Recommended answer

Could you provide the configuration of your Azure VM (OS, memory, disks, etc.)?

Meanwhile, you can look at the demo PowerShell script that shows how to set up the necessary Key Vault prerequisites:

Recommended workflow: this issue can occur because of insufficient memory. If available memory is low, it can still be triggered during the OS encryption phase even when total memory is high due to other active memory usage.
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-faq#what-is-the-recommended-azure-disk-encryption-workflow-for-Linux

Troubleshooting guide:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-tsg
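As an added example (not part of the question or the answer above), the following PowerShell pre-flight check uses the same AzureRM cmdlets as the question's script to verify the Key Vault and KEK prerequisites that Azure Disk Encryption depends on before `Set-AzureRmVMDiskEncryptionExtension` is called: vault and VM in the same region, the vault flagged `EnabledForDiskEncryption`, the KEK present, enabled and belonging to the vault passed as `-KeyEncryptionKeyVaultId`, the AAD app holding `wrapKey`/`set`, and the VM size's memory (the answer points at low memory during OS-volume encryption). The function name `Test-AdeKekPrerequisites`, the 7 GB threshold (the figure Microsoft documents as the minimum for Linux OS-disk encryption), and the default extension name `AzureDiskEncryptionForLinux` are this example's own assumptions; the resource names are the ones from the question.

```powershell
# Added example, not from the original post. Pre-flight checks for a KEK-backed
# Azure Disk Encryption run, using AzureRM cmdlets. The function name and the
# 7 GB memory threshold are this example's assumptions; names come from the question.
function Test-AdeKekPrerequisites {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
        [Parameter(Mandatory = $true)] [string] $VMName,
        [Parameter(Mandatory = $true)] [string] $KeyVaultName,
        [Parameter(Mandatory = $true)] [string] $KeyName,
        [string] $AadClientId    # optional: also check the encryption app's vault permissions
    )

    $problems = New-Object System.Collections.Generic.List[string]

    $vm    = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName

    # ADE requires the vault and the VM to be in the same region (and subscription).
    if ($vault.Location -ne $vm.Location) {
        $problems.Add("vault '$KeyVaultName' is in '$($vault.Location)' but VM '$VMName' is in '$($vm.Location)'")
    }

    # Without this flag the platform cannot write the BEK secret into the vault.
    if (-not $vault.EnabledForDiskEncryption) {
        $problems.Add("vault '$KeyVaultName' is not EnabledForDiskEncryption")
    }

    # The KEK must exist, be enabled, and its kid must live in the vault that is
    # passed as -KeyEncryptionKeyVaultId (a kid from another vault fails wrapping).
    $kek = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyName -ErrorAction SilentlyContinue
    if (-not $kek) {
        $problems.Add("key '$KeyName' not found in vault '$KeyVaultName'")
    } elseif (-not $kek.Enabled) {
        $problems.Add("key '$KeyName' is disabled")
    } elseif ($kek.Key.Kid -notlike "$($vault.VaultUri.TrimEnd('/'))/keys/$KeyName/*") {
        $problems.Add("kid '$($kek.Key.Kid)' does not belong to vault '$($vault.VaultUri)'")
    }

    # The AAD app the extension authenticates as needs wrapKey on keys and set on
    # secrets. Access policies are stored by object id, so resolve the app id first.
    if ($AadClientId) {
        $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AadClientId
        $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
        if (-not $policy) {
            $problems.Add("no access policy in '$KeyVaultName' for service principal $AadClientId")
        } else {
            if ($policy.PermissionsToKeys -notcontains 'wrapKey') { $problems.Add("service principal lacks wrapKey on keys") }
            if ($policy.PermissionsToSecrets -notcontains 'set')  { $problems.Add("service principal lacks set on secrets") }
        }
    }

    # Low free memory is a documented trigger for failures while encrypting the OS
    # volume; 7168 MB is the documented minimum for Linux OS-disk ADE (assumed here).
    $size = Get-AzureRmVMSize -Location $vm.Location | Where-Object { $_.Name -eq $vm.HardwareProfile.VmSize }
    if ($size -and $size.MemoryInMB -lt 7168) {
        $problems.Add("size $($size.Name) has $($size.MemoryInMB) MB RAM, below the 7 GB documented for Linux OS-disk encryption")
    }

    return $problems
}

# Usage with the names from the question.
$appId  = (Get-AzureRmADApplication -DisplayName 'VMEncryptionSvcPrinDev').ApplicationId
$issues = Test-AdeKekPrerequisites -ResourceGroupName 'test' -VMName 'centos74' `
    -KeyVaultName 'KeyVault-Dev' -KeyName 'VMEncryption-KEK' -AadClientId $appId
if ($issues.Count -eq 0) { 'ADE/KEK prerequisites look good' } else { $issues | ForEach-Object { "PROBLEM: $_" } }

# After Set-AzureRmVMDiskEncryptionExtension, read the extension's own status and
# substatus messages; they carry more detail than the summary status cmdlet.
# 'AzureDiskEncryptionForLinux' is the cmdlet's default extension name (assumed).
$ext = Get-AzureRmVMExtension -ResourceGroupName 'test' -VMName 'centos74' -Name 'AzureDiskEncryptionForLinux' -Status
$ext.Statuses    | ForEach-Object { "$($_.Code): $($_.Message)" }
$ext.SubStatuses | ForEach-Object { "$($_.Code): $($_.Message)" }
```

Run the check in the same session after the Key Vault and key have been created and before the extension call; every string it returns is a prerequisite that would make a KEK run fail while a BEK-only run (which needs no `wrapKey` and no `-KeyEncryptionKeyUrl`) could still succeed.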
09-16 01:19