Merge pull request #109862 from ShawnJackson/how-to-verify-encryption-status

Ja-Dunn · web-flow · commit 699963ac00fa · 2020-05-26T10:55:41.000-07:00
edit pass: how-to-verify-encryption-status
diff --git a/articles/virtual-machines/linux/how-to-verify-encryption-status.md b/articles/virtual-machines/linux/how-to-verify-encryption-status.md
@@ -1,6 +1,6 @@
 ---
-title: How to verify encryption status for Linux 
-description: This article provides instructions on verifying the encryption status from platform and OS level.
+title: Verify encryption status for Linux - Azure Disk Encryption
+description: This article provides instructions on verifying the encryption status from the platform and OS levels.
 author: kailashmsft
 ms.service: security
 ms.topic: article
@@ -13,79 +13,60 @@ ms.custom: seodec18
 
 
 
-# How to verify encryption status for Linux 
+# Verify encryption status for Linux 
 
-**This scenario applies for ADE dual-pass and single-pass extensions.**  
-This Document scope is to validate the encryption status of a virtual machine using different methods.
+The scope of this article is to validate the encryption status of a virtual machine by using different methods: the Azure portal, PowerShell, the Azure CLI, or the operating system of the virtual machine (VM). 
 
-### Environment
+You can validate the encryption status during or after the encryption, by either:
 
-- Linux distributions
+- Checking the disks attached to a particular VM. 
+- Querying the encryption settings on each disk, whether the disk is attached or unattached.
 
-### Procedure
-
-A virtual machine has been encrypted using dual-pass or single-pass.
-
-The encryption status can be validated during or after the encryption using different methods.
+This scenario applies for Azure Disk Encryption dual-pass and single-pass extensions. Linux distributions are the only environment for this scenario.
 
 >[!NOTE] 
->We're using variables throughout the document, replace the values accordingly.
-
-### Verification
-
-The verification can be done from the Portal, PowerShell, AZ CLI and, or from the VM OS side. 
-
-This verification can be done by checking the disks attached to a particular VM. 
-
-Or by querying the encryption settings on each individual disk whether the disk is attached or unattached.
-
-Below the different validations methods:
+>We're using variables throughout the article. Replace the values accordingly.
 
-## Using the Portal
+## Portal
 
-Validate the encryption status by checking the extensions section on the Azure portal.
+In the Azure portal, inside the **Extensions** section, select the Azure Disk Encryption extension in the list. The information for **Status message** indicates the current encryption status:
 
-Inside the **Extensions** section, you'll see the ADE extension listed. 
+![Portal check with status, version, and status message highlighted](./media/disk-encryption/verify-encryption-linux/portal-check-001.png)
 
-Click it and take a look at the **status message**, it will indicate the current encryption status:
+In the list of extensions, you'll see the corresponding Azure Disk Encryption extension version. Version 0.x corresponds to Azure Disk Encryption dual pass, and version 1.x corresponds to Azure Disk Encryption single pass.
 
-![Portal check number 1](./media/disk-encryption/verify-encryption-linux/portal-check-001.png)
+You can get more details by selecting the extension and then selecting **View detailed status**. The detailed status of the encryption process appears in JSON format.
 
-In the list of extensions, you'll see the corresponding ADE extension version. Version 0.x corresponds to ADE Dual-Pass and version 1.x corresponds to ADE Single-pass.
+![Portal check with the "View detailed status" link highlighted](./media/disk-encryption/verify-encryption-linux/portal-check-002.png)
 
-You can get further details clicking on the extension and then on *View detailed status*.
+![Detailed status in JSON format](./media/disk-encryption/verify-encryption-linux/portal-check-003.png)
 
-You'll see a more detailed status of the encryption process in json format:
+Another way to validate the encryption status is by looking at the **Disk settings** section.
 
-![Portal check number 2](./media/disk-encryption/verify-encryption-linux/portal-check-002.png)
-
-![Portal check number 3](./media/disk-encryption/verify-encryption-linux/portal-check-003.png)
-
-Another way of validating the encryption status is by taking a look at the **Disks** section.
-
-![Portal check number 4](./media/disk-encryption/verify-encryption-linux/portal-check-004.png)
+![Encryption status for OS disk and data disks](./media/disk-encryption/verify-encryption-linux/portal-check-004.png)
 
 >[!NOTE] 
-> This status means the disks have encryption settings stamped but not that they were actually encrypted at OS level. 
-> By design, the disks get stamped first and encrypted later. 
-> If the encryption process fails, the disks may end up stamped but not encrypted. 
-> To confirm if the disks are truly encrypted, you can double check the encryption of each disk at OS level.
+> This status means the disks have encryption settings stamped, not that they were actually encrypted at the OS level.
+>
+> By design, the disks are stamped first and encrypted later. If the encryption process fails, the disks may end up stamped but not encrypted. 
+>
+> To confirm if the disks are truly encrypted, you can double check the encryption of each disk at the OS level.
 
-## Using PowerShell
+## PowerShell
 
-You can validate the **general** encryption status of an encrypted VM using the following PowerShell commands:
+You can validate the *general* encryption status of an encrypted VM by using the following PowerShell commands:
 
 ```azurepowershell
    $VMNAME="VMNAME"
    $RGNAME="RGNAME"
    Get-AzVmDiskEncryptionStatus -ResourceGroupName  ${RGNAME} -VMName ${VMNAME}
 ```
-![check PowerShell 1](./media/disk-encryption/verify-encryption-linux/verify-status-ps-01.png)
+![General encryption status in PowerShell](./media/disk-encryption/verify-encryption-linux/verify-status-ps-01.png)
 
-You can capture the encryption settings from each individual disk using the following PowerShell commands:
+You can capture the encryption settings from each disk by using the following PowerShell commands.
 
-### Single-Pass
-If single-pass, the encryption settings are stamp on each of the disks (OS and Data), you can capture the OS disk encryption settings in single pass as follows:
+### Single pass
+In a single pass, the encryption settings are stamped on each of the disks (OS and data). You can capture the encryption settings for an OS disk in a single pass as follows:
 
 ``` powershell
 $RGNAME = "RGNAME"
@@ -103,13 +84,13 @@ $VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME}
  Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
  Write-Host "============================================================================================================================================================="
 ```
-![Verify OS Single pass 01](./media/disk-encryption/verify-encryption-linux/verify-os-single-ps-001.png)
+![Encryption settings for an OS disk](./media/disk-encryption/verify-encryption-linux/verify-os-single-ps-001.png)
 
-If the disk doesn't have encryption settings stamped, the output will be empty as shown below:
+If the disk doesn't have encryption settings stamped, the output will be empty:
 
-![OS Encryption settings 2](./media/disk-encryption/verify-encryption-linux/os-encryption-settings-2.png)
+![Empty output](./media/disk-encryption/verify-encryption-linux/os-encryption-settings-2.png)
 
-Capture Data disk(s) encryption settings:
+Use the following commands to capture encryption settings for data disks:
 
 ```azurepowershell
 $RGNAME = "RGNAME"
@@ -130,12 +111,12 @@ $VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME}
  Write-Host "============================================================================================================================================================="
  }
 ```
-![Verify data single ps 001](./media/disk-encryption/verify-encryption-linux/verify-data-single-ps-001.png)
+![Encryption settings for data disks](./media/disk-encryption/verify-encryption-linux/verify-data-single-ps-001.png)
 
-### Dual-Pass
-In Dual Pass, the encryption settings are stamped in the VM model and not on each individual disk.
+### Dual pass
+In a dual pass, the encryption settings are stamped in the VM model and not on each individual disk.
 
-To verify the encryption settings were stamped in dual-pass, you can use the following commands:
+To verify that the encryption settings were stamped in a dual pass, use the following commands:
 
 ```azurepowershell
 $RGNAME = "RGNAME"
@@ -154,7 +135,7 @@ Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSett
 Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
 Write-Host "============================================================================================================================================================="
 ```
-![Verify dual pass PowerShell  1](./media/disk-encryption/verify-encryption-linux/verify-dual-ps-001.png)
+![Encryption settings in a dual pass](./media/disk-encryption/verify-encryption-linux/verify-dual-ps-001.png)
 
 ### Unattached disks
 
@@ -173,19 +154,19 @@ Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSett
 Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
 Write-Host "============================================================================================================================================================="
 ```
-## Using AZ CLI
+## Azure CLI
 
-You can validate the **general** encryption status of an encrypted VM using the following AZ CLI commands:
+You can validate the *general* encryption status of an encrypted VM by using the following Azure CLI commands:
 
 ```bash
 VMNAME="VMNAME"
 RGNAME="RGNAME"
 az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} --query "substatus"
 ```
-![Verify general using CLI ](./media/disk-encryption/verify-encryption-linux/verify-gen-cli.png)
+![General encryption status from the Azure CLI ](./media/disk-encryption/verify-encryption-linux/verify-gen-cli.png)
 
-### Single Pass
-You can validate the encryption settings from each individual disk using the following AZ CLI commands:
+### Single pass
+You can validate the encryption settings for each disk by using the following Azure CLI commands:
 
 ```bash
 az vm encryption show -g ${RGNAME} -n ${VMNAME} --query "disks[*].[name, statuses[*].displayStatus]"  -o table
@@ -194,12 +175,11 @@ az vm encryption show -g ${RGNAME} -n ${VMNAME} --query "disks[*].[name, statuse
 ![Data encryption settings](./media/disk-encryption/verify-encryption-linux/data-encryption-settings-2.png)
 
 >[!IMPORTANT]
-> In case the disk does not have encryption settings stamped, it will be shown as 
-  "Disk is  not encrypted"
+> If the disk doesn't have encryption settings stamped, you'll see the text **Disk is not encrypted**.
 
-Detailed Status and Encryption settings:
+Use the following commands to get detailed status and encryption settings.
 
-OS Disk:
+OS disk:
 
 ```bash
 RGNAME="RGNAME"
@@ -217,9 +197,9 @@ echo "==========================================================================
 done
 ```
 
-![OSSingleCLI](./media/disk-encryption/verify-encryption-linux/os-single-cli.png)
+![Detailed status and encryption settings for the OS disk](./media/disk-encryption/verify-encryption-linux/os-single-cli.png)
 
-Data Disks:
+Data disks:
 
 ```bash
 RGNAME="RGNAME"
@@ -237,16 +217,17 @@ echo "==========================================================================
 done
 ```
 
-![Data single CLI ](./media/disk-encryption/verify-encryption-linux/data-single-cli.png)
+![Detailed status and encryption settings for the data disks](./media/disk-encryption/verify-encryption-linux/data-single-cli.png)
 
-### Dual Pass
+### Dual pass
 
 ``` bash
 az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} -o table
 ```
 
-![Verify general dual using CLI ](./media/disk-encryption/verify-encryption-linux/verify-gen-dual-cli.png)
-You can also check the Encryption settings on the VM Model Storage profile of the OS disk:
+![General encryption settings for dual pass via the Azure CLI](./media/disk-encryption/verify-encryption-linux/verify-gen-dual-cli.png)
+
+You can also check the encryption settings on the VM Model Storage profile of the OS disk:
 
 ```bash
 disk=`az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.osDisk.name -o tsv`
@@ -261,7 +242,7 @@ echo "==========================================================================
 done
 ```
 
-![Verify vm profile dual using CLI ](./media/disk-encryption/verify-encryption-linux/verify-vm-profile-dual-cli.png)
+![VM profile for dual pass via the Azure CLI](./media/disk-encryption/verify-encryption-linux/verify-vm-profile-dual-cli.png)
 
 ### Unattached disks
 
@@ -284,12 +265,12 @@ echo "==========================================================================
 
 Unmanaged disks are VHD files that are stored as page blobs in Azure storage accounts.
 
-To get the details of a specific disk, you need to provide:
+To get the details for a specific disk, you need to provide:
 
-The ID of the storage account that contains the disk.
-A connection string for that particular storage account.
-The name of the container that stores the disk.
-The disk name.
+- The ID of the storage account that contains the disk.
+- A connection string for that particular storage account.
+- The name of the container that stores the disk.
+- The disk name.
 
 This command lists all the IDs for all your storage accounts:
 
@@ -304,65 +285,58 @@ Select the appropriate ID and store it on a variable:
 ```bash
 id="/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>"
 ```
-The connection string.
 
 This command gets the connection string for one particular storage account and stores it on a variable:
 
 ```bash
 ConnectionString=$(az storage account show-connection-string --ids $id --query connectionString -o tsv)
 ```
 
-The container name.
-
 The following command lists all the containers under a storage account:
 ```bash
 az storage container list --connection-string $ConnectionString --query [].[name] -o tsv
 ```
-The container used for disks is normally named "vhds"
+The container used for disks is normally named "vhds."
 
-Store the container name on a variable 
+Store the container name on a variable: 
 ```bash
 ContainerName="name of the container"
 ```
 
-The disk name.
-
-Use this command to list all the blobs on a particular container
+Use this command to list all the blobs on a particular container:
 ```bash 
 az storage blob list -c ${ContainerName} --connection-string $ConnectionString --query [].[name] -o tsv
 ```
-Choose the disk you want to query and store its name on a variable.
+Choose the disk that you want to query and store its name on a variable:
 ```bash
 DiskName="diskname.vhd"
 ```
-Query the disk encryption settings
+Query the disk encryption settings:
 ```bash
 az storage blob show -c ${ContainerName} --connection-string ${ConnectionString} -n ${DiskName} --query metadata.DiskEncryptionSettings
 ```
 
-## From the OS
-Validate if the data disk partitions are encrypted (and the OS disk isn't)
+## Operating system
+Validate if the data disk partitions are encrypted (and the OS disk isn't).
 
-When a partition/disk is encrypted it's displayed as **crypt** type, when it's not encrypted it's displayed as **part/disk** type
+When a partition or disk is encrypted, it's displayed as a **crypt** type. When it's not encrypted, it's displayed as a **part/disk** type.
 
 ``` bash
 lsblk
 ```
 
-![Os Crypt layer ](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer.png)
-
-You can get further details using the following "lsblk" variant. 
+![OS crypt layer for a partition](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer.png)
 
-You'll see a **crypt** type layer that is mounted by the extension.
+You can get more details by using the following **lsblk** variant. 
 
-The following example shows Logical Volumes and normal disks having a "**crypto\_LUKS FSTYPE**".
+You'll see a **crypt** type layer that is mounted by the extension. The following example shows logical volumes and normal disks having **crypto\_LUKS FSTYPE**.
 
 ```bash
 lsblk -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT
 ```
-![Os Crypt layer 2](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer-2.png)
+![OS crypt layer for logical volumes and normal disks](./media/disk-encryption/verify-encryption-linux/verify-os-crypt-layer-2.png)
 
-As an extra step, you can also validate if the data disk has any keys loaded
+As an extra step, you can validate if the data disk has any keys loaded:
 
 ``` bash
 cryptsetup luksDump /dev/VGNAME/LVNAME
@@ -372,12 +346,12 @@ cryptsetup luksDump /dev/VGNAME/LVNAME
 cryptsetup luksDump /dev/sdd1
 ```
 
-And which dm devices are listed as crypt
+And you can check which **dm** devices are listed as **crypt**:
 
 ```bash
 dmsetup ls --target crypt
 ```
 
-## Next Steps
+## Next steps
 
 - [Azure Disk Encryption troubleshooting](disk-encryption-troubleshooting.md)
