ADE only encrypting the OS disk but not the data disk using ARM template

  • Question

  • Hello,

    I am deploying a VM with two disks (OS and Data). I am using the ADE extension. The OS disk is getting encrypted but not the data disk. I am using volumeType = All to encrypt both disks.

    Template is:

    {
      "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "location": {
          "type": "string",
          "defaultValue": "australiaeast",
          "metadata": {
            "description": "Location for the virtual machine."
          }
        },
        "existingVitualNetworkName": {
          "type": "string",
          "metadata": {
            "description": "VNet"
          }
        },
        "existingSubnetName": {
          "type": "string",
          "metadata": {
            "description": "Subnet."
          }
        },
        "virtualNetworkResourceGroup": {
          "type": "string",
          "metadata": {
            "description": "Resource Group"
          }
        },
        "virtualMachineName": {
          "type": "string",
          "metadata": {
            "description": "Virtual Machine."
          }
        },
        "osDiskType": {
          "type": "string",
          "allowedValues": [
            "Standard_LRS",
            "Premium_LRS",
            "StandardSSD_LRS",
            "UltraSSD_LRS"
          ],
          "defaultValue": "Standard_LRS",
          "metadata": {
            "description": "Managed Disk"
          }
        },
        "virtualMachineSize": {
          "type": "string",
          "metadata": {
            "description": "Size."
          }
        },
        "adminUsername": {
          "type": "string",
          "metadata": {
            "description": "Local admin"
          }
        },
        "adminPassword": {
          "type": "securestring",
          "metadata": {
            "description": "Local admin user Password"
          }
        },
        "OSSku": {
          "allowedValues": [
            "2016-Datacenter",
            "2012-R2-Datacenter",
            "2019-Datacenter"
          ],
          "type": "string",
          "metadata": {
            "description": "OS version"
          }
        },
        "timezone": {
          "allowedValues": [
            "AUS Eastern Standard Time",
            "AUS Central Standard Time",
            "E. Australia Standard Time"
          ],
          "type": "string",
          "metadata": {
            "description": "timezone"
          }
        },
        "sizeOfDataDisk1InGB": {
          "type": "string",
          "metadata": {
            "description": "data disk in GB"
          }
        },
        "keyVaultName": {
          "type": "string",
          "metadata": {
            "description": "KeyVault"
          }
        },
        "keyVaultResourceGroup": {
          "type": "string",
          "metadata": {
            "description": "Resource group of the KeyVault"
          }
        },
        "keyEncryptionKeyURL": {
          "type": "string",
          "defaultValue": "",
          "metadata": {
            "description": "URL of the KeyEncryptionKey"
          }
        },
        "volumeType": {
          "type": "string",
          "defaultValue": "All",
          "metadata": {
            "description": "Type of the volume"
          }
        },
        "forceUpdateTag": {
          "type": "string",
          "defaultValue": "1.0",
          "metadata": {
            "description": "force run"
          }
        },
        "resizeOSDisk": {
          "type": "bool",
          "defaultValue": false,
          "metadata": {
            "description": "resized to OS VHD"
          }
        }
      },
      "variables": {
        "vnetId": "[resourceId(parameters('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('existingVitualNetworkName'))]",
        "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('existingSubnetName'))]",
        "networkInterfaceName": "[concat(parameters('virtualMachineName'), '-NIC')]",
        "extensionName": "AzureDiskEncryption",
        "extensionVersion": "2.2",
        "encryptionOperation": "EnableEncryption",
        "keyEncryptionAlgorithm": "RSA-OAEP",
        "keyVaultResourceId": "[resourceId(parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
      },
      "resources": [
        {
          "type": "Microsoft.Network/networkInterfaces",
          "name": "[variables('networkInterfaceName')]",
          "apiVersion": "2018-10-01",
          "location": "[parameters('location')]",
          "tags": {},
          "properties": {
            "ipConfigurations": [
              {
                "name": "ipconfig1",
                "properties": {
                  "subnet": {
                    "id": "[variables('subnetRef')]"
                  },
                  "privateIPAllocationMethod": "Dynamic"
                }
              }
            ]
          },
          "dependsOn": []
        },
        {
          "type": "Microsoft.Compute/virtualMachines",
          "name": "[parameters('virtualMachineName')]",
          "apiVersion": "2018-06-01",
          "location": "[parameters('location')]",
          "tags": {},
          "properties": {
            "hardwareProfile": {
              "vmSize": "[parameters('virtualMachineSize')]"
            },
            "storageProfile": {
              "osDisk": {
                "name": "[concat(parameters('virtualMachineName'), '-Osdisk')]",
                "createOption": "FromImage",
                "managedDisk": {
                  "storageAccountType": "[parameters('osDiskType')]"
                }
              },
              "imageReference": {
                "publisher": "MicrosoftWindowsServer",
                "offer": "WindowsServer",
                "sku": "[parameters('OSSku')]",
                "version": "latest"
              },
              "dataDisks": [
                {
                  "name": "[concat(parameters('virtualMachineName'), '-datadisk1')]",
                  "diskSizeGB": "[parameters('sizeOfDataDisk1InGB')]",
                  "lun": 0,
                  "managedDisk": {
                    "storageAccountType": "[parameters('osDiskType')]"
                  },
                  "createOption": "Empty"
                }
              ]
            },
            "networkProfile": {
              "networkInterfaces": [
                {
                  "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
                }
              ]
            },
            "osProfile": {
              "computerName": "[parameters('virtualMachineName')]",
              "adminUsername": "[parameters('adminUsername')]",
              "adminPassword": "[parameters('adminPassword')]",
              "windowsConfiguration": {
                "provisionVmAgent": true,
                "timeZone": "[parameters('timezone')]"
              }
            }
          },
          "dependsOn": [
            "[concat('Microsoft.Network/networkInterfaces/', variables('networkInterfaceName'))]"
          ]
        },
        {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "[concat(parameters('virtualMachineName'), '/', variables('extensionName'))]",
          "location": "[parameters('location')]",
          "apiVersion": "2017-03-30",
          "properties": {
            "publisher": "Microsoft.Azure.Security",
            "type": "[variables('extensionName')]",
            "typeHandlerVersion": "[variables('extensionVersion')]",
            "autoUpgradeMinorVersion": true,
            "forceUpdateTag": "[parameters('forceUpdateTag')]",
            "settings": {
              "EncryptionOperation": "[variables('encryptionOperation')]",
              "KeyVaultURL": "[reference(variables('keyVaultResourceId'), '2016-10-01').vaultUri]",
              "KeyVaultResourceId": "[variables('keyVaultResourceId')]",
              "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
              "KekVaultResourceId": "[variables('keyVaultResourceId')]",
              "KeyEncryptionAlgorithm": "[variables('keyEncryptionAlgorithm')]",
              "VolumeType": "[parameters('volumeType')]",
              "ResizeOSDisk": "[parameters('resizeOSDisk')]"
            }
          },
          "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]"
          ]
        }
      ]
    }

     Any thoughts?




    Thursday, May 2, 2019 2:10 AM

All replies

  • For Azure Disk Encryption you can set the -VolumeType parameter in PowerShell to one of [OS, Data, All]; with this you can control the encryption. Try to restart the VM and check the status.

    Possible scenarios: for a VM with attached disks, you can encrypt only the OS disk, only the data disk, or both, depending on this variable.

    For more information, see How to enable disk encryption on a data disk.

    You can encrypt boot and data volumes for Windows and Linux IaaS VMs. For Windows VMs, you can't encrypt the data without first encrypting the OS volume. For Linux VMs, it's possible to encrypt the data volume without having to encrypt the OS volume first. After you've encrypted the OS volume for Linux, disabling encryption on an OS volume for Linux IaaS VMs isn't supported.

    Azure Disk Encryption allows you to encrypt the OS and Data disks used by an IaaS Virtual Machine. This includes managed disks. For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. This is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys. For more information, please see Azure Disk Encryption for Windows and Linux IaaS VMs.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Thursday, May 2, 2019 8:37 AM
    Moderator
  • Thank you for the reply.

    I am using VolumeType as variable in my template 

    "VolumeType": "[parameters('volumeType')]", 

    and defining 'volumeType' as parameter, but no luck.

    "volumeType": {
      "type": "string",
      "defaultValue": "All",
      "metadata": {
        "description": "Type of the volume"
      }
    }

    Please refer to my template file for more details.

    Thank you

    Thursday, May 2, 2019 12:20 PM
  • Can you please share a screenshot after running the below-mentioned command:

    Output of "manage-bde -status"

    - RDP into the VM -> open a CMD prompt -> run the command

    Check in Disk Manager how the disks are aligned within the VM. Additionally, are you using a storage pool?


    Tuesday, May 7, 2019 7:40 AM
    Moderator
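    The checks the moderator asks for, as an added example that is not part of the original thread: an in-guest triage script run from an elevated PowerShell prompt on the Windows VM after RDP. It shows what manage-bde reports, how the attached disks are laid out, whether a Storage Spaces pool is in play, and each volume next to its BitLocker protection state. Nothing here is specific to the poster's environment; it assumes only a Windows Server guest and, for the last step, the BitLocker PowerShell module (installed with the BitLocker feature, which the ADE extension adds).

```powershell
# Added in-guest triage example (not the original poster's or Microsoft's script).
# Run from an elevated PowerShell prompt on the Windows VM.

# 1. BitLocker's own view. Only volumes that exist are listed, so a data disk that
#    was attached but never initialised does not show up here at all.
manage-bde -status

# 2. Physical disk layout. A managed data disk created with createOption "Empty"
#    arrives with PartitionStyle RAW and no volume; BitLocker (and therefore ADE)
#    has nothing to encrypt on it until it is initialised, partitioned and formatted.
Get-Disk |
    Select-Object Number, FriendlyName,
                  @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } },
                  PartitionStyle, OperationalStatus |
    Format-Table -AutoSize

# 3. Storage Spaces check (the moderator's last question). Non-primordial pools are
#    user-created; their virtual disks need the same initialise/format step as a
#    plain data disk before ADE can see a volume on them.
Get-StoragePool -IsPrimordial $false -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, HealthStatus, OperationalStatus

# 4. Volumes next to their BitLocker protection state. -ErrorAction covers the case
#    where the BitLocker module is not present yet (ADE has not run on this VM).
Get-Volume | Where-Object DriveLetter | ForEach-Object {
    $bl      = Get-BitLockerVolume -MountPoint "$($_.DriveLetter):" -ErrorAction SilentlyContinue
    $status  = if ($bl) { $bl.ProtectionStatus }     else { 'NoBitLockerData' }
    $percent = if ($bl) { $bl.EncryptionPercentage } else { $null }
    [pscustomobject]@{
        Drive            = "$($_.DriveLetter):"
        FileSystem       = $_.FileSystem
        SizeGB           = [math]::Round($_.Size / 1GB, 1)
        ProtectionStatus = $status
        EncryptedPercent = $percent
    }
} | Format-Table -AutoSize
```

    If step 2 lists a RAW disk and step 4 shows only C: (and the temporary D:), the symptom in the question is fully explained: VolumeType "All" told ADE to encrypt every volume, and the data disk simply had none.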
  • Issue has been resolved.

    The issue was that the data disk was not initialized. Hence, we need to create a PowerShell script, which will be called by using a custom extension, to fix the issue.

    Monday, May 13, 2019 4:38 AM
  • Glad to hear that the issue got fixed. This would certainly benefit other community members. Please feel free to contact us anytime for any Azure issue.

    Monday, May 13, 2019 5:12 AM
    Moderator
  • I am running into the same problem. I thought it was likely due to the fact that the disk wasn't initialized. We have a post-creation PS script that initializes the disk and finishes setting up our VM. However, this didn't encrypt after initializing the disk.

    Vishalsaini, would you mind sending/posting your ps script and custom extension arm snippet so I can see if that solves my problem too? Please.
    Friday, July 5, 2019 2:15 PM
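    The fix described in the "Issue has been resolved" post and requested in the follow-up above, as an added example; this is not the original poster's script or an Azure sample. It is a deploy-side PowerShell script (Az module, after Connect-AzAccount) that reproduces the fix in the only order that works: first a Custom Script Extension initialises and formats the empty data disk inside the guest, then the Azure Disk Encryption extension is applied with VolumeType All. Resource group, VM and Key Vault names are placeholders; the Key Vault is assumed to already have its disk-encryption access policy enabled, as the template's own Key Vault must.

```powershell
# Added example (not the thread's own code): initialise the data disk, then run ADE.
# Requires the Az module and an authenticated session (Connect-AzAccount).

$rg   = 'rg-ade-demo'    # assumed resource group of the VM
$vm   = 'vm-ade-demo'    # assumed VM name (deployed from a template like the one above)
$kvRg = 'rg-ade-demo'    # assumed Key Vault resource group
$kv   = 'kv-ade-demo'    # assumed Key Vault, enabled for disk encryption
$loc  = 'australiaeast'

# In-guest script. The OS disk and the temporary disk are already initialised, so the
# RAW filter selects only the empty managed data disk; it becomes a GPT disk with one
# NTFS volume and a drive letter, which is what BitLocker (and therefore ADE) needs.
# Single-quoted here-string: $false is passed literally, not expanded here.
$initScript = @'
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false
'@

# The Custom Script Extension runs whatever commandToExecute says. Passing the script
# via -EncodedCommand (UTF-16LE Base64) avoids hosting a .ps1 in a storage account.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($initScript))
$cmd     = "powershell.exe -NoProfile -ExecutionPolicy Unrestricted -EncodedCommand $encoded"

Set-AzVMExtension -ResourceGroupName $rg -VMName $vm -Location $loc `
    -Name 'InitDataDisk' -Publisher 'Microsoft.Compute' `
    -ExtensionType 'CustomScriptExtension' -TypeHandlerVersion '1.10' `
    -Settings @{ commandToExecute = $cmd }

# Only now run ADE. VolumeType 'All' (also the default) covers the OS volume and the
# freshly formatted data volume; on Windows the OS volume is always encrypted first.
$vault = Get-AzKeyVault -ResourceGroupName $kvRg -VaultName $kv
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -VolumeType 'All' -Force

# Both OsVolumeEncrypted and DataVolumesEncrypted should now report Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```

    To express the same ordering in the template above, add a second Microsoft.Compute/virtualMachines/extensions resource (publisher Microsoft.Compute, type CustomScriptExtension, typeHandlerVersion 1.10, settings.commandToExecute set to the command built here, or fileUris plus a -File command if the script is hosted), make it dependsOn the VM, and change the AzureDiskEncryption resource's dependsOn from the VM to that extension, for example "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), 'InitDataDisk')]". Two caveats worth knowing: a VM can carry only one CustomScriptExtension instance, so an existing post-creation script has to absorb the disk initialisation rather than sit beside it; and the ADE handler does not re-run on a redeploy whose settings have not changed, so if ADE already ran before the disk was formatted (the situation in the follow-up post) either bump the template's forceUpdateTag parameter or re-run Set-AzVMDiskEncryptionExtension as above.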
  • @vishalsaini Refer to the suggestion mentioned in the GitHub thread.

    https://github.com/MicrosoftDocs/azure-docs/issues/37795


    Tuesday, July 9, 2019 11:38 AM
    Moderator
  • @Gvishalsaini  Just checking in to see if you have had a chance to see the previous response. Could you share the above required information to understand/investigate this issue further?


    Saturday, July 13, 2019 4:10 PM
    Moderator
  • Remove VolumeType from the template; the default is 'All'.
    Thursday, September 5, 2019 1:42 PM