Describe the bug
az disk encryption Failed. VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected. Exception: Access denied, InnerException: , stack trace: at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.UploadBekToKeyVault(EncryptableVolume vol, String protectorId, Boolean saveKeyToBekVolume)
To Reproduce
Steps to reproduce the behavior.
Expected behavior
A clear and concise description of what you expected to happen.
Environment summary
Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build) / CLI version (az --version) / OS version / Shell Type (e.g. bash, cmd.exe, Bash on Windows)
Additional context
Add any other context about the problem here.
Has anyone come across this error?
Please provide all of the requested information in the issue template in order to effect a speedy response.
@Aaronmcd1978, the error looks like a service-end error; could you give us some more context? For example, the command you executed and what parameters you used. Thanks
az vm encryption enable --name
Above is the command I am using. I have KeyVault enabled also.
Thanks @Aaronmcd1978. I will look into this. Does your aad-client have permissions to write secrets to the keyvault?
cc @yugangw-msft
So I followed the instructions in https://github.com/Azure/azure-cli/issues/2507#issuecomment-286843943 and was able to encrypt a Windows VM with a service principal.
However, I was also able to encrypt a Windows VM without needing to set up a service principal at all; in fact, according to the Azure Disk Encryption docs you no longer need to supply an AAD app / service principal.
Encryption with service principal (older way).
(cli-venv) [04:08 PM] Work-Mac:azure-cli tosin$ az vm encryption enable -g ova-test -n tosin-windows16 --aad-client-id $MY_SP --disk-encryption-keyvault tosin-keyvault --key-encryption-key key1 --volume-type OS --aad-client-secret "my-aad-secret-1-2"
Deallocating the VM before updating encryption settings...
Restarting the VM after the update...
(cli-venv) [04:26 PM] Work-Mac:azure-cli tosin$ az vm encryption show -n tosin-windows16 -g ova-test --query "osDisk"
"Encrypted"
Note: I received a service-side out-of-memory error and simply reran the command. (cc @ejarvi)
Encryption without service principal.
(cli-venv) [04:19 PM] Work-Mac:azure-cli tosin$ az vm encryption enable -g ova-test -n tosin-windows17 --disk-encryption-keyvault tosin-keyvault --key-encryption-key key1 --volume-type OS
(cli-venv) [04:27 PM] Work-Mac:azure-cli tosin$ az vm encryption show -g ova-test -n tosin-windows17 --query "{Name: disks[0].name, Status: disks[0].statuses}"
{
  "Name": "tosin-windows17_OsDisk_1_9169d56940244287b7868789f39eef41",
  "Status": [
    {
      "code": "EncryptionState/encrypted",
      "displayStatus": "Encryption is enabled on disk",
      "level": "Info",
      "message": null,
      "time": null
    }
  ]
}
(cli-venv) [04:29 PM] Work-Mac:azure-cli tosin$
Seeing as this is likely an issue with your service principal / ad app's permissions and it is possible to encrypt the vm without one, I will be closing the issue.
Please feel free to follow up if you have any more questions.
The new version eliminates this requirement. More on this is available here: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites-aad
Yes, I am able to encrypt the OsDisk now, but when I create a data disk in the VM it's not encrypting.
@Aaronmcd1978 please can you share more context and info?
Are you saying that after encrypting the os disk, you attach a data disk and then run encryption on the data disk which fails?
If so what failure specifically?
Yes. When I create a Windows VM the OS disk is created automatically. Then I create a data disk and save. I run this command from the CLI to encrypt: "az vm encryption enable -g resourceGroup -n myVM --disk-encryption myVault --volume-type All". It runs but only encrypts osDisk, not dataDisk. It does not give me an error message.
That's strange, what happens when you run vm encryption show?
Also what happens when you try encrypting afterwards with --volume-type DATA?
One thing to check first: After attaching a new data disk, there are some steps that need to be taken to initialize the disk inside of Windows before it can be encrypted. Has this been done? If not, some steps on how to do this are available here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/attach-managed-disk-portal#initialize-a-new-data-disk
adewaleo, see below for the output of vm encryption show:
{
  "disks": [
    {
      "encryptionSettings": [
        {
          "diskEncryptionKey": {
            "secretUrl": "https://cis-vault.vault.azure.net/secrets/B10B7076-0796-4D47-9A91-07741E4DED74/2c329545b4c2417c88dd2861a0e464ee",
            "sourceVault": {
              "id": "/subscriptions/341968b6-b414-48fb-b340-a11ce884fe8f/resourceGroups/CIS-VM-RG/providers/Microsoft.KeyVault/vaults/CIS-Vault"
            }
          },
          "enabled": true,
          "keyEncryptionKey": null
        }
      ],
      "name": "Test3-Windows_OsDisk_1_882800bb15054bf5b8dc2d954010069f",
      "statuses": [
        {
          "code": "EncryptionState/encrypted",
          "displayStatus": "Encryption is enabled on disk",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    },
    {
      "encryptionSettings": null,
      "name": "Test3-Windows_DataDisk_0",
      "statuses": [
        {
          "code": "EncryptionState/notEncrypted",
          "displayStatus": "Disk is not encrypted",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    }
  ],
  "status": [
    {
      "code": "ProvisioningState/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "",
      "time": null
    }
  ],
  "substatus": null
}
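The output above shows why a successful `az vm encryption enable` run is not, by itself, evidence that every disk is protected: the VM-level "status" reads ProvisioningState/succeeded while the data disk sits at EncryptionState/notEncrypted. The following is an added example, not code from the azure-cli project or from anyone in this thread: it parses the JSON that `az vm encryption show ... -o json` prints (the shape pasted in this thread) and fails if any disk is not EncryptionState/encrypted. The embedded sample report is constructed to mirror the case above; its vault, subscription and disk identifiers are placeholders.

```python
"""Audit per-disk encryption state from `az vm encryption show` output.

Added example for this thread (not azure-cli code). Reads the JSON the CLI
prints and flags every disk whose EncryptionState is not "encrypted",
regardless of whether the VM-level provisioning status says "succeeded".
"""
import json
import sys

ENCRYPTED = "EncryptionState/encrypted"

# Constructed sample modelled on the output pasted above: OS disk encrypted,
# data disk not encrypted, overall provisioning "succeeded". All identifiers
# are placeholders, not values from a real subscription.
SAMPLE_REPORT = {
    "disks": [
        {
            "encryptionSettings": [{
                "diskEncryptionKey": {
                    "secretUrl": "https://example-vault.vault.azure.net/secrets/PLACEHOLDER",
                    "sourceVault": {"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg/"
                                          "providers/Microsoft.KeyVault/vaults/example-vault"},
                },
                "enabled": True,
                "keyEncryptionKey": None,
            }],
            "name": "myVM_OsDisk_1_PLACEHOLDER",
            "statuses": [{"code": ENCRYPTED, "displayStatus": "Encryption is enabled on disk",
                          "level": "Info", "message": None, "time": None}],
        },
        {
            "encryptionSettings": None,
            "name": "myVM_DataDisk_0",
            "statuses": [{"code": "EncryptionState/notEncrypted", "displayStatus": "Disk is not encrypted",
                          "level": "Info", "message": None, "time": None}],
        },
    ],
    "status": [{"code": "ProvisioningState/succeeded", "displayStatus": "Provisioning succeeded",
                "level": "Info", "message": "", "time": None}],
    "substatus": None,
}


def disk_states(report):
    """Map each disk name to its EncryptionState/* code.

    A disk carrying no EncryptionState status at all is reported as "unknown"
    instead of being silently skipped, so it still fails the audit.
    """
    states = {}
    for disk in report.get("disks") or []:
        codes = [s.get("code", "") for s in (disk.get("statuses") or [])]
        enc = [c for c in codes if c.startswith("EncryptionState/")]
        states[disk["name"]] = enc[0] if enc else "unknown"
    return states


def unencrypted_disks(report):
    """Sorted names of disks whose state is anything but EncryptionState/encrypted."""
    return sorted(name for name, code in disk_states(report).items() if code != ENCRYPTED)


def provisioning_succeeded(report):
    """True if the VM-level status reports ProvisioningState/succeeded."""
    return any(s.get("code") == "ProvisioningState/succeeded"
               for s in (report.get("status") or []))


def audit(report):
    """Return (ok, lines). ok is False whenever any disk is not encrypted,
    even if the VM-level provisioning status claims success."""
    bad = unencrypted_disks(report)
    lines = [f"{name}: {code}" for name, code in disk_states(report).items()]
    if bad and provisioning_succeeded(report):
        lines.append("provisioning succeeded but these disks are NOT encrypted: " + ", ".join(bad))
    return (not bad, lines)


if __name__ == "__main__":
    # Usage: az vm encryption show -g <rg> -n <vm> -o json | python3 ade_audit.py
    # With nothing piped in, the constructed sample is audited instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    ok, lines = audit(data)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

The exit code makes the check usable as a post-deployment gate: a non-zero exit means at least one attached disk (OS or data) is not in the encrypted state, which is exactly the condition the CLI's own success message does not surface.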
ejarvi
I just completed the tasks you suggested and am getting the same thing. It only encrypts the osdisk.
adewaleo, see below for the output of --query dataDisk:
aaron@aaron-HP-Z400-Workstation:~/$ az vm encryption show --name Test4-Windows --resource-group CIS-VM-RG --query dataDisk
aaron@aaron-HP-Z400-Workstation:~$
As you can see, it just goes on to the next command; it does not do anything or give me any return on the query.
@Aaronmcd1978,
I created a windows VM, encrypted the os disk, added the data disk, followed the steps @ejarvi mentioned to properly attach and initialize the data disk within the VM and then ran encryption enable on just data disks. The command succeeded for me.
Could you look at the referenced doc and ensure that the data disk is properly initialized?
(cli-venv) [02:31 PM] Work-Mac:azure-cli tosin$ az vm encryption show -n tosin-winsvr -g ova-test
{
  "disks": [
    {
      "encryptionSettings": [
        {
          "diskEncryptionKey": {
            "secretUrl": "https://tosin-kv.vault.azure.net/secrets/4C02781D-000000000",
            "sourceVault": {
              "id": "/subscriptions/000000000/resourceGroups/ova-test/providers/Microsoft.KeyVault/vaults/tosin-kv"
            }
          },
          "enabled": true,
          "keyEncryptionKey": null
        }
      ],
      "name": "tosin-winsvr_OsDisk_1_9ca11974d7444fd5a4b83d7d7247704a",
      "statuses": [
        {
          "code": "EncryptionState/encrypted",
          "displayStatus": "Encryption is enabled on disk",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    }
  ],
  "status": [
    {
      "code": "ProvisioningState/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "",
      "time": null
    }
  ],
  "substatus": null
}
(cli-venv) [02:33 PM] Work-Mac:azure-cli tosin$ az vm disk attach --vm-name tosin-winsvr -g ova-test --new --name disk-1
(cli-venv) [03:14 PM] Work-Mac:azure-cli tosin$ az vm encryption enable -n tosin-winsvr -g ova-test --volume-type DATA --disk-encryption-keyvault tosin-kv
(cli-venv) [03:15 PM] Work-Mac:azure-cli tosin$ az vm encryption show -n tosin-winsvr -g ova-test
{
  "disks": [
    {
      "encryptionSettings": [
        {
          "diskEncryptionKey": {
            "secretUrl": "https://tosin-kv.vault.azure.net/secrets/00000000000",
            "sourceVault": {
              "id": "/subscriptions/00000000/resourceGroups/ova-test/providers/Microsoft.KeyVault/vaults/tosin-kv"
            }
          },
          "enabled": true,
          "keyEncryptionKey": null
        }
      ],
      "name": "tosin-winsvr_OsDisk_1_9ca11974d7444fd5a4b83d7d7247704a",
      "statuses": [
        {
          "code": "EncryptionState/encrypted",
          "displayStatus": "Encryption is enabled on disk",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    },
    {
      "encryptionSettings": [
        {
          "diskEncryptionKey": {
            "secretUrl": "https://tosin-kv.vault.azure.net/secrets/000000000",
            "sourceVault": {
              "id": "/subscriptions/000000000/resourceGroups/ova-test/providers/Microsoft.KeyVault/vaults/tosin-kv"
            }
          },
          "enabled": true,
          "keyEncryptionKey": null
        }
      ],
      "name": "disk-1",
      "statuses": [
        {
          "code": "EncryptionState/encrypted",
          "displayStatus": "Encryption is enabled on disk",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    }
  ],
  "status": [
    {
      "code": "ProvisioningState/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "",
      "time": null
    }
  ],
  "substatus": null
}