This post is part of a series; for the series contents see:
For the code listed in this post, please see:
In my last post I encrypted my Windows “mgmt-vm” successfully and thought I’d then done the same with my Linux “firewall-vm”. Well it turns out that was a bit of an alternative fact.
The PowerShell ran successfully to encrypt the firewall-vm, so I thought it had done the job, but when I checked back later I was presented with this:
Digging a bit deeper and looking at the VM extension logs I came up with this:
So why did that happen?
Well, it turns out that the Set-AzureRmVMDiskEncryptionExtension cmdlet only supports encrypting Linux data disks; OS disks aren’t supported. For Windows VMs there is no such restriction. For more details see this Microsoft document and search for the section on the -VolumeType switch.
Working Example – Finding a Target VM
It would be good to have a working example of a Linux VM with disk encryption, and whilst my firewall-vm doesn’t have a data disk, my web-vm does, so it’s the obvious choice of test subject.
However, talking about the web-vm reminded me that it was conspicuously missing from the list of VMs in my Security Center alert about disk encryption:
There’s a reason for its absence that has also been highlighted by Security Center:
web-vm doesn’t have the VM agent enabled, which Security Center needs in order to assess it.
Note that the same alert for the firewall-vm is resolved, hence Security Center is able to give other recommendations, such as disk encryption, for that one.
Working Example – Enable the VM Agent on Linux
Enabling the agent was nothing more than a yum install and then a command to enable the agent:
sudo yum install python-pyasn1 WALinuxAgent
sudo systemctl enable waagent
I got the steps from this article, and confirmed the results in the portal by checking web-vm’s extensions:
In Security Center itself, the VM agent issue also then showed as resolved:
Working Example – Encrypt a Linux Data Disk
With my VM agent installed, next up I needed to run the PowerShell command to encrypt the data volume on web-vm. To run the code I needed to dig out the output of the Microsoft encryption script from my last post.
#Setup my variables
#Most of the values came from
#the output of the Microsoft Encryption script
$vmName = "web-vm"
$resourceGroupName = "dmz-rg"
$aadClientID = "<your_client_id>"
$aadClientSecret = "<your_key>"
$diskEncryptionKeyVaultUrl = "https://lab-vault.vault.azure.net/"
$keyVaultResourceId = "<your_vault_resource_id>"

#Now use those variables to encrypt web-vm's data disk
Set-AzureRmVMDiskEncryptionExtension `
    -ResourceGroupName $resourceGroupName `
    -VMName $vmName `
    -VolumeType Data `
    -AadClientID $aadClientID `
    -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $keyVaultResourceId
I’ve removed most of my details from the code above so just plug in whatever your own values were from the Microsoft encryption script.
The key switch is -VolumeType Data, which instructs the cmdlet to focus purely on the data disk, as that’s all we can do with Linux:
This time I stopped and checked the status, before I got ahead of myself, and the result was success:
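Pulling the lessons from this post together, here is an added example (my own wrapper, not code from the post or from Microsoft) that checks the VM agent is reporting, confirms a Linux VM actually has a data disk, picks -VolumeType Data for Linux, and then reads back the encryption status instead of trusting a clean cmdlet exit. It assumes the AzureRM modules are loaded, Login-AzureRmAccount has run, and the function name Invoke-CheckedDiskEncryption is mine.

```powershell
# Added example: guarded wrapper around Set-AzureRmVMDiskEncryptionExtension.
# Assumes AzureRM modules are loaded and Login-AzureRmAccount has already run.
function Invoke-CheckedDiskEncryption {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$AadClientID,
        [Parameter(Mandatory)][string]$AadClientSecret,
        [Parameter(Mandatory)][string]$DiskEncryptionKeyVaultUrl,
        [Parameter(Mandatory)][string]$DiskEncryptionKeyVaultId
    )

    # The instance view (-Status) carries the guest agent details that
    # Security Center depends on; no agent means no recommendations.
    $view = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -Status
    if (-not $view.VMAgent -or -not $view.VMAgent.VmAgentVersion) {
        throw "$VMName has no reporting VM agent; install and enable waagent first"
    }

    $model     = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $osType    = $model.StorageProfile.OsDisk.OsType
    $dataDisks = @($model.StorageProfile.DataDisks)

    if ($osType -eq 'Linux') {
        # The extension only encrypted the data disk on my Linux VM,
        # so refuse to run against a Linux VM that has nothing to encrypt.
        if ($dataDisks.Count -eq 0) {
            throw "$VMName is Linux with no data disk; -VolumeType Data would do nothing"
        }
        $volumeType = 'Data'
    } else {
        $volumeType = 'All'   # the cmdlet's default: OS and data disks
    }
    Write-Host "Encrypting $VMName ($osType) with -VolumeType $volumeType"

    Set-AzureRmVMDiskEncryptionExtension `
        -ResourceGroupName $ResourceGroupName `
        -VMName $VMName `
        -VolumeType $volumeType `
        -AadClientID $AadClientID `
        -AadClientSecret $AadClientSecret `
        -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $DiskEncryptionKeyVaultId `
        -Force

    # Read the status back: a successful cmdlet run is not proof of encryption.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    Write-Host "OS volume: $($status.OsVolumeEncrypted)  Data volumes: $($status.DataVolumesEncrypted)"
    return $status
}
```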
So that’s that!