Unable to Encrypt CIS CentOS Marketplace VMs

  • Question


  • I'm deploying CIS Hardened CentOS Marketplace images as the standard for our company infrastructure build.
    As per the company rules, all the OS and data disks should be encrypted using Azure Disk Encryption.
    However, I'm unable to encrypt either the CIS CentOS 6 or 7 version through AZ CLI.

    See logs:


    CentOS 6
    --------

    [cisadm@ciscentos6 ~]$ cat /etc/centos-release
    CentOS release 6.10 (Final)
    [cisadm@ciscentos6 ~]$ rpm -q centos-release
    centos-release-6-10.el6.centos.12.3.x86_64

    az cli> az vm encryption enable --resource-group "cistestrg2" --name "ciscentos6" --disk-encryption-keyvault "ciscentkv" --volume-type OS
    The distro is not in CLI's known supported list. Use https://aka.ms/adelinux to cross check
    VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: "Failed to enable the extension with error: [Errno 2] No such file or directory: '/var/lib/azure_disk_encryption_config/azure_crypt_config.ini', stack trace: Traceback (most recent call last):
      File "/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-1.1.0.17/main/handle.py", line 647, in enable_encryption
        encryption_config.commit()
      File "/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-1.1.0.17/main/EncryptionConfig.py", line 65, in commit
        self.encryption_config.save_configs(key_value_pairs)
      File "/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-1.1.0.17/main/ConfigUtil.py", line 62, in save_configs
        with open(self.config_file_path, 'wb') as configfile:
    IOError: [Errno 2] No such file or directory: '/var/lib/azure_disk_encryption_config/azure_crypt_config.ini'
    ".


    CentOS 7
    --------


    [centadm@ciscentos7 ~]$ uname -a 
    Linux ciscentos7 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux 
    [centadm@ciscentos7 ~]$ cat /etc/centos-release 
    CentOS Linux release 7.5.1804 (Core) 
    [centadm@ciscentos7 ~]$ rpm -q centos-release 
    centos-release-7-5.1804.4.el7.centos.x86_64 
    [centadm@ciscentos7 ~]$

    az cli> az vm encryption enable --resource-group "cistestrg2" --name "ciscentos7" --disk-encryption-keyvault "ciscentkv" --volume-type OS
    The distro is not in CLI's known supported list. Use https://aka.ms/adelinux to cross check
    VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: "OS volume encryption is not supported on centos 7.5.1804".

    See Supported versions of Linux for Azure Disk Encryption.

    https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-faq#bkmk_LinuxOSSupport

    Do we have any idea as to when MS will start supporting Azure Disk Encryption for CIS Hardened Images for CentOS 7.5?

    Wednesday, November 7, 2018 2:18 PM

All replies

  • @cloudfirstltd, please use PowerShell. I ran into the same issue previously while testing. AZ CLI doesn't seem to support the encryption process for Linux.

    This is the full documentation for it: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-linux

    Also, make sure to add the -SkipVmBackup flag when running the script, e.g.:

    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType Data -SkipVmBackup;

    Wednesday, November 7, 2018 9:01 PM
  • Thanks for the response @Adam.

    It may be possible that some Linux distributions are not supported by AZ CLI.

    But I've tried using Az Disk Encryption on the standard (MS-offered) Ubuntu and CentOS Marketplace images, which works fine with az cli and PowerShell.

    I think the problem is in particular with hardened images offered by non-MS vendors.

    @Update

    Just a while back I got a confirmation from MS that they do not support Az Disk Encryption for any hardened images available in the Az Marketplace.

    Thursday, November 8, 2018 4:24 PM
  • Hi,

    Were you able to encrypt the disk later?

    Tuesday, May 7, 2019 12:49 PM
  • @Div123 Do you have any issue in encrypting the CIS CentOS OS?

    To understand the issue better, could you please provide more details on the issue you are experiencing? Please point out any specific step or document section that you're unable to follow. Also, kindly share a screenshot of the issue after concealing any private details. Looking forward to your reply.


    Wednesday, May 8, 2019 5:56 AM
    Moderator