Enabled VM Disk Encryption but some disks are not encrypted

Johnny Le 101 Reputation points
2021-11-17T18:09:24.533+00:00

I enabled Azure disk encryption on the VM for OS and data disks but some disks for the VM do not show encrypted. Is there any way I can force encryption on a single disk with VM encryption enabled?

Tags: Azure Virtual Machines, Azure Disk Encryption, Azure Disk Storage

Accepted answer
  1. Johnny Le 101 Reputation points
    2021-11-23T02:41:07.53+00:00

    Just some additional information to clarify my issue. Azure Disk Encryption was set on the VM under Disks > Additional settings. The OS disk would get encrypted with no problem, but the data disks would not show as ADE-encrypted. In the OS, BitLocker is enabled and the disks are encrypted, but at the VM level they show as unencrypted, both in the disk description in the portal and using the Azure CLI. The Advisor recommendations would also report that encryption at rest is not compliant for the data disks.

    I was able to resolve this discrepancy in 2 different ways.

    1. Go to Additional settings and just hit Save (effectively re-applying the same KEK to the VM). This worked in many cases but not all.
    2. Use the Azure CLI's set VM encryption command with the exact same KEK info. I only did this if 1 didn't work, because when you run it through the CLI it doesn't show any of the info in the portal anymore.

    CLI from this link: disk-encryption-windows


3 additional answers

  1. Ronen Ariely 15,096 Reputation points
    2021-11-17T18:22:17.95+00:00

    Hi,

    (1) Go to the Virtual Machine in the Azure Portal

    (2) In the left menu Click on: Disks


    (3) Select the disk which you want to encrypt

    (4) On the left menu select: Encryption


    (5) Here you can select if you want encryption and which.

    Note! You can change encryption settings only when the disk is not attached to a virtual machine or the VM is deallocated.


  2. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2021-11-18T07:14:57.967+00:00

    @Johnny Le Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Are you using a Windows or Linux OS VM? Can you share a screenshot of the error status?

    Linux:

    ```bash
    tar -cvzf /tmp/varlogazure.tar.gz /var/log/azure
    tar -cvzf /tmp/varlibazureconfig.tar.gz /var/lib/azure_disk_encryption_config/
    tar -cvzf /tmp/varlibextension.tar.gz /var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux*
    tar -cvzf /tmp/waagent.log.tar.gz /var/log/waagent.log
    cat /etc/fstab
    df -h
    lsblk
    cat /etc/crypttab
    blkid
    ls -lh /mnt/azure_bek_disk/
    ls -lh /dev/disk/azure/scsi1/
    ls -lh /dev/disk/azure/
    ```

    PowerShell:

    ```powershell
    Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
    ```

    Please share the output!

    - Is there any way I can force encryption on a single disk with VM encryption enabled?
    We can rerun the commands to encrypt the VM (but I would advise not to do that).

    Windows OS VM:
    Run manage-bde in cmd and let me know the output.

    Troubleshooting steps:
    1. Make sure your data disk is attached to your VM and initialized.
    2. If your disk is already attached and initialized, make sure it's online and formatted as NTFS.
    3. Once all the above is true, please re-run the encryption script using the "sequence version" variable. Keep in mind, if you used a KEK to encrypt, you'll be using the KEK encryption script. All variables will remain the same as when you initially encrypted.

    If this doesn't resolve your issue, can you please send the following logs, Screenshots:
    Disk management
    Updated manage-bde output after you executed the script
    Portal status of your disks
    "BiLockerExtension.txt" - located at "C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryption\"

    AzCommunity@microsoft.com
    ATTN: Data Disk ADE issue - subm
    Body: Please include this thread link

    Sometimes you may see that disks are not encrypted in the portal.

    Cause 2. Encryption inside the guest OS should kick in automatically, but for the Azure portal to reflect the encryption status of the new disk, a Stop (deallocate) must be performed so that the extension can communicate the new status to the host.

    Cause 3. This occurs when you disable encryption directly at the OS level. The extension will not be updated by the OS if you manipulate BitLocker manually at the OS level. Encryption must always be manipulated using the high-level commands of the ADE extension.

    Please let us know if you have any further queries. I’m happy to assist you further.



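The procedure described in this answer and in the accepted answer (check the disk state, then re-apply ADE with the same vault and KEK and a new sequence version instead of disabling and re-enabling encryption), written out as an added PowerShell example. It is not code from the thread or from Microsoft. It assumes the Az PowerShell module (Az.Compute, Az.KeyVault) and an existing Connect-AzAccount session; the names rg-ade-demo, vm-ade-demo, kv-ade-demo and ade-kek are placeholders, the function names Get-AdeDiskStatus, Test-AdeGuestReadiness and Invoke-AdeReapply are chosen here, and the BEK vault and the KEK vault are assumed to be the same vault.

```powershell
# Added example, not code from the thread. Assumes the Az PowerShell module
# (Az.Compute, Az.KeyVault) and an existing Connect-AzAccount session.
# Resource group, VM, vault and KEK names are placeholders for this illustration.
$ResourceGroupName = 'rg-ade-demo'
$VMName            = 'vm-ade-demo'
$KeyVaultName      = 'kv-ade-demo'   # vault that already holds this VM's BEK secrets
$KekName           = 'ade-kek'       # key-encryption key originally used for this VM

# Control-plane view: what the portal, Advisor and the CLI report per disk.
function Get-AdeDiskStatus {
    param([string]$ResourceGroupName, [string]$VMName)

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $diskNames = @($vm.StorageProfile.OsDisk.Name)
    $diskNames += $vm.StorageProfile.DataDisks | ForEach-Object { $_.Name }

    foreach ($name in $diskNames) {
        $disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $name
        # EncryptionSettingsCollection carries the ADE (BitLocker) settings of a
        # managed disk. $disk.Encryption.Type is server-side encryption and is
        # always present, so it must not be mistaken for ADE compliance.
        [pscustomobject]@{
            Disk       = $name
            AdeEnabled = [bool]$disk.EncryptionSettingsCollection.Enabled
            SseType    = $disk.Encryption.Type
        }
    }

    # VM-level summary as reported by the ADE extension (Az equivalent of the
    # Get-AzureRmVMDiskEncryptionStatus command used earlier in this thread).
    Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName |
        Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
}

# Guest view: the checks from the answer above (disk attached, initialized,
# online, NTFS) plus manage-bde, run inside the VM via Run Command (VM must be running).
function Test-AdeGuestReadiness {
    param([string]$ResourceGroupName, [string]$VMName)

    $guestScript = @'
"== Disks that are offline or still RAW (ADE cannot encrypt these) =="
Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' -or $_.OperationalStatus -ne 'Online' } |
    Format-Table Number, FriendlyName, PartitionStyle, OperationalStatus -AutoSize
"== Lettered volumes that are not NTFS =="
Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystem -ne 'NTFS' } |
    Format-Table DriveLetter, FileSystem, FileSystemLabel -AutoSize
"== BitLocker status as seen by the guest =="
manage-bde -status
'@
    $path = Join-Path $env:TEMP 'ade-guest-check.ps1'
    Set-Content -Path $path -Value $guestScript
    $run = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -CommandId 'RunPowerShellScript' -ScriptPath $path
    $run.Value | ForEach-Object { $_.Message }
}

# Re-apply ADE with the SAME vault and KEK. A new SequenceVersion is what makes
# the extension run again and pick up the data disks it missed; encryption is
# not disabled first (that would decrypt the volumes and re-encrypt them later).
function Invoke-AdeReapply {
    param([string]$ResourceGroupName, [string]$VMName, [string]$KeyVaultName, [string]$KekName)

    $vault = Get-AzKeyVault -VaultName $KeyVaultName
    $kek   = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KekName

    # Print the settings the extension currently holds so the KEK URL can be
    # compared with $kek.Key.Kid before anything changes.
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -Name 'AzureDiskEncryption' -ErrorAction SilentlyContinue
    if ($ext) { Write-Host "Current ADE settings:`n$($ext.PublicSettings)" }
    Write-Host "Re-applying with KEK $($kek.Key.Kid)"

    # VolumeType 'All' mirrors the portal's "OS and data disks" choice used here.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
        -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
        -VolumeType 'All' -SequenceVersion ([Guid]::NewGuid().ToString()) -Force
}

Get-AdeDiskStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
Test-AdeGuestReadiness -ResourceGroupName $ResourceGroupName -VMName $VMName
Invoke-AdeReapply -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -KeyVaultName $KeyVaultName -KekName $KekName
# Re-check. If the guest shows the data disk as BitLocker-encrypted but the
# platform still reports it as not encrypted, a deallocate/start cycle
# (Stop-AzVM, then Start-AzVM) lets the extension report the new status.
Get-AdeDiskStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
```

The vault and KEK names must be the ones used when encryption was first enabled: re-applying with the same KEK only re-runs the extension, whereas supplying a different KEK re-wraps the BEK and is a key change rather than the re-application the thread describes.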

  3. Johnny Le 101 Reputation points
    2021-11-23T02:44:58.467+00:00

    @Sumarigo-MSFT Thanks for the info. I ended up re-running the commands like you suggested not to do. The MS support person actually wanted me to disable encryption and re-enable. That sounded way worse than just re-applying. He did end up pointing me to the documentation on encrypting additional disks that are added to the VM after the fact, which led me to believe that re-applying the encryption was a harmless procedure.
