1
votes

I have a 16.04-LTS Ubuntu Virtual Machine in my Azure account and I am trying Azure Disk Encryption for this virtual machine making use of this Azure CLI sample script. On running the encryption script, the Azure portal shows its OS disk is encrypted. There is Enabled under the Encryption header.

However, the Azure REST API (api link) for getting information about the virtual machine does not return the encryptionSettings under properties.storageProfile.osDisk. I tried both Model View and Model View and Instance View for the api-version 2017-03-30 as well as 2017-12-01. Here is the partial response from the API:

{
    "name": "ubuntu",
    "properties": {
        "osProfile": {},
        "networkProfile": {},
        "storageProfile": {
            "imageReference": {
                "sku": "16.04-LTS",
                "publisher": "Canonical",
                "version": "latest",
                "offer": "UbuntuServer"
            },
            "osDisk": {
                "name": "ubuntu-OsDisk",
                "diskSizeGB": 30,
                "managedDisk": {
                    "storageAccountType": "Premium_LRS",
                    "id": "..."
                },
                "caching": "ReadWrite",
                "createOption": "FromImage",
                "osType": "Linux"
            },
            "dataDisks": []
        },
        "diagnosticsProfile": {},
        "vmId": "",
        "hardwareProfile": {
            "vmSize": "Standard_B1s"
        },
        "provisioningState": "Succeeded"
    },
    "location": "eastus",
    "type": "Microsoft.Compute/virtualMachines",
    "id": ""
}

But for my other encrypted windows virtual machine, I get the correct response which contains encryptionSettings in properties.storageProfile.osDisk:

{
    "name": "win1",
    "properties": {
        "osProfile": {},
        "networkProfile": {},
        "storageProfile": {
            "imageReference": {
                "sku": "2016-Datacenter-smalldisk",
                "publisher": "MicrosoftWindowsServer",
                "version": "latest",
                "offer": "WindowsServer"
            },
            "osDisk": {
                "name": "win1_OsDisk_1",
                "diskSizeGB": 31,
                "managedDisk": {
                    "storageAccountType": "Premium_LRS",
                    "id": "..."
                },
                "encryptionSettings": {
                    "diskEncryptionKey": {
                        "secretUrl": "...",
                        "sourceVault": {
                            "id": "..."
                        }
                    },
                    "keyEncryptionKey": {
                        "keyUrl": "...",
                        "sourceVault": {
                            "id": "..."
                        }
                    },
                    "enabled": true
                },
                "caching": "ReadWrite",
                "createOption": "FromImage",
                "osType": "Windows"
            },
            "dataDisks": []
        },
        "diagnosticsProfile": {},
        "vmId": "...",
        "hardwareProfile": {
            "vmSize": "Standard_B1s"
        },
        "provisioningState": "Succeeded"
    },
    "location": "eastus",
    "type": "Microsoft.Compute/virtualMachines",
    "id": "..."
}

Why is the Virtual Machine Get API not returning the encryptionSettings for some VMs? Any help would be greatly appreciated.

Encryption completed in about 3 minutes. It has already been over an hour after the encryption. – Santosh Ghimire

No, that's not how it works ;) You should check the extension state, it will tell you encryption is in progress. – 4c74356b41

You mean, if the provisioning for the extension AzureDiskEncryptionForLinux is Succeeded, I should consider it as encrypted? – Santosh Ghimire

No, that only provisioned the extension; after that it starts encrypting the VM. Use this: Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName to get the status. – 4c74356b41

I am using Azure CLI to check the encryption status: az vm encryption show --resource-group $rgname --name $vmName --query [osDisk] -o tsv and it shows EncryptionInProgress. – Santosh Ghimire

2 Answers

0
votes

I created the VM using the following command.

az vm create \
    --resource-group shuivm \
    --name shuivm \
    --image Canonical:UbuntuServer:16.04-LTS:latest \
    --admin-username azureuser \
    --generate-ssh-keys

When I used the following API, I could get the encryption settings.

https://management.azure.com/subscriptions/**********/resourceGroups/shuivm/providers/Microsoft.Compute/virtualMachines/shuivm?api-version=2017-03-30


Note: Once the OS is encrypted successfully, I could use the API to get the encryption settings.

0
votes

This is because there are two types of at-rest disk encryption for Azure VMs and they are not reported in the same part of the Azure Management API:

  • Server-Side Encryption: this is what you see in the encryptionSettings section of the VM/compute API when you get a VM's details. It will show whether you are encrypting with a customer-managed key or a platform-managed key.
  • ADE: Azure Disk Encryption is actually a VM extension, so you can find it in the VM Extension API instead.

see: https://docs.microsoft.com/en-us/rest/api/compute/virtualmachineextensions/list
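The thread's conclusion (the comments and both answers) is that a missing encryptionSettings block does not mean "not encrypted": while ADE is still running, the state lives in the extension, and encryptionSettings only appears on the osDisk once encryption has finished. The following added example (not code from the question or the answers) classifies a VM from the two REST responses discussed here. The response shapes assumed are those of the VM GET and the virtualMachineExtensions/list call; the extension publisher/type values are the documented ADE identifiers, and the sample JSON is constructed, trimmed from the responses quoted above.

```python
# ADE ships as a VM extension with this publisher; the Linux type is the one named in the comments,
# the other is the Windows variant (documented ADE identifiers, not values from this thread).
ADE_PUBLISHER = "Microsoft.Azure.Security"
ADE_TYPES = {"AzureDiskEncryptionForLinux", "AzureDiskEncryption"}


def ade_extensions(extensions_json):
    """Pick the ADE extension(s) out of a virtualMachineExtensions/list response ({'value': [...]})."""
    found = []
    for ext in extensions_json.get("value", []):
        props = ext.get("properties", {})
        if props.get("publisher") == ADE_PUBLISHER and props.get("type") in ADE_TYPES:
            found.append({"name": ext.get("name"), "provisioningState": props.get("provisioningState")})
    return found


def ade_status(vm_json, extensions_json):
    """Classify the OS disk's ADE state from a VM GET response plus the extension list.

    'Encrypted'            -> osDisk.encryptionSettings.enabled is true (the Windows VM in the question)
    'EncryptionInProgress' -> no encryptionSettings yet, but the ADE extension is on the VM (the Ubuntu VM)
    'NotEncrypted'         -> neither signal present
    """
    os_disk = vm_json.get("properties", {}).get("storageProfile", {}).get("osDisk", {})
    settings = os_disk.get("encryptionSettings") or {}
    if settings.get("enabled") is True:
        return "Encrypted"
    if ade_extensions(extensions_json):
        return "EncryptionInProgress"
    return "NotEncrypted"


# Constructed samples, trimmed from the responses quoted in the question.
UBUNTU_VM = {"name": "ubuntu", "properties": {"storageProfile": {"osDisk": {
    "name": "ubuntu-OsDisk", "osType": "Linux"}}}}
UBUNTU_EXTENSIONS = {"value": [{"name": "AzureDiskEncryptionForLinux", "properties": {
    "publisher": ADE_PUBLISHER, "type": "AzureDiskEncryptionForLinux",
    "provisioningState": "Succeeded"}}]}
WIN_VM = {"name": "win1", "properties": {"storageProfile": {"osDisk": {
    "name": "win1_OsDisk_1", "osType": "Windows", "encryptionSettings": {
        "diskEncryptionKey": {"secretUrl": "...", "sourceVault": {"id": "..."}},
        "enabled": True}}}}}

if __name__ == "__main__":
    print("ubuntu:", ade_status(UBUNTU_VM, UBUNTU_EXTENSIONS))   # EncryptionInProgress
    print("win1:  ", ade_status(WIN_VM, {"value": []}))          # Encrypted
```

The same logic is what `az vm encryption show` reports as EncryptionInProgress in the comments: extension provisioned, settings not yet written back to the osDisk.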