Azure VM with secure boot running Ubuntu Linux 22.04 cannot mount xfs partitions after Azure Disk Encryption configured

Gary Mansell 111 Reputation points

Hi, If I create an Ubuntu 22.04 VM with secure boot enabled, add a couple of disks and format them - one with ext4 and the other xfs filesystem - they mount fine after reboot. If I then apply Azure Disk Encryption to "ALL" disks (with the format option required for xfs disks) and wait for it to complete successfully:

Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType "all" -EncryptFormatAll -skipVmBackup

User's image

When I try and mount it manually, I get this error: User's image

When I then try and load the xfs kernel module manually, I get this error: User's image

It seems to be (as the VM has Secure Boot enabled) - that the kernel does not like the signature on the xfs kernel module anymore (it is signed though): User's image

Why has this occurred (the xfs module signature was fine before the ADE was done) and how do I fix it? Gary

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
6,794 questions
Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
153 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. deherman-MSFT 31,991 Reputation points Microsoft Employee

    @Gary Mansell
    I understand that you are formatting some disks attached to a Secure Boot enabled VM then running Set-AzVMDiskEncryptionExtension with the EncryptFormatAll option to apply Azure Disk Encryption. Afterwords you are attempting to mount the disks again but getting the above error. Please let me know if I am missing something.

    When you use the EncryptFormatAll option the data and the filesystem on the disks will be deleted. If you are attempting to recover data from disks where this option has been run that will not be possible, you will need to restore the data from a backup. I hope that is not the case and your data is okay. Please read through the details here and let me know if there are any more questions.

    If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts. If the answer has been helpful, we appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community. Thank you for helping to improve Microsoft Q&A! User's image

  2. deherman-MSFT 31,991 Reputation points Microsoft Employee

    @Gary MansellOur service team is still looking into this. After the issue you should be able to fix this by reinstalling the kernel modules.

    apt install --reinstall linux-modules-6.2.0-1019-azure

  3. Gary Mansell 111 Reputation points

    @deherman-MSFT Thanks - I can confirm that re-installing the kernel modules package does then allow the encrypted xfs partition to be mounted. For some reason - the same process that I followed previously, of building a fresh Ubuntu server VM with ext4 and xfs data disks and then selecting to encrypt both OS+Data disks, caused the VM to get corrupted when I tried it this time (so there has been some regression in this encryption extension). In the end I had to build the VM and encrypt the OS and then add the data disks and change to encrypt OS+Data disks afterwards to get the machine built and all disks encrypted. It seems to me that Linux disk encryption is pretty flaky and not really suitable for production if things like this happen that prevent mounting partitions...

    0 comments No comments