Azure Disk encryption using Azure rest API (PATCH) fails

Question

so i have been trying this for a while .I pass the below payload to the Patch rest API. My vault is created with ADE encryption enabled with all permissions set.

payload1 = '{
  "properties": {
    "diskSizeGB": "",
    "encryptionSettingsCollection": {
      "enabled": "true",
      "encryptionSettings": [{
        "diskEncryptionKey": {
          "sourceVault": {
            "id": "/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.KeyVault/vaults/xyz"
          },
          "secretUrl": "https://xyz.vault.azure.net/secrets/secret_name/version"
        }
      }],
     "encryptionSettingsVersion": "1.1"
    }
  }
}'

I get the below error's "

MsRestAzure::AzureOperationError: OperationNotAllowed: Cannot change the encryption settings of disk xyz while it is attached to running VM

Also can i please get a solution with respect to rest api's to enable the ADE encryption without giving the secret name and version in the payload and azure manages it

Answer 1

Hi ShilpanayakEcomm,

Based off the error message and your post it looks like you're trying to encrypt your disk(s)/VM but can't update the encryption settings. 

Questions:

-What're you trying to accomplish with the "Patch" Rest API? Are you trying to encrypt your VM or disk(s)?

-Do you have the link to the "Path" Rest API? I wasn't able to find it under current Key Vault APIs

If you're trying to encrypt your VM using ADE you'll have to follow the attached link and walk-through the pre-requisite steps. 

We also have a new feature called Storage Service Encryption with Customer Managed Keys (SSE+CMK), if you're trying to just encrypt your managed disks.

Please let me know if this helps answer your question.

Thank you.