Apparently, this doc states several steps to proceed with a pre-encryption of disks for both Linux and Windows, but in the end I cannot manage to enable the encryption.
@marioanton Thanks for the feedback. We are investigating this and will provide an update shortly.
@marioanton I have assigned this to the author to validate the steps and provide an update accordingly.
@marioanton I am looking into this for you. I will let you know what I find.
Hey @marioanton. I spoke to one of the developers about your issue. Below is the response:
"I think the key to understanding is that the customer-managed secret is stored in Key Vault, but it is the platform that will be retrieving that secret and attaching it to the VM as the BEK volume. If the platform cannot do this operation, then the key will not be provided to the VM at time of boot. To make that work there are two main things that need to be accomplished. First, the URL that points to that secret needs to be associated with the VM model. This is why the $secretUrl part of the documentation is so important to get right.
Second, to ensure that when the platform starts the VM it will be able to retrieve the key, the permissions on the Key Vault need to have been enabled for disk encryption, so the platform will have permission to retrieve that key and attach it to the VM. The $secretUrl value is described in the code section of the following part of the documentation, after the secret has been uploaded to Key Vault:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-appendix#bkmk_UploadSecret "
Hopefully this helps you out.
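The two requirements in the developer's answer (a correct, versioned $secretUrl in the VM model, and a vault the platform is allowed to read from), put together as an added Azure PowerShell example. This is not code from the thread or from the linked appendix: it uses the current Az cmdlets rather than the AzureRm ones the appendix was written against, and every name below (resource group, vault, VM, VHD URI, NIC, BEK file path, secret name, VM size) is a placeholder you must replace.

```powershell
# Added example (not from the original issue or the Azure docs): wire a
# customer-managed BEK secret into a VM built from a pre-encrypted Windows VHD,
# so that the platform can fetch the key from Key Vault at boot.
# All names below are assumed placeholders.
$rgName      = 'rg-ade-demo'
$vaultName   = 'kv-ade-demo'
$vmName      = 'vm-ade-demo'
$bekFilePath = 'C:\bek\exported-volume.BEK'                                         # BEK exported from the pre-encrypted volume
$osVhdUri    = 'https://stademo.blob.core.windows.net/vhds/vm-ade-demo-os.vhd'      # the pre-encrypted OS VHD
$nicId       = '/subscriptions/<sub>/resourceGroups/rg-ade-demo/providers/Microsoft.Network/networkInterfaces/nic-ade-demo'

# Requirement 2: it is the platform, not the VM, that reads the secret, so the
# vault must be enabled for disk encryption. Without this the BEK is never attached.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName -EnabledForDiskEncryption

# Check the flag took effect before touching the VM model.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName
if (-not $vault.EnabledForDiskEncryption) {
    throw "Key Vault '$vaultName' is not enabled for disk encryption; the platform cannot retrieve the BEK at boot."
}

# Upload the BEK as a base64-encoded secret with ContentType 'BEK'. The tag with the
# key file name is the convention the appendix describes for BEK secrets.
$bekBytes  = [System.IO.File]::ReadAllBytes($bekFilePath)
$bekBase64 = [Convert]::ToBase64String($bekBytes)
$secureBek = ConvertTo-SecureString -String $bekBase64 -AsPlainText -Force
$secret    = Set-AzKeyVaultSecret -VaultName $vaultName -Name "bek-$vmName" `
                 -SecretValue $secureBek -ContentType 'BEK' `
                 -Tag @{ DiskEncryptionKeyFileName = [System.IO.Path]::GetFileName($bekFilePath) }

# Requirement 1: $secretUrl must be the versioned secret identifier
# (https://<vault>.vault.azure.net/secrets/<name>/<version>), not the vault URI.
$secretUrl = $secret.Id
if ($secretUrl -notmatch '^https://[^/]+/secrets/[^/]+/[0-9a-f]{32}$') {
    throw "Unexpected secret URL '$secretUrl'; expected https://<vault>/secrets/<name>/<version>."
}

# Build the VM model from the pre-encrypted VHD and attach the secret reference
# (secret URL + source vault resource ID) to the OS disk before the VM is created.
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3'
$vm = Set-AzVMOSDisk -VM $vm -Name "$vmName-os" -VhdUri $osVhdUri -Caching ReadWrite `
          -CreateOption Attach -Windows `
          -DiskEncryptionKeyUrl $secretUrl -DiskEncryptionKeyVaultId $vault.ResourceId
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nicId
New-AzVM -ResourceGroupName $rgName -Location $vault.Location -VM $vm

# Confirm the reference is now part of the VM model: the SecretUrl printed here must
# equal $secretUrl and SourceVault.Id must equal the vault's resource ID.
$settings = (Get-AzVM -ResourceGroupName $rgName -Name $vmName).StorageProfile.OsDisk.EncryptionSettings
$settings.DiskEncryptionKey.SecretUrl
$settings.DiskEncryptionKey.SourceVault.Id
```

The two `throw` checks are the ones worth keeping: a vault that is not enabled for disk encryption, or a $secretUrl that points at the vault or at an unversioned secret, are exactly the failures the developer describes, and both surface only as a VM that boots without its key. For a Linux VHD replace `-Windows` with `-Linux`; the Key Vault side is identical.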
Ok, thanks. Looks like the confusion has been sorted out. Still wondering whether it is possible to get a pre-encrypted image somehow to do this work; that would make the deployment of the VM much EASIER.
@marioanton glad you got it sorted! Thanks for taking the time to provide feedback on Azure Disk Encryption. This is an interesting feature idea, and I want to make sure it gets directly into the hands of the engineering team. Fortunately, we've got dedicated channels for that very purpose. :) See the Product feedback page. I think it’s important that you submit it directly, because that allows you to receive notifications and more closely monitor the progress. I'm closing this issue as there's nothing actionable for the Azure Security docs team at this time.
@marioanton We will now close this issue. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.