articles/virtual-machines/linux/disk-encryption-faq.yml
1 addition & 1 deletion
@@ -73,7 +73,7 @@ sections:
Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the temporary disk, using a customer-managed key.
- If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption.
- If your requirements include encrypting only data at rest with customer-managed key, then use [Server-side encryption with customer-managed keys](../disk-encryption.md). You cannot encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer-managed keys.
-
- If your Linux distro is not listed under [supported operating systems for Azure Disk Encryption](disk-encryption-overview.md#supported-operating-systems) or you are using a scenario called out in the [unsupported scenarios for Windows](disk-encryption-linux.md#unsupported-scenarios), consider [Server-side encryption with customer-managed keys](../disk-encryption.md).
+
- If your Linux distro is not listed under [supported operating systems for Azure Disk Encryption](disk-encryption-overview.md#supported-operating-systems) or you are using a scenario called out in the [restrictions](disk-encryption-linux.md#restrictions), consider [Server-side encryption with customer-managed keys](../disk-encryption.md).
- If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default. For managed disks, the content inside storage is encrypted by default with Server-side encryption with platform-managed key. The key is managed by the Azure Storage service.
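Review bot: the new link target `disk-encryption-linux.md#restrictions` resolves only because the companion hunk in disk-encryption-linux.md introduces a `## Restrictions` heading; the two files must ship together, and any later rewording of that heading will silently break this FAQ entry, so run a link check (or grep for `#restrictions`) before merge. The wording fix itself is correct: the old text pointed a Linux reader at "unsupported scenarios for Windows". Minor: "customer-managed key" and "customer-managed keys" are both used in this block; pick one.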
articles/virtual-machines/linux/disk-encryption-linux.md
38 additions & 36 deletions
@@ -19,19 +19,51 @@ Azure Disk Encryption for Linux virtual machines (VMs) uses the DM-Crypt feature
Azure Disk Encryption is [integrated with Azure Key Vault](disk-encryption-key-vault.md) to help you control and manage the disk encryption keys and secrets. For an overview of the service, see [Azure Disk Encryption for Linux VMs](disk-encryption-overview.md).
+
## Prerequisites
+
You can only apply disk encryption to virtual machines of [supported VM sizes and operating systems](disk-encryption-overview.md#supported-vms-and-operating-systems). You must also meet the following prerequisites:
-[Additional requirements for VMs](disk-encryption-overview.md#supported-vms-and-operating-systems)
In all cases, you should [take a snapshot](snapshot-copy-managed-disk.md) and/or create a backup before disks are encrypted. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. Once a backup is made, you can use the [Set-AzVMDiskEncryptionExtension cmdlet](/powershell/module/az.compute/set-azvmdiskencryptionextension) to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see the [Azure Backup](../../backup/backup-azure-vms-encryption.md) article.
+
In all cases, you should [take a snapshot](snapshot-copy-managed-disk.md) and/or create a backup before disks are encrypted. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. Once a backup is made, you can use the [Set-AzVMDiskEncryptionExtension cmdlet](/powershell/module/az.compute/set-azvmdiskencryptionextension) to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see the [Azure Backup](../../backup/backup-azure-vms-encryption.md) article.
-
>[!WARNING]
-
> - If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue use this option to encrypt your VM. See [Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-overview-aad.md) for details.
-
>
-
> - When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend to avoid SSH logins while the encryption is in progress to avoid issues blocking any open files that will need to be accessed during the encryption process. To check progress, use the [Get-AzVMDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) PowerShell cmdlet or the [vm encryption show](/cli/azure/vm/encryption#az-vm-encryption-show) CLI command. This process can be expected to take a few hours for a 30GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time will be proportional to the size and quantity of the data volumes unless the encrypt format all option is used.
-
> - Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted.
+
## Restrictions
+
+
If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue use this option to encrypt your VM. See [Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-overview-aad.md) for details.
+
+
When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend to avoid SSH logins while the encryption is in progress to avoid issues blocking any open files that will need to be accessed during the encryption process. To check progress, use the [Get-AzVMDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) PowerShell cmdlet or the [vm encryption show](/cli/azure/vm/encryption#az-vm-encryption-show) CLI command. This process can be expected to take a few hours for a 30GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time will be proportional to the size and quantity of the data volumes unless the encrypt format all option is used.
+
+
Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted.
+
+
Azure Disk Encryption does not work for the following Linux scenarios, features, and technology:
+
+
- Encrypting basic tier VM or VMs created through the classic VM creation method.
+
- Disabling encryption on an OS drive or data drive of a Linux VM when the OS drive is encrypted.
+
- Encrypting the OS drive for Linux Virtual Machine Scale Sets.
+
- Encrypting custom images on Linux VMs.
+
- Integration with an on-premises key management system.
+
- Azure Files (shared file system).
+
- Network File System (NFS).
+
- Dynamic volumes.
+
- Ephemeral OS disks.
+
- Encryption of shared/distributed file systems like (but not limited to): DFS, GFS, DRDB, and CephFS.
+
- Moving an encrypted VM to another subscription or region.
+
- Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs.
+
- Kernel Crash Dump (kdump).
+
- Oracle ACFS (ASM Cluster File System).
+
- NVMe disks such as those on [High performance computing VM sizes](../sizes-hpc.md) or [Storage optimized VM sizes](../sizes-storage.md).
+
- A VM with "nested mount points"; that is, multiple mount points in a single path (such as "/1stmountpoint/data/2stmountpoint").
+
- A VM with a data drive mounted on top of an OS folder.
+
- A VM on which a root (OS disk) logical volume has been extended using a data disk.
+
- M-series VMs with Write Accelerator disks.
+
- Applying ADE to a VM that has disks encrypted with [Encryption at Host](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data) or [server-side encryption with customer-managed keys](../disk-encryption.md) (SSE + CMK). Applying SSE + CMK to a data disk or adding a data disk with SSE + CMK configured to a VM encrypted with ADE is an unsupported scenario as well.
+
- Migrating a VM that is encrypted with ADE, or has **ever** been encrypted with ADE, to [Encryption at Host](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data) or [server-side encryption with customer-managed keys](../disk-encryption.md).
+
- Encrypting VMs in failover clusters.
+
- Encryption of [Azure ultra disks](../disks-enable-ultra-ssd.md).
+
- Encryption of [Premium SSD v2 disks](../disks-types.md#premium-ssd-v2-limitations).
+
- Encryption of VMs in subscriptions that have the [Secrets should have the specified maximum validity period](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F342e8053-e12e-4c44-be01-c3c2f318400f) policy enabled with the [DENY effect](../../governance/policy/concepts/effects.md).
## Install tools and connect to Azure
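Review bot: the three items that lived in the `[!WARNING]` callout become plain paragraphs under `## Restrictions`, losing their emphasis, and the last of them is now stated twice in the same section: the paragraph "Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted." and the bullet "- Disabling encryption on an OS drive or data drive of a Linux VM when the OS drive is encrypted." say the same thing. Suggest keeping the callout at least for the "VM should be considered unavailable / avoid SSH logins while the encryption is in progress" item, which is operational guidance for the encryption run rather than a restriction, and dropping one of the two disabling-encryption statements. Also worth fixing while the text moves: the `-[Additional requirements for VMs](...)` link is removed with no replacement; "you must continue use this option" is missing "to"; and "DRDB" in the shared/distributed file system bullet should read "DRBD".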
@@ -408,36 +440,6 @@ You can remove the encryption extension using Azure PowerShell or the Azure CLI.
az vm extension delete -g "MyVirtualMachineResourceGroup" --vm-name "MySecureVM" -n "AzureDiskEncryptionForLinux"
```
-
## Unsupported scenarios
-
-
Azure Disk Encryption does not work for the following Linux scenarios, features, and technology:
-
-
- Encrypting basic tier VM or VMs created through the classic VM creation method.
-
- Disabling encryption on an OS drive or data drive of a Linux VM when the OS drive is encrypted.
-
- Encrypting the OS drive for Linux Virtual Machine Scale Sets.
-
- Encrypting custom images on Linux VMs.
-
- Integration with an on-premises key management system.
-
- Azure Files (shared file system).
-
- Network File System (NFS).
-
- Dynamic volumes.
-
- Ephemeral OS disks.
-
- Encryption of shared/distributed file systems like (but not limited to): DFS, GFS, DRDB, and CephFS.
-
- Moving an encrypted VM to another subscription or region.
-
- Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs.
-
- Kernel Crash Dump (kdump).
-
- Oracle ACFS (ASM Cluster File System).
-
- NVMe disks such as those on [High performance computing VM sizes](../sizes-hpc.md) or [Storage optimized VM sizes](../sizes-storage.md).
-
- A VM with "nested mount points"; that is, multiple mount points in a single path (such as "/1stmountpoint/data/2stmountpoint").
-
- A VM with a data drive mounted on top of an OS folder.
-
- A VM on which a root (OS disk) logical volume has been extended using a data disk.
-
- M-series VMs with Write Accelerator disks.
-
- Applying ADE to a VM that has disks encrypted with [Encryption at Host](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data) or [server-side encryption with customer-managed keys](../disk-encryption.md) (SSE + CMK). Applying SSE + CMK to a data disk or adding a data disk with SSE + CMK configured to a VM encrypted with ADE is an unsupported scenario as well.
-
- Migrating a VM that is encrypted with ADE, or has **ever** been encrypted with ADE, to [Encryption at Host](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data) or [server-side encryption with customer-managed keys](../disk-encryption.md).
-
- Encrypting VMs in failover clusters.
-
- Encryption of [Azure ultra disks](../disks-enable-ultra-ssd.md).
-
- Encryption of [Premium SSD v2 disks](../disks-types.md#premium-ssd-v2-limitations).
-
- Encryption of VMs in subscriptions that have the [Secrets should have the specified maximum validity period](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F342e8053-e12e-4c44-be01-c3c2f318400f) policy enabled with the [DENY effect](../../governance/policy/concepts/effects.md).
-
## Next steps
- [Azure Disk Encryption overview](disk-encryption-overview.md)
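Review bot: deleting `## Unsupported scenarios` removes the `#unsupported-scenarios` anchor; the FAQ hunk in this same change updates one inbound link, but any other page in the repo (or external bookmark) that still links to `disk-encryption-linux.md#unsupported-scenarios` will now land at the top of the article with no error. Suggest grepping the repo for that anchor before merge, or keeping a short stub that points readers to the Restrictions section. The removed list is identical, item for item, to the copy added under Restrictions, so no content is lost in the move.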