The permissions for the passphrase file, /mnt/azure_bek_disk/LinuxPassPhraseFileName, which is seemingly the same for both the OS and data disks, are 755. I think that this is pretty insecure, since any limited user (non-root, non-superuser) can read the key.

To reproduce:

Deploy a new VM with this template:
https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-full-disk-encrypted-rhel

Once the VM is up, log in with the regular non-root user and run:
```
whoami
stat -c "%a %n" /mnt/azure_bek_disk/LinuxPassPhraseFileName
cat /mnt/azure_bek_disk/LinuxPassPhraseFileName
```
For extra sanity/verification, add a new user, e.g. called "limiteduser":
```
sudo adduser limiteduser
sudo passwd limiteduser
Changing password for user limiteduser.
New password: 123
BAD PASSWORD: The password is shorter than 6 characters
Retype new password: 123
passwd: all authentication tokens updated successfully.
```
Switch to the user and try to read the file again:

```
su - limiteduser
whoami
cat /mnt/azure_bek_disk/LinuxPassPhraseFileName
```
The password is by default still (or again) readable by unprivileged users after creating a server, adding multiple data disks and encrypting the disks using `az vm encryption enable`:

```
ls -l /mnt/azure_bek_disk/LinuxPassPhraseFileName
-r-xr-xr-x 1 root root 172 Feb 11 10:31 /mnt/azure_bek_disk/LinuxPassPhraseFileName
```

On a second server with a similar setup, the permissions were 0644; after I changed them to 0400 and restarted, the permission set was reset to 0555.
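The check carried out by hand in the issue (stat the passphrase file as an unprivileged user) and the 0644/0555 modes reported in the follow-up comment can be turned into a small audit script. The following is an added example, not code from the issue author, the commenter, or Azure: it classifies a file's mode bits and reports whether a key file is readable by anyone other than its owner. It assumes GNU coreutils `stat` (the same tool the issue's own commands use) and is exercised against a constructed temporary file rather than the real /mnt/azure_bek_disk path; the function names and the optional expected-owner argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue): audit a file for group/other read bits,
# the condition reported for /mnt/azure_bek_disk/LinuxPassPhraseFileName.
# Assumes GNU coreutils stat; tested on a constructed temp file, not the real path.

# Octal mode of a file as printed by GNU stat, e.g. 755, 644, 400 (or 0400 with sticky/setuid digits).
file_mode() {
    stat -c '%a' "$1"
}

# True (exit 0) if the "other" permission digit includes read (4, 5, 6 or 7).
# Uses the last octal digit, so 3- and 4-digit modes are both handled.
is_world_readable() {
    wr_mode=$(file_mode "$1") || return 2
    wr_other=$(printf '%s' "$wr_mode" | tail -c 1)
    case "$wr_other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# True (exit 0) if the "group" permission digit includes read.
is_group_readable() {
    gr_mode=$(file_mode "$1") || return 2
    gr_mode=$(printf '%s' "$gr_mode" | tail -c 3)   # drop any leading special-bits digit
    gr_group=$(printf '%s' "$gr_mode" | cut -c2)
    case "$gr_group" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Audit a key file: it should be owned by the expected owner (default root) and
# readable by that owner only. Prints one line per finding; exit 0 only if clean.
#   audit_key_file PATH [EXPECTED_OWNER]
audit_key_file() {
    ak_path=$1
    ak_expected=${2:-root}
    ak_rc=0
    if [ ! -e "$ak_path" ]; then
        echo "MISSING $ak_path"
        return 2
    fi
    ak_owner=$(stat -c '%U' "$ak_path")
    ak_mode=$(file_mode "$ak_path")
    if [ "$ak_owner" != "$ak_expected" ]; then
        echo "WARN $ak_path owned by $ak_owner, expected $ak_expected"
        ak_rc=1
    fi
    if is_world_readable "$ak_path"; then
        echo "FAIL $ak_path mode $ak_mode is world-readable"
        ak_rc=1
    fi
    if is_group_readable "$ak_path"; then
        echo "FAIL $ak_path mode $ak_mode is group-readable"
        ak_rc=1
    fi
    [ "$ak_rc" -eq 0 ] && echo "OK $ak_path mode $ak_mode (owner-only)"
    return "$ak_rc"
}

# Usage on the path from the issue (requires the file to exist):
#   audit_key_file /mnt/azure_bek_disk/LinuxPassPhraseFileName
```

Run it from the unprivileged account as well as from root: a mode such as 755, 644 or 555 fails the audit regardless of who runs it, which is the point the issue makes, and the script also catches the "fixed to 0400, then reset to 0555 on reboot" case from the comment when run again after a restart.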