Cannot enable disk encryption for Data Science Virtual Machine (Ubuntu)

  • Question

  • Hi,

    Following the manual at docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption I tried to enable disk encryption for a Data Science Virtual Machine (Ubuntu) VM.
    However, enabling the encryption fails, although I tried different options:

    > Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName '...' -VMName 'dsvm-..' -AadClientID '...-...' -AadClientSecret '...-...' -DiskEncryptionKeyVaultUrl 'https://....vault.azure.net/' -DiskEncryptionKeyVaultId '/subscriptions/.../providers/Microsoft.KeyVault/vaults/...' -VolumeType 'All' -SkipVmBackup

    Set-AzureRmVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: 'UpdateEncryptionSettings failed.'.'
    ErrorCode: VMExtensionProvisioningError
    ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: 'UpdateEncryptionSettings failed.'.
    StartTime: 28.05.2018 13:47:47
    EndTime: 28.05.2018 13:49:05
    OperationID: ...
    Status: Failed
    In Zeile:1 Zeichen:1
    + Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName '...'  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Set-AzureRmVMDiskEncryptionExtension], ComputeCloudException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand

    > Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName '...' -VMName 'dsvm-...' -AadClientID '...-...' -AadClientSecret '...-...' -DiskEncryptionKeyVaultUrl 'https://....vault.azure.net/' -DiskEncryptionKeyVaultId '/subscriptions/.../providers/Microsoft.KeyVault/vaults/...' -VolumeType 'All' -SkipVmBackup -KeyEncryptionKeyUrl 'https://....vault.azure.net/secrets/...-.../...'

    Set-AzureRmVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing
    extension 'AzureDiskEncryptionForLinux'. Error message: 'UpdateEncryptionSettings failed.'.'
    ErrorCode: VMExtensionProvisioningError
    ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: 'UpdateEncryptionSettings failed.'.
    StartTime: 28.05.2018 13:25:52
    EndTime: 28.05.2018 13:25:59
    OperationID: ...
    Status: Failed
    In Zeile:1 Zeichen:1
    + Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName '...'  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Set-AzureRmVMDiskEncryptionExtension], ComputeCloudException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand

    Did anyone succeed in enabling the disk encryption extension for the DSVM? Any hint is highly appreciated!

    Thanks in advance for your support.

    Kind regards,

    Sebastian

    Monday, June 4, 2018 12:40 PM

All replies

  • Disk encryption may fail due to one of the reasons listed here: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-tsg#troubleshooting-linux-os-disk-encryption

    One thing from that document that may be an issue is "Large applications such as SAP, MongoDB, Apache Cassandra, and Docker are not supported when they are installed and running in the OS prior to encryption. Azure Disk Encryption is unable to safely shut down these processes as required in preparation of the OS drive for disk encryption. If there are still active processes holding open file handles to the OS drive, the OS drive cannot be unmounted, resulting in a failure to encrypt the OS drive. "

    We do have docker on the Linux Data Science VM. Can you try to stop docker manually and then try to enable disk encryption?

    Wednesday, June 6, 2018 9:13 PM
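    An added pre-flight check, not from Microsoft, the ADE extension or the DSVM image, that turns the guide's advice above into something to run on the VM before Set-AzureRmVMDiskEncryptionExtension: it reports the unsupported services that are still running and the processes holding open file handles under a volume, which would keep that volume from being unmounted. The process names, function names and the fake proc tree used for testing are assumptions.

```bash
#!/usr/bin/env bash
# Assumed pre-flight helper (not part of ADE or the DSVM): run on the VM before
# enabling Azure Disk Encryption. Usage: source this file, then `preflight /home /`.
set -u

# Process names for the services the ADE troubleshooting guide lists as
# unsupported while running; assumed names, extend for your image.
UNSUPPORTED_PROCS="dockerd containerd mongod cassandra"

# running_procs "NAMES" "PSLIST": prints the names from NAMES that occur in
# PSLIST, where PSLIST is the output of `ps -eo comm=` (one name per line).
running_procs() {
  local names="$1" pslist="$2" n hit=""
  for n in $names; do
    printf '%s\n' "$pslist" | grep -qx -- "$n" && hit="$hit $n"
  done
  printf '%s' "${hit# }"
}

# open_handles_under MOUNTPOINT [PROCDIR]: prints "PID COMM PATH" for every open
# file descriptor resolving below MOUNTPOINT. PROCDIR defaults to /proc; read
# access to other users' fd links needs root. Unreadable links are skipped.
open_handles_under() {
  local mp="${1%/}" proc="${2:-/proc}" pid fd target comm
  for fd in "$proc"/[0-9]*/fd/*; do
    [ -L "$fd" ] || continue
    target=$(readlink "$fd") || continue
    case "$target" in
      "$mp"/*|"$mp")
        pid=${fd#"$proc"/}; pid=${pid%%/*}
        comm=$(cat "$proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$comm" "$target" ;;
    esac
  done
}

# preflight MOUNTPOINT...: returns 1 if anything would block encrypting them.
preflight() {
  local rc=0 mp running holders
  running=$(running_procs "$UNSUPPORTED_PROCS" "$(ps -eo comm=)")
  if [ -n "$running" ]; then
    echo "WARN: stop before encrypting (e.g. sudo systemctl stop docker): $running"; rc=1
  fi
  for mp in "$@"; do
    holders=$(open_handles_under "$mp")
    if [ -n "$holders" ]; then
      echo "WARN: open handles under $mp would prevent unmount:"; echo "$holders"; rc=1
    else
      echo "OK: no open handles under $mp"
    fi
  done
  return $rc
}
```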
  • Hi,

    Thanks for your hint! Indeed, stopping the Docker daemon seems to help a bit, as the Docker mount points no longer disturb the encryption process, but I still get an error message (see below). Thanks in advance for any other idea.

    Kind regards,

    Sebastian

    [AzureDiskEncryption] 4015: [Info] Executing: /bin/mount /dev/sdc1 /mnt/azure_bek_disk -t vfat
    [AzureDiskEncryption] 4015: [Info] Command /bin/mount /dev/sdc1 /mnt/azure_bek_disk -t vfat failed with return code 32
    stdout:
    stderr:
    mount: /dev/sdc1 is already mounted or /mnt/azure_bek_disk busy
           /dev/sdc1 is already mounted on /mnt/azure_bek_disk
    [AzureDiskEncryption] 4015: [Info] Executing: mountpoint /oldroot
    [AzureDiskEncryption] 4015: [Info] Command mountpoint /oldroot failed with return code 1
    stdout:
    stderr:
    mountpoint: /oldroot: No such file or directory
    [AzureDiskEncryption] 4015: [Info] Executing: /bin/mount -a

    [...]

    [AzureDiskEncryption] 4015: [Info] Command /sbin/cryptsetup luksOpen /dev/disk/by-uuid/c84f... --header /var/lib/azure_disk_encryption_config/azureluksheadera62d... -d /mnt/azure_bek_disk/LinuxPassPhraseFileName -q failed with return code 5
    stdout:

    stderr:
    Cannot use device /dev/disk/by-uuid/c84f09a4... which is in use (already mapped or mounted).

    [AzureDiskEncryption] 4015: [Error] cryptsetup luksOpen failed, return_code is:5
    [AzureDiskEncryption] 4015: [Error] the encrypton for /dev/disk/by-uuid/c84f09a4-f02f-4715-... failed
    [AzureDiskEncryption] 4015: [Error] Failed to encrypt data volumes with error: EnableEncryption: resuming encryption for <bound method OnGoingItemConfig.get_original_dev_path of <OnGoingItemConfig.OnGoingItemConfig object at 0x7fb598026310>> failed, stack trace: Traceback (most recent call last):
      File "/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999322/main/handle.py", line 1530, in daemon_encrypt
        bek_passphrase_file=bek_passphrase_file):
      File "/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999322/main/handle.py", line 1698, in daemon_encrypt_data_volumes
        raise Exception(message)
    Exception: EnableEncryption: resuming encryption for <bound method OnGoingItemConfig.get_original_dev_path of <OnGoingItemConfig.OnGoingItemConfig object at 0x7fb598026310>> failed

    [AzureDiskEncryption] 4015: [Info] Executing: lvs --noheadings --nameprefixes --unquoted -o lv_name,vg_name,lv_kernel_major,lv_kernel_minor
    [AzureDiskEncryption] 4015: [Info] Data volume /home is mounted from /dev/sdd1
    [AzureDiskEncryption] 4015: [Info] exiting daemon

    Thursday, June 7, 2018 3:37 PM