Pastaba.
Prieigai prie šio puslapio reikalingas įgaliojimas. Galite bandyti prisijungti arba pakeisti katalogus.
Prieigai prie šio puslapio reikalingas įgaliojimas. Galite bandyti pakeisti katalogus.
Important
Azure Disk Encryption is scheduled for retirement on September 15, 2028. Until that date, you can continue to use Azure Disk Encryption without disruption. On September 15, 2028, ADE-enabled workloads will continue to run, but encrypted disks will fail to unlock after VM reboots, resulting in service disruption.
Use encryption at host for new VMs, or consider Confidential VM sizes with OS disk encryption for confidential computing workloads. All ADE-enabled VMs (including backups) must migrate to encryption at host before the retirement date to avoid service disruption. See Migrate from Azure Disk Encryption to encryption at host for details.
Caution
This article references CentOS, a Linux distribution that is end-of-life (EOL) status. Consider your use and plan accordingly. For more information, see the CentOS end-of-life guidance.
Applies to: ✔️ Linux VMs ✔️ Flexible scale sets.
When a firewall, proxy requirement, or network security group (NSG) settings restrict connectivity, the extension might not complete required tasks. This disruption can result in status messages such as "Extension status not available on the VM."
Package management
Azure Disk Encryption depends on many components, which are typically installed as part of ADE enablement if not already present. When the VM is behind a firewall or otherwise isolated from the internet, preinstall these packages or make them available locally.
Here are the packages necessary for each distribution. For a full list of supported distros and volume types, see supported VMs and operating systems.
- Ubuntu 14.04, 16.04, 18.04: lsscsi, psmisc, at, cryptsetup-bin, python-parted, python-six, procps, grub-pc-bin
- CentOS 7.2 - 7.9, 8.1, 8.2: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup, cryptsetup-reencrypt, pyparted, procps-ng, util-linux
- CentOS 6.8: lsscsi, psmisc, lvm2, uuid, at, cryptsetup-reencrypt, parted, python-six
- RedHat 7.2 - 7.9, 8.1, 8.2: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup, cryptsetup-reencrypt, procps-ng, util-linux
- RedHat 6.8: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup-reencrypt
- openSUSE 42.3, SLES 12-SP4, 12-SP3: lsscsi, cryptsetup
On Red Hat, when a proxy is required, verify that subscription-manager and yum are set up properly. For more information, see How to troubleshoot subscription-manager and yum problems.
When you install packages manually, manually upgrade them as new versions are released.
Network security groups
Any network security group settings that you apply must still allow the endpoint to meet the documented network configuration prerequisites for disk encryption. See Azure Disk Encryption: Networking requirements
Azure Disk Encryption with Microsoft Entra ID (previous version)
If using Azure Disk Encryption with Microsoft Entra ID (previous version), the Microsoft Authentication Library must be installed manually for all distros (in addition to the packages appropriate for the distro).
When you enable encryption with Microsoft Entra credentials, the target VM must allow connectivity to both Microsoft Entra endpoints and key vault endpoints. Microsoft maintains current Microsoft Entra authentication endpoints in sections 56 and 59 of the Microsoft 365 URLs and IP address ranges documentation. Key Vault instructions are provided in Access Azure Key Vault behind a firewall.
Azure Instance Metadata Service
The virtual machine must access the Azure Instance Metadata service endpoint, which uses a well-known nonroutable IP address (169.254.169.254) that you can access only from within the VM. Proxy configurations that alter local HTTP traffic to this address (for example, adding an X-Forwarded-For header) aren't supported.
Next steps
- See more steps for Azure Disk Encryption troubleshooting
- Azure data encryption at rest