ARM Linux VM Encryption Fails

  • Question

  • Hello,

    I encountered the error below when trying to encrypt a Linux machine. The VM is behind a firewall, and to pass the outbound traffic for the encryption process I have enabled port 443 for all. Is there anything else that needs to be configured?

    The same deployment process works when we try to deploy it without the firewall.

    Error from Azure CLI:

    Deployment failed. Correlation ID: b1c719e3-9890-487c-996b-e10f97146081. VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: "Failed to update encryption settings with error: encryption settings update request was not accepted, stack trace: Traceback (most recent call last):
      File "main/handle.py", line 328, in update_encryption_settings
        stamp_disks_with_settings(items_to_encrypt=[], encryption_config=encryption_config)
      File "main/handle.py", line 197, in stamp_disks_with_settings
        settings.post_to_wireserver(data)
      File "/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-1.1.0.36/main/EncryptionSettingsUtil.py", line 251, in post_to_wireserver
        raise e
    Exception: encryption settings update request was not accepted

    Friday, June 14, 2019 3:03 PM

All replies

  • Apologies for the delay!

    Refer to the suggestion outlined in this article.

    Go to the Key Vault in the Azure portal, click on Access policies, click on the "Click to show advanced access policies" link, make sure the "Enable access to Azure Disk Encryption for volume encryption" check box is checked, then try to encrypt the VM again.

    You may also refer to the suggestion mentioned in this GitHub and MSDN link.

    Additional information: the values of the Key Vault parameters being provided to the az vm encryption enable command must be provided in the correct format. Specifically:

    The proper syntax for the value of disk-encryption-keyvault parameter is the full identifier string: /subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]

    The proper syntax for the value of the key-encryption-key parameter is the full URI to the KEK as in: https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]

    The other follow-up comments are also accurate with respect to other prerequisite requirements that exist for Linux VMs. Some additional background detail on this is in the troubleshooting guide here:

    https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-tsg#troubleshooting-linux-os-disk-encryption

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Up-vote on the post that helps you, this can be beneficial to other community members

    Monday, June 17, 2019 1:08 AM
    Moderator
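    As an added example (not from this thread, Microsoft, or the extension's own code), a POSIX shell preflight that checks the two parameter formats described above before calling az vm encryption enable, and extracts the vault host the firewall must allow outbound on 443. The subscription, resource group, vault, key and VM names are placeholders, and the TCP probe assumes nc is installed on the VM.

```shell
#!/bin/sh
# Added preflight for `az vm encryption enable` (example only; values below are placeholders).
KV_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-kv'
KEK_URL='https://my-kv.vault.azure.net/keys/my-kek/0123456789abcdef0123456789abcdef'

# Returns 0 when $1 is the full resource-ID form that --disk-encryption-keyvault expects.
valid_keyvault_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$'
}

# Returns 0 when $1 is the full versioned key URI that --key-encryption-key expects.
valid_kek_url() {
  printf '%s\n' "$1" | grep -Eq '^https://[^/.]+\.vault\.azure\.net/keys/[^/]+/[^/]+$'
}

# Host part of the key URI: the endpoint the firewall must allow outbound on TCP 443.
vault_host() {
  printf '%s\n' "$1" | sed -E 's#^https://([^/]+)/.*$#\1#'
}

# Run the format checks, then (only where nc exists) probe TCP 443 to the vault host.
preflight() {
  valid_keyvault_id "$KV_ID" || { echo "bad --disk-encryption-keyvault: $KV_ID" >&2; return 1; }
  valid_kek_url "$KEK_URL"   || { echo "bad --key-encryption-key: $KEK_URL" >&2; return 1; }
  host=$(vault_host "$KEK_URL")
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$host" 443 || { echo "outbound 443 to $host blocked" >&2; return 1; }
  fi
  echo "preflight ok: $host reachable"
}

# Typical invocation after a successful preflight (resource group and VM name are placeholders):
# preflight && az vm encryption enable --resource-group my-rg --name my-vm \
#   --disk-encryption-keyvault "$KV_ID" --key-encryption-key "$KEK_URL"
```

    A format that fails these checks produces the same kind of rejected request as a vault the VM cannot reach, so run the preflight on the VM itself, inside the firewalled network.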
  • I followed the same procedure with another new VM and the encryption works.

    But whenever I tried to enable encryption on the old VM, it always failed. This issue came up when we enabled encryption with the firewall blocking, and it failed because it was unable to access the vault endpoint. But now we have enabled outbound traffic for ports 80 and 443.

    This issue is similar to the GitHub issue logged here.

    https://github.com/Azure/azure-linux-extensions/issues/769

    Any help appreciated.

    Thanks.

    Wednesday, June 19, 2019 7:06 AM
  • Apologies for the delay! Can you share a screenshot of the error message or error code?

    * Change the VM size to a supported model, that is, a VM with over 8 GB of RAM and any available SKU except the B series.
    * Attempt again the Azure disk encryption and report back the status.

    More information on how to encrypt Linux VMs and the supported models: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-faq#which-virtual-machine-tiers-does-azure-disk-encryption-support
     https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks

    VMs from a generalized OS-encrypted image are not supported, as such images will not carry the encryption settings and will cause further issues down the line. We recommend that customers encrypt VMs which were deployed directly from Azure-supported Gallery images.

    If your old VM was created from a custom image, it wouldn't be a supported image. The Azure Disk Encryption extension is only supported on the Azure endorsed gallery images, before they have any customizations or apps installed. Also, the pre-encrypted VHD approach is not to be mixed with the ADE extension: a pre-encrypted VHD image would be a custom image, not one of our Azure endorsed gallery images, and hence is not a supported image for installing the extension.

    Hope this helps!


    Kindly let us know if the above helps or you need further assistance on this issue. 

    Tuesday, June 25, 2019 6:52 AM
    Moderator
  • Just checking in to see if the above answer helped. If this answers your query, do click "Mark as Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query, do let us know.
    Wednesday, July 3, 2019 5:34 AM
    Moderator
  • I don't know why VM size matters, but my VM has a good configuration, i.e. 8 GB RAM / 30 GB OS disk.

    If you look at the GitHub issue raised by me (https://github.com/Azure/azure-linux-extensions/issues/769), the error message shows that some server is not accepting the encryption settings which I have supplied, and JFYI, a similar VM configuration and encryption setting works.

    Any help appreciated.

    Thank you !

    Wednesday, July 3, 2019 7:18 AM
  • @vpradeep May I know how the old VM was deployed (custom or Marketplace image)?

    Can you also just try to change the size of the VM and let me know the status?

    Wednesday, July 3, 2019 9:34 AM
    Moderator
  • @vpradeep Just checking in to see if the above answer helped. If this answers your query, do click "Mark as Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query, do let us know.
    Wednesday, July 10, 2019 6:37 AM
    Moderator
  • The old one and the new VM were deployed using an Azure template, and the template configuration is the same for both VMs.
    Tuesday, July 16, 2019 9:47 AM
  • Even after upgrading the VM size, the issue still persists!
    Tuesday, July 16, 2019 10:33 AM
  • This may require a deeper investigation, so if you have a support plan, I request that you file a support ticket; else, please do let us know and we will try to help you get one-time free technical support. In this case, could you send an email to AzCommunity[at]Microsoft[dot]com referencing this thread? Please mention "ATTN subm" in the subject field along with the subscription ID. Thank you for your cooperation on this matter, and I look forward to your reply.

    Tuesday, July 16, 2019 2:09 PM
    Moderator
  • A Linux VM needs outbound internet access in order to apply disk encryption, as it needs to connect to the respective repository while applying encryption.
    Thursday, September 5, 2019 1:40 PM