Encryption secrets sometimes do not appear in Key Vault as secrets when Azure Disk Encryption is enabled for a Linux VM

Divit SANJAY KARMIANI 1 Reputation point

We are trying to encrypt some Linux VMs using Azure Disk Encryption. We use the following command, as we want the temporary disks to be encrypted as well, and we use a KEK (Key Encryption Key) too.

az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --key-encryption-key "MyKEK" --volume-type "data" --encrypt-format-all

Reference : https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux#:~:text=Azure%20Disk%20Encryption%20for%20Linux,when%20using%20the%20EncryptFormatAll%20feature

We saw that the KEK wraps the encryption secrets (the passphrase, I guess, for Linux) before they are written to Key Vault.
Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/disk-encryption-key-vault#set-up-a-key-encryption-key-kek

But there is something unusual happening. Sometimes, for some VMs, after encryption is done, we don't see any secrets in the key vault where the KEK is stored, whereas in other cases they are shown. I don't know what I am missing.

I have provided some images to confirm the same.
[Image: Secrets being shown]

[Image: Secrets not shown]

Note: I have given all the possible permissions to both key vaults and enabled them for Azure Disk Encryption as well.

Also, we want to do ADE with Terraform as well. Will that affect anything? Will the secrets be stored in the key vault?


1 answer

  1. Sumarigo-MSFT 43,406 Reputation points Microsoft Employee

    @Divit SANJAY KARMIANI Would you please query the encryption settings of the disk that is being encrypted, in order to see if they got stamped? Please use this:

    # Fetch the managed disk; replace RGNAME and TARGETDISKNAME with the resource group and disk name
    $Sourcedisk = Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName ${TARGETDISKNAME}
    Write-Host "============================================================================================================================================================="
    Write-Host "Encryption Settings:"
    Write-Host "============================================================================================================================================================="
    # ADE stamps these settings on the disk: whether encryption is enabled, the settings version,
    # the vault holding the secret, the secret URL, and (if a KEK was used) the key URL that wraps it
    Write-Host "Enabled:" $Sourcedisk.EncryptionSettingsCollection.Enabled
    Write-Host "Version:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettingsVersion
    Write-Host "Source Vault:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SourceVault.Id
    Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl
    Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
    Write-Host "============================================================================================================================================================="
    The secrets should be stored in the Key Vault as you are expecting. We would need to check whether, for some reason, the secret is not being created. Are you able to consistently reproduce this?

    I wish to engage with you offline for a closer look and provide quick and specialized assistance. Please send an email with the subject line "Attn:subm" to AzCommunity[at]Microsoft[dot]com, referencing this thread and the Azure subscription ID, and I will follow up with you. Once again, apologies for any inconvenience with this issue.

    Thanks for your patience and co-operation.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
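As an added check that goes one step further than the snippet in the answer (this is example code, not from the thread or from Microsoft), the following PowerShell script reads the encryption settings stamped on every disk attached to the VM, then confirms that the secret each disk points at actually exists in the named vault and reports whether a KEK URL is recorded. It assumes the Az PowerShell modules are installed, the session is already logged in with read access to the VM, disks and vault secrets, and the resource group and VM name are supplied by the caller.

```powershell
# Added example: verify ADE secrets referenced by a VM's disks really exist in Key Vault.
# Assumption: $ResourceGroupName and $VMName are supplied by the caller; Az modules are loaded.
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][string]$VMName
)

# High-level ADE status as reported by the VM extension
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
Write-Host "OS volume encrypted:    $($status.OsVolumeEncrypted)"
Write-Host "Data volumes encrypted: $($status.DataVolumesEncrypted)"

# Collect the OS disk plus every attached data disk
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$diskNames = @($vm.StorageProfile.OsDisk.Name) + @($vm.StorageProfile.DataDisks | ForEach-Object { $_.Name })

foreach ($diskName in $diskNames) {
    $disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $diskName
    $settings = $disk.EncryptionSettingsCollection
    if (-not $settings -or -not $settings.Enabled) {
        Write-Warning "$diskName : no ADE encryption settings stamped on this disk"
        continue
    }
    foreach ($s in $settings.EncryptionSettings) {
        $secretUrl = $s.DiskEncryptionKey.SecretUrl
        $kekUrl    = $s.KeyEncryptionKey.KeyUrl
        # Secret URL shape: https://<vault>.vault.azure.net/secrets/<name>/<version>
        $u          = [uri]$secretUrl
        $vaultName  = $u.Host.Split('.')[0]
        $parts      = $u.AbsolutePath.Trim('/').Split('/')
        $lookup     = @{ VaultName = $vaultName; Name = $parts[1] }
        if ($parts.Length -gt 2) { $lookup.Version = $parts[2] }
        try {
            $secret = Get-AzKeyVaultSecret @lookup -ErrorAction Stop
            Write-Host "$diskName : secret '$($lookup.Name)' present in vault '$vaultName' (enabled=$($secret.Enabled))"
            # ADE tags the secret with details of how it was produced; list them for comparison with the KEK URL
            if ($secret.Tags) { $secret.Tags.GetEnumerator() | ForEach-Object { Write-Host "    tag $($_.Key) = $($_.Value)" } }
        } catch {
            Write-Warning "$diskName : secret '$($lookup.Name)' NOT found in vault '$vaultName' ($($_.Exception.Message))"
        }
        if ($kekUrl) { Write-Host "$diskName : secret wrapped with KEK $kekUrl" }
        else         { Write-Warning "$diskName : no KEK URL stamped; secret is stored unwrapped" }
    }
}
```

A disk whose settings are stamped but whose secret lookup fails narrows the problem to the vault side (the secret was never written, or the identity listing the vault cannot read it), while a disk with no stamped settings points at the ADE extension run itself.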