|
| 1 | +--- |
| 2 | +title: How to display encryption settings on Azure Linux Virtual Machines |
| 3 | +description: Learn how to visualize encryption settings stamped on a disk or VM after Azure Disk Encryption (ADE) is deployed. |
| 4 | +author: elicorme |
| 5 | +ms.author: elcorral |
| 6 | +ms.date: 01/20/2025 |
| 7 | +ms.reviewer: divargas |
| 8 | +ms.service: azure-virtual-machines |
| 9 | +ms.custom: linux-related-content |
| 10 | +ms.topic: troubleshooting |
| 11 | +ms.collection: linux |
| 12 | +--- |
| 13 | + |
| 14 | +# How to display encryption settings on Azure Linux Virtual Machines |
| 15 | + |
| 16 | +**Applies to:** :heavy_check_mark: Linux VMs |
| 17 | + |
| 18 | +When Azure Disk Encryption (ADE) is enabled on an Azure Linux Virtual Machine (VM), encryption settings are configured at a platform level to either the disk object or the VM object. This guide shows how to visualize these encryption settings after ADE is deployed. |
| 19 | + |
| 20 | +## Prerequisites |
| 21 | + |
| 22 | +- Access to [the Azure portal Resource Explorer](https://portal.azure.com/?feature.customportal=false#view/HubsExtension/ArmExplorerBlade) |
| 23 | +- Access to [Azure web Resource Explorer](https://resources.azure.com/) |
| 24 | + |
| 25 | +## How to identify the ADE extension version |
| 26 | + |
| 27 | +You can identify the ADE version in the Azure portal. To do this, open the properties of the VM, and then select `Extensions` to open the `Extensions` blade. On the `Extensions` blade, view the version number of **AzureDiskEncryptionForLinux**. |
| 28 | + |
| 29 | +- If the version number is `0.*`, the disk uses **dual-pass encryption**. |
| 30 | +- If the version number is `1.*` or a later version, the disk uses **single-pass encryption**. |
| 31 | + |
| 32 | +If ADE single-pass is used, the extension process stamps the encryption settings on the disk object itself. If ADE dual-pass is used, encryption settings are stamped on the VM object. |
| 33 | + |
| 34 | +> [!NOTE] |
| 35 | +> We recommend that you use single-pass encryption instead of dual-pass encryption. |
| 36 | +
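Review bot: The front matter sets `ms.topic: troubleshooting`, but the title and everything that follows are a how-to walkthrough, so please confirm the topic type is intended. In the same region, the Prerequisites list covers only the two Resource Explorer links, while the next section sends the reader to the VM's `Extensions` blade to read the **AzureDiskEncryptionForLinux** version; access to the VM in the portal should be listed as well. The intro sentence "configured at a platform level to either the disk object or the VM object" would read better with the "stamped on" wording used in the paragraph after the version bullets.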
|
| 37 | +## <a id="portal"> </a> Verify ADE encryption settings through Azure portal |
| 38 | + |
| 39 | +1. Log in to your subscription in [the Azure portal](https://portal.azure.com) |
| 40 | +2. Search for "Resource Explorer" on the search bar. |
| 41 | + |
| 42 | + :::image type="content" source="./media/how-to-display-encryption-settings-in-azure-vms/searchresourceexplorerportal.png" alt-text="Portal search bar"::: |
| 43 | + |
| 44 | +3. Select the "Resource Explorer" icon. |
| 45 | +4. Select the subscription that you want to review. |
| 46 | +5. Locate the disk that you want to review by using either by the resource group path or the provider path. |
| 47 | + |
| 48 | + :::image type="content" source="./media/how-to-display-encryption-settings-in-azure-vms/providersrgs.png" alt-text="Provider and resource groups view"::: |
| 49 | + |
| 50 | + :::image type="content" source="./media/how-to-display-encryption-settings-in-azure-vms/compute.jpeg" alt-text="Disk selected"::: |
| 51 | + |
| 52 | +6. After the disk is selected, the corresponding JSON metadata is shown in the right panel. The encryption settings block is enclosed inside the `encryptionSettingsCollection` key. It resembles the following code: |
| 53 | + |
| 54 | + ```json |
| 55 | + "encryptionSettingsCollection": { |
| 56 | + "enabled": true, |
| 57 | + "encryptionSettings": [ |
| 58 | + { |
| 59 | + "diskEncryptionKey": { |
| 60 | + "sourceVault": { |
| 61 | + "id": "/subscriptions/12345678-1234-4321-5678-987654321987/resourceGroups/RGName/providers/Microsoft.KeyVault/vaults/KeyvaultName" |
| 62 | + }, |
| 63 | + "secretUrl": "https://kevaultName.vault.azure.net/secrets/12345678-1234-4321-5678-987654321987/12345678998765432112345678998765" |
| 64 | + }, |
| 65 | + "keyEncryptionKey": { |
| 66 | + "sourceVault": { |
| 67 | + "id": "/subscriptions/12345678-1234-4321-5678-987654321987/resourceGroups/RGName/providers/Microsoft.KeyVault/vaults/KeyvaultName" |
| 68 | + }, |
| 69 | + "keyUrl": "https://kevaultName.vault.azure.net/keys/kek/" |
| 70 | + } |
| 71 | + } |
| 72 | + ], |
| 73 | + "encryptionSettingsVersion": "1.1" |
| 74 | + } |
| 75 | + ``` |
| 76 | + |
| 77 | +- `encryptionSettingsCollection` - This value is set to `True` if the disk has encryption settings stamped. |
| 78 | +- `encryptionSettings` - This value corresponds to the JSON array that contains the encryption settings on a disk. |
| 79 | +- `sourceVault` - This value is the complete URL of the key vault that's used for ADE. |
| 80 | +- `secretUrl` - This value is the complete URL of the secret that's generated during encryption. |
| 81 | +- `keyEncryptionKey` - This value is optional. If you used [Key Encryption Key (KEK)](/azure/virtual-machines/linux/disk-encryption-overview#terminology), the URL of the wrapping key is listed in this section. |
| 82 | +- `encryptionSettingsVersion` - The extension (ADE) version that's used to encrypt the disk. |
| 83 | + - If the version number is `0.*`, the disk uses dual-pass encryption. |
| 84 | + - If the version number is `1.*` or a later version, the disk uses single-pass encryption. |
| 85 | + |
| 86 | +The first version of ADE relied on Microsoft Entra ID for authentication (dual-pass). The current version of ADE doesn't rely on Entra ID (single-pass). We strongly encourage you to use the current version. |
| 87 | + |
| 88 | +If you're already using the dual-pass version of ADE, the encryption settings are shown in the VM component. |
| 89 | + |
| 90 | +## Verify ADE encryption settings through Azure Web Resource Explorer |
| 91 | + |
| 92 | +You can access the web version of Resource Explorer through [this link](https://resources.azure.com). Follow steps 1 through 6 in []"Verify ADE encryption settings through Azure portal"](#portal) to locate the component that ou want to analyze. |
| 93 | + |
| 94 | +## Next steps |
| 95 | + |
| 96 | +For more information, see [the ADE documentation](/azure/virtual-machines/linux/disk-encryption-overview). |
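Review bot: The field list under the JSON sample does not match the sample itself: the `encryptionSettingsCollection` bullet says "This value is set to `True`", but in the sample that key is an object and the boolean is its `enabled` member, which has no bullet of its own. Suggest describing `encryptionSettingsCollection` as the enclosing block and adding an `enabled` entry. In the same list, `sourceVault` is described as "the complete URL of the key vault" while the sample `id` is a resource ID path (`/subscriptions/.../vaults/KeyvaultName`), and the sample URLs spell the host `kevaultName` where the resource IDs use `KeyvaultName`. The section promises settings "on a disk or VM" and states that dual-pass settings "are shown in the VM component", but the steps only locate a disk; a reader on dual-pass has no path to follow. Smaller fixes: the cross-reference in the Web Resource Explorer section is malformed (`[]"Verify ADE encryption settings through Azure portal"](#portal)`) and will not render as a link, "ou want to analyze" is missing a letter, step 5 reads "by using either by the resource group path", and step 1 lacks a closing period.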