AzureDiskEncryptionForLinux fails #383

Closed
anniehedgpeth opened this issue May 18, 2017 · 7 comments

@anniehedgpeth

anniehedgpeth commented May 18, 2017

VM:
Linux / Ubuntu 16.04
Standard DS2 v2 (2 cores, 7 GB memory)

I tried to encrypt through the CLI with this command:

~ az vm encryption enable --aad-client-id <aad-client-id> --disk-encryption-keyvault <my-key-vault-name> --name <vm-name> --resource-group <my-rg-name> --aad-client-secret <aad-client-secret> --key-encryption-key https://<my-key-vault-name>.vault.azure.net/ --volume-type ALL

I received this error in the terminal:

VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: "Enable failed.".

And this detailed status in the Portal:

[
    {
        "code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/failed/13",
        "level": "Error",
        "displayStatus": "Provisioning failed",
        "message": "{\"os\": \"NotEncrypted\", \"data\": \"NotMounted\"}"
    }
]

However, when I ran the Powershell command to encrypt the VM, the encryption was successful:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName <myRGName> -VMName <myVmName> -AadClientID <clientID> -AadClientSecret <aadClientSecret> -DiskEncryptionKeyVaultUrl https://<myVaultName>.vault.azure.net/ -DiskEncryptionKeyVaultId /subscriptions/<mySub>/resourceGroups/<vaultRG>/providers/Microsoft.KeyVault/vaults/<myKeyVaultName>

Could this be an error with the CLI's execution of the AzureDiskEncryptionForLinux extension?

This issue appears to be different than #334 but still an issue with AzureDiskEncryptionForLinux.

@m00ki3

m00ki3 commented Sep 12, 2017

I'm getting the same error.

Here are the logs from the target VM (Ubuntu 16.04.3 LTS) from /var/log/azure/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/0.1.0.999297/CommandExecution.log

2017/09/12 20:55:53.073750 INFO [Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297] Target handler state: enabled
2017/09/12 20:55:53.076852 INFO [Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297] [Enable] current handler state is: notinstalled
2017/09/12 20:55:53.123675 INFO [Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297] Initialize extension directory
2017/09/12 20:55:53.126644 INFO [Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297] Update settings file: 0.settings
2017/09/12 20:55:53.129427 INFO [Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297] Install extension [main/handle.py -install]
2017/09/12 20:56:12.154695 INFO [Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297] Enable extension [main/handle.py -enable]

@jesquivel91

Did you find a fix for this?

@lauxtermann-aram

Can anyone from Azure please reply to this issue, because this is a major problem.

@lauxtermann-aram

I spoke to Microsoft support, please read this:

@m00ki3

m00ki3 commented Jan 27, 2018

I was running Neo4J, guess those were the os handles that prevented it...it should have killed those processes itself IMO though.

@jesquivel91

What happened to me is that I didn't meet this

"Minimum memory requirements are not met (7 GB is suggested for OS disk encryption)."

@ejarvi ejarvi self-assigned this Mar 29, 2018
@ejarvi
Collaborator

ejarvi commented Mar 29, 2018

I think this thread has been resolved already but to add some additional information prior to closing, the values of the key vault parameters being provided to the az vm encryption enable command must be provided in the correct format. Specifically:

The proper syntax for the value of disk-encryption-keyvault parameter is the full identifier string:
/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]

The proper syntax for the value of the key-encryption-key parameter is the full URI to the KEK as in:
https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]

The other follow-up comments are also accurate with respect to other prerequisite requirements that exist for Linux VMs. Some additional background detail on this is in the troubleshooting guide here:

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-tsg#troubleshooting-linux-os-disk-encryption
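
A pre-flight check for the two parameter formats described in the comment above, as an added example that is not from this thread or from the Azure CLI project. The function names are hypothetical, all sample values are constructed, and the check assumes the KEK is stored in the same vault that is passed as the disk-encryption key vault.

```sh
#!/bin/sh
# Added example, not code from the issue thread or the Azure CLI project.
# Validates the two Key Vault arguments against the formats given in the
# comment above before `az vm encryption enable` is run.
# Function names and all sample values are constructed for illustration.

# --disk-encryption-keyvault must be the vault's full resource ID.
is_keyvault_resource_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[A-Za-z0-9-]+$'
}

# --key-encryption-key must be the full key URI: vault host, key name, version.
# Only the vault.azure.net host suffix shown on this page is accepted.
is_kek_uri() {
  printf '%s\n' "$1" | grep -Eq \
    '^https://[A-Za-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[A-Za-z0-9]+$'
}

# Vault name taken from either accepted form (resource ID or key URI).
vault_name_of() {
  case "$1" in
    https://*) printf '%s\n' "$1" | sed -E 's#^https://([^./]+)\..*#\1#' ;;
    *)         printf '%s\n' "${1##*/}" ;;
  esac
}

# Returns 0 if both values are usable, 1 for a malformed vault ID, 2 for a
# malformed KEK URI, 3 if the KEK is in a different vault (assumption: the
# same vault holds both the disk-encryption secret and the KEK).
check_ade_keyvault_args() {
  is_keyvault_resource_id "$1" || { echo "bad --disk-encryption-keyvault: $1" >&2; return 1; }
  is_kek_uri "$2" || { echo "bad --key-encryption-key: $2" >&2; return 2; }
  v1=$(vault_name_of "$1" | tr '[:upper:]' '[:lower:]')
  v2=$(vault_name_of "$2" | tr '[:upper:]' '[:lower:]')
  [ "$v1" = "$v2" ] || { echo "KEK vault '$v2' differs from '$v1'" >&2; return 3; }
}

# Usage (constructed values):
#   check_ade_keyvault_args "$VAULT_ID" "$KEK_URI" && az vm encryption enable ...
```

A bare vault name or a vault base URL such as `https://<my-key-vault-name>.vault.azure.net/` is rejected by these checks with return codes 1 and 2 respectively.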
