Azure-sdk-for-go: [Compute] Encrypted Disks on Virtual Machines

Created on 26 Jul 2018 · 10 Comments · Source: Azure/azure-sdk-for-go

Bug Report

SDK version: v18.0.0
Package: github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2017-12-01/compute

$ go version
go version go1.10.3 darwin/amd64

:wave:

I've spent a couple of days looking at how we'd support encrypted disks within Virtual Machines. As a part of this I've taken two approaches:

  1. Provisioning a Virtual Machine and then on-boot encrypting brand new disks by specifying the EncryptionSettings struct.
  2. Provisioning a Virtual Machine and then encrypting the Data Volume (I've also tried both the OS disk and "all", but Data should be quicker) using a Virtual Machine extension (using Terraform, but this should be no different in an ARM Template):

resource "azurerm_virtual_machine_extension" "disk-encryption" {
  name                 = "DiskEncryption"
  location             = "West Europe"
  resource_group_name  = "some-resource-group"
  virtual_machine_name = "some-virtual-machine"
  publisher            = "Microsoft.Azure.Security"
  type                 = "AzureDiskEncryptionForLinux"
  type_handler_version = "1.1"

  settings = <<SETTINGS
{
  "KeyVaultURL": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/[name]/providers/Microsoft.KeyVault/vaults/[name]",
  "VolumeType": "DATA",
  "EncryptionOperation": "EnableEncryptionFormatAll",
  "KeyEncryptionKeyURL": "https://[name].vault.azure.net/keys/[name]/[version]",
  "KeyEncryptionAlgorithm": "RSA-OAEP"
}
SETTINGS
}

Unfortunately in both cases the CreateOrUpdate method in the SDK/API call times out after ~40m returning the rather unhelpful error (wrapped by Terraform in this case):

azurerm_virtual_machine.managed: Still creating... (40m50s elapsed)

Error: Error applying plan:

1 error(s) occurred:

* azurerm_virtual_machine.managed: 1 error(s) occurred:

• azurerm_virtual_machine.managed: Code="" Message=""

Looking in the Portal - there's a slightly more descriptive error but the Virtual Machine enters a Failed state with a description that it's Failed but may eventually boot (however I didn't see this boot even after leaving it overnight). Is there a way to work around this hard-timeout from the Compute API? Whilst it'd be possible to poll on the Compute API's Get method ourselves, I can't help but feel polling on a Failed state could lead to other issues? It's worth noting that the documentation for disk encryption mentions the encryption process can take an extended period (3h-days depending on the amount of data involved), but that wiping the data disk should be significantly quicker.

Is there an example available for Disk Encryption of a Virtual Machine that I'm overlooking?

Thanks!
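The post above asks whether polling the Compute API's Get method is a workable alternative to the SDK's fixed ~40m wait. The loop below is an added example, not code from the issue or from azure-sdk-for-go: it bounds the wait with the caller's context, stops on a terminal Succeeded or Failed state, and carries the instance-view status messages (the "may eventually boot" text the portal shows) into the returned error instead of an empty Code/Message. The `VMState` struct and the `Getter` type are this example's own stand-ins; wiring them to `VirtualMachinesClient.Get` with the instance view expanded is left to the caller.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"
)

// VMState is the subset of a Compute API Get response (instance view expanded)
// needed to track an encryption rollout. Field names are this example's own;
// in real use they are copied from the SDK's compute.VirtualMachine.
type VMState struct {
	ProvisioningState string   // "Creating", "Updating", "Succeeded", "Failed"
	Statuses          []string // instance-view status codes and messages
}

// Getter stands in for VirtualMachinesClient.Get so the loop can run offline.
type Getter func(ctx context.Context) (VMState, error)

// ErrFailed marks a terminal Failed state; the instance-view messages are
// attached so the caller sees more than an empty Code="" Message="".
var ErrFailed = errors.New("vm provisioning failed")

// WaitForProvisioning polls get every interval until the VM reports Succeeded
// or Failed, or ctx expires. The caller's context, not the SDK's fixed wait,
// bounds how long a slow encryption job is allowed to take.
func WaitForProvisioning(ctx context.Context, get Getter, interval time.Duration) (VMState, error) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		st, err := get(ctx)
		if err != nil {
			return st, err
		}
		switch strings.ToLower(st.ProvisioningState) {
		case "succeeded":
			return st, nil
		case "failed":
			return st, fmt.Errorf("%w: %s", ErrFailed, strings.Join(st.Statuses, "; "))
		}
		select {
		case <-ctx.Done(): // deadline hit while still Creating/Updating
			return st, fmt.Errorf("still %q: %w", st.ProvisioningState, ctx.Err())
		case <-ticker.C:
		}
	}
}
```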

P1 Sprint-122 customer in progress

All 10 comments

@tombuildsstuff we have this sample for disk encryption: https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/compute/encryption.go

Let us know if it helps.

Hi @tombuildsstuff, checking back here, was the sample useful for you?

hey @vladbarosan I've not had a chance to circle back to this yet unfortunately, but that example 404's and I can't see it in the last few commits, is there another link? Thanks!

Hey @tombuildsstuff . @joshgav refactored the repo a little since then. I think this is what you are looking for https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/compute/vm_test.go#L190

@vladbarosan so checking the code sample that'll have the same issue mentioned above where the Compute API returns that this has entered the Failed state (but may eventually boot) - at least for Windows machines (whereas the code sample's for Linux). My understanding is that this is running Bitlocker which encrypts asynchronously (and eventually causes the Compute API to return a hard status of Failed, but which has a message in the portal of "may eventually boot")?

Is there a sample available for encrypting machines at boot too? Sorry to be awkward here 🙃

@tombuildsstuff coming back to this? Are you still blocked? We don't have a sample for encrypting machines on boot.
Regarding Windows, please note that you can't encrypt the data volume without encrypting the OS volume first. (See here)

Let us know if there is any specific ask we would want for the compute team.

from a consumer of both azure and terraform (via the sdk for go), what's being done to move this forward?

This would be of real interest to all of us, I think.

I'd like to see this move forward too. This is currently making some of our work tricky and messy.

hey guys, this thread has diverged in a couple of directions, can you let us know of a specific ask here please?

There is a sample for Linux here.

Is that what you are looking for? Or is there any specific API call that is failing?
