Question

RobC_CTL on Thu, 22 Feb 2018 16:05:39


Hi,

I've just expanded a couple of VMs' data disks, which is normally a quick process: the VM reboots and Linux automatically expands the partition to take advantage of the additional space. However, this is not what I am seeing with encrypted data disks. The process of expanding the disk through the portal was the same. Once the VMs were back up I ran a df command and the data disk size hasn't changed, and on one of the VMs the data disk is no longer mounted! However, if I run sudo lshw -C disk I can see the data disks are present and showing the new size. To add to the fun, the mount points have changed, i.e. what used to be /dev/sdc is now /dev/sdd, which means that the FSTAB file is now out of date. However, that can be fixed.

I suspect what is happening is the additional space is now being encrypted, which has caused this odd behaviour. Is that correct?

I notice that the disks are no longer showing as encrypted in the portal, and running az vm encryption show from the CLI the data disks are showing as NotEncrypted.

If my suspicion is correct, is there any way to monitor the progress of the encryption, or is there a process I can look for?

Cheers

Rob

Replies

Adam Smith (Azure) on Mon, 26 Feb 2018 17:06:22


Hey Rob, 

Monitoring Encryption Status:

You can monitor encryption status in different ways as mentioned in this article:

  • Use the Get-AzureRmVmDiskEncryptionStatus cmdlet and inspect the ProgressMessage field:

    OsVolumeEncrypted          : EncryptionInProgress
    DataVolumesEncrypted       : NotMounted
    OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
    ProgressMessage            : OS disk encryption started

  • Go to Azure Resource Explorer, and then expand this hierarchy in the selection panel:

    |-- subscriptions
       |-- [Your subscription]
            |-- resourceGroups
                 |-- [Your resource group]
                      |-- providers
                           |-- Microsoft.Compute
                                |-- virtualMachines
                                     |-- [Your virtual machine]
                                          |-- InstanceView

    In the InstanceView, scroll down to see the encryption status of your drives.

  • Look at boot diagnostics. Messages from the ADE extension should be prefixed with [AzureDiskEncryption].
  • Sign in to the VM via SSH, and get the extension log from:

    /var/log/azure/Microsoft.Azure.Security.AzureDiskEncryptionForLinux

    We recommend that you do not sign in to the VM while OS encryption is in progress. Copy the logs only when the other two methods have failed.

Disk expansion:

Have you followed the suggested steps mentioned here? It advises unmounting the disk prior to expanding it. This should keep the same drive letter when it's already set in fstab.

    Let me know if you have any other questions.

    -Adam
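
One way to watch encryption progress with the Get-AzureRmVmDiskEncryptionStatus cmdlet mentioned in the reply above, polling until both volumes report Encrypted or a timeout expires. This is an added example, not code from the thread or from Microsoft; the function name Wait-VmDiskEncryption, its parameters and the 'my-rg' / 'my-vm' names are assumptions.

```powershell
# Added example (not from the thread). Requires an authenticated AzureRM session.
function Wait-VmDiskEncryption {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
        [Parameter(Mandatory = $true)] [string] $VMName,
        [int] $PollSeconds    = 60,
        [int] $TimeoutMinutes = 240
    )

    $deadline    = (Get-Date).AddMinutes($TimeoutMinutes)
    $lastMessage = $null

    while ($true) {
        $status = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName

        # Compare the status values as strings, e.g. Encrypted, EncryptionInProgress,
        # NotMounted, NotEncrypted (the states quoted in the thread).
        $os   = [string] $status.OsVolumeEncrypted
        $data = [string] $status.DataVolumesEncrypted

        # Log only when ProgressMessage changes, to keep the transcript readable.
        if ($status.ProgressMessage -ne $lastMessage) {
            Write-Host ("{0:u}  OS={1}  Data={2}  {3}" -f (Get-Date), $os, $data, $status.ProgressMessage)
            $lastMessage = $status.ProgressMessage
        }

        $done     = ($os -eq 'Encrypted') -and ($data -eq 'Encrypted')
        $timedOut = (Get-Date) -ge $deadline
        if ($done -or $timedOut) {
            if (-not $done) {
                # A volume stuck at NotMounted or NotEncrypted will never reach Encrypted
                # by waiting; it has to be checked on the VM itself.
                Write-Warning "Timed out for ${VMName}: OS=$os, Data=$data"
            }
            return [pscustomobject]@{
                VMName               = $VMName
                OsVolumeEncrypted    = $os
                DataVolumesEncrypted = $data
                Completed            = $done
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Placeholder resource group and VM names.
Wait-VmDiskEncryption -ResourceGroupName 'my-rg' -VMName 'my-vm' -PollSeconds 120
```

The returned object can be collected for several VMs and compared against what the portal shows for the same disks.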

RobC_CTL on Mon, 26 Feb 2018 17:24:55


Hi Adam

Thanks for the response, I have to admit I gave up trying to get the encrypted disks to expand, I tried the instructions from the link you sent, the issue was the resizepart command couldn't see the extra disk space. Anyway as they were data disks I removed them and re-created them. 

Thanks for the info on visualising the process, one of the VMs is currently encrypting nicely. The other is reporting that encryption is complete... which I don't believe, as both VMs were started at roughly the same time (same size data disks). The one that is still encrypting is at 7% (Premium storage), whereas the one that is complete is on standard storage. The portal is suggesting that the disk is encrypted, as you can see (VM1)

But if I look at the disks on VM1 it says it's not enabled

And just to add to the fun, this is the output of Get-AzureRmVMDiskEncryptionStatus:

Confused! Which one is right?

Give me a Windows VM every day of the week :)


Adam Smith (Azure) on Mon, 26 Feb 2018 18:38:55


Thanks for the detailed answer Rob! This could be related to a known issue that exists and which we are trying to fix; however, the PowerShell command should reflect the correct status, meaning the disks are not encrypted :( . Can you send me your Subscription ID to AzCommunity[AT]microsoft.com, add "ATTN:Adam", the forum post's link, and the name of the affected VMs so I can enable a free support ticket for you? This would enable the escalation team to thoroughly examine the situation for you.

Thanks,
Adam 

RobC_CTL on Tue, 27 Feb 2018 16:14:54


Hi Adam

Thanks for the reply, I've tried to email the address provided but looks like it is a restricted group.

Regards

Rob

Adam Smith (Azure) on Tue, 27 Feb 2018 16:29:00


Hi Rob,

I just replied to your email :)

Adam

RobC_CTL on Tue, 27 Feb 2018 16:34:49


Got it, thanks.

Rob

kcehtrak on Wed, 05 Sep 2018 11:19:05


Is there a fix for this? We are also in the same boat with expanding our encrypted 1TB data disk to 2TB for testing purposes before we apply the fix on Prod VMs, and it doesn't see the extra space. The VM was stopped/de-allocated, data disk expanded to 2TB, VM booted up and disk unmounted; resize part is unable to see the expanded volume as per the instructions listed in the referenced article. Any help will be duly appreciated as there isn't much info about this on MSDN or Google for that matter. Thanks.