Question

LuckyPhantom-7602 asked:

Encrypt Linux machine in Azure

Good evening everyone.
We need to encrypt Linux machines running in Azure (all of them CentOS). Some of them are B1ls/B1s type instances, and all of them have only an OS drive. Due to the prerequisites described in the article https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview, it looks like the machines should have at least 8 GB of RAM, depending on root file system usage, and the dm-crypt and vfat modules installed. The question is: if we have B1ls/B1s instances, does it mean that we should first change the instance types to ones which have at least 8 GB of RAM, then encrypt, and then revert to B1ls/B1s? Is that correct?
Thanks.

azure-disk-encryption

ravikanthk answered:

@LuckyPhantom-7602,
I tried to replicate your case: I created a B1s instance with 4 GB RAM, and I am able to encrypt my OS and data SSD LRS disks. Are you getting any errors while encrypting your disks?

[Screenshots attached: disk-encryption.png, vm-size.png]

LuckyPhantom-7602 answered:

@RaviKanth-5629,
Thank you for the investigation. Does it mean that it's not necessary to have at least 8 GB of RAM as described in the article? We also have one production Linux machine with only 2 GB of RAM (B1ms). Can we just encrypt it without changing the instance type as well?


SumanthMarigowda-MSFT answered (1 vote):

@LuckyPhantom-7602 Adding more information to the above response! Yes, you can encrypt (once the VM is encrypted, we can resize to a lower RAM size).

Minimum memory:
- 2 GB for Linux VMs when only encrypting data volumes
- 8 GB for Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is 4 GB or less
- The root file system usage * 2 for Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is greater than 4 GB

XFS: Encryption of XFS data disks is supported only when the EncryptFormatAll parameter is used. This will reformat the volume, erasing any data previously there. For more information, see the EncryptFormatAll criteria.

Operating systems: ADE is supported on a subset of the Azure-endorsed Linux distributions, which is itself a subset of all possible Linux server distributions.

For more information, refer to the articles below:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-faq

Please let us know if you have any further queries. I’m happy to assist you further.


@Sumarigo-MSFT, thanks for the answer.
We changed the VM size to B2ms and started the encryption from the Azure portal. I see that the extension "AzureDiskEncryptionForLinux" is installed, but the encryption process fails (umount: /oldroot: target is busy | Could not unmount /oldroot in 10 attempts). The image is CentOS 7.9 and has some applications already installed. Could you clarify whether it is possible to overcome this error? Or should encryption be done only on a newly installed machine, without any additional software?
SumanthMarigowda-MSFT answered:

@LuckyPhantom-7602 Apologies for the delayed response! Can you please share the serial console logs?

Also screenshot of the error message?

This error can be caused either by folders being too large for the VM RAM to handle or by files being locked because they are in use. This server was already in use and running software when you tried to encrypt it.

Guidelines on how to encrypt the VMs successfully:
As described in the article https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux, the VMs which are going to be encrypted need to be considered unavailable.

For successful disk encryption, the following steps should be followed:


  1. Make sure that the VM has enough RAM (minimum 7 GB) and also enough space in the OS disk.

  2. Make sure that the application is stopped before the encryption process is started, and also make sure that the application remains stopped after a reboot, as the ADE process will reboot the VM.

  3. Make sure that the VM is not accessed by any means, be it SSH, WinSCP or any other tools.

  4. Make sure that there is no extension installed on the VM.

  5. Make sure that no server hardening has been done on the VM which is going to be encrypted.

       You can also encrypt using PowerShell:

         # Create the resource group (skip if it already exists)
         New-AzResourceGroup -Name "ADE-CentOS" -Location "EastUS"

         # Create a virtual machine: skip, as you have already created the VM
         $cred = Get-Credential
         New-AzVM -Name CentOS -Credential $cred -ResourceGroupName ADE-CentOS -Image OpenLogic:CentOS:7_9:7.9.2021020400 -Size Standard_D4S_V3

         # Create a Key Vault configured for encryption keys: skip if you have already created the Key Vault
         New-AzKeyVault -Name ade-keyvault-jstrom -ResourceGroupName ADE-CentOS -Location EastUS -EnabledForDiskEncryption

         # Encrypt the virtual machine (OS volume only; the same resource group as above)
         $KeyVault = Get-AzKeyVault -VaultName ade-keyvault-jstrom -ResourceGroupName ADE-CentOS
         Set-AzVMDiskEncryptionExtension -ResourceGroupName ADE-CentOS -VMName CentOS -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -SkipVmBackup -VolumeType OS

         # Review the encryption status
         Get-AzVMDiskEncryptionStatus -ResourceGroupName ADE-CentOS -VMName CentOS


Azure Disk Encryption for Linux VMs troubleshooting guide: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-troubleshooting

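A pre-flight script that applies the memory rule from the first MSFT answer (2 GB data-only, 8 GB for OS volumes when / uses 4 GB or less, otherwise twice the root usage), checks the dm-crypt and vfat modules named in the question, and lists running services to stop before encrypting, as the last answer advises. This is an added example written for this thread, not code from the thread or from the ADE extension; it assumes a CentOS-style VM with /proc/meminfo, df, modinfo and systemctl, and the function names are this example's own.

```shell
#!/bin/sh
# Added pre-flight check for Azure Disk Encryption (ADE) on a Linux VM.
# Illustration code for this thread, not part of the ADE extension. RAM rule
# as stated in the thread: 2 GB when only data volumes are encrypted, 8 GB for
# OS volumes when / uses 4 GB or less, otherwise twice the root usage.
# Function names are this example's own assumptions.

# ade_min_ram_gb VOLUME_TYPE ROOT_USED_GB -> prints the minimum RAM in GB.
# VOLUME_TYPE is "data" (data volumes only) or "os" (OS, or OS and data).
ade_min_ram_gb() {
    vol=$1; used=$2
    if [ "$vol" = "data" ]; then echo 2; return 0; fi
    if [ "$used" -le 4 ]; then echo 8; else echo $((used * 2)); fi
}

# ade_ram_ok VOLUME_TYPE ROOT_USED_GB TOTAL_RAM_GB -> succeeds if RAM suffices.
ade_ram_ok() {
    need=$(ade_min_ram_gb "$1" "$2")
    [ "$3" -ge "$need" ]
}

# Live checks, meaningful only on the VM itself (sh ade-preflight.sh --run).
ade_preflight() {
    # MemTotal is a little below the nominal VM size, so round to nearest GB.
    ram_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    ram_gb=$(( (ram_kb + 524288) / 1048576 ))
    used_kb=$(df -kP / | awk 'NR == 2 {print $3}')
    used_gb=$(( (used_kb + 1048575) / 1048576 ))   # round up to whole GB
    rc=0
    if ! ade_ram_ok os "$used_gb" "$ram_gb"; then
        echo "RAM ${ram_gb} GB is below the $(ade_min_ram_gb os "$used_gb") GB needed when / uses ${used_gb} GB"
        rc=1
    fi
    # The overview article lists dm-crypt and vfat as required kernel modules.
    for m in dm_crypt vfat; do
        modinfo "$m" >/dev/null 2>&1 || { echo "kernel module $m not available"; rc=1; }
    done
    # Running services keep files open on /, so ADE cannot unmount /oldroot
    # (the "target is busy" failure); stop application services first.
    echo "Running services to review before encrypting:"
    systemctl list-units --type=service --state=running --no-legend 2>/dev/null | awk '{print "  " $1}'
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    ade_preflight
fi
```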