Azure / azure-linux-extensions

Linux Virtual Machine Extensions for Azure
Apache License 2.0

ADE: discrepancy when reporting the disks encryption status #678

Open johanburati opened 6 years ago

johanburati commented 6 years ago

We encrypted the OS and data disks on an Ubuntu VM a few days ago.

We can see a discrepancy in the data disk encryption status depending on the tool used to query it.

AzureDiskEncryptionForLinux version is 1.1.0.17

OS and data disks are encrypted:

root@testencrypt12:~# lsblk
NAME                                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sdd                                        8:48   0    30G  0 disk
└─sdd1                                     8:49   0    30G  0 part
  └─4aa3a0e6-f951-4469-b4cd-d875f0ac4454 253:2    0    30G  0 crypt /datadrive
sdb                                        8:16   0    14G  0 disk
└─sdb1                                     8:17   0    14G  0 part
  └─554e2186-59a8-4f4d-9239-f06cfbd3a17c 253:1    0    14G  0 crypt /mnt/resource
sdc                                        8:32   0    48M  0 disk
└─sdc1                                     8:33   0    47M  0 part
sda                                        8:0    0    30G  0 disk
├─sda2                                     8:2    0 254.1M  0 part  /boot
└─sda1                                     8:1    0  29.8G  0 part
  └─osencrypt                            253:0    0  29.8G  0 crypt /

PowerShell reports the data disk status correctly:

PS Azure:\> Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName rg2 -VMName testencrypt12

OsVolumeEncrypted          : Encrypted
DataVolumesEncrypted       : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : Provisioning succeeded

The encryption on the data disk shows as Not enabled in the Azure Portal:

[Screenshot of the Azure Portal disk encryption status omitted]

az cli reports the data disk as "Disk is not encrypted", although the substatus reports it as Encrypted:

$ az vm encryption show --resource-group rg2 --name testencrypt12
[ -- cut --]
      "name": "testencrypt12_OsDisk_1_a68b55546fc8dcd0673705c7b47b6b47",
      "statuses": [
        {
          "code": "EncryptionState/encrypted",
          "displayStatus": "Encryption is enabled on disk",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    },
    {
      "encryptionSettings": null,
      "name": "datadisk1",
      "statuses": [
        {
          "code": "EncryptionState/notEncrypted",
          "displayStatus": "Disk is not encrypted",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    }
  ],
  "status": [
    {
      "code": "ProvisioningState/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "",
      "time": null
    }
  ],
  "substatus": [
    {
      "code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "{\"os\": \"Encrypted\", \"data\": \"Encrypted\"}",
      "time": null
    }
  ]
}
jwgrenier commented 4 years ago

@johanburati Did you ever find an answer as to why this discrepancy was occurring? I am having the same issue, except both my disks are reported as not encrypted by the Azure Portal and Azure CLI, while PowerShell, the Azure Disk Encryption extension logs and file system examination show that encryption succeeded.

johanburati commented 4 years ago

@jwgrenier No, I did not find any answer. It seems the only reliable way to get the status is to check directly on the VM.
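The CLI output in the first post and the closing remark that the VM itself is the only reliable source both point at the same defensive check: reconcile what the control plane says per disk with what the extension reports and with what the kernel actually has mapped. The following is an added example, not code from the azure-linux-extensions project or from either commenter. It parses a constructed copy of the `az vm encryption show` output above (the top-level `disks` key is assumed, because the issue's output is cut off above it, and treating a disk as the OS disk when its name contains `OsDisk` is a naming heuristic, not a documented rule) together with a constructed `lsblk -J` rendering of the `lsblk` table, then flags any disk whose per-disk `EncryptionState` contradicts the extension's `substatus` message and lists mountpoints that sit on a plain partition rather than a dm-crypt mapping.

```python
"""Reconcile Azure Disk Encryption (ADE) status reports: the per-disk statuses and
extension substatus from `az vm encryption show`, and `lsblk -J` from the VM itself.
Added example, not code from the azure-linux-extensions project."""
import json

# Constructed sample modelled on the issue's `az vm encryption show` output.
# Assumption: the top-level key holding per-disk entries is "disks" (cut off in the issue).
AZ_ENCRYPTION_SHOW = json.loads(r'''
{"disks": [
   {"encryptionSettings": null, "name": "testencrypt12_OsDisk_1_a68b55546fc8dcd0673705c7b47b6b47",
    "statuses": [{"code": "EncryptionState/encrypted", "displayStatus": "Encryption is enabled on disk",
                  "level": "Info", "message": null, "time": null}]},
   {"encryptionSettings": null, "name": "datadisk1",
    "statuses": [{"code": "EncryptionState/notEncrypted", "displayStatus": "Disk is not encrypted",
                  "level": "Info", "message": null, "time": null}]}],
 "status": [{"code": "ProvisioningState/succeeded", "displayStatus": "Provisioning succeeded",
             "level": "Info", "message": "", "time": null}],
 "substatus": [{"code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/succeeded",
                "displayStatus": "Provisioning succeeded", "level": "Info",
                "message": "{\"os\": \"Encrypted\", \"data\": \"Encrypted\"}", "time": null}]}
''')

# Constructed sample modelled on the issue's `lsblk` table, as `lsblk -J` would print it.
LSBLK_JSON = json.loads('''
{"blockdevices": [
  {"name": "sdd", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdd1", "type": "part", "mountpoint": null, "children": [
      {"name": "4aa3a0e6-f951-4469-b4cd-d875f0ac4454", "type": "crypt", "mountpoint": "/datadrive"}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": null, "children": [
      {"name": "554e2186-59a8-4f4d-9239-f06cfbd3a17c", "type": "crypt", "mountpoint": "/mnt/resource"}]}]},
  {"name": "sdc", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdc1", "type": "part", "mountpoint": null}]},
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda2", "type": "part", "mountpoint": "/boot"},
    {"name": "sda1", "type": "part", "mountpoint": null, "children": [
      {"name": "osencrypt", "type": "crypt", "mountpoint": "/"}]}]}]}
''')


def cli_disk_states(report):
    """Map each disk name to Encrypted / NotEncrypted / Unknown from its own statuses."""
    states = {}
    for disk in report.get("disks", []):
        codes = {s.get("code") for s in disk.get("statuses", [])}
        if "EncryptionState/encrypted" in codes:
            states[disk["name"]] = "Encrypted"
        elif "EncryptionState/notEncrypted" in codes:
            states[disk["name"]] = "NotEncrypted"
        else:
            states[disk["name"]] = "Unknown"
    return states


def extension_substatus(report):
    """Return the ADE extension's message, which is JSON embedded in a JSON string."""
    for sub in report.get("substatus", []):
        if "AzureDiskEncryptionForLinux" in (sub.get("code") or ""):
            try:
                return json.loads(sub.get("message") or "{}")
            except json.JSONDecodeError:
                return {}
    return {}


def cli_discrepancies(report):
    """List disks whose per-disk status contradicts the extension substatus."""
    sub = extension_substatus(report)
    findings = []
    for name, state in cli_disk_states(report).items():
        role = "os" if "OsDisk" in name else "data"  # assumption: OS disk naming heuristic
        claimed = sub.get(role)
        if claimed and claimed != state:
            findings.append(f"{name}: per-disk status {state}, substatus {role}={claimed}")
    return findings


def mounted_filesystems(lsblk):
    """Map mountpoint -> True when the mounted device is a dm-crypt mapping."""
    result = {}

    def walk(node):
        # util-linux >= 2.37 emits "mountpoints" (a list); older releases emit "mountpoint".
        mps = [m for m in (node.get("mountpoints") or []) if m]
        mp = node.get("mountpoint") or (mps[0] if mps else None)
        if mp:
            result[mp] = node.get("type") == "crypt"
        for child in node.get("children", []):
            walk(child)

    for dev in lsblk.get("blockdevices", []):
        walk(dev)
    return result


def unencrypted_mounts(lsblk):
    """Mountpoints backed by a plain device; /boot is expected to appear here under ADE."""
    return sorted(mp for mp, enc in mounted_filesystems(lsblk).items() if not enc)


if __name__ == "__main__":
    for line in cli_discrepancies(AZ_ENCRYPTION_SHOW):
        print("CLI discrepancy:", line)
    print("Plaintext mounts on VM:", unencrypted_mounts(LSBLK_JSON))
```

Feed the first half the output of `az vm encryption show --resource-group <rg> --name <vm> -o json` and the second half the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` run on the VM. On the sample data the only CLI finding is `datadisk1` (per-disk status NotEncrypted while the substatus says data=Encrypted), which is exactly the discrepancy in this issue, and the only plaintext mountpoint is `/boot`, which ADE leaves unencrypted by design; the kernel's view of the mapped device is the tie-breaker when the control-plane reports disagree.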