ADE only encrypting the OS disk but not the data disk using ARM template

Category: azure disk encryption

Question

vishalsaini on Thu, 02 May 2019 02:10:32


Hello,

I am deploying a VM with two disks (OS and Data). I am using the ADE extension. The OS disk is getting encrypted but not the data disk. I am using volumeType = All to encrypt both disks.

Template is:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "australiaeast",
      "metadata": {
        "description": "Location for the virtual machine."
      }
    },
    "existingVitualNetworkName": {
      "type": "string",
      "metadata": {
        "description": "VNet"
      }
    },
    "existingSubnetName": {
      "type": "string",
      "metadata": {
        "description": "Subnet."
      }
    },
    "virtualNetworkResourceGroup": {
      "type": "string",
      "metadata": {
        "description": "Resource Group"
      }
    },
    "virtualMachineName": {
      "type": "string",
      "metadata": {
        "description": "Virtual Machine."
      }
    },
    "osDiskType": {
      "type": "string",
      "allowedValues": [
        "Standard_LRS",
        "Premium_LRS",
        "StandardSSD_LRS",
        "UltraSSD_LRS"
      ],
      "defaultValue": "Standard_LRS",
      "metadata": {
        "description": "Managed Disk"
      }
    },
    "virtualMachineSize": {
      "type": "string",
      "metadata": {
        "description": "Size."
      }
    },
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Local admin"
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "Local admin user Password"
      }
    },
    "OSSku": {
      "allowedValues": [
        "2016-Datacenter",
        "2012-R2-Datacenter",
        "2019-Datacenter"
      ],
      "type": "string",
      "metadata": {
        "description": "OS version"
      }
    },
    "timezone": {
      "allowedValues": [
        "AUS Eastern Standard Time",
        "AUS Central Standard Time",
        "E. Australia Standard Time"
      ],
      "type": "string",
      "metadata": {
        "description": "timezone"
      }
    },
    "sizeOfDataDisk1InGB": {
      "type": "string",
      "metadata": {
        "description": "data disk in GB"
      }
    },
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "KeyVault"
      }
    },
    "keyVaultResourceGroup": {
      "type": "string",
      "metadata": {
        "description": "Resource group of the KeyVault"
      }
    },
    "keyEncryptionKeyURL": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "URL of the KeyEncryptionKey"
      }
    },
    "volumeType": {
      "type": "string",
      "defaultValue": "All",
      "metadata": {
        "description": "Type of the volume"
      }
    },
    "forceUpdateTag": {
      "type": "string",
      "defaultValue": "1.0",
      "metadata": {
        "description": "force run"
      }
    },
    "resizeOSDisk": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "resized to OS VHD"
      }
    }
  },
  "variables": {
    "vnetId": "[resourceId(parameters('virtualNetworkResourceGroup'),'Microsoft.Network/virtualNetworks', parameters('existingVitualNetworkName'))]",
    "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('existingSubnetName'))]",
    "networkInterfaceName": "[concat(parameters('virtualMachineName'),'-NIC')]",
    "extensionName": "AzureDiskEncryption",
    "extensionVersion": "2.2",
    "encryptionOperation": "EnableEncryption",
    "keyEncryptionAlgorithm": "RSA-OAEP",
    "keyVaultResourceID": "[resourceId(parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[variables('networkInterfaceName')]",
      "apiVersion": "2018-10-01",
      "location": "[parameters('location')]",
      "tags": {
      },
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "subnet": {
                "id": "[variables('subnetRef')]"
              },
              "privateIPAllocationMethod": "Dynamic"
            }
          }
        ]
      },
      "dependsOn": []
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "name": "[parameters('virtualMachineName')]",
      "apiVersion": "2018-06-01",
      "location": "[parameters('location')]",
      "tags": {
      },
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('virtualMachineSize')]"
        },
        "storageProfile": {
          "osDisk": {
            "name": "[concat(parameters('virtualMachineName'), '-Osdisk')]",
            "createOption": "FromImage",
            "managedDisk": {
              "storageAccountType": "[parameters('osDiskType')]"
            }
          },
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "[parameters('OSSku')]",
            "version": "latest"
          },
          "dataDisks": [
            {
              "name": "[concat(parameters('virtualMachineName'), '-datadisk1')]",
              "diskSizeGB": "[parameters('sizeOfDataDisk1InGB')]",
              "lun": 0,
              "managedDisk": {
                "storageAccountType": "[parameters('osDiskType')]"
              },
              "createOption": "Empty"
            }
          ]
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
            }
          ]
        },
        "osProfile": {
          "computerName": "[parameters('virtualMachineName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]",
          "windowsConfiguration": {
            "provisionVmAgent": true,
            "timeZone": "[parameters('timezone')]"
          }
        }
      },
      "dependsOn": [
        "[concat('Microsoft.Network/networkInterfaces/', variables('networkInterfaceName'))]"
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('virtualMachineName'),'/', variables('extensionName'))]",
      "location": "[parameters('location')]",
      "apiVersion": "2017-03-30",
      "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "[variables('extensionName')]",
        "typeHandlerVersion": "[variables('extensionVersion')]",
        "autoUpgradeMinorVersion": true,
        "forceUpdateTag": "[parameters('forceUpdateTag')]",
        "settings": {
          "EncryptionOperation": "[variables('encryptionOperation')]",
          "KeyVaultURL": "[reference(variables('keyVaultResourceID'),'2016-10-01').vaultUri]",
          "KeyVaultResourceId": "[variables('keyVaultResourceID')]",
          "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
          "KekVaultResourceId": "[variables('keyVaultResourceID')]",
          "KeyEncryptionAlgorithm": "[variables('keyEncryptionAlgorithm')]",
          "VolumeType": "[parameters('volumeType')]",
          "ResizeOSDisk": "[parameters('resizeOSDisk')]"
        }
      },
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]"
      ]
    }
  ]
}

Any thoughts?

Replies

SumanthMarigowda-MSFT on Thu, 02 May 2019 08:37:10


For Azure Disk Encryption you can set the variable in PS -VolumeType [OS, Data, All]; with this you can control the encryption. Try to restart the VM and check the status.

Possible scenarios: for a VM with attached disks, you can encrypt only the OS disk, only the data disk, or both, depending on this variable:

For more information, see How to Enable disk encryption on Data disk.

You can encrypt boot and data volumes for Windows and Linux IaaS VMs. For Windows VMs, you can't encrypt the data without first encrypting the OS volume. For Linux VMs, it's possible to encrypt the data volume without having to encrypt the OS volume first. After you've encrypted the OS volume for Linux, disabling encryption on an OS volume for Linux IaaS VMs isn't supported.

Azure Disk Encryption allows you to encrypt the OS and Data disks used by an IaaS Virtual Machine. This includes managed disks. For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. This is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys. For more information, please see Azure Disk Encryption for Windows and Linux IaaS VMs.

Kindly let us know if the above helps or you need further assistance on this issue.

vishalsaini on Thu, 02 May 2019 12:20:01


Thank you for the reply.

I am using VolumeType as a variable in my template:

"VolumeType": "[parameters('volumeType')]",

and defining 'volumeType' as parameter, but no luck.

"volumeType": {
  "type": "string",
  "defaultValue": "All",
  "metadata": {
    "description": "Type of the volume"
  }
}

Please refer to my template file for more details.

Thank you

SumanthMarigowda-MSFT on Tue, 07 May 2019 07:40:44


Can you please share a screenshot after running the command mentioned below:

Output of "manage-bde -status"

- RDP into the VM -> open a CMD prompt -> run the command

Check in Disk Manager how the disks are aligned within the VM. Additionally, are you using a storage pool?


vishalsaini on Mon, 13 May 2019 04:38:58


Issue has been resolved.

The issue was that the data disk was not initialized. Hence, we needed to create a PowerShell script, which is called by using a custom extension, to fix the issue.
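
One way to do what this resolution describes, as an added example (not vishalsaini's script): a PowerShell script to run through the CustomScriptExtension before the AzureDiskEncryption extension. It initializes only disks that are still RAW, so an existing volume is never reformatted, and then prints the manage-bde status the thread asks for. The NTFS volume label is an assumption.

```powershell
# Added example, not the script from the thread: initialize RAW data disks so the
# Azure Disk Encryption extension has a formatted volume to encrypt.
# Meant to run via the CustomScriptExtension; the ADE extension resource in the
# template should "dependsOn" the custom script resource so it runs after this.
[CmdletBinding()]
param(
    # Volume label for the new data volume (assumption, not from the thread).
    [string]$Label = 'Data'
)

$ErrorActionPreference = 'Stop'

# Only disks that have never been partitioned are candidates; a disk that
# already carries a volume is left alone so nothing is wiped by accident.
$rawDisks = Get-Disk |
    Where-Object { $_.PartitionStyle -eq 'RAW' -and -not $_.IsBoot -and -not $_.IsSystem }

if (-not $rawDisks) {
    Write-Output 'No RAW data disks found; nothing to initialize.'
}

foreach ($disk in $rawDisks) {
    $sizeGB = [math]::Round($disk.Size / 1GB)
    Write-Output "Initializing disk $($disk.Number) ($sizeGB GB)"

    # GPT partition table, one partition spanning the disk, next free drive
    # letter, NTFS format. -Confirm:$false keeps the extension non-interactive.
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false |
        Out-Null
}

# Verification step from the thread: manage-bde -status lists each volume's
# conversion status. The tool is only present once the BitLocker feature is
# enabled on the VM, so skip gracefully if it is not there yet.
if (Get-Command 'manage-bde.exe' -ErrorAction SilentlyContinue) {
    & manage-bde.exe -status
} else {
    Write-Output 'manage-bde.exe not found; BitLocker feature not enabled on this VM yet.'
}
```

In the template, point the CustomScriptExtension at this script and give the AzureDiskEncryption extension resource a dependsOn entry for that extension, so encryption with VolumeType "All" starts only after the data volume exists.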

SumanthMarigowda-MSFT on Mon, 13 May 2019 05:12:53


Glad to hear that the issue got fixed. This would certainly benefit other community members. Please feel free to contact us anytime for any Azure issue.

Greg Double on Fri, 05 Jul 2019 14:15:02


I am running into the same problem. I thought it was likely the fact that the disk wasn't initialized. We have a post-creation PS script that initializes the disk and finishes setting up our VM. However, this didn't encrypt after initializing the disk.

Vishalsaini, would you mind sending/posting your ps script and custom extension arm snippet so I can see if that solves my problem too? Please.

SumanthMarigowda-MSFT on Tue, 09 Jul 2019 11:38:31


@Greg Double Are you still facing any issue? If so, can you please share a screenshot of the error message or error code? Let me know which troubleshooting steps you have tried so far.

SumanthMarigowda-MSFT on Sat, 13 Jul 2019 16:10:46


@Greg Double Just checking in to see if you have had a chance to see the previous response. Could you share the above required information to understand/investigate this issue further?