I want to create a disk that should be booted as a confidential TDX VM, with --os-disk-security-encryption-type set to NonPersistedTPM:
az disk create \
-n ${DISK_NAME} \
-g ${RESOURCE_GROUP} \
-l ${REGION} \
--os-type Linux \
--upload-type Upload \
--upload-size-bytes ${DISK_SIZE} \
--sku standard_lrs \
--security-type ConfidentialVM_NonPersistedTPM \
--hyper-v-generation V2
This fails with:
az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.
So now I can't start a confidential VM with NonPersistedTPM:
az vm create \
--name ${DISK_NAME} \
--size ${VM_SIZE} \
--resource-group ${RESOURCE_GROUP} \
--attach-os-disk ${DISK_NAME} \
--os-type Linux \
--security-type ConfidentialVM \
--enable-vtpm true \
--enable-secure-boot false \
--os-disk-security-encryption-type NonPersistedTPM
Related command
az disk create
Errors
az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.
Issue script & Debug output
az disk create: 'ConfidentialVM_NonPersistedTPM' is not a valid value for '--security-type'. Allowed values: TrustedLaunch, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithCustomerKey, Standard.
Expected behavior
Disk is created with securityType=ConfidentialVM_NonPersistedTPM
Environment Summary
az --version azure-cli 2.61.0
core 2.61.0 telemetry 1.1.0
Dependencies: msal 1.28.0 azure-mgmt-resource 23.1.1
Python location '/opt/homebrew/Cellar/azure-cli/2.61.0/libexec/bin/python' Extensions directory '/Users/*/.azure/cliextensions'
Python (Darwin) 3.11.9 (main, Apr 2 2024, 08:25:04) [Clang 15.0.0 (clang-1500.3.9.4)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
Issue discussing adding the NonPersistedTPM feature: https://github.com/Azure/azure-cli/issues/27479
PoC patch that fixes the problem locally for me: https://github.com/Azure/azure-sdk-for-python/pull/36161