Encrypt Linux machine in Azure

LuckyPhantom 1 Reputation point
2022-01-02T13:47:08.583+00:00

Good evening everyone.
We need to encrypt Linux machines running in Azure (all of them CentOS). Some of them are B1ls/B1s type instances, and all of them have only an OS drive. Due to the prerequisites described in the article https://video2.skills-academy.com/en-us/azure/virtual-machines/linux/disk-encryption-overview it looks like machines should have at least 8 GB of RAM, depending on root file system usage, and the dm-crypt and vfat modules installed. The question is: if we have B1ls/B1s instances, does it mean that we should first change the instance types to ones which have at least 8 GB of RAM? Then we should encrypt and can revert to B1ls/B1s? Is that correct?
Thanks.


4 answers

  1. Sumarigo-MSFT 46,126 Reputation points Microsoft Employee
    2022-01-05T15:28:26.41+00:00

    @LuckyPhantom Adding more information to the above response! Yes, you can encrypt (once the VM is encrypted, we can resize to a lower-RAM size).

    Minimum memory:

    • 2 GB for Linux VMs when only encrypting data volumes
    • 8 GB for Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is 4 GB or less
    • The root file system usage * 2 for Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is greater than 4 GB

    XFS: Encryption of XFS data disks is supported only when the EncryptFormatAll parameter is used. This will reformat the volume, erasing any data previously there. For more information, see the EncryptFormatAll criteria.
    Operating systems: ADE is supported on a subset of the Azure-endorsed Linux distributions, which is itself a subset of all possible Linux server distributions.

    For more information, refer to the articles below:
    https://video2.skills-academy.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
    https://video2.skills-academy.com/en-us/azure/virtual-machines/linux/disk-encryption-faq

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to “accept answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.

  2. Ravi Kanth Koppala 3,231 Reputation points Microsoft Employee
    2022-01-03T00:33:40.753+00:00

    @LuckyPhantom ,
    I tried to replicate your case, created a B1s instance with 4 GB RAM, and I am able to encrypt my OS and data SSD LRS disks. Are you getting any errors while encrypting your disks?



  3. LuckyPhantom 1 Reputation point
    2022-01-05T08:27:41.86+00:00

    @RaviKanth-5629,
    Thank you for the investigation. Does it mean that it's not necessary to have at least 8 GB of RAM as described in the article? We also have one production Linux machine with only 2 GB of RAM (B1ms). Can we just encrypt it without changing the instance type as well?


  4. Sumarigo-MSFT 46,126 Reputation points Microsoft Employee
    2022-01-21T09:19:23.037+00:00

    @LuckyPhantom Apologies for the delayed response! Can you please share the serial console logs?

    Also, a screenshot of the error message?

    This error can be caused either by folders being too large for the VM RAM to handle or by files being locked because they are in use. This server was already in use and running software when you tried to encrypt it.

    Provided guidelines on how to encrypt the VMs successfully:
    As described in the article https://video2.skills-academy.com/en-us/azure/virtual-machines/linux/disk-encryption-linux, the VMs which are going to be encrypted need to be considered as unavailable.

    For successful disk encryption, the following steps should be followed:

    1. Make sure that the VM has enough RAM (minimum 7 GB) and also enough space on the OS disk.
    2. Make sure that the application is stopped before the encryption process is started, and also make sure that the application remains stopped after a reboot, as the ADE process will reboot the VM.
    3. Make sure that the VM is not accessed by any means, be it SSH, WinSCP or any other tool.
    4. Make sure that there is no extension installed on the VM.
    5. Make sure that no server hardening is done on the VM which is going to be encrypted.
       You can also encrypt using PowerShell:
       # Create a resource group (skip if it already exists)
       New-AzResourceGroup -Name "ADE-CentOS" -Location "EastUS"

       # Create a virtual machine: skip, as you already created the VM
       $cred = Get-Credential
       New-AzVM -Name CentOS -Credential $cred -ResourceGroupName ADE-CentOS -Image OpenLogic:CentOS:7_9:7.9.2021020400 -Size Standard_D4S_V3

       # Create a Key Vault configured for encryption keys: skip if you already created the Key Vault
       New-AzKeyVault -Name ade-keyvault-jstrom -ResourceGroupName ADE-CentOS -Location EastUS -EnabledForDiskEncryption

       # Encrypt the virtual machine (the resource group must be the one that holds the VM)
       $KeyVault = Get-AzKeyVault -VaultName ade-keyvault-jstrom -ResourceGroupName ADE-CentOS
       Set-AzVMDiskEncryptionExtension -ResourceGroupName ADE-CentOS -VMName CentOS -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -SkipVmBackup -VolumeType OS

       # To review the encryption status run:
       Get-AzVMDiskEncryptionStatus -ResourceGroupName ADE-CentOS -VMName CentOS


    Azure Disk Encryption for Linux VMs troubleshooting guide: https://video2.skills-academy.com/en-us/azure/virtual-machines/linux/disk-encryption-troubleshooting

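As an added pre-flight check that is not part of this thread or of Microsoft's tooling, the POSIX shell script below applies the memory rule quoted in the first answer (8 GB of RAM when root usage is at most 4 GB, otherwise twice the root usage) to the VM's live /proc/meminfo and df figures and checks that the dm_crypt and vfat kernel modules can be loaded, covering both that list and the guidelines in this answer. Rounding both values up to whole GB is my assumption, chosen so that the check errs on the side of requiring more memory.

```shell
#!/bin/sh
# Added ADE pre-flight check for a CentOS VM (example, not Microsoft's tooling).
# Rule quoted in the thread: OS-volume encryption needs 8 GB RAM when root (/)
# usage is <= 4 GB, otherwise 2 x root usage; dm-crypt and vfat must be loadable.

# required_ram_gb ROOT_USED_GB -> prints the minimum RAM in GB for OS-volume encryption
required_ram_gb() {
    if [ "$1" -le 4 ]; then
        echo 8
    else
        echo $(( $1 * 2 ))
    fi
}

# ram_ok TOTAL_RAM_GB ROOT_USED_GB -> exit 0 if the VM meets the rule
ram_ok() {
    need=$(required_ram_gb "$2")
    [ "$1" -ge "$need" ]
}

# module_available NAME -> exit 0 if modprobe can resolve the module (dry run, nothing is loaded)
module_available() {
    command -v modprobe >/dev/null 2>&1 || return 1
    modprobe -n "$1" >/dev/null 2>&1
}

# preflight: read live values from this VM and report what to do before running ADE
preflight() {
    total_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    total_gb=$(( (total_kb + 1048575) / 1048576 ))     # assumption: round up to nominal VM size
    used_kb=$(df -kP / | awk 'NR==2 {print $3}')        # -P keeps the row on one line
    used_gb=$(( (used_kb + 1048575) / 1048576 ))        # assumption: round up (conservative)
    need=$(required_ram_gb "$used_gb")
    printf 'root usage: %s GB, RAM: %s GB, required: %s GB -> ' "$used_gb" "$total_gb" "$need"
    if ram_ok "$total_gb" "$used_gb"; then
        echo "OK"
    else
        echo "resize the VM to at least ${need} GB before encrypting"
    fi
    for m in dm_crypt vfat; do
        if module_available "$m"; then
            echo "module $m: available"
        else
            echo "module $m: MISSING (or modprobe not found)"
        fi
    done
}

# Only touch the live system when invoked as: sh ade-preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Run it on the VM before encryption and again after any resize; the required figure is the nominal size to pick when changing instance type.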
