edit pass: how-to-verify-encryption-status

ShawnJackson · ShawnJackson · commit 12d97b60dd3f · 2020-03-31T17:43:14.000-05:00
diff --git a/articles/virtual-machines/linux/how-to-verify-encryption-status.md b/articles/virtual-machines/linux/how-to-verify-encryption-status.md
@@ -1,6 +1,6 @@
 ---
-title: How to verify encryption status for Linux 
-description: This article provides instructions on verifying the encryption status from platform and OS level.
+title: Verify encryption status for Linux - Azure Disk Encryption
+description: This article provides instructions on verifying the encryption status from the platform and OS level.
 author: kailashmsft
 ms.service: security
 ms.topic: article
@@ -13,79 +13,62 @@ ms.custom: seodec18
 
 
 
-# How to verify encryption status for Linux 
+# Verify encryption status for Linux 
 
-**This scenario applies for ADE dual-pass and single-pass extensions.**  
-This Document scope is to validate the encryption status of a virtual machine using different methods.
+The scope of this article is to validate the encryption status of a virtual machine by using different methods: the Azure portal, PowerShell, the Azure CLI, or the OS of the virtual machine (VM). 
 
-### Environment
+You can validate the encryption status during or after the encryption, by either:
 
-- Linux distributions
+- Checking the disks attached to a particular VM. 
+- Querying the encryption settings on each disk, whether the disk is attached or unattached.
 
-### Procedure
-
-A virtual machine has been encrypted using dual-pass or single-pass.
-
-The encryption status can be validated during or after the encryption using different methods.
+This scenario applies for Azure Disk Encryption dual-pass and single-pass extensions. Linux distributions are the only environment for this scenario.
 
 >[!NOTE] 
->We're using variables throughout the document, replace the values accordingly.
-
-### Verification
-
-The verification can be done from the Portal, PowerShell, AZ CLI and, or from the VM OS side. 
-
-This verification can be done by checking the disks attached to a particular VM. 
-
-Or by querying the encryption settings on each individual disk whether the disk is attached or unattached.
+>We're using variables throughout the article. Replace the values accordingly.
 
-Below the different validations methods:
-
-## Using the Portal
+## Portal
 
 Validate the encryption status by checking the extensions section on the Azure portal.
 
-Inside the **Extensions** section, you'll see the ADE extension listed. 
-
-Click it and take a look at the **status message**, it will indicate the current encryption status:
-
-![Portal check number 1](./media/disk-encryption/verify-encryption-linux/portal-check-001.png)
+In the Azure portal, inside the **Extensions** section, select the Azure Disk Encryption extension in the list. The information for **Status message** indicates the current encryption status:
 
-In the list of extensions, you'll see the corresponding ADE extension version. Version 0.x corresponds to ADE Dual-Pass and version 1.x corresponds to ADE Single-pass.
+![Portal check with status, version, and status message highlighted](./media/disk-encryption/verify-encryption-linux/portal-check-001.png)
 
-You can get further details clicking on the extension and then on *View detailed status*.
+In the list of extensions, you'll see the corresponding Azure Disk Encryption extension version. Version 0.x corresponds to Azure Disk Encryption dual-pass, and version 1.x corresponds to Azure Disk Encryption single-pass.
 
-You'll see a more detailed status of the encryption process in json format:
+You can get more details by selecting the extension and then selecting **View detailed status**. The detailed status of the encryption process appears in JSON format.
 
-![Portal check number 2](./media/disk-encryption/verify-encryption-linux/portal-check-002.png)
+![Portal check with the "View detailed status" link highlighted](./media/disk-encryption/verify-encryption-linux/portal-check-002.png)
 
-![Portal check number 3](./media/disk-encryption/verify-encryption-linux/portal-check-003.png)
+![Detailed status in JSON format](./media/disk-encryption/verify-encryption-linux/portal-check-003.png)
 
-Another way of validating the encryption status is by taking a look at the **Disks** section.
+Another way to validate the encryption status is by looking at the **Disk settings** section.
 
-![Portal check number 4](./media/disk-encryption/verify-encryption-linux/portal-check-004.png)
+![Encryption status for OS disk and data disks](./media/disk-encryption/verify-encryption-linux/portal-check-004.png)
 
 >[!NOTE] 
-> This status means the disks have encryption settings stamped but not that they were actually encrypted at OS level. 
-> By design, the disks get stamped first and encrypted later. 
-> If the encryption process fails, the disks may end up stamped but not encrypted. 
+> This status means the disks have encryption settings stamped but not that they were actually encrypted at the OS level.
+>
+> By design, the disks are stamped first and encrypted later. If the encryption process fails, the disks may end up stamped but not encrypted. 
+>
 > To confirm if the disks are truly encrypted, you can double check the encryption of each disk at OS level.
 
-## Using PowerShell
+## PowerShell
 
-You can validate the **general** encryption status of an encrypted VM using the following PowerShell commands:
+You can validate the *general* encryption status of an encrypted VM by using the following PowerShell commands:
 
 ```azurepowershell
    $VMNAME="VMNAME"
    $RGNAME="RGNAME"
    Get-AzVmDiskEncryptionStatus -ResourceGroupName  ${RGNAME} -VMName ${VMNAME}
 ```
-![check PowerShell 1](./media/disk-encryption/verify-encryption-linux/verify-status-ps-01.png)
+![General encryption status in PowerShell](./media/disk-encryption/verify-encryption-linux/verify-status-ps-01.png)
 
-You can capture the encryption settings from each individual disk using the following PowerShell commands:
+You can capture the encryption settings from each disk by using the following PowerShell commands.
 
-### Single-Pass
-If single-pass, the encryption settings are stamp on each of the disks (OS and Data), you can capture the OS disk encryption settings in single pass as follows:
+### Single pass
+In a single pass, the encryption settings are stamped on each of the disks (OS and data). You can capture the encryption settings for an OS disk in a single pass, as follows:
 
 ``` powershell
 $RGNAME = "RGNAME"
@@ -103,13 +86,13 @@ $VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME}
  Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
  Write-Host "============================================================================================================================================================="
 ```
-![Verify OS Single pass 01](./media/disk-encryption/verify-encryption-linux/verify-os-single-ps-001.png)
+![Encryption settings for an OS disk](./media/disk-encryption/verify-encryption-linux/verify-os-single-ps-001.png)
 
-If the disk doesn't have encryption settings stamped, the output will be empty as shown below:
+If the disk doesn't have encryption settings stamped, the output will be empty:
 
-![OS Encryption settings 2](./media/disk-encryption/verify-encryption-linux/os-encryption-settings-2.png)
+![Empty output](./media/disk-encryption/verify-encryption-linux/os-encryption-settings-2.png)
 
-Capture Data disk(s) encryption settings:
+Use the following commands to capture encryption settings for data disks:
 
 ```azurepowershell
 $RGNAME = "RGNAME"
@@ -130,12 +113,12 @@ $VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME}
  Write-Host "============================================================================================================================================================="
  }
 ```
-![Verify data single ps 001](./media/disk-encryption/verify-encryption-linux/verify-data-single-ps-001.png)
+![Encryption settings for data disks](./media/disk-encryption/verify-encryption-linux/verify-data-single-ps-001.png)
 
-### Dual-Pass
-In Dual Pass, the encryption settings are stamped in the VM model and not on each individual disk.
+### Dual pass
+In a dual pass, the encryption settings are stamped in the VM model and not on each individual disk.
 
-To verify the encryption settings were stamped in dual-pass, you can use the following commands:
+To verify that the encryption settings were stamped in a dual pass, use the following commands:
 
 ```azurepowershell
 $RGNAME = "RGNAME"
@@ -154,7 +137,7 @@ Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSett
 Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
 Write-Host "============================================================================================================================================================="
 ```
-![Verify dual pass PowerShell  1](./media/disk-encryption/verify-encryption-linux/verify-dual-ps-001.png)
+![Encyption settings in a dual pass](./media/disk-encryption/verify-encryption-linux/verify-dual-ps-001.png)
 
 ### Unattached disks
 
@@ -173,19 +156,19 @@ Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSett
 Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
 Write-Host "============================================================================================================================================================="
 ```
-## Using AZ CLI
+## Azure CLI
 
-You can validate the **general** encryption status of an encrypted VM using the following AZ CLI commands:
+You can validate the *general* encryption status of an encrypted VM by using the following Azure CLI commands:
 
 ```bash
 VMNAME="VMNAME"
 RGNAME="RGNAME"
 az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} --query "substatus"
 ```
-![Verify general using CLI ](./media/disk-encryption/verify-encryption-linux/verify-gen-cli.png)
+![General encryption status from the Azure CLI ](./media/disk-encryption/verify-encryption-linux/verify-gen-cli.png)
 
-### Single Pass
-You can validate the encryption settings from each individual disk using the following AZ CLI commands:
+### Single pass
+You can validate the encryption settings from each individual disk by using the following Azure CLI commands:
 
 ```bash
 az vm encryption show -g ${RGNAME} -n ${VMNAME} --query "disks[*].[name, statuses[*].displayStatus]"  -o table
@@ -194,12 +177,11 @@ az vm encryption show -g ${RGNAME} -n ${VMNAME} --query "disks[*].[name, statuse
 ![Data encryption settings](./media/disk-encryption/verify-encryption-linux/data-encryption-settings-2.png)
 
 >[!IMPORTANT]
-> In case the disk does not have encryption settings stamped, it will be shown as 
-  "Disk is  not encrypted"
+> If the disk doesn't have encryption settings stamped, you'll see the message "Disk is not encrypted."
 
-Detailed Status and Encryption settings:
+Use the following commands to get detailed status and encryption settings.
 
-OS Disk:
+OS disk:
 
 ```bash
 RGNAME="RGNAME"
@@ -217,9 +199,9 @@ echo "==========================================================================
 done
 ```
 
-![OSSingleCLI](./media/disk-encryption/verify-encryption-linux/os-single-cli.png)
+![Detailed status and encryption settings for the OS disk](./media/disk-encryption/verify-encryption-linux/os-single-cli.png)
 
-Data Disks:
+Data disks:
 
 ```bash
 RGNAME="RGNAME"
@@ -237,15 +219,15 @@ echo "==========================================================================
 done
 ```
 
-![Data single CLI ](./media/disk-encryption/verify-encryption-linux/data-single-cli.png)
+![Detailed status and encryption settings for the data disks](./media/disk-encryption/verify-encryption-linux/data-single-cli.png)
 
-### Dual Pass
+### Dual pass
 
 ``` bash
 az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} -o table
 ```
 
-![Verify general dual using CLI ](./media/disk-encryption/verify-encryption-linux/verify-gen-dual-cli.png)
+![General encryption settings for dual pass via the Azure CLI](./media/disk-encryption/verify-encryption-linux/verify-gen-dual-cli.png)
 You can also check the Encryption settings on the VM Model Storage profile of the OS disk:
 
 ```bash
@@ -261,7 +243,7 @@ echo "==========================================================================
 done
 ```
 
-![Verify vm profile dual using CLI ](./media/disk-encryption/verify-encryption-linux/verify-vm-profile-dual-cli.png)
+![VM profile for dual pass via the Azure CLI](./media/disk-encryption/verify-encryption-linux/verify-vm-profile-dual-cli.png)
 
 ### Unattached disks
 
@@ -286,10 +268,10 @@ Unmanaged disks are VHD files that are stored as page blobs in Azure storage acc
 
 To get the details of a specific disk, you need to provide:
 
-The ID of the storage account that contains the disk.
-A connection string for that particular storage account.
-The name of the container that stores the disk.
-The disk name.
+- The ID of the storage account that contains the disk.
+- A connection string for that particular storage account.
+- The name of the container that stores the disk.
+- The disk name.
 
 This command lists all the IDs for all your storage accounts:
 
@@ -304,65 +286,58 @@ Select the appropriate ID and store it on a variable:
 ```bash
 id="/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>"
 ```
-The connection string.
 
 This command gets the connection string for one particular storage account and stores it on a variable:
 
 ```bash
 ConnectionString=$(az storage account show-connection-string --ids $id --query connectionString -o tsv)
 ```
 
-The container name.
-
 The following command lists all the containers under a storage account:
 ```bash
 az storage container list --connection-string $ConnectionString --query [].[name] -o tsv
 ```
-The container used for disks is normally named "vhds"
+The container used for disks is normally named "vhds."
 
-Store the container name on a variable 
+Store the container name on a variable: 
 ```bash
 ContainerName="name of the container"
 ```
 
-The disk name.
-
-Use this command to list all the blobs on a particular container
+Use this command to list all the blobs on a particular container:
 ```bash 
 az storage blob list -c ${ContainerName} --connection-string $ConnectionString --query [].[name] -o tsv
 ```
-Choose the disk you want to query and store its name on a variable.
+Choose the disk you want to query and store its name on a variable:
 ```bash
 DiskName="diskname.vhd"
 ```
-Query the disk encryption settings
+Query the disk encryption settings:
 ```bash
 az storage blob show -c ${ContainerName} --connection-string ${ConnectionString} -n ${DiskName} --query metadata.DiskEncryptionSettings
 ```
 
-## From the OS
-Validate if the data disk partitions are encrypted (and the OS disk isn't)
+## Operating system
+Validate if the data disk partitions are encrypted (and the OS disk isn't).
 
-When a partition/disk is encrypted it's displayed as **crypt** type, when it's not encrypted it's displayed as **part/disk** type
+When a partition or disk is encrypted, it's displayed as a **crypt** type. When it's not encrypted, it's displayed as a **part/disk** type.
 
 ``` bash
 lsblk
 ```
 
-![Os Crypt layer ](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer.png)
-
-You can get further details using the following "lsblk" variant. 
+![OS crypt layer for a partition](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer.png)
 
-You'll see a **crypt** type layer that is mounted by the extension.
+You can get more details using the following **lsblk** variant. 
 
-The following example shows Logical Volumes and normal disks having a "**crypto\_LUKS FSTYPE**".
+You'll see a **crypt** type layer that is mounted by the extension. The following example shows logical volumes and normal disks having **crypto\_LUKS FSTYPE**.
 
 ```bash
 lsblk -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT
 ```
-![Os Crypt layer 2](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer-2.png)
+![OS crypt layer for logial volumes and normal disks](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer-2.png)
 
-As an extra step, you can also validate if the data disk has any keys loaded
+As an extra step, you can validate if the data disk has any keys loaded:
 
 ``` bash
 cryptsetup luksDump /dev/VGNAME/LVNAME
@@ -372,12 +347,12 @@ cryptsetup luksDump /dev/VGNAME/LVNAME
 cryptsetup luksDump /dev/sdd1
 ```
 
-And which dm devices are listed as crypt
+And you can check which **dm** devices are listed as **crypt**:
 
 ```bash
 dmsetup ls --target crypt
 ```
 
-## Next Steps
+## Next steps
 
 - [Azure Disk Encryption troubleshooting](disk-encryption-troubleshooting.md)
