Category: azure disk encryption
vishalsaini on Thu, 02 May 2019 02:10:32
I am deploying a VM with two disks (OS and Data). I am using the ADE extension. The OS disk is getting encrypted but not the data disk. I am using volumeType = All to encrypt both disks.
SumanthMarigowda-MSFT on Thu, 02 May 2019 08:37:10
For Azure Disk Encryption you can set the -VolumeType parameter in PowerShell to [OS, Data, All]; with this you can control the encryption. Try restarting the VM and checking the status.
Possible scenarios: for a VM with attached disks, you can encrypt only the OS disk, only the data disk, or both, depending on this.
For more information, How to Enable disk encryption on Data
You can encrypt boot and data volumes for Windows and Linux IaaS VMs. For Windows VMs, you can't encrypt the data without first encrypting the OS volume. For Linux VMs, it's possible to encrypt the data volume without having to encrypt the OS volume first. After you've encrypted the OS volume for Linux, disabling encryption on an OS volume for Linux IaaS VMs isn't supported.
Azure Disk Encryption allows you to encrypt the OS and Data disks used by an IaaS Virtual Machine. This includes managed disks.
For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. This is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys. For more information, please see Azure Disk Encryption for Windows and Linux IaaS VMs.
Kindly let us know if the above helps or you need further assistance on this issue.
Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.
vishalsaini on Thu, 02 May 2019 12:20:01
Thank you for the reply.
I am using VolumeType as a variable in my template and defining 'volumeType' as a parameter, but no luck.
Please refer to my template file for more details.
SumanthMarigowda-MSFT on Tue, 07 May 2019 07:40:44
Can you please share a screenshot after running the below mentioned command:
Output of "manage-bde -status"
- RDP into the VM -> Open a CMD prompt -> run the command
Check in Disk Manager how the disks are aligned within the VM. Additionally, are you using a storage pool?
vishalsaini on Mon, 13 May 2019 04:38:58
Issue has been resolved.
The issue was that the data disk was not initialized. Hence, we needed to create a PowerShell script, called by using a custom extension, to fix the issue.
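As an added example (not vishalsaini's script, which was never posted in the thread), here is a guest-side PowerShell script of the kind described above, intended to run through the Custom Script Extension before the ADE extension: it initializes every RAW disk, creates one GPT partition spanning the disk, formats it NTFS, and then prints the BitLocker status. The drive-letter assignment, the volume label, and the assumption that the Storage module is available in the guest are mine, not the thread's.

```powershell
# Added example: guest-side initialization of attached data disks, meant to run via the
# Custom Script Extension before the ADE extension. Not the original poster's script.
# Assumes an elevated session on Windows Server with the Storage module available.

# Azure data disks arrive RAW (no partition table) and may be offline under the default SAN policy.
$rawDisks = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' }

if (-not $rawDisks) {
    Write-Output 'No RAW disks found; nothing to initialize.'
} else {
    foreach ($disk in $rawDisks) {
        # Bring the disk online and writable before touching it.
        Set-Disk -Number $disk.Number -IsOffline $false
        Set-Disk -Number $disk.Number -IsReadOnly $false

        # GPT partition table, one partition spanning the disk, next free drive letter, NTFS.
        # BitLocker (and therefore ADE) only encrypts formatted volumes, never a bare disk,
        # which is why an uninitialized data disk is silently left unencrypted.
        Initialize-Disk -Number $disk.Number -PartitionStyle GPT -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel "DataDisk$($disk.Number)" -Confirm:$false |
            Out-Null

        Write-Output "Initialized disk $($disk.Number) ($([math]::Round($disk.Size / 1GB)) GB)."
    }
}

# Sanity check: every fixed volume should now carry a drive letter so ADE can pick it up.
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    Format-Table DriveLetter, FileSystemLabel, FileSystem, @{n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) }}

# Once the ADE extension has run, this shows 'Percentage Encrypted' per volume.
manage-bde -status
```

When the script is delivered through an ARM template, the ADE extension resource should list the custom script extension in its dependsOn; without that, the two extensions are not guaranteed to run in order and encryption can still be attempted against a RAW disk.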
SumanthMarigowda-MSFT on Mon, 13 May 2019 05:12:53
Glad to hear that the issue got fixed. This would certainly benefit other community members. Please feel free to contact us anytime for any Azure issue.
Greg Double on Fri, 05 Jul 2019 14:15:02
I am running into the same problem. I thought it was likely the fact the disk wasn't initialized. We have a post-creation PS script that initializes the disk and finishes setting up our VM. However, this didn't encrypt after initializing the disk. Vishalsaini, would you mind sending/posting your PS script and custom extension ARM snippet so I can see if that solves my problem too? Please.
SumanthMarigowda-MSFT on Tue, 09 Jul 2019 11:38:31
@vishalsaini Refer to the suggestion mentioned in the GitHub thread.
SumanthMarigowda-MSFT on Sat, 13 Jul 2019 16:10:46
Rohan Islam on Thu, 05 Sep 2019 13:42:54
Remove volumetype from the template, the default is 'All'
Subhro Majumder on Wed, 25 Dec 2019 08:29:22
I have successfully encrypted OS and Data Disks for Azure Windows VMs using PowerShell, so here are a few inputs:
1) You need to first encrypt OS Disk in Azure Windows VM, if you want to encrypt data disks.
2) If you want to encrypt the OS volume and data volumes, do not specify the –VolumeType parameter. I found some bug in the 'All' option, and it did not work correctly in our environment. Just omitting this parameter will enable encryption for the OS disk and all current and future data disks.
3) If you add a new disk in an encrypted VM, you have to initialize and format the new volume before you enable encryption. You can use manage-bde –status within the OS, to ensure that the new disk is encrypted.
4) Once you enable Data Disk encryption on a Windows VM, all current and future Data Disks will be encrypted. Next time you add a data disk in this VM, you do not need to enable encryption separately.
5) To correctly reflect the encryption status for the new disk in the Azure Portal, you may need to stop and start the Azure VM.
For more details, please refer my article: https://social.technet.microsoft.com/wiki/contents/articles/53496.azure-disk-encryption-configure-for-azure-windows-vms.aspx
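As an added example (my code, not Subhro Majumder's and not from the linked article), here is the control-plane side of the procedure above in Az PowerShell: initialize the data disks in the guest first, enable ADE with –VolumeType omitted so the default applies, then verify and, if the portal lags, stop/start the VM. The resource group, VM, key vault and script URI names are hypothetical placeholders, and the script referenced by the URI is assumed to be a disk-initialization script like the one discussed earlier in the thread.

```powershell
# Added example, not the thread's own code. Requires the Az module and an authenticated
# session (Connect-AzAccount). All resource names below are hypothetical placeholders.
$rg      = 'rg-ade-demo'
$vmName  = 'vm-ade-demo'
$kvName  = 'kv-ade-demo'
$initUri = 'https://example.blob.core.windows.net/scripts/Initialize-DataDisks.ps1'  # hypothetical

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. Initialize and format any RAW data disks inside the guest first. ADE never encrypts a
#    disk that has no formatted volume, so doing this after enabling ADE is the common failure.
Set-AzVMCustomScriptExtension -ResourceGroupName $rg -VMName $vmName -Name 'InitDataDisks' `
    -Location $vm.Location -FileUri $initUri -Run 'Initialize-DataDisks.ps1' | Out-Null

# 2. The key vault must be enabled for disk encryption, or the extension fails at key wrap.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# 3. Enable ADE. -VolumeType is intentionally omitted: the default covers the OS volume
#    (encrypted first on Windows) and every current and future data volume.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId -Force

# 4. Verify from the control plane. The portal can lag behind the in-guest state;
#    a stop/start refreshes it.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage

if ("$($status.DataVolumesEncrypted)" -ne 'Encrypted') {
    Write-Warning 'Data volumes not reported as encrypted. Check manage-bde -status in the guest, then stop/start the VM.'
    Stop-AzVM  -ResourceGroupName $rg -Name $vmName -Force
    Start-AzVM -ResourceGroupName $rg -Name $vmName
    Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
        Format-List OsVolumeEncrypted, DataVolumesEncrypted
}
```

Set-AzVMDiskEncryptionExtension blocks until the extension reports completion, and on Windows the OS volume is always handled before the data volumes, so a persistent 'NotEncrypted' for DataVolumesEncrypted after step 3 almost always points back to step 1: a data disk that was still RAW when the extension ran.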