This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 26%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Here is a workflow:
My question is do we have to decrypt the disk before detaching from the old VM and mounting ot the new VM or is there a way to mount an already encrypted disk (done via ADE and key in Keyvault) to an new VM ?
Thanks
@nithya swaminathan
Thanks for your post! From my experience, you shouldn't have to decrypt the data disk before attaching it to the new VM. However, I've reach out to our Linux ADE experts and will update you as soon as I receive guidance from their end.
Thank you for your time and patience.
Thank you very much. I see that you have tagged the wrong nithya .. my name is nithyaswaminathan-2639 . I look forward to hearing from you.
Thanks
@nithya swaminathan
Thank you for your patience! If you're attaching an encrypted data disk to an unencrypted VM, you can try to set the same encryption settings on the second VM as you did the original VM.
For example A backup is recommended prior to performing any encryption steps on your VM.
VM1:
az vm encryption enable --resource-group "VM1-RG" --name "VM-1" --disk-encryption-keyvault "ADEvault" --volume-type "All"
VM2:
az vm encryption enable --resource-group "VM2-RG" --name "VM-2" --disk-encryption-keyvault "ADEvault" --volume-type "All"
Note:
Our Linux AD SMEs let us know that you might run into issues when doing this since this process for Linux VMs is not supported. However, if you have a backup you should be able to revert back to the last known "good" state.
If you have any other questions, please let me know.
Thank you!
@nithya swaminathan
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?
@nithya swaminathan Just checking in to see if the above answer helped. If this answers your query, please don’t forget to "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
"Our Linux AD SMEs let us know that you might run into issues when doing this since this process for Linux VMs is not supported"
@JamesTran-MSFT I did not understand this information that it is not supported for Linux. Are you saying it will work only for Windows VMs?
I will try your options.. but can you help me understand what you meant by the above statement.
Thanks
The process of:
1)Encrypting a VM with a data disk (volumeType All)
2)Moving that encrypted data disk to a new unencrypted VM
3)Encrypting that new VM with the same encryption settings as the original VM - is currently only supported for Windows VMs.
From what I was told, the reason it's not supported is because on Linux, you have to manually modify /etc/fstab and /etc/crypttab and manually open the drive in cryptsetup luksOpen, just by attaching the disk to the VM is not enough to get it to work. However, on a Windows VM, all you have to do is attach the data disk, assign it a drive letter, and re-run the sequence version encryption script.
I hope this helps to clarify why the process isn't supported.
If you have any other questions or would like to work closer with our support engineers on this process, please let me know.
Thank you for your time and patience.
@JamesTran-MSFT
thank you for the detailed explanation. A note.. i am not encrypting both the OS and the Data disks. I am only encrypting a data disk (a managed storage disk) - VolumeType - DATA. I am encrypting that storage disk (DATA) in the 1st VM. In case the first VM is not responsive.. i am creating a new VM and I am trying to move this storage disk and attach it to the new VM . The OS in both VMs is not encrypted.
So does the same issue exist for Data Disks ? In the 2nd VM , will we still have to manually modify the /etc/fstab and the /etc/crypttab files Or will the ADEDiskEncryptionForlinux Extension that we are using help automount the disks ?
@nithya swaminathan
Thanks for the clarification. Yes, the same issue would exist with both VolumeType -Data or -All, since you're going to be dealing with an encrypted Data Disk in both scenarios.
If you have any other questions, please let me know.
Thank you!
@JamesTran-MSFT - Thank you very much for your clarifications and answers around support for ADE Encryption in Linux VMs.
I would like to take this opportunity to provide feedback regarding the ADE encryption feature in Linux VMs. In cloud computing , VMs can be replaced at any time and the ADE Encryption for disks needs to be idempotent.. that is wherever the disk is being moved , the ADE encryption for Linux extension should take care to mount LUKS disks to the new VM and abstract that away from the users. There is no point in having encryption on a disk that has data and if the VM that hosts the disks has issues, the disk has to be manually attached by the user and opened. This logic has to be taken care by the extension.
In addition, I would like to appreciate you James for prompt response to my questions. That is excellent customer service. Thanks so much
@nithya swaminathan
Thank you for the kind comments and feedback request.
I went ahead and created a feature request for you using what you mentioned above, feel free to add additional comments. Additionally, I have reached out to our Linux ADE SME with this info so that he can hopefully pass this feature request to our ADE PG team.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue!
Thank you @JamesTran-MSFT for creating this feature request!
@JamesTran-MSFT - Could you please share if the requested feature is available for Linux? Thanks.